Wednesday, August 21, 2013

Game Theory and NSA Practices

"Who shall watch the watchers themselves?" or "Quis custodiet ipsos custodes?" is an old question and certainly one raised by recent revelations about NSA practices.

But what the NSA situation reveals is the importance of a strategic perspective and the importance of governance models in making sure that the right strategy is being executed, resources are well allocated, and managers are held accountable by independent third parties.

The simplistic demagogic views falls into two categories:

1. Slippery slope: if a well meaning government has no constraints on monitoring, it lays the foundation for tyranny if or when the unethical are in charge.

2. National defense: we need to pursue terrorism to the maximum extent possible.

A more nuanced assessment might suggest that a different framing of the problem is required, The issues are really much more subtle,

Presumably, the ability to track terrorist and terrorist projects is desirable because practically everybody would prefer not to be blown up or injured by terrorist activity. But not all activities of monitoring lead to successful prevention of terrorism events or tracking down of terrorists after a terrorism event. There is, therefore, an important question of both effectiveness and cost effectiveness. Presumably we should all desire to prevent terrorism if it is effective, cost effective and does not risk tyranny. And we should avoid ineffective monitoring that raises risk of abuse.

However, data around effectiveness, cost effectiveness and potential for or actual abuse is not currently disclosed. In a business this would be equivalent to providing carte blanche to a department and not holding them accountable. I hypothesize there that it is possible to disclose performance and compliance information without jeopardizing the overall effectiveness. I would also suggest that assessment of the potential for abuse and tyranny is not possible without disclosure.

From a game theory perspective, politicians play in a game that is annoyingly short sighted.

If a politician is in power and a terrorism event occurs, the argument can be made by an opposition that the politician did not spend enough or pay enough attention. The criticism may or may not be true. The absence of disclosure ensures that any debate will be sterile.

If no terrorism event occurs while a politician is in office, then he/she will argue whatever program is in place must be good. Again, there is no way of assessing the value of the spending and the activities or the potential for abuse.

If a politician spends too much on programs for countering terrorism, there is little penalty for overspending.

If a politician cuts spending on anti-terrorism and no events occur, then the politician is still at risk of political attack for a visible decision to cut and no clarity on what may previously have been overspending.

The net result is that there are strong incentives for politicians, suppliers and government staff to continue to demand increased spending. Increased spending will typically lead to more monitoring activity. Presumably, more monitoring activity increases the potential for abuse.

And strangely, even those politicians who are anti-government, seem content to fund defense and security spending without significant disclosure, risk assessment or effectiveness measures.

In a :"Show me. I am from Missouri." universe, performance and operating data needs to be revealed. Without performance reporting we can have no assurance that money is being well spent or that practices are consistent with guidelines and governance processes that highlight and protect against abuse.

And as with any portfolio decision, investment in NSA activities needs to be compared with other approaches to preventing terrorism and its root causes. Bureaucratic budget holders are, like any budget holder, always reluctant to propose reductions of their own budget. If we knew for example, that the cost of preventing a terrorism event was $5B and we also knew that we could reduce the likelihood of equivalent terrorism in a country by investing in that country the same amount, it would frame the budget and performance decisions differently.

The American constitution is built upon the concept of separation of powers and authority. The same is true in corporations where auditors are supposed to be independent of the company. NSA monitoring of terrorist activity looks very different if there are no auditors or guardians of the guards.

Any claim that disclosure of activities would jeopardize the effectiveness of collection activities is too easy. It's highly unlikely that bad guys have not being going to the movies or reading newspapers, so I think we can safely bet that they know they are being monitored. And as in wars, there is a difference between immediate and eventual disclosure. Aggregated data can provide metrics on monitoring without disclosing significant secrets.

I am sure of one thing in this debate. Knee jerk assessments may not be the most effective way of assessing this complex task.

No comments: