Tuesday, January 12, 2010

Systems Engineering: Adaptive Processes...

The Operational Risks associated with the insider threat of fraud, terrorism, intellectual property theft and economic espionage are a moving target. This variation, deviation and migration from traditional methods of criminal activity has much to do with our systems orientation and reliance on trusted information. Until you miss one step in a process or misspell someone's name.

Systems Engineering as a discipline has it's roots in understanding the business problem before designing a remedy or tool to solve the issue at hand. Whether the engineering is business oriented or software focused the combined "Convergent Engineering" has the goal of being adaptive, flexible and on a trajectory for an integrated discipline.

Adaptive Systems have the opportunity to assist in the mitigation of risks yet software information systems continue to plague us because they are still not being developed in concert with the changing business processes. This operational risk has been in existence since the emergence of computers. The solution to this problem and the "Holy Grail" is to engineer the business or government and it's supporting software as a single, integrated system. Convergent engineering involves modeling and designing the business directly in software. This has been advocated and written about since the 1990's by David A. Taylor, "Business Engineerig with Object Technology" and others advocating concurrent engineering.

The failure of processes during our Global War on Terror is an operational risk that all too often is in the audit, testing and scenario exercises. The Washington Post highlights the breakdown in the Christmas Day 2009 "Under Pants" Bombing attempt on NW 253:

Back in November, it was a day or two after the initial Visa Viper report was received at the National Counterterrorism Center (NCTC) before analysts there realized the correct spelling of Abdulmutallab's name, based on data from other agencies. With the error corrected, he was listed, along with about 400,000 others, on the Terrorist Identities Datamark Environment (TIDE). That is a list of people, along with relevant information about them, who are suspected of, or known to be associated with, terrorist activities outside the United States.

At that time, NCTC analysts who worked on TIDE entries processed only nominations from the State Department, the CIA and other collection agencies. They checked the TIDE list to see if a name was on it, but they did not search other databases for more information. The NCTC also determined what further action, if any, was necessary, such as moving a person's name to the next level, the FBI's Terrorist Screening Center.

Meanwhile, back at the U.S. Embassy in Nigeria, State Department officials -- "out of curiosity" -- did check to see whether Abdulmutallab had a visa for entry into the United States, according to a department official who spoke on the condition of anonymity because the matter is under investigation. But because the misspelled name was used, the fact that Abdulmutallab had a multi-entrance, two-year tourist visa obtained in June 2008 was not sent to the NCTC or to other intelligence agencies.

As Crowley put it last week, "The initial search to determine if there was a visa did not -- one did not show, expressly because of this misspelling."

"This is a critical lesson learned," Crowley said. "The steps that we've put in the process beginning immediately after December 25 will, in fact, make sure that future reports do have visa information in them, so that this is . . . inserted into the process right from the outset."


The process is now adapting to the exposure of a vulnerability that could be exploited by the attacker to the system as it was designed. Could the same be said for the unfortunate incident soon thereafter on FOB Chapman in Afghanistan five days later. This breakdown again by the Washington Post brings this point into focus on the "Process Failure."


Those at the scene on Dec. 30 had been trying to strike a balance between respect for their informant -- best demonstrated, in the regional tradition, by direct personal contact -- and caution, illustrated by the attentiveness of the security guards, according to CIA officials.

But more than a dozen current and former government officials interviewed for this article said they could not account in full for what they called a breach of operational security at the base in Afghanistan's Khost province. Advance pat-downs and other precautions are common in an age of suicide bombers, and meetings are kept small and remote. None of these sources would agree to be identified by name, in many cases because of their former or current work as covert operatives.


The continuous diligence in the discipline of Operational Risk Management calls for an "All Threats & All Hazards" vigilance. However, in both of the previously mentioned cases all of the attention to process and protocols would not have overcome the larger factor of human psychology and human emotions. These Human Factors will continue to be the systems engineers worst nightmare and the single vulnerability that will never be totally mitigated.

Whether signs and red flags are missed in government or the private sector, the threat to our workplace, institutions and livelihood is at stake. ABB, a Swiss global infrastructure company is dealing with a workplace violence incident in St. Louis, MO USA and is now asking themselves "Who Knew What When":

The man widely identified as the gunman in a fatal shooting spree at a St. Louis industrial plant was described as an amicable family man and good neighbor, who would rake an elder's leaves and bring him holiday treats.

But 51-year-old Timothy Hendron of Webster Groves, a St. Louis suburb, was unhappy at work, according to those who knew him even casually, and embroiled in a pension dispute with his company that was being litigated this week in U.S. District Court in Kansas City.

Police said the gunman showed up at ABB Group's plant in north St. Louis around 6:30 a.m. Thursday and opened fire, killing three people and wounding five before apparently killing himself. Frightened co-workers scrambled into closets and to the snow-covered roof for safety.

He was found dead inside the plant from an apparent self-inflicted gunshot wound.


Systems engineering for business or government must continue to explore the human factors. Adaptive processes and software that has been designed with "Adaptive" abilities will continue to challenge even the smartest and most capable Operational Risk Managers for years to come.