MBA 669Special Topics: IT-enabled organizational Forms
Dave [email protected] (email)
http://www.davesalisbury.com/ (web site)
Gathering things up & winding down
Ethical issues (besides those that cropped up earlier)
Systems reliability and accuracy An alternative perspective
Ethical issues
Privacy Internet privacy Corporate email Matching
Accuracy Credit card
accounts Student Records
Property Intellectual
property Software piracy Identity Theft
Access Who can see it? Who should see it?
Information & systems reliability
Information accuracy (Wikipedia article) Systems reliability
Airbus A320 flight control systems Interpreted low-speed/low-altitude scenario as
short final Pilot inputs rejected (Airbus design policy) Landed in trees short of the runway
Spreadsheets Error rates at 1% (that’s actually a lot) Testing is not particularly emphasized
Tales from the darkside:
On International Criminal & Terrorist Groups as Knowledge-Based Virtual Organizations, and the Subversion of Technologies
Wm. David SalisburySchool of Business AdministrationUniversity of Dayton
Abhijit GopalRichard Ivey School of BusinessUniversity of Western Ontario
Information systems foundations
Information Intensity Informational component of any product,
service, process or relationship Infrastructure
Information can be changed to zeros and ones and moved through a robust information infrastructure (e.g. the Internet)
Open Standards Anybody can attach
Opportunities for individual action
E-commerce implies that Individuals are enabled – indeed expected – to handle more of the details of their interactions with a firm Telephones – used to need an operator Ordering goods – used to have to call in 1-800
numbers Flights – used to have to call a number or
work with a travel agent This also provides opportunities for
unanticipated individual action – the age of the “super-empowered individual”
Using IT to re-engineer “business”
Criminals & Terrorists are engaged in business process reengineering Information Intensity Infrastructure Open Standards
The closer and more interconnected the world, the easier for these groups to operate; the infrastructure is free and the standards open
Infrastructure
An underlying base or foundation especially for an organization or system
Examples Financial Energy Transportation Telecommunications, which as it includes
the Internet also represents a robust information infrastructure
Enablers of global commerce…
Democratization of finance, information and technology
Open Standards TCP/IP HTML Standardized file Formats
Robust Information Infrastructure Networked computing Emphasis on the informational
component of business processes
Have other uses
Money laundering Criminal networks Cyber attacks
Hacking DOS Phishing Pharming
Unconventional warfare Network-centric warfare Terrorism
The inter-connected world
Vital infrastructures tend to be closely linked, and interdependent
Telecommunications depends on power generation & transmission
Control of power generation, natural gas transmission, etc. depends on telecommunications (e.g. Supervisory Control and Data Acquisition - SCADA systems)
The “global trailer park”
More of the inter-connected world
Systems & software are increasingly built by limited number of suppliers, leading to a “monoculture” Microsoft SAP Oracle
Transport is increasingly integrated in vast global supply chains
Attaching to existing infrastructures
Financial Money laundering
Transportation 9/11/2001 Hiding in cargo containers
Information Viruses Encoded messages through open channels Phishing
Telecommunication Cell phones to set off bombs Blackberries to send emails to set off bombs?
Open standards, robust infrastructure
(Relatively) easy attachment at any entry point
As long as the protocol is followed, one can move relatively freely
What does the network care if the packet is my paycheck deposit or a virus, or if the cargo container contains engine parts or an al Qaeda terrorist (The Economist, 4/4/2002)?
Understandings about technology
Made for a specific task More feature-rich, leading to
greater potential for alternative uses
Institutionalization, even of illegitimate uses – leads to shocks
Background expectancies
The subversion of technology
Subverted by its own design Axes to kill rather than chop wood Screwdrivers to dig holes rather than
drive screws Spreadsheets as word processors Commercial aircraft as cruise missiles Cell phones as bomb triggers
Leveraging the infrastructure
Two ways to uses of information technology Conventional ways to do
unconventional things Unconventional ways
Technology as both enabler and target
Both a Weapon and a Target
Information infrastructure used for command and control
Disruption of vital information flows Delivery mechanism for attacks Force multiplication (e.g. physical attack
coupled with cyber attack) The economy as a “pillar” of U.S.
strength Attaching to various infrastructures by
employing available open standards
One response – harden defenses
Various efforts by Homeland Security Certification programs Information Assurance programs Network security Will these work? How well did this work for the French
with the Maginot Line in WWII?
Best practices
Knowledge-based organizations Knowledge encoded and transmitted to
membership Networking to acquire and then apply
resources Sophisticated data mining efforts
Virtual organizations Brought together to achieve short-term goal
then disbanded Communities of practice
Knowledge & information technology
Tacit v. Explicit Knowledge Codifying Explicit Knowledge Creating Networks built on Tacit
Knowledge Using other people’s stuff -
leveraging Other Available Networks for Intelligence Gathering
Knowledge types
Tacit Socially constructed Culturally specific Somewhat difficult to communicate to
outside groups Emphasizes people to people
knowledge sharing
Knowledge types
Explicit Procedural More universal Relatively easily communicated to
outside groups Emphasizes people to document
knowledge sharing
Codifying explicit knowledge
Easy transmission of instructional materials (e.g. bomb-making manuals)
Telephone tracking databases Intelligence-gathering and mapping of
U.S. radar coverage by drug cartels Al Qaeda’s use of publicly available
information to derive better understandings of capabilities & defenses
Tacit knowledge as “culture”
Linguistic codes (Bernstein, 1967) Elaborated Restricted
Members of one culture (shared stories and background) “get it”, but others won’t “Matewan” Military shorthand
Creating & using networks
Robust information infrastructure enables easy communication Chat rooms Websites Email Supported by strong encryption
Lean messages, but drawing upon common cultural metaphors and analogies
Steganography (hidden writing) Wide Reach
Attaching to others’ networks
The Internet as means of reconnaissance DOE site provided detailed information
about Nuclear Plants, Electrical Power Grid Detailed map of unclassified CIA networks Derivation from multiple public sources (cf.
Mason, 1986) Phishing attacks by criminals (previously)
and terror groups (more recently), and some groups actually use FDIC-looking pages
Pharming attacks
Attaching to others’ networks
Warchalking.org maps open, unsecured wireless access
points 28,000 points ID’d in Boston (Verton, 2003)
Sending the kids to MIT (or other places) Colombian drug cartels have gained strong
encryption skill sets in this manner Al Qaeda recruiting heavily among Muslim
students graduating in CS, CE, IS, IT-related fields
Making use of this knowledge
The “12th Lesson” of the al Qaeda training manual Information about personnel, officers, families Information about facilities, procedures
Built into knowledge bases, networked using the robust Internet information infrastructure
Colombian Drug Cartels Mapping flights of U.S. Drug Interdiction Flights Times, days, routes
Virtuality & terror/criminal groups
Virtual Organization Collection of geographically distributed,
functionally or culturally diverse entities that are linked by electronic forms of communication and rely on lateral, dynamic relationships for coordination” (DeSanctis and Monge, 1999)
Malleable organizational forms Who is al Qaeda now? More like a
religious movement rather than a specific group
Strength of weak ties
Networks make good use of “weak” ties (Grannoveter, 1973)
Some 9/11 hijackers likely did not know Mohammed Atta (cf. Krebs, cited in Stewart, 2001)
U.S. success in Afghanistan has forced al Qaeda to move to more cellular and networked forms of organization – natural selection is apparently at work
Splinter groups, loose associations, no clear chain of command (a lot like Iraq these days)
Strength of weak ties
Non-formal members (but sympathetic to cause) Attacks on U.S., Indian & British sites Email spoofing “Patriot Hacking” (Al-Neda & Al-Jazeera
Hacks) Malaysian virus-writers
AQTE Al Qaeda Network Anti-India Crew
Russian and Pakistani Hacker Groups Some paid, others are true believers
“Script Kiddies”
Nation-states are slow
Terrorists do not seem to have specific, rigid procedures, but train for specific competencies that can be called separately or in combination to obtain a given objective
Nation-states feature rigid procedures and clear division of labor that depend on the problems they face being divisible into clear-cut portions
Terrorists as “object-oriented”
Theoretical lens: structuration theory
Rules and their application (DeSanctis and Poole 1994; Giddens, 1984)
Schemata and their transposability(Sewell 1992)
Resources(Giddens 1984; Sewell 1992; Fincham 1992)
Human agency(Giddens 1984; Sewell 1992)
Structuration theory suggests
Resource applications driven by unique schemata
Unanticipated appropriations of technical infrastructures and organizational forms driven by different cultural understandings of appropriate use
Networked organizational forms and “swarming” attacks (cf. Arquilla & Ronfeldt, 2001)
Terrorist schemata
Central organizing theme of establishing a Islamic Caliphate, overthrowing “non-Islamic regimes” and expelling Westerners from Muslim countries
Feelings of disenfranchisement, persecution & oppression, leading to moral justification for nearly any act
Culture as legitimacy Existence outside the mainstream enables
casting off of taken-for-granted understandings of appropriate use of technologies
So what is war, anyway?
Two views of terrorists Criminals Non-state actors engaged in active
warfare Exploiting the gap between “police”
and “military” Radical change to posse comitatus? “Military Lite”, or “Police on Steroids”?
(cf. discussion by Barnett, 2000)
Who wrote your code?
How easy would it be to insert rogue code into business applications?
How well did your offshore coding provider vet their programmers?
What does this do to the economics of outsourcing/offshoring?
Has defense been outsourced?
Many of the most critical infrastructures are privately held, privately maintained, and privately defended (e.g. financial services, power grid, telecommunications); cf. Verton, 2003
Much of the equipment that supports the electrical infrastructure is made outside the U.S.
Al Qaeda actively targets western economies A key pillar of western power and global reach is
its economy, and attacks on any of these three infrastructures would be extremely damaging
Where is Marine One being built? (New York Times, January 28, 2005)
Smart people, figuring out the gaps
These people are smart and creative, and they spend time figuring out what systems do (and more importantly) do NOT account for
Not just information systems; ANY systematic mechanism for dealing with a given situation
U.S. Border procedures as described in 9/11 Commission report
Systems dependent on certain background expectancies that these people are more than willing to violate
The problems are not exclusively technical; nor will their solutions likely be
Potential criminal/terrorist alliance
Terror groups have good networks in Europe (cf. Castells, 1998)
Drug cartels have well-established networks in the U.S.
What are the possibilities for some sort of virtual organization arrangement between these groups?
Some implications for future work
What is the relationship between feeling disenfranchised and creative appropriation of technologies?
Terror groups and the Internet Greek women and wet blankets
What is “knowledge” anyway? How is knowledge enacted in communities of
practice? How can nation-states adopt institutional changes
that resist this direct challenge to their sovereignty & legitimacy?
How can US institutions be re-cast in a manner that enables them to confront these sorts of threats?
Partial reading List Arquilla, J. and Ronfeldt, D., Editors (2001). Networks
and Netwars: The Future of Terror, Crime and Militancy. Santa Monica, CA: Rand.
Verton, D. (2003). Black Ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne.
Castells, M. (1996). The Information Age: Economy, Society and Culture, Vol. 1, The Rise of the Network Society, Malden, MA: Blackwell.
Castells, M. (1998). The Information Age: Economy, Society and Culture, Vol. 3, The End of Millennium, Malden, MA: Blackwell.
Friedman, T. L. (2000). The Lexus and the Olive Tree: Understanding Globalization. New York: Farrar, Straus and Giroux
Partial reading List Neilson, R. E., Editor (1997). Sun Tzu and Information
Warfare: A Collection of Papers from the Sun Tzu Art of War in Information Warfare Competition. Washington, D.C., National Defense University Press.
Tenner, E. (1997). Why Things Bite Back: Technology and the Revenge of Unintended Consequences. New York: Alfred A. Knopf.
Barnett, T. P. M. (2004). The Pentagon’s New Map: War and Peace in the Twenty-First Century. New York: Putnam.
Stern, Jessica (2003). Terror in the Name of God: Why Religious Militants Kill. New York: HarperCollins.