There’s No Fixing the FBI’s Computers

While Congress and the Department of Justice consider mandating that ISPs retain data about all of our communications, the FBI, it seems, can't keep its own IT systems up to date. Putting aside the irony to focus on practical matters, what will bring the FBI up to snuff? I told the reporter in the article linked just above that nothing will.

The problem is institutional; when an organization's membership doesn't enjoy feast or famine based on the success of the organization, very little can bring it into focus and create success. . . . Congressional and public oversight is a weak, weak substitute for competitive pressure.

But the FBI's computer systems have to be fixed, don't they? They do. And to get there, you might have to shrink the FBI and law enforcement generally — especially federal law enforcement.

Because of the nature of bureaucracies, I don't think there is an effective management solution to the FBI's problems with IT. The better answer occurs at a higher level of abstraction:

Too many risks and threats are being treated as public problems to be dealt with through law enforcement when they should be treated as private problems to be dealt with through security.

To illustrate: Imagine that the nation's garages had been designed without garage doors. People finding that their lawn mowers and garden tools were being stolen could call the cops (public/law enforcement) or design and install garage doors (private/security). Much going on in Internet security and online anti-fraud these days equates to people without garage doors calling the cops. There should be more personal and corporate responsibility, less government and law enforcement.

Another example: Starting more than 30 years ago, the U.S. government started taking responsibility for airline security (public/law enforcement) rather than leaving it with airlines (private/security). In fact, President Nixon announced expansion of the air marshals program on September 11, 1970, 31 years to the day before 9/11.

Mixed responsibility allowed both the public and private sectors to avoid ownership of the risk that a flight would be commandeered and used as a weapon. After 9/11, the government took further control over airline security and absolved airlines of the liability that might have accrued to them in the courts. (I don't think they should have been liable for the full consequences of 9/11 or would have been found liable in well-functioning courts, except perhaps for the lives of their passengers.)

The lesson that private owners of critical infrastructure across the country learned is: Failure to secure themselves will bring them protection from liability, subsidies, and government-provided security services. In other words, they have been shown that leaving their garage doors open and calling the cops is better for them than taking responsibility. (In insurance economics, this is called "moral hazard.")

"How do you fix the FBI's computers?" You don't. And you won't. That's the best answer I know.

Does it come off as too ideological to argue that the FBI should be smaller? Consider that the management problems at the FBI are merely part of a different ideological choice: having a large federal law enforcement apparatus. It doesn't have to be this way, and the management problems are a product of the fact that it is.

Does it come off "soft on crime" to argue that federal law enforcement should be reduced? The opposite tack — "tough on crime" — means accepting incompetent law enforcement, which is the best friend crime ever had.