denotes premium content | Jan 9 2009 Feature
posted 1 May 2000 in Volume 3 Issue 8
The Knowledge Salient: Intelligence
& information warfare in an age of uncertainty
In the Information Age, the amount
of data available, together with the increasing sophistication of analysis
techniques, provides both threat and opportunity for commercial organisations.
In the following article, David Snowden and James Luke
examine organisational
and behavioural aspects of information warfare in a corporate
environment.
Open Source
Intelligence is revolutionising the activities of security agencies - both in
defence and in the police force (Rathmell, 1998). The advent of the Information
Age and the exponential growth in the Internet has generated a vast amount of
data that is freely available without recourse to clandestine methods.
In both private
and public sectors the borderlines of legitimacy have become blurred:
'Information Warfare' has emerged as a discipline in its own right with
military, government and commercial organisations all striving for Information
Superiority; companies are adopting the cold war KGB tactic of monitoring patent
disclosures in order to target their competitors R&D strategy; individuals
sell their capabilities and knowledge to the highest bidder; loyalty is one of
the most ambiguous words in the corporate lexicon. The pervasive nature of
communication has resulted in a casual attitude to security. Perhaps most
worrying is the attitude that security is simply a question of passwords and
firewalls; as information becomes truly pervasive our perceptions of security
must extend beyond a locked computer room.
Security is not just a matter of
password discipline; it needs to be incumbent in every activity. It is not
practical to impose fixed rules regarding security. There is a need to build
understanding so that employees can interact with natural security processes in
a way that is neither paranoid nor too relaxed. The majority of Information
Warfare attacks go unreported because employees assume that "it wouldn't happen
to them". Employees should understand the basics regarding what constitutes a
security breach (that is, what information would be of value to a competitor)
and what are the indicators that suggest someone is interested in that
information.
We
never cease to be amazed at the amount of confidential material that can be
gleaned by sideways glances to a neighbour's laptop during a transatlantic
flight, or just by sitting on a London bound train surrounded by mobile phone
addicts - utilising the addictions of one's targets was always an intelligence
trick in spy novels. Even more damaging is the information which can be
generated when fusing together information from many different sources; an
overheard conversation, a patent search, a company advert requesting specific
skills, can all be combined to reveal a specific corporate direction.
For commercial companies
the vast amount of available data, and the increasing sophistication of analysis
techniques provide both threat and opportunity. Threat comes from three
sources:
Companies who wish to survive in this new age have to be good custodians
of their intellectual assets. They have to develop a clear understanding of
their Information Picture, the sources used to compile the it, the level of
trust associated with those sources, the assumptions on which every item of
information is based. The next stage is to understand how the Information
Picture relates to their operational activity; what exactly is the relationship
between a competitor advertisement and the subsequent drop in revenue? What is
the time lag between a competitor announcing a technical capability and delivery
of a robust product? What is the relationship between competitor job adverts and
employee attrition? Clearly such a deep understanding of the Information Picture
cannot be developed simply through organisational process.
Instead companies need to create an
ecology (or ecologies) in which their employees, associates, customers,
suppliers - and competitors - make their knowledge available. In doing this they
need to constantly reflect on one of the fundamentals truths of knowledge
management: Valuable knowledge can only ever be volunteered, it can never be
conscripted. The organisational forms and reward structures of a volunteer
community are radically different from those of a conscript society. This is not
an easy message to accommodate when the organisational norm of the past fifty
years has been based on a hierarchical or matrix model, predicated on rational
behaviour and the 'predictability' myth of much strategic planning.
Technology has played a
key part in the growth of the area, and provides many of the tools for its
propogation. We do not intend to summarise their use - that information is all
too readily available from vendors and exhibitions. In this article we want to
look at two organisational and behavioural aspects of information warfare in a
commercial setting. We will start with a summary of the realities of the data
rich environment in which we work, illustrating that reality examples of current
knowledge management activity that borrows directly or indirectly from
Information Warfare techniques. Finally, by debunking one of the most common
knowledge management myths (the transformation of information into knowledge) We
wish to open up a way forward for companies drawing on some of my own work
linking complexity theory to knowledge management.
Current reality
The Cyberpunk genre of
Science Fiction founded by William Gibson visualised a future society in which
the boundaries of virtual and physical reality are known but are irrelevant.
Individuals slip between their virtual and physical worlds without a second
thought. For most people this is already the case. Videoconferences, the daily
tyranny of e-mail, intranets; these are all a natural part of day-to-day
business life. The danger with something that is both common place and new, is
that we have not yet aquired instinctive response mechanisms - many of our
natural reactions are still those of a bounded physical work environment. Any
individual or organisation has to be aware of the following 'realities'.
Everything we do in
virtual space is ultimately knowable or traceable
Storage and analysis capacity are
rarely, if ever, an issue. Our ability to replay or look back in time is bounded
only by our willingness to do so. Once upon a time you knew if you had been
caught speeding in any single journey. Now a flash in the rear view mirror could
be sunlight or three penalty points on the licence, and you won't know for
months. Consider a further development - if a credit card is used to purchase
petrol at two service stations on the M1 is the timing of the transactions
sufficient to prove a charge of speeding? Especially when correlated with
forecourt close circuit TV systems showing the car and the driver. In such a
case the police would not even have to obtain the information; they could ask
drivers 'under caution' and threaten to obtain the information! In defining a
threat the military often refer to 'capability and a willingness to use that
capability'. In this respect we should understand that the technical capability
for this level of data fusion already exists; what is lacking in many situations
is the realisation and therefore the willingness to use the capability.
This is
especially the case in the corporate environment where considerable numbers of
data sources exist but are never exploited. For example, network analysis of
email contacts and telephonic communication can produce maps of an
organisation's connectivity. We can draw on the experience and tools used by
intelligence agencies to see patterns in multi-source data. We can look to see
if there is any intelligence in the footprints of individuals and communities in
virtual space. Those same tools can be used to measure improvements in knowledge
utilisation. We can use network analysis tools to identify trusted communities
via knowledge node holders. Such node holders are the key individuals who
connect a companies knowledge assets (Foster & Falkowski 1999): "I don't
know myself, but I know someone who does..."
Another example is a classic case of
the use of intelligence techniques. We provide a document repository with the
added feature that readers may only exit from a document if they provide an
assessment of its value - say a simple score on a scale of one to five.
Documents can be flagged according to the number of readers and the rating level
provided. This is a useful feature for any professional body. It reflects the
way that professionals work. They want to know what other people are reading so
that they can keep up to date. Now, what if we extend that facility to allow
each individual to maintain lists of who they respect for different subject
areas, and then view the document repository through that filter? The tool is
more valuable, and therefore more likely to be used. However, we now have used
the facility to gather intelligence. By looking at the lists we know who rates
whom. That is valuable knowledge for team formation, performance rating; the
list is endless.
Considering the external sources of information, all organisations
publish data. Often the website of a company reveals far more than was
originally intended - both by omission and commission. This open source material
can provide valuable competitive intelligence - or it can be used to misinform,
either through direct dishonesty, or more effectively, by selective emphasis.
All organisations also have to publish data. Much of this was in former times
safe by virtue of its physical separation. However, in a virtual age, all
connections between desperate databases are possible. One common example is
patent data. This information is readily available in electronic format; its
acquisition no longer requires searches through documents or microfiche.
Legislation requires a degree of disclosure higher than most companies would
provide given a free choice. During the cold war, the KGB recognised the
usefulness of this and developed software to monitor patent registration to
indicate areas of technology development, and to provide vital clues to assist
parallel development. When the wall came down, it was not long before this same
technology was utilised by major corporations to monitor the patent
registrations of their competitors with the same intent as the KGB - to glean
secrets without investment. Some of them have gone a stage further and are now
seeking to register patents in the white space around the areas of their
competitors' registrations. This activity is effectively a legal form of
industrial sabotage, and is often more effective than head hunting or terrorist
activity! It is worth re-iterating that beyond the formal methods of releasing
information, every act undertaken by an individual within an organisation
represents a release of information. There is a wonderful anecdote about the
Pentagon on the night the Gulf War started; apparently it was impossible to
order a pizza (or any other form of takeaway food) for 50 miles due to the
unexpected orders from those working late. As stated earlier every activity of
an organisation reveals information.
What and who can be
trusted?
When
we make decisions, we rely on a dynamic combination of information, experience
and gut feel. If the information is false then we have problems. Falseness can
arise from a variety of circumstances, though some of them may be
innocent:
- The information could have been planted with an intention to deceive
- Key items of information, particularly those related to context could be
missing
- The information may be out of date
- The information may result from an urban myth: In a cut and paste
environment facts can arise spontaneously and without any relation to
reality
- The process of abstraction and codification necessary to convert data into
information may have stripped away necessary context
- The information could be incestuous. It is not uncommon for organisations to release information that is later received back into the organisation as a fact. For example, a member of a pharmaceutical research organisation makes a guarded statement about one of the organisation's programmes at a public conference. The facts are reported in a trade journal and, due to the lack of complete information, the research organisation assumes a competitor has taken the lead in the particular area of research.
What is true of information may also be true of individuals. Someone may
be trusted on the basis of past results. However, a previous positive outcome
may have been good luck, or the real responsibility of a less gifted player,
unskilled in the politics of a corporation. The individual may not be aware of
the environmental factors - now changed - which gave rise to their correct
judgement on a previous occasion. Where a company is being targeted (and you
should work on the basis that you are being), it needs to be aware of some of
the secondary criteria for an information warfare weapon (Schwartau 1996):
invisibility, passivity, droning (remote control or activity traceable to an
innocent third party), fallout (secondary effect on related areas to original
target), insidiousness or lack of trace ability. Just think through the
implications of some of those for recently made decisions in your organisation.
You may not even be the original target. You may be using material, originating
as fallout, which has developed as an urban myth within your industry.
Of course, the boundary
line between sensible awareness and paranoia is slight. It would be easy to
become paralysed with fear in the face of some of this stuff (incidentally that
is another Information Warfare technique involving no falsity whatsoever). This
is analagous to chemical warfare, where the threat alone is sufficient to reduce
operational effectiveness, due to the gas masks and the additional equipment the
troops must wear, without a single weapon actually being used. Similarly in
Information Warfare consider the effect on a news organisation if every single
fact had to undergo detailed confirmation. The news organisation would probably
be put out of business by its inability to provide timely information.
Knowledge, and by
implication knowledge management, is key to solving this problem. The way we
validate information is to validate the knowledge used to create that
information. We may look to the source of the information, or seek to
corroborate the information from multiple sources. Ultimately any decision is
based to some extent on an acceptable level of uncertainty (Snowden 1998). The
issue is to determine an acceptable level of uncertainty for different classes
of decision-making.
Knowledge management practice has given rise to a variety of methods for
increasing trust. The sharing and controlling of information within communities
of competence is among the most effective techniques available. The constant
validation and testing of information within a professional - and hopefully
sceptical - community, is a good way of providing for constant validation.
Testing the reasonableness of a decision or assumption on multiple non-connected
communities is another. Techniques can be borrowed from history: The Catholic
Church long ago created the position of Devil's Advocate to argue the contra
side in any canonisation proceedings. Virtual space makes this sort of process
far simpler. Allowing anonymity within a virtual community can open up a greater
degree of honesty - at the expense of senior management egos. Use of retired
employees or the innocence of an apprentice are also appropriate as their
interest in the corporate power trip is less than the active players who are
making the decisions in the first place.
The key issue here is speed, ease of
use and pervasiveness. Validation techniques - and with them threat assessment -
need to become an integral part of all employees activity. A specific act, or a
highly structured process can more readily become the victim of an attack.
Organisations that are highly process-based are often more vulnerable. The sheer
weight of processes creates an organisational sub-culture of finding ways
around, or performing meaningless and ill understood tasks to avoid bucking the
processes. For example, a password system that is too complex will almost
certainly result in passwords being displayed on post-it notes on the side of
computer terminals. Expense systems based on rules rather than human judgement
are more likely to be subject to fraud than otherwise.
Trusted mechanisms based on trade are
also emerging. The first electronic knowledge exchanges make use of structures
derived from medieval guilds to validate knowledge trades within a virtual
community. Some companies are starting to think of using internal markets for
knowledge - including spread betting - for improved forecast accuracy in sales
departments. Human imagination can rise to meet a threat, just as human
imagination creates the threat in the first place.
One last danger deserves mention in
their area of what and who we trust; that of tool fetishism. Web surfing is not
just a danger to the young; a variant also affects middle-aged managers. Models
of scientific rationalism on which much management practice is based are not
well equipped for the age of uncertainty that we have entered. We have trained a
generation of managers who think that, given sufficient analysis and data
capture, there is a correct answer. Such managers given access to a large IT
budget are very dangerous. They constantly build the equivalent of the defence
system that almost launched a nuclear counter strike on detecting a flock of
birds. One of the key lessons from defence to the private sector is the constant
need for human validation of decision-making and sanity checking of automated
rules. All rules contain assumptions and ass/u/me will always make an ass of you
and me. Human beings are able to cope with uncertainty far better than
computers. There is also a need to provide the correct level of abstraction in
analysis systems. The generation of further business metrics is only of value if
they can be used in influencing the future direction of the business. If there
is no real understanding of the value of the metrics, their association with the
performance of the enterprise or the business drivers that affect the metrics,
then there is no reason to invest effort in their derivation.
Ambiguity over what
is right and what is wrong
Information warriors or degenerate
hackers? The skills to break through a security system inspire admiration as
well as disgust, depending on your perspective. A virus can go undetected if it
causes no immediately apparent damage. Their purpose may be to obtain
information. We know of one company where an employee created a virus that did
no damage, but merely copied spreadsheets from various managers' PC every time
they accessed email. The purpose? Well, the virus ran during salary review time,
and the employee sold comparative data of salaries and raises, derived from the
managers attempts to apportion their allocations. That company found an easy
solution: They promoted the individual to a management position. On a larger
scale, we know that banks often fail to prosecute electronic fraud through fear
of loss of confidence in the banking system.
For the hacker the probability of
detection is slight, and the probability of punishment even less. Hackers may be
internal or external to the organisation. The reality is that there is no
coercive substitute for loyalty and trust. If that is lost within an
organisation, then the organisation is vulnerable to loss of intellectual
capital and to direct or indirect attack using Information Warfare techniques.
Building trust through the establishment of networks with mutual dependencies
between individuals and groups is therefore a survival activity for firms, not a
nice to have. Companies over-engineered on the assumption that the human assets
were always replaceable once the process was codified are discovering that the
price of this pseudo-efficiency is a loss of responsiveness and loss of loyalty.
Service companies know that their internal brand, and the identity and loyalty
created as a result, is more important than their external brand. Customers can
be won and lost, but intellectual capital once lost is much more expensive to
replace.
The
Knowledge Salient
The definition at the head of this article shows that salient is both a
description of a defensive feature and a first stage or origin. The Knowledge
Salient of the title takes up both these characteristics. We have already talked
about using communities of competence and other trusted mechanisms as a means of
validating information. In this final section we want to look at knowledge as an
underlying cause or means of viewing the world. We have long rejected the
concept of knowledge as a higher order level of information (Willmott and
Snowden 1997). Knowledge is our sense making capability. It is the means by
which we interpret data and create, through a process of abstraction and
codification (Boisot 1998) messages that inform others: Information. If
knowledge is the means by which information is created - and by implication
interpreted and used - then the management of knowledge is key to the effective
use of that information.
We normally break knowledge into five components: Artefacts, Skills,
Heuristics, Experiences & Natural Talent (see David Snowden's article in the
last issue of Knowledge Management). These have a mnemonic ASHEN, and provide a
spectrum on the more traditional use of explicit and tacit. Artefacts, skills
and to some extent heuristics can be made explicit at least for a specified
period of time. The rest are always primarily tacit in nature. If we understand
what combination of assets has been used in the creation of information then we
are closer to creating the right level of trust in their usage.
Here we meet a
paradox: On the one hand, explicit knowledge is more readily audited, and
subject to cyclical review and a trusted mechanism can be created. On the other
hand, anything that is explicit can be stolen, transferred or interfered with.
The only really unique knowledge that an organisation possesses is tacit. There
is no right or wrong answer. However, the creation of self-awareness - a key
condition of transferable sense-making capability - will mitigate risks. A
soundly executed knowledge management programme requires that sufficient
attention is paid to common language (Snowden 1998). If this is done, then the
capability of an organisation to assess, use and defend its information sources
is immeasurably enhanced. Language is also important as a defence mechanism.
Organisations can readily create expert languages through the use of stories
routed in that organisations' history. Such expert languages render information
difficult to interpret to someone who does not share that history. This is a
growing area of knowledge management, and one with some of the richest potential
for fast return.
Within this context self-awareness and honesty are synonyms. Again,
techniques can be borrowed from intelligence. Key information or keys to unlock
information can be shared amongst individuals so that they can only act in
concert, not independently.
One model from warfare - information
or otherwise - is also useful here. OODA stands for observe, orientate, decide
and act. It makes the point that what matters is not raw power, but the speed of
assimilation of new data, and the capacity to turn or respond in consequence of
that process. The person who most quickly assimilates and responds, is the one
who acts, everyone else reacts. Good knowledge management seeks to make the
intellectual assets of an organisation available in a timely manner so that the
organisation can sense change and respond to opportunity.
There is also a more fundamental
contribution from knowledge management. This is based on work taking place to
incorporate ideas from complexity theory into the more organic schools of
knowledge management. Complexity theory contributes two concepts to knowledge
management that allow us to turn our knowledge salient from a defensive
structure to the more poetical definition of leaping, jumping and jetting
forth.
- Simple rules enable consistent behavior in complex environments. When we
drive down a road, we handle a vast amount of data input from dashboard
instruments and from our senses. We manage this task through a simple
unarticulated rule set. For safe drivers it may be something like: Match
speed, stay in lane, avoid collision. Other rule sets are possible, as anyone
who has drive around Hyde Park Corner in rush hour will know! In business and
customer decision-making, these rules or values can often be derived from
observation or story telling (Aibel & Snowden 1998). This is a powerful
technique for cultural change, but also for information validation and
information warfare. If you understand the unspoken rules and values that
govern a competitor's decision-making then the opportunity to influence it is
high.
- Micro interventions have a macro effect. This is the famous butterfly that flaps in wings in the rain forest and causes a hurricane in the West Indies. Treating the organisation as a complex ecology allows us to manage more indirectly - and more effectively. It also allows us to construct interventions that not only have a ripple effect (the endorsement of an idea by the CEO, for instance), but also to refine our understanding of the rules and behaviors of the community we are studying. An example of using trusted lists for profession communities was given earlier in this paper.
Conclusions
Knowledge management is key to the
effective management of information, and also to its protection and validation.
Information warfare techniques have already transferred in varying degrees into
the commercial sector and this trend will increase in direct proportion to the
pervasiveness of computing. However, very few organisations currently have the
capability to exploit these techniques. This is largely due to a lack of
management understanding and organisation; there are few technical constraints.
As computer systems increase in intelligence they will compensate for this lack
of management understanding. There are potentially massive benefits for those
organisations that are at the forefront of these techniques. Organisations need
to create a necessary level of self-awareness to combat this, while avoiding the
paralysis of paranoia. Treating knowledge management as a technique to codify
knowledge and share it on databases is just not good enough in these
circumstances. The best way to combat evil in the long-term has always been
through doing good - although it is often the most painful. For a criminal, the
first act of criminality is the most difficult. It is similar for employees.
Companies seeking to compete in the new age of uncertainty, of which open source
data is but one symptom, need to focus on creating the necessarily levels of
trust and security that will secure their human assets. Four final points to
hold in your mind as you consider decision making and information use:
- Intelligence is not about the number of neurons you have in the brain, but
the number of connections; the same is true for organisations
- The knowledge economy requires volunteers and organisational forms that
encourage volunteers, not conscripts. Red neck management and short term
targets is contra -indicated
- Information warfare in the commercial sector is not an option; it is an
ever-present reality
- The act of observation affects the thing observed. How do you balance the
need for covert action with the need for trust?
- Every single thing we do as individuals, as
individuals within organisations, and as organisations themselves, transmits
information.
References
Aibel, J and Snowden, D 'Intellectual Capital Deployment: A new perspective' Focus on Change Management, (September 1998)
Boisot, M Knowledge Assets (Oxford University Press, 1998)
Rathmell, A Cambridge Review of International Affairs (Spring 1998, Vol XI, No2)
Foster, F & Falkowski, G 'Organization Network Analysis: A Tool for Building a Learning Organization' unpublished paper
Schwartau, W Information Warfare: Chaos on the Electronic Super Highway (Thundermouth Press, 1996)
Snowden, D 'Thresholds of Acceptable Uncertainty - achieving symbiosis between Intellectual Assets through mapping and simple models' Knowledge Management (Ark Publications, May 1998) (Republished in Knowledge Management Year Book 1999, Butterworth April 1999)
Snowden, D 'Three Metaphors, two stories and a picture - how to build common understanding in Knowledge Management Programmes' Knowledge Management Review (Melcrum Publishing, March/April 1999)
Willmott, H & Snowden, D 'Knowledge Management: Promises and Pitfalls' Mastering Management - The Reader 8 (pp17 et seq, Financial Times, 1997)
David Snowden is European director of the Institute for Knowledge Management. He can be contacted at:snowded@uk.ibm.com
James Luke is an Information Warfare Specialist at IBM. He can be contacted at:james_luke@uk.ibm.com
