Standards Today

EDITOR'S NOTE:

Giving it a Name

Andrew Updegrove

The year was 1960, and a dynamic young Democrat from Massachusetts was searching for points of vulnerability in his opponent's record, the vice president to the retiring, Republican incumbent. And the Cold War was in full swing.

One chink in the armor of Richard Nixon that John Kennedy thought he could exploit was the perception (inaccurate, as it later became apparent) that the Soviet Union had more nuclear weapons targeted at the U.S. than the U.S. had targeted at the U.S.S.R. In short, as the politically perfect sound byte had it, there was a "Missile Gap."

The concept of a gap in defensive or offensive military resources is not only ancient and important, but also easy to grasp. In modern times, we've begun to quantify areas in which national competitiveness can rise or fall depending on whether there is a "gap" between the resources of one nation and its trade rivals, most commonly in higher education (how many engineers are we graduating? How many biochemists?) and job skills (how many trained software developers are in the employment pool?)

But national competitiveness also depends on the efficiency with which the public and private sectors collaborate to promote national interests abroad. And if one half of that partnership isn't knowledgeable in an area of importance while other governments are, well you've got a gap that matters.

In this issue, I focus on one such gap for the U.S. in comparison to some of its largest competitors in global trade. That gap is the low level of awareness relating to standard matters in Congress and within some federal agencies. The premise of this issue is that this "Standards Sophistication Gap" needs to be recognized and closed.

In my Editorial, I focus on a small, but important first step being taken to raise the level of the government's game, and urge rapid passage of H.R. 5116, a bill that would authorize the National Institute of Standards and Technology (NIST) to play a more active role in supporting the federal agencies and Congress in addressing important standards-related issues.

This month's Feature Article, as usual, explores the same topic in greater detail. In it, I review NIST's historical role in the standards arena, and the ways in which its past experience have prepared it to play an expanded role in meeting complex, cross sectoral, standards-dependent challenges to our national competitiveness. I supplement this article with the Testimony that I delivered to the House Subcommittee on Technology and Innovation in support of this broader role.

For my Standards Blog selection, I return to a saga that I have tracked for many years in this publication: the fortunes of the OpenDocument Format (ODF). The best-known implementations of that standard are the free, open source productivity suite historically supported by Sun Microsystems known as OpenOffice, and StarOffice, the expanded and supported version of that suite that Sun sells to enterprise customers. Ever since Oracle announced its agreement to acquire Sun, proponents of ODF have wondered how well, and to what purpose, Oracle would continue to support these products. In my blog entry, I give my reading of the latest tea leaves that Oracle has made available on this topic.

Next up is Chapter 2 of my new mystery eNovel, a tale of espionage, intrigue, and technology called The Alexandria Project (the first chapter appeared in the last issue of Standards Today. If you are enjoy it, you can find 17 more chapters on line, and a new one every Monday at the same location.

I close, as usual, with a Consider This piece, and explore the enduring appeal of the gold standard in times (like these) of economic turmoil.

As always, I hope you enjoy this issue. But either way, it's always great to hear what you think. Let me know, why don't you?

The complete series of Consortium Standards Bulletins can be accessed on-line at http://www.consortiuminfo.org/bulletins/. It can also be found in libraries around the world as part of the EBSCO Publishing bibliographic and research databases.

Sign up for a free subscription to Standards Today.

return to top

---

EDITORIAL:

H.R. 5116: It's Time to
Close the "Standards Sophistication Gap"

Andrew Updegrove

One of the key goals of any properly motivated government is to ensure that its domestic industries will enjoy fair access to foreign markets — in other words, to assure the proverbial level playing field. With globalization and the penetration of the Internet becoming more complete, achieving that goal for U.S. interests is becoming both more achievable — and also more difficult. More achievable, in that our economy is increasingly based on the provision of services, and more and more services can now be delivered remotely. But also more difficult, because the same holds true in both directions.

This dichotomy applies in many other areas as well: those goods we still manufacture competitively tend to be high value, innovative goods (e.g., technology products) that can be marketed globally, because they conform to globally-adopted standards. But that edge disappears when the same products become commoditized.

In short, competing on a level playing field means that you still need to put the best team on the field, or you're no better off than before.

Just as the design of the equipment, and even high tech attire, of Olympic athletes can now spell the difference between success and failure, prowess in addressing the finer points of international trade competition increasingly separates the winners from the losers. The role of governments can therefore no longer end once the trade barriers have come down. This is particularly true if governments abroad are forming more effective public-private partnerships in pursuit of international trade opportunities.

One area where this is already happening involves standards, because standards can play a huge role in closing — as well as opening — markets to foreign competition. While there are protections against the former under the Agreement on Technical Barriers to Trade (applicable to those that have acceded to the World Trade Organization), those protections are at best cumbersome, complex and slow moving. By the time that a standards-based complaint has been brought to the attention of the Department of Commerce, registered internationally, adjudicated and settled, years of damage will already have been done.

The better way, as with any other area of international relations, is to spot and act on problems when they are brewing, rather than react to them after hostilities have already broken out. In the standards arena, that requires two competencies that have historically been in short supply in the United States: institutionalized, intra-agency sophistication and cooperation on standards matters, and a government-wide awareness that standards and competitiveness are inextricably intertwined.

Why worry now? Because the two largest markets in the world today besides our own, China and the European Union, are years ahead of the U.S. in their breadth and depth of institutional understanding of the relationship between standards and trade. They are also far ahead in integrating standards development and uptake into their international trade policies, and in connecting their public and private sectors to advantage in capitalizing on their standards policies in areas such as aerospace (in the EU) and wireless telephony (in China).

Meanwhile, in the private sector in the U.S. — by its own choosing — largely goes it alone when it comes to standards. Under the Technology Transfer and Advancement Act of 1995, the leadership of the private sector in standards development was not only recognized, but the federal agencies were directed to use private sector standards rather than developing its own.

In the past, this "bottom up" system has served the national interest well, in part because the U.S. has also been a leader in standards development in economically vital areas such as information and communications technology. In the future, however, that advantage will be increasingly challenged, as massively standards-dependent, policy-imperative goals such as deploying SmartGrid technology provide commercial opportunities too large for governments to willingly cede to foreign vendors.

Happily, there is a bill in committee in the House of Representatives that, if passed in its current form, would take an important first step towards making America more standards-competitive in international trade. In short, towards closing what might fairly be called an incipient "Standards Sophistication Gap." That legislation is found in Title IV of the America COMPETES Reauthorization Act of 2010 (H.R. 5116), and is titled the National Institute of Standards and Technology Authorization Act of 2010.

Among other actions, the bill would elevate the Director of NIST to Undersecretary status and approve an extensive internal reorganization of the National Laboratories. Section 4.05 of the bill would also expand NIST's historical standards-related mission, by empowering and directing the agency to play a more central role in coordinating standards-related matters of importance among the increasingly technology-dependent federal agencies. NIST has already been authorized to play such a role to support specific policy initiatives, such as developing the extensive framework of standards needed to make the SmartGrid a reality.

By institutionalizing this role, administrations could more easily recruit NIST in the future in support of important standards-dependent initiatives requiring public-private collaboration. Similarly, NIST would be encouraged to invest in the resources needed to train personnel and evolve methodologies to perform this function in the most effective and cost-effective manner.

Less noticeably, but equally significantly, H.R. 5116 would also recruit NIST to support national competitiveness by tasking it with bringing national and international standards-related issues to the attention of Congress at a time when those issues are just emerging, and can therefore be addressed in the most opportunistic and productive fashion. This would be a dramatic shift from the present, when standards related issues, if they reach Congress or the Administration at all, are likely to do so in a more urgent, damage-control mode after we have already been challenged abroad.

H.R. 5116 alone will not close the Standards Sophistication Gap. It does not, for example, instruct NIST to proactively and preemptively develop an ongoing, formal interface between the public and private sectors so that possible new initiatives in areas such as cyber security and global warming could be launched in a less ad hoc fashion. But it is a first, important step towards recognizing that our government must raise the level of its game at home if U.S. commercial interests are to truly capitalize on the benefits of a level playing field aboard.

I urge you to lend your support to H.R. 5116.

Copyright 2010 Andrew Updegrove

Sign up for a free subscription to Standards Today.

return to top

---

FEATURE ARTICLE:

Expanding the Role of NIST: Reconnecting
Government to Standards Development

Andrew Updegrove

Abstract: Over the past 100 years, the United States has evolved a unique separation of responsibilities in the standards area: the private sector standards development process provides almost all of the standards needed by government as well as the marketplace, with the governmental agencies (since 1995) obliged to participate in that process, and to report annually to Congress on their compliance with this charge. In parallel, since 1901, the National Institute of Standards and Technology (NIST) has performed a multipurpose role supporting industry and science, including by defining and providing the means to test for weights and measures. However, the advent of the Internet and other recent technological advances presents complex, cross-sectoral, standards-reliant opportunities, as well as challenges to the national interest at home and national competitiveness abroad that this existing system is ill-equipped to address. A new bill in the House of Representatives would provide an important first step towards creating the type of public-private collaboration needed to address such challenges.

If the governments of the major industrialized nations of the world were to be tested for sophistication in matters involving standards, the United States would score poorly in comparison with many of its peers.

Strange to say, such a sorry showing would not trouble much of the private sector, because over much of the last century private industry has made the most of its opportunities to develop the standards it needs, largely unhindered (except in the case of standards involving health and safety) by federal intervention. Over the past thirty years, American national, and especially multinational, companies have shown increased innovation by launching most of the hundreds of global standards consortia that now supply the great majority of the myriad information and communications technology (ICT) standards that have enabled the transformation of the American economy from one based on traditional manufacturing to one relying on modern technology and the remote provision of services.

Such a system of identifying, developing and adopting standards within the private sector as the need arises is usually referred to as a "bottom up" system, and contrasts with systems that operate in the opposite direction, with the same functions being assumed by the government. Such a system, inevitably, is referred to as a "top down" system. Most countries operate somewhere between these goal posts, with some (such as China) being very government oriented, and others (most notably the United States) being almost entirely industry-driven.

Historically, the bottom up approach has served U.S. interests very well. But the same motivations that led industry to assume the burden of developing its own standards also resulted in the creation of standard setting organizations (SSOs) that are very sector-specific, and often turf conscious as well. And in fact, until now, the national interest has not required a different system. To the extent that there has been a need for SSOs to collaborate, those needs have typically been limited to a desire to maintain communications to avoid redundancy, or to collaborate on the development of a single standard. These goals are usually met by the establishment of ad hoc networks among self-selecting SSOs using high-level, typically non-binding liaison agreements. Such systems are far too limited in sectoral breadth, commitment and resources to address challenges such as creating a SmartGrid, either within the ambitious time frames set by the current administration, or indeed at all.

In contrast, a "top down" approach should be capable of addressing such challenges, and in fact might be expected to have more (if not all) mechanisms needed to achieve such goals already in place.

To an important extent, the American National Standards Institute (ANSI) has been able to ameliorate this lack of a formal, collaborative infrastructure by providing a venue within which the many traditional SSOs that it accredits can meet and address matters of common concern.¹ However, the global consortia that create the great majority of information technology standards, and to a lesser extent communications standards, have to date been hesitant to participate widely in activities sponsored by the representative of a single nation.

ANSI has been successful in bringing both consortia and traditional SSOs together with varying degrees of success in the several "standards panels" that it has launched in recent years, in some cases unilaterally, and in others in cooperation with government agencies. These useful exercises have focused on areas such as biofuels, homeland security and nanotechnology. In the case of the Health Information Standards Panel launched with public funding and defined goals in October of 2005, the initiative represents the type of formal, public-private partnership contemplated by this article. In others, the goals have been more general.²

Despite the recent innovative examples of HITSP, the SmartGrid and EHRs, what remains lacking is an in-place mechanism that can not only identify and prioritize cross-sectoral standards-dependent issues before the need to resolve them becomes urgent, but also identify those existing SSOs competent to assume the duty of supplying specific categories of standards, recruit them to the task, resolve the inevitable differences that will arise between them, and then promote the results to industry and government for adoption — all within the space of a few years when the national interest depends on rapid action.

Although the lack of such an infrastructural mechanism has been exposed as a serious weakness in the process of launching the SmartGrid and EHRs, the significance of this weakness has not been widely appreciated, perhaps because few have realized that such efforts will need to be launched with increasing frequency in the future. What has become clear is that in order to reap the benefits of the complex, interactive, Internet-based systems that such initiatives seek to create, new ways are needed to integrate, control, secure and analyze their operations. In order to do so, an unprecedented number and variety of stakeholders, with more divergent needs and interests, must be brought into the pool within which consensus must be established before standards can be developed that must ultimately be voluntarily adopted or supported by all.

It is also clear that successfully accomplishing aggressive and complex standards-dependent initiatives will often require active government participation for additional reasons, since not only "top down" facilitation and coordination are crucial, but regulatory and financial support will be required needed to guarantee rapid, pervasive and effective adoption. The Obama administration has found it necessary to incentivize the private sector by providing huge subsidies to ensure that the resulting standards are actually implemented in order to achieve these ambitious goals within the aggressive schedules set out for them. The same will be likely to hold true to a greater or lesser extent in order to address other standards-dependent challenges already in view, such as tackling systemic cybersecurity vulnerabilities, enabling open government, and monitoring and addressing global warming.

In a definitively top down country like China, such challenges can be addressed within existing systems and utilizing traditional lines of authority. But when the Obama administration committed to its multi-billion dollar SmartGrid and EHR initiatives, it found that it had few tools at its disposal to generate the complex standards frameworks needed to make such systems viable. As a result, it found it necessary to jury-rig a process from whole cloth, convening ad hoc meetings of stakeholders (even at the White House) to gather input in an effort to achieve consensus, and then legislatively charge the National Institute of Standards and Technology (NIST) with selecting and overseeing private contractors hired to coordinate the creation of guidelines and frameworks that can be populated with standards already developed, and with others identified as needing to be developed, by existing SSOs.

While recognizing and crediting the creativity, speed, and rapid progress of these ad hoc efforts, it must also be acknowledged that this is not the wisest and safest way to expend tens of billions of dollars of public funding. Given that the SmartGrid and EHRs are only the first challenges that will require public-private collaboration, it is important to face up to the fact that if such efforts will be required on a periodic basis, a methodology should be developed and institutionalized to ensure that they will be met efficiently and well. Ad hoc measures such as those being employed to launch the SmartGrid and EHRs can be excused once, and perhaps even twice. But to make a habit of the practice would be to betray the public trust.

Top down, bottom up (or something else?) If it is accepted that a reliable way of addressing such challenges should be institutionalized, the next question is how? Should it automatically be assumed that the United States should convert to a top down system, or is a different solution possible? Similarly, would new bureaucracies be needed to fill the gap?

The experience to date with the SmartGrid and EHR initiatives suggests that the answer to each of these questions is "no." In each case, it is instructive to note that Congress opted to create a new type of collaborative, incentive-based partnership between the public and private sectors rather than to invert the control pyramid. And in each case, it selected the same, existing federal agency to establish and administer that partnership — the National Institute of Standards and Technology.

In fact, Congress had almost nowhere else to turn. Despite the essential role that the approximately one million standards in use today play in making just about everything we use useful, or even possible, throughout our national existence the federal government has maintained a remarkably aloof attitude towards their creation, investing essentially nothing in their development while relying heavily on their availability. This has been especially so since the passage of the Technology Transfer and Advancement Act of 1995³, which directs the federal agencies to replace, wherever possible, "government unique" standards in their procurement activities with private sector standards, and to participate in their development. The result is that rather than having systemic knowledge across government regarding standards, there are only isolated pockets of competence within individual agencies.

The historical role of NIST and standards: Despite the word "standards" in NIST's name, the United States has tasked this single agency with an astonishingly diverse range of duties. Among the remits that have accumulated under NIST's mission of promoting "U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life" are activities as varied as managing multiple scientific laboratories, operating over 400 local offices throughout the country to support small businesses, providing more than 1,300 reference materials from the mundane to the exotic⁴ to industry, and administering the Malcolm Baldridge National Quality Awards program. For all of these purposes, NIST has been given a budget of less than $1 billion per year.⁵

Given this broad current offering of duties and services, it is easy to forget that NIST's role in the traditional world of standards harks back to Section 8 of the U.S. Constitution, which grants Congress the power to "fix the standards of weights and measures." Notwithstanding this charge from the founding fathers, it was not until 1830 that the first (unofficial) U.S. office of weights and measures was established. It took Congress another 70 years to take action to support the development of federally determined, national standards of weights and measures to replace the welter of local and regional standards that had emerged in the vacuum of the national marketplace. Such measurement against standards as was performed was via instruments that had to be sent abroad for calibration, because the domestic competence to perform that function did not exist.

The NIST of today therefore traces its direct descent only from the National Bureau of Standards that Congress created in 1901 under the Department of Labor and Commerce.⁶ From the beginning, only some of its activities focused on standards. Indeed, as NIST explains its own origins in the "Welcome" paragraph of its Web site, it was not created as the nation's first bureau of standards, but as America's first "federal physical science research laboratory." The introduction goes on to note:

Over the years, the scientists and technical staff at NIST have made solid contributions to image processing, DNA diagnostic "chips," smoke detectors, and automated error-correcting software for machine tools. Just a few of the other areas in which NIST has had major impact include atomic clocks, X-ray standards for mammography, scanning tunneling microscopy, pollution-control technology, and high-speed dental drills. We invite you to explore our web site to learn about our current projects, to find out how you can work with us, or to make use of our products and services.

When compared to the agencies that are charged with standards development in other nations, it may seem surprising that NIST's self description places so little emphasis on its standards capabilities. The reason harks back to its origins.

When NIST was created, the challenge in establishing standards for commerce was not so much in defining the standards themselves as in developing the capabilities of testing compliance with them, and to calibrate the equipment used to do so. The exact weight assigned to the word "pound," after all, is irrelevant. But it is essential that when a vendor assigns a weight to a product in pounds, it does so accurately.

NIST's greatest challenge in its earliest days, then, was to not only define standards, but to perform the research and development necessary to provide the marketplace with the tools needed to reliably utilize these standards. That role has continued through to the present in such areas as the definition and calibration of time, and essential duty that NIST has addressed using technologies of increasing scientific sophistication, including (since 1949), atomic processes. Its current atomic clock is accurate to within one second every 20 million years. So precise is the measurement of time now required to be that the on-line Internet Time Service provided by NIST to scientists and commercial interests, such as commercial aviation, is updated 3,000 times per second.

The example of time determination illustrates the clearest historical demarcation between the roles assumed by the public and private sectors in this country. First, the development of means to test weights and measures is quite expensive. Second, ensuring that weights and measures are properly utilized in commerce is a traditional government regulatory function. Third, from its earliest days, NIST's mission has been to actively support commerce, and not simply engage in an isolated technical exercise. And lastly, the foundational responsibility established by the Constitution was limited to weights and measures.⁷

A final point bears mention in even so brief a review of the varied history of NIST, because it figures prominently in the context of the current discussion. Since its inception, NIST has played a remarkably agile role in supporting government and the public interest, taking on both new and transitory duties as the times have demanded. Those duties have changed and expanded as new industries have emerged that needed NIST's unique support (e.g., aerospace), when new issues have arisen that required intensive research and investment to address (e.g., in connection with automobile safety), when wars have placed sudden demands on the nation's industrial capabilities, and as more and more areas of scientific endeavor became essential drivers of national competitiveness.

In each of these cases, Congress has called upon NIST to step in to address new needs. Along the way, NIST therefore has been required to become not only a jack of many trades (and an expert in each of them), but to repeatedly step in as a pinch hitter when sudden needs have arisen.

At the same time that NIST was tackling the capital intensive and research-dependent standards-related tasks, industry was stepping in to create the types of standards (e.g., to enable interoperability) that can be created by private parties without great expense. The earliest private sector standards, such as those defining screw threads, did not require expensive testing at all. Other early standards, such as those regulating boiler construction and pressure, were developed by commercial firms in order to lower the frequency of well-publicized explosions, and therefore the insurance costs of their potential customers as well.

Industry came to appreciate the benefits of developing standards, and also the fact that the private sector could create them more quickly than government. Government, in turn, was happy to allow industry to assume the burden of this quasi-governmental function, while reserving to itself the right to set standards (via regulation) where it felt the need, as in areas of safety and public health. Even then, however, it was happy to incorporate private sector standards where they were appropriate and available.

Over time, private industry formed hundreds of dedicated standards bodies, trade associations, and more recently, industry consortia to create the thousands of standards that commerce required to permit healthy, successful, well-insured industries to develop and prosper. And NIST continued to do the basic research, laboratory development, and (when needed) actual testing of those standards that science, industry and government needed, but that required significant monetary and physical resources.

At the same time that private industry was developing broad competence in standards development, the federal agencies were developing their own unique standards for use in procurement. Often, these standards duplicated private sector standards in coverage, if not in detail. The result was that while competition drove the prices of private-sector standards compliant products down, the costs of government procurement continued to rise.

This bifurcation between public and private standards development was largely eradicated when Congress passed the Technology Transfer and Advancement Act in 1995, later augmented by the Office of Management and Budget's Circular A-119.⁸ The thrust of these two enactments was that the federal agencies should use private sector standards wherever possible, and also participate in their development.⁹ For most purposes, therefore, government had opted out of the standards development business, except to the extent that its employees took their place next to industry representatives in SSO technical working groups.

Congressional authorization of NIST: NIST's specific areas of authority arise under the National Institute of Standards and Technology Act (15 U.S.C. Ch. 7), originally enacted on March 3, 1901 upon NIST's creation as an agency within the Department of the Treasury.¹⁰ The Act, and NIST's authority and duties under it, have been often been amended since 1901, with the most extensive, recent revision of the Act occurring in 1988.¹¹

Section 271(a) of the NIST Act establishes NIST as "a science, engineering, technology, and measurement laboratory." The Congressional findings supporting the adoption of the Act in the same Section read as follows (the most directly standards-related sections are highlighted):

(a) The Congress finds and declares the following:
     (1) The future well-being of the United States economy depends on a strong manufacturing base and requires continual improvements in manufacturing technology, quality control, and techniques for ensuring product reliability and cost-effectiveness.
     (2) Precise measurements, calibrations, and standards help United States industry and manufacturing concerns compete strongly in world markets.
     (3) Improvements in manufacturing and product technology depend on fundamental scientific and engineering research to develop (A) the precise and accurate measurement methods and measurement standards needed to improve quality and reliability, and (B) new technological processes by which such improved methods may be used in practice to improve manufacturing and to assist industry to transfer important laboratory discoveries into commercial products.
     (4) Scientific progress, public safety, and product compatibility and standardization also depend on the development of precise measurement methods, standards, and related basic technologies.
     (5) The National Bureau of Standards since its establishment has served as the Federal focal point in developing basic measurement standards and related technologies, has taken a lead role in stimulating cooperative work among private industrial organizations in efforts to surmount technological hurdles, and otherwise has been responsible for assisting in the improvement of industrial technology.
     (6) The Federal Government should maintain a national science, engineering, and technology laboratory which provides measurement methods, standards, and associated technologies and which aids United States companies in using new technologies to improve products and manufacturing processes.

The second section of the NIST Act that is worthy of note is Section 272(b), which provides a list of the 13 functions that NIST is currently authorized to fulfill (the list has grown over time). Those sections that relate most directly to standards are as follows:¹²

(b) Functions of Secretary and Institute
     (2) to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for making measurements consistent with those standards;
     (3) to compare standards used in scientific investigations, engineering, manufacturing, commerce, industry, and educational institutions with the standards adopted or recognized by the Federal Government and to coordinate the use by Federal agencies of private sector standards, emphasizing where possible the use of standards developed by private, consensus organizations;…
     (6) to assist industry in the development of measurements, measurement methods, and basic measurement technology;…
     (9) to assure the compatibility of United States national measurement standards with those of other nations;
     (10) to cooperate with other departments and agencies of Federal Government, with industry, with State and local governments, with the governments of other nations and international organizations, and with private organizations in establishing standard practices, codes, specifications, and voluntary consensus standards;…
     (13) to coordinate Federal, State, and local technical standards activities and conformity assessment activities, with private sector technical standards activities and conformity assessment activities, with the goal of eliminating unnecessary duplication and complexity in the development and promulgation of conformity assessment requirements and measures….

Two aspects of the language above bear mention in the context of the current discussion. This first is the tight focus on certain limited areas of standardization. But the second is the assigning to NIST of the role of facilitator in standards matters among the federal agencies, between the federal agencies and the private sector, and between the federal agencies and domestic as well as foreign governments.

Expanding the future standards role of NIST: Under a bill now in committee in the House of Representatives (H.R. 5116), two new functions would be assigned to NIST that are crucial to allowing it to become an ongoing public partner in the type of public-private partnership that will be needed to address future complex, cross sectoral standards challenges.

Under the current form of the draft bill, those functions would be as follows:

     (14) to promote collaboration among Federal departments and agencies and private sector stakeholders in the development and implementation of standards and conformity assessment frameworks to address specific Federal Government policy goals; and

     (15) to convene Federal departments and agencies, as appropriate, to—

     (A) coordinate and determine Federal Government positions on specific policy issues related to the development of international technical standards and conformity assessment-related activities; and

     (B) coordinate Federal department and agency engagement in the development of international technical standards and conformity assessment-related activities.

The first of these two new functions accurately describes the role that NIST is currently playing under separate Congressional authority with respect to the SmartGrid. By institutionalizing this role within the NIST Act itself, Congress would not only permit the administration to call upon NIST more quickly as future needs arise, but would also encourage NIST to invest in the creation of the type of human and other resources, and accumulate the type of experience, needed to support those requests as they arise.

H.R. 5116 would also require NIST to compile and deliver a new annual report to Congress, identifying:

     (1) current and anticipated international standards and conformity assessment-related issues that have the potential to impact the competitiveness and innovation capabilities of the United States;

     (2) any action being taken by the Federal Government to address these issues and the Federal agency taking that action; and

     (3) any action that the Director is taking or will take to ensure effective Federal Government engagement on technical standards and conformity assessment-related issues, as appropriate, where the Federal Government is not effectively engaged.

Of greatest interest for current purposes is subsection (1), which would allow NIST to not only coordinate activities as requested by the administration, but to independently bring issues to the attention of Congress that NIST believes may impact national competitiveness.

Conclusions: Two of the great strengths of the American economic system are the robust, bottom up standards infrastructure that has been developed within the private sector, and the highly skilled, capital intensive resources of NIST, which provide standards-related tools and services that the private sector is not likely to develop on its own. Both of those resources should be preserved at all costs, but they should be supplemented by new, more direct public-private infrastructures that will allow American industry to meet policy needs at home while remaining competitive abroad.

Among all existing agencies, NIST is the most experienced and most obviously empowered public body to provide the public half of this equation. While H.R. 5116 is perhaps more modestly worded than might be hoped, it sets the tone, and would provide sufficient authority to take up that challenge. Hopefully, its passage by both houses of Congress, without diminishment, will be rapid.

Copyright 2010 Andrew Updegrove

Sign up for a free subscription to Standards Today.

---

End Notes

¹ It must be noted that while I am a member of the Board of Directors of ANSI, all characterizations of, and observations regarding, that organization are mine and mine alone.

² A list of ANSI Standards Panels can be accessed at http://www.ansi.org/standards_activities/
standards_boards_panels/overview.aspx?menuid=3. The HITSP Web site can be found at http://www.hitsp.org/. All on-line resources cited in this article were last accessed on May 21, 2010.

³ 15 U.S.C. 3701. The Act may be accessed at http://ts.nist.gov/standards/information/113.cfm

⁴ And sometimes even downright bizarre, as I explore I explored in a Consider This essay titled For Your Reference (June 22, 2005), at http://www.consortiuminfo.org/blog/considerthis.php?ct=29

⁵ A very readable history of the evolution of NIST's role during its first 100 years can be found at http://www.100.nist.gov/cent_toc.htm

⁶ When Commerce and Labor were later separated, NIST not surprisingly followed Commerce, where it remains today.

⁷ Of course, at the time the Constitution was written, weights and measures were the only empirical standards in existence. While the limitations on government powers in the standards arena that Congressional "strict constructionists" might nonetheless impose can be imagined, those limits will be left to the imagination of the reader.

⁸ Office of Management and Budget Circular No. A-119 (Revised February 10, 1998), Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities, may be accessed at http://www.whitehouse.gov/omb/rewrite/circulars/a119/a119.html

⁹ The Act also requires NIST to report annually to Congress on the Agencies compliance with the Act.

¹⁰ NIST was later moved to the Department of Commerce and Labor, and when that agency was divided, NIST remained with what is today the Department of Commerce.

¹¹ The full text of the NIST Act, with amendment history, may be accessed at http://uscode.house.gov/download/pls/15C7.txt

¹² The purposes of the NIST Act also bear mention:

    (b) It is the purpose of this chapter —
     (1) to rename the National Bureau of Standards as the National Institute of Standards and Technology and to modernize and restructure that agency to augment its unique ability to enhance the competitiveness of American industry while maintaining its traditional function as lead national laboratory for providing the measurements, calibrations, and quality assurance techniques which underpin United States commerce, technological progress, improved product reliability and manufacturing processes, and public safety;
     (2) to assist private sector initiatives to capitalize on advanced technology;
     (3) to advance, through cooperative efforts among industries, universities, and government laboratories, promising research and development projects, which can be optimized by the private sector for commercial and industrial applications; and
     (4) to promote shared risks, accelerated development, and pooling of skills which will be necessary to strengthen America's manufacturing industries.

return to top

---

POLICY:

Testimony Before the U.S. House of Representatives
Committee on Science and Technology Subcommittee
On Technology and Innovation

Andrew Updegrove

Recently I was invited to present testimony before a House subcommittee considering a portion of a wide-ranging House bill (H.R. 5116), part of which would amend sections of the Act under which the authority of the National Institute of Technology (NIST) is established. One of these changes was intended to elevate the status of this non-regulatory agency by raising the rank of its Director to Undersecretary within the Department of Congress, and another would consent to a reorganization of the National Laboratories recommended by President Obama's appointed head of NIST, Dr. Patrick D. Gallagher. A third would enlist NIST to assist the Federal agencies in addressing standards-related issues internally, and to assist Congress in recognizing and addressing standards-related issues of external importance.

It was the third series of changes that was of interest to me, and about which the Subcommittee had asked me to share my views, based in part on the recommendations that I had made in earlier issues of Standards Today, and in particular in two articles from the October/November 2008 issue: Behind the Curve: Addressing the Policy Dependencies of a "Bottom Up" Standards Infrastructure and 10 Standard Recommendations for the Obama Administration.

The text in question appears in Section 405 of the H.R. 5116, and as currently drafted, would add the following two new functions to the existing list of tasks previously assigned to NIST by Congress under Section 272(b) of the National Institute of Standards and Technology Act (15 U.S.C. 272(b):

     (14) to promote collaboration among Federal departments and agencies and private sector stakeholders in the development and implementation of standards and conformity assessment frameworks to address specific Federal Government policy goals; and

     (15) to convene Federal departments and agencies, as appropriate, to—

     (A) coordinate and determine Federal Government positions on specific policy issues related to the development of international technical standards and conformity assessment-related activities; and

     (B) coordinate Federal department and agency engagement in the development of international technical standards and conformity assessment-related activities.

The bill would also assign a new reporting function to NIST, described as follows:

     (b) REPORT.—The Director, in consultation with appropriate Federal agencies, shall submit a report annually to Congress addressing the Federal Government's technical standards and conformity assessment-related activities. The report shall identify-

     (1) current and anticipated international standards and conformity assessment-related issues that have the potential to impact the competitiveness and innovation capabilities of the United States;

     (2) any action being taken by the Federal Government to address these issues and the Federal agency taking that action; and

     (3) any action that the Director is taking or will take to ensure effective Federal Government engagement on technical standards and conformity assessment-related issues, as appropriate, where the Federal Government is not effectively engaged.

In my written testimony, as well as in my oral testimony and responses to later written questions, I strongly supported the amendment, as did the other witnesses. My testimony appears below, and links to the statements of each witness, as well as video and audio recordings of the hearing, can all be accessed through the meeting Web page:
http://science.house.gov/Publications/hearings_markups_details.aspx?NewsID=2774

Introduction

Chairman Wu, Ranking Member Smith, and Subcommittee Members. Thank you for the opportunity to testify on this important topic.

I ask that my written testimony be accepted into the record.

My name is Andrew Updegrove, and I am a partner in the Boston law firm of Gesmer Updegrove LLP. I am also on the Board of Directors of the American National Standards Institute (ANSI), but the opinions I will express today are mine alone. Those opinions are primarily informed by my experience in representing almost 100 non-profit membership organizations that develop and/or promote standards over the past 22 years.

I will seek to frame my testimony today in the context of three important areas where standards play a crucial role: achievement of policy goals, maintaining national competitiveness, and ensuring the efficient use of taxpayer dollars.

Over the last hundred years, our "bottom up," private sector-led standards development structure has served this nation well. This approach was wisely affirmed and strengthened by Congress in 1995 when it passed the Technology Transfer and Advancement Act (TTAA). But today, the world is changing in ways that I believe require us to optimize this "bottom up" partnership.

To whom can Congress turn when it determines that multiple industry sectors must be motivated to provide the standards tools needed to address ambitious policy goals? In the examples noted above, the answer has been clear: to NIST.

As we have become ever more dependent on technology in general and the Internet in particular, thousands of new standards have been required to simply make things work. Major policy initiatives such as the SmartGrid and lowering healthcare costs through national adoption of Electronic Health Records (EHRs) are each dependent on the availability of scores — and even hundreds — of standards, many of which did not exist when these initiatives were launched.

As we have become ever more dependent on technology in general and the Internet in particular, thousands of new standards have been required to simply make things work. Major policy initiatives such as the SmartGrid and lowering healthcare costs through national adoption of Electronic Health Records (EHRs) are each dependent on the availability of scores — and even hundreds — of standards, many of which did not exist when these initiatives were launched.

Unfortunately, while the private sector is capable of developing individual standards quickly for specific purposes within a single sector, it lacks the will to tackle complex, cross-sectoral challenges rapidly, in part due to the inherent difficulties of resolving competing economic interests. While adequate cross-sectoral solutions can, and usually do, evolve over time, urgent challenges such as cybersecurity and the rising costs of healthcare do not permit us the luxury to allow normal market forces to provide solutions. As a result, when the national interest demands the rapid development of a wide, cross-sectoral range of coordinated standards, a catalyzing force is needed. And note this well: challenges such as the SmartGrid and EHRs are but the advance party of a host of similarly cross-sectoral, complex, standards-dependent challenges that policy makers will face in the future.

To whom can Congress turn when it determines that multiple industry sectors must be motivated to provide the standards tools needed to address ambitious policy goals? In the examples noted above, the answer has been clear: to NIST.

Let me turn now to the topic of National Competitiveness

The development and deployment of standards is essential to creating new technologies and new product markets — and therefore to jobs creation and maintaining a healthy balance of trade as well. This lesson has not been lost on many governments abroad. In particular, policy makers in the European Union and China have integrally woven standards development and adoption into their national strategies.

Indeed, in 2005, a U.S. aerospace industry working group concluded:

Without a clear strategy and support from industry and government space agencies, the US is in the process of ceding the development of standards for the commercial space industry to venues outside of our influence.

The Chinese government has observed this process, and today is sponsoring the creation of more and more "homegrown" standards for the benefit of its domestic industries. This is especially worrisome, because standards are essential to every emerging area of potential manufacturing job growth on the horizon today.

But how are we to achieve such sophistication without abandoning our "bottom up" model? The answer, I believe, is to charge a single agency or department with the role of tracking emerging needs for public-private coordination, with marshalling facts and data for lawmakers and the administration to support the development and deployment of standards-aware international trade policy, and with providing a coordinating function between the public and private sectors.

Who could provide such a function better than NIST, which is not only the governmental domain expert in the area of standardization, and has acted in this capacity in the past with respect to multiple individual initiatives, but a part of the Department of Commerce as well?

Lastly, let me highlight the relevance of standards to the Efficient Use of Resources

There is no argument that widely adopted standards create competition, increase product choices and drive costs down. Hence, supporting the development of standards can have a very material impact in lowering government costs directly in procurement, especially where any agency can buy products from a single approved list. The same support can lower costs indirectly, because government-side standards adoption allows information to be entered once, and then exchanged widely, securely and rapidly across departments and agencies.

Because of the immense "soft power" of government purchasing, government can also provide incentives to industry to move rapidly in directions that are beneficial to society in general, such as towards greater cybersecurity, and towards greater accessibility for those with disabilities.

With these observations as background, let me turn to the three questions posed to me in your invitation.

1.   Why is coordination amongst Federal agencies and departments on technical standards issues important? How can it be improved?

Achieving goals such as protecting Homeland Security and making government more open, interactive and transparent requires the ability to seamlessly and securely exchange data among agencies, and in a consistent fashion with citizens, first responders and others externally. In order to meet that goal, I believe that it will be necessary to charge a single agency or department with the responsibility of facilitating the exchange of information and the coordination of action across agency and departmental boundaries. That body should also be required to report back to Congress on compliance with the program.

Given NIST's competence in the standards area, as well as its experience in compiling and reporting Agency compliance data under the TTAA, it appears to be the obvious candidate for this task.

2.   What could a future NIST role in technical standards be? How can NIST foster federal agency collaboration on international technical standards issues?

I believe that there are three ways in which our "bottom up" process needs to be optimized. In each case, NIST would be the logical choice to act on behalf of government:

• Most crucially, I believe that the role that NIST has played in initiatives such as the SmartGrid and EHRs should be institutionalized and optimized over time. The private sector simply does not have the will to self-organize and drive large, cross-sector, standards-based initiatives through to a rapid conclusion without the support and, frankly, the prodding of the government.
  
  
• In contrast to most other nations, there is no government-appointed spokesperson for the United States in all but one of the major formal international standards bodies, or in the hundreds of "informal," but often more influential, SSOs generally referred to as "consortia." ANSI is internationally recognized as the United States representative in several of the formal organizations, but it lacks an explicit Congressional appointment to serve in that capacity. In fact, NIST and ANSI have worked together productively on many initiatives in the past, and I believe that this relationship should be formalized as the principal conduit between government and private industry, thereby ensuring an ongoing and efficient flow of information. Among other benefits, NIST and ANSI could facilitate formulating joint positions between government agencies and relevant industry sectors on international issues when such unanimity would be useful.
  
  
• With the convergence of technologies and the rising importance of systemic concerns such as global warming, the need to develop positions relating to standards will regularly cross agency and departmental boundaries. NIST can act as a clearinghouse for communication between agencies to help them understand their respective needs and priorities. Similarly, NIST can coordinate their participation in SSOs to minimize cost, and maximize government input into the standards development process.

3.   Please share any perspectives on the proposed NIST realignment.

For historical reasons, NIST has become the custodian of a variety of missions, each of which must compete for necessarily limited resources. To the extent that realignment will help NIST support the goals that I have highlighted above, I think that it is crucial for Congress to support that realignment.

Conclusion

For decades, the United States has been a global leader in standardization, led in large part by private industry. The leadership of the private sector remains necessary, but it is no longer sufficient. The U.S. needs a more empowered, more activist NIST to bring our historical public-private partnership in the standards arena up to the demands of the present and the future, and to assist the Federal agencies and departments in efficiently managing the jobs that they have been asked to perform.

Mr. Chairman, ranking member Smith, and Subcommittee members, I would like to thank you for committing your time to these important matters, and for the opportunity to testify before you today.

Copyright 2010 Andrew Updegrove

Sign up for a free subscription to Standards Today.

return to top

---

STANDARDS BLOG:

Oracle's ODF Plug-in Pricing:
What's up with That?

Andrew Updegrove

When news of Oracle's intended acquisition of Sun Microsystems broke long ago, many people wondered what that would mean for OpenOffice, the most widely adopted full desktop implementation of ODF. But Oracle immediately imposed a company-wide "no comment" policy on that topic, so everyone has been wondering what the answer might be ever since.

So like many others, I expect, I'm trying to get my brain around Oracle's reasoning in deciding to charge $90 for a formerly free ODF conversion plug-in developed by Sun Microsystems. That downloadable plug-in was intended for Microsoft Office users who wanted to import ODF-compliant documents created, most obviously, by users of the free, open source OpenOffice.org (OOo) version, or of Sun's StarOffice, the for-sale, supported productivity suite based on the free OOo code.

Moreover, it's not just $90 you'll need to fork over — the plug-in is only available in packages of 100.

Before you ask: (a) yes, an Office 2007 service pack released some time back by Microsoft allows users of that version of Office (and also of Office 2000, 2003 and XP) to work with documents using ODF 1.0, but not the most current version of ODF, which is version 1.2; and (2) no, unlike OpenOffice, the plug-in was never made available by Sun as open source software.

For me, this raises three important questions:

1. What is Oracle trying to accomplish?

2. Is it likely to work?

3. Given that Oracle controls OpenOffice.org, developer of the most widely used desktop direct implementation of ODF, what does this indicate for the future of that software?

Here's my best take on answering those questions, but first here's some back story on how the plug-in came to be created to begin with, and why it was so important.

It all goes back to August of 2005, when the ODF story first burst onto the international scene. What happened back then was Peter Quinn, then the CIO of the Commonwealth of Massachusetts, decided that only the ODF and (Adobe's PDF) document format standard, but not Microsoft's competing XML-based specification (usually referred to as OOXML), qualified under the Commonwealth's Enterprise Architecture definition of an "open standard." With that, ODF vaulted into the public eye, and the most closely contested standards war of the last decade was on.

Opting for ODF over OOXML, however, didn't mean that Massachusetts could suddenly convert all of its 50,000 desktops over to ODF-compliant software. Among other difficulties, it had millions of legacy documents created using various versions of Office (none of which, by the way, were compliant with OOXML at that time, either). Thus, before Massachusetts, or any other large enterprise user that might want to follow its lead, could switch over, a way had to be found to at minimum convert over these existing documents, as well as deal with documents coming in from outside that were created using, most often, Microsoft Office and Word.

Unfortunately, neither OpenOffice, StarOffice, nor any of the other open and proprietary suites that had some degree of compliance at that time with ODF could pull that feat off with any high degree of fidelity. Proponents of ODF therefore had a great incentive to close the interoperability gap in order to seize the opportunity that the Massachusetts decision had suddenly opened.

Back then, Sun was walking an interesting line: under a court settlement it was not free to openly criticize Microsoft about OOXML, but behind the scenes it was doing a lot to support ODF. Not surprisingly, given its familiarity with OpenOffice and its investment in StarOffice, it created the first and best plug-in to provide reasonable interoperability between those programs and Microsoft's Office. That plug-in quickly became, and has continued since then to be, widely downloaded and used by both individual and enterprise users. (If you're a glutton for back stories, you can find all 223 blog entries I've previously written on this topic here.)

To summarize: for five years, Sun Microsystems developed, offered for free, and continued to maintain, a plug-in that supported OpenOffice and StarOffice. How? By making it easier for non-ODF users to deal with documents created by ODF users, so that more non-ODF users would be likely to become ODF users. Got it?

And it worked. Over time, more and more Microsoft shops downloaded the plug-in, so that today many, many SMEs and enterprise users can deal with ODF-based documents as they come in the door, which put more pressure (among other factors) on Microsoft to eventually include ODF support in Office and Word as well.

So if the free plug-in strategy worked so well for so long, why change now? Let's return to my three initial questions.

1. What is Oracle trying to accomplish? First, let's take note of another bit of news — the fact that, prior to its previous promises, Microsoft recently admitted (as contended by OOXML BRM convenor Alex Brown) that even its next release of Office will not support the "strict" version of OOXML that was adopted by ISO/IEC. That means that if you are, for example, one of the governments that preferentially buy products that comply with ISO/IEC standards, you will be more likely to buy natively ODF-compliant products than Office. The products that they will turn to (like StarOffice and OpenOffice) will not only be able to output documents that comply with the currently approved ISO/IEC version of ODF (version 1.0), but also the newer and more up to date version (1.2). Preferentially, users will output in 1.2.

That means that more ODF-compliant documents will be created using ODF 1.2 in those jurisdictions, which means that there will be more demand for plug-ins that can read those documents — because current versions of Office cannot.

Result? There's a profit opportunity for Oracle here.

One has to ask, though, is there enough profit to offset the benefits of continuing to offer the plug-in for free to help promote further uptake of ODF? After all, Larry Ellison has always taken delight in tucking it to Microsoft whenever he can, and even highly robust plug-in revenues will disappear into the rounding error of Oracle's balance sheet. So profit as a motive really doesn't make any sense.

What does make sense is this: you can still download a copy of OpenOffice for free, and then use OpenOffice to open the document that comes over the transom. Then you can export it again as an Office-readable document. In short, you can get a 100 downloads of a complete office suite for nothing instead of 100 copies of just a plug-in for $9000. What would you do?

That's where the beauty of the plug-in price comes in. Now, instead of 100 users with a plug-in, you've got 100 people who discover how easy OpenOffice is to use. How easy is that? Much easier than you expect, particularly if you own a computer that uses a post-Office 2003 office suite, and hate it. When you download OpenOffice, you'll feel like you have your nice, familiar copy of Office 2003 back again — and for free. Now isn't that nice?

Well, for an individual, yes. For a business, well, maybe not so much (see below).

2. Is it likely to work? For this one, you have to ask the time-honored question, "Who's the customer?" For individuals and small businesses, not only is it a no-brainer, but it's also no choice, since they are hardly likely to buy 100 copies of something when they only need one or a few copies. For the enterprise user, the $18 volume discount price would be an annoying, but presumably bearable, addition to the cost of maintaining each desktop if it made use, integration and maintenance easier. But for a smaller business, $90 would be too much. Unfortunately, integrating OpenOffice might be a non-starter as well. Ultimately, someone else will probably come out with a cheaper alternative.

Now let's take a look at the pricing for Oracle Open Office (the new name for Sun's former StarOffice and StarSuite). Here's what you'll see at the Oracle site.

• Oracle Open Office Standard Edition (perpetual license): $49.95
• Enterprise edition: $18 – $90, depending on volume
• Office plug-in: $18 – $90, depending on volume

Let's see now; so I can get the full, supported suite for the same price as just the plug-in. Hmm. What should I do?

No, this certainly won't convert many Office users to an Oracle Open Office user. But with a new version of Office coming out, which will require new license fees, new integration fees, and new training costs, it might make some users more likely to make the switch, particularly if they are facing an upgrade decision. After all, StarOffice is still a whole hell of a lot cheaper than Office, and continues to get better and better.

So assuming that this is what Oracle is up to, will it work, and if so, to what extent? That's a pretty complicated question, because there are so many different types of users and individual situations. But I think it's fair to say that it makes as much sense as keeping the plug-in free (at least, for Oracle), and also helps to justify the substantial ongoing costs of maintaining and upgrading both the proprietary as well as the open source versions of ODF.

3. What does this indicate for the future of ODF-compliant software? Overall, I don't think this is a good thing for ODF, and maybe not, when all is said and done, maybe for Oracle, either. Happily, the future of ODF is not tied to the future of OpenOffice any more than it is now to the procurement decisions of the Commonwealth of Massachusetts. Just as Peter Quinn's decision was later reversed, ODF now has sufficient traction around the world that it is no longer dependent on the existence of OpenOffice as a credible alternative to Office. After all, there are other quality open source as well as proprietary ODF-compliant suites (the SoftMaker version is apparently particularly good), and there are cloud-based compliant office suites available as well, such as Google Docs.

Conclusion: While the existence of OpenOffice was essential to ODF in the first few years after Peter Quinn's quixotic decision to support the rebel standard, ODF is now past the point where its future is dependent on it. And in point of fact, Sun was always at best a flawed steward for the poster child implementation of ODF, keeping too close control over it to attract the kind of broad individual and enterprise support that flocked to contribute to Linux and Apache, for example.

Overall, though, I think that Oracle has probably made a reasonable decision insofar as its own self interest is concerned. It does leave open one tantalizing question though, that's harder to read: does the decision to charge for the plug-in indicate that Oracle is taking its ODF-compliant office suite unit seriously as a money maker, and plans to put serious resources behind it, or that it is simply imposing a bean-counter's discipline on the unit to make money?

If it's the former, than that's good news for the ODF community, because OpenOffice still has the most dedicated users, and the most credibility, of all the alternatives. And if the paid version gets traction, there will be more third party software developers, like those that create crucial software, such as document management tools, that will take the time to integrate with it. This is essential to creating a true proprietary as well as an open source competitor to Office.

But if it's the latter, well, that would be a real shame. But it wouldn't be the end of ODF.

Bookmark the Standards Blog at http://www.consortiuminfo.org/newsblog/ or set
up an RSS feed at http://www.consortiuminfo.org/rss/

Copyright 2010 Andrew Updegrove

Sign up for a free subscription to Standards Today.

return to top

---

THE ALEXANDRIA PROJECT:

Chapter 2: The Plot Thickens

Andrew Updegrove

New to The Alexandria Project? Find a plot synopsis and guide to the characters here, find the earlier chapters here, and follow the Further Adventures of Frank on Twitter

Frank wondered how long his phone had been buzzing.  He was about to turn it off when he saw that it was his daughter Marla calling.

"Hi Kid," he said, "Listen…"

His daughter jumped in.  "Hey, Dad, thanks for picking up.  I considered worrying about you for a second, and then figured you'd never really jump out the window — you're only on the second floor, after all, and broken bones don't solve anything.  I mean, you're just much too logical not to think of that.

"So how's your big morning-after-the-night-before coming along?"

Frank tried to escape again, "Listen, Marla, this just isn't a good time.  I'm in the middle of something, and…"

"Right.  Fat chance YOU got lucky last night.  I'll be right over."  She hung up.

Frank looked helplessly at the phone.  He started to call her back, and then snapped the phone shut.  She wouldn't answer anyway.

Frank turned back to his laptop and took stock.  All he really knew so far was that a file directory in the most secure part of a government computer system had been compromised by someone with hard to guess motives.  That, and the fact that whoever had broken in either had a snarky sense of humor, or wanted to lead him down the wrong path — or both.  No matter how you looked at it, there wasn't a lot to work with.

Frank's fingers drummed on the kitchen table for a full minute, and then opened the Alexandria Project screenshot again. This time, Frank opened it using a photo editing program.  But cleaning the image up as much as possible uncovered no new clues.  More finger drumming didn't help, so for want of anything more productive to do, he deleted the Greek text, typed in the English translation where the Greek characters had been, and stared at it some more.

Frank wondered how seriously to take what had just happened.  After all, someone with truly malicious intent would never have left a message.  Instead, whoever had launched the exploit would do everything he could to avoid detection.  But if the intruder wanted his exploit to be known, what exactly was he trying to prove?  Perhaps he was just showing off.

That would still be troubling enough, Frank thought, given how deeply inside the LOC's defenses the intruder had penetrated.  And what if the files the mysterious cracker had decided should be "contributed" had been really important files?  Or files that had just been created, and hadn't yet been backed up?

On a hunch, Frank started typing again.  A few new passwords and a number from a different RSA SecurID token than he'd used before, and he was staring at the same directory at the offsite backup center for the Library of Congress.  He hesitated, and then clicked on the enter key for his security proposal.  Nothing.  And then the following message appeared:

Frank was impressed; he also had to grudgingly admit he liked the guy's sense of humor.  Whoever had hacked the LOC's system was good — really good.  He had not only penetrated the LOC's primary security system, but managed to pass a virus through to the Library's backup site as well, thereby ensuring that whatever had been "contributed" was gone for good.  That was truly disturbing.  If the cracker could do that with one file, theoretically he could do it with every file on every server available from his point of entry.  Frank would have to put some real effort into working this one out.

And then it struck him: why bother?

Frank smiled slowly and leaned back, all of the tension that had been building up inside him disappearing all in a rush as he laced his fingers behind his head and stretched his legs out under the table.  This was actually rather cool, wasn't it?  No, he corrected himself, this was really, really cool.

Up until that moment, Frank had been secretly dreading checking his email.  Now he opened it with relish.

Yes, there was an email from George waiting for him.  Frank grinned wickedly as he read the subject line — in all caps, even:  "WHAT IS THE ALEXANDRIA PROJECT?"

"Great question!"  Frank banged out happily.  "Better get Rick on that right away!"   He hit the "send" button with a flourish, and leaned back again, staring gleefully at the screen as the message disappeared.

Frank poured himself another cup of coffee and toggled back to the screen with the Alexandria Project logo in translation.  Now he saw it with a new sense of appreciation.  It actually was an awfully good looking image, wasn't it?  Just right to replace his old screen saver.  Amazing how quickly a day could take a turn for the better.

Just then he heard a knock, followed by Marla's key rattling in the door down the hall.  Frank got up to usher her in.

"Hey, kid!" he greeted her, smiling broadly.  "It's great to see you."

"My, you sound perky," she said, looking at him with curiosity. "I thought after last night's little passion play I'd find you huddled in the corner in a fetal position, moaning softly."

Marla put the bagels and fruit she'd brought with her on the kitchen table, and then went into the hall to hang up her coat.  Returning, she found her father standing behind his laptop with arms crossed, and a goofy grin spread across his face.

"So what gives, Charles Atlas?  Somebody else holding all the world's cares on their shoulders for you this morning?  I haven't seen you look this happy since Rush Limbaugh got busted for popping illicit pain pills."

Frank just continued to grin and pointed at the laptop.  Marla's face looked a question, but she didn't want to ask for an explanation if her father hadn't chosen to offer one.  She sat down and stared at the screen, searching for clues.

"Okay," She said.  "So you've found a new charity you like, and that makes you all giggly?"  Frank just raised his eyebrows, so she looked at the screen again, vexed that her father had posed a riddle she couldn't solve.

Finally, she had to give up.  "Alright, whoever you are, what have you done with my cranky old man?  I'm not saying this isn't a huge improvement, but unless you agree to keep him, you might as well let him go now."

Frank traded the goofy grin for a simple smile and sat down.  "Sorry to be so mysterious," he said, pouring her a cup of coffee.  "It's just that it's not every day I get to savor something this delicious.  And this really is good."

"Fine," she said.  "Now share."

"So here's what's up: you've certainly figured out by now that I expected to get the project that Rick was given last night.  And you've also assumed, I'm sure, that it was a security project, or my nose wouldn't have been so far out of joint."  Marla shrugged.  Of course that much had been obvious, but she didn't want to embarrass her father further by admitting it.

"If so, you're right on target.  Now here are two things you don't know:  first, the project is an important one: the boys up on the Hill suddenly have their knickers all in a twist about cybersecurity.  And it's a damn good thing they do, too, because there are bad guys out the wazoo out there with plenty of reasons to want to tuck it to us — North Koreans, Revolutionary Guards from Iran, the big boys in Al Qaeda, wherever they're hiding out, criminals in Eastern Europe and Russia, and who knows who else.  And the easiest way to wreak havoc on the only remaining super power in the world is via an Internet connection.

"Isn't that a bit of an overstatement, Dad?  I mean, with all the money we spend on defense, how could some rogue nation, much less a criminal outfit, manage that?"

"How?  Because we haven't done enough to prevent it.  In fact, it wasn't until last June that the Department of Defense formally acknowledged that cybersecurity protection needed to be part of national defense.  That's when Secretary of Defense issued an order establishing a Cybersecurity Command — but it won't be fully operational until this October.  That's just the first step needed.

"And that's pretty scary, because if you think about it, our $600 billion annual defense budget makes us more vulnerable, not less so.  Why?  Because everything we do now is controlled by computers — all the bombers, all the rockets, all the ground troops — everything.  Worse, it's all controlled through the Internet.

"Sure, the government uses passwords and firewalls and all that, but data still has to get in and out or it isn't useful.  The CIA bigwigs at Langley have to suck information in from their resources all over the world, and they also have to get instructions back out to their agents in the field.  Same with the Department of Defense.  The generals and civilian managers back at the Pentagon need to bring information in and send orders back out.  All that data is spewing in and out like a giant fire hose — video from predator drones flying over Afghanistan, satellite data from all over the world, battlefield intelligence from spotters in forward positions, and much, much more — gigabytes of it every hour.

Marla looked unconvinced.  "Okay, so why is this any different from the old days, when all they had were secure telephones and secret codes for anything that went out by radio?  It may be more information now, but aren't the challenges just the same?"

"Yes and no," he admitted, "and the ‘yes' bit is by far the smallest part.  The first thing to realize is that in the old days, besides sending paper documents by courier, all you had to worry about were voices and Morse code signals.  Both of those data streams relied on "analog" technology — telephones and radios generated electric, and electromagnetic, pulses.  Even if a bad guy managed to intercept the call or transmission, all he could do was record it and play it back later.  These days, of course, we can send all kinds of information electronically in addition to voice — everything from text to spreadsheets to video to radar images to you name it.  And all that information is transmitted as "digital" data — as you know, that's just ones and zeroes.  But those ones and zeroes can be analyzed, stored, searched, repurposed and altered in ways that a voice recording never could.

"So?"  Marla asked.  "That should just make things a whole lot easier to deal with, shouldn't it?  I mean, computers can just encrypt all that information automatically, right?  In the old days, someone had to use code tables and other tricks to encrypt messages at one end, word by word, and then someone else had to do the same thing in reverse at the other end before they could be read.  And if someone broke the code and you didn't know it, you were cooked.  Remember how the Brits cracked the Nazi's Enigma machine code and the Germans never figured it out.

"All that's true," Frank said, "but there are some important differences.  Back when most information existed only in paper form, it was easy to control how many copies of a top secret document there were, and who had access to them.  And you could put them behind walls, locks and guards.  Now they're all on servers, and those servers are all linked together, and…"

"Ok, Ok," Marla interrupted.  "You've ranted at me about this often enough before."

"Hardly ranting," he said primly.  "Simply fulfilling a father's duty to pass along important information to the next generation."  Marla made a face at him.  "But to continue:  every day, every big enterprise is adding new computers for new employees; swapping out old routers as part of normal maintenance; updating obsolete software and adding new programs.  All of that has to be done according to strict protocols, or it introduces points of vulnerability.  And as you know, when you allow email to be received, bad stuff can come in that way, too.

"These are all very real vulnerabilities.  Every moment, the bad guys are probing our systems for gaps in our defenses.  It only takes one vulnerability to allow a bad guy to get something through the firewall, and it may be very difficult for us to find it thereafter.  Once it's inside, it can start prowling around, and when it finds what it's looking for, it will try and open up a port so it can send that data back out again to whoever planted it in the first place.  Or maybe it will corrupt or delete the information so it's no longer available, or perhaps subtly alter it in such a way that while it may seem fine, it's actually no longer trustworthy.

"Or maybe the virus just sits there, like a living member of a sleeper cell, just waiting for the right time.  You don't know it's there, but it is.  One day its clock runs out, or it gets a signal from outside, or maybe even gets triggered by something inside it's been waiting for.  Then it does something truly destructive, like take down a key system just when it's needed the most.

Marla broke in.  "OK, I'm appropriately impressed.  But if this is so dangerous, why don't we hear more about this kind of risk?"

"But you have, my dear," he replied.  "Do any of these names ring a bell?  Heartland?  T.J.X?  Hannaford Brothers?"

"I remember hearing the name Heartland before.  Wasn't that the big credit card security breach that was in the news awhile back?  So I'm guessing the other two were also security breaches, right?"

"Bingo."  Frank nodded.  "In the biggest breaches, like those, the credit and debit card information of millions of people gets compromised, and often even by the same guy, a cracker named Albert Gonzalez."  Frank had been pulling Gonzalez's mug shot up on his computer while he was speaking.  "Here — that's the guy."

"Hmm.  Not a bad looking hacker," Marla observed appreciatively, watching her father out of the corner of her eye.

"Cracker!"  Frank corrected her.  "Crackers wear black hats.  Hackers aren't criminals.  Your father is a hacker."

"Whatever," Marla responded emphatically.  "Are we getting any closer to the point here?"

"Yes," Frank replied tartly.  "And I doubt Gonzalez will look like that by the time he gets out of Federal prison.  Anyway, in the data breach you remember, Gonzalez got a virus called a "sniffer" inside the firewall of an information processing company that sits between the merchants downstream that take in credit card information, and the financial institutions upstream that complete the card transactions.

"What a sniffer program does is look for information, and when it finds what it wants, it sends it back to the cracker that planted it to begin with.  All it took was one employee adding a wireless router to the system and forgetting to set the security settings up properly.  Probably in no time flat, the automated software Gonzalez was using found this vulnerability, and in went the sniffer.  It was two years — and 40 million pirated customer records — before Heartland realized it was broadcasting sensitive personal financial data to criminals.

"Okay, so a company goofed up," Marla objected.  "I would certainly expect our government to be much more careful."

Her father raised his eyebrows, and Marla paused.  "Or maybe not," she admitted.

Frank smiled smugly and continued.  "Unfortunately, the federal government is a lot like the credit and debit card system — it's got thousands of locations with computers, countless types of hardware and software products in use (and changing) at any time, and millions of people who might be a little bit lazy or not well enough trained.  So every government agency has thousands of points of potential vulnerability.  All it takes is one careless moment by one individual, and this time it could be the Department of Defense, or the CIA, or the White House that gets the sniffer.

"And it's worse than that," Frank continued.  Check out this article in the New York Times, which describes a recent top brass meeting on how the U.S. could respond to a cyber attack:

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What's more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

"And what state are our defenses in?  Check this quote out:"

William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America's concepts for protecting computer networks reminded him of one of defensive warfare's great failures, the Maginot Line of pre-World War II France.

"So I'm getting the "not good" part here loud and clear."  Marla acknowledged. "But what does that have to do with you and Rick and the LOC?  And what does it especially have to do with the gnomic message on your laptop, by the way?  Remember your laptop?  I believe it's what I see on your laptop we were actually talking about."

"I'll get to that."  Frank responded, but Marla groaned and put her head on the table; she was all too familiar with simple questions posed to her father that were still unanswered fifteen minutes later.

Frank made a face this time.  "Alright.  I'll move on.  But just keep this part in focus:  for all our wealth and strength, any third world country — or even a terrorist organization — can theoretically crash an entire agency — or, for that matter, Wall Street — if they put some smart guys to work on it.

"Fine.  I'm appropriately terrified.  Now Daddy, make your little girl feel warm and secure again.  You are going to make it all better now, aren't you?  Please?

Frank smiled ruefully.  "That's a tall order.  But I will tell you what we're trying to do about it, or at least the non-classified details that make their way down to someone at my level.

"The new administration is much more aware of cybersecurity than the old one, thank goodness, and more creative, too.  They've decided to take a competitive approach to the problem and have told every single agency and semi-independent department, like the LOC, that it has to design its own security plan — and fast.  We've only got until February 28 to submit our security proposal to the White House.

"And that's a really good idea.  The thought is that if we get fifty different teams competing, we'll come up with a lot more clever ideas than we would if we had just one design team.  And if we cherry pick the best ideas that come back, we'll get better system-wide solutions than if we hired just one outfit to design a plan.  Even better, we should be able to come up with and implement several different system plans, rather than just one.  That way the whole government won't be vulnerable to a single attack across the board, or as likely to permit a successful exploit in one agency to infect another once it's inside the first one.

"And George thinks that Rick is going to be able to pull that off better than you?"  Marla looked both dubious as well as offended on her father's behalf.

Frank suddenly looked less cheerful.  "Yes, and George may be right.  This is one of those projects that requires getting a whole lot of people on the same page.  It will take lots of meetings; lots of compromises; lots of cajoling.  That's not exactly where I shine.  Last night I could have punched George in the nose, but this morning I have to admit that everybody else would probably want to punch me within a week if I was in charge.

"Still having trouble with that ‘smartest guy in the room' problem, huh?  And it sounds like it would involve actually having to talk to people.  I know how that makes your day.

"It's not only that," her father replied wearily.  "Yes, I'd be frustrated when some people couldn't keep up with me.  But at the same time, I probably wouldn't focus well on the big picture, either.  Plus, whoever is in charge is going to have to spend a lot of time grinding away on administrative details, and I get too impatient.

"Finally, anybody that tackles something like this has to balance what's perfect with what's practical, so that overly strict security requirements don't bring everything to a standstill, or require people to do more than you can actually get them to do.  And that rubs up against the purist in me.  In order to come up with a really good solution, we need to take into account how people really act.  Otherwise, people will be tempted to take short cuts that leave security gaps.

"In short, doing something like this takes lots of things I just don't have the patience for, or for that matter, much talent.

Marla interrupted him and gently changed the subject:  "So what about this Alexandria Project thing?"

"Ah yes!" Frank responded, brightening considerably.  "It seems that my good friends George and Rick may be facing a deadline that's much earlier than they expected, and a challenge that I bet is a lot more than either of them bargained for.

Read the next chapter

Read the last chapter

Email this chapter to a friend

Follow Frank's Further Adventures here and on Twitter

Copyright 2010 Andrew Updegrove

Sign up for a free subscription to Standards Today.

return to top

---

CONSIDER THIS:

#63 How Now, Gold Bug?

Andrew Updegrove

Sometimes, its just turtles, all the way down

Standards cover an awful lot of ground — how big things are; how much they weigh; how fast they go; how much power they consume; how pure they are; how they must be shaped so that they fit together — the list goes on and on. But despite the enormous range of characteristics that standards define, you notice that they all have one thing in common: you can describe them by using the word "how."

In short, standards relate to measurable things. Indeed, the earliest formal standards created in societies everywhere were usually those related to weights and measures. Invariably these were established when trade became more sophisticated than tribal bartering. Ever since, the history of standards has largely been one of establishing ways to define more and more measurable characteristics as they became important and as the scientific ability to test them came along.

There is, however, one exception to this rule. Curiously enough, it involves a standard that is as old as weights and measures themselves. And despite its ancient lineage, nations still can't agree for very long on what measuring stick should be used, or how it should work. This is rather remarkable, given that the standard in question is perhaps the only one that nearly everyone makes use of almost very day of their lives.

That standard, of course, is money — dollars, Euros, renminbi — each one a measure of value.

The problem starts with the fact that while any two people may agree on what it means to say that a given object weighs a pound, the value of the object in Pounds is necessarily in the eye of the beholder. There are temporal issues to address as well. While the weight of the object in question will still be one pound tomorrow if left undisturbed, its value in the marketplace will likely have changed, even if only slightly.

All well and good, you may say, but a standard is the way we measure value, not the value of the object itself. So if it's worth £3.01 tomorrow instead of £3.00, what's your point? We can still measure the difference (domestically, at least) in new pennies. Fair enough. But consider this: if something's value changes, it must be changing relative to something.

Now what exactly might that be? When we say that the object in question is one metre long, we are more efficiently saying (thank heavens) that its length is the same as the distance that light would travel, in a vacuum, in 1/299,792,458 of a second. With the kilogram, the earth's gravitational force at a certain place and altitude provides our yardstick. But where is that certain something we use as the reference point for that Pound of which you speak?

Tricky, that. Trying to find the reference point for that dollar is rather like finding out what the true foundation of the world might be from the perhaps apocryphal person who famously believed that the earth is a giant bowl residing on the top of an enormous turtle. When asked what the turtle was standing on, she scornfully replied, "Don't talk such nonsense! It's turtles all the way down!"

Determining what the dollar is "standing on" matters, because even if we are dealing with perceptions rather than empiricism, the rise and fall of markets, interest rates, and even nations rests on the perception of the relative wealth and creditworthiness of those involved.

So it is that people have struggled from the dawn of time with how to measure what is, in fact, an abstraction. That effort has too often involved forcing the round peg of traditional standards rules into the square hole of monetary policy. When that happens, people time and again have turned to a single gleaming, elemental reference point to give some sort of reality to the value of their dollars and pounds, roubles and francs.

I refer, of course, to gold — the "Mama Bear" of monetary reference points. There's neither too much of it available to be unwieldy to store securely nor too little to go around for everyone to rely on; it doesn't oxidize, so it doesn't require special care to avoid deterioration; its supply doesn't grow faster than the global economy (the opposite is true); and perhaps best of all, it has intrinsic visual credibility — it looks valuable, and desirable, too.

As a result, gold has always provided an appealing option as a reference point for establishing value. Even from ancient times, it has been used far less often as coinage than to back up the credibility of coinage made of lesser metals. Because the amount of gold in the treasury of the sovereign whose mint struck a given type of coin supposedly equaled the amount of coinage placed in circulation, the coins had credibility. Indeed, in some countries in some eras coinage could actually be presented at a mint in exchange for gold.

In the modern era, bank notes have largely replaced coins, but in many cases (as in the United States) those bank notes could be exchanged for actual gold coins, and later for silver. Only in the mid twentieth century were "silver certificates" removed from circulation in the U.S. After World War II, the gold standard was internationally formalized with the dollar as the first link in the valuation chain: under the Bretton Woods treaty, the value of the dollar was fixed at 1/35^th of a Troy ounce of pure gold, and other nations indirectly established the value of their currency relative to gold via conversion rates into dollars.

Nor was this completely an abstraction. By the same agreement, treaty parties had the right to redeem dollars for actual gold. All this ended in 1971 when an economically beleaguered U.S. President (Richard Nixon) unilaterally dropped out of the treaty. Today, modern nations issue only "fiat currency," backed by nothing tangible at all.

Meanwhile, domestically as well as internationally we increasingly employ less and less to represent more and more — pieces of plastic, or indeed nothing tangible at all — simply digital numbers displaying above ATM keypads, electronic signals exchanged between banks, and debits applied to accounts as we drive at speed through toll booths.

In such a world, one might reasonably ask whether there is any empirical measurement of "value" at all? The answer, I would submit, is "no."

As evidence, witness the enormous increase in the money supply issued by central banks in countries such as the United States during the recent recession. Despite the fact that the value (however measured) of gross national production declined in the U.S. relative to the years preceding the economic crisis, the amount of exchangeable currency (both printed and virtual) was made to increase dramatically. In other words, there was no measurable relationship between the supply of money and any underlying value at all. Instead, the Federal Reserve relied on the marketplace to believe that somehow everything would all work out, with neither the type of catastrophic inflation or deflation to follow that would lead a holder of government debt to suffer.

The result has been a call from a surprising number of quarters to roll the clock back a hundred years and revert to a gold standard, ideally on a global basis. One express goal of such a move would be to prevent a government from issuing more currency and loans than it could pay back if the holders of currency sought to redeem their holdings in gold (necessarily valued now at something like $6,000 an ounce, given the size of the global economy relative to the available supply of bullion).

Superficially, such a suggestion sounds rational. This being economics, of course, there are as many who hold the opposite view, pointing out that in the Great Depression, the speed with which a nation's economy revived after the Crash correlated closely with the rapidity with which it abandoned the gold standard in favor of easing credit. Sometimes, it seems, delinking the currency supply from the value behind it may be a good idea.

Perhaps it would help gold bugs abandon the dream of resurrecting the past to find the future by pointing out one simple fact: if we're going to peg everything to gold, what is it that we're going to peg gold to? Yes, such a system might to some degree rationalize economic relations between countries, but the world as a whole would remain unsupported. Sadly, there simply aren't any more turtles underneath to support whatever value it is we agree to give to gold.

All of which leads me to conclude that arguments over a return to the gold standard only distract us from developing the kinds of standards we really need to ensure the credibility and stability of the financial system. Those standards go by a different names, though. We call them laws and regulations.

Copyright 2010 Andrew Updegrove

Read more Consider This… entries at: http://www.consortiuminfo.org/blog/

return to top

---