NextGov
Tech Insider
What's happening in the federal IT community

Risk management

Security vs. Privacy? It Need Not Be So
By Bruce McConnell  |  Wednesday, May 14, 2008 |  10:15 PM

Fifteen years ago, cartoonist Peter Steiner drew two dogs sitting in front of a computer, one saying to the other, "On the Internet, nobody knows you're a dog." This iconic adage, cute in its day, is now a warning.

Criminal, terrorist and nation-state cyberattacks against banks, technology companies, online merchants, individuals and government agencies cost the U.S. economy $400 billion annually, focused most often on stealing business and military secrets, and personal data.

In cyberspace, not knowing for sure what person or device is on the other end of the line has serious downsides. It erodes overall trust, limits users' ability to secure their own systems, hinders effective governmental response, and causes organizations to collect more personal data than they really need.



A Problematic Call for FDA Risk Management
By Robert Charette  |  Wednesday, May 7, 2008 |  4:14 PM

Allan Holmes pointed me to a recent story in the Congress Daily. It seems that Edward Kennedy, D-Mass., chairman of the Senate Health, Education, Labor and Pensions Committee, circulated on Monday a list of options for strengthening drug and device safety that are being considered for inclusion in legislation Kennedy's panel is reviewing to improve FDA oversight.

The recent contamination problems with foreign-produced heparin, which is believed responsible for the deaths of 81 persons in the US, as well as chemical-tainted wheat gluten in pet food, have been major drivers for strengthening the FDA's oversight capabilities.

The story goes on to say:



Air Marshals on Terrorist No Fly List?
By Robert Charette  |  Friday, May 2, 2008 |  12:16 PM

The Washington Times is reporting that Sen. Russ Feingold, D-Wis., wants to know "why federal air marshals (FAMs) were prevented from boarding some flights because their names matched those on the terrorist no-fly list, and whether the problem has been solved."

The Times ran a story yesterday that said the problem has persisted for years, but it wasn't until April 23 that a new security directive was released "to address those situations where air carriers deny FAMs boarding based on 'no-fly list' names matches."

"Glad" to see that the government takes as long to address the problems of air marshals as the general public.

If this is all true, this is just too dumb for words.



Getting to the Next Level to Solve Problems
By Bill Sharon  |  Tuesday, April 15, 2008 |  4:37 PM

No problem can be solved from the same level of consciousness that created it.
~Albert Einstein~


We hear a lot about consciousness these days. This attention to a new level of awareness has increasing numbers of people checking their egos, performing acts of kindness and attempting to inject a greater level of civility into our daily discourse. All of which is welcome indeed, but it is less clear how the expansion of consciousness will have any impact on the very serious issues we all face in the world of politics, business and the economy. Einstein’s quotation gives us a hint.

Regardless of whether we protested or agreed, we have all lived in a political and social context over the recent years that operated on two fundamental principles: We could have war without cost and profit without value. On their face, these principles make no sense. We all knew they made no sense. Now we are beginning to experience the reality that they make no sense and the potential consequences from an economic perspective look worse every day. Just when the latest mortgage backed securities write-offs by UBS were supposed to mark the end of that crisis, we discover that the financial turmoil has seriously impacted GE, a stalwart performer whose stock price dropped nearly 15 percent last week. So much for the theory that the credit crisis would only affect the financial services sector of the economy.



Whose Risk is HUD, FHA Managing?
By Robert Charette  |  Tuesday, April 15, 2008 |  11:24 AM

As noted in a long article in Sunday's Washington Post, critics are accusing Housing and Urban Development Secretary Alphonso Jackson, who is resigning in less than glorious circumstances, of being grossly inattentive to the looming housing crisis.

They contend, "Jackson ignored warnings from within his agency, … whose inspector general told Congress that some of the secretary's efforts were 'ill-advised policy' and likely to put more families at risk of losing their homes."

Of course, HUD denies this.

However, during Jackson's era, the story said, "... foreclosures for loans insured by HUD's Federal Housing Administration have risen and default rates have hit a record high."

As also noted in the Post article, FHA Commissioner Brian Montgomery, a former White House political aide with no previous housing experience, said, "It is beyond outrageous for anyone to suggest we would do anything to put FHA at unnecessary risk."

This must mean, I guess, that the increased risk of families losing their homes was a necessary HUD & FHA risk.

That's OK then.

In fact, it must be OK since Montgomery recently won the "annual Lenders One Hero for Housing Award for his efforts on behalf of American homeowners at a challenging time in the housing market."

Of course, one might ask if the award was really on behalf of American homeowners or the 100 plus mortgage bankers that make up Lenders One?



Can't Anyone Here Play This Game?
By Robert Charette  |  Monday, April 14, 2008 |  1:01 PM

Okay, I totally concur that American Airlines was at fault for not following the airworthiness directive to the letter, which I assume was backed up by a rigorous risk assessment that showed that one-inch spacing of wire bundle straps poses the least amount of risk to the safety of flight, and that anything more than that - like a quarter inch - poses such a risk.

I, for one, can hardly wait to see that risk assessment, along with all the experimental and field data showing that any deviation from the one-inch spec could cause wire chafing and bring down an MD-80 aircraft.

I trust, given the unprecedented disruption of flights, that the FAA will be posting on its Web site in the near future this risk assessment showing why the one-inch spacing was so risk critical.

The FAA also may want to post a detailed discussion about the American Airlines situation to clear up the safety paradox it has created in the minds of the flying public, or at least in the 250,000 passengers who saw their flights canceled last week.

On one hand, the FAA allowed American 18 months to comply with the directive, which I assume meant the bundles weren't secured very well and therefore prone to chafing. On the other hand, after American secured the bundles a few weeks ago, the FAA now felt that the wire bundles, even though secured by straps, being off by a small amount now meant that the airplanes were no longer safe to fly.

Was the risk of chafing associated with misplaced tie-down straps or with the bundles being free to move about?

This whole episode has served to create an overall impression of risk confusion, not competent risk management.



Census Handhelds: Asking the Right Question
By Allan Holmes  |  Thursday, April 10, 2008 |  3:55 PM

Last week Commerce Department Secretary Carlos Gutierrez told a House panel that the Census Bureau was dropping plans to use newly developed handheld computers to collect information from Americans who did not mail in census forms for the 2010 census. In his testimony, he said the handhelds were part of a larger plan to make the census "better, faster, and simpler."

The plan, Gutierrez said, was to address the increasing problems that the bureau is facing that threaten the accuracy of the census, including a larger population, the changing shape and diversity of American families, and a decreased response rate to the census because of a growing distrust of government and because of privacy concerns. These problems have led to lower productivity of the temporary workers the bureau hires to go door to door to count Americans, which requires hiring even more temporary workers to make up for the lost work. Gutierrez said the bureau developed the GPS enabled handhelds to collect more accurate address locations to make it easier for the workers to find residences.



We Are All Africans
By Bill Sharon  |  Wednesday, April 9, 2008 |  5:15 PM

About a year or so ago a poster designed by Milton Glaser began appearing on the sides of telephone booths in Manhattan. It featured a hand, the fingers of which displayed the colors of the world’s races. The title of the poster was "We are all African." The brilliance of its design evoked the factual knowledge that we all have evolved from the African continent and the emotional truth that we are all our brother’s keeper. Its intent was to encourage people to become involved in fighting world poverty.

But there is now another way that “we are all Africans,” and it is one that is increasingly uncomfortable and increasingly impossible to ignore. It is the story of interest rates and the management of risk.



Risk and the Money Metric
By Bill Sharon  |  Wednesday, April 2, 2008 |  1:56 PM

All 50 states have some form of requirement for automobile insurance. But when you get in your car to go somewhere, how many of us think about our insurance policy? In that moment do we know what the deductibles are, what the maximum amount of coverage we have for liability or collision? Probably not.

We are interested in getting from where we are to where we want to go. We pay attention to those things that will enable that process. We check the gas, we check the mirrors. During the drive we comply with traffic laws and watch out for other drivers who may not be as aware or who might be impaired. We manage the risks of getting from where we are to where we want to go. The insurance policy stays in the desk drawer unless or until something bad happens. And when that bad thing happens, that accident, even if we have an excellent policy with a company that actually pays the full cost of repairs, we now own a car that has been damaged and its trade-in value is lower than it would have been.



Risk Information Withheld by CDC
By Robert Charette  |  Wednesday, April 2, 2008 |  1:01 PM

According to an Associated Press story on the Government Executive website, "Christopher De Rosa, a top scientist at the Centers for Disease Control and Prevention's toxic substances agency, said his bosses told him that his warnings of a 'pending public health catastrophe' could be misinterpreted if publicly released." De Rosa was told to keep quiet about the high levels of formaldehyde gas found in FEMA trailers that Katrina victims were given.

"Misinterpreted," eh?

What, those poor folks living in trailers filled with formaldehyde gas and the public at large might actually think that the trailers were dangerous, when they weren't? Or was it that the trailers were dangerous, but neither the CDC nor FEMA wanted anyone to know about the risks because it would be politically embarrassing?

Let's refresh some memories, shall we?



The Federal Reserve - isn't
By Bill Sharon  |  Saturday, March 29, 2008 |  5:21 PM

The Federal Reserve is not part of the federal government. Regrettably, most Americans are ignorant of this fact. Since the members of the Board of Governors of the Fed are appointed by the president, the assumption is that it is another agency of the executive branch, but nothing could be further from the truth. It is owned primarily by private banks that are shareholders and appoint two thirds of the members of the boards of directors of the twelve regional Federal Reserve banks.

In this context, the expanded powers of the Fed that are being proposed by the Bush administration (and the weakening of the powers of the Securities and Exchange Commission) present an interesting event in what passes for risk management these days in the financial services system. Barney Frank, the chairman of the House Financial Services Committee, has, in effect, signed on to this plan following an epiphany some time ago that occurred during his conversation with Charles O. Prince III, the former chairman of Citibank. According to the New York Times, Mr. Prince was explaining that “structured investment vehicles” were kept off the balance sheet so that his bank could compete with investment banks. Somehow the practices of commercial banks using archaic accounting to keep investments off their books led to the conclusion that regulation should extend to investment banks and hedge funds. There doesn’t seem to be any mention of getting those “structured investment vehicles” back on the balance sheet.



Do You Really Need to Know That?
By Robert Charette  |  Thursday, March 27, 2008 |  2:01 PM

According to the Associated Press, the Agriculture Department is being pressured by the food industry not to identify retailers where tainted meat was sold except in cases of serious health risk.

The AP story goes on, "Had that been the rule in place last month, consumers would not have been told if their supermarkets sold meat from a Southern California slaughterhouse that triggered the biggest beef recall in U.S. history."

One reason why the food industry opposes the rule is that it "could create confusion for consumers since retailer lists could be incomplete or take days or weeks to compile. Customers could have a false sense of security if their grocery store doesn't immediately show up on the list, the groups contend."

So, incomplete risk information is riskier than no information?

Another reason is competitive: "If lists of retailers selling recalled meat become public, competitors would know who to approach to offer the product at a lower price."

Now, I just wonder whose risk management concerns are the priority: consumers having a false sense of security or meat producers' competitive issues?

Of course, there also is the little question of the USDA definition of "serious health risk." Just how serious is serious? Is it defined by the number of people ill or does one or more people have to die before the recall is announced?



The Accreditor’s Dilemma
By Andy Boots  |  Tuesday, March 25, 2008 |  5:42 PM

In essence, the information security/assurance certification and accreditation process -- in both civilian and military realms -- represents a command and control view of decision making.

On the battlefield, the commander gathers information from advisors who are qualified to attest to the accuracy (or limitations) of the information they provide. Because no one ever operates without a degree of uncertainty, the commander makes decisions using available information but with the full realization that other factors are unknown and perhaps unknowable. The commander also recognizes that a bad decision will reflect on him or her directly.



Risk, Morality and Ethics
By Bill Sharon  |  Monday, March 24, 2008 |  5:45 PM

The Kabbalists tell us that we can only see 1 percent of what is going on. The astrophysicists tell us that we can only see 5 percent (the rest is dark energy and dark matter, although no one really seems to know what either of them are). Kahneman and Tversky, in their work on how people respond to risk tell us that emotion always overrides rational thought (witness the rise in the stock market of hundreds of points on the smallest shred of information that might be considered good news).

So on a good day we are all in the tall grass. For the past 500 or 600 years we have been operating on the basis that rational thought separates us from the animals. Now we are being told – not so. What separates us from the animals is our consciousness and our ability to recognize that we are more than our thoughts. This idea comes to us from many teachers with an infinite variety of approaches (Ian Lungold, Albert Clayton Gauldin, Esther Hicks, Neale Donald Walsch and many others). It has become so mainstream that now Oprah and Eckhart Tolle are in the midst of a worldwide weekly video conference designed to spread the idea that our minds and our egos are getting in the way of understanding what life wants from us.



Fraud, Waste and Abuse Risk Doesn't Exist Overseas?
By Robert Charette  |  Monday, March 17, 2008 |  8:09 AM

Amazingly, it appears that the risk of contract fraud, waste and abuse doesn't exist overseas, only here in the United States. At least according to the Office of Management and Budget, and the White House.

A story in the Washington Post notes that a new rule that requires U.S. contractors to report fraud, waste and abuse (FW&A) they find while performing work provided an exemption to those contractors doing work overseas.

So, the only conclusion one can reach is that OMB doesn't think there is any risk of FW&A in overseas contracts, or that it is perfectly OK for U.S. contractors to ignore (or engage in?) FW&A overseas.

So, which is it?



FDA and Rethinking Medical Device Approvals
By Robert Charette  |  Wednesday, March 12, 2008 |  9:04 PM

There was an interesting story in today's Boston Globe. It appears that there are significant security gaps in "implanted devices that help regulate heartbeats and use wireless technology."

Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center in FDA who led a research project into medical device security risks, says in the story:

"With some technical expertise, we were able to retrieve information from the device [built by Medtronic] in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."

While Maisel says not to worry, that the technical expertise required to hack these devices is very high, how long do you think it will be before hackers actually are able to replicate what Maisel and his team of researchers were able to do?

Of course, medical device manufacturers like Medtronic don't really have to worry too much. Given the recent Supreme Court ruling on Class III medical devices, all they have to do is to add the risk to their warning label, get the FDA to approve it, and they are immune if their devices get hacked.



Army's FCS Still 70 Percent Probability of Success?
By Robert Charette  |  Wednesday, March 12, 2008 |  9:02 AM

As reported by Government Executive's Bob Brewin, the latest GAO report on the Army's Future Combat System, "Significant Challenges Ahead in Developing and Demonstrating Future Combat System's Network and Software," is not particularly flattering.

As the GAO report notes, "Almost five years into the program, it is not yet clear if or when the information network that is at the heart of the FCS concept can be developed, built, and demonstrated by the Army and LSI."

Does this mean that the FCS probability of success has slipped below the 70 percent mark (actually "in excess of 70 percent") that then Chief of Staff of the Army General Peter Schoomaker in 2004 told Congress after FCS was restructured to follow a spiral process?

Some of you may recall that before the restructuring, Schoomaker told Congress that FCS had only a 28% chance of success (which makes one wonder how given its size and importance to the Army it ever was allowed to proceed in the first place).

I would be interested, given the latest difficulties, what the Army now thinks the probability of success for FCS is today - higher or lower than 70 percent?

I hope someone in Congress asks them.



Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.



Government's Flexible Definitions of Risk
By Robert Charette  |  Sunday, March 9, 2008 |  3:24 PM

I'm still trying to come to terms with what the term "risk" actually means to the government.

In today's Washington Post, there is a story about the Agriculture Department prohibiting the use of beef from so-called "downer cattle" in federally funded school lunch programs, but it also allows the beef under certain conditions to be sold to the general public. As the article notes, this disparity seems to undermine Agriculture's claims that there is no food safety reason to ban meat from all cows too sick or injured to stand.



GAO High Risk is JTL
By Robert Charette  |  Saturday, March 8, 2008 |  4:01 PM

Last week the Government Accountability Office placed the Census Bureau’s 2010 census effort on its high risk list. As I have noted elsewhere on this blog, this is a case of risk management JTL – Just Too Late. The GAO really needs to change the name of its High Risk List to the Very Big Problem List, since nearly every one of the programs on its list is one in serious trouble. As highlighted by Census Bureau Director Steve Murdock in relationship to the issues that landed it on the GAO High Risk List, “I cannot overemphasize the seriousness of this problem." (My emphasis.)

If the GAO really wants to do some real good, it needs to make a clear distinction between projects or programs in trouble and those headed for trouble.

Speaking of High Risk Lists, isn’t it about time for the fiscal 2008 first quarter OMB High Risk List to be published? I am really curious to see whether the fiscal 2007 fourth quarter improvement rate has continued.



Census Bureau: Playing at Risk Management
By Robert Charette  |  Thursday, March 6, 2008 |  7:03 PM

The GAO announced on Thursday that it had placed the Census Bureau’s 2010 census effort on its high risk list. This is very unusual, as the GAO’s press release pointedly notes:

“Although a regular update to its high-risk list is set for 2009, GAO decided it was important to flag the census now because of the survey's impact on everything from the apportionment of congressional seats to the distribution of billions of dollars in federal funds.

“GAO added the upcoming census to the high-risk list due to a combination of long-standing deficiencies and emerging challenges, including shortcomings in the Census Bureau's management of information technology, weak performances by technology that the Bureau plans to use for data collection, uncertainty of cost estimates, and the elimination of several dress rehearsal activities.”

So what were the problems that made the GAO reward the Census Bureau with such an honor?



The Risk is Now on You
By Robert Charette  |  Sunday, March 2, 2008 |  9:56 AM

Recently, the Supreme Court ruled that the balloon catheter manufacturer Medtronic whose catheter burst and injured a patient was immune from liability because its product, along with its warning labels about the product's risks, had received premarket approval from the Food and Drug Administration (FDA). The Supreme Court said that state laws allowing lawsuits against so-called Class III medical devices were not permissible.

Class III medical devices are, according to the FDA, “the most stringent regulatory category for devices. Class III devices are those for which insufficient information exists to assure safety and effectiveness solely through general or special controls.

“Class III devices are usually those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.”



Legitimizing Data Theft
By Robert Charette  |  Wednesday, February 27, 2008 |  4:49 PM

There are reports that the IRS as well as tax authorities in other countries including Canada, Germany, Australia, Italy, Sweden, Spain, the United Kingdom, and New Zealand have purchased stolen information detailing confidential bank accounts in Liechtenstein. Liechtenstein has very strict banking privacy laws, and it is seen by all the above countries as a safe haven for tax evaders. The country, which is a tiny principality next to Switzerland, is one of three countries (Andorra and Monaco being the other two) listed by the Organization for Economic Cooperation and Development as being "uncooperative tax havens."

How did the countries get this information? In one news report, it was said that, "Heinrich Kieber, a 42-year-old computer expert, offered the information for sale to several countries, including Germany, which paid about $6.3 million for it. (Mr. Kieber is said to be hiding in Australia under a new identity.)"



Standardizing & Improving Security -- An Oxymoron for Our Times
By Andy Boots  |  Tuesday, February 26, 2008 |  8:57 AM

In the ironically-labeled memorandum M-07-11 (feeling lucky?), officials at the Office of Management and Budget say that adopting standardized configurations for Windows desktops in federal agencies will somehow create a situation in which “[i]nformation is more secure, overall network performance is improved, and overall operating costs are lower.” Each of these claims is questionable, but the essential truth is that standardizing desktop configurations will have tiny security impacts, will entail enormous unfunded costs and will potentially make federal networks less secure.

This is not to say that configuration management practices in the federal government are beyond reproach, but we need to admit a few realities:



SAT Shot - Proves Missile Defense or Not?
By Robert Charette  |  Sunday, February 24, 2008 |  11:55 AM

According to a briefing by Vice Chairman, Joint Chiefs of Staff Gen. James Cartwright, the recent successful shoot down of the wayward spy satellite was not a test of the missile defense system. While the Missile Defense Agency was helpful in netting all the sensors needed together, according to Cartwright,

the missile itself is a standard missile in the Navy inventory; the ship is a standard ship in the Navy inventory. We added a lot of instrumentation. We made some modifications to the software to be able to go after a satellite.
You know, this is a one-time mod. It is -- if you put this mod in, we can't use the ship or the missile for another function without taking the mods out. So it's not something that we would be entering into the service in some standard way.

Yet, Defense Secretary Robert M. Gates said the shot proves that missile defense works.

I think, actually, the question of whether this capability works has been settled. The question is: Against what kind of a threat (do we employ the technology)? How large a threat? How sophisticated a threat?

So, is this shot "proof" of missile defense, or just a one-off highly constrained, albeit successful, experiment?



How Important is Personal Information?
By Andy Boots  |  Friday, February 22, 2008 |  11:06 AM

On a scale of importance, where would you rank the following: taxpayer personal information, plans for weapons systems, pre-decisional legal or enforcement deliberations, names of informants in this or other countries, results of drug trials, pre-award procurement information, blueprints of government facilities, schedules of surprise enforcement actions (immigration, food safety, etc.), unpublished minutes of the Federal Reserve Board Open Market Committee, and official travel schedules of government officials in countries with active terrorist cells?

Because I am a government annuitant and a participant in various federal health benefit programs, you can bet I am concerned that the Office of Personnel Management and its contractors maintain the highest standards in protecting personal, banking, and health information about me and my family. But it is clear to me that other government information is worthy of even higher standards of protection.

Apparently, in FedWorld, personal information must be far more important than any other type of data, because protection of personal information appears to be the sole focus of attempts to “fix” the Federal Information Security Management Act (FISMA).

Then I remember that none of the other information types vote, so every elected official is elbowing others on the way to the microphone to proclaim his dedication to privacy principles … and the Office of Management and Budget is standing in line at the microphone to announce a new reporting requirement.

Billy Graham used to have a fellow who traveled everywhere with him whose sole responsibility was to detect when the Rev. Graham was getting carried away with himself or his mission and yell "bullsh**." I believe the U.S. government needs just such a person to keep the legislative and executive branches focused on protecting our most precious assets (including information). I would volunteer but the ceaseless shouting would be more than my aged body could stand.



Introduction to Andy Boots' Blog
By Andy Boots  |  Friday, February 22, 2008 |  11:03 AM

Since retiring from the federal government in 2007, I have watched with a mixture of alarm and amusement as the Office of Management and Budget, Congress, the National Institute of Standards and Technology, the inspectors general, the Government Accountability Office and agencies have continued to miss the point of information and mission assurance while enriching consultants and printer manufacturers by producing mountains of increasingly meaningless paperwork.

I intend to bring to readers’ attention various issues I believe deserve more critical thinking than is typically available in the federal enterprise (which I will henceforth call FedWorld).

I also believe:

• Information protection is better than security plans
• Privacy protection is better than privacy plans or impact statements
• Intrusion prevention beats the pants off intrusion detection
• Personnel security has almost nothing to do with HSPD-12
• Cybersecurity is only marginally related to information security
• … and so on.

Please remember my point of view before you comment on something I’ve written by chiding me that the Federal Information Security Management Act (FISMA) has it otherwise, that OMB guidance points in another direction, or that an IG will write me up. I no longer live in FedWorld so those customs and folk beliefs seem quaint.



3 New Strains of Flu Vaccine for Next Season
By Robert Charette  |  Thursday, February 21, 2008 |  8:06 PM

The FDA announced that for the coming flu season, the flu shot will be made up of three new flu strains: Brisbane/10, a version of the H3N2 flu; a second new Type A strain known as H1N1/Brisbane/59, and a newer Type B/Florida strain. The reason is that this year's vaccine has proven to be only 40 percent effective, rather than the 70 percent to 90 percent that is more usual.

Since it takes a long time to create a flu vaccine, scientists have to make their best risk estimate of what next season's predominant viruses are going to be nine months in advance. Most times, they get it right, but sometimes not, like this year.

Continue reading "3 New Strains of Flu Vaccine for Next Season" »


Census Challenges
By Robert Charette  |  Thursday, February 21, 2008 |  7:56 PM

The Washington Post had a recent story on the problems at the Census Bureau, a story that Editor Allan Holmes has written extensively about in Government Executive. The problem is that the Census Bureau is relying on capturing census data using handheld wireless devices, but the project has had cost, schedule and technical difficulties. Congressional leaders and their staff were briefed last week by Commerce Secretary Carlos M. Gutierrez and Steve H. Murdock, new director of the U.S. Census Bureau, on the status of the project.

The Census Bureau thinks that it can work out the problems and be ready for the 2010 Census. Marc Raimondi, a spokesman for Harris, the contractor, said, “It's a large IT system integration program. It's not unusual for a program to have challenges.”

Not risk, mind you, but challenges. There are many, myself included, who think some pretty extensive contingency planning is needed in case these "challenges" can't be surmounted, but the Census apparently believes that isn’t necessary. We won’t have to wait much longer to find out who's right.



Even the Paranoid are Sometimes Right
By Robert Charette  |  Thursday, February 21, 2008 |  7:29 PM

Henry Kissinger supposedly said that even the paranoid can have enemies. Government Executive.com columnist Bob Brewin recently wrote, somewhat whimsically, about the various conspiracy theories about who might be behind the cutting of the four undersea fiber-optic cables serving the Middle East, India and Pakistan. He noted at the time, “All these cuts could just be a coincidence, albeit a mighty strange one.”

Now there is word out that the United Nations is looking closely at the idea of sabotage: “Damage to several undersea telecom cables that caused outages across the Middle East and Asia could have been an act of sabotage, the International Telecommunication Union said on Monday.

“We do not want to preempt the results of ongoing investigations, but we do not rule out that a deliberate act of sabotage caused the damage to the undersea cables over two weeks ago,” the UN agency’s head of development, Sami al-Murshed, told AFP (Agence France-Presse).”

One of the cable owners, FLAG Telecom, thinks the whole flap is nonsense, and was probably caused by anchors or fishing trawlers, and anyway, it won't happen again because they are going to lay a new cable that is "fully resilient" against cuts and will "provide a diversity in routes."

I don't know that any of the cut cables are a result of sabotage, but the event was at the very least a low probability, high consequence risk that has now occurred. If it happens again, well, then ... outsourcers to the Middle East and Asia better make sure their contingency plans are up to snuff.



What Happened to Risk Management?
By Robert Charette  |  Thursday, February 21, 2008 |  7:19 PM

Government Executive published a nice article called On Top Of IT in the 1 February issue that dealt with the need for strong contract management in IT programs and projects. However, I was a bit surprised after reading the article that neither the word “risk” nor the phrase “risk management” was used at all in the article, although their fingerprints were all over the piece.

The contract is the primary IT project risk management vehicle – it defines by the choices made (and not made) how much risk is acceptable by both parties to the agreement. In essence, a contract is the cornerstone risk analysis and management document, setting out the objectives, assumptions, constraints, risk thresholds, etc., that define what is and is not acceptable performance, and remedies in the case of failure.

If you look at the examples of poor contracting mentioned in the article, i.e., the Coast Guard's Deepwater and FBI’s Virtual Case File project, effective rather than pro forma "tick in the box" risk management was sorely missing in both of these cases.

If you want to stay on top of IT contracts and contractors, you better have a clear understanding of the risks involved, and who is best able to manage them effectively.



Loss of a Needed Enterprise Risk Manager
By Robert Charette  |  Thursday, February 21, 2008 |  7:13 PM

With the resignation of David M. Walker, head of the Government Accountability Office, the federal government loses a thoughtful and outspoken government enterprise risk manager. Walker has continually warned about the need for increased federal government fiscal responsibility, given the mandatory spending on Medicare, Social Security, and interest on the U.S. debt.

It will be unfortunate if Walker's successor does not take on the mantle of the government’s enterprise risk manager, providing a realistic assessment of U.S. finances and actively stating the risks of not making hard choices among competing needs in the midst of scarce resources.



$45.5 trillion worth of belief
By Bill Sharon  |  Monday, February 18, 2008 |  8:22 AM

The New York Times reported Feb. 17 that there are $45.5 trillion of credit default swaps currently outstanding in the marketplace. For starters, that number is twice the value of the U.S. stock market. As most of us don’t have much of an idea of what these financial instruments are, the following example may help to illustrate:

Let’s say that you are 50 pounds overweight and your company wants to help you get in shape. They tell you that they will pay you $100 a pound at the end of 10 months, $5,000 if you can lose all the weight by then. You accept the challenge, but you want your money now to invest in a treadmill, weights and the added supplements and organic food that you need to achieve the goal. You go to the bank and take out a 10 month loan at 10 percent interest and off you go on your weight loss program. The bank, being less sure that you will actually lose the weight, buys a credit default swap (an insurance policy) for the face value of your loan from a third party – Investor A.

Continue reading "$45.5 trillion worth of belief" »


Risk and Regulation
By Bill Sharon  |  Thursday, February 14, 2008 |  4:30 PM

Sometime in the next 12 to 24 months we will have a brand new regulatory bill emerge from Congress detailing the manner in which information is disclosed during the process of applying for a mortgage. Like Sarbanes-Oxley, it will once again demonstrate the tragedy of American business practices that we have all come to accept. Certainly it was no surprise to even the most junior financial executive five years ago that there ought to be controls in the financial management process, that the senior executives of the firm should know what they are and that a firm’s auditors should not be their consultants. Similarly, the new regulations will put in place standards for the mortgage application process that are stunningly obvious.

The concern is that the time span between scandals is growing shorter and shorter. We had the savings and loan scandals of the 1980s, which resulted in the passage of FDICIA (Federal Deposit Insurance Corporation Improvement Act) in 1991, a precursor to Sarbanes. Then we had the dot-com bubble (beginning in 1995 and ending in 2000) that, via WorldCom and Enron, bled into the corporate scandals of 2001. It seems we had just led the last of the criminal executives involved in Enron off to jail when the sub-prime mortgage scandal rose to public attention. As the executives who ran these financial institutions resign and slip away with lucrative severance packages we can only wonder if the underlying malfeasance will result in criminal prosecutions. It appears that that is unlikely at this point; what is more likely is a plethora of lawsuits.

Continue reading "Risk and Regulation" »