Robert Charette

Founder
ITABHI Corp.

Bob Charette is an internationally acknowledged authority and pioneer in risk management, information systems and technology, systems engineering, the Lean Development and Management of large-scale software-intensive systems, and risk entrepreneurship and innovation.

He advises Fortune 100 companies and government agencies on the rewards and risks of high-tech policies and programs, some of which are valued at several billion dollars. He also serves as a senior adviser to high-tech consortiums. Bob is a founding charter member of the Project Management Institute's risk management interest group and serves on its advisory board. In addition, he was an adviser to the risk management programs at the Software Engineering Institute at Carnegie Mellon University, where he is chairman of its risk advisory board. Bob also served on the National Research Council's select panel, which evaluated the effectiveness of NASA's space shuttle software safety program after the 1986 Challenger accident, which killed seven astronauts.

Bob is author of numerous books on managing risk, and he has been an information resource for CNN, The Wall Street Journal, Investor's Business Daily, The Boston Globe, CIO magazine and other print and television news outlets.


Threat Levels and Dangerous Biscuits


I was rather entertained a few weeks ago when I read that former Homeland Security Secretary Michael Chertoff said politics was never a factor in determining whether the nation's color-coded terror-alert level should be raised.

Chertoff made his remarks in response to former GOP lawmaker and Pennsylvania governor Tom Ridge, who served as the nation's first Homeland Security secretary and who first made, and then backed away from, a claim that then-Attorney General John Ashcroft and then-Defense Secretary Donald Rumsfeld wanted to raise the threat level before the 2004 election, and that he opposed it.

One reason for my amusement is that politics always enters decisions to raise or lower the risk state of an endeavor, be it a project, program or national threat level. No one may want to acknowledge it, but like an elephant sitting in the corner of the room, it can't be totally ignored. In fact, it is a legitimate factor that has to be considered: any risk assessment that does not take politics into account is by definition fatally flawed.

Politics only becomes a worrisome issue when it trumps every other factor in a risk assessment - i.e., when politics moves from being the elephant sitting quietly in the corner to becoming a raging behemoth stamping into dust every other factor under consideration.

The current DHS flap over new stimulus-funded border checkpoint construction projects, where apparently low-volume crossings get priority over busier and higher-priority ones, is an example of what looks like politics trumping common sense - another important factor to consider in a risk assessment.

Therefore, I sincerely hope that Mr. Chertoff misspoke when he said, "Politics never entered into raising the alert during my tenure in any way, shape or form."

In fact, I'll wager that not raising the threat alert before the election in 2004, if it was indeed considered, was not done precisely because of politics. To do so would have led to widespread public demands to know why it was being raised at that specific time and on what grounds.

One real criticism of the threat alert system is that it is rarely raised - and has never been lowered below yellow (orange for aviation). The alert system was designed, according to Homeland Security Presidential Directive-3 that authorized it, " ... to create a common vocabulary, context, and structure for an ongoing national discussion about the nature of the threats that confront the homeland and the appropriate measures that should be taken in response."

If the threat never changes, you don't create much of a dialogue do you?

I would also be willing to wager that the reason the threat level never changed is directly due to politics. As long as it remains "yellow" (significant risk of terrorist attack), or "orange" for flying (high risk of terrorist attack), you have political cover if such an attack does occur. After all, you said there was a risk.

As London School of Economics professor Michael Power writes in his book, The Risk Management of Everything, for the UK government, risk management has become a means to deflect blame from the government for things going wrong in exactly this way. It is sad to see the same misuse of risk management creeping into governmental decision making here too.

You would like to think that after hundreds of billions spent on homeland defense, hundreds more spent fighting in Iraq and Afghanistan, and the claim by National Intelligence Director Dennis Blair that the intel community is much better at tracking terrorists, the threat level would have been changed back to at least the "guarded" (general risk of terrorist attacks) level by now.

Similarly, a threat level that never changes doesn't, as Directive 3 also requires, "inform and facilitate decisions appropriate to different levels of government and to private citizens at home and at work."

This idea was explored in some detail in an excellent New York Times multimedia opinion piece on the poor design of the alert system itself by writer Kurt Andersen, author of Reset: How This Crisis Can Restore Our Values and Renew America. As Andersen notes, you would be hard pressed to find an average private citizen who makes their decisions based on the current threat level.

In fact, the Biscuit Injury Threat Evaluation, or BITE, developed by the research company Mindlab International at the behest of Rocky, a chocolate biscuit bar, which ranks the riskiest British biscuits to eat, does a better job than the current alert system. It at least identifies specific risks (for instance, the Custard Cream is the riskiest biscuit to eat, whereas Jaffa cakes pose almost no risk in comparison) which, judging by the number of comments about BITE across the Web, has sparked an ongoing discussion about the nature of the threats that confront eating breakfast and the appropriate measures that should be taken in response.

Hopefully, the current terrorist alert system will change to a three-tier system with "guarded" as being the new "normal" condition as was recommended this week and is not, as Mr. Chertoff says, so ingrained in governmental security procedures that it can't be changed.

If, alas, it is not, I do hope that politics enters into the decision making process about whether to raise the threat alert level, or maybe even lower it.

Defense Giant Passes Away


The defense acquisition, systems and software engineering communities lost one of the true giants this week with the passing Monday of retired Rear Adm. Wayne E. Meyer at the age of 83.

Adm. Meyer was the "father" of Aegis, shepherding it from its beginning to its successful deployment in the fleet.

Meyer's well-known philosophy was "Build a little. Test a little. Learn a lot." It is unfortunate that this philosophy, as well as Meyer's highly disciplined approach to acquiring large-scale, technologically complex systems, has never taken a firm hold across the defense community. A lot of defense program blunders could have been avoided if the community had embraced the approach.

Part of the reason for Aegis's success was Meyer's determined effort to stay with the program for 15 years, which gave a continuity of technical insight, resource and management commitment, and program oversight that no defense program I know of can boast today.

Meyer is the last of a military management breed that included Adm. Levering Smith (Polaris Missile), Adm. Hyman Rickover (nuclear submarines), and U.S. Air Force Gen. Bernard Schriever (Minuteman Missile). I doubt their like will ever be seen again.

A full obituary that highlights Adm. Meyer's accomplishments is in today's Washington Post.

Show Me The Plan!


I don't know if Roger Baker is a "rock star" CIO, but I do think Mr. Baker is an extremely competent one who seems intent, along with his boss, Secretary of Veterans Affairs Eric K. Shinseki, on creating a new standard for IT governance, risk management and project accountability in the federal government.

Last week, Shinseki announced that the VA

"will temporarily halt 45 information technology projects which are either behind schedule or over budget. These projects will be reviewed, and it will be determined whether these projects should be continued."

In addition,

"Each of the 45 projects will be temporarily halted. No further development will occur and expenditures will be minimized. A new project plan that meets the requirements of Program Management Accountability System (PMAS) must be created by the project manager and approved by VA's Assistant Secretary for Information and Technology before resuming."

That total is the most IT projects ever stopped at once by any government agency or department, at least in the 30-plus years I can remember, and is probably as many as have been stopped for review across all of government IT in the past decade, if not longer.

To which we say, "Well done," along with, "It's about time."

There is a mighty difference between IT failures and IT blunders, and for those that are blunders, invoking the IT mercy rule can't happen fast enough.

As Shinseki said, the

"VA has a responsibility to the American people, who are investing millions of dollars in technology projects, to deliver quality results that adhere to a budget and are delivered on time. They need to have confidence that the dollars they are spending are being effectively used to improve the lives of our Veterans."

Amen.

Viva La Revolucion - and show me the plan!

Public CIOs: Optimistic or Conservative?


It was great to see that U.S. Chief Information Officer Vivek Kundra was able to get the new federal government IT dashboard up and running as promised by the end of June. Score one for a government group meeting an IT promise on schedule.

I find the dashboard interesting for what it shows, as well as for what it doesn't show. For instance, while the CIOs at the Agriculture, Transportation, Justice and Veterans Affairs departments have all given their evaluations of their department's IT projects, others, like the Defense, Homeland Security, Health and Human Services and Commerce departments, have not. This is disappointing, and hopefully that information (and not some default rating) will be forthcoming soon.

According to the dashboard Web site, in making their evaluation:

"The CIO balances the following criteria: requirements management, risk management, contractor oversight, past performance, human capital, and other factors that the CIO deems vital."

Given that insight, it becomes even more interesting to look at the various agency CIOs' evaluations where they do exist, and then look at the summary data provided on the dashboard for the agency's projects' cost and schedule. For instance, at Justice, there are no projects that are in the red in relation to their cost and schedule, but two are placed there by the CIO. The Agriculture CIO determined that three IT projects are red and 12 are yellow, yet three IT projects are red in terms of cost (four are yellow), while nine are red in terms of schedule (eight are yellow).

So, does this mean that there are a couple of Justice IT projects going bad, while a number of those in Agriculture are getting better? And is schedule not as much a concern to the Agriculture CIO as is cost?

I am also a bit puzzled how, in the overall ratings for Agriculture, only two projects are deemed red when the CIO says three are red. I thought from the FAQs that the CIO rating trumps all?

The Transportation CIO also seems to rate fewer projects red than the cost and schedule data show, while the VA CIO shows more.

Following CIO evaluations over time will likely provide some interesting insights into CIO evaluation bias and risk tolerance -- both optimistic and conservative -- in rating their IT projects. It also should be useful in terms of determining the ultimate value of the published quantitative cost and schedule data in predicting IT project success as opposed to other qualitative factors -- like internal risk assessments -- that the CIO uses.

Assuming they hang around long enough, we should be able to tell which CIOs really have good insights into the true states of their IT projects and which are more concerned with keeping their overall agency IT project rating as "green" as possible.

It should be fun to watch.

The CIA Memo Transparency Test


It was probably the stark absurdity of the situation that created the final decision tipping point: release classified documents relating to the CIA waterboarding of captured Al Qaeda members, but move mightily to keep information about aircraft bird strikes from the public.

Transportation Department Secretary Ray LaHood yesterday sensibly ordered FAA to reverse its proposal to make the bird strike data off limits to the public. "Public disclosure is our job," LaHood wrote on his blog.

Amen.

FAA had argued that allowing the public access to the information might unduly scare the flying public away; it also argued that allowing such access would make airlines and airports less likely to report bird strikes.

Of course, FAA never provided any facts to back up its worries, which appear absurd on the face of it. They appear even more so when one considers that a) the number of bird strikes has more than quadrupled, from around 1,750 in 1990 to some 7,600 in 2007, b) the number of bird strikes reported has kept growing despite the data being widely available to the public for years, and c) passenger volume has grown steadily over those same years despite the more than fourfold increase in bird strikes.

Now, I may not mingle in the right circles, but I have never encountered anyone telling me that they were afraid of flying because of a bird striking a plane. Weather? Yes. Bird strikes? No. (Maybe FAA should instead make local airport weather reports secret?)

Of course, some passengers may now be afraid of flying because of potential bird strikes, thanks to all the attention FAA has managed to create about the issue.

Anyway, tomorrow, FAA's bird-strike database will be made public here. I will be most interested to see how much airline traffic falls off or how the reporting of bird strikes declines over the next 12 months.

However, returning to the release of the CIA waterboarding memos: It may have inadvertently set a new threshold for keeping government information from the public. It is going to be hard to argue that almost any government data, other than information that is legal in nature or critical to national security, shouldn't now be released.

After all, if the CIA memos can be made public, then why can't (insert document name here) be released?

We can call it the CIA Memo Threshold Test of Government Transparency: CIA MeT To GovTrans? The acronym needs a little help.
