Launching major transformation efforts is a common way that business leaders try to get a leg up on the competition, or just keep their heads above water. But too many of these efforts fail. Change is difficult, and many people not only resist it but seek to undermine it. Unsurprisingly, then, a McKinsey study found that merely 26% of transformation initiatives succeed. Most successful transformations have one thing in common: Change is driven through empowerment, not mandated from the top.

In my research of transformative political revolutions, social movements, and organizational change, successful efforts not only identify resistance from the start but also make plans to overcome those who oppose the transformation. And it’s done not with bribes, coercion, shaming, or cajoling, but by enabling others within their organizations to drive change themselves. Here’s how they do it.

Start with a small group. Typically, leaders launch transformation efforts with a large kickoff. It makes sense: They want to build momentum early by communicating objectives clearly. This can be effective if a ready consensus already exists around the initiative. Yet if the desired change is truly transformational, it is likely to encounter fierce opposition; inertia can be a powerful force, even more powerful than hope or fear. So by starting with a large communication campaign, essentially presenting the initiative as a fait accompli, you are very likely to harden the opposition of those who are skeptical of the change.

Most successful transformations begin with small groups that are loosely connected but united by a shared purpose. They’re made of people who are already enthusiastic about the initiative but are willing to test assumptions and, later, to recruit their peers. Leaders can give voice to that shared purpose and help those small groups connect, but the convincing has to be done on the ground. Unless people feel that they own the effort, it’s not likely to go very far. For example, when Wyeth Pharmaceuticals set out to drive a major transformation to adopt lean manufacturing practices, it began with just a few groups at a few factories. The effort soon spread to thousands of employees across more than a dozen sites and cut costs by 25%.

Identify a keystone change. Every change effort begins with some kind of grievance: Costs need to be cut, customers better served, or employees more engaged, for example. Wise managers transform that grievance into a “vision for tomorrow” that will not only address the grievance but also move the organization forward and create a better future. This vision, however, is rarely achievable all at once. Most significant problems have interconnected root causes, so trying to achieve an ambitious vision all at once is more likely to devolve into a five-year march to failure than it is to achieve results. That’s why it’s crucial to start with a keystone change, which represents a clear and tangible goal, involves multiple stakeholders, and paves the way for bigger changes down the road.

That gap between aspiration and practical reality was the challenge that Barry Libenson encountered when he arrived at Experian as CIO in 2015. In his conversations with customers, it became clear that what they most wanted from his company was access to real-time data. Yet to deliver that, he would have to move from the company’s traditional infrastructure to the cloud, an initiative that raised serious concerns about security and reliability. He began by developing methods for accessing real-time data for internal use, rather than going straight to customer-facing features. That required his team to engage many of the same stakeholders and develop many of the same processes that a full shift to the cloud would have required and allowed him to show some early results.

“Once we developed some internal APIs, people could see that there was vast potential, and we gained some momentum,” Libenson told me. Experian not only successfully moved to the cloud but also launched its Ascend platform based on the new infrastructure, which is now the fastest-growing part of its business.

Network the movement. All too often we associate any large-scale change with a single charismatic leader. The U.S. civil rights and Indian independence movements will always be associated Martin Luther King Jr. and Mohandas Gandhi, respectively. In much the same way, turnarounds at major companies like IBM and Alcoa are credited to their CEOs at the time, Lou Gerstner and Paul O’Neill.

The truth is more complicated. King, for example, was just one of the “big six” of U.S. civil rights leaders. Gerstner gained allies by refocusing the company around customers. O’Neill won over labor unions by making a serious commitment to workplace safety. These examples show why, in his book Leaders: Myth and Reality, General Stanley McChrystal defines effective leadership as “a complex system of relationships between leaders and followers, in a particular context, that provides meaning to its members.”

Every large-scale change requires both leadership at the top and the widening and deepening of connections through wooing — not coercing — an ecosystem of stakeholders.

Consider the case of Talia Milgrom-Elcott, cofounder of 100Kin10. When she set out to start a movement to recruit and retain 100,000 STEM teachers in 10 years, she knew there was no shortage of capable groups working to improve education. In fact, she had worked with many people who were building myriad approaches to the issue. But they had never met one another. And so she created a platform for collaboration that brings together nearly 300 partner organizations through conferences, working groups, and networking. Today 100Kin10 is ahead of schedule to meet its goal.

Surviving victory. Often the most dangerous part of any transformation effort is when the initial goals have been met. That’s why successful transformation leaders focus not only on immediate goals but also on the process of change itself. If Wyeth had stopped at a 25% cost reduction, it would have soon found itself in trouble again. But because its employees embraced the lean manufacturing methods, the company was able to keep moving forward. In much the same way, if Experian had been satisfied with merely shifting to a new technology infrastructure, little would have been gained.

In some cases, the benefits of a successful transformation can last for decades. Remembering Gerstner’s IBM turnaround in the 1990s, one of his top lieutenants, Irving Wladawsky-Berger, told me, “Because the transformation was about values first and technology second, we were able to continue to embrace those values as the technology and marketplace continued to evolve.” After a near-death experience, the company remains profitable today.

Editor’s note: An earlier version of this article misidentified Barry Libenson as the CEO of Experian. He is the company’s CIO.
Greg Satell is an international keynote speaker, adviser and bestselling author of Cascades: How to Create a Movement that Drives Transformational Change. His previous effort, Mapping Innovation, was selected as one of the best business books of 2017. You can learn more about Greg on his website, GregSatell.com and follow him on Twitter @DigitalTonto.

Article link: https://hbr.org/2019/08/4-tips-for-managing-organizational-change

Racing to protect the most important network of the 21st century

Tom Wheeler and David SimpsonTuesday, September 3, 2019

Editor’s Note: Tom Wheeler recently appeared on the Lawfare Podcast to discuss the cybersecurity of 5G networks with Brookings Fellow Margaret Taylor. You can listen to the podcast episode here.

“The race to 5G is on and America must win,” President Donald Trump said in April. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement.

We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.[1]

5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.

Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.

“As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications.”

The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.

HYPERFOCUS ON HUAWEI

Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.

The purpose of this paper is to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.

Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.

The after-the-fact cost of missing a proactive 5G cybersecurity opportunity will be much greater than the cost of cyber diligence up front. The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks did not exist at that time, of course, but the attack illustrates the high cost of such incursions, and it pales in comparison to an attack that would result in human injury or loss of life. We need to establish the conditions by which risk-informed cybersecurity investment up front is smart business for all 5G participants.

China is a threat even when there is not Huawei equipment in our networks. From the successful exfiltration of highly sensitive security clearance data in the Office of Personnel Management breach commonly attributed to China, to the ongoing China-linked threat actor campaign against managed service providers, many of China’s most successful attacks have taken advantage of vulnerabilities in non-Chinese applications and hardware and poor cyber hygiene. None of this goes away with the ban on Huawei. We cannot allow the headline-grabbing focus on Chinese network equipment to lull us into a false sense of cybersecurity. In a world of interconnected networks, devices, and applications, every activity is a potential attack vector. This vulnerability is only heightened by the nature of 5G and its highly desirable attributes. The world’s hackers (good and bad) are already turning to the 5G ecosystem, as the just concluded DEFCON 2019 (the annual ethical “hacker Olympics”) illustrated. The targets of this year’s hacker villages included key parts of the 5G ecosystem such as: aviation, automobiles, infrastructure control systems, privacy, retail call centers and help desks, hardware in general, drones, IoT, and voting machines.

5G EXPANDS CYBER RISKS

There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:

1. The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
2. 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
3. Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
4. The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
5. Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.

   Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”

 

5G service providers are the first ones to tell us that 5G will underpin radical and beneficial transformation in what we can do and how we manage our affairs. At the same time, these companies have publicly worried about their ability to address the totality of the cyber threat and have described the future challenge in disturbingly blunt terms. The president’s National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry—told him in November, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”

The nature of 5G networks exacerbates the cybersecurity threat. Across the country, consumers, companies, and cities seeking to use 5G are ill-equipped to assess, let alone address, its threats. Placing the security burden on the user is an unrealistic expectation, yet it is a major tenet of present cybersecurity activities. Looking to the cybersecurity roles of the multitude of companies in the 5G “ecosystem of ecosystems” reveals an undefined mush. Our present trajectory will not close the cyber gap as 5G greatly expands both the number of connected devices and the categories of activities relying on 5G. This general dissonance is further exacerbated by positioning Chinese technological infection of U.S. critical infrastructure as the essential cyber challenge before us. The truth is that it’s just one of many.

WHAT HAVE WE LEARNED THUS FAR?

5G has challenged our traditional assumptions about network security and the security of the devices and applications that attach to that network. As officials of the Federal Communications Commission (FCC), the authors struggled to deal with these challenges only to be confronted by:

• Industrial-era procedural laws that make rulemaking activity cumbersome and non-rulemaking activity less than optimal.
• The incentive of bad actors to overcome any solution that is typically greater than the incentive to maintain the protection.
•  Industry stakeholder fear of exposing their internally identified risk factors at precisely the time when sharing information about attacks would be of greatest value for a collective defense.

At the same time, those who know the networks the best—the network operators—exist under business structures that are not optimal for effective risk reduction. As an FCC white paper concluded three years ago:

As private actors, ISPs (internet service providers, such as 5G networks) operate in economic environments that pressure against investments that do not contribute to profit. Protective action taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job efficiently.

The FCC report’s finding—that market forces alone would not address society’s cyber risk interests—highlighted the ISPs over which the agency had primary jurisdiction. The report additionally examined the larger ecosystem and concluded that the motivation to solve the problem generally gets worse when consumers do not link a purchasing decision with a cyber risk outcome. This, unfortunately, is all too often the case, as service providers as well as device and application vendors do not make meaningful security differentiators public and don’t compete on any verifiable security indicators.

“None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged.”

In 2016, for instance, hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders. That the internet could be attacked this way reflected the reality of digital supply chains: Because consumers didn’t consider cybersecurity in their purchase decisions of low-cost connected devices (they were the means, not the target of the attack), retailers didn’t prioritize security in their decisions of what to stock. As a result, manufacturers didn’t emphasize cyber in the components they purchased and thus chip and motherboard manufacturers did not include cyber protections in their product. None of companies defined a role for themselves for sustaining post-purchase product cyber readiness and, by and large, that’s still the case.

New industry verticals are bringing 5G-enabled capabilities to a market where good faith efforts are insufficient. There is no evidence that the business priorities of the suppliers of devices and applications are any different than those attributed to network operators in the FCC report. A 2018 report by the Trump administration’s Council of Economic Advisers, for instance, warned of, “underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged. Continuation of corporate and governmental policies that are not keeping up with today’s cyber risk do not bode well for a volumetric expansion of the attackable network and data surface of 5G networks. There is a crying need for coordinated efforts to achieve targeted expectations.

TWO KEYS TO WINNING THE REAL “5G RACE”

The real “5G race” is whether the most important network of the 21st century will be sufficiently secure to realize its technological promises. Yes, speedy implementation is important, but security is paramount. To answer that overriding question requires new efforts by both business and government and a new relationship between the two.

The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Our nation has moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.

Key #1: Companies must recognize and be held responsible for a new cyber duty of care

The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:

Reversing chronic underinvestment in cyber risk reduction

Proactive cyber investment today is the exception rather than the rule. For public companies, the Securities and Exchange Commission (SEC) and others are driving change from the corporate board-level on down through management. A favorite entrance point for cyberattacks, however, remains the smaller companies, many of which are outside of the scope of these efforts. Unfortunately, the SEC’s efforts impact only the less than 10% of American companies that are publicly owned. At the very least, where companies have a role in critical infrastructure or provide a product or service that, if attacked, could imperil public safety, there must be the expectation that cybersecurity risks are being addressed proactively.[2]

Implementation of machine learning and artificial intelligence protection

Cyberattacks on 5G will be software attacks; they must be countered with software protections. During a Brookings-convened discussion on 5G cybersecurity, one participant observed, “We’re fighting a software fight with people” whereas the attackers are machines. Such an approach was like “looking through soda straws at separate, discrete portions of the environment” at a time when a holistic approach and consistent visibility across the entire environment is needed. The speed and breadth of computer-driven cyberattacks requires the speed and breadth of computer-driven protections at all levels of the supply chain.

Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators

A 2018 White House report found a “pervasive” underreporting of cyber events that “hampers the ability of all actors to respond effectively and immediately.” The 5G cyber realm needs to adopt leading indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with government entities charged with oversight responsibilities. There are a number of good examples to pull from. Shared cyber risk assessments are increasingly a best practice for cyber-mature companies and their supply chain. Several accounting and insurance firms have developed lead metrics to inform cyber risk reduction investments and underwrite policies. The Department of Homeland Security has resiliency self-assessment standards to motivate long-term community disaster preparedness improvement.[3] Such a model should be extended to the 5G cyber realm in order to shift oversight from lag indicators to lead indicators.

A regular program of engagement with boards and regulators using cybersecurity lead indicators will build trust, accelerate closing the 5G readiness gap and lead towards more constructive outcomes when cyber attackers do succeed. Underreporting of lag indicators, as highlighted in the 2018 White House report should be addressed, but with the primary purpose of closing the feedback loop, improving the quality of lead measures and the investment decision process they inform.

Cybersecurity starts with the 5G networks themselves

While many of the large network providers building 5G are committing meaningful resources to cyber, small- and medium-sized wireless ISPs serving rural communities have been hard pressed to rationalize a robust cybersecurity program. Some of these companies have fewer than 10 employees and can’t afford a dedicated cyber security officer or a 24/7 cyber security operations center. Still, they will be offering 5G services and interconnecting with 5G networks. About one-third of these companies have ignored government warnings about the use of Huawei equipment and are now petitioning Congress to pay for their poor decisions and pay to replace the non-Chinese equipment. Any replacement must include the expectation that the companies will establish sufficient cybersecurity processes that sustain protections. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.

Insert security into the development and operations cycle

For many application developers, a core agile development tenet has been sprinting to deploy a minimum viable product, accepting risk, and committing to later providing consumer-feedback-driven upgrades once the product gains a following. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity in the process as a design, deployment, and sustainment consideration for every new project. Such security by design should be a minimum duty of care across the commercial space for innovations in the emerging 5G environment.

Best practices

The National Institute for Standards and Technology (NIST) Cybersecurity Framework has established five areas for best practice cybersecurity management that could become the basis of industry best practices: Identify, protect, detect, respond, and recover. For instance, NIST’s “identify” initiative focuses on determination of a company’s cyber universe, threats, and vulnerabilities in order to identify cyber risk reduction investments. While not limited only to the NIST framework, Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The Consumer Technology Association (CTA)—representing the $377 billion U.S. consumer technology industry—helped produce an anti-botnet guide that outlines best practices for device manufactures, but there is no way for a consumer to easily tell if it’s being followed.

“While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry.”

Unfortunately, publication of optional cybersecurity best practices without full industry buy-in may be an attempt at responsible behavior and good public relations, but often do little to change the cyber risk landscape. While CTA has additionally published a useful buyer’s guide to explain cyber risk issues and improve household cyber hygiene, one wonders how many consumers of low-cost network connected technologies even know of its existence. Shifting cyber risk burdens to poorly informed consumers has limited utility. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.

Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities

Current procedural rules for government agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.

More effective regulatory cyber relationships with those regulated

Cybersecurity is hard, and we should not pretend otherwise. As presently structured, government is not in a good position to get ahead of the threat and determine detailed standards or compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace detailed compliance instructions left over from the industrial era with regular and fulsome cybersecurity engagements between the regulators and the providers at greatest risk as determined by criticality, scale (impact), or demonstrated problems (vulnerabilities) built around the cyber duty of care. It would be designed to reward sectors where participants have organized and are clearly investing ahead of failure to address risk factors.

Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change corporate risk calculus to address consumer and community concerns. These activities would be afforded confidentiality and not be used by themselves to discover enforcement violations, but instead to help both regulators and the regulated better spot trends, best practices, and collectively and systematically improve their sector’s approach to cyber risk. DHS can have a supporting role for this, but at the end of the day, the balance between security, innovation, corporate means, and market factors is inherently regulatory. Absent the ability to impose a decision, government involvement can only be hortatory.

Recognition of marketplace shortcomings

Economic forces drive corporate behavior. Of course, there are bottom-line-affecting costs associated with cybersecurity. Even when such costs are voluntarily incurred, however, their benefits can be undone by another company that doesn’t make the effort. The first of this paper’s two recommendations suggests what companies can do to exercise their cyber duty of care. History has shown, however, that the carrot accompanying such efforts often needs the persuasion of a standby stick. This is only fair to those companies that step up to their responsibility and should not be penalized in the marketplace by those that do not step up. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.

Consumer transparency

Consumers have little awareness and no insight with which to make an informed market decision. The situation is analogous to the forces that resulted in the establishment of nutritional labeling for foods. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks or a cyber version of Underwriters Laboratories’ self-certification will help focus the attention of all parties on its importance.

Inspection and certification of connected devices

For years, the FCC has overseen a program to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Whether cellphones, baby monitors, electronic power supplies, or Tickle Me Elmo, the FCC assures the design and assembly of transmitting devices are within standards. The industry then organizes underneath that construct to self-certify devices in a cost-effective means baked into their production and distribution processes. At the time of the 2016 DYN attack that took control of millions of video cameras, the authors proposed a similar regimen to review the cybersecurity of connected devices. If we protect our radio networks from harmful equipment, why do we not protect our 5G networks from cyber-vulnerable equipment?

Contracts aren’t enough

Both the executive and legislative branches have focused on using government acquisition standards and pathfinder contracts to impose cybersecurity requirements where government contracts can compel commercial actions. This is an important, proven practice, but it can only go so far. Federal acquisition policies do not reach non-government suppliers that in an interconnected network can wreak havoc by simply connecting to the network. The majority of small and medium 5G network providers are not bound by any of these government contracts.

Stimulate closure of 5G supply chain gaps

For years government review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Moving companies and processes offshore or to joint ventures with foreign ownership/control has created wholesale gaps in the supply of crucial 5G components and the absence of domestic procurement options. Country of origin/ownership concerns must become relevant to both the corporate calculus that led to offshoring purchase decisions as well as to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.

Re-engage with international bodies

At present, the standards setting process for 5G is governed by the 3rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. (Huawei reportedly made the most contributions to the 5G standard). The Obama FCC engaged directly with 3GPP to identify public safety and cybersecurity risk considerations applicable to the U.S. market. It additionally opened a notice of inquiry to ask the nation’s best technology brains how to implement cybersecurity risk reduction as part of the development and deployment cycle. The move was opposed by some industry associations and the Republican commissioners. Shortly after the beginning of the Trump administration, the new FCC cancelled the Obama FCC’s cyber initiatives.

There needs to be informed third-party oversight early in the 5G industry’s design and deployment cycle in order to prioritize cyber security. The nation, our communities and our citizens should—through their government—have some degree of agency in the process. The FCC and Commerce Department should participate in 3GPP and the U.S. feeder group as observer stakeholders. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting. The representatives of American citizens should have the option to escalate engagement on matters of national security and public safety concern.

CONCLUSION

It is an amazing turn of events when the U.S. Senate, currently led by Republicans, feels it necessary to introduce legislation instructing the Trump administration “to develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure.” The 5G cybersecurity threat is a whole-of-the-nation peril. We should not be lulled into complacency because the newness of the network has masked the threat. We must not confuse 5G cybersecurity with international trade policy. Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity. The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.

“People are going to be put at risk and possibly die as we increasingly connect life sustaining devices to the internet,” was the stark warning from one of the experts participating in a Brookings roundtable on 5G cybersecurity. This cold reality is because the internet’s connection to people and the things on which they depend will increasingly be through vulnerable 5G networks. It is an exposure that is exacerbated by a cyber cold war simmering below the surface of consumer consciousness.

Early generation cyberattacks targeted intellectual property, extortion, and hacked databases. Today, the stakes are even higher as nation-state actors and their proxies gain footholds in our nation’s critical infrastructure to create attack platforms lying in wait. Any rational risk-based assessment reveals that the favored adversary target is our commercial sector. Companies that provide critical network infrastructure or provide products or services connected to it represent the likely and potentially most dangerous enemy course of action in the ongoing cyber cold war.

“If you’re asking me if I think we’re at war, I think I’d say yes,” the former commandant of the Marine Corps, Gen. Robert Neller, told an audience in February. “We’re at war right now in cyberspace. … They’re pouring over the castle walls every day.” While our adversaries, no doubt, see positive outcomes for high-profile direct attack, they also are perfecting less-risky positive outcomes in a steady pace of low-level attacks intended to erode U.S. public confidence in our cyber critical infrastructure and the digital economy it underpins. The low-intensity cyber war is already ongoing as our adversaries risk very little in these attacks and stand to gain much.

Into this attack environment has come a software-based network built on a distributed architecture. With its software operations per se vulnerable, and a distributed topology that precludes the kind of centralized chokepoint afforded by earlier networks, 5G networks will be an invitation to attacks. Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications. The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.

At the same time, the federal government has its own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case when there may be a corporate or marketplace lack of motivation to prioritize a maximum cyber effort. As outlined in this paper, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem.

Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.

The moment is now for a bipartisan call to action to not just address the current 5G exposures, but also to address the structural shortfalls that have allowed the cyber readiness gap to continue to grow. What got us here won’t get us to a secure 5G-enabled future.

Tom Wheeler was the 31st chair of the FCC from 2013 to 2017. Currently, he is a visiting fellow at the Brookings Institution. Rear Admiral David Simpson, USN (Ret.), was chief of the FCC’s Public Safety and Homeland Security Bureau during the same period. Currently, he is a professor at Virginia Tech’s Pamplin College of Business.

The Brookings Institution is a nonprofit organization devoted to independent research and policy solutions. Its mission is to conduct high-quality, independent research and, based on that research, to provide innovative, practical recommendations for policymakers and the public. The conclusions and recommendations of any Brookings publication are solely those of its author(s), and do not reflect the views of the Institution, its management, or its other scholars.

Microsoft provides general, unrestricted support to The Brookings Institution. The findings, interpretations, and conclusions posted in this piece are not influenced by any donation. Brookings recognizes that the value it provides is in its absolute commitment to quality, independence, and impact. Activities supported by its donors reflect this commitment.

Report Produced by Center for Technology Innovation

Article link: https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/

1. 1Captain Wayne P. Hughes, Jr., USN (Ret.), Fleet Tactics and Coastal Combat, 2^nd ed., U.S. Naval Institute Press, 2000, pp.40-44
3. 2Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015). Externalities and the Magnitude of Cyber Security Underinvestment by Private Sec tor Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. http://dx.doi.org/10.4236/jis.2015.61003
5. 3While the authors do not want to understate the shortfalls associated with the NIMS self-assessment model and lack of federal engagement at the regional level to assess actual NIMS implementation, we do want to note that a decade in, NIMS has succeeded in establishing a common language and investment framework for long-term steady improvements to resiliency in over 10,000 jurisdictions across the country.

 

---

August 12, 2019  By Jack Corrigan,
Staff Correspondent

The plan is meant to help federal leaders roll out standards that reduce the potential risks of AI without stifling innovation.

Federal standards for artificial intelligence must be strict enough to prevent the tech from harming humans, yet flexible enough to encourage innovation and get the tech industry on board, according to the National Institute of Standards and Technology.

However, without better standards for measuring the performance and trustworthiness of AI tools, officials said, the government could have a tough time striking that balance.

On Monday, NIST released its much-anticipated guidance on how the government should approach developing technical and ethical standards for artificial intelligence. Though it doesn’t include any specific regulations or policies, the plan outlines multiple initiatives that would help the government promote the responsible use of AI and lists a number of high-level principles that should inform any future standards for the tech.

The strategy also stresses the need to develop technologies that would help agencies better study and assess the quality of AI-powered systems. Such tools, which include standardized testing mechanisms and robust performance metrics, would allow the government to better understand individual systems and determine how to develop effective standards.

“It is important for those participating in AI standards development to be aware of, and to act consistently with, U.S. government policies and principles, including those that address societal and ethical issues, governance and privacy,” NIST officials wrote in the plan. “While there is broad agreement that these issues must factor into AI standards, it is not clear how that should be done and whether there is yet sufficient scientific and technical basis to develop those standards provisions.”

NIST’s plan was born out of a February executive order that called on agencies to ramp up their investments in AI as global competitors like China work to bolster their own AI capabilities. The strategy comes as one of the government’s first and most concrete steps toward placing guardrails on a technology that could have significant negative repercussions if left unchecked.

The AI standards developed in the years ahead should be flexible enough to adapt to new technologies while also minimizing bias and protecting individual privacy, the agency said. While some standards will apply across the broader AI marketplace, NIST advised the government to also examine whether specific applications require more targeted standards and regulations.

“The degree of potential risk presented by particular AI technologies and systems will help to drive decision making about the need for specific AI standards and standards-related tools,” officials said.

As the government begins developing rules for AI, it’s also important to remember the importance of timing, according to NIST. Standards that come too early could get in the way of innovation, officials said, but if they come too late, it will be difficult to get industry to agree to them voluntarily. As such, agencies need to constantly look outside of government to gauge the current state of AI and understand when federal action may be needed.

“The government’s meaningful engagement … is necessary, but not sufficient, for the nation to maintain its leadership in this competitive realm,” NIST said. “Active involvement and leadership by the private sector, as well as academia, is required.”

In the plan, NIST officials said government leaders should work to better coordinate agencies’ efforts to understand AI and develop standards for the tech. To that end, they recommended the White House designate a member of the National Science and Technology Council to oversee AI standards and urged agencies to study the approaches tech companies are taking to steer their own AI development efforts.

NIST also advised the government to invest in research that focuses on understanding AI trustworthiness and incorporating those metrics into future standards. Expanding public-private partnerships could also help inform federal AI standards, they said, and increasing cooperation with international partners could help address many of the national security concerns related to the tech.

“Public trust, security, and privacy considerations remain critical components of our approach to setting AI technical standards,” U.S. Chief Technology Officer Michael Kratsios said in a statement. “As put forward by NIST, federal guidance for AI standards development will support reliable, robust and trustworthy systems and ensure AI is created and applied for the benefit of the American people.

Article link: https://www.nextgov.com/emerging-tech/2019/08/nist-lays-out-roadmap-developing-artificial-intelligence-standards/159119/

 

By Driek Desmet, Niels Maerkedahl, and Parker Shi

To fully benefit from new business technology, CIOs need to adapt their traditional IT functions to the opportunities and challenges of emerging technology “ecosystems.” Here’s how it’s done.

IT has traditionally functioned as the foundation to keep a company running. One of its core functions has been to protect company operations with firewalls and encryption to keep external technologies out. With the advance of technologies, however, a vast array of capabilities and sources of competitive advantage are emerging beyond a business’ traditional walls. Those capabilities are coalescing in a wealth of new ecosystems (see Exhibit 1).

These ecosystems often overlap. A social payment app, for example, may be part of the mobile, social, data, and banking services ecosystems. The Internet of Things (IOT) is an ecosystem where multiple applications communicate with each other as a network

By plugging into these ecosystems, companies can get access to entire networks. They can, among other benefits, find new customers, tap into new sources of data, and improve established business processes.

CIOs and IT organizations have a huge role to play in capturing these opportunities. But they can’t do it through “business as usual.” In an ecosystem environment, an exclusive focus on “protecting the center” can limit a company’s ability to capitalize on emerging opportunities. To adapt their complex business-technology architecture to function in a world of ecosystems, CIOs will have to figure out how to simultaneously draw external technologies closer while managing security issues and getting a handle on the accelerating stream of technological innovations.

IDC predicts that by 2018, more than 50 percent of large enterprises—and more than 80 percent of enterprises with advanced digital-transformation strategies—will create or partner with industry platforms.1 At the same time, there will be more than 50 billion connected devices expected by 2020, according to Cisco.

These numbers point toward a radical reframing of what IT is and how CIOs manage it—not as an internal collection of information technologies (IT) but as a broad network of ecosystem technologies (ET). For the CIO, this shift also creates a significant opportunity to work closely with the CEO on business priorities and to become a prime strategic partner.

Understanding ecosystem technologies

ET encapsulates an expanded set of IT capabilities and functions (Exhibit 2). The CIO still needs to manage the multi-speed IT functions2 as well as current bilateral programs. The new layer of ET represents a new set of capabilities as well as the extension of existing ones.

CIOs can define and shape their ET three ways:

1. Opening up internal IT to outside world

This approach is about architecting IT to link internally driven systems and capabilities into external systems. One example of this in action is Delta Air Lines’ mobile app, which extends to Uber so travelers can order a car upon landing. Kraft has expanded its recipe app to become a pantry-management tool, generating a shopping list that seamlessly connects with the grocery-delivery service Peapod. Think of it as extending the customer’s journey—and the company’s relationship with the customer—through integration with other service providers.3

Many companies have already been providing integration capabilities to upstream and downstream partners—technologies such as EDI (electronic data interchange) have been in existence for decades. However, those integration points are often static. They are bilateral connections with a small, preselected group of partners such as distributors and suppliers. Those points of integration happen infrequently and often in a batch.

The future of integration into external ecosystems will force companies to interact with many more partners covering a broad range of functions, ranging from customer sourcing to social advertising to payment solutions. That’s because the low cost of technology and a dynamic start-up environment has led to a massive increase in the rate at which new services are being introduced. This means that the IT function must follow the ‘Amazon principle’ of making system components available as a service to enable integration with the ecosystem. The interfaces must be open, dynamic, and functional in real time so that they can integrate partners, technologies, and applications on an as-needed basis.

One clear implication is the need to design lightweight technology architecture built on microservices and application programming interfaces (APIs) to allow third parties to easily hook into the new ecosystem. CIOs need to start thinking in terms of platform architecture such as auto-industry OEMs use to allow for future upgrades across the ecosystem. They may even need to offer an ‘app store’ to allow consumers to pick and choose desired capabilities—and, of course, the infrastructure must be robust and secure.

One example of how this can play out might be found in telecom players that expand their connected services to e-commerce, music, health, insurance, education, media, and smart homes. These services would all be connected into one ecosystem offering the customer multiple services through the telco’s technology backbone. Salesforce’s AppExchange is already doing this by creating an environment in the cloud where developers can create and release their own apps.

2. Internalizing external IT

This approach focuses on opening up internal IT systems so that the business can plug in the external capabilities available in the ecosystem to better serve its own customers, support its own employees, or create new products and capabilities, often offered via SaaS and APIs. A simple example is integrating a third-party point-of-sale (POS) application into a company’s internal payment systems to simplify a customer’s in-store purchase process. Or integrating a third-party customer-service chat function into a company’s website. Or even integrating Yammer to help with employee productivity.

This approach clearly changes how IT designs and manages its systems. It’s no longer about buying software packages and building bespoke solutions on premise or working with a few systems integrators to deliver a business solution. It’s now all about understanding the end-to-end customer experience and how external and already available services can be utilized with internal solutions to offer a complete and unique offering. Companies will need to complement internal skills with external specialization integrated deeply into the ongoing fabric of its IT application development and infrastructure management. It’s about creating a 24/7 environment that enables product offerings to millions of customers globally.

One leading international travel company, disrupted by start-ups in the market, decided it needed to build up its capabilities to drive its transformation. An important component of its strategy was to use specialized vendors from the external ecosystem to support different capabilities, for example, mobile, search engine, CRM, payments. This approach allowed them to accelerate their transformation, scale up their services, and tap specialized talent as technologies evolved and demand spiked.

3. Modernizing IT to scale innovation

We’ve all heard often enough how torrid the pace of new technologies has become. But it’s worth remembering that many of the new tools have the potential to fundamentally change a company’s business model, though that may not be clear at first. To guard against being caught unprepared and to adopt a more aggressive competitive posture, companies should begin testing these technologies to be ready to bring them on board as soon as their value is proven and they can work at scale. This may be a matter of “playing” with new technology (e.g., alike open source standards) in dedicated sandlots where the connectivity between the internal IT and external IT can be tested. Furthermore IT leaders will need to actively form partnerships or alliances with vendors and service providers to really understand and evaluate how the technology can be used in their business environment.

It is true that many companies have already been actively investing in emerging technologies. For example, many financial-services companies have set up internal corporate venture-capital funds to invest in technologies such as blockchain and the IOT. However, companies have demonstrated less progress—and success—in integrating those technologies into their existing IT infrastructure and successfully extending the value proposition to their customers. The start-ups often have immature technologies that cannot scale, and they often leverage external cloud services that may not be compatible with companies’ own cloud infrastructure. Therefore it’s important for companies to think through how they enable a smooth integration of both technical solution and working culture to fully capitalize on the products that the start-ups are offering. If not done correctly, companies will create the next wave of spaghetti IT infrastructure.

Given the scale of innovation, it would be virtually impossible to keep up unless the CIO designates specific analysts or architects whose job it is to identify and assess the compatibility of external technologies. The DBS Innovation Group, for example, has established a fintech SVP role responsible for identifying, integrating, and managing potential eco-system members. This person leads and drives fintech engagements locally and regionally, and reports to the global head of partnerships.
Regardless of which way—or combination of ways—the CEO and CIO choose, IT moves to the forefront not just of technology but also of business-model innovation.

Getting started with ET

While building out ET is complex and based on many interdependencies, we’ve found that focusing on the following six elements gives CIOs and CEOs a big advantage in getting the most value from it:

1. Rethink the business’ strategy.

Which way, or combination of ways, a company chooses to interact with various ecosystems (or create its own ecosystem) depends on three things: its strategy, the market environment, and the risk appetite of the overall enterprise. This in turn requires the CIO to work closely as a partner with the CEO and C-suite to help shape the business strategy by identifying emerging technologies and ecosystems that could disrupt the marketplace, determine where future sources of value are, and develop necessary strategic actions to capture it. This dialog is a two-way and constant exploration in which technology and business strategy are inextricably linked. The CIO’s role is not just to determine feasibility but to help the business determine what threats and opportunities exist in engaging in ecosystems (see article “The economic essentials of digital strategy”).

2. Develop the infrastructure.

The new bidirectional integration of technologies is dynamic in nature; it happens in real time with thousands of invoking partners or end consumers. This requires companies to redesign the next-generation integration architecture to support it and enforce open standards that can be easily adopted by external parties. A company’s existing master data-management catalog will also need to be extended to include third-party data and potential integration with external master-data providers. There has to be a clear data architecture and governance in place to ensure data cleaning, rationalization, and standardization for the systems to work.

3. Reinvent customer-management processes and structures.

When customers call with technical issues, it will be challenging to figure where the fault points are in an ET environment. Is it the company’s systems, a third party’s services, the cloud that houses the service, the network—or some combination of the above? This reality will require companies to fundamentally rethink their infrastructure-support processes.

Creating SLAs that clearly define issue resolution and escalation protocols that all parties agree to will be crucial. Creating standard identifying tags or ‘tripwires’ and integrating them into participating ET services, partners, and technologies will be important to locate issues quickly so they can be resolved.

These standards and agreements, however, are not an excuse for shuttling customers from one partner to another and another. The customer-facing company needs to solve the issues behind the scenes and spare the customer the complexity of navigating the partners’ ecosystems.

4. Define the parameters for cybersecurity, legal, and partnerships.

As a result of the extended infrastructure, internal cybersecurity policies and processes will need to include third-party partners and vendors. A new set of security standards should be defined and agreed to that clearly articulates how the integration will take place and what kind of data can be exchanged with whom.

Working with a broad range of third parties will raise other legal questions as well. IP, liability, privacy, profit sharing, and regulatory/compliance issues all have the potential to severely impede potential benefits from engaging in the broader ecosystem. Licensing issues have already emerged between cloud companies and on-premises hardware and software businesses because of competing and different business models. Data ownership and customer management in particular will be crucial given the need for companies to access both.

This will call on significant negotiating skills and a commitment to develop and apply a broad set of standards to avoid constant renegotiating with each new partner or vendor from scratch. Setting up an app-store approach where standards are clearly stated, tools provided, and agreements specifically made at the beginning may provide a useful model.

Engaging with a network of vendors also requires changes in skills certification and vendor performance management. Companies will need to clearly define the standards and procedures under which vendors must operate and guidelines that define how the vendor will be included in the delivery lifecycle. Home Depot is developing standards with the manufacturers of its products to ensure compatibility with the Wink connected-home system. Companies that do this most effectively treat vendor relationships as partnerships with strong transparency. The internal-supply and vendor-management functions will need to be restructured to work more like M&A, which can integrate new partners or establish new alliances quickly and efficiently.

5. Cultivate an “open” mind.

CIOs have traditionally focused on protecting systems and ensuring that they run well. But the new digital world demands more active engagement with the outside world to understand competitive threats and sources of value. CIOs should start with developing a much more externally compatible view of the current IT infrastructure and thinking about how to design new ways of meaningfully integrating external systems. Spending a long time building overly complex ‘bulletproof’ systems is counterproductive; testing an application or new platform environment should take a matter of days or weeks.

6. Invest in new  capabilities

As businesses increasingly engage with external ecosystem technologies, full-stack architects and convergence infrastructure engineers are needed who can provide expertise in third-party packaged software, have fluency in multiple best-of-breed technologies, and bring experience integrating multiple technologies. ‘Translator’ capabilities will also be crucial to bridge the gaps between business goals and technology requirements to be provisioned through the ecosystem. Any new function within the enterprise architecture should work closely with business to understand how external services can be integrated with products to extend the customer value proposition.
With the advancement of cloud computing and infrastructure as programmable software, infrastructure resources (e.g., networks, servers, storage, applications and services) can now be rapidly provisioned, managed, and operated with minimal effort. That requires DevOps (the integration of development and operations) and cloud engineers, who have the experience to navigate a rapidly changing cloud computing ecosystem and program software, as well as data scientists, automation engineers, and enterprise architects. Companies will also need to find a few senior developers who can set up app-store development standards.

Companies have outsourced many of these capabilities. But due to the increased importance of engineering and automation skills, many are rethinking that approach as IT evolves from utility to enabler.

Integrating a company’s IT with third-party capabilities creates opportunities to capture substantial new sources of value. But until IT expands to become ET, the vast majority of those opportunities will remain out of reach.

Article link: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/adopting-an-ecosystem-view-of-business-technology

July 16, 2019
Officials outlined plans to drive innovation, streamline IT acquisitions and build a more agile and resilient cyber posture.

By Jack Corrigan, Staff Correspondent

Pentagon officials vowed to improve oversight of their IT investments as part of a multi-year push to upgrade the Defense Department’s tech for the 21st century.

Officials on Friday released their Digital Modernization Strategy, offering insight on how the Pentagon plans to prioritize its roughly $46 billion annual IT budget over the next five years. Cloud adoption, artificial intelligence and cybersecurity will all factor in heavily to the department’s technological future, according to the strategy, but those capabilities won’t be possible unless officials do a better job coordinating their efforts.

“More effective oversight of IT investments is necessary due to the decentralized nature of [Defense Department] operations and spending,” officials wrote in the strategy.

In January, Congress passed a law giving the Pentagon’s chief information officer more authority over IT budget requests and spending plans, and officials said the new measures “will enable continual, comprehensive department-wide IT modernization in a common, coordinated way.”
In the strategy, officials outlined four overarching goals that will guide the department’s tech efforts in the years ahead: innovate for competitive advantage; optimize for efficiencies and improved capability; evolve cybersecurity for an agile and resilient defense posture; and cultivate talent for a ready digital workforce.

Under the first goal, officials pointed to a number of areas where the Pentagon should focus its investments in the years ahead, including cloud computing, artificial intelligence and command, control and communications systems. While each new capability will be critical to maintaining the nation’s technological edge, the department sees cloud adoption as “the foundation” for many of the others, officials said.

Today, the Pentagon is in the process of bidding out two massive cloud computing contracts—Defense Enterprise Office Solutions and Joint Enterprise Defense Infrastructure—worth billions. The platforms are intended to help the department make better use of data and pave the way for emerging technologies like artificial intelligence, and if they’re not up and running soon, Defense leaders fear national security could suffer.

Officials are also ramping up operations at the Joint Artificial Intelligence Center, which will serve as the hub for AI research across the department. In the years ahead, officials plan to focus on building more partnerships between the JAIC, industry and academia, and building a pipeline to scale up the technologies developed at the center.

The second goal—optimize for efficiencies and improved capability—will focus largely on the department accelerating IT procurements and adopting more enterprisewide solutions, as opposed to component-specific systems. Officials plan to accomplish the goal in part by improving category management and technology deployment process, as well as optimizing migrating applications that can’t run in the cloud to optimized, enterprise data centers.

The third goal, agile and resilient cybersecurity, will involve prioritizing security in each step of the acquisition process for “every network, system, application and enterprise service,” they said. Other steps include restructuring the department’s cyber architecture to bolster defenses and digital awareness, deploying an “end-to-end” identity, credential and access management infrastructure, and securing information held by Defense contractors, they said.

Lastly, maintaining the country’s technological capabilities will require the department to build a similarly capable tech workforce, officials said. To that end, the department plans to improve its internal workforce management processes, increase training opportunities for IT procurement specialists and expand programs to recruit and retain cyber specialists.

The government faces a continuous struggle to recruit and retain talented technologists, though the Pentagon has historically fared better than civilian agencies.

Article link: https://www.nextgov.com/it-modernization/2019/07/pentagon-releases-its-5-year-digital-modernization-strategy/158460/

In Beyond Performance 2.0 (John Wiley & Sons, 2019), McKinsey senior partners Scott Keller and Bill Schaninger draw on their 40-plus years of combined experience, and on the most comprehensive research effort of its kind, to provide a practical and proven “how to” guide for leading successful large-scale change. This article, drawn from the book’s opening chapter, provides an overview of this approach and explains why it works. Future articles will deal with specific topics such as uncovering and shifting limiting mind-sets during change efforts, as well as how to create the ownership and energy needed to succeed.

---

Neville Isdell took the helm as CEO of Coca-Cola during troubled times. In his words, “These were dark days. Coke was losing market share. Nothing, it seemed—even thousands of layoffs—had been enough to get the company back on track.”¹ Its total shareholder returns stood at minus 26 percent, while its great rival, PepsiCo, delivered a handsome 46 percent. Isdell was clear eyed about the challenge ahead; as he put it, “There were so many problems at Coke, a turnaround was risky at best.”²

Isdell had a clear sense of what the company needed: to capture the full potential of the trademark Coca-Cola brand, develop other core brands in noncarbonated soft drinks, build wellness platforms, and create adjacent businesses. These weren’t new ideas, and Isdell’s predecessors had failed to make change happen at scale. No matter which direction he set, the company couldn’t make progress until it improved its declining morale, deficient capabilities, strained partnerships with bottlers, divisive politics, and flagging performance culture.

Just a hundred days into the new role, Isdell announced that the company would fall short of its meager earnings-growth target: 3 percent. Later that year, Coca-Cola announced that its third-quarter earnings had tanked by 24 percent. However, Isdell plowed onward, launching what he called “Coca-Cola’s Manifesto for Growth.” The goal was to outline a path that showed not just where the company aimed to go—its strategy—but also what it would do to get there and how people would work together differently along the way.

Isdell launched what he called “Coca-Cola’s Manifesto for Growth.” The goal was to outline a path that showed not just where the company aimed to go—its strategy—but also what it would do to get there and how people would work together differently along the way.

Working teams tackled performance-related issues, such as the company’s new targets and objectives, as well as the capabilities they would require. Other teams addressed organizational effectiveness: how people could work together as a global team; how to improve planning, metrics, rewards, and people development; and how once again to “live our values.” The manifesto was created using a collaborative process to ensure that the organization’s leaders would feel deep ownership and authorship of the program. As Isdell explained, “The magic of the manifesto is that it was written in detail by the top 150 managers and had input from the top 400. Therefore, it was their program for implementation.”³

Soon, the benefits of Isdell’s approach became apparent. Within three years, shareholder value jumped from negative territory to a 20 percent positive return. Volume growth in units sold increased by almost 10 percent, to 21.4 billion. Coca-Cola had amassed 13 billion-dollar brands—30 percent more than Pepsi. Of the 16 market analysts who followed the company, 13 rated it as outperforming.

Quantifiable improvements in people-related measures matched these impressive performance gains. Staff turnover at US operations fell by almost 25 percent. Employee-engagement scores jumped so high that researchers at the external company that conducted the survey hailed what it called an “unprecedented improvement.” Employees’ views of the company’s leadership improved by 19 percent. Communication and awareness of goals rose to 76 percent, from 17 percent. According to Isdell, however, the biggest change was qualitative. Three years into the role, Isdell noted that “when I first arrived, about 80 percent of the people would cast their eyes to the ground. Now, I would say it’s about 10 percent. Employees are engaged.”⁴ When he retired as CEO, he handed over a healthy, well-performing company.

Isdell explained the turnaround’s success by pointing out that he had “taken the ‘how’ as seriously as the ‘what.’” To put it another way, he put equal emphasis on the hard and the soft stuff: performance and health.

Isdell explained the turnaround’s success by pointing out that he had “taken the ‘how’ as seriously as the ‘what.’”⁵ Another way to explain it is that he put equal emphasis on the hard and the soft stuff: performance and health. Performance is what an enterprise does to deliver improved financial and operational results for its stakeholders. Companies evaluate their performance through financial and operational metrics such as net operating profit, returns on capital employed, total shareholder returns, net operating costs, and stock turn (and the relevant equivalents in not-for-profit and service industries). By contrast, health describes how effectively people work together to pursue a common goal. It is evaluated by an organization’s levels of internal alignment, quality of execution, and capacity to renew itself to sustain high performance in an ever-changing external environment. To deliver successful change at scale, leaders should emphasize performance- and health-related efforts equally.

How do we know? In 2010, we wrote Beyond Performance,⁶ which laid out a methodology we called the “five frames of performance and health,” a change-leadership approach that emphasized performance and health equally. The book included the finding (from our 2010 survey of 2,314 global business executives) that only a third of those who had experienced a large-scale change program during the previous five years reported that it had been “mostly” or “completely” successful. This was consistent with findings from previous research that we had conducted and others in the field had reported.⁷ By 2015, we felt enough time had passed to test how well the five-frames approach worked. A global survey of 1,713 executives who had taken part in at least one large-scale change program during the previous five years showed that 79 percent of those organizations fully implementing the five-frames methodology reported success.

The value of health

Quotes about the importance of organizational health could fill a whole article, if not a whole book. Yet many leaders think that however well this wisdom works elsewhere, it won’t for their companies. Still others argue that they must improve performance first or that the people-oriented aspects of change don’t have a proven return on investment. Our research, over many years, has therefore focused on determining—through hard facts—how much value organizational health creates. When we wrote Beyond Performance, we had accumulated 600,000 data points across 500 organizations from our Organizational Health Index survey tool since its development in 2002, which meant that we had the data required to answer the question once and for all.

When we tested for correlations between performance and health on a broad range of business metrics, we found a strong positive one in every case. Companies in the top quartile of organizational health were 2.2 times more likely than lower-quartile companies to have above-median EBITDA⁸ margins, twice as likely to have above-median growth in enterprise value to book value, and 1.5 times more likely to have above-median growth in net income to sales.

Now, almost ten years later, with more than five million data points across 2,000 organizations, the analytics tell the same story. Companies in the top quartile of organizational health had total shareholder returns three times greater than bottom-quartile companies, and their returns on invested capital were two times higher (Exhibit 1). Companies in the bottom quartile for health didn’t experience any growth in sales; top-quartile ones averaged 24 percent sales growth.⁹

The correlation between health and performance doesn’t necessarily mean that the relationship is causal. Education and income are highly correlated, for example, but it is just as logical to argue that a higher income creates opportunities for a higher education as that a higher education creates opportunities for a higher income. This is why we haven’t rested our case on correlations alone. We’ve also tested the relationship over time. First, we looked at regression coefficients between comparable units within organizations—for example, the performance and health of branches in bank networks, hospitals in healthcare networks, stores in retail networks, and oil refineries in oil companies (Exhibit 2). We’ve found, in every case, that health explains more than 50 percent of the variation in performance across locations.

We’ve also tested causality by conducting extensive research comparing experimental and control groups over multiyear time frames. One group embarked on change in a traditional, relatively performance-oriented way, the other used our five-frames approach. After running five longitudinal tests in industries as diverse as telecommunications, mining, financial services, and retailing, we found that the experimental groups applying the balanced performance-and-health approach delivered results that, on average, were 1.8 times higher than those of groups using the traditional one (Exhibit 3).

For example, at a large financial-services institution, we studied two experimental groups and a control group, which were comparable and representative of the wider organization across a range of criteria, including net profit before taxes, branch-staff characteristics, and customer economics (average income per customer in retail banking and industry composition in business banking). Over an 18-month period, each experimental group pursued a sales-stimulation program, one using a more traditional, performance-heavy approach, the other emphasizing performance and health equally. During the trial, we took care to minimize distortions (corporate initiatives such as operational restructuring, leadership changes, and significant staff turnover) that might disproportionately affect any one group.

The results of the study were compelling. In business banking, the traditional approach generated 8 percent more value than the control group did, but the performance-and-health approach generated 19 percent more value than the control group. In retail banking, the respective figures were 7 and 12 percent. With findings like these across multiple industries, we felt that the case for causation was well and truly closed. This proof that health is a significant causal driver of performance is great news for leaders. Unlike many factors that affect performance—changes in customer behavior, competitors’ moves, government actions—your organization’s health is something you can control.

The perils of performance

Emphasizing performance and health equally isn’t simple. When your company requires large-scale change, for example, spending time on health may seem counterintuitive. In fact, companies can and often do make short-term gains without improving their health, but these are unlikely to last.

Perhaps the starkest example of the perils of pursuing performance at the expense of health is the story of Albert J. Dunlap—“Chainsaw Al”—famous for taking over struggling companies, ruthlessly downsizing them, and selling them at a profit. When he took over the US appliance-maker Sunbeam, he sold two-thirds of its plants and fired half of its 12,000 employees. Ironically, the stock price of Sunbeam then rose so high that he couldn’t sell it quickly. Having compromised its health, Dunlap now needed to sustain its performance for the foreseeable future. But the damage was too great. Two years later, the company faced quarterly losses as high as $60 million, and Dunlap was fired.

By contrast, when Louis Gerstner became CEO of IBM, he decided—in the face of pressure from Wall Street—not to focus exclusively on improving its performance but instead to devote considerable effort and resources to lifting its health as well. Under Gerstner, the company strived to act as “one IBM” across its businesses: it became more externally oriented and less arrogant, trimmed its bureaucracy, and adopted a continuous-learning mind-set. By the time Gerstner retired, nine years later, IBM’s stock had increased in value by 800 percent, and the company had regained its leadership in parts of the computer, technology, and IT-consulting sectors.

Perversely, the greatest obstacle to emphasizing health in an appropriate way isn’t an urgent performance imperative but rather its absence.

Gerstner was courageous to work on IBM’s culture despite the threat that the company would fail. Yet, perversely, the greatest obstacle to emphasizing health in an appropriate way isn’t an urgent performance imperative but rather its absence. When organizations are thriving financially, a certain complacency may set in, so that their health declines. That in turn leads, in the least-bad case, to a slow decline in performance and, in the worst, to an existential crisis.

Consider the cautionary tale of Atari. Founded in 1972 to develop electronic games, which were then just a figment of a designer’s imagination, the company sold $40 million worth of them and earned profits of $3 million in 1973. Not long afterward, deep-pocketed owners who invested heavily in R&D bought Atari. By 1980, it had posted revenues of $415 million and was hailed as the fastest-growing business in US history.
Yet Atari soon began to crumble from inside: teamwork declined, communication broke down, a risk-avoidance culture set in, investment in R&D fell, and the quality of products was sacrificed to push them into the market more quickly. The result was some of the biggest duds in video-gaming history. Alienated engineers departed, many to found or join rival companies. By 1983, Atari had lost $536 million and resorted to massive layoffs. It never recovered. The shell of the company—little more than a brand name—was sold in 1998 for only $5 million. Atari was so focused on performance that it was unaware of its deteriorating health.

By way of contrast, consider the case of Pixar, the computer-generated-animation studio. Pixar has 15 offerings that rank among the 50 highest-grossing animated films, and it has earned 19 Academy Awards, eight Golden Globes, and 11 Grammys. Its president, Ed Catmull, who had no business experience before cofounding the company, says that its development process is unusual: “Our development team doesn’t look for stories. Their job is to create teams of people that work well together.”10

That isn’t the company’s only distinctive feature. An average Hollywood studio produces six to 12 films a year. Pixar produces just one—a risky bet, since an animated film costs about $180 million to make. “We have realized that having lower standards for something is bad for your soul,” Catmull explained. Taking the right risks and accepting the reality that bold, innovative ideas demand a tolerance for uncertainty are central to the culture. As Catmull says, “Talent is rare. Management’s job is not to prevent risk but to build the capability to recover when failures occur.”11

Pixar focused on health to build a strong organization from the start. Other companies have learned over time the importance of pursuing performance and health in equal measure. In 2009, for instance, General Motors (GM)—once the world’s dominant carmaker—filed for bankruptcy and accepted a $50 billion US government bailout. The company then underwent an 18-month turnaround that enabled it to pay back a significant portion of that money and to reenter the stock market in 2010. Many observers suggested that GM was on track, but though performance was on the upswing, underlying health issues remained.

Soon enough, in 2014, the devastating ignition-switch problems of GM cars left at least 124 people dead and 275 injured. An internal investigation attributed this disaster to organizational-health-related factors.12 Mary Barra, who took over as CEO in 2014, vowed to improve not only the company’s performance but also its health by focusing on accountability, teamwork, results, candor, transparency, and customers. 13 Her efforts seem to be paying off, with three profitable years and a strong balance sheet. As GM’s experience shows, when organizations tend to their health, it really does improve—and so does performance.

The five frames of performance and health

How can change leaders emphasize performance and health equally in practice? There are no simple guiding principles or rules of thumb—if there were, success rates would no doubt be much higher than 30 percent. However, we can offer a structured, careful, and proven methodology that has now been battle tested and further refined for almost ten years: the five frames of performance and health.

This approach divides the overall change journey into smaller, more manageable stages. Each stage has a basic question companies must answer through their work at that point in the journey. It’s easy to know when to advance from one stage to the next—if you have the answer, move forward. These five stages are collectively called the “5As”:

• Aspire. Where do we want to go?
• Assess. How ready are we to go there?
• Architect. What must we do to get there?
• Act. How do we manage the journey?
• Advance. How do we continue to improve?

For each of these five stages, we offer explicit, practical guidance for addressing performance and health. It takes the form of five frameworks for performance (one for each stage) and five for health (ditto). These are the frameworks for performance:

• Strategic objectives (aspire). Create a compelling long-term change vision, set midterm aspirations along the path, and guard against biases in the process.
• Skill-set requirements (assess). Forecast demand for skills and understand their supply dynamics; then decide how to close gaps.
• Bankable plan (architect). Define the portfolio of initiatives that will realize your strategic objectives and meet your skill requirements; then sequence your actions and reallocate resources accordingly.
• Ownership model (act). Establish strong governance, decide how to scale your change initiatives, monitor their progress, and dynamically adjust them throughout implementation.
• Learning infrastructure (advance). Institutionalize processes and expertise so that the organization shares knowledge, constantly improves, and continually learns how to do new things.

Here are the five frameworks for health:

• Health goals (aspire). Objectively check your organization’s health, choose where to be exceptional, and target areas that need immediate improvement.
• Mind-set shifts (assess). Pinpoint helping and hindering behaviors for priority health areas, explore the underlying mind-set drivers, and prioritize a critical few “from–to” mind-set shifts.
• Influence levers (architect). Use four levers to reshape the work environment: role modeling, understanding and conviction, reinforcement mechanisms, and confidence-building efforts. Then ensure that performance initiatives are engineered to promote the necessary mind-set and behavioral shifts.
• Generation of energy (act). Mobilize influence leaders, make the change personal for employees, and maintain high-impact, two-way communication.
• Leadership placement (advance). Prioritize ongoing roles by their potential to create value, match the most important ones to the best talent, and make the talent-match process business as usual.

The advance stage prepares the way for another five-frames cycle, starting once again with aspire. This approach helps organizations to drive multiple S-curves of change: an intensive period of activity and radical improvement, followed by a period of consolidation and incremental improvement, eventually followed by another ramp-up in intensity, and so on. If both performance and health improve during each cycle, the organization over time “learns to learn” and changes continually.

This approach helps organizations to drive multiple S-curves of change: an intensive period of activity and radical improvement, followed by a period of consolidation and incremental improvement, eventually followed by another ramp-up in intensity, and so on.

To apply this approach, it’s important to understand how the elements work together horizontally and vertically. Let’s start with the horizontal elements.

In practice, the performance and health elements of each stage are far more integrated than the previous discussion implies. Early on (for example, in the aspire stage), the work related to each element of performance and health is relatively self-contained. Later, as the work moves from planning to action, efforts to boost performance increasingly reinforce health, and vice versa. By the act stage, employees experience a single, integrated change program—the distinction between performance and health is semantics. Unfortunately, however, some leaders grasp the concepts of performance and health but not the need for integrated activity to promote them. They therefore tell their business heads to “do the performance stuff” and HR to “do the health stuff.” That approach is doomed to fail.

---

Now let’s consider the vertical relationship between the elements of performance and health. Although we lay out the 5A change process in a linear way, from aspire to advance, in practice it must be applied far more dynamically. In the assess stage, for example, an organization may discover that its readiness to change is so doubtful that the aspiration it set earlier isn’t realistic. If so, the next step is to move backward. That must also happen if new discoveries or unexpected events in the act stage invalidate assumptions in the architect stage.

Mastering irrationality

The Nobel Prize–winning physicist and Santa Fe Institute cofounder Murray Gell-Mann once asked people to consider “how hard physics would be if particles could think.”¹⁴ The “particles” in the physics of change—employees—can not only think but often do so in seemingly irrational ways. As the change journey unfolds, smart leaders must therefore understand the social science of “predictable irrationality.”¹⁵ When people are in a hurry to park, for example, how many circle around a parking lot to find the most convenient space when it would be much quicker to take the first one they see? Why take home pencils from the office without guilt if the idea of raiding the petty cash to buy pencils would shock you? As these examples show, we are all susceptible to irrationality in decision making.

The social, cognitive, and emotional biases that promote seemingly irrational decisions are well understood by the field of behavioral economics. That isn’t true for change management and organizational leadership, but it should be.

The social, cognitive, and emotional biases that promote seemingly irrational decisions are well understood by the field of behavioral economics. That isn’t true for change management and organizational leadership, but it should be. In each stage of the 5A process, leaders ought to consider important lessons about human irrationality and how to work with it constructively. We call this part of the effort the change leader’s “masterstrokes”: building buy-in by involving the people who will execute a solution in its development; paying as much attention to what’s going well (and trying to get more of that) as to finding and fixing problems; thoughtfully describing the “why?” of change to tap into five sources of motivation; signaling a long-term, reciprocal relationship with employees rather than a transactional one; and putting equal effort into ensuring a fair process and a fair outcome.

Exhibit 4 shows the specific steps within each of the five frames of performance and health, as well as the relevant masterstrokes.

Many workplaces are characterized by competing agendas and conflict (no alignment on direction), by politics and bureaucracy (low quality of execution), and by the corrosive idea that work is “just a job” (a low sense of renewal). These aren’t just unhealthy for companies that want to deliver sustainable bottom-line results—they are unhealthy for the human soul. As the Japanese proverb goes, “Vision without action is a daydream. Action without vision is a nightmare.”

Healthy organizations, by contrast, unleash our potential and uplift our spirit. They inspire (aligning on a big, important goal), create a sense of belonging (executing as one team), and foster creativity and innovation (through a sense of renewal). To paraphrase motivational speaker Joel Barker’s riff on the aforementioned Japanese proverb, healthy organizations connect vision with action to change the world.

In this way, putting equal emphasis on the performance and health elements of leading organizational change doesn’t just improve the odds of success; it improves the lives of employees, builds an organization’s resilience, and creates a pro-change mind-set.

About the author(s)

Scott Keller is a senior partner in McKinsey’s Southern California office, and Bill Schaninger is a senior partner in the Philadelphia office.

Article link: https://www.mckinsey.com/business-functions/organization/our-insights/a-better-way-to-lead-large-scale-change

March 22, 2019
Roosa Tikkanen

Toplines
“Medicare for All” has captured a lot of attention, but there is a wide range of approaches to universal health coverage, as other countries show

Countries that have universal health coverage achieve it in different ways, with some relying more on public insurance and others on regulated competition among private plans

Last week, the Commonwealth Fund released an interactive tool to help people compare recent congressional bills aimed at expanding health insurance coverage and lowering the cost of health care in the United States. Using the tool allows you to see how much each bill would expand the nation’s public health insurance system, or those aspects regulated or run by state and federal government.

While “Medicare for All” has captured the most attention, a comparison of the reform proposals reveals that their approaches to achieving universal coverage are far more nuanced than this term would suggest. “Single payer,” meanwhile, is generally used to describe how other wealthy countries organize their health systems. But a closer look similarly shows a wider variety of approaches than this catchall term implies. Other high-income nations manage to insure all their residents and spend less per capita than the U.S. But some of them do that by covering everyone through a regulated system of health plans, while others truly have a single public plan for everyone.

Countries also diverge in their approaches to financing health care — relying on different combinations of taxes, premium contributions, and cost-sharing — and in how they control growth in overall costs. Finally, while nearly all the health systems feature a role for private insurance — a fact that might surprise many in the U.S. — its size varies considerably.

Let’s take a closer look at how eight of our peer countries get to universal coverage, how much they pay for their health care, and what role private insurance plays in each.

A Regulated System of Health Plans

One way to achieve universal coverage is through a system of competing private health insurance carriers. In the Netherlands and Switzerland, people are legally required to buy private insurance or else pay a fine. The Dutch choose between plans offered on a national marketplace, while the Swiss shop on regional marketplaces. These systems resemble the marketplaces introduced in the U.S. by the Affordable Care Act (ACA).1
But there are key differences. In the Netherlands, financing is shared between individuals and their employers, and insurance plans also cover dependents. But the Swiss pay the entirety of their plan costs, and children require the purchase of separate plans.

The Dutch also pay lower premiums, averaging around $115 to $150 per month, compared to $385 per month in Switzerland. In comparison, average employee premiums in the U.S. in 2017 were $118 for single-person plans and $435 for family plans. Approximately 40 percent of the Dutch, moreover, receive tax subsidies to purchase insurance, similar to the subsidies introduced by the ACA.

Cost-sharing is also lower in the Netherlands: there is none for primary care and preventive services, while copayments for other services are capped at $475 per year, after which they are free. By contrast, the Swiss face copayments for all services up to a deductible of their choosing, between $248 and $2,065. After this, 10 percent to 20 percent coinsurance applies on all services, capped at $579 per year for adults. All told, average annual out-of-pocket costs in Switzerland are nearly four times higher than those in the Netherlands ($2,313 vs. $605).

A Single Public Plan

In countries that have public insurance systems, also known as “single payer” systems, national, regional, or local governments are the main payer of health care. In the United Kingdom, the National Health Service is funded by national taxes, while other systems are decentralized, with revenues raised through regional taxes (Canada) or local taxes (Sweden). In Norway, funding is split: primary care is funded through municipal taxes, while national taxes pay for hospital and specialty care.

The House and Senate bills that would introduce a single public plan for the U.S., however, differ from the approaches taken in other countries in two important ways.
First, many of these proposals would impose no patient cost-sharing. This is in contrast to Scandinavia, where patients pay copayments for most services. Norwegians pay $17 (U.S.) for primary care visit, $39 for specialist visits, and up to $51 for prescription drugs. At the same time, total annual out-of-pocket spending is capped at $221 per year (as of 2017), after which services are free; also, vulnerable populations such as children and pregnant women are exempt from most cost-sharing. Even in countries where physician and hospital services are free, such as the U.K. and Canada, patients pay some portion of prescription drug costs.

Second, the single public plans that have been proposed in the U.S. so far would provide everyone with a wide range of benefits, including vision, dental, and long-term care. Most countries with universal coverage, however, cover vision and dental benefits only for targeted populations such as children and low-income adults. Similarly, long-term care is not typically covered. Instead, these services are financed separately, whether through national long-term care insurance or local taxes.

Private Coverage: A Bit Part or a Featured Role?

In all countries with universal coverage, at least some portion of the population has secondary private insurance, either to help pay for noncovered services like dental and vision care or physiotherapy or to provide quicker access to elective care or private providers.

While less common in England and Norway — where only one in 10 has private coverage — private insurance plays a large role in several other countries. In Canada, the majority of residents have private insurance for prescription drugs — which the national program doesn’t cover — and other benefits, paid mostly through employers.2

In Australia, the federal government has introduced strong financial incentives for adults to purchase private hospital insurance, such as premium discounts for younger adults, financial penalties for high-income earners who don’t purchase coverage, and rebates on premiums. As a result, approximately half of Australians have purchased such coverage.

One country allows its residents a choice between two systems. In Germany, everyone is mandated to have coverage, and the majority choose among 110 nonprofit insurers known as “sickness funds.” This type of coverage is financed by individuals and their employers through payroll contributions (cost-sharing is relatively low). But the government allows people to opt out of this system entirely.

About one in 10 Germans choose instead to get private coverage from for-profit and nonprofit carriers; they pay for it entirely themselves through contributions. This option is particularly attractive to higher earners and to younger adults, to whom insurers typically offer generous benefit packages and lower premiums.

Weighing Options

Several members of Congress have proposed — or plan to propose — ways to cover the remaining 28 million uninsured Americans, reduce the number who are underinsured, and lower the overall rate of cost growth. The health systems described here all get to universal coverage while paying less for health care — and often with better health outcomes — than the United States. If we as a nation aim to achieve similar results, it will be informative for lawmakers to carefully consider the full range of options these other systems represent.

1. Their insurance requirement also resembles the ACA’s individual mandate, although the penalty for not having coverage was eliminated by the Trump administration and Congress beginning January 2019.

2. Most Canadian provinces and territories also operate public prescription drug plans for targeted populations such as children, the elderly, or people receiving social assistance.

Article link: https://www.commonwealthfund.org/blog/2019/universal-health-coverage-eight-countries