Shostack + Friends Blog Archive


Compliance Lessons from Lance

Recently, Lance Armstrong decided to forgo arbitration in his fight against the USADA over allegations of his use of certain performance enhancing drugs. His statement is “Full text of Armstrong statement regarding USADA arbitration.” What I found interesting about the story is the contrast between what might be termed a “compliance” mindset and a “you’re never done” mindset.

The compliance mindset:

I have never doped, and, unlike many of my accusers, I have competed as an endurance athlete for 25 years with no spike in performance, passed more than 500 drug tests and never failed one. — “Lance Armstrong Responds to USADA Allegation”

Lance’s fundamental argument is that what matters is the tests that were performed, in accordance with the rules as laid out by the USADA, and that he passed them all.

Now, there are some pretty specific allegations of cheating, and we can and should think critically about what his former teammates, now authors, have to gain by bringing up these allegations.

But there’s a level at which those motivations have nothing to do with the facts. Did they accept delivery of certain banned performance enhancers? (I’m using that phrase because there are lots of accepted performance enhancers, like coffee and gatorade, and I think some of the distinctions are a little silly. However, that’s not the focus of this post.)

What I’d like to talk about is the damage that can come from both the compliance mindset and the “you’re never done” mindset, and what we can take from them.

The compliance mindset is that you perform some set of actions, you pass or fail, and you’re done. (Well, if you fail, you put in place a program to rectify it.) The USADA is illustrating a pursuit of perfection of which I’ve sometimes been guilty. “You’re never fully secure!” “You have to keep looking for problems!”

Neither is the only way to be. In Lance’s case, I think there’s a simple argument: the USADA did its best at the time to ensure a fair race. Lance won a lot of those races. The Orwellian re-write of the official histories by the Ministry of Drugs doesn’t change history.

What matters is the outcome, and in racing, there’s a defined finish line. You make it across the line first, you win. In systems, there’s less of a defined line, but if you make it through another day, week, year without being pwned, you’re winning. All the compliance failures not exploited by the bad guys are risks taken and won. You made it across the finish line.

What’s ugly about the Lance vs USADA case is that it really can’t be resolved.

There are probably more interesting compliance lessons in this case. I’d love to hear what you think they are.

4 comments on "Compliance Lessons from Lance"

  • adamo says:

    “if you make it through another day, week, year without being pwned, you’re winning”

    Maybe I am a pessimist, but I view it as one more day closer to being pwned.

  • Nick Owen says:

    So should companies maintain logs as long as the USADA maintains urine?

  • cc says:

    Nice food for thought.

    One lesson might be don’t start a private compliance entity that isn’t itself capable of being openly audited by the people it is designed to serve and protect. If the system fails to detect non-compliance in a timely manner, it seems one of the top priorities would be to fix that problem.

    But without someone watching the watchers, I fear it is too easy for quasi-governmental private compliance entities like the USADA to settle for mere compliance theater as their end product. If the agency is not accountable to anyone, what does it matter as long as they put on a good show? They sure put on a show with Lance Armstrong.

    But the real story in my mind is why couldn’t the USADA catch this before he even won his first medal? Isn’t that what other athletes are counting on? If he was certified even though he shouldn’t have been, that itself is also a monumental failure in the compliance process.

    I have seen this time and again in security tools, they fail and nobody knows they failed because nobody is watching how they run, just the end results. Eventually a vulnerability is finally discovered out of band and so much attention is paid to the vulnerability that people forget that their security tool should have caught it earlier and prevented it. Sometimes that post-mortem discussion happens, and things get improved, but sometimes it doesn’t. Especially if there is nobody watching the watchers.

    My gut feeling here is that something is wrong at USADA too. What they seem to be forcing on elite athletes sounds more invasive than what the TSA is doing on a daily basis to innocent American women and children at our nation’s airports with the body scanners and pat-downs.

    Compliance theater.

  • Regulation in many cases ossifies what is forbidden at a point in time and quickly becomes irrelevant as things change. The economist Arnold Kling has put forth the concept of principles based regulation. A general exposition of the idea can be found here.
    http://american.com/archive/2012/may/why-we-need-principles-based-regulation

    Worthy of discussion in its own right vis-à-vis info sec.
