One Bad Apple

I generally try to stay on technical topics, because my understanding is that’s what readers want. But events are overwhelming and I believe that not speaking out is now a political choice.

I want to start from this Chris Rock video:

I hadn’t seen it before, but I have spent a lot of time studying how airlines respond to problems, and you know what?

When Germanwings had one bad apple, Europe rolled out new rules on pilot mental health.

That’s how you deal with the bad apples. You don’t let them spoil the whole lot. So what does that mean? The obvious answers are things like “fire them! Prosecute them!” Those are attractive answers. They seem like good ideas. Like a key part of justice for the victims. A key deterrent to future incidents.

Another element from my work is that to improve, we need to learn. Learning is hard when emotions run high (this is not a criticism; it’s a biological reality). Learning is hard when people are getting blamed. Etsy has done great work in how to facilitate blameless postmortems. But their post-mortems are not literal ones. No one knelt on someone’s neck for 9 minutes. But, in this incident and almost every one like it, it turns out that the officer had a history of less impactful incidents. Today, we use adversarial processes to investigate those (review boards, courts). We know that adversarial approaches are at odds with learning. They result in dug-in heels, justification, righteousness, not understanding of the other side’s position.

A large part of me wants to be righteous, and declare that even these smaller incidents should bring down the wrath of the system; that when police are failing to serve and protect, there should be Consequences.

But is that desire for consequences actually reducing our ability to change? If so, what do we do?

I make no claims to answers to these questions. There are clearly important differences between a computer security issue and death or “even” serious injury, and I don’t claim that the analogies are perfect.

I want to thank Nicole Forsgren for inspiring me to write this.

6 Comments on "One Bad Apple"


  1. This is a complex set of problems with no easy solutions – and it will take “real” leadership from people who are not in it for themselves. That leadership is not there at the national level (you do see it at some state level). This is a fundamental societal problem for the USA which will require sustained efforts over generations. And it will require many things to happen on many fronts – a coordinated effort.

    I suspect that things will get worse before they get better, unfortunately.

    As to the “…when police are failing to serve and protect…”, I leave you this. https://youtu.be/jAfUI_hETy0


  2. Well said, Adam, thank you for speaking up. Your point about non-adversarial learning is spot on.
    Not to change the subject, but to connect this to my own experience, proactive software security reviews always work best when the tone is kept non-judgmental. That’s why I believe it’s so important to involve the entire team in any security effort; the experts can effectively lead, but not carry the full load.

    This time, with so many novel factors in play all at once, it does really feel different. I remain optimistic that there is extraordinary opportunity in crisis, and while it will surely be messy, we can accomplish far greater and faster progress if we “strategize, organize, and mobilize”.

    [That quote is from Killer Mike, speaking recently at the mayor’s press conference in Atlanta.]


  3. I’d like to add one idea that is based on experience in digital security that I think is greatly needed.
    All government authorities – police force personnel are the prime example now – should always act with accountability, and the best way to ensure that is strong authentication.

    Specifically, it should be law that all police are prominently identified, either by name or if there are security concerns then a short random identifier that authorities can map to an individual. Unit commanders should be held responsible for all personnel being clearly and accurately identified, visible front and back, as a precondition of deployment, and intentionally obscuring this should be a serious federal offense.

    We have body cams that aren’t perfect, and increasingly there are citizen videos, but the lack of clear identification and the anonymity of riot gear and masks makes it too easy to dismiss complaints. With the exception of undercover operations, why shouldn’t any government officer be easily identified? Why isn’t this already the law?
