Green Line
Jun 2nd, 2008 by sherri
Earlier this week, two Green Line trains crashed. Apparently the young woman who was driving the second train failed to apply the brakes, and smashed into the train ahead which had stopped at a red light. The driver was killed and nine other people were injured. MBTA representatives said that we were very lucky that more people were not hurt.
“We know a lot of you must be wondering: ‘Just how safe is this system?’” commented a WCVB newscaster. In the wake of the accident, WCVB did a report on the history of Green Line crashes, and determined that the majority of accidents were similar: one train was stopped, and another slammed into it. The Green Line is the oldest and most heavily used light-rail system in the nation. Much of it runs above ground, through busy city streets, stopping at traffic lights just as the cars do.
I often cross in front of the Green Line at lights, and it never fails to occur to me that as the train approaches, there is nothing enforcing the traffic signal, no technology other than the human mind to prevent it from running me over. It’s truly amazing that the system is as reliable as it is.
To a security professional, this sounds like par for the course. You can, for example, apply the same sentiments to the traffic system in general. Every day we entrust our lives to thousands of other drivers, and every day, 99.99% of them earn that trust. The streets have potholes, construction, pedestrians jaywalking, bicycles weaving in and out of traffic. When I rollerblade down narrow city streets, every single driver has to see me and deftly move a little to the left to avoid an accident. The system is extremely complex and dependent on zillions of risky interactions, but surprisingly it functions relatively smoothly.
In his recent talk at SourceBoston, Dan Geer said:
“[T]he NIMDA virus appeared the evening of September 18, 2001… Until that point, we’d never seen a virus that had carried more than one method of attack, and NIMDA had five. …Because NIMDA had five methods for propagation and because it was evidently written with speed in mind, NIMDA was also the fastest spreading virus we had yet seen. That rate of spread is known amongst infectious disease people as virulence.
“An older virus called E911…. would cause your modem to dial 911 repeatedly. …The E911 virus was old and forgotten on September 18, 2001, but it was still available on the net and, of course, the Internet in the fall of 2001 was still dominated by dial-up connections. We got lucky in the simplest, stupidest, dumb luck kind of way. No jackass had the imagination to grab the E911 virus and re-target it at the backdoor NIMDA was busy installing at warp speed everywhere while we all were pre-occupied with watching CNN 24×7. If someone had done that, then everyone in America would have gotten up the morning of September 19 only to find that there was no emergency service available nationwide; it would have been turned off everywhere and all at once, like a light switch.”
Another complex system which has functioned miraculously well is our city’s food supply. Paul Hawken comments, “In studies of complex adaptive systems at the Santa Fe Institute, it has been noted that food enterprises in the city of New York, and other cities like it, manage to keep all restaurants and stores completely supplied while not retaining more than a few days’ reserves. Quoting John Holland, computer scientist and fellow of the Institute, ‘From the point of view of physics, it is a miracle that happens without any control mechanism other than sheer capitalism.’”
Why do our traffic systems, food systems, and computer systems work as reliably as they do? I often refer to humans as “unreliable components,” but clearly this isn’t always the case. Sun Tzu writes that “the art of war is governed by five constant factors…” The first of these is “the Way” or “the Moral Law,” which “causes the people to be in complete accord with their ruler, so that they will follow him regardless of their lives, undismayed by any danger.” In other words, when the motivations of individuals are in alignment with each other and the authority, the established system is stable and effective. It clearly doesn’t benefit drivers to crash into other cars or drive on the wrong side of the road, so generally they don’t.
I believe this is why our world functions today, and why the Internet is alive and well despite the fact that it could be flooded by viruses at any moment. As frightened as we are of terrorists, attackers today gain greater benefit from exploiting a stable system than crashing it entirely. Many security professionals have commented that this is why we don’t see “noisy” viruses anymore which DoS the entire Internet, as we did six or eight years ago. There are more profitable, subtler ways for attackers to spend their time. Above and beyond that, there are millions of people working constantly to support the established systems because they benefit from doing so.
We can’t address even a thousandth of the potential safety and security issues which exist throughout our society, from transportation to medicine to food and water. Given this, perhaps the most effective way to improve security of the Internet, and our world in general, is not to focus on the symptoms or even the infinite vulnerabilities themselves, but to ensure that, as Sun Tzu says, “the Way” of the global population is in line with “the Way” of the establishment. In short, we need to make sure that people benefit more from maintaining the system than risking destruction. If “we” are afraid of nameless terrorists and organized crime and attackers around the globe, then perhaps the simplest solution is to change the definition of “we.”
In the cities, there will always be transportation accidents. On the Internet, there will always be script kiddies and malware. When it comes to computer security, we can apply the lessons illustrated in our transportation system: Ensuring the stability of a system is not a matter of fixing infinite specific vulnerabilities or trying to achieve 100% reliability (impossible in a complex, changing system with limited resources). Instead, it is about accepting risk, and setting up a self-stabilizing environment in which individual components benefit from supporting and improving the functioning of the whole.

