By User701213-Oracle on Jul 30, 2008
This summer Idaho has had the loveliest profusion of wildflowers I’ve ever seen, the product of a healthy snow pack, full reservoirs and a late spring. Happily enough, many wildflowers have seeded themselves in my rock garden, which is far more diverse and healthy than is the case with whatever else is planted that is not coming up because I have a black thumb. (I’ve actually thought about planting weeds and hoping invasive flowers take over. A girl can dream.)
I also have excellent early warning systems in my backyard in Idaho. Specifically, the critters I support on my property are all – individually and collectively – quite good at alerting me when Something Is Happening. Birds, pine squirrels (more on them later) and – last but not least – my dog Thunder are all very good alarm system proxies. It took me a couple of years living away from large urban enclaves to learn how to “read” nature’s cues. Now, my ears have been retrained to the point that I listen to the birds, squirrels and my dog when they are trying to tell me something. I claim no special nature skills but I like to think that family genes (my grandfather was and my father is a consummate woodsman after years of hunting) are asserting themselves.
When I sit out in my backyard and hear the “chit-chit-chit-chit” of a pine squirrel, I know that it means “intruder at twelve o’clock.” Pine squirrels are really noisy, and thus very good at telling you when somebody or something is coming, at least 6 trees away from the action (and yes, I can tell the difference between pine squirrel alarms and pine squirrel pickup lines). The birds also get noisier, and in a different way, when there is a (fox, dog, cat, coyote, other) prowling through the sage brush that I can’t see, but I know is there because the birds have gone to Defcon 4. Thunder also has entirely different barks for “someone’s coming up the driveway I know,” “someone’s coming up the driveway I don’t know” and “a fox just ran across the porch and is hightailing it for the back yard.” The prize for alarm specificity goes to my sister’s miniature schnauzer Sneakers, whose bark (in increasing order of frenzy) refers to: a) a jogger b) a squirrel c) a fox d) the neighbor’s white dog e) deer or f) lots of deer.
My other “tenants” (the family of white-throated swifts that nests under my peaked roof) don’t warn of “incoming,” but they keep pests out of my yard. Late afternoon, there are eight to ten of them in aerial dogfights with any flying insects that darken my airspace. Watching the sparrows turn, bank, and maneuver is just about as big a thrill as watching the Blue Angels. I like to grab a glass of wine at the end of the workday, go outside and watch the swifts on evening pest patrol. It’s very soothing and lends new meaning to the phrase, “running the debugger.”
One of the things I have been doing some thinking and speaking about is the idea of synthesis. More specifically, the lessons we can learn in IT security from other disciplines, such as business, economics, history (especially military history and strategy) and biology. I confess that I felt a little nervous speaking on this topic at a university recently, because I figured any one of the professors or graduate students in the audience knew more than I did about IT security – certainly on the nerd level. On the other hand, they are all in the perfect environment to think differently about their profession via synthesis: all they have to do is walk across the quad to talk to another department. In fact, a professor of biology I met said that at her university, there was a tight synthesis between the computer science and biology departments. Each department had realized that they were kissin’ cousins, so to speak.
Of course, we IT security weenies know this intuitively. We speak of computer “viruses” because they “infect” vulnerable hosts unless the host has been “inoculated” against them. Some of the research going on focuses on making hosts just different enough that viruses are not able to infect all of them. Mirroring the arms race that biological hosts and opportunistic germs engage in, virus makers try to find ways to defeat anti-virus defenses by disguising their nasty, germy little packages so they aren’t recognized by the defense systems – just like you can’t be inoculated against the common cold because there are so many slightly different rhinoviruses, as I know all too well because I have spent two weeks and then some getting rid of a particularly rotten summer cold. And, just as in biology, computer viruses do not want to kill the host, but to use it.
A few years ago, there was an interesting paper positing that a software monoculture was a national security risk. That is, a lack of “biological diversity” in enterprises makes those enterprises more vulnerable to a cyber plague that affects the entire enterprise, not just a portion of it (just like the Irish potato famine wiped out millions of people because the strain of potatoes grown in Ireland was not resistant to the potato blight). Note that there is some happy medium here. If it is true that running only one kind of software may make the enterprise more susceptible to a cyber plague, it’s also true that running one of every type of application, database, operating system, and so on is neither economical nor easily secured, as one would have to be an expert in absolutely everything to manage such a system.
We know that biological entities use trickery to survive, thrive and propagate. Moths disguise themselves as other, more toxic moths to fool predatory birds. (What is a honey pot but a technical equivalent of a biological system designed to attract predators?)
I have read a couple of fascinating books on how companies are modifying plants to be resistant to some diseases. This is not without risk or without controversy. The University of Hawai’i, for example, just implemented a five-year ban on genetic modification of kalo (taro), in part, because for Hawaiians, kalo is not just a plant but part of their culture. I also note that genetic modification does not necessarily deliver all the promises claimed by the proponents (e.g., the so-called “golden rice,” genetically engineered to have Vitamin A in it, doesn’t have enough in it to do much good. More specifically, according to one book I read, you’d have to eat 12 pounds of the rice a day to get the minimum daily requirement and who eats 12 pounds of rice a day?)
I’ve had the same discussions over products that claim “native protection” against classes of attacks (like SQL injection – which I believe is doable) and that do “virtual patching” (which I don’t believe all the claims for). For those who are not up on “virtual patching,” it is the idea that you can replicate in a gatekeeper/cyber-Doberman function the exact equivalent of what a patch does. You can’t. You can (in some cases) have a good workaround, or you can prevent a specific exploit or exploits, which may buy customers needed time to patch. That is very useful, I agree. Unfortunately, “virtual patch” as a term is indiscriminate: “preventing known exploits” is more accurate but doesn’t reel in the gullible, so we have “virtual patching” as an industry term and not “can’t replace patching but gives you some protection, maybe, so might be worth a shot.” To my point, shilling “virtual patching” as a replacement for patching is as irresponsible and potentially harmful to customers as parents skipping inoculations for DPT is to their children: someone, some time is going to get hit by something horrible.
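To make the gatekeeper-versus-patch distinction concrete, here is an added toy example (mine, not code from the original post): a "virtual patch" in front of an unchanged vulnerable order handler, which stops only the one exploit in its signature list, beside a real patch that fixes the defect itself. The order handler, the quantity field, the unit price and the signature are all invented for illustration.

```python
# Constructed illustration (not code from the original post): a gatekeeper
# "virtual patch" that blocks a known exploit versus a real patch that fixes
# the defect. The toy order handler and its unit price are invented.
import re

UNIT_PRICE = 10


class Blocked(Exception):
    """Raised when a request is stopped by a defensive check."""


def place_order_vulnerable(qty_field: str) -> int:
    """Charge for an order. Defect: the quantity is never range-checked,
    so a negative quantity yields a negative charge (an invented refund)."""
    qty = int(qty_field)
    return qty * UNIT_PRICE


# The "virtual patch": a gatekeeper in front of the unchanged vulnerable code.
# It can only stop the payloads its signature list describes.
KNOWN_EXPLOIT_SIGNATURES = [re.compile(r"^-1$")]  # the one exploit seen so far


def gatekeeper_allows(qty_field: str) -> bool:
    field = qty_field.strip()
    return not any(sig.match(field) for sig in KNOWN_EXPLOIT_SIGNATURES)


def place_order_virtually_patched(qty_field: str) -> int:
    if not gatekeeper_allows(qty_field):
        raise Blocked("matched known-exploit signature")
    return place_order_vulnerable(qty_field)  # the defect is still present


# The real patch: fix the defect where it lives, so every variant is covered.
def place_order_patched(qty_field: str) -> int:
    qty = int(qty_field)
    if not 1 <= qty <= 1000:
        raise Blocked("quantity out of range")
    return qty * UNIT_PRICE


HANDLERS = {
    "vulnerable": place_order_vulnerable,
    "virtual_patch": place_order_virtually_patched,
    "real_patch": place_order_patched,
}


def compare(qty_field: str) -> dict:
    """Run one input through all three handlers; 'blocked' marks a refusal."""
    outcome = {}
    for name, handler in HANDLERS.items():
        try:
            outcome[name] = handler(qty_field)
        except Blocked:
            outcome[name] = "blocked"
    return outcome


if __name__ == "__main__":
    for sample in ("3", "-1", "-2"):
        print(sample, compare(sample))
```

The signature stops the exact payload it was written for, while a trivially different quantity walks straight through to the still-vulnerable code; only the real patch refuses every out-of-range value.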
As I look at my backyard, I wonder what bright technoid will look at a white-throated swift and think, “I can build that. I can build a cyber patrolling predator so swift (no pun intended) and agile that it can dive bomb pests before they reach my cyberbackyard.” Instead of staying on the telephone wire and hoping a pest drives by (like static defenses people deploy now), the cyber swifts could circulate freely on perpetual pest patrol. I think about early warning systems as sophisticated, yet recognizable as my sister’s Schnauzer or the neighborhood pine squirrels. One frenzied bark or one “chit-chit-chit” and I have a pretty good idea what is out there and how worried I should be about it. I wish most of the cyber defenses we had now were as good, as recognizable, as accurate and descriptive. Of course, foxes, coyotes and cats aren’t constantly changing their guise to be unrecognizable to Neighborhood Crime Stopper Pine Squirrels, either.
There are other disciplines that have applicability to the world of IT security, if we choose to explore them. For example, when I was in graduate business school, one of the financial market theories I learned pertained to whether companies should diversify given that investors can do it themselves. For example, conglomerates (companies that have a lot of diverse, not-necessarily-complementary lines of business), the theory goes, are not necessarily valued correctly by the marketplace. And in fact, since investors can diversify their own investments (by buying, say, automobile stock and pharmaceutical company stock separately, if that’s what they want to own), there is no reason – per se – for conglomerates to have multiple lines of disparate businesses. The big idea then (and now to a certain extent) is to focus on core competencies (we see this today in discussions about outsourcing or software as a service: if IT is not a core competency, why do it yourself?)
A number of these business trends/theories, for better or worse and sometimes both, are extended to the global marketplace. For example, the idea that if they can produce sugar more cheaply in Foobaria, then the Snafu Republic should not subsidize their domestic sugar farmers but should happily import sugar from Foobaria. Over time, the Snafu Republic’s farmers will find something else to grow that they can grow better, cheaper or faster than Foobaria (or another country). (Note: You may be less enthused about this idea if you are a sugar farmer* in Foobaria than a policy wonk in Foobaria, because no policy wonk’s job has ever moved overseas that I know of.)
Another argument, more along the lines of industrial policy, is that the people of the Snafu Republic – instead of being subsistence farmers, barely eking out enough food to feed their families – should go work in factories or someplace that will give them a higher wage so they can buy food (and more besides). In a happy dappy world, everyone (or every country) will focus on his or its core competencies and outsource everything else. Globalization facilitates everyone doing what he does best and the rising tide lifts all economies.
I am not here to argue for or against globalization as a general policy or construct (it’s a lot more complicated than one can describe in a blog entry and I think it is dangerous to reduce complex ideas to sound bites). But I do note that there are a number of interesting – if disturbing – discussions taking place recently about the limits of globalization as a result of spiraling food prices. Food prices, of course, are spiraling for a number of reasons: increased transportation costs, the “crowding out” effect of biofuels, higher demand for high quality food as a result of growing economies, crop failures in some key areas, and so on.
Some countries have acted to ban exports of key staples (rice, for example), wanting to ensure that they can feed their own people. As a result, have-not countries are potentially rethinking that policy that said “get the subsistence farmers into higher wage jobs,” because at least a subsistence farmer might have been able to feed his own family. If you can no longer import food because exporters hoard it, you can’t always eat what the factory is producing unless they are refining sugar. You can eat potato chips but not microchips.
In short, we’ve recently had a lesson that the theory of “everyone (read “every country”) does what it does best, and we all trade for whatever else we want” does not necessarily work when you have a shock to the system, like the transportation costs going through the roof, a result of which is that sugar schlepped from Foobaria is now really, really expensive to Snafuians. It also assumes that no country is ever going to use exports as a competitive weapon. Not only is that assumption a bigger stretch than most economists typically posit (“investors are rational” – they aren’t – otherwise how do we explain how breakfast cereal portal companies got funded in the DotCom days?), but we know from history it is not true. It’s never been true, in fact.
The second mistake a lot of policy wonks make is assuming peace, love and happiness in perpetuity. That’s not true, either. Natural resources such as food, water, minerals, spices (yes, spices – salt and cloves being two that immediately come to mind – the British empire enforced a monopoly on salt within their empire, and the Portuguese dominated the spice trade for years) are often used as competitive weapons and the fight over them causes wars. Japan (prior to World War II) felt that they could never be a great empire without controlling their own supply of key resources and a proximate trigger of the Pacific War was the US cutting off the supply of scrap metal to Japan. Japan did not go on a territory-acquiring binge just to have more places for rice paddies, but to acquire natural resources that went with the territory. (And ultimately they lost the war because the US destroyed so much of their merchant shipping that they could no longer ship oil to where they needed it – their ships and planes.)
What’s the security issue? The security issue is that people need to think about their supply chain when formulating national security policies. Where are food, water, energy, spare parts, computer software and hardware coming from? Are any of those critical to national security, to the point where we need multiple suppliers or a “home grown” supplier because it is in one’s national security interests to do so? (For example, the Defense Science Board looked at this issue in relation to having a Trusted Foundry Program – domestic suppliers of integrated circuits for critical defense applications.) Do we actually trust non-domestic suppliers? (News flash: yes, other nation states would, too, act to put malware or backdoors in software. A shock, I know, but some countries do act to advance their national interests at the expense of – gasp, horror – other nations. Been going on as long as recorded history.)
We should assume that this is happening and deal with it instead of worrying about Hurting Other Country’s Feelings by calling them on it (the international relations equivalent of telling a country We Are On To You, Knock That &^^%$ Off Right This Minute). I recently participated in a meeting where the debate was whether the group should issue guidance on how to protect your electronics (e.g., cell phone, laptop) when you travel overseas from being co-opted by Bad Guys (bad guys here could be bad guys working for the foreign government). The guidance was all good guidance and not aimed at any country in particular, but the discussion devolved to topics as diverse as “shouldn’t the State Department be the one issuing this guidance?” and “what are the political issues around upsetting some country or another if this guidance goes out?”
(It almost boggles the mind. We know this is happening, so why are people worried about making any country already engaged in industrial espionage, breaking into critical infrastructure and so on Feel Bad About It? It’s like wondering if the grizzly bear had a bad childhood as he is gnawing on your leg. Do I really care if you were an unwanted cub? Stop chewing on my leg!)
In short, the theory of competitive advantage as applied to nation-states sounds great on paper, and may even work great to a point, but it does not take national security needs into account. A nation that is dependent upon others for key materials – like spare parts for their aircraft or microchips or food – can easily be at the mercy of others unless they have an alternate supply (and in fact, a secure supply).
I am not advocating buying everything from inside one country or (getting back to a corporate example) avoiding outsourcing at all costs. Rather, the issue is that while you can outsource services and offshore production/services/sourcing, you can't outsource risk. Even financial markets tell us that you can diversify some kinds of risks, but not market risk – the risk that the entire market will tank. For example, I “outsource” medical care in that I go to see a doctor regularly since I am not an MD. However, I have a responsibility to take care of myself (e.g., to avoid high risk behaviors that are potentially damaging to my health like excessive drinking, using illegal drugs or abusing legal ones). I can’t outsource that risk and I can’t pass along 100% of my health responsibility to a doctor.
Accordingly, whether you are a company looking at service or product providers, or a nation-state contemplating industrial policy, you need to consider risk with steely-eyed objectivity and act appropriately. You could even say that, while there is no one easy set of answers, a non-exhaustive list of potential solutions includes: thinking about country of origin in light of political, social and economic factors, as well as the state of law and law enforcement in the country, using proven suppliers; keeping better handles on your supply chain; keeping attuned to political and governmental actions in countries where you operate; and so on. Hoping geopolitical or business conditions never change, and that everyone you deal with in business has the ethics of the Boy Scouts is not risk management or even optimism, it’s fantasy.
I have had many occasions recently to recount – as a cautionary tale – the story of Wake Island’s defenders in December 1941, one of many fine moments in the history of the US Marine Corps. The Marines managed to sink a Japanese ship from a shore battery (yes, really) but ultimately, the Japanese prevailed. Among other ironies, where did the metal come from for the armaments the Japanese used to shell the shore installations on Wake Island? Scrap metal the US had sold to Japan. If we need reminding, the lesson is that you should never, ever, ever arm your enemies.
* Yes, I realize you don’t actually grow sugar but something sugar is refined from, like sugar beets, sugar cane, even corn (high fructose corn syrup).
For more information:
Book(s) of the Week:
The Omnivore’s Dilemma is one of the most thoughtful and thought-provoking books about food, where it comes from and the implications of how your food is grown. It will change the way you look at what’s on your plate. It’s well researched and yet deeply personal. The second, The Botany of Desire, is a really fascinating look at four plants and their impact on the world. The ethical implications of “licensing plants” alone are worth the read (yes, the potato is one of the four plants).
You can find both of them and other works by Michael Pollan at:
A great book on the defense of Wake Island is Given Up For Dead:
A book on salt that includes a discussion of the British empire’s inter-empire monopoly on salt: Salt: A World History by Mark Kurlansky:
More on the Salt Tax:
A book about the history of the spice trade (who would think nations could be so combative over cloves?) is The Scents of Eden: A History of the Spice Trade:
A web site on Idaho birds:
And a picture of the white-throated swift:
About the Trusted Foundry Program:
The original paper on software monoculture that created such a stir
A really (really, really) good book on issues around genetic modification of food (it mentions the hubbub over kalo (taro)) is Uncertain Peril: Genetic Engineering and the Future of Seeds by Claire Hope Cummings:
More on the genetic modification of kalo (taro):
Absolutely nothing to do with any of the above topics, but a great video of one of my favorite Hawaiian groups (‘Ike Pono) doing one of my favorite songs (Ua Noho Au A Kupa). It is just really happy music:
If that doesn’t make you want to hula, there is no hope for you.
OK, and Bobby Moderow, Jr. of Moanalua doing "Koke’e" (which I just love):