Schneier on Security

Nile • June 11, 2016 8:36 AM

In layman’s terms, the cyber risk they’re modelling is the internal, ‘local’ risk within a system operating under dangerous external instabilities: to offer an analogy, it’s just another kind of ‘bang’ or cough or unwise footstep that can trigger avalanches.

I’m going to unpack that, using avalanches by analogy, because their conclusion’s quite a mouthful:

After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.

If I can make that comprehensible, I’d better start at the microeconomic scale: local risk, and precautionary rather than prudential regulation.

So lets set off into the mountains, where we see a ‘Danger! Avalanches!’ sign, and ponder the role of the authorities…

It is wise to heed the warnings, and it’s posting them is an essential service: there is a role for regulation in preventing certain kinds of ‘bang’ where there is heavy snowfall.

This is, however, ‘micro’ scale, in terms of economics and analogies.

The ‘macroprudential’ approach is all about the fact that there is too much snow.

That, in itself, can be managed: economic policy is all about analogies and governments have more control than you might think, over the ‘geography’ and ‘weather’ – ‘climate’, even – leading up to economic avalanches.

That’s macroeconomic policy.

Prudential regulation is about ensuring that we don’t build our essential infrastructure under likely avalanches; and that anything significant we build, up in the mountains, should be individually resilient.

This prudence ventures into ‘macro’ when we regulate against excessive interdependence – it’s not enough to build for individual resilience, we have to regulate against a tendency to an excessive interdependence that brings down the other buildings when there is an ‘isolated’ (or a not-so-isolated) failure.

And, above that, we must consider macroeconomic policy: we don’t have ‘Weather Gods’ but we do have some command over the climate, if we choose to wield it.

So here, at last, I have a point to this extended ramble: ‘cyber’ isn’t just a source of ‘bangs’ and triggers for an economic avalanche. It’s fragile technology, shovelling millions of tons of ‘snow’ onto existing pikes of risk through the sheer volume of transactions.

It is also, if you wish to delve into analogy, the widespread use of fragile technology making snowbanks frictionless and faster when they start to move, and chaining all the houses in the valley onto one another, so that their individual resilience is meaningless if one or two of them are overwhelmed.

I will confine myself to the analogy that our technology is more than just triggers and bangs and buildings: it’s millions of idiots with mechanical shovels, piling snow onto the sloping surfaces of our financial markets.

It is external and it’s macro scale, not just an internal ‘local’ risk within an institution.

This is where the ‘cyber’ part moves over from the local regulation – no loud bangs, don’t construct a dam there, check the building codes before you build a house up in the mountains – into macroeconomics: there is much more snow and it moves faster and it’s on such a scale that we must model it as ‘climate’ rather than the weather of the day.

…And the code and infrastructure are ridiculously fragile.

Note, also, that I don’t pick out ‘security’, in the narrow definition of our mitigating a maliciously act: I refer to the general fragility of our source code and our electronic infrastructure. I saw some of that, up close and personal when we recoded all the dates in banking systems in the nineties, and I can assure you that the comms and network code we’re using now is even flakier.

Snow, and flaky, and the risk of avalanches work all too well as the analogy of choice here: and just as some technologists can only think of better snowshoes and a chalet built on stilts when they consider risk and mountaineering, so too do some economists and authors of reports on ‘cyber risk’.