Is 85% of US Critical Infrastructure in Private Hands?

Most US critical infrastructure is run by private corporations. This has major security implications, because it’s putting a random power company in — say — Ohio — up against the Russian cybercommand, which isn’t a fair fight.

When this problem is discussed, people regularly quote the statistic that 85% of US critical infrastructure is in private hands. It’s a handy number, and matches our intuition. Still, I have never been able to find a factual basis, or anyone who knows where the number comes from. Paul Rosenzweig investigates, and reaches the same conclusion.

So we don’t know the percentage, but I think we can safely say that it’s a lot.

Posted on May 17, 2021 at 6:00 AM
64 Comments

Comments

michael tat May 17, 2021 7:38 AM

This estimation is incorrect – and in a different sense from yours.
What is formally classified as ‘private hands’ is not ‘private’ if a bit deeper research is conducted – such as a Swiss doctoral thesis by Glattfelder (2013).

The author looked into the ownership of 43000 non-small corporations from 116 countries, and found out that the graph structure reduced to slightly over 1000 banking and financial corporations in a position of control of 60% of all corporations in the set, and that an even smaller number (100+) of major bankster financial corps controlled about 40% of the corporations. At the same time this core belonged to other core members, and was not controlled from outside by any strangers.

THIS IS WHAT WORLD POWER STRUCTURE IS, objectively measured through the corporate network ownership structure – and this bankster domination easily explains why mega-corporations act in concert (rather than arbitrarily warring) when strategic initiatives are launched by the ‘Deep State’.

One example from the IT world was the ‘total information awareness’, then flourishing as cloud storage, cloud computing, newer OS versions which no longer belong to individual purchasers, but having a controlling mind of their own located somewhere outside on the corporate Net etc, etc, etc

CRITICAL US STRUCTURE may belong to ‘private’ corporations – but it has never been truly private, as corporate control networks ensure their military-style compliance even if there is no federal law compelling them to do so, they will act ‘voluntarily’ as ordered.

And then A QUESTION ARISES: why do mass media and political activists try to conceal this reality and push alarmist points of view to the exclusion of reality-based evaluations?

Z.Lozinski May 17, 2021 7:47 AM

I think we need to start by defining Critical Infrastructure. You can’t measure what you cannot define. There are probably valid arguments about what to include, but here goes:

  • Airports and safety critical equipment (de-icing, fire and rescue, ground control radar)
  • Air Traffic Control Infrastructure (secondary radar, ATC centers)
  • Cloud infrastructure: Cloud data centers for enterprise services (AWS, Azure) and consumer services (Facebook)
  • Communications Infrastructure – Mobile Networks (2G to 5G)
  • Communications Infrastructure – Fixed networks (PSTN, ADSL etc)
  • Financial services: retail payment networks (Mastercard, Visa)
  • Food storage and distribution: warehousing, cool-chain
  • Fuel: Refining, transport and distribution pipeline(s), ports/terminals, local gas stations
  • Internet infrastructure: backbone, exchange and peering-points, submarine cable
  • Navigation: Global Navigation Satellite System (eg GPS, Galileo, GLONASS)
  • Pharmaceutical: distribution and storage for the WHO essential medicines list (about 1000 items)
  • Ports: container ports and cranes, bulk ports, fuel/LNG terminals
  • Power: electricity generation, electricity distribution, electricity network control (signalling)
  • Power: gas production and distribution
  • Rail: rail signalling, permanent way, marshalling yards, passenger stations, level crossings
  • Road: Long distance road network (US Interstate, German Autobahn), road signalling, bridges
  • Time: distribution of accurate time signal(s)
  • Water infrastructure: reservoirs, distribution pipes, sewage and drainage, water treatment plants, standpipes

Put the list like that and 85% in private hands looks like an underestimate … off the top of my head in the US ATC, GPS and time are the only ones in the public ownership.

Interesting question: do we need global agreement on the integrity of these systems? Note the number of places above saying “signalling”.

Peter Galbavy May 17, 2021 8:11 AM

Ha! Losers! In the UK it’s closer to 100%. All the utilities are in private hands, mostly foreign – many foreign government owned (EDF etc.) including nuclear plants. Communications, all private. Almost all public transport is private, only the roads seem to be in public hands, but all the management and maintenance seems to be outsourced anyway. All waste collection, recycling and disposal.

About the only thing that isn’t is the military. No, wait, yes it is – at least large chunks of it are.

Weather May 17, 2021 8:33 AM

1) don’t attack medics, same as war time.
2) power electrical is off limits.
3) can attack offenses institutions, like UAVs
4) Transport based on diesel is out.
5) Facebook open game
6) manufacturing is ? Can add to escalation.
7) food supply, all of it is off limits.
8) 2nd stage espionage, is gather Intel, OK but needs monitoring by home country.

Sandman May 17, 2021 9:28 AM

I don’t think public hands would be any safer against Russian hackers. There are lots of public school districts which have fallen victim to ordinary malware extortionists.

I think two things could help here. One is decentralization. Whether infrastructure is held publicly by many local jurisdictions or privately by many companies, the U.S. is better off if hacking one location doesn’t take down the entire country. The second thing is international norms. If Russia cares enough, it will get through any cyber defense any infrastructure manager creates. The diplomatic fallout has to be high enough to not be worth whatever benefit they get.

Bruce has already written about how bad the U.S. has been on punishing state hacking, presumably because the U.S. wants to keep hacking as well. I don’t think this stance is good for the domestic security of the U.S. It certainly harms other countries which find themselves in an inconvenient relationship with some superpower or another.

Cris Perdue May 17, 2021 9:45 AM

It doesn’t bother me that so much critical infrastructure is in private hands.
Does it really bother you? I think it’s inevitable that much critical infrastructure is going to be in private hands, and it doesn’t matter deeply whether it is 10 percent or 85 percent. Anyway, the government doesn’t take much better care of the critical infrastructure that is in its own hands unless it is directly military or perhaps diplomatic.

Isn’t it really standards and requirements that we need, backed up by properly resourced oversight? Back when I worked at Sun Microsystems, the NSA took an interest in any uses we made of encryption, and I had a nice conversation with someone from the NSA about a very minor bit of cryptography that was in a product I had responsibility for.

“Hello, I’m from the NSA, and we need some information about your handling of certain infrastructure. Yes, that’s right, it’s all part of national security.”

koby May 17, 2021 9:47 AM

“Most US critical infrastructure is run by private corporations. This has major security implications”

… that’s a subjective generalization with heavy political ideological bias.

It begs the question: how much ‘critical infrastructure’ should be in private versus government control ?

The U.S. is nominally a free society with a free economy based fundamentally upon private property.
Thus, it’s very logical to expect that 95%+ of any infrastructure should be firmly in private hands.

Also, the critical, unstated, and highly subjective assumption here is that the government is much much better at protecting critical infrastructure than private corporations and citizens.
Yet, the Federal government itself has been unable to protect its own systems — there have been huge penetrations/hacks of critical Federal systems recently.

And note that when the government wants something done technically it usually hires private corporations/businesses to do it, or at least sell it the necessary items.

Z.Lozinski May 17, 2021 10:05 AM

We learned some interesting lessons about critical infrastructure over the last 50 years. What is less clear is how widely (or well) these have been understood.

  • Fuel supplies for power stations to generate electricity. We learned that in the UK during the industrial disputes of the “three-day week” in the 1970s. And had to re-learn it 27 years later, in 2000, during the fuel-tanker drivers strikes.
  • Fuel supply pipelines. We have known these are critical since the 2005 fire at the Buncefield oil storage facility, which affected the fuel supply to Heathrow airport. 16 years later Colonial was hit by a cyberattack.
  • During the early months of Covid-19, during lockdown, supermarkets in the UK ran out of flour for baking and never resupplied. There was never a shortage of flour: bread never ran short. It was the supply of small paper bags for retail distribution that failed as the supplier shut down …
  • We are seeing occasional, so-far small-scale, disruption of the GPS signal. The hope is that it is low-level criminal activity (disrupting tachographs to record driving hours). As a state-level attack it would be very disruptive.
  • Data about the supply chain: NotPetya demonstrated that without accurate meta-data, your entire supply chain for imports is broken. You cannot open all 18000 containers on a triple-E container ship when it docks to check them.

With the proposed UK Telecom Security Bill, the Code of Practice is a reasonable attempt to articulate good practice for telecom network security. Other industries, we don’t have anything.

Peter May 17, 2021 10:05 AM

@Sandman

I think that Bruce’s point is that being government controlled gives the entity options (and responsibilities) that may not be available to a corporation.

For example -> the recent pipeline hack. If the pipeline had been government controlled, they wouldn’t have shut down the pipeline, and might not have paid the ransom. A company is obligated to act in a way that maximizes their own profits, so they had to shut everything down the moment billing stopped working. A government entity could weigh the lost revenue against damage done elsewhere (fuel shortages, refinery shutdowns, etc.)

Also, I don’t think it is fair to compare a school district against a piece of critical infrastructure. No one in the federal government cares if a school district has issues, but they absolutely care about national infrastructure, and could make plenty of resources available to help them.

Chuck Pergiel May 17, 2021 10:24 AM

It doesn’t matter who owns the companies, what we need is a more secure internet protocol. The Colonial Pipeline hack should wake up some of the bean-counters to the fact that they should be looking at improving their security.

j.a.duke May 17, 2021 10:46 AM

To elaborate on @Sandman, putting any local or state (and probably federal) government agency or department up against most hackers isn’t a fair fight: the hackers would win more often than not. I don’t have hard and fast statistics to back this up, but just reading through news articles over the last few years (yes, I know that if someplace isn’t hacked, it isn’t newsworthy), there don’t seem to be effective safeguards in government, in addition to private companies.

Cheers,
Jon

Clive Robinson May 17, 2021 10:46 AM

@ koby,

that’s a subjective generalization with heavy political ideological bias.

Just wrong.

It has nothing to do with politics but the very real issues of “free market behaviour”.

The “Free market” through the idiocy of investors and company officers almost always enters a downward spiral of stupidity.

Where this has not happened can almost always be easily shown to be the quality and type of regulation.

Interestingly when “regulation” gets “captured” or “weakened” by investors and or company officers through the likes of legislative “de-regulation” or a switch to “self regulation” it’s not very long before the downward spiral sets in and people start getting hurt, maimed and killed or worse.

Contrary to the mantras MBAs in the US get taught by rote, regulation almost always is beneficial to the market as it provides increased resilience thus stability and can easily ride out short term issues.

I would have thought that the “Supply Line Issues” during COVID that have killed so many jobs etc would have been a wake up call, to get beyond the stupid party political posturing and name calling, but apparently not.

Makes me wonder if the US citizens are going to wake up to the fact that the “US way of life” is so badly harming them, before it eventually and seemingly inevitably kills them at an earlier age than the First World average. Go look and you will find not just Second World nations, but some Third World nations with better life expectancy than quite a large part of the US… And don’t think I’m picking on the US, have a look at the UK figures… Life expectancy in West London suburbs is around 81 years, go twenty miles over to East London and it’s down to 52 years…

Something for people to think about.

Z.Lozinski May 17, 2021 10:48 AM

@Peter,

Governments have the option to add additional regulations for critical infrastructure, even when it is in private ownership.

In the USA telcos already have to provide 911 service, plus lawful intercept (wiretap on presentation of a warrant). In the UK this is being extended so that telecom operators will be required to implement best practices for security, e.g. security of access to sensitive (administrative) functions will require MFA. Real-time control plane information will not be allowed to leave the UK.

What is required is political willingness to require private firms to implement additional security around critical infrastructure. If you suggested this today in Ireland, which has seen its health service and hospitals attacked by ransomware over the weekend, you would get the required political support.

lMg May 17, 2021 11:44 AM

@Z.Lozinski

nope, US governments ain’t constitutionally free to just seize or control (“regulate”) private property as they please, though they frequently do so illegally. that democracy rule of law stuff is so annoying to political rulers.

JonKnowsNothing May 17, 2021 12:03 PM

@All

“regulation” is most commonly presented as a “detrimental requirement” for business to provide or perform. A form of punishment for the over exuberant application of capitalist ideas. A method to restrict or impede the full impact of capitalist economics.

“regulation” is also a perfect barrier to competition. Having baseline requirements that can only be met by a particular level of corporate funding, provides a safety backstop against other companies that might provide the same services.

On one side, it is protection for consumers against corporate harm, on the other side it prevents open competition between businesses.

Similar aspects follow down to local levels where permits, building codes, zoning and ordinances are promoted as Public Good but in reality are either competition restriction or a form of local funding from fees that transfer directly to those authorities.

A good question to ask is this:

  • If the requirement is to improve economic value and to open competition, can you provide that service as defined tomorrow without massive infusion of capital?

If the answer is NO, then that item is not as it is represented.

Big fish, little fish, minnows and whales. NIMBY/NAMBI

===

NIMBY, an acronym for the phrase “not in my back yard”
NAMBI, an acronym for the phrase “not against my business or industry”

A Local Ordinance/Zoning tl;dr

  • the difference between 2 buildings is defined by whether it has a “kitchen or ability to heat food” (oven, microwave, stove, cook top, electric skillet, rice cooker, toaster).

The ordinance specifies “kitchen”; it does not specify if hay-boxes or high tech versions of hay boxes also constitute a kitchen. The ability to boil water via an electric tea kettle may or may not qualify the building as having a kitchen.

You pay your application fee and see what pops out the other end.

Z.Lozinski May 17, 2021 12:27 PM

@IMg,

“nope, US governments ain’t constitutionally free to just seize or control (“regulate”) private property”

I disagree, and so does the US Government, plus the Australian, Canadian, French, German, UK governments and European Commission.

May I draw your attention to 47 USC 1001-1010, the Communications Assistance for Law Enforcement Act (CALEA) from 1994, which does exactly this in regard of telecommunications networks. There was a lot of industry opposition at the time, mostly to do with the cost of implementation. In the end everyone agreed and the law was passed. Courts have not overturned it.

See also the Modification of Final Judgement (1982).

The short version is governments can regulate, when regulation is important enough to the public interest.

Denton Scratch May 17, 2021 1:17 PM

“Critical infrastructure”

Critical to who? I mean, if we’re saying “unqualified critical”, then it MUST not fail, right? I’d say the same if it was “critical” for a large part of the population.

Private corporations have their own motivations and logic, which doesn’t include prioritising continuity and reliability in their systems, even if they acknowledge that those systems are critical.

In the UK in the 80s, we privatised a whole bunch of government services that were natural monopolies (and IMO critical): gas and electricity supply springs to mind. Artificial markets were set up, to create the appearance of competition. The result is the opposite of transparency: there are scores of providers, all with different tariffs that make price-comparison hard. There are numerous websites here that try to pierce the fog (for a commission). There is a regulatory department, within government, to regulate this artificial market. Market participants are regularly fined.

bigmacbear May 17, 2021 1:19 PM

Of course, 87.9% of all statistics on the Internet are made up on the spot, including this one.

SocraticGadfly May 17, 2021 2:20 PM

Various thoughts:

@michaeltat: It’s still private hands. Given the US, who’s to say that it might not be the reverse of what you claim, and that Amazon is instead hiving off CIA data on its cloud for private Amazon use? I introduce you to Greenwald giving all of Snowden’s snooping to Omidyar.
(Side note: Bruce, why didn’t Snowden contact you or Bamford instead of Greenwald anyway?)
(Side note: Bruce, why didn’t Snowden contact you or Banford instead of Glennwald anyway?)

@Koby @Sandman : At least some of the federal security state breaches were of private systems, IIRC, like the big NSA leak. And, Snowden himself was a private contractor. Otherwise, what Clive said.

@Weather Such rules have always been “observed in the breach” in many cases.

JonKnowsNothing May 17, 2021 4:20 PM

@All

MSM report on the difficulty in determining who/what/where owns the lands in Australia. It details some of the issues in play with determining (who/what/where) (is/are) “critical infrastructure” in the USA.

One might think that land/deeds/title are more defined than the concept of “critical infrastructure”, but it varies and even when considered to be legally determined, is subject to historical revisions.

The English Longbow was once considered “critical”; firearms and cannons removed that designation.

===

ht tps://www.theguardian.com/australia-news/ng-interactive/2021/may/17/who-owns-australia

ht tps://en.wikipedia.org/wiki/Longbow

  • In the Middle Ages the English were famous for their very powerful longbows, used en masse to great effect against the French in the Hundred Years’ War, with notable success at the battles of Crécy (1346), Poitiers (1356), and Agincourt (1415). During the reign of Edward III of England, laws were passed allowing fletchers and bowyers to be impressed into the army and enjoining them to practise archery. The dominance of the longbow on the battlefield continued until the French began to use cannon to break the formations of English archers at the Battle of Formigny (1450) and the Battle of Castillon (1453).

(url fractured to prevent autorun)

Winter May 17, 2021 4:47 PM

Transportation and communication infrastructure has always been critical and has always been controlled by the “government”, be it roads in the Roman empires, or canals in the Chinese empire, or the postal, telegraph, and telephone services and railroads in European empires.

But this has always meant that the state had to contribute funds, one way or another, to these infrastructures. How they did it varies, but all these examples were built out and maintained by tax money, state monopolies, or other collective funding.

Ideological resistance and a failing tax base seem to make the difference in the USA. Where other rich countries, and people, make sure important infrastructure like, say, levees and bridges, are kept in working order, Americans cannot be bothered and a city can be washed away, and bridges collapse, because no one wants to pay taxes.

It seems Americans even believe potholes are a fact of life instead of a sign of failure.

Chris May 17, 2021 4:52 PM

Is private ownership of critical infrastructure a problem or is the issue really just that the “85%” factoid is accepted as truth with no evidence? The 10% of my brain that I consciously use tells me that bad data lead to bad public policy. This figure can be abused to justify passing laws allowing private actors to “hack back” at attackers.

lurker May 17, 2021 6:58 PM

@Bruce

… because it’s putting a random power company in — say — Ohio — up against the Russian cybercommand, …

Is it Russian hackers this week? A CRINK in every cornflakes packet? Choose your adversary carefully, although when one has a knife between one’s ribs it is difficult to give much thought to the guy across the street with a gun.

Mr. Rosenzweig approaches the corollary of this thread’s headline by claiming that all Chinese critical infrastructure is controlled by the state, without any hint of its “ownership”. In post-Maoist China state control over private companies is achieved on several levels. The first of these is Confucian morality applied by the owners themselves, as while making personal gain they should ensure their actions are for the benefit of society as a whole. This contrasts with the US ideals formed in a young pioneering nation where the rule was every man for himself.

An interesting view of the ownership and operation of infrastructure is provided in 桓寬: 鹽鐵論, Huan Kuan: Discourses on Salt and Iron[1]. It is claimed that this same mindset still rules the world’s second largest superpower[2]. Keep your eye on the Bear and the Dragon.

It shouldn’t matter who “owns” the infrastructure, so long as it is operated and maintained for the benefit of all, including the present owners and users. If the infrastructure is attacked by criminals within the nation, then LEAs should have the means to deal with that. If the attack is from foreign agents the rules of conduct between nations allow action diplomatic and/or military.

[1] https://en.wikipedia.org/wiki/Discourses_on_Salt_and_Iron

[2] Jin Guantao & Liu Qingfeng: The Transformation of Chinese Society (1840–1956): The Fate of Its Ultrastable Structure in Modern Times, Chinese University of Hong Kong Press, 1993

Clive Robinson May 17, 2021 7:14 PM

@ Winter, ALL,

But this has always meant that the state had to contribute funds, one way or another, to these infrastructures. How they did it varies, but all these examples were built out and maintained by tax money, state monopolies, or other collective funding.

Availability costs, if you put a tarp over a tree branch it will shelter you for a little while until it fails, the tree fails or the wind gets up. But give it a month or so, and you need to start anew. A tarp is what 15 bucks for 50 square feet of shelter (or less). But replaced four times a year so about $1.2/SqFt/year. And trees, well they just tend to be around, till they crash / burn down one way or another and occasionally explode when lightning does its thing.

But put in a bit more work by chopping down the tree, seasoning the wood, turning it into lumber and shingles and you can make a roof good for a few years maybe a half decade or so with dried softwoods[1]. A lot longer if they are treated or naturally preserved such as with oak lumber and cedar shingles maybe the rest of your life or even your grandchildren’s (50-100 years or longer). You also get to cover what 1000 square foot provided you maintain it. But at what cost? Well, allowing for pitch and effectively a double layer you need 2500 SqFt of shingles at about $10/SqFt that give you 50 years for 1000 SqFt so 10/50 gives $0.2/SqFt/year probably with less labour all told and many other financial benefits of better reliability and insulative properties. Tarps might be cheap as a quick fix but nobody would seriously consider them as anything other than emergency or very temporary shelter.

But corporate short term policy is “go with tarps, the first time and every time” after all it’s not them that are sheltering. And the shareholders, they want annual or more quick returns, not having to wait a decade to see good returns…

But… all of course assuming you don’t get hit by a hundred year storm or worse that turns not just the shingles into weapons grade frisbees but the lumber frame into matchwood and splinters. They do happen and what was a “Hundred year storm” a century ago, now appears to be once a decade or less these days…

One of the things the free market does is remove resilience to anything outside of “normal” operating as they drive for the mythical “110% performance”. Thus availability, except out of very very small excursions from “normal”, does not exist in the corporate world. So unless they are ordered to do so, and subjected to real oversight and significant punishment, they fail to carry out investment except at the lowest cost, or maintenance other than “to look nice”. The result as the US finds out more and more regularly, is critical infrastructure outages so often they are now considered “normal”…

But what does this really mean? Well for one thing it’s also grossly inefficient from the point of view of society, it’s also environmentally unacceptable beyond the point of disaster. Why? Because “outages are the norm” people buy their own generators, and store large quantities of fuel usually very poorly which is not just inefficient, the fuel loss and spoilage ends up causing harm to the environment and other catastrophes (spoiled fuel poured in drains might be “out of sight” for some but very definitely lethal for many others). All of which reduces life expectancy (most hydrocarbons beyond the simple ones are detrimental to organic processes, even alcohol is a poison and they appear to aid in the triggering of cancers, diabetes, liver failure, heart failure and all sorts of neurodegenerative disorders, possibly even dementia that affects increasing numbers over the age of 35). Likewise when combusted fuels produce other “tars” and complex hydrocarbons, the brown colour on pie crusts, bread, toast, cakes and the outside of roast meats etc, might taste nice, but they all contain carcinogenic compounds just as tobacco and wood smoke does.

But early death by poisoning is not the only concern, fuels are not just easily flammable, they are often volatile and in some cases can make fairly impressive explosions (look up FAE and the likes of grain silo explosions manhole covers being flung many feet etc[2]).

Thus the likes of Pacific Electricity and Gas by their corporate “free market” policy are inflicting early mortality and property loss onto their customers. Thus the customers get higher long-term medical and insurance costs that are wildly disproportional to PEG’s extremely short term savings.

However “critical” is another way of saying “too big to fail”, which means that much of the corporate profits are predicated on either the “hot potato game” or being “bailed out” by “The insurer of last resort” which is normally said to be “The Government” but is more correctly the citizens through taxation and wildly inflated costs in other areas.

If people actually do the math, the corporate policy is by far the most inefficient and least reliable way of running a supply process.

But you do not get taught that on a US MBA course, because that is not what the Chicago School economists want you to know. Because if you do, those big fat grant funds they get from corporate backed “Think Tanks” for telling corporate types “greed is good” but wrapped in pseudo-scientific / mathematical mumbo jumbo, might just stop.

So remember when it comes to “understanding and salary” back in the 1930’s Upton Sinclair’s observation is even more valid today, than it was nearly a century ago, when there was a lot less impediment to that sort of behaviour other than the public view point, backed still by tar, feathers, rails, and “rough music”… Maybe it’s time to get out the tin plates, pitch forks and barrels of tar again…

[1] With softwood if you know what you are doing you can “distill out” turpentine and other “aromatics” that if painted on dried wood act as preservatives and keep the shingles and wooden frame serviceable for several decades. However those hydrocarbons are bad not just for the bugs but just about every living thing, so it’s now illegal to use them in a lot of parts of the world.

[2] Whatever you do, do not do this, it’s not even something “trained experts” should do. But fresh flour if you dry it out when mixed in the right quantities with air, and subject to a small spark from static electricity from synthetic clothing, can make for very powerful explosions that will crush people to death in confined areas. So for that matter does very fine sugar (icing) oh and “non dairy creamers” you can look up some of the fun Myth Busters had demonstrating this, from long distances behind safety screens in the wide open…

Joe K May 17, 2021 7:41 PM

Most US critical infrastructure is run by private corporations. This has major security implications, because it’s putting a random power company in — say — Ohio

I’ll see your Anytown, Ohio, and raise you a Flint, Michigan.

Flint scene – Fahrenheit 11/9 (2018) | 5:35 | Michael Moore
https://www.youtube.com/watch?v=cvlcI2TmfdI

— up against the Russian cybercommand, which isn’t a fair fight.

Oh, my bad. Are we only playing with fake scenarios?

Parker May 18, 2021 3:58 AM

@lurker,

that “Discourses on Salt and Iron” article on Wiki is interesting. Looks like the Chinese had Reagan-style “less-governmentism” already during the Han-era before 81 B.C.E.

I think part of this American cybersecurity problem is though (for corporations) the desire to maximize profits and (for smaller towns and local governments) the need to reduce expenses. As a consequence infrastructure is often operated with outdated operating systems or minimalistic protections.

Clive Robinson May 18, 2021 5:09 AM

@ Parker, lurker,

often operated with outdated operating systems or minimalistic protections.

If you are lucky…

Many systems do not have an Operating System, nor do they have any kind of protections.

In fact many especially embedded systems are written “to be tested” thus give the equivalent of Super User / Front Panel control to whoever gets in the comms path.

Which was fine back in the early 1980’s when resources were both minimal and expensive and only used inside what was a closed thus secure environment.

But the world has moved on driven by a downward spiral of supposedly “being more efficient” or more correctly “Short term Profit maximization by reckless long term cost minimization”.

The result in a “target rich environment” with few attackers is,

1, The risk of attack is probabilistic.

2, More attackers will be attracted in by “easy success”.

3, Easy success builds dependency.

4, Successful attacks increase.

5, Belatedly security gets fractionally pushed up.

6, But dependency forces circumvention.

7, Which means attackers build attacking skills, whilst still being able to satisfy dependency.

It’s like teaching people to climb mountains…

Three points to note,

A, If you have communications outside of a secure boundary you are vulnerable.

B, Small increments in security just make attackers stronger.

C, Probability means that the fact somebody has not been attacked does not mean they have good security, thus “Best Practice” selected for “by not being attacked” is less reliable than a dice roll.

I’ll let others draw their own conclusions and thus the lessons to be learned.

But a little reality for people to think about,

As you drill down you find, all secure systems are built with insecure subassemblies and components.

Thus “It’s what you do, with what you have got” that determines success or not…

Winter May 18, 2021 6:10 AM

@Clive
“Well for one thing it’s also grossly inefficient from the point of view of society, it’s also environmentally unacceptable beyond the point of disaster. ”

In the end, “infrastructure” is a public good. Public goods are what makes society possible, living together is more efficient than living apart to the point that for humans, living apart is a slow way to die.

And there is good, theoretical and empirical evidence that public goods are best paid for by taxation.

For instance:
Financing of Public Goods Through Taxation in a General Equilibrium Economy: Theory and Experimental Evidence
hxxps://papers.ssrn.com/sol3/papers.cfm?abstract_id=1950643
(URL fractured for your protection)

We compare general equilibrium economies in which building and maintenance of a depreciating public facility is financed either by anonymous voluntary contributions or by taxing agents on their income from private production. Agents start with an endowment of private goods and money, while the government starts with an endowment of public good and money. All private goods produced are tendered for sale in exchange for money in a sell-all market mechanism. Agents’ proceeds from sale are taxed, and they individually allocate their private goods between current consumption and investment in production for the following period. The optimal levels of supply of the public good, and tax rate to sustain it over time, are defined and calculated for infinite and finite horizons. These equilibrium theoretical predictions are compared to the outcomes of laboratory economies when (1) the starting public facility is either at or below the optimal level; and (2) the tax rate is either exogenously set at the optimal level, or at the median of rates proposed by individual agents. We find that the experimental economies sustain public goods at about 70-90 percent of the infinite horizon but considerably more than the finite horizon optimum. Payoffs (efficiency) is at 90 percent of the infinite horizon equilibrium level even when the rate of taxation is determined by voting. Starting conditions play only a minor role for outcomes of the economies, as efficiency and the stock of public good adjusts to about the same level irrespective of the starting level. These results contrast with rapid decline in provision of public goods under anonymous voluntary contributions, and point to the possibility that the social institution of government enforced taxation may have evolved to address the problem of under-production of public goods through anonymous voluntary contributions.

(note that it has already been established that companies generating public goods is identical to voluntary donations for public goods)

Clive Robinson May 18, 2021 10:03 AM

@ Winter,

In the end, “infrastructure” is a public good.

Which is the most efficient and environmentally friendly way to do it.

Thus you either misunderstood me or misquoted me, as the passage of mine you quoted is where I was describing a private corporate policy under common stock shareholder influence which is almost always “short term” and thus results in a “race for the bottom”.

There are some private organisations where the shareholders are not common stock holders and their influence is the more sensible long term “re-invest and grow” policy. Whereby rather than issue profit that carries taxation, the money is used for plant, R&D and acquisition. Often such businesses do not raise capital by common stock but by mortgaging existing holdings, which has the advantage that the company owners can decide what does and does not become “common knowledge” about the company’s actual assets, earnings, and investments.

As for “held by the public” often such organisations are criticized very vocally by “vested interests”, a classic example would be Rupert “the bare faced liar” Murdoch and News International Corp against “Public Broadcasters”. Public broadcasters tend to be stable whereas NI is so desperate for cash as it sinks down hill rapidly it has to get the Australian Government to pass “naked theft” legislation to keep it even vaguely close to being afloat.

When you think about “critical infrastructure” as the customer you want,

1, Availability
2, Reliability
3, Stability
4, Longevity

And similar which a “race for the bottom” corporate can not supply.

Regulation is an attempt to give the customer what they want from critical infrastructure, whilst also giving some freedom to producers.

Unfortunately whilst regulation is known to not just work but improve markets for all, those that run corporates want to “eviscerate for profit”.

Koch Industries are an example, where the owners wanted to buy their way into full control of only two major political parties in the US. Something that should scare every customer extremely deeply, as one sign of what such evisceration does is the behaviour of Colonial Power when it shut its critical supply of fuels and feedstock etc.

Winter May 18, 2021 10:39 AM

@Clive
“Thus you either misunderstood me or misquoted me, ”

Probably mixed up parts of the text and not quite understanding what you were trying to say.

oneofthose May 18, 2021 12:38 PM

The Internet changed everything and not always for the better. Before the Internet:

  • Utility companies had to have workers on site or on-call with a short reaction time to handle emergencies. Now they use remote monitoring, which isn’t secure.
  • There was no partial outsourcing of technical work; it was completely done in one location. Now the different locations need to communicate with each other via email and other vulnerabilities.
  • Communications were done via telephone or fax. Now they’re done via VOIP and email, both of which are vulnerable.
  • For national security work, all work was done in tempest tanks, which were not vulnerable. See above.
  • Etc.

Human behavior has not changed. We had disasters due to incompetence, but they were always localized.

Pipelines and other essential utilities must be regulated by the government — by technocrats, not politicians — as we used to regulate pre-1984 AT&T. The libertarian fairy tale has proven to be an unmitigated disaster.

oneofthose May 18, 2021 3:20 PM

ABC wrote: “The alternative is Communism, with government takeover and nationalization of private assets.”

I agree with 1&1~=Umm; the above is nonsense. And the reviews for “A libertarian walks into a bear” are most amusing.

Here’s a data point. Germany, a country only slightly smaller than Montana, is the world’s third-largest exporter (ignoring the EU), after China and the US. It often does so with union representation on corporate boards (all large corporations do), something that would be unthinkable in the US. It has a healthcare system equal to the US. Yet it’s not communist, with people living a great life with plenty of world-class beer.

According to the CIA World Factbook, Germany has a slightly lower percentage of “population below poverty line” compared to the US, so Germany’s approach cannot be a failure.

The problem with libertarians is that they believe what they want to be true instead of what is actually true, not to mention being criminally selfish and ignorant of history. Ayn Rand was an evil witch.

David Leppik May 18, 2021 5:40 PM

There are plenty of examples of fragile public infrastructure and resilient private infrastructure, and vice-versa. In the US, roads and bridges are typically public, and often not well maintained. It has more to do with incentives than with specifically who owns what.

The most robust infrastructure has two qualities:

  1. There are quality-of-service guarantees, such that the maintainer is held to account when quality degrades
  2. Quality degrades often enough that the maintainer is never tempted to cut corners

Take bridges for example. When a bridge collapses, voters get angry. But bridges are designed to last 50 years, or 12-25 election cycles. Thus it makes sense for a politician to allocate funding to build a new bridge, but not to maintain an old one.

One solution is toll roads, which are financed through bonds which are paid back via usage fees. To sell the bonds, the government must have a maintenance plan which ensures that the road quality will stay high enough to keep people paying tolls. Degraded quality becomes costly long before the bridge becomes unusable.

Netflix is an example of robust infrastructure. Service outages are expensive but rare, so Netflix introduced Chaos Monkey to kill random services in production, so developers have to design their services for artificially unreliable hardware. Then they introduced Chaos Gorilla to simulate entire AWS region outages.

The analogous case for computer security would be for companies to be held to account for minor breaches and not just catastrophic ones. This is tricky, since the big ones might not get noticed for years. Perhaps insurers or other third parties should do regular, unannounced penetration tests, with companies penalized for low scores.

Winter May 19, 2021 3:47 AM

@David Leppik
“In the US, roads and bridges are typically public, and often not well maintained. ”

We were more interested in critical infrastructure like levees that protect against floods (New Orleans), power nets that collapse (Texas Freeze, various blackouts), oil pipelines that service large parts of the country (Colonial).

Most of these are not helped by toll-booths as they are either public goods (levees) or unavoidable monopolies (power nets). Internet broadband roll-out is another infrastructure failure in the USA.

I see no examples where critical infrastructure was kept robustly functioning that did not require tax-money and/or strong regulation (or strong competition). And Netscape is not critical infrastructure, the Cable and Internet broadband networks might be considered such infrastructure.

Anders May 19, 2021 4:53 PM

@SpaceLifeForm

Read this.

hxxps://gist.github.com/jesopo/45a3e9cdbe517dc55e6058eb43b00ed9

ROT13(NOP) May 19, 2021 6:48 PM

@oneofthose

My previous comment censored by a certain acronym-grabbing mainstream media channel.

ABC wrote: “The alternative is Communism, with government takeover and nationalization of private assets.”

The Cuban system, which the D’s are desperately trying to implement in P.R. and D.C. with a cranked statehood agenda.

According to the CIA World Factbook, Germany has a slightly lower percentage of “population below poverty line” compared to the US, so Germany’s approach cannot be a failure.

Nazism was a failure. The human experiment to eliminate poverty at Dachau, Auschwitz, and Buchenwald are examples of utter moral depravity and nothing else.

The problem with libertarians is that they believe what they want to be true instead of what is actually true, not to mention being criminally selfish and ignorant of history. Ayn Rand was an evil witch.

There is no God in Communism. Do not conflate atheism with liberty or libertarianism.

Communists believe everything will be okay as long as their way of life can be forced on people they don’t like against their will. This too is “vanity” — in the words of Solomon from Ecclesiastes — to compel involuntary human labor for the benefit of a brutal and thuggish dictatorship of the proletariat.

  1. And also that every man should eat and drink, and enjoy the good of all his labour, it is the gift of God.
  2. Wherefore I perceive that there is nothing better, than that a man should rejoice in his own works; for that is his portion: for who shall bring him to see what shall be after him?

Winter May 20, 2021 12:28 AM

@ROT13(NOP)
“My previous comment censored by a certain acronym-grabbing mainstream media channel.”

What you write about the D’s is demonstrably untrue (disinformation).

So this comment is a perfect illustration of @oneofthose:

The problem with libertarians is that they believe what they want to be true instead of what is actually true, not to mention being criminally selfish and ignorant of history.

The rest illustrates the second part of the quote and is the old religious and Libertarian extremism that describes the current world as if nothing changed since 80 years ago to hide the utter failures of Libertarianism in understanding and improving the world since then.

Your comment is such a ridiculous extremist argument that I suspect this is simply a new guise of the Troll-tool.

Winter May 20, 2021 1:00 AM

@SLF
“R.I.P. freenode”

See:
hxxps://www.theregister.com/2021/05/19/freenode_staff_resigns/

SpaceLifeForm May 20, 2021 5:13 PM

@ Clive, ALL

Did you ever have a SecurID token?

Are you sure you won the race?

Are you sure you can always win any race using MFA? I’m serious. Are you really sure?

I submit that you cannot unless you control the secret. There can not be any outside party.

https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

Moments later, his computer’s command line came back with a response: “File not found.” He examined the Rackspace server’s contents again. It was empty. Leetham’s heart fell through the floor: The hackers had pulled the seed database off the server seconds before he was able to delete it.

Clive Robinson May 20, 2021 5:50 PM

@ SpaceLifeForm, ALL,

I submit that you cannot unless you control the secret. There can not be any outside party.

Sometimes not even then, remember there are two ends of the link…

Look at it as a “One Time Passphrase”(OTP) system or “Transaction Authorisation Number”(TAN)[1] like any stream crypto system the strength is in the Keying Material (KeyMat). That is the KeyMat or in this case individual TANs have to be not only “only used once” they have to also “remain secret”.

However being truly random there needs to be one copy of the TAN list with the user and a copy held at the resource.

If the resource becomes compromised in some way then all the users TAN lists become vulnerable…

It’s the same problem as having “plain text password files”, which has been known at least into seven decades…

Whilst the TAN lists could be stored encrypted, unless done the right way then all you do is “shift the problem” from copying a plain text file to copying an encrypted file and then finding the encryption key on the resource.

It’s one of the things Secure Hardware Modules (SHMs) and Secure Enclaves were supposed to solve… Only they do not because we keep finding vulnerabilities with them.

One correct way to do it is to in effect store the encryption key with the user.

I won’t go into the implementation details but you can design the system such that the two TAN lists are in fact entirely different and stealing one will give you no information without the other.

[1] https://en.wikipedia.org/wiki/Transaction_authentication_number

SpaceLifeForm May 20, 2021 6:09 PM

@ Clive, ALL

You really need to read this article in full.

If you can not connect any dots, then shame on you.

https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/

In fact, the Lockheed source says the company saw the hackers entering SecurID codes in real time, confirmed that the targeted users hadn’t lost their tokens, and then, after replacing those users’ tokens, watched the hackers continue to unsuccessfully enter codes from the old tokens.

SpaceLifeForm May 20, 2021 6:34 PM

@ Clive, Anders, ALL

It’s always phishing in the Windows pond, trying to catch Goldfish.

Remember, Attribution is hard.

From 2011-09-11

https://www.computerworld.com/article/2511039/rsa-spearphish-attack-may-have-hit-u-s–defense-organizations.amp.html

The hackers who broke into EMC’s RSA Security division last March used the same attack code to try to break into several other companies, including two U.S. national security organizations, according to data provided by the VirusTotal website.

Buried in the metadata of the attack files is another clue: a sign that whoever created the attack used a Chinese language version of Excel — Windows Simplified Chinese (PRC, Singapore). The attackers could have deliberately changed the file’s settings to make it look like it came from China, but Quintero believes it “was a simple oversight” on the part of the hackers.

The RSA hackers broke in using a basic social engineering attack. They sent an email that looked like it came from an RSA partner, online recruiting firm Beyond.com, with the simple message, “I forward this file to you for review. Please open and view it.”

SpaceLifeForm May 20, 2021 7:15 PM

@ Clive, Anders, ALL

SecurID is not PKI.

Also, NIST can FOAD.

https://www.reuters.com/article/amp/idUSBRE9BJ1C220131220

As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

RSA’s contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

“The labs group had played a very intricate role at BSafe, and they were basically gone,” said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula “can only be described as a back door.”

Clive Robinson May 20, 2021 11:12 PM

@ SpaceLifeForm,

If you can not connect any dots, then shame on you.

I connected the dots a decade back, you can read my comments of the time up on this blog somewhere.

I worked out from the get go that RSA had done something extremely stupid with their seed-storage.

Back then I assumed it was for sales support staff to help customers with finger trouble out quickly and what the RSA S&M people would consider efficiently. And I would have trotted out my mantra of “Efficiency-v-Security” along with the fact that what we called air-gaps were not sufficient (hence my reason for talking about energy-gaps).

Go back and read the article again, somebody is still not telling the truth there even a decade later… See if you can spot it.

lurker May 20, 2021 11:13 PM

@SpaceLifeForm

… with the simple message, “I forward this file to you for review. Please open and view it.”

Of course I’m not the target demographic, but the message is too simple. I would open and view it with /bin/less . One of my regular chores was snipping the juicy bits into a txt file, with full email headers, to send to our security honchos…

SpaceLifeForm May 22, 2021 12:32 AM

@ Clive

Well, besides the fact that it was not really air-gapped, the biggest thing missing is any talk about the relationship between the serial-seed data and the customer-id.

Yet, it had to be there.

Must not panic the customers. Must keep stock price up.

The attacker(s) would really like to have that tie-in between customer-id and the serial-seed data. Really reduces the effort needed to fully compromise an admin that has already been targeted at a specific customer.

Get a RAT on the admin computer. Watch, and collect logins. Collect SecurID tokencodes and timestamp them.

Using the exfiltrated serial-seed data, and using the RAT collected tokencodes and timestamps, figure out which serial-seed token is assigned to the targeted admin. Having the customer-id narrows down the list of serial-seed data to process.

Using the known algorithm, and the now identified serial-seed, you can then generate the required tokencode as needed, without even having to have a physical token.

Using the admin creds obtained via the RAT, the attacker can log in at any time. There is no 2FA anymore at that point. ‘Something you have’ is no longer required.

Reminds me of an event over 20 years ago where I was working. We stopped using SecurID and just said to everyone: No more remote access.
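An added example (not code from the thread, from RSA, or from any product) showing the two points made above: a server-side copy of the seed table is the “plain text password file” Clive describes, and the seed-to-tokencode chain SpaceLifeForm describes needs nothing but that copy. The SecurID algorithm is not reproduced; an RFC 4226-style HMAC truncation stands in for it. The hash-chain server is a Lamport / S/KEY-style design, assumed here as one instance of a system where stealing the server’s list gives no future codes on its own.

```python
"""Added example: why a server-side seed copy defeats 2FA, and a hash-chain
design (assumed, Lamport / S/KEY style) where the server holds only a verifier."""
import hashlib
import hmac
import struct

# Constructed demo values; not real keying material.
DEMO_SEED = b"constructed-demo-seed-0123456789"
DEMO_TIME = 1_621_555_200  # an arbitrary epoch second
CHAIN_LEN = 50


# ---- Design A: shared seed, time-based code (RFC 4226/6238-style HMAC
# truncation; the proprietary SecurID algorithm is NOT reproduced here).
def time_step(now: int, period: int = 60) -> int:
    return now // period


def seed_based_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive the code a token would display for a given time step."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class SharedSeedServer:
    """Must keep every user's seed to verify anything: the table IS the seed list."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed

    def verify(self, user: str, code: str, now: int) -> bool:
        expected = seed_based_code(self.seeds[user], time_step(now))
        return hmac.compare_digest(expected, code)


# ---- Design B: hash chain. The token keeps the seed; the server keeps only
# the current chain tip H^n(seed), which verifies codes but cannot produce them.
def chain_value(seed: bytes, n: int) -> bytes:
    x = seed
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


class HashChainToken:
    def __init__(self, seed: bytes, n: int) -> None:
        self._seed, self._next = seed, n - 1

    def next_otp(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-enroll")
        otp = chain_value(self._seed, self._next)
        self._next -= 1
        return otp


class HashChainServer:
    def __init__(self) -> None:
        self.tips: dict[str, tuple[int, bytes]] = {}  # user -> (remaining, tip)

    def enroll(self, user: str, seed: bytes, n: int) -> None:
        self.tips[user] = (n, chain_value(seed, n))  # the seed is not kept here

    def verify(self, user: str, otp: bytes) -> bool:
        remaining, tip = self.tips[user]
        if remaining == 0 or not hmac.compare_digest(hashlib.sha256(otp).digest(), tip):
            return False
        self.tips[user] = (remaining - 1, otp)  # advance: the used otp becomes the tip
        return True


def leak_scenario(now: int = DEMO_TIME) -> dict[str, bool]:
    """Constructed scenario: a copy of each server's table walks out the door."""
    a = SharedSeedServer()
    a.enroll("alice", DEMO_SEED)
    stolen_seeds = dict(a.seeds)          # the exfiltrated seed table
    later = now + 24 * 3600               # any future time step
    future_code = seed_based_code(stolen_seeds["alice"], time_step(later))

    b = HashChainServer()
    token = HashChainToken(DEMO_SEED, CHAIN_LEN)
    b.enroll("alice", DEMO_SEED, CHAIN_LEN)
    stolen_tips = dict(b.tips)            # the exfiltrated verifier table
    _, stolen_tip = stolen_tips["alice"]
    first_otp = token.next_otp()

    return {
        # Design A: the stolen table alone passes the "something you have" check later.
        "seed_copy_passes_future_login": a.verify("alice", future_code, later),
        # Design B: the stolen tip is a hash image, not a preimage; submitting it fails.
        "tip_copy_accepted": b.verify("alice", stolen_tip),
        "legit_token_accepted": b.verify("alice", first_otp),
        "replay_of_used_otp_accepted": b.verify("alice", first_otp),
    }
```

The hash-chain server still has to protect its table against tampering (a substituted tip would enroll an attacker’s chain), so it removes the seed-copy problem, not the integrity problem.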

SpaceLifeForm May 22, 2021 1:05 AM

@ lurker

I would not describe it as ‘too simple’. How about astoundingly obvious phish bait?

A better phish message would be ‘here is the X’.

To review, you must view, and therefore open. Then again, there are a lot of stupid users out there, so if you spell it out for them, they may just bite.

As to capture with /bin/less, great idea if you have a maildir (not mailbox).

In this case, it was a dumb user with Windows. Apparently using Outlook.

Security Sam May 22, 2021 8:12 AM

Our frail critical infrastructure
Can be vulnerable to rupture
That an adversary may fracture
In order the goods to rapture.

SpaceLifeForm May 22, 2021 5:47 PM

@ lurker

In the ‘Land of Stupid User Tricks’, the dummy that opened the payload supposedly actually went into their spam folder and bit. Shiny golden hook and all.

lurker May 22, 2021 7:31 PM

@SpaceLifeForm: …the dummy that opened the payload …

Yes, I know all that. In my last dayjob one of my tasks was educating said dummies to spot the signs, sniff round the edges so to speak, before blindly clicking into perdition. I could advise the High Priests of the Firewall that a certain dummy shouldn’t be allowed out on the street, but the decision was above my payscale.

The optimist part of me is hoping for a limit to the breadth of human stupidity. The pessimist part is convinced there is no limit to the depth of that stupidity.

As others have referred to, it’s a sad state of affairs when a CIO is hired not for education and defence, but solely as a scapegoat for when things turn bad…

Clive Robinson May 23, 2021 1:40 AM

@ lurker, SpaceLifeForm,

The optimist part of me is hoping for a limit to the breadth of human stupidity.

Nature’s way of doing this is to “clean the gene pool” in an evolutionary process.

In effect “accidental death” before “breeding age”.

Back in the 1990’s whilst doing an MSc I asked those present “Is intelligence anti-Darwinian?” to which most replied “No of course not” slightly shocked that I should even think such an idea let alone voice it…

However just two of several observations to think about,

1, Science is turning more and more “stupid removing accidents” from fatal, to things to boast about whilst showing the scars to your buddies…

2, Intelligent people tend to breed later and have fewer children…

I’ll let others do the maths as to what expected effect these observations have on the distribution curve with time.

lurker May 23, 2021 1:08 PM

@Clive: “Is intelligence anti-Darwinian?”

My pessimist has long pondered the extension “Is modern medicine anti-Darwinian?” While the optimist observes that neither you nor I would be here today without it…

MarkH May 23, 2021 1:56 PM

I’m acutely allergic to eugenics, one of the most baleful conceptions of the past 120 years, and a key “enabling technology” (even though false) of the Nazi holocaust.

A favorite belief of the eugenics crowd (and they are everywhere, despite generations of debunking) is that intelligent people have a lower reproduction rate … therefore humanity is doomed to a progressive diminution of mean intelligence.

For a truly obscene depiction of this notion, I suggest some of the writings of American author Cyril M. Kornbluth.

Some of the implicit assumptions in that nutshell:

Human intelligence can be meaningfully quantified. Sure about that?

Human intelligence is strongly determined by parentage. Got proof of that?

Intelligence is a significant determinant of lower reproduction rate. Got proof of that?

I could go on, but wading through this thick stew of prejudices leaves me feeling soiled.

I suggest that a far more accurate model — and one supported by objective research and data — is that families with greater education and material resources have fewer children, with women’s educational levels as the primary determinant.

As to Darwin, the most thoughtful analysis I’ve encountered came from the late Kurt Vonnegut Jr, who imagined whales thinking, “if only we were bigger, we’d be more successful,” or giraffes thinking “if only our necks were longer, we’d be alright.”

The grotesquely outsized character distinguishing homo sapiens is the extreme development of neocortex, and the ultra-intensive exploitation of environmental resources that development made possible.

Vonnegut offered that thinking “what will save us is MORE intelligence” may be absurd as the hopes he imaginatively projected onto our mammalian cousins.

Clive Robinson May 23, 2021 7:19 PM

@ MarkH,

Darwin had issues, he did not publish for decades out of fear, of what we would describe as “religious fanatics” these days. He only published because another person published similar ideas to his own. But even then Darwin “watered down” what he wrote. In effect he “delayed scientific progress” out of fear for his own well being. If that was “Right or Wrong”, is easy to say when you are not the one in fear of what may happen to you and have legislation in existence that in part protects you from the “crazies” and worse.

Evolution effects are seen in three areas,

1, The general environment.
2, The collective species.
3, An individual with respect to the species or environment.

The third is true because of genetic diversity within any given species. We have seen this with COVID where people are affected differently by any particular SARS-CoV-2 mutation.

Whilst the argument for “nature v nurture” continues apace for intelligence, I prefer to say it is an innate characteristic not just of humans, or other primates, but entirely separate and at best very differently related species. Most would be hard pressed to name a common ancestor between octopi and humans, but few who have studied octopi this century would argue that they do not possess intelligence. They certainly exhibit its traits via behaviours and the use of tools etc. Other non primate species again exhibit not just tool use but the ability to communicate it to others in their species (corvids).

But the real question is not intelligence, tool use, or the ability to communicate it, but the process of modifying the environment they are in by the process of organised learning (education).

It is fairly clear that mankind’s progress has easily gone beyond basic manual tool use. We’ve developed various forms of “force multipliers” and “force modifiers” such as the “throwing stick” that extends the reach of the arm considerably thus couples more energy into a spear. Likewise the bow which takes slow input energy into storage, and releases it very much more quickly, thus far extending the range and accuracy of an arrow. Similar applies to the sling shot or bolas, the latter importantly allowing game to be taken alive into captivity, thus starting the domestication process that gives rise to animal husbandry.

We can see in the historical records that progression of technology in effect traveled with humans from one grouping to another. The specifics of the education progress are unknown but the progression of usage is fairly clear.

Arguably it is the education process that puts us ahead of other primates and creatures almost as much as the opposable thumb. It can only have come about as a result of evolution and in the process lifted mankind at a much greater rate than other species and importantly other members of the human race in different environments. There is very clear evidence that the environment shapes humans differently. Such as the box like cross section of thigh bones in indigenous Andean dwellers. The mutation favours mechanical lift over a more extensive angular range thus making walking up steep slopes and step cut paths easier. The native aborigines in Australia have way better eyesight and the ability to lower their body temperature during sleep thus making a considerable saving on energy.

But mankind has managed to modify its own genome in very short periods of time. If you look at the tolerance to alcohol, in Europe very few are alcohol intolerant, we have “bred it out” due to drinking either wine or beer. The fermentation process tends to kill bacteria that affect humans detrimentally, thus drinking wine and beer, and eating pickled food gave significant health benefits to those who could tolerate alcohol. Those that could not either died from disease or accidents much earlier in life. However in the Far East especially Japan, they did not need to drink alcohol thus the percentage of intolerant people was not far off half the population just after WWII. This change in the European genetics has occurred in around 4000 years.

Pinning evolution down is in fact extraordinarily difficult… for instance mankind has increased pollution significantly in the past century and a half. An argument was made that the pollution had virtually killed off a species of moth. However further investigation showed that the species had mutated in this time, such that the colouring had altered significantly to blend in with the pollution. So a very recent man made effect to the environment in what was considered evolutionary term time scales, has changed a species almost entirely in less time… Which means we have to be careful with what were once considered “extinct species”, they may have undergone a rapid evolutionary change due to environmental change rather than becoming extinct.

Thus “survival of the fittest” is in fact an extraordinarily bad description for evolution, that actually favours adaptability and non specialisation.

MarkH May 23, 2021 8:24 PM

@Clive:

“survival of the fittest” is in fact an extraordinarily bad description for evolution

It’s bad, and Darwin publicly objected to it. I used “fitness” in quotes because public science education is so poor, that most people who would recognize the name Darwin probably associate his ideas with that foolish phrase.

The MarkH thumbnail formulation:

1, heritable traits which increase the reproduction rate of individuals tend to grow more prevalent in a species population;

2, the natural spread of such traits alters the nature of typical specimens over time; and

3, a sufficient accumulation of such changes can give rise to a novel distinct species.

Paleoanthropologists now believe that people who were essentially us in biological terms shared Earth with other hominids, perhaps including some of enormous antiquity.

My eyes got opened wider when I heard a scientist discussing the coexistence in Europe of Homo sapiens and Homo neanderthalensis. The two species even interbred, though that had not yet been shown at the time.

What distinguished H. sapiens, the scientist said, was “extremely intensive resource usage.”

It seemed clear to me that he wasn’t editorializing about “modern man” or even “civilized man” — he was, after the fashion of Linnaeus, speaking scientifically about a diagnostic to distinguish H. sapiens from hominid cognates, tens of thousands of years before civilizations, or even methodical agriculture.

Extremely intensive resource usage — that’s us! It’s easy to draw a line from large brains with exceptional cognitive/behavioral plasticity, through nimble forelimbs and mouths capable of forming many varieties of sound and inherited social tendencies, to the capacity for extremely intensive resource utilization without precedent in Earth’s timeline.

Here we are, incipient sacrifices to our own success.

Clive Robinson May 24, 2021 4:48 AM

@ MarkH,

Here we are, incipient sacrifices to our own success.

Ouch!

Thus it would appear the seeds of our own destruction were the seeds of our own genesis…

But is the diagnostic true?

We know that many species of humans exist. However quite a number did not go into extreme resource usage.

There is a story you can look up about the discovery of the Kalahari Bushmen. They lived in an environment of plenty, sufficient that a scant 20 mins of foraging provided the required daily sustenance. The bushmen then spent the rest of the day making at worst a very minimal impact on the environment. Their population was small and importantly they kept it stable, so in effect they were in balance with their environment.

They were discovered by a funded group of explorers of European descent. When they returned, their discovery was so shocking to the funding organisation that they kept it secret for over fifty years.

In essence they were vitally scared that it would destroy “The Protestant Work Ethic” that was socially enforced on Europeans. If you deconstruct the work ethic and remove the religious mumbo-jumbo you end up with,

“You as members of the second and third estates, will work all day to receive the minimum you need to survive, any excess will be collected by the first estate without question or disobedience”

It is, when you think about it, a psychopath’s view of how the world should work for them. With the “first estate” now being the “entitled elite” which drives neo-con thinking. A thinking that is not only wrong but which COVID has highlighted as largely false and distinctly prejudicial, via the likes of “Guard Labour”.

Quite some years back whilst developing a thesis about religion and its effects, I traced this sort of avarice or greed backwards, and it appears to have originated out of Europe and spread like a virulent disease. Interestingly it did not appear in Africa which at the time was claimed to be the cradle of mankind[1].

Thus it raises the question that the diagnostic might well be true, but originated in a specific place and then “spread outwards” over the last few millennia…

[1] The notion of Africa as the cradle of mankind is something that is disputable logically because when you looked at the supporting arguments they suffered from the “Hanging net issue”. In short the issue is seen easily by having a net laid out flat on the floor; you randomly lift a knot and every other part of the net appears to flow out from it pleasingly to the eye as it appears to have symmetry, thus “be fit” at a subconscious level. The problem is “any knot will do”, thus the subjective fitness is entirely false. Similarly I joke about another “subconscious subjective fitness” with the surface of a sphere. I say correctly that if you stood on the surface of a sphere all other people you see are standing beneath you. Which to many people actually makes them feel good… Because what they hear is “All other people… are… beneath you”. Anyone who can think sees through it as just an amusement, but some genuinely think it is some form of adulation… Which is scary.

AlexS June 9, 2021 10:15 PM

For most countries, 100% of “critical infrastructure” is in private hands. About the only exception I can think of is North Korea, possibly Venezuela.

Every government agency has outsourced part of their operations in some way, shape, or form. They have to. The local water department isn’t capable of making their own pumps, software, routers, etc. Similarly, the local water department will hire outside consultants and contractors to bring in knowledge, maintenance, overhauls, etc. All of these will be private.

Is this a problem? Mixed feelings on this. Incompetence isn’t limited to one side or the other. Plenty found in both. I’d argue at least the private sector has a profit motivation to get it right.

Regulation/Legislation has its place, but more often than not takes on a life of its own and the original problem it was designed to solve is forgotten. A few examples: 1) My current car can be shipped with a drivetrain that gets 85MPG. The US government refused to allow it to be brought in. So I’m stuck with the same car but only get 35MPG, and it puts out far more soot & CO2. 2) Similarly, the same car’s headlights are crippled because the US headlight standards from 1963 are still being enforced despite newer technology being available. 3) Boeing 737MAX — when both the worst of regulation and the worst of the private sector get together and have a love-child.

Clive Robinson June 9, 2021 10:58 PM

@ AlexS,

My current car can be shipped with a drivetrain that gets 85MPG. The US government refused to allow it to be brought in. So I’m stuck with the same car but only get 35MPG

The reason there is an 85MPG drivetrain[1] is due to regulation to meet CO2 emission requirements…

The auto industry was dying due to a downward tail spin spiral of “free market” stupidity and senior management incompetence hiding behind rather sad marketing campaigns. Regulation, first for safety, forced management to bring in real engineering, not the same old inefficient pig iron box chassis designs with a new layer of chrome and similar “lipstick”.

Then other safety requirements got put on the auto industry, driving further engineering and heralding CAM and CAD. It forced management to also adopt different working practices.

Back in the 1980s there started to be fuel and emissions requirements that brought in further engineering advances and new technologies.

But most of this was not happening in the US, where the solution management chose in response to regulation was lobbying and Sports Utility Vehicles that avoided some of the regulations.

So you still have old pig iron and lipstick.

The problem with “legislation and regulation” is not the fact they exist, they are just another item in mankind’s tool box; it’s how the politics behind them work.

You can give things fancy names like “regulatory capture” but at the end of the day, lunatics should not run the asylum, and foxes should not guard hen houses. If you want industry improvements you have to have regulation to have not just a level playing field, but one that’s not sinking into a swamp. For regulation to be effective it needs thorough independent oversight. Who should pay for that oversight? Ideally the industry concerned, but we’ve found that is too prone to corruption by the industry in various ways, so as society generally benefits then arguably society should pay, either by a direct sales tax or by other tax. Direct sales tax is preferable because by careful application it can hasten market change faster than other forms of regulation.

None of this is rocket science, but what borders on the mystic is why the citizenry put up with the lobbyists, self regulation and the race to the bottom that endangers not just their lives but the lives of their as yet unborn descendants. Oh and also costs them significantly in money, jobs, health, mental wellbeing and decreasing life expectancy to name but a few.

[1] Assuming it is a real “85mpg” drive train, and not one that “drives to the test”.

JohnK June 15, 2021 6:32 AM

I suspect those that believe Critical Infrastructure belongs in the hands of the government will point to last winter’s “Texas freeze”, and the incredible failure of private companies to plan for and respond to a catastrophic event.

Clive Robinson June 15, 2021 8:55 AM

@ JohnK, David,

I suspect those that believe Critical Infrastructure belongs in the hands of the government will point to last winter’s “Texas freeze”, and the incredible failure of private companies to plan for and respond to a catastrophic event.

It actually matters not a jot who owns the Infrastructure, critical or not.

It really should not need to be said, but people are clearly resorting to throwing political mantras and myths around rather than actually applying “critical reasoning”…

As you start to think about what is actually required to be done, not the stuff and nonsense of rhetoric, you realise that certain thinking is just wrong.

Unfortunately the wrong thinking aligns with a very short termist view point that is most easily expressed as “Grab it and run”, by supposed “investors” who actually behave like Viking raiders and similar of centuries gone by.

The main difference is that the Vikings could be “bought off” by Danegeld[1], but modern investors think nothing of either the company or the other shareholders that might take the more sensible view that long-term investment, not fly by night investment, results in better growth thus better long term returns.

Unfortunately some management of infrastructure companies view their duty as being to appease the short term investors, thus they in effect “sell the family silver” just to have them visit for a while.

Only it’s not the family silver they are selling but the company’s future. Sensible and needed investment in the maintenance of assets is forsaken in return for impossible returns to short term investors.

Not that management actually care; their income is predicated on such behaviour. They think that they can, like the investors, “get in and get out” and in between profit greatly at the expense of the company and its customers and other shareholders.

There can only be two real results from this,

1, The infrastructure becomes too fragile to even maintain.

2, The “grab it and run” mentality can only lead to market instability then collapse.

But do the short term investors or senior managers care? No, their sociopathic behaviour and narcissistic traits make them believe they are “Masters of All”, thus they will get out just in time to rinse, wash and repeat somewhere else…

But what if it does go wrong? Mostly short term investors are not playing with their money but other people’s, so they have no real skin in the game. Secondly if it does go wrong they just “walk away” and “start again” as they suffer no real penalties. Because they also know they are “too big to fail” thus will get bailed out by “The insurer of last resort” which is the Government, who tax the citizens who not just lose but have to pay at least twice over for the privilege of being robbed.

Thus it is not surprising that some think getting rid of the short term investors and just putting the Government in charge, which is what is going to happen anyway, just reduces the cost and the pain to the customers cum taxpayers who are the citizens.

But if that happens those short term investors do not have a game to play with other people’s money on which they take not just a percentage of any profit but also take fees on any losses they create.

Thus they have to stop the Government any which way they can, which basically devolves down to bribery and corruption via lobbyists, sinecure jobs, nest feathering, corporate sponsorship and most importantly in the US political donations for “campaign funds” without which no US politician could get into nor remain in power.

When you see this you start to realise what needs to be done as a minimum, and what should be done in the longer term to protect the citizens from the 400 or so individuals vastly profiting from them.

So “Think and be free” or “Follow to the slaughter”; the choice is that of the citizens if they are allowed it, which currently they are not in that stage managed nonsense that is US Politics…

[1] https://en.wikipedia.org/wiki/Danegeld

Socrates June 20, 2021 6:16 PM

A priori, 5/15 can’t be right! Everybody knows splits are always 80/20! 🙂
