I promise the dear reader that this will not be just a rant about how nobody takes security seriously or anything in that vein. Read on, and I’ll get to the actionable items. I just need to set some things up in order to give credence to my conclusions.
Some years ago, the Polish science fiction author Stanislaw Lem wrote an essay about weapons development titled “The Upside-Down Evolution”. In it, Lem called out several interesting trends: miniaturization, dehumanization, and deformalization. The trend that gave the essay its title was the one he considered the real breakthrough: not ever smarter artificial intelligence, but artificial instinct. Lem postulated that a weapon need not be coded to handle every type of situation. It only needed to be able to perform a certain range of tasks under certain conditions, nothing more.
Combined with miniaturization and dehumanization, limited weapons systems – artificial insects, in Lem’s parlance – also allowed for the deformalization of war. No longer a matter of exchanged ultimatums and formal declarations, war in Lem’s future would be constant, and acts of aggression would be difficult to attribute. Consider a swarm of artificial insects, each carrying a fractional amount of fissile material, that converge on a location to create a critical mass for a nuclear explosion. If all the artificial insects are destroyed in the explosion, who could say what actor or actors were behind the event? Could it be an attack by a foreign power, or a false flag attack used to justify an attack on another foreign power? Or could it be done to frame a third party?
Once deformalized like that, warfare would be constant. Natural disasters could be no more than just that, or they could be the products of an attack by a hostile party. There would be no way to tell the difference.
While we are yet to see Lem’s artificial insects on a grand scale, we *do* see the next closest thing – cyberattacks.
Cyberattacks check all the boxes of the upside-down evolution. They are mere digital streams of signals – miniaturized. They are often products of algorithms – dehumanized. They are always out there, always attacking in the ways they are set up to attack – deformalized. And they only do that *one* set of operations that they have to do – artificial instinct.
Lem’s essay did not go into matters of defense except to say that the need for uniforms, marching, parade drills, and generals all went by the wayside. At best, those were worthless vestiges of another age. At worst, they hindered responses that had to be just as rapid and ruthless as the attacks. Lem only considered nation-states, but we now live in an age with a myriad of players having access to these attacks – and a myriad of defenders still trying to fight the last war.
Old-timers will remember Clifford Stoll’s epic, The Cuckoo’s Egg. The story is of a human tracking and trapping another human. At the time, the FBI was uninterested in the case, as no large sum of money was involved (less than $1) and no classified files were accessed by the attacker. While we may look back on that and shake our heads the way modern combat veterans would react to how various World War One generals dismissed the power of the machine-gun, that was the FBI still fighting the last war.
Well, Stoll went on to write in 1995 that the Internet was just a fad and would never catch on as a platform for commerce and information exchange. Yes, he still kicks himself over that article, but at least he’s aware of the irony and how outdated that thinking was. And though I talk of a mindset fighting the last war, that was the 1986 mindset. People today may have moved beyond that, but not much. Most are still expecting a Stoll-like boffin to do the investigative work to catch the baddies and bring them to justice. That’s because the events described in The Cuckoo’s Egg are those of a previous war.
To be perfectly honest, most firms aren’t even thinking about fighting a war. They’re not built to do so. At no point is there an MBA class on Sun Tzu’s Art of War that ever tells the students, “You know, this really isn’t allegorical when it comes to IT.” I know this because I have yet to work with a customer in the business world that doesn’t underline the principle that security won’t interrupt business as usual.
I’m sorry, but that’s quite the paradox, Mr. Customer. Do you want business as usual without security, or do you want to change how you do business in order to have security? Are you still forming soldiers into phalanxes of spearmen for operations on an open field of battle, or do you plan to tell them about the need to disperse and entrench so as to avoid being overwhelmed by large-area effect weapons? If still the masses of spearmen, I have a rude surprise waiting for them when the drone with a fuel-air explosive arrives on the scene…
… and even that analogy is out of date, as the actual attacks coming at us every day do not even need drones in order to do their damage. Worse, because we put the emphasis on doing business first, we only look at security as a bolt-on. That means the underlying systems will always be more vulnerable than necessary.
So what keeps this article from being another mass of groanings about how things are? What are my fixes, my takeaways that businesses can put into place? All right, all right, I’m ready to get to my point.
You’ve got to apply upside-down evolution to your systems. Doing so will give them higher immunity and better resiliency against attacks. It will mean more interruptions to business, but of less total time than what would happen to your business if there was a successful denial of service attack against it. Moreover, the interruptions will be localized, not general.
Automate your responses to any breach of standards, and make those responses harsh. Do not exempt anything. I grant that the last sentence is more a starting negotiation position than a final state, but I stand by it, all the same. When the endpoint or server or application goes wrong, shut it down immediately and get it fixed just as fast. Then, when it comes back online, it is fresh and ready to defend itself.
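What an automated, no-exemption response loop of this kind can look like in code, as an added example rather than anything from the original post: the hosts, the three standards (patch age, EDR heartbeat, permitted listening ports) and the isolate/rebuild calls are constructed stand-ins for a real EDR or orchestration API, and the thresholds are assumed. A tag such as “prod-critical” rides along on the host record but is never consulted, so nothing is exempt; only the hosts that fail a check are touched, so the interruption stays local; and a rebuilt host is re-checked before it is allowed back online.

```python
"""Automated, no-exemption enforcement of endpoint standards.

Added illustration, not the author's tooling. Host records, checks, thresholds
and the isolate/rebuild stand-ins are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

ALLOWED_PORTS = {22, 443}   # assumed baseline for this host class
MAX_PATCH_AGE_DAYS = 14     # assumed standard
MAX_EDR_SILENCE_S = 300     # assumed standard


@dataclass
class Host:
    name: str
    patch_age_days: int
    edr_heartbeat_age_s: int
    listening_ports: set
    tags: set = field(default_factory=set)   # e.g. {"prod-critical"}; deliberately ignored
    state: str = "online"
    log: list = field(default_factory=list)


# A standard is a predicate: it returns a reason string on violation, else None.
Check = Callable[[Host], Optional[str]]


def check_patch_age(h: Host) -> Optional[str]:
    return f"patches {h.patch_age_days}d old" if h.patch_age_days > MAX_PATCH_AGE_DAYS else None


def check_edr_heartbeat(h: Host) -> Optional[str]:
    return "EDR agent silent" if h.edr_heartbeat_age_s > MAX_EDR_SILENCE_S else None


def check_listeners(h: Host) -> Optional[str]:
    extra = h.listening_ports - ALLOWED_PORTS
    return f"unexpected listeners {sorted(extra)}" if extra else None


CHECKS: list[Check] = [check_patch_age, check_edr_heartbeat, check_listeners]


def violations(h: Host) -> list[str]:
    return [r for r in (c(h) for c in CHECKS) if r]


# Stand-ins for the real EDR / orchestrator calls (constructed for this example).
def isolate(h: Host) -> None:
    h.state = "isolated"
    h.log.append("isolated")


def rebuild_from_baseline(h: Host) -> None:
    """Reimage: known-good patch level, fresh agent, baseline listeners only."""
    h.patch_age_days = 0
    h.edr_heartbeat_age_s = 0
    h.listening_ports = set(ALLOWED_PORTS)
    h.state = "rebuilt"
    h.log.append("rebuilt")


def enforce(h: Host) -> list[str]:
    """Apply the standard to one host; returns the violation reasons found.

    No exemptions: h.tags is never consulted. A violator is isolated first,
    rebuilt, then re-checked before it is allowed back online.
    """
    reasons = violations(h)
    if not reasons:
        return []
    h.log.append(f"violations: {reasons}")
    isolate(h)
    rebuild_from_baseline(h)
    if violations(h):   # rebuild did not restore the standard: stay off the network
        h.state = "isolated"
        h.log.append("post-rebuild check failed; still isolated")
    else:
        h.state = "online"
        h.log.append("re-checked clean; back online")
    return reasons


def sweep(fleet: list[Host]) -> dict[str, list[str]]:
    """Enforce across the fleet; only violators are touched (localised interruption)."""
    return {h.name: r for h in fleet if (r := enforce(h))}


def sample_fleet() -> list[Host]:
    """Constructed sample: one clean host, one stale-but-'important', one likely compromised."""
    return [
        Host("web-01", 3, 20, {22, 443}),
        Host("web-02", 40, 20, {22, 443}, tags={"prod-critical"}),
        Host("build-07", 2, 900, {22, 443, 4444}),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    for name, reasons in sweep(fleet).items():
        print(f"{name}: {reasons}")
    for h in fleet:
        print(h.name, h.state, h.log)
```

The design choice worth noting is that the exemption question is settled structurally rather than by policy: the tag that would justify “but this one is important” exists on the record, and no code path reads it. Swap the stand-in `isolate` and `rebuild_from_baseline` for calls into your EDR and provisioning system and the loop is the same.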
And if your shutdown actually caught an attacker, so much the better. The swift action meant limited damage. Do you know how Taiwan had such a low infection rate in the recent pandemic? It shut down ALL travel to the island. Nations that made exceptions got hit hard. Taiwan made no exceptions, and that swiftness and harshness saved lives.
What is your return on investment? Your business stays open, allowing you to continue to get returns on all your other investments, that’s the ROI. The coming years will see attacks that are more miniaturized, more dehumanized, more deformalized, and more artificially instinctful. Trying to stay open 24/7 in that world will be like leading those spearmen in a charge against a tactical nuclear warhead. Automate, be strict, and accept small downtimes now instead of permanent downtimes later. Fight the current, upside-down evolution-born war, not the one where we trace a 1200 baud modem connection back to Bremen after months of investigation.