I was at the RSA Conference in Chengdu, China last week, giving a couple of sessions on “Keys and Clouds” and “The Pillar of Trust: where Big Data meets Security”, the latter jointly with my colleague and fellow blogger Branden Williams. I’ll be writing (and speaking) more about both these topics, but there was another subject that struck me particularly strongly over the course of the conference: the complex dynamics of the systems in which our security products and strategies must operate and the difficulty of anticipating both the positive and negative consequences of those products and strategies.
The first impetus to these thoughts occurred shortly after I arrived at the hotel in Chengdu.
I’m giving a presentation in Norway in October and thought I’d take a look at what flights might be available from Zürich. So I fired up a browser. Instead of my usual Google search home page, I got a “site not available” message. “OK,” I thought. “Google and China? I know what that’s about.” So I went to the bookmarked travel site that I typically use. But instead of the usual site, I was redirected to the China version of the site – which provided information only about flights in China.
Annoying, but not a big deal. Still, it struck me that this was a classic instance of a simple system trying to regulate a complex system, one of the best ways of understanding unintended, unwanted and unanticipated consequences (see this blog by Alex Tabarrok). After all, my immediate response was to think about ways to get around the restrictions, to break out of the system of imposed controls so that I could get free access into the larger system of the internet. It also reinforced the strategies I had put in place to deal with problems like this, starting with bringing a special stripped-down laptop on the trip rather than my usual work computer.
The next morning, after the keynotes, I attended Tatu Ylönen’s session on SSH. Tatu invented the SSH protocol and is the founder and CEO of SSH Communications Security. Towards the end of the session, as Tatu was discussing the advances that his company is making in management of SSH keys, he remarked that the success of SSH as a protocol and product has resulted in enterprises often holding thousands of SSH keys, creating the significant issues in managing large volumes of keys that Tatu is working to address. Once again, I was struck by the system-level issues that Tatu was confronting. In this case, the extremely effective run-time capabilities of the SSH protocol have to be integrated within a larger system of deployment and key rotation, particularly because of the attacker/defender dynamics within which the protocol operates.
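The key-sprawl problem Tatu describes is easiest to appreciate with an inventory in hand. What follows is an added example, not code from this post or from SSH Communications Security: it folds authorized_keys files collected from several hosts into one key-centric view, computes OpenSSH-style SHA256 fingerprints, checks that the declared key type matches the type embedded in the key blob, and flags keys shared across hosts, keys with no owner comment and keys installed without from=/command= restrictions. The host names and file contents are constructed sample data, and the key blobs are synthetic (shaped like OpenSSH wire-format blobs, not usable keys).

```python
import base64
import hashlib
import re
from collections import defaultdict

# authorized_keys line: [options] key-type base64-blob [comment]
# Options may contain quoted strings with spaces, so the options group is lazy
# and the key-type token anchors the parse.
KEY_LINE = re.compile(
    r"^(?:(?P<options>.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?:\s+(?P<comment>.*?))?\s*$"
)


def _synthetic_blob(key_type: str, seed: bytes) -> str:
    """Synthetic blob (assumption, not a real key): length-prefixed type string
    followed by a 32-byte payload, base64-encoded like a real OpenSSH blob."""
    raw = (len(key_type).to_bytes(4, "big") + key_type.encode()
           + (32).to_bytes(4, "big") + hashlib.sha256(seed).digest())
    return base64.b64encode(raw).decode()


# Constructed sample: authorized_keys contents gathered from three hosts.
DEPLOY = _synthetic_blob("ssh-ed25519", b"deploy")
ALICE = _synthetic_blob("ssh-ed25519", b"alice")
LEGACY = _synthetic_blob("ssh-rsa", b"legacy")
HOSTS = {
    "web1": [f"ssh-ed25519 {ALICE} alice@laptop",
             f"ssh-ed25519 {DEPLOY} deploy",
             "# comment line"],
    "web2": [f"ssh-ed25519 {DEPLOY} deploy",
             f'from="10.0.0.5",no-pty ssh-rsa {LEGACY}'],
    "db1": [f"ssh-ed25519 {DEPLOY} deploy",
            f"ssh-rsa {ALICE} alice@laptop"],   # declared type does not match blob
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw blob)) with '=' padding stripped."""
    raw = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def blob_type(blob_b64: str) -> str:
    """Key type embedded in the blob: the first length-prefixed string."""
    raw = base64.b64decode(blob_b64)
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_line(line: str):
    """Return None for blank/comment lines, a dict with 'error' for rejected
    lines, otherwise a record with type, fingerprint, options and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_LINE.match(line)
    if not m:
        return {"error": "unparseable line"}
    try:
        embedded = blob_type(m["blob"])
    except ValueError:  # binascii.Error is a ValueError
        return {"error": "blob is not valid base64"}
    if embedded != m["type"]:
        return {"error": f"declared {m['type']} but blob is {embedded}"}
    return {"type": m["type"], "fingerprint": fingerprint(m["blob"]),
            "options": m["options"] or "", "comment": m["comment"] or ""}


def inventory(hosts: dict):
    """Merge per-host files into {fingerprint: {type, comment, hosts, options}}
    plus a list of (host, lineno, reason) for rejected lines."""
    keys = defaultdict(lambda: {"type": "", "comment": "", "hosts": [], "options": []})
    errors = []
    for host, lines in hosts.items():
        for lineno, line in enumerate(lines, 1):
            rec = parse_line(line)
            if rec is None:
                continue
            if "error" in rec:
                errors.append((host, lineno, rec["error"]))
                continue
            k = keys[rec["fingerprint"]]
            k["type"] = rec["type"]
            k["comment"] = k["comment"] or rec["comment"]
            k["hosts"].append(host)
            k["options"].append(rec["options"])
    return dict(keys), errors


def findings(keys: dict, errors: list, max_hosts: int = 1):
    """Audit findings as (subject, code, message). max_hosts is an assumed policy."""
    out = []
    for fp, k in keys.items():
        if len(k["hosts"]) > max_hosts:
            out.append((fp, "shared", f"present on {len(k['hosts'])} hosts: {', '.join(k['hosts'])}"))
        if not k["comment"]:
            out.append((fp, "no-comment", "no owner comment; accountability unknown"))
        loose = [h for h, o in zip(k["hosts"], k["options"]) if not o]
        if loose:
            out.append((fp, "unrestricted", f"no from=/command= restrictions on {', '.join(loose)}"))
    for host, lineno, reason in errors:
        out.append((f"{host}:{lineno}", "rejected", reason))
    return out


if __name__ == "__main__":
    ks, errs = inventory(HOSTS)
    for subject, code, msg in findings(ks, errs):
        print(f"[{code}] {subject}: {msg}")
```

The type check matters in practice: sshd ignores a line whose declared type does not match the blob, so such a line is a silent failure rather than a working credential, and an inventory that only counts lines will over-report. Comparing by fingerprint rather than by file line is what makes the cross-host view possible at all, since the same key typically appears with different comments and options on different machines.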
Branden, Jason Rader and I decided to visit the Panda Research Center while we were in Chengdu. So early Wednesday morning we took a taxi to the center, getting there soon after it opened. It’s a wonderful park with impressive bamboo forests, beautiful lakes, striking views across the valley and a rope bridge that aspires to be a trampoline. It was definitely fun to see the pandas, but I was also struck by the statement on one of the signs that the red pandas were not always accessible to visitors because of “inbreeding depression”. Not that the pandas needed more serotonin, but that the population was generally of reduced fitness and needed to be protected. The Panda Research Center provides effective security for the pandas in the face of loss of habitat, but the isolation and limitation that protect the panda population also have clearly unwanted and unintended – though not necessarily unanticipated – consequences.
As I wrote in an earlier blog: “looking at security from a system perspective has the benefit of encouraging a more intentional mind-set regarding what the system as a whole is intended to accomplish.” Our goal as security professionals should be to define, design and implement this larger system, not just point products and tactical responses to threats. Art Coviello, RSA Executive Chairman and EMC Executive VP, stated this even more emphatically in his keynote at RSA Conference China: “We want to nurture an ecosystem of trust in the digital world.” A systems perspective also helps in thinking about the consequences of our security strategies, products and processes. We need to understand the dynamics of security, bringing to bear the full range of tools that can help us understand those dynamics. Only with that understanding can we anticipate, understand and address consequences that can otherwise undermine the security technologies, processes and organizational structures that we put in place.