A Security Lesson from the Dinosaurs

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze its mistakes in the face of new evidence and, through a constant stream of screw-ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?

Cyber “Pearl Harbor”

It’s no secret that cyberspace has quickly become the world’s next battleground. The United States and Israel were widely speculated to have delivered a mighty blow to the Iranian nuclear program with the Stuxnet virus, and now Iran has fought back, attacking the websites of American financial institutions Bank of America and J. P. Morgan Chase.

Despite the magnitude of these web-based attacks, I don’t think the public necessarily understands how devastating cyber warfare could become. With nearly all businesses featuring some sort of online component and so much of our day-to-day activity relying on web-based technology, a cyber terrorist could effectively cripple everything from bank accounts, telecommunications, medical facilities, utilities, transportation … you name it. Perhaps this is why U.S. Secretary of Defense Leon Panetta offered a rather dire warning last week:

“The collective result of these kinds of attacks could be a cyber Pearl Harbor,” warned Panetta. “An attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a new, profound sense of vulnerability.”

I bet that quote got your attention! The reality of such an immense attack can certainly be debated, but the question of whether the United States is ready and able to protect its interests is certainly a topic that should be at the forefront of any discussion regarding terrorism and world war.

Heather Roff, a Research Fellow with the Eisenhower Center for Space and Defense Studies at the United States Air Force Academy, penned a great post this week for the Huffington Post that discusses the conclusions we can draw from Panetta’s speech and how prepared the United States is to defend its cyber borders.