- BlogInfoSec.com - https://www.bloginfosec.com -

Securing Complex Systems

There is a cartoon by Jacob Samuel in The New Yorker magazine of March 30, 2015 that shows a warmly dressed gentleman holding a placard on which is written: “We are being CONTROLLED by the random outcomes of a complex system.” As with so many New Yorker cartoons, one is left to decide on your own exactly what is being referenced. The system could be geopolitical, environmental, social, and so forth. It could be the Internet or the Internet of Things or the critical infrastructure. It could be the specter of artificial intelligence or wearable computers where our every move and thought is monitored and the systems respond on our behalf. Certainly with the prospect of autonomous road vehicles, added to existing automatic pilots for planes and trains, it would seem that we are losing control of many of the activities that we formerly managed.

I choose to think of complex systems as those systems of systems that arise when you combine security-critical information systems and safety-critical control systems. And I consider that perhaps, because of my InfoSec bias, the cartoonist might be thinking that our loss of control in general and privacy in particular is due to the randomness involved in many of these systems.

As an aside, there has been a fair amount of work done on differentiating complexity from complicatedness and it is necessary to understand the somewhat subtle differences between the two in order to be able to evaluate whether or not we are subject to outcomes that we cannot possibly hope to secure. This is the quandary of those cybersecurity professionals seeking to manage the security of complex systems. The main difference between complicatedness and complexity is that the former is deterministic in that you can predict outcomes based on inputs and system state. With the latter, particular outcomes are not predictable and there is a large amount of uncertainty involved.

Perhaps the main unrecognized reason why we InfoSec professionals are having such a hard time trying to manage security and privacy is that they are treating systems as merely complicated and are not allowing for the probabilistic nature of the complex systems that are indeed confronting us. Until we change this erroneous perspective we will continue to apply inappropriate tools that are not having the impact we were hoping for. As the cartoon character points out, outcomes of complex systems are random and dealing with their unpredictability should lead to different approaches to shore up security and protect everyone’s privacy. More on this another time.