Thursday, October 22, 2009

Review: Analogies and Cyber Security

Here is a short review of the paper "What Analogies Can Tell Us About the Future of Cyber Security" by David Sulek and Ned Moran, published in the proceedings of the CCD COE Cyber Warfare Conference.

In the paper they explore the potential dangers that come with using colorful analogies like cyber Pearl Harbor, cyber Katrina, cyber 9/11 etc. In order to deal with these dangers they propose to start with developing a detailed issue history. A well written issue history helps determine which analogies apply. They give a short example in the form of the cyber issue history that, among other things, lists what is known, what is unclear and what is presumed about the topic.

They then provide a framework for exploring cyber analogies. It consists of two dimensions: one axis representing inspiration (hope and possibility) vs desperation (fear and danger) and the other systemic (evolution) vs disruptive (revolution). They give some examples for each: invention of the telegraph was an inspiring event, as it created new possibilities to communicate. On the other hand, the Y2K bug represented a potential danger to the computer systems. World War I was a linear, systemic result of military build-up, whereas 9/11 was a disruptive, revolutionary event. I think the first pair of examples is a good fit, but I am not so sure about the second. One could argue that there is an evolutionary line of developments that lead to both tragedies, we just haven't taken the time to really reflect on the reasons for, the facts of and the aftershocks of the 9/11 attacks. But I digress.

They spend the rest of the paper analyzing four cases from each quadrant of the model as a potential fit for cyber security. The four cases are the Strategic Defence Initiative (inspiration, evolution), the Cold War (desperation, evolution), the [US] National Highway System (inspiration, revolution) and finally, Pearl Harbor (desperation, revolution). Each case reveals interesting overlaps with cyber. However, each also has its discrepancies, so no clear match emerges.

They sum up their analysis in four points:
  1. There is no single analogy that works for cyber.
  2. Cases that balance inspiration and desperation leave the strongest impression on history.
  3. Many analogies used today are at the extreme ends of the model.
  4. It is important to build a good timeline for an issue, in order to understand the reasons for events.
Overall, it is a nice read and an interesting analysis of the four cases. I may not agree with the interpretation of historical events, but then again, the model is meant to be an abstract tool to describe analogies. As such, there will always be opportunities to interpret events in different ways.

The main point for me is to review the cyber analogies that I have used in the past. The analysis of the four cases has given me some food for thought and hopefully, next time I blurt out with something, I remember to also offer caveats.

As always, the paper itself is much more detailed and I recommend reading it in full.

No comments:

Post a Comment