There Be Dragons

It’s a sorry fact of human nature that you have to be fooled at least once before you can hope to avoid being fooled again. Based on some recent reading material, spanning two different but strangely comparable realms, I herewith reaffirm this wisdom: Absent persuasive experience, abstract threats are insufficient motivation for developing truly effective countermeasures. It will take a devastating cyberattack to focus concerted attention on real solutions.

What have I been reading? A Government Accountability Office report with the unambiguous title “Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities” and a book of essays by journalist William Langewiesche called The Outlaw Sea: A World of Freedom, Chaos and Crime.

The GAO report on the middling efforts of DHS to safeguard cyberspace disperses blame in several directions: a dearth of institutional stability in DHS’s formative period, its struggle to attract top talent, the slow pace in forging successful partnerships on all fronts and more. But its that lack of persuasive experience that seems a plausible cause as well. One of my colleagues, CISO Carlos Mena, observes that President George W. Bush has a rogues gallery of al-Qaida leaders on his desk, and when one of them is captured or killed, Bush X’s out the face. Says Carlos, “This is a major priority for him.”

By contrast, the disordered fabric of cyberspace offers the president no vivid equivalent of X-outable terrorist mug shots. More important, there have so far been no catastrophic loss-of-life cybersecurity events to stiffen the spines of the shock troops whose job is to secure that infrastructure. So far, as the GAO report makes clear, DHS has succeeded only in developing an orderly framework of good intentions to apply to the wholly intransigent domain of cyberspace. Too much work yet remains to be done to declare even midrange success.

In fairness, it seems likely that no matter how robust the defenses, there will always be ready weaknesses to exploit. The Internet is vast and deep, its possible points of failure too numerous to inventory. In an architecture of interconnectedness, the lowest common denominators can be shockingly low indeed.

Which brings me to my second realm: the planet’s oceans. Langewiesche’s The Outlaw Sea characterizes the worlds watery parts as fraught with nearly ineradicable chaos, unamenable to genuine regulation. There are dangers from modern forms of piracy, from aging decrepit vessels that fly flags of convenience and endure only lax inspections, from unqualified or unvettable crews, and from virtually undetectable terrorism.

The commercial imperatives of the world’s free-market economies confound efforts to make shipping safe and secure. Because commerce demands to be as nearly frictionless as possible, there are always havens for the greedy corner-cutters, the habitually noncompliant, and the criminals and terrorists. In the vastness of the oceans, anything can be hidden. Pirated or unsafe ships can be repainted and renamed while still at sea, frustrating efforts to find them. Even where standards are adequate, enforcement is either lazy or corrupt. And even where there are reasonable efforts at vigilance, the scope of the problem overwhelms available resources.

In Langewiesches book, we see something comparable to what DHS has been trying to achieve. An odd sort of international cooperation imposes an orderly framework of maritime law and regulation upon the worlds nations. But the jurisdiction of nations ends only a few miles out to sea. Beyond that, anarchy takes over and is thriving. The portions of cyberspace that appear to be easily governable are also relatively small. For all of it, the medieval admonition of “There be dragons” applies. In addressing real conditions of lawlessness, it is important not to be lulled by our own well-intentioned creations—law and order.