Sorry for the late letter this week (and lack of a quote). This was a trying week for me, but I’ll be back to normal with some longer pieces as I dig into Dostoevsky’s “Crime and Punishment” next week!
Risk Developments this letter:
Testing Positive
The Risk Dance
On the island of New Guinea off the coast of Australia, deep in the rainforest, exists a species of birds with brilliant plumage that perform elaborate mating dances. Millennia before economists coined the term signalling in the 1970s to describe education credentials and the job market, or even before Thorstein Veblen described conspicuous consumption in 1912, these birds-of-paradise had figured out the importance of signalling. In a resource-rich environment with few predators, males spent more and more resources to demonstrate their evolutionary fitness and win the sexual selection game. Once you understand the concept, you begin to see it everywhere.
Education, employment and mating are just a few areas in which signalling commonly comes up, but any time there is an information asymmetry, signalling can be useful. Other areas where the topic is relevant include in-person work, financial risk, and security. The pseudonymous blog post by an information security professional titled “They want us to be compliant, not secure” complains about the challenge of interpreting signals in security. It is explicitly the job of auditors to assess the signal, not the underlying system, as pointed out in this thread of responses on Hacker News. This may seem like an extreme statement, but you see it all the time in the accounting world, where auditors sign all opinions with the disclaimer that their beliefs about the company are contingent on the good faith of management.
The difficulty here is that professional signal assessors are not fraud detectors. For a great blog on what dishonest signals look like in accounting, see Francine McKenna’s writing at The Dig. A system that relies too heavily on signals can build an elaborate edifice, like the dancing birds-of-paradise, but this signalling arms race can increasingly siphon off resources from purposes with real utility.
One reason birds-of-paradise can afford to spend so much energy on looking good and dancing is that adult birds have few natural predators. Species that can’t afford to spend energy on signalling are constrained by their environment: they either face many threats or have fewer resources. One reason dishonest signals (known in business as fraud, or in information security as spoofing) are so effective is that the existing signalling regime works so well. As Byrne Hobart pointed out in “The Right Amount of Fraud” (subscriber post), there was a tradeoff between expediency and exactness in the Paycheck Protection Program. Some fraud was, in a sense, desirable in one round of the game, but since society is structured as a series of repeated games, the stability of signalling is destabilizing.
The difficulty is that in a resource-rich environment there is little natural selection by what biologists call viability, and lots of selection on fecundity. That is, signalling dominates survival as the main selection mechanism for passing on genetic material. Going public used to be a reliable bellwether for a startup that had matured, but Nikola’s ill-fated reverse merger managed to slip through. Being able to raise lots of capital is usually a high-fidelity signal for future startup success, but Theranos proved that capital and board members aren’t always the most reliable signal. The business world has been a resource-rich environment for well over twenty years, and the continued low interest rate policy isn’t changing anytime soon.
Coming back to signalling in information security: is it easier to be secure or to “take security seriously”?
In a previous letter, we discussed Equity Funding Corporation of America, and how they perpetrated accounting fraud using information technology. Eventually the Ponzi scheme got too big to conceal and law enforcement caught on. Dishonest signals can sometimes grow too expensive to maintain, but security signalling is unusually cheap. For those more interested in security than signalling, there are only a few solutions:
Reduce competition - lessening the pressure on the signalling arms race
Increase enforcement and penalties - driving up selection by viability
Create more credible signals - providing alternatives for good faith actors
These three solutions align with the three schools of International Relations thought (realism, liberalism and constructivism), covered by this letter before, and like the three schools they are not mutually exclusive. Reducing competition in the signalling arms race may work for naturally oligopolistic sectors like finance and government, and it helps explain why those industries can afford to pour so much money into their cybersecurity programs, but monopolies/oligopolies impose other large costs on society. Liberalism puts more faith in rule of law and norms to regulate or self-regulate bad actors who may harm the whole system, but this solution has its drawbacks as well. First, it presupposes omnipotent, competent and scrupulous legislative, regulatory and administrative bodies. Second, it will force some otherwise good companies out of business for bad cybersecurity. The last option is the most appealing, but the hardest to conceptualize. What would more credible signals look like? Perhaps software guarantees, submitting to significant voluntary oversight or greater transparency through open source, bug bounties and other methods of reducing information asymmetry.
Ultimately, signalling, as with the birds-of-paradise, will be a part of the security world for a long time to come. The issue is not compliance or security, but how compliance can serve the interests of security. A world with less signalling is not a better or more secure world, but a world with better signals is. Few understand. Birds know this.
Risk Developments
This week I moved for the second time in a month (all I can say is moving sucks and moving twice sucks more than twice as much). I was planning on not doing a risk development section this week, but there is one story I had to talk about...
Testing Positive
As promised, the SolarWinds saga isn’t over yet. News broke this week that the U.S. government is formally sanctioning six Russian cybersecurity firms: ERA Technopolis; Pasit; Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation; Neobit; Advanced System Technology; and Positive Technologies, in response to the SolarWinds breach, attributed to the Russian foreign intelligence agency, the SVR.
It’s unclear what effect these sanctions will have. Sanctions in general are not terribly effective tools in diplomacy and this may be especially true in hacker circles, where a government record can sometimes be a badge of pride. Increasing the notoriety of Russian organizations already mostly decoupled and insulated from the West may just be empty signalling.
It’s hard to know what to do about an adversary that refuses to play by any set of common rules. As tense as things are between China and the United States, there is a shared sense of danger from destabilization. Russia, since the fall of the Soviet Union, has had very little to gain and nothing to lose in the current economic order. Until a shared story is created that brings Russia into the world economy, the petulant behavior will continue.
Gratitude
Big thanks to Byrne Hobart, Francine McKenna, 62726164 and Jeremiah Grossman.