Saturday, March 23, 2013

Schneier: Security, technology, and why global warming isn't a real problem

In the Fever Days after September 2011, I wrote a bit about "the cost of havoc". The premise was that technology was consistently reducing the cost of havoc, but the cost of prevention was falling less quickly.

I still have my writing, but most of it is offline - esp. prior to 2004. As I said, those were the times of fever; back then we saw few alternatives to a surveillance society. Imagine that.

Ok, so that part did happen. On the other hand, we don't have Chinese home bioweapon labs yet. Other than ubiquitous surveillance, 2013 is more like 2004 than I'd expected.

The falling cost of offense/cost of defense ratio remains though. Today it's Schneier's turn to write about it… (emphases mine)

Schneier on Security: When Technology Overtakes Security

A core, not side, effect of technology is its ability to magnify power and multiply force -- for both attackers and defenders….

.. The problem is that it's not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They're more nimble and adaptable than defensive institutions like police forces. They're not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side -- it's easier to destroy something than it is to prevent, defend against, or recover from that destruction.

For the most part, though, society still wins. The bad guys simply can't do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced?

I don't think it can.

Because the damage attackers can cause becomes greater as technology becomes more powerful. Guns become more harmful, explosions become bigger, malware becomes more pernicious...and so on. A single attacker, or small group of attackers, can cause more destruction than ever before...

.. Traditional security largely works "after the fact"… When that isn't enough, we resort to "before-the-fact" security measures. These come in two basic varieties: general surveillance of people in an effort to stop them before they do damage, and specific interdictions in an effort to stop people from using those technologies to do damage.

Lots of technologies are already restricted: entire classes of drugs, entire classes of munitions, explosive materials, biological agents. There are age restrictions on vehicles and training restrictions on complex systems like aircraft. We're already almost entirely living in a surveillance state, though we don't realize it or won't admit it to ourselves. This will only get worse as technology advances… today's Ph.D. theses are tomorrow's high-school science-fair projects.

Increasingly, broad prohibitions on technologies, constant ubiquitous surveillance, and Minority Report-like preemptive security will become the norm..

… sooner or later, the technology will exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a bio-printer, or turn our electronic infrastructure into a vehicle for large-scale murder...

… If security won't work in the end, what is the solution?

Resilience -- building systems able to survive unexpected and devastating attacks -- is the best answer we have right now. We need to recognize that large-scale attacks will happen, that society can survive more than we give it credit for, and that we can design systems to survive these sorts of attacks. Calling terrorism an existential threat is ridiculous in a country where more people die each month in car crashes than died in the 9/11 terrorist attacks.

If the U.S. can survive the destruction of an entire city -- witness New Orleans after Hurricane Katrina or even New York after Sandy -- we need to start acting like it, and planning for it. Still, it's hard to see how resilience buys us anything but additional time. Technology will continue to advance, and right now we don't know how to adapt any defenses -- including resilience -- fast enough.

We need a more flexible and rationally reactive approach to these problems and new regimes of trust for our information-interconnected world. We're going to have to figure this out if we want to survive, and I'm not sure how many decades we have left.

Here's shorter Schneier, which is an awful lot like what I wrote in 2001 (and many others wrote in classified reports):

  • Stage 1: Universal surveillance, polite police state, restricted technologies. We've done this.
  • Stage 2: Resilience -- grow accustomed to losing cities. We're  not (cough) quite there yet.
  • Stage 3: Resilience fails, we go to plan C. (Caves?)

Or even shorter Schneier

  • Don't worry about global warming.

Grim stuff, but I'll try for a bit of hope. Many of the people who put together nuclear weapons assumed we'd have had a history ending nuclear war by now. We've had several extremely close calls (not secret, but not widely known), but we're still around. I don't understand how we've made it this far, but maybe whatever got us from 1945 to 2013 will get us to 2081.

Another bright side -- we don't need to worry about sentient AIs. We're going to destroy ourselves anyway, so they probably won't do much worse.

No comments: