Normal Chaos as a New Way of Looking at Cybersecurity Research

Normal Chaos Group
Oct 9, 2017


Linking Hindsight to Foresight in Cybersecurity Research

by Dr. Mike Lauder and Dr. Timothy Summers

On October 3, 2017, Computing Community Consortium (CCC) Council Member and Cybersecurity Task Force Member Dr. Nadya Bliss published an exceptional blog article giving the charge that it was time to implement a forward-looking research agenda in cybersecurity.

Massive data breaches containing large amounts of personal information, such as the 143 million records stolen from Equifax, now seem to be commonplace. The general sentiment around the Equifax breach is that “the breach was due to complete and total corporate negligence”. With hindsight, commentators have noted that the system patches needed “to address the known vulnerabilities were available for two months before the Equifax attackers entered the system”. This has caused the industry and government to point fingers at the company’s executives, and some are calling for an overhaul of the regulatory system.

Yes, Equifax did allow this breach to happen. This point was firmly proven when former CEO, Richard Smith, suggested that one person and a bad security scanner were the sole cause of the breach during his Congressional testimony. His response was called “ham-handed” and “simply unacceptable”. And perhaps more informed regulation could provide a solid foundation for companies to respond more appropriately in the future. But it doesn’t address the charge made by Dr. Bliss and the CCC that we need to establish a forward-looking research agenda in cybersecurity.

A recent analysis in the Harvard Business Review implies that cybersecurity, and more specifically the regulatory framework, is “painfully behind the technological advancements”. There has also been a striking response from the technical community. In 2016, the United States Office of Science and Technology Policy (OSTP) made recommendations specifically regarding user-centric tools for identity management.

The article from the CCC suggests a number of issues that the computing research and cybersecurity communities might address. These are an increase in cyber literacy, the accountability of executives and regulators, the development of organization-centric tools and methodologies for risk assessment and resilience, and the development of ways to reduce the impact of data that has been compromised. This response raises the question of what the cybersecurity community has learned from other fields that attempt to manage various forms of jeopardy that are the unintended consequences of the pursuit of a particular social benefit. Here we see the industry suffering from what Prof. Brian Toft calls “distancing by differentiation”: to précis this idea, it is when one sector fails to learn from others because it concentrates on how it is different rather than seeing the areas of commonality. Not everyone in the cybersecurity community has subscribed to this approach. In 2012, Carl Landwehr encouraged us to consider making progress in the domain of cybersecurity by “drawing on historical examples from architecture and navigation”. However, the vast majority of the cybersecurity industry has neglected this advice, causing the sector to be condemned for what Toft calls a “failure of hindsight”. We therefore see the Equifax breach and other recent breaches as proof that the current thinking around cybersecurity isn’t working. Normal Chaos provides a different way of thinking about the issues involved.

To this end, we suggest that the cybersecurity community should extend its literacy over the subject of “organizational failure” by reviewing and learning from wider study. As one example, we offer the idea of Normal Chaos which I introduced in the article by Dr. Bliss:

We use the term normal chaos to describe contexts and situations that are too complex for us, as humans, to truly understand the cause and effect relationships embedded within them. Normal Chaos recognizes that such complex situations produce constant uncertainty, change and unexpected occurrences that negate our plans and reduce our ability to control the events around us. This requires and encourages us to re-adjust constantly as our plans are unlikely to be enacted exactly the way that we envision. It’s time that we recognize that management actually spends most of its time adapting to changing circumstances, especially in cybersecurity.

To illustrate our point, if we take a broader look at the computing research agenda presented by the CCC from a more general perspective of organizational failure:

  • We see cyber literacy encompassed by Diane Vaughan’s phrase “seat of understanding”. This phrase has been defined as “having the training, knowledge, experience, and current data required to make the appropriate judgements”, and it provides a much clearer goal in the drive for cyber literacy.
  • Within the wider study of accountability, where the subject is only addressed in general terms, accountability just becomes a banquet for lawyers and politicians. If the cybersecurity community is to pursue the issue of accountability, and for any measure to be effective, it has to focus on ensuring that the accountability is personal, meaning that the individual is given “skin in the game” — they must have personal jeopardy in the event of a data breach.
  • If we look at regulating for an outcome per se, we see that it does not work. Within the field of safety regulation the argument previously swung towards regulation, but the field now recognizes the ineffectiveness of this approach. The safety field is now looking at a much more sophisticated mix of mechanisms, as it acknowledges that there is no simple panacea to its problem.
  • We see the final two issues, that of “risk assessment and resilience” and how to reduce the impact of a failure (a cyber breach), to be an issue of process. This is about seeing what might go wrong, developing foresight, and appreciating the implications if it does go wrong. This is where a highly developed “seat of understanding” is required. It then means acting either to prevent it from happening, to reduce the possibility of it happening, or to assess the impact if it happens. Here the cybersecurity community should aim to set the highest benchmarks across all the related industries and then live up to them. To do this the industry must know what others do.

So, how does this relate to normal chaos? Normal Chaos gives people another way of appreciating what is happening around them. It can be seen to be about increasing understanding and therefore adding to the “literacy agenda”. Part of understanding the truly complex world within which we have to operate is the understanding that “failure is inevitable”; this may be, at one end of the range of possibilities, due to the incompetence of some agents within the system or, at the other, due to some unexpected emergent characteristics of the system. This feature seen within Normal Chaos is already part of the cybersecurity conversation but is not recognized as such.

Senator John McCain, as quoted by Dr. Jamie Winterton during her Senate testimony, warns that “rapid development and deployment of information technology by American businesses and by our government has created new vulnerabilities. The entire information domain has become a potential battle space”. Wherever there are vulnerabilities there is always the possibility that someone will seek to exploit them as no defensive system should ever be considered infallible.

Dr. Keith Marzullo, Professor and Dean of the College of Information Studies at the University of Maryland College Park, has stated that “breaches are going to continue, which implies that we need to increase our focus on issues in remediation and recovery”. Here we see wise counsel that moves the focus from being mainly on prevention to being on a greater balance between prevention and reducing the impact of breaches.

Another key implication of Normal Chaos unwittingly highlighted by Dr. Bliss is our limited ability to control our lives. She points out that “the actual (Equifax) breach occurred months before it was disclosed”. Here we see that organizations and individuals were exposed to jeopardy over which they had no control and of which they had no knowledge or expectation.

We see Normal Chaos providing a new framework for our thinking on cybersecurity. It provides a way to look at what is going on and to develop a greater appreciation (literacy) of its impact. But can Normal Chaos do more?

As well as reducing our tendency to a “failure of hindsight” by looking at cybersecurity more broadly and learning from wherever we can, Normal Chaos can also be used to promote foresight. Enterprise risk management, which embraces the issue of cybersecurity, recommends both a top-down and a bottom-up approach to risk assessment and management. Normal Chaos, with its focus on the viability of structures, patterns of activity and energy flow around a system or organization, can provide executives and senior management with the language to stimulate their discourse on cyber matters, as it will provide them with a new way of looking at the subject.

The one place where we disagree with Dr. Bliss is when she suggests that it’s time that we recognize that “breaches will continue to happen unless something changes”. We completely understand her logic here; however, we believe that, due to the complexity of life, some breaches are inevitable. It is the role of cybersecurity professionals to make it as difficult as possible for breaches to occur, to react as quickly as possible to close a breach, and to make it as difficult as possible for perpetrators to benefit from the stolen data. Experience in other fields shows that reliance on regulation is not enough: regulation can only be used effectively to address a very limited number of incidents. It is more important to develop a sophisticated “seat of understanding” within the community, and Normal Chaos is offered as a way to start.

This article was written by Dr. Mike Lauder and Dr. Timothy C. Summers on behalf of the Normal Chaos Group, a collective of scholar practitioners dedicated to research on organizational advancement. The Normal Chaos Group also includes Dr. Nneka Abulokwe and Dr. Hugo Marynissen.
