Sunday, September 21, 2008

System Survivability, Individual Responsibility, and Critical Infrastucture Protection

The financial upheavals of the last week have highlighted some the of cliches of critical infrastructure protection I've heard over the years.

First is the notion of "public-private partnership" that is necessary for the successful operation of these public services we all depend on to keep us sliding back into the dark ages of decaying big box stores with empty parking lots that are the fare of post-apocalyptic movies and fiction.

Meaning the government can not do it all and that industry and government agencies must work together to protect the integrity of the system.

Several weeks back I heard somebody from DHS on C-SPAN Radio (perhaps it was even Secretary Chertoff himself) talking about how individual asset owners have best suited to make the risk decisions (based on self-interest) to implementing controls. The government could not and should not make those decisions. At best they should define standards to raise the bar. There is a certain logic to this but it assumes that said individuals and organizations can think strategically and not take shortcuts that achieve short term objectives. Buy that flatscreen (or new laptop!) you cannot afford. Or that 4000 square foot house in the suburbs you cannot afford.

Although history has yet to be written it is obviously clear that this did not happen with the financial markets or with individual Americans. And we see the financial analogue of home users not implementing best practices (patching, firewalls, wireless security) resulting in zombie armies launching attacks that undermine the critical network infrastructure.

If enough individuals make risky decisions, the integrity of the system is compromised.

When confronted with regulation the class response from the private sector is that it stifles innovation. This was the argument you heard from vendors such as Microsoft or Cisco when the spectre of regulation was raised with regard to software security or product liabilities. The market it will handle it.

Obviously that did not happen and it should to be a wake up call for those in Critical Infrastructure (the financial sector is one, remember? I hate it how the power folks think they are the only one) that if things get out of hand that result in system collapse, the government will (and should) step in to preserve its integrity.

Of course the second cliche is the complex interdependencies among systems.

What more do you need to know? A Chinese bank hold some fraction of the mortgage for your house in Skokie or Phoenix or Plano.

Tomorrow ought to be interesting on the market. I'm wondering how many other folks put in sell orders for some of their mutual funds over the weekend with the goal of getting more liquid in uncertain times.

As I fed my 9 month old at lunch today I couldn't help but think about the future. Are the times as tumultuous as the pundits proclaim? What does a global economic meltdown really look like? And channeling Cormac McCarthy's the Road, how long does it take from the first flash in the distance to the point you wandering through the countryside with shopping carts with a revolver with 2 rounds left.

No comments: