Speed, Scale, and Critical Infrastructure: Three Truths and a Lie, Part Two

December 16, 2015
Raising the Bar: Post by Emily Frye

In Part One, we focused on a truth for which we must account: if infrastructure today involves cyber, physical, and human factors, then we need to be cognizant of foundational limitations in each of those areas. We talked about those limitations as:

  • Cyber: We are only as secure as our weakest cyber link
  • Physical: Security and resilience have to be addressed where ownership and control reside, which generally falls where physical infrastructure operates – at the local or regional level more than the national or international level
  • Human: Trust does not scale (for good reason)

In Part One we focused on physical infrastructure. Today, we turn to human factors.

The X Factor: Who Can I Trust?

Among humans, trust is not scalable. A lot of literature exists on the social and evolutionary aspects of tribes, clans, and similar constructs – including business networks. Today, most of us have global networks of both business colleagues and social contacts. How many of your LinkedIn connections are people you have “met” virtually but not face-to-face (or perhaps only once or twice)?

Now, think about the professional colleagues whom you trust. They are likely people you've had considerable in-person exposure to over a period of time, right? You have looked them in the eye. You have watched how they behave. You have observed whether others in the environment rely on their words. Trust takes time. It takes a track record.

Judging the trustworthiness of others is a slow process, but it is a reliable one. It is hard for people and institutions to forge enough trust to band together and protect one another's backs, and for good reason – the fear associated with allowing others to see weakness often comes from painful experience.

This kind of phenomenon was observed and described in some of the early work of Amitai Aviram, a respected scholar on private ordering. He highlighted the fact that effective information sharing (and by extension, response) occurs when preexisting trust networks are already in place.

Here’s an example:

Thirteen years ago, I was at a working meeting inside the New York Federal Reserve Bank. Everyone in the room was a lawyer working on cybersecurity policy issues. I had a relatively new BlackBerry, as did most of the others. Suddenly, our host called me into the hallway.

"We've just identified your BlackBerry as the source of a virus that’s started to circulate in our group." He sounded panicked. "What do you want to do?"

Looking back, there were all kinds of reasons why I should have been concerned: I was in a room full of high-powered lawyers who might, a) not want to deal with me anymore, or b) view this as an ideal test case for cybersecurity liability. Further, I was the general counsel of a company whose business centered on cybersecurity.

But, instead, without thinking it through, I rushed back into the room and announced – "We've got a problem." Everyone rallied around discussing the problem, identifying a solution, and fixing all affected devices; then we resumed the appointed task. It was over fairly quickly.

This experience highlights human limitation and strength: pre-built trust allows people to reduce risk more quickly, so they can stop threats from affecting a much broader community.

How might we leverage this observation in an enormous and complex cyber-ecosystem? What kinds of pre-existing trust networks are available? Regional protective bodies, with their longstanding trust investments in the physical infrastructure world, can in theory play a meaningful role if they expand to managing cyber risk as well.

Leveraging Pre-Built Trust Networks

Here's the bottom line: Cyber threats move at network speed; cybersecurity moves at the speed of human trust. And human trust scales only to a point – to a geographical level where intimacy is possible: regions.

Ten years ago, we weren't even thinking about the triangle of cyber-physical-human as a converged threat space. Today, we have to. Robust cybersecurity will exploit the good that human relationships have already built in that space – meeting people where they are – rather than attempting to generate wholly new arrangements among relevant actors.

We are seeing steps toward regional approaches to cybersecurity – of note, the Cyber Resilience Institute and the Western Cyber Exchange – but to date, there are no regional bodies focusing holistically on the cyber-physical-human converged space.

At the same time, as one astute reader responded to a prior post, "… the key assumption holding us back is the belief that there is a final answer… this is a situation where we face a paradigm shift requiring a new way of thinking. The thought that there isn't a solution that the government can buy is scaring many people." It’s important to remember that regional organizations and stronger relationships do not represent a silver bullet. There isn’t one.

Linking and leveraging existing regional relationships into the broader security arena, and creating new relationships, offer hope for leverage in this messy space. How do we help physical resilience bodies become cyber-physical-human resilience bodies? How do we help cyber information sharing and threat-distribution bodies connect in relevant ways to physically focused protection and resilience bodies? That’s the challenge. What do you think? Share your reflections here.
