June 15, 2007
-
security and insecurity
Insecurity is a fascinating word for a profound concept. It is a word that I have rarely used
or thought about until recently and that makes me wonder as to the why
of it. Many seem to instinctively rely on the concept of “insecurity”
as an essential pillar of their self view or their world view. I don’t
disagree, its just that I think I have spent much of my mental energy
on its opposite, the concept of security.Now I will try to turn directly to the concept of insecurity but I
think in order to gain any traction in my understanding I will have to
start with the opposite concept and work my way back from there. This I
think is a reasonable approach when trying to get a grip on any concept
that begins with an “in”, since it means the term is essentially bound
to its opposing entity.The way I have come to understand security is like Linus Torvalds said
in a talk I watched online recently, “security work is all about
networks of trust” (yes, many others have said similar things…). When you understand security in that fashion lots
of things fall into place that don’t otherwise make sense if you think
of security as walls or locks and keys or any other such mechanism. It
also makes concepts outside of typical physical security more coherent.
“monetary security”, “mental security”, “emotional security”, “job
security”, they all can be understood under the same framework. They
are all about who you trust and who they trust and so on and of course
all along the line asking the questions of why do you trust, or why
should you trust and so on.Businesses build up their security network by hiring people. They have
no choice in this matter. The core of any businesses security is who
works for them. No matter of fancy software or clever locks and gates
will make a damn bit of difference if there is an inside man in your
business. What’s more you have to hire somebody so you have to pick out
of a usually rather large pool of applicants people to work at the
industry. You have to try to find somebody in that group that you can
can trust. Not only do they have to trust the people that they hire,
but implicitly they are also trusting the people who the people that
they hire trust as well and so on down the line. Trust is essential in
the hiring process since a breach of trust could run deeper than just
having an unreliable untrustworthy employee who doesn’t get his or her
work done, it could open up a business to severe liabilities.This is why businesses take so much stock in the recommendations of
their employees even though objectively we might argue that this is
unfair to perfectly capable applicants who are applying without that
inside support. A business that hires someone recommended by an
employee is explicitly extending that network of trust. They are
banking on the trust they already have for that employee being directly
applicable to the person that employee knows on the grounds, sometimes
shaky grounds, that the person wouldn’t have recommended another for
the job if the person didn’t in some significant way trust that person.Another strategy businesses use to try and secure themselves is to do
background checks. Now interestingly enough these background checks are
themselves all about digging into someone’s trust network in order to
validate the degree to which the person can be trusted. The
investigators go around talking to family members and friends of the
person, direct or indirect acquaintances to try and find out what the
people who the person trusts thinks about the person and to try and
make sure the network is a real existing thing. Sometimes to dig deeper
an investigator may go to the people who the person trusts trusts and
so on down the line validating the testimony and sincerity of each
interviewee against the others looking for inconsistencies that might
set off alarm bells making someone not trust another person.Now that we understand that basic idea of security, let’s turn now to
the idea of insecurity in the same context. Insecurity then obviously
would be a lack of security. Explicitly that means a break in that
network of trust, a node that cannot be trusted or a communication line
between nodes that leaks to others outside of the network who are not
trusted entities. Communication lines are easy, you just try and secure
the lines as much as possible. No matter how trustworthy your people
are, it is pointless if anyone can sit outside a business with a laptop
and ease drop on all of their data. It is also along the same lines
important for a business to not just worry about internal communication
but work as hard as possible to empower their employees to have secure
lines of communication with the people that they trust. Obviously you
ask them not to blabber about company secrets to others, but
realistically you have to acknowledge that some employees probably will
blabber. It is inevitable. If you are really concerned about minimizing
the risk of insecurity and not just about having someone to blame when
a security breach occurs, you will work to ensure your employees
outside of work communications are secure as well. That could mean
anything as simple as buying them a secure home computer system or as
complex as paying for their home in an area that the business feels is
secure against outside influence.Insecurity in the nodes themselves is a not harder. How do you really
know ultimately if a person is trustworthy? Or more to the point in the
real world, how much trust should you put in each node and when?
Employers often have to decide between various amounts of information
to provide to each employee. How open should they be? How closed
should they keep the circle? One of the things that makes it complex
is the nature of humanity. People respond by being more trustworthy
when they are trusted. They become less trustworthy when they feel
information is being withheld from them or that they are interact in a
less than open environment. So businesses must balance the need to
treat each employee on a somewhat equal level with the simple fact that
in any network not all nodes are equally trusted.Now anyway, insecurity in other matters beside the physical is
similarly about dealing with breaches of trust. Actually, when the term
insecurity is applied to other matters it is usually not about actual
known insecurities. Rather we are most concerned about “feelings of
insecurity”. That is, that sense one might have that one or more of
nodes or connections in their network of trust is not secure or more
often lacking evidence to determine whether or not it is secure, the
feeling that maybe perhaps they put too much trust in one or more nodes
too quickly or with too little justification.Insecurity can arise from a lot of things. Sometimes its just
suspicions and intuitions. There can be a feeling that things aren’t
quite right based on subtleties that an outside observer would not
recognize and sometimes which a person themselves could not describe to
others. Other times insecurity can arise from hard evidence that is
impossible to ignore though sadly far too easy to misinterpret. Still
other times insecurity can be heightened by stresses on the system.
Since all security networks are based on rational decisions that we
make and reaffirm day by day, any time when we start to doubt our
decision making processes or when our mind is not processing at 100% we
will likely start to doubt our trust network as well. Certainly
“impending” major events fall into that category of adding stresses to
a system. All the more so if the events require choice that is not
wholly governed by rational thought to begin with and thus subject
inherently to distrust.There are other ways insecurity can come about as well. One of the
biggest is through misinformation. You can get that misinformation from
all sorts of places, but most often it comes from communication with
untrustworthy entities, or entities that can be trusted but not about
matters for which they are being consulted. To throw out a trivial
example, a web forum is really no place to go for trustworthy advice
about anything for the most part and yet people rely on getting advice
from random people on the web all the time. Most of often they get
information that flatters them or fulfills their expectations and they
trust it on those grounds rather than its necessary basis on reality.
That can have a huge distorting effect on one’s trust outlook. But
much more often I think people become insecure by reasonably consulting
with people that they do trust and have good reason to trust, but about
matters for which the people they trust don’t have enough information
to form valid judgments. Those people aren’t being deliberately
deceptive, but they may well provide information or advice that is bad
through their ignorance. There is a subconscious component of this
too. We are likely to provide our trusted entities with just enough
information to form the opinions that we want them to form and thus
much like the random jaunt to the web forums for advice, you take back
the information that flatters you and affirms your pre-existing
judgments or at least makes making those judgments easier. Consultation
is never guaranteed to be effective but it is far more likely to be if
being based upon a shared information base that is similar in scope.
Also, disinterested advice is likely to be more helpful than those who
have self interests bound up with the matter of discussion.Perhaps the most obvious cause of insecurity in the inward cause.
People feel insecure about something when they doubt themselves. In
other words all trust networks have a subjective central node, a “you”
as it were. That node forges connections with other trusted entities.
If that node comes to distrust itself, then it will distrust the
connections it creates. It is like having your home computer with a
virus on it. You can’t really do anything with that computer until you
get rid of the virus, because every connection it makes, every image it
shows you, every avenue of communication you have with the computer is
untrustworthy. The computer has been compromised. You have to distrust
everything about it until the situation is rectified.So with ourselves. If we feel we are “compromised”, that is inherently
incapable of making trustworthy judgments, we will be distrustful of
others and feel insecure. Even if this arises later on, a person is
likely to start to doubt earlier trustworthy judgments not made while
“compromised”. One wonders about his or her inherent nature much like
you might wonder if your infected computer was ever really “secure” to
begin with. Maybe hackers were there messing with my stuff all along!
And it could be true of course, but that kind of self-distrust is
radically disruptive and dangerous.Tightly bound with this idea of self-doubt induced insecurity is the
idea of external-doubt induced insecurity. Recall what I said earlier,
people are likely to become more trustworthy when they feel trusted.
Sadly, the opposite is not an equal but a greater force. When you feel
that the entities you trust don’t trust you in return it will make you
question why that would be or how that could be and thus start to doubt
yourself and hence as a consequence you start to doubt your trust
network decisions and feel insecure.So those are some of the ways in which insecurity can arise I believe.
And of course in the real world, it’s never just one of those things…And when there is more than one, there is the possible and likelihood
of good old feedback loops that grow insecurities further and broader
than they were before. The simplest example, person A doesn’t trust
person B so person B doesn’t trust person A causing person A to trust
person B even less and so on. Worse, when person A starts to feel
insecure, person A might make insecure judgments about whom to trust
and then those untrustworthy entities could provide information that
increases person A’s insecurity. Person B might start to feel insecure
and that insecurity inhibits their ability to handle their work load
making person B feel even less secure. And so on and so forth.One of the biggest signs of a trust network starting to break down is
when entities start actively looking for hard evidence upon which to
base their pre-existing insecurities. Why? Because if and when data is
found, (and there’s almost always something to be found) it accelerates
the feedback mechanism. ie it will seem like the ultimate breach of
trust on all sides eroding whatever foundations remain within the trust
network. Businesses go through a very hard time when there are scandals
involving management investigating their employees directly. This
usually leads to pretty massive exoduses of employees who choose to go
elsewhere where they feel they will be more trusted. Only those
businesses that have a strong foundation of trust built upon many years
tend to avoid such a calamity.But there’s a much better example of trust-network collapse in the real
world than wire-tapping scandals. It’s what’s happening in the United
States as a whole after 9/11. Really I’ve never seen such a more
massive and swift trust breakdown amongst two larger groups. In the US
currently we live in an era of radical distrust for both our government
and our fellow citizens. The most “open” and “free” country in the
world is under the grips of what I can only call a kind pf mass
internal psychosis. There was a story on npr one day not long ago that
made me cry it was so indicative of this problem. It was describing a
kind of grotesque distortion of a political debate between two radical
members of the Left and the Right in a part of the world evenly
ideologically riven between the two groups. It was a kind of sick and
terrifying farce in that both sides virtually ignored each other,
catered to their respective crowds and there were no attempts
whatsoever of trying to gain any sense of shared understanding with the
other side. These people were neighbors living in the same country
under pretty much the same circumstances but as far as they were
concerned those neighbors had become “the enemy”. Trust was no longer
even an option. It is as if the trust network of the US is riven in
half along strict ideological lines.One way you can sort of see how this is happening is looking at the way
in which communication is occurring in the US. Politics has become
almost entirely about finding ways to attack and discredit your
political opposites. To that ends we are constantly investigating one
another trying to find that smoking gun that we generalize and prove
that “those people” don’t have our best interests at heart and that
“those people” can’t be trusted and are dangerous to be around. And we
find it. Again and again we find reasons to hate one another
solidifying our distrust. And all the while that insecurity we feel
increases. Our uncertainty about the future increases and we live in
perpetual doubt. Mark my words, we are heading toward a very bad place
politically if this current trend continues. Fortunately I do see signs
of it abating a little so only time will tell.This of course brings me to the heart of the idea of insecurity, the
true cause of causes, and it should be obvious what is by now since it
often serves the role as the true cause of causes of pretty much
everything I write about. Funny that. The human experience is driven by
such a few small but profound concepts that give rise to a plethora of
varied interesting ideas.Anyway, what is that cause? You guessed it. Fear.
Post 9/11 ideological rifts increased in the US not decreased. Why is
that? Because we’re afraid. Why do we distrust each other and
ourselves? Why do we do stupid things? Why do we think harmful
thoughts? Why do we live false lives and make dangerous decisions? Why
do we look outside ourselves for validation and support? Why do we take
everything so seriously? Because we are afraid. I’ll just leave it at
that.So alright then if we understand what insecurity is: a breach in a
network of trust. And we understand what causes it: fear. Can we say
something now about what stops it? What to do about it?The answer actually derives pretty directly from the analysis we’ve
already gone through. To heal insecurity, you build a network of trust.
And by that I mean actually a network on a lower level than the
trust-network between people. I mean to build a network of trust
between events and choices. One trustworthy act that implies or creates
another. One word of honesty that leads to another. Connections between
ideas and words and thoughts and actions. Trust here to feel more
confident about trust there and less fear of distrust elsewhere.It sounds so obvious that we must naturally think “oh that will never
work”. And it might not. Not all networks of trust can be reformed at
all. And some that are reformed are not reformed in the same way. The
new connections that take the place of the old severed ones might have
to go across different pathways. If there are any opportunities to
build those connections even at the smallest level than the possibility
of the elimination of insecurity exists no matter how destructive the
downward spiral of insecurity can seem. The answer to a downward spiral
is an upward spiral and such a spiral can only arise moment by moment
piece by piece. It’s never fast and can never be rushed. It’s a day by day kind of a thing.Some might question whether every breach of trust should be healed, and
there may be some good arguments that not all should. But I tend to
disagree. Security seems to me to always be better than insecurity and
it’s always beneficial to have some level of trust of others if at all
possible than none.Of course there is one other aspect of building security that I’d like
to touch on that people often forget to take into account. And that is
the sometimes inherent value of taking security risks.Again turning to the business world as an example, some companies come
to realize that they have to take considerable risks with their
security to be able to establish deeper long term security. The
simplest example is hiring students fresh out of school. For those, a
business has no record of that students trustworthiness in a business
setting to go by. They don’t have particularly relevant testimony to
base their decision upon. What’s more the very young are more likely to
leave and look for another job taking their knowledge with them.And yet if a company only hires people who have been in the industry
for a while that lack of risk taking can be extremely detrimental to a
companies long term chances of success. You need the influx of new and
fresh ideas that students bring and you need people who are young and
can learn quickly and be very adaptive.Another good example is when a company chooses to hire someone who is
known for being willing to break into computer networks for their own
gain as an expert to advise on securing the business. This probably
isn’t a big risk but it certainly can be perceived at one. Indeed in
general it would seem risky to hire anyone who has already proven that
they are smarter than you and willing to do things to your detriment
for their advantage. And yet, betimes this is the best thing you can
do. That expertise you won’t get anywhere else and to get the best work
you need the most intelligent people you can get. But each person you
hire is a risk.Amongst governments, security risks are essential too. Governments
often need to ally themselves with untrusted enemies in order to
achieve some ends. The enemy of my enemy is my friend and all that.Now how come taking big security risks can work out? Surely if you are
starting off with a foundation of distrust that would lead to spiraling
insecurities like the kind I’ve described above wouldn’t it? The
answer is, not necessarily. When you take a security risk, it often
means putting unfounded and even unjustified trust in an entity. And if
there has been any theme at all to this giant essay of random musings,
it is that trust yields trust and vice versa. So if you take a risk in
adding a node in a trust network to an entity that you might have good
reasons not to trust that node may eventually become a node worthy of
your trust and perhaps even one day your most trusted node of all. Of
course you tread cautiously in such matters.Actually, all initial connections are leaps of trust in this manner. We
rarely have any *good* reasons to trust anyone a priori. It’s just that at any
given moment in our lives we are so grounded in trust-networks that we
often find it difficult to distinguish to what extent we are making or
strengthening a connection on faith alone versus a connection on
reason.But what I am trying to say here is that both kinds of connections can
turn out to be valuable. Sometimes taking the greatest risks can prove
to yield the greatest benefit. Sadly though, we never know.
