When Chaotic Systems Collide: The Dance Between Biology and Cybersecurity
Sam Curry is a member of the Cyber Resilience Think Tank, and a guest writer for Cyber Resilience Insights.
Author Yuval Noah Harrari in Sapiens highlights an important distinction between types of chaotic systems: first order systems can be extremely complex and adaptive and hard to predict, but there is no intelligence in the system. For instance, meteorology is a first order chaotic system where a hurricane is a threat; another example might be biology where a virus is a threat. In neither case does the threat pause, analyze and choose a path based on your behavior to take shelter or to quarantine a population.
Chaos Systems Explained
By contrast, second order chaos systems like economies where the threat is a competitor or perhaps human populations where criminals are the threat have this intelligent, malicious adaptation. In other words, the most scary opponents we can imagine remain Human beings with motivation, resources and opportunity.
Cybersecurity is a second order chaos system. No matter what you do to predict behavior, there’s a chance that the measures you take will be intelligently outmaneuvered. This is more than mutation and adaptation, it is the ghost in the machine that is thinking, stalking and continuously improving and developing.
Right now we have the collision of two chaotic systems on one another in-and-around cybersecurity: we have the novel coronavirus as first order chaos, a biological system forcing us to change our Human behavior as we shelter-in-place and practice social and physical distance discipline. This is changing the landscape and behaviors, the norms of Human interaction and the vulnerability topography in ways that directly impact a second order chaos system: the interplay of Humans in attack or defense.
Switching metaphors, we are like a population of crabs where some percentage of us is always moulting seasonally: when crabs grow they shed their exoskeleton and become vulnerable for a while they grow a new exoskeleton. I am not an expert at all in the moulting of crabs, but still: imagine a moment when hard-shelled crabs on the beach suddenly, out of their normal cycles, jettison their exoskeletons. Maybe it’s pollution, solar flares or some other natural phenomenon, but predators at that point will circle and start to pick off targets of opportunity.
Regardless of the cause, a first order chaos system is impacting a population and a second order chaos system responds. In some ways this is directly analogous to what is happening in the workforce right now: we have all effectively switched to work from home, and many of us are on machines we never used for work, are using a brand new system or even using the computer we have always used but will be faced with the feeding frenzy of the predators in the online ecosystem.
Don't Panic, We Can Mitigate Damage Through Cyber Resilience
However, we shouldn’t panic. Tracking the natural system that triggered the situation is critical as a first order of business. However, the predators don’t immediately and perfectly exploit these new vulnerabilities. They move to the choicest targets, use the techniques they already have ready and seek the low hanging fruit first. This is good to some degree because it means we know to protect the low hanging fruit and start to plan for covering progressively smaller risks, mitigating damage and moving.
We don’t have to move to cover it all immediately and we don’t even have to be faster than the person next to us, as many are fond of claiming. While there is some truth in that, this is where the most important virtue of security can come to the forefront: your rate of improvement. This is the single biggest advantage of a security program. How you improve the practice of cybersecurity is the competitive advantage in cyberconflict, not just being harder to hack than your neighbour or achieving a perfect score in an audit (like that ever happens!).
So as we work from home and adapt, remember the basics and work on your first derivative and second derivatives: your rate of improvement and how that is improving. Enumerate your risks, limit scope of breaches, ensure anti-fragility and resilience, monitor and improve intel, lean in on detection and get good at whittling away the risk in your registry that you keep fresh. After all, the biggest problem in security remains alignment to the business and having a dialog with the business in a time of crisis, when there’s existential panic in a clear way; taking acceptable risk for acceptable return is the key. You can do anything; you just can’t do everything.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly