Wednesday, March 05, 2008

Infrastructure Protection in the Ancient World

In preparation for my career as an Air Force intelligence officer, I earned a bachelor of science degree in history at the Air Force Academy. (Yes, not a bachelor of arts degree. Because of the number of core engineering, math and science classes -- 12 I think? -- the degree is "science". At a civilian school I would have qualified for a minor in engineering, so I was told.) I really enjoy history because anyone who takes a minute to look backwards realizes 1) nothing is new; 2) we are not smarter than our predecessors; and 3) we enjoy the same successes and suffer the same mistakes.

With this background you might expect me to like reading Michael Assante's paper Infrastructure Protection in the Ancient World. (The link points to a summary written for CSO magazine. You can learn a little more about Michael at INL employee to advise next U.S. president on cybersecurity.) I did indeed find the paper interesting because it compares the security of Roman aqueducts with the security of the modern electricity grid. I would have preferred a comparison of ancient water systems with modern water systems, but Michael is a former electric utility CSO.

This quote resonates with me:

By the time the Romans realized the real risks they faced it was far too late. Much like today, the consequences are not fathomable without a clearly demonstrated threat.

Those words remind me of my post Disaster Stories Help Envisage Risk.

I hope to read more of these sorts of comparative papers.

7 comments:

Keydet89 said...

Richard,

I can't tell you the number of times I've listened to someone attempt to quantify risk to a CxO by starting off with, "...a hacker could...". Ugh. Even with a demonstration by pen-testers or (please, God, end my suffering now) "ethical hackers", is this really enough, or does the CxO simply say, "well, of course you were able to gain access...we paid you tens of thousands of dollars to do so."

...the consequences are not fathomable without a clearly demonstrated threat.

Define "clearly". TJX? Probably not...how many organizations think, "Yeah, but that kind of thing happens to other people, not me"?

Unfortunately, "clearly demonstrated" does not come until someone has accessed your infrastructure, stolen your customer's data, and used it to commit fraud, ID theft, etc.

LonerVamp said...

Nice article, post, and comments. :)

This certainly resonates a few thoughts...

1) Would security exist without insecurity? Follow-up: Does that mean there really is no "winning" of the fight?

2) Security is still, ultimately, about economics, not about a priori security.

3) No matter what, we often are taken to being doom and gloom no matter what happens. Old technology is vulnerable and needs replaced? New technology may/will introduce vulns? To many, it really sounds like we may as well not do anything since the sky is always falling to us. :) This can cause inaction.

4) How often do we think about home security and being violated by a burglar? Compare that with how often people actually take action (spend time and money) to do something to prevent it. Now, compare that to the reaction people have after being violated, or if their immediate neighborhood is being victimized.

5) Do you fix something that isn't broken? And how do you define broken?

6) We have always made poor security risk decisions, but in the last 20 years, the world has fundamentally changed around us. The Internet and computer systems have made what were acceptable security risks of the past, hyper-efficient enough to challenge entire markets and mindsets. From info-sharing to affecting millions of people in minutes with little effort.


I do disagree in one of your history points above, Richard, but it might just be me looking at it differently. I do think we are smarter than our predecessors. Perhaps a better word for it might be more informed. We know things about physics and science and bacteria and chemistry that could only be postulated in the past (and everything else explained with superstition). We've built upon these truths and discoveries and have been able to move forward beyond.

John Ward said...

"History doesn't repeat itself, but it does rhyme" - Mark Twain

Anonymous said...

As I've remarked to my past, present, and soon to be future employers and clients "The winds of disaster fuel the fires that bring change."

LonerVamp said...

Go me! This is what I meant to say in #3 above:

"No matter what, we often are taken *as* being doom and gloom..."