Maginot Lines
An old friend stopped by out of the blue this afternoon and we chatted. It’s been a tough year for socializing so I was grateful to see her. She gave birth at the peak of the lockdown restrictions in an isolated hospital ward and I wasn’t able to visit her and her husband in the traditional way. Zoom has its limitations. We’re just now coming out of the Covid era and it was good to see her in person again.
But there was a reason she was free today. Her employer’s computers all froze up and operations came to a complete halt. This is a healthcare company and suddenly all the patients’ records were inaccessible and the usual communications between people and equipment ceased. The day before was the conclusion of this non-profit operation’s annual fundraising campaign. No one in a position of authority would say what exactly happened, but it was pretty clearly a ransomware attack.
I mentioned this to my next-door neighbor who works at a university medical lab doing clinical trials and he said his systems were similarly compromised three weeks ago. Again, no one at the top said anything specifically, but it's widely believed that the hospital paid the ransom. Evidently establishments have insurance against such things these days. That got me wondering how many places are experiencing these attacks that we just don't know about.
Another friend who does high-level security for a prominent tech company here in San Francisco says everyone will eventually be forced to migrate their operations to one of a handful of very large certified operations like Amazon, Microsoft, or Google that has the staff and technical ability (people like her) to fend off these attacks. She also explained that each of these enormous systems backs up their operations on each other's equipment for multiple redundancy in case one fails. This transition to centralized infrastructure is likely to be forced on everyone not just by government regulators, but by insurance company mandates and inter-company negotiations as a prerequisite for doing business.
This level of uniformity and centralization is both good and bad. It means small and medium attacks will be managed much more effectively. But it also suggests that we're putting all our eggs in a handful of giant baskets that are ripe for more sophisticated disruption on a massive scale.
That got my tech friend and me talking about the difference between complicated systems and complex systems. A complicated system is linear in nature and requires lots of detailed processes and procedures to be strictly followed so as to guarantee a good outcome. That’s what she does at her company. But a complex system is amorphous, random, and unpredictable. Erratic complexity can overwhelm a complicated arrangement if the disruption isn’t sufficiently anticipated in advance. Geeks will go down a rabbit hole of computer coding minutiae to resolve one kind of threat, but be oblivious to the risks of something unrelated to their field.
I can imagine any number of actors remotely pulling the plug on some obscure segment of America's delicate systems as part of an asymmetrical attack. Those aircraft carriers in the Persian Gulf or South China Sea and nuclear submarines in the Arctic might not be as effective as we think if the lights suddenly go out back home. I’m told by people in a position to know that this sort of thing can “never happen” because there are safety protocols in place. But I’m not convinced. It all feels a bit like a new Maginot Line.