Security & society: please answer me one simple question

Just back from an IBM “deep dive” into the deep and vexed question of security and society. IBM makes a considerable effort with these, inviting a couple of dozen external people to each of a series of eight events looking at trillion dollar questions with wide social and geographic impact. This is a demanding task, rigorously cross-disciplinary, and ideally needing government input. To work, it needs corporate participants to have gone through some sort of Cluetrain Manifesto metamorphosis (ie to speak in a natural voice not a corporate one) plus a dynamic and energising process and environment (as I write these very words our facilitator joins me in the Tegel Business lounge, we get into good conversation and I nearly miss my plane).

I think my reflections are of three sorts:

- how we approach the exam topic: security and society (see below)
- IBM culture and the culture of security (to follow here)
- the heart of Berlin, what it means and how it has changed (to follow on personal blog)

We met in the very plush Hotel Adlon in Berlin, the reconstructed bombed-out 1920s building on a site by the Brandenburg Gate that lay between East and West, next to the Holocaust memorial, and heavily fortified British and US Embassies.

Parts of the conversation I was frankly uncomfortable with; I’m sure I contributed a fair measure of discomfort. That’s probably no bad thing. I sensed, perhaps unfairly, that we had to fight a “shallow-dive” instinct to look for rich clients with branded security problems to which solutions could profitably be applied. There were hushed conversations about the eye-watering growth in markets for automated analysis of surveillance output and guileless suggestions about how we could derive extra revenues by extracting marketing data from security cameras in shopping malls.

Security people have to be matter-of-fact about unpleasant things. They take refuge in euphemisms, and label or brand their enemies so the threat is more clearly defined. But sometimes they seem hard-wired with dangerously wrong assumptions. We heard that only 2000 people had been “affected” by the World Trade Centre attack, and that we have yet to see the results when something “really significant” happens. In this Weltauffassung ”AQ” is the mainspring of our thinking; the driving business need against which we sell products and services. But...but...but...2000 people were killed in New York; literally millions have been directly “affected”. Meanwhile what has happened in the Congo, Iraq and elsewhere - Katrina, tsunami - is already “really significant”. Hey, there are food riots in six countries as we speak: is that not significant?

Let’s not have a world in which dangerous fringe religious fanatics set priorities for us. Let’s think harder, set our own priorities, and act to pre-empt less enlightened people.

There’s a sense of “our” security. But who are “they”? Who are we frightened of? Why are they scared of us? Aren’t we all in this together?

My alternate reading list for Berlin started with Oxford Research Group’s analysis of the greatest causes of global and regional instability and large-scale loss of life. The top four are:
- Climate change
- Competition over resources
- Marginalisation of the majority world
- Global militarisation

Terrorism - by AQ or anyone else - is terrible, and criminal. But ORG’s evidence does not place it among the top four threats. ORG goes on to argue that our responses to these threats fall broadly into two sorts (tho I note the argument of the radiantly expectant Prof Sadie Creese that these are interrelated):

1. control paradigm – an attempt to maintain the status quo through military means and control insecurity without addressing the root causes, or
2. sustainable security - cooperatively resolve the root causes of those threats using the most effective means available

Note: don’t call the second option “soft”. There’s nothing soft at all about hardcore pacificts. Pulling triggers is easy. Putting up walls or CCTV is easy. Love is hard.

So, my question, which I sought several times without success to have asked, is this:

What is the proportion of our resources (time, money, people, effort, thinking, innovation, technology) we currently put into the first sort of security vs the second? And if we were being entirely rational and evidence-based about the risks we face and the realistic possibilities of our actions having any effect on them, what proportion would we put into the first, and what into the second?

I wasn’t able to persuade the organisers to put this question to the group on the day. So I’ll try now, after the event, to do so alongside the group thank-you emails that are going round. Glad of your comments. Just click “comments” if you’re not already on the comments page, cut the bit below, paste it & complete the percentages (50:50, 80:20, 100:0 or whatever) below:

% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today ---%
Sustainable security today ---%

...that rationally we should invest (once we’e thought about it and considred the evidence) in
Control paradigm ---%
Sustainable security ---%

(Answers are impressionistic. “We” can mean you, your company, country, or the world - it doesnt matter which)

Published by William Heath on 17/04/08 at 9:24am

Comments

Control paradigm today 95%
Sustainable security today 5%

...that rationally we should invest (once we’e thought about it and considred the evidence) in
Control paradigm 40%
Sustainable security 60%

Reply by Joe Sample on 04/17/08 at 11:28 am
As ever, Schneier is totally on the money on this stuff. Take a look at http://www.schneier.com/book-beyondfear.html

The problem is partially that control activities are more visible, more voteworthy, and *feel* more like action than sustainable activities.

Reply by Stefan Magdalinski on 04/17/08 at 12:01 pm
Control paradigm today 99%
Sustainable security today 1%

...that rationally we should invest (once we’ve thought about it and considered the evidence) in

Control paradigm 10%
Sustainable security 90%

Reply by Simon Banton on 04/17/08 at 12:45 pm
Philip Virgo writes
================================
Control Paradigm Today - 99%
Sustainable Security - 1%

Control Paradigm - 10%
Sustainable Security - 90%

The control paradigm fails because it alienates the majority of the population by focussing on protecting the ruling elite (political, military, economic). It may make arms and surveillance salesmen rich but also fuels the “revolution” it is intended to prevent.

However, the dichotomy is false.

Sustainable security (Calvert style as practised in Malaya in the early 1950s) is also the best control paradigm.

Go into the jungle (inner city, political and religious websites et al)and isolate (intellectually, socially, emotionally etc.)the men of violence.

And as Calvert found, sex is a more effective weapon than guns, surveillance or propaganda.

It is the girlfiends, sisters, wives and mothers who will wean the majority of adolescent fighters away from the misogynist puritans who create and police the world’s terrorist groups - leaving only the rump of the paranoid and psychophic to be hunted down and removed.

But turn that argument round 180 degrees and you can see why the application of Calvert’s doctrines is so unpopular with the gerontocraries that rule most of the wotld.

Reply by on 04/17/08 at 12:49 pm
I’m reminded of a time early in my career, when computers were (only) mainframes, holding super-confidential information on behalf of our clients. Many of our clients were surprised at what they perceived as the lack of ‘tough’ security at our data centre, which they would like to have seen surrounded by barbed wire, electric fences and guard dogs (as indeed was the fashion at the time).

Our philosophy (which I believe still to be right) was to assume that regardless of external physical measures, anyone determined would manage to get into the data centre “Just say, ‘Im from IBM, here to fix ....’ and you’ll get there. Instead, we put all our resources into the software environment, to ensure that even if someone had complete access to the mainframe, they wouldn’t be able to access secure client data… and the data itself was fragmented in physical ways which no single individual, even in our company, could put together.

So, my answer to the question is (re future investment):

I suspect current practice is 90% on control, 10% on sustainable, but going forward, should be reversed:

5% on the control paradigm (mainly to give everyone a bit of visible comfort that we’re thinking about it); 95% on sustainable security measures.

Assume the bad guys can gain access, get all the tools they need, and make whatever plans they wish… we’ll NEVER be able to stop any of that. What we have to do is work out quickly how to detect the threats, and second (longer term) try at least cut down the inclination to do these terrible things.

Reply by Fred Perkins on 04/17/08 at 1:11 pm
Robin writes to say:
I’m limited to email access via my phone bu the mo, so can’t follow the link. . But wonder whether fixing the symptoms - repeatedly - might be most attractive to a large professional services firm. . . .

Reply by on 04/17/08 at 6:54 pm
Control paradigm today 90%
Sustainable security today 10%

...that rationally we should invest (once we’e thought about it and considred the evidence) in
Control paradigm 20%
Sustainable security 80%

Great posts and good points above. Very important issue.

Reply by Lee Bryant on 04/18/08 at 10:10 am
Ben writes
Control paradigm today [95]%
Sustainable security today[___5__]%

...that rationally we should invest (once we’e thought about it and considred the evidence) in
Control paradigm [___50__]%
Sustainable security [_50____]%

Reply by on 04/18/08 at 11:53 pm
This is a tough question with a lot of nuance.

Comment 4 from Philip Virgo drawing on the experience in Malaysia is very good.

It reminded me of the 2002 International Conference of Data Protection & Privacy Commissioners in Cardiff, on 11 September 2002 (ie exactly 1 year on). Over a subdued lunch that coincided with a televised memorial service at New York’s ‘Ground Zero’, we hear a remarkable speech from a retired Royal Navy officer and recent member of the ‘D Notice’ committee (which seeks to prevent publication of national secrets).

He gently brought to attention the range of recent violence, especially in Europe, making particular mention of Bader-Meinhoff, Red Brigades, Northern Ireland, Basque country etc as well as South Africa.

Then he gently reminded us of how difficult it was to define ‘terrorism’ and noted that a huge proportion of the ‘terrorism’ in Northern Ireland had been funded out of the United States over many decades by people who thought they were helping a righteous cause.

If I remember correctly, he also noted how Nelson Mandela had been transformed from terrorist to an individual of the highest standing.

He went on to make the point that the transformation in Northern Ireland, already becoming publicly obvious even if it was formalised some years later, was due to 2 things:

1. Rotting the fish from the head down - infiltration of the warring parties, finding the leaders perpetrating the violence & dealing with them directly in a number of ways. Some of this involved fighting violence with violence, but used the conceptual equivalent of the stiletto rather than the machete.

2. Getting to the underlying causes, including generating economic recovery.

On this basis & interpreting the ‘we’ as global effort (which means we have to add in such things as the cooperative and ‘soft’ support we give each other, the ‘bobby on the beat’ neighbourhood support, open source approaches to security etc, etc) here are my suggested responses:

Control Paradigm Today - 60%
Sustainable Security - 40%

Control Paradigm Preferred - 40%
Sustainable Security - 60%

Reply by Malcolm Crompton on 04/19/08 at 3:08 am
Gosh, William, this is a biggie, possibly THE BIGGIE!

The contrast between actual and preferable proportions is very clear, but much less so is the journey we—all people, races, religions, nations, politics, customs, cultures…—MUST take to get from now to then.

At the root of all this is an action that might seem utterly logical and appropriate to the actor at the time (consider access to clean drinking water), which provokes a reaction by another actor, based on equally rational thinking (hey, don’t dam the river!)

I’m thinking that some of the approaches described in Freakonomics—http://freakonomicsbook.com/thebook/index.html—might stimulate further thought void(0);

Reply by on 04/19/08 at 6:19 am
My friend maria writes from Cairo
100 percent control paradigm, at least around here.
Also, this has been going on for so long (27 yrs martial law) that there is no alternative, no thinking pp in power to alter the paradigm. When it collapses, therefore, what can we expect? Another total control paradign, only in someone else’s hands. Use of force does not/cannot create new conditions, cannot resolve anything. It is just, plain lowest common denominator dumb.

Reply by on 04/19/08 at 8:50 am
Jim writes (thinking on UK national level)
...that we currently invest in
Control paradigm today [95]%
Sustainable security today[5]%

...that rationally we should invest (once we’e thought about it and
considered the evidence) in
Control paradigm [50]%
Sustainable security [50]%

Reply by on 04/19/08 at 8:52 am
Paul writes
Part of the difficulty is really knowing what the question means. It is
clearly trying to guide you towards giving 90 or 100% to sustainable
security, so I have rebelled (slightly!).

Paul

% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today [___90__]%
Sustainable security today[____10_]%

...that rationally we should invest (once we’e thought about it and
considred the evidence) in Control paradigm [___70__]% Sustainable
security [___30__]%

Reply by on 04/19/08 at 8:54 am
Mike writes to say
Questions below seem to me to be very heavily loaded in favour of 2) and I’m sure responses will reflect this! I gladly fall into line, prefering smart policies to dumb ones However, I imagine the defenders of control paradigm 1) would say, root causes are all very well, but the amount of firefighting we have to do is determined by the number of fires out there…

...to which proponents of 2) would say, if the bath’s overflowing, you can focus all your resources on mopping up - or you can try and turn the tap off....
...amd also to invite me to a meatfest. I wonder what the Kurds in the Best Mangal would say about this?
Reply by on 04/19/08 at 9:16 am
My friend Mike (whom IBM really ought to engage for it’s long-term strategic planning) suggests a rephrase of the question
You could describe control paradigm in terms close to the ones it would use for itself, e.g.:

Control paradigm - we need to protect our citizens and close down the options for terrorists wishing to grab headlines by harming them

(They’re not saying ‘don’t address the root causes’, that’s just not what *they* do)

This makes the choice a little fairer - do we actually want to compromise 1) for 2)?

Reply by on 04/19/08 at 9:33 am
Henry P. writes
% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today [_70____]%
Sustainable security today[_20-30____]%

...that rationally we should invest (once we’e thought about it and
considred the evidence) in
Control paradigm [_35___]%
Sustainable security [_65____]%

Reply by on 04/19/08 at 6:17 pm
JJ adds in email
% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today [_____95]%
Sustainable security today[_____5]%

...that rationally we should invest (once we’e thought about it and
considered the evidence) in
Control paradigm [_____15]%
Sustainable security [____85]%

Reply by on 04/20/08 at 4:11 pm
David Price writes
A really interesting question—and to be provocative I want to suggest a different perspective.

Defence spending in the UK is currently around 2.5% of GDP—having fallen steeply from 25% in the early 50s and hovering above 10% from the early 70s to the early 90s. Cleary, there’s more to the Control Paradigm than defence expenditure—indeed, there’s more to defence expenditure than is expressed in the defence expenditure figures—but, nonetheless, it would appear that
the majority of expenditure occurs outside the Control Paradigm.

Again to be provocative, you might argue that the majority of expenditure outside the Control Paradigm expresses our current Sustainable Security strategy (centred, as it is at the moment, around economic growth and stronger economic interrelationships).

From this perspective, the challenge ahead is less about re-aligning the balance of expenditure between the Control Paradigm and Sustainable
Security, and more about redefining our conceptual model of Sustainable Security at a time when facets of the current sustainable strategy appear to be fuelling rather than damping down emerging security threats.

Furthermore, the Control Paradigm and Sustainable Security strategies co-exist because our Sustainable Security strategies are imperfect (all of the time) and break down (some of the time)—and the transition between Sustainable Security strategies is often uncertain at best and traumatic at worst.

So to be provocative: I suggest that the balance between the Control Paradigm and Sustainable Security strategies tends towards 20:80—and that the key issue is not the balance per se, but ensuring that each strategy is specified, implemented and updated as efficiently and effectively as possible.

Reply by on 04/20/08 at 8:26 pm
Steve writes to say
Could I also propose a third category - Bruce Schneier’s ‘Security Theatre’ - where you look as if you’re doing something, but what you do has little impact either on the effects of insecurity or the root cause.

I’d suggest percentages are about 50% theatre, 40% control, 10% sustainable; where rationally it would be 0% 30% 70% (you may need to do control so that you buy time for the sustainable to work).

Reply by on 04/20/08 at 10:22 pm
Stefan writes to say
I am tempted to be a bit contrarian here, partly because of the way the question is posed.

Even in our current world, the control paradigm is a small part of how we live our lives. My security in walking down the street comes only in small part from control, much more from social norms. It is itself part of the problem that security is taken to be synonymous with the control paradigm, which leads to the backward logic that security is increased by increasing control, of which argument airports have become the reductio ad absurdum. But most of our lives are not in airport mode. I sit happily with complete strangers in buses and restaurants without having searched their bags or their persons. I started buying things online ten years ago or more, my bank account is unmolested and my identity remains my own.

That’s no reason for a panglossian refusal to see what is going on in the world, still less to generalise from a comfortable middle class British perspective. There are without any doubt real threats which require a control paradigm response (at least in the short term, say a generation or two). It is though a reason for refusing to accept an unshaded, manichaean view of the world.

And so to the answers, where ‘we’ is all of us, doing the things we do:

% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today [___5__]%
Sustainable security today[__95___]%

...that rationally we should invest (once we’e thought about it and considred the evidence) in
Control paradigm [__3___]%
Sustainable security [_97____]%

And if that looks unambitious, that shift would represent a 40% reduction in control focus.

Reply by on 04/21/08 at 8:01 am
It is pretty clear to me that the two modes and mindsets of security planning are interdependent. If one is heavily invested in the former, it indicates they have failed in the latter.

I will answer: Control 50% - Sustainable 50%

Hopefully the balance will shift in favor of sustainable dialog. Regardless, control is not a substitute for diplomacy, and effort towards sustainable security measures should be -increased- as an adjunct to military commitment, in such a way as to maintain this balance when investment in the former is necessary.

Reply by Tim on 04/21/08 at 10:42 am
Picking up on a couple of the points made by others, I think the time dimension is critical here. The challenge is how to move away from immediate responsive (tends to equal control paradigm) security to longer term sustainable ways of being secure as a by-product of how we do everything else.

So a control based immediate response to 9/11 was the right one (whether it was the right control based response doesn’t matter in this context). The bit that’s missing is the challenge to ourselves of how and over what time period we move back away from the control paradigm to the social paradigm. What will have to be different in the world before we can keep our shoes and shampoo intact when getting on our plane? Who has the objective of managing the journey back along the continuum?

That’s an easy and obvious example. The more general - and more difficult - point is that the analysis of the balance and the trade off has to be dynamic rather than static.

Reply by Stefan on 04/21/08 at 12:56 pm
Anna B writes to say
% of our time/money/resources/innovation effort…
----------------------------
...that we currently invest in
Control paradigm today [___70__]%
Sustainable security today[_30____]%

...that rationally we should invest (once we’e thought about it and
considred the evidence) in
Control paradigm [___40__]%
Sustainable security [__60___]%

Reply by on 04/23/08 at 12:20 pm
...and Charles L writes to say
% of our time/money/resources/innovation effort.
----------------------------
...that we currently invest in
Control paradigm today [_55__]%
Sustainable security today[_45___]%

...that rationally we should invest (once we’e thought about it and
considered the evidence) in
Control paradigm [__5___]%
Sustainable security [__95___]%

Reply by on 04/23/08 at 12:21 pm

Next entry: Anthropologists baffled by onanistic totem

Previous entry: Does this InfoCards press release qualify PR person Kersti as a possible IdealGov author?

Ideal Government

Let's say what we want from e-enabled government. Let's observe government first-hand. Let's say "Wouldn't It Be Better If" (WIBBI). Become an ethnographer of bureaucracy today! It beats getting frustrated with public services.

Comment

Anyone is free to comment. Or mail with an article if you want to be an author. I'll post it up and send you a password. This whole thing is supported by Kable.

Authors

Member List

Sign up for new articles

Security & society: please answer me one simple question

Comments

Ideal Government

Categories

Comment

Authors

Sign up for new articles

Copyright

Designed by...

Statistics

Security & society: please answer me one simple question

Comments

Ideal Government

Categories

Comment

Sponsor

Authors

Sign up for new articles

Copyright

Designed by...

Statistics