If there is any doubt that complexity is out of control in the computing world (as it has forever been in biology, economics, ecology, etc.), think of the various types of computing specialists who are now focused on issues that were almost unheard of a decade ago. IT professionals now expend substantial resources detecting and cleaning virus and worm infections, patching operating systems and other software, modifying firewalls, updating virus detection software, updating spam filters, and so forth. There are computing epidemiologists who seek to identify new viral outbreaks before too much damage occurs. And there are computing pathologists who dissect new viruses and worms such as Stuxnet to see how they work. Is this not like the world of multicellular life, where small viruses and bacteria constantly vie for life’s energy and replicative power?
Civil engineers who create steel bridges have a saying that "rust never sleeps." The comparable maxim in computing ought to be that "complexity never sleeps." As computing professionals work to reduce complexity, all too often their efforts actually exacerbate it because the already complex systems are far beyond our comprehension.
Much of the runaway complexity is inherent in what we are
now asking computing systems to do: principally to participate in ever
more complex networks of machines. In addition to the increasingly
complicated human-controlled client PCs on the net, the Internet now
includes PDAs, cell phones, web cams, bar-code readers,
RFID sensors, credit-card readers, and microphones for VOIP telephony
Effectors such as digitally controlled pumps
and valves, traffic light controllers, music synthesizers, and all
manner of household appliances increasingly have web interfaces.
Software in one machine interacts, often in unforeseen ways, with
software in many other computers. And not all of that software is
benign. If a hacker hijacks your coffee-maker, you may be irritated,
but not threatened. If he hacks into your bedroom baby-cam or
the system that controls traffic lights between home and work, it goes
beyond irritation. If he hacks into the system that controls the pumps
and valves at a large oil refinery, chemical
plant, or nuclear power plant it can become a disaster. And if this
hacker works for a cyber-crime gang, or al Qaeda, or for an unfriendly
nation state, things get rapidly worse. Consider, for example, the July
2009 attack on national resources in the
US and South Korea (perhaps by a North
Korean cyber warfare group, or perhaps not). Or the recent US/Israel
Stuxnet virus attack on the centrifuges in the Iranian fuel enrichment
site at Natanz. The recently discovered "Flame" virus aimed at Iran and
other Middle East regimes is by far the most sophisticated virus yet.
Microsoft Update certificates and can install key loggers, turn on
microphones and cameras, sniff the local network, and much more.
Yet the complexity of the elements in the Internet (PCs, iPhones, routers, server farms, etc.), not to mention the complexity of their interactions, seems to provide an ever-growing smörgåsbord of unanticipated and unprotected opportunities for surprises. Unpatched Windows PCs, especially if IE is the browser, are easy marks for recruitment into bot-nets that exploit the weaknesses and complexity of the Internet for cyber crime and cyber warfare.
Truly, the network is the computer these days,
and that network is under attack. Researchers
at the Internet Storm Center estimate that, on average, an
unpatched Windows PC connected to the Internet will survive for about
20 minutes before it's compromised by malicious software.
Twenty minutes is less than the time it
takes to download and install the necessary patches to protect the
machine. Such attacks are accelerating dramatically.
Symantec claims that unique malware variants increased to 403 million
by the end of 2011. The capabilities and sophistication of
viruses and worms continues to evolve as well. A
worm discovered a few years ago “
install a ‘sniffer" seeking to use
infected computers to capture login and banking [account/password]
information from other computers on the same network. These days that
Researchers have discovered the possibility of viral
via flaws in the 802.11 wireless adapter driver that can
work even when the machine is not connected to the network.
Just because your wireless is enabled and looking for
a network could be enough. So, you can take your laptop
into a Starbucks and get infected before you sit down with
your coffee! "Out of Control" is an understatement.
It is tempting to believe that the only solution is to redouble our efforts to control complexity. True enough, we should continue to construct better engineering solutions to each problem: reduce complexity, create more perfect firewalls, and better structure the interactions between all computers under our control. But we must also understand that such measures are at best stopgaps. As Tahar Elgamal points out, “ The hard truth of network security is that while many approaches are good, no individual effort makes the network completely safe. Implement enough fixes, and you only succeed at making your network more complex and, hence, more ungovernable, with solutions that wind up acting at cross-purposes.” The same can be said for each of the other specialized tasks in managing complex computing systems.
To successfully improve the security of our computing systems, we will need to modify our systems at an architectural level. To that end, I suggest that we learn from complex biological systems. This website explores four organizing principles that have evolved in multicellular living systems.
Contact: sburbeck at mindspring.com
Last revised 6/9/2012