Monthly Archives: September 2004

Force is not Security

In his book Linked, Albert-László Barabási (ALB) remarks:

“Real networks are not static, as all graph theoretical models were until recently. Instead growth plays a key role in shaping their topology. They are not as centralized as a star network is. Rather, there is a hierarchy of hubs that keep these networks together, a heavily connected node closely followed by several less connected ones, trailed by dozens of even smaller nodes. No central node sits in the middle of the spider web, controlling and monitoring every link and node. There is no single node whose removal could break the web. A scale-free network is a web without a spider.”

This is not news to those of us who were involved in USENET. For example, I ran ut-sally, which was the second node in traffic behind seismo. And there were many other nodes of varying degrees of connectivity and traffic. The most connected node also changed from time to time; earlier it was decvax, and then ihnp4.

ALB goes on to refer to Valdis Krebs’ topological examination of the 9/11 hijackers’ network, which indicated that even if the most connected person involved had been apprehended, the rest could probably have proceeded. ALB generalizes the point, noting that terrorist networks are themselves organized similarly.

John Robb has taken this idea further in his Global Guerrillas blog, in which he examines in depth how such organizations thrive by decentralized funding and communications.

Force alone will not stop such organizations. This is not to say we can eschew force; in the best of all possible worlds that might be possible, but not in this one. Yet something else is also needed.

The solution is not as simple as McNamara thought when he left the U.S. government to join the World Bank; poverty alone is not the cause of terrorism, and wealth alone is not the solution, nor is lack of education the problem. Most of the 9/11 hijackers were not poor, and most suicide bombers are relatively highly educated by local standards. Nor are terrorism or suicide attacks unique to Islam; the only organization in the world to kill two heads of state (Indira Gandhi and Rajiv Gandhi) with suicide attacks is the Tamil Tigers, whose members tend to be Hindu.

There is a common cause of suicide attacks, according to a recent article in New Scientist:

“The decision to engage in suicide terrorism is political and strategic, Pape says. What is more, the aim is always the same: to coerce a government, through force of popular opinion (apart from a few isolated cases, modern suicide terrorism has only ever been used against democracies), to withdraw from territory the group considers its homeland.”
“The making of a suicide bomber,” by Michael Bond
and editorial from New Scientist vol 182 issue 2447.

This might indicate two ways of dealing with that particular problem: withdraw from the territory the terrorists consider occupied, or change one’s government to something other than a democracy. Not only do those options not seem terribly attractive, but suicide terrorism is only one form of terrorism, and withdrawal isn’t the only demand of, for example, Al Qaeda.

ALB proposes eliminating the “underlying social, economic, and political roots that fuel the network’s growth.” And to offer “a chance to belong to more constructive and meaningful webs.”

Here’s another view on that:

“In the past few years, something has gone wrong in the broader relationship between the so-called West and the countries of the Arab and Muslim world. Distrust, recriminations and resentment have mounted. Minor misunderstandings or disagreements have taken on highly symbolic importance and fed the cycle of suspicion.”

“More dialogue per se may not guarantee better relations, but it can help and would at least reduce the barriers of ignorance. Thus we need a dramatic expansion of scholarship programmes and workplace exchange schemes so that more people know about life on the other side. Europe has been transformed through political and market integration, driven by supranational institutions. But the most successful EU programme has been the Erasmus scheme, which gives tens of thousands of students the chance to do part of their university degree in another EU country. Similar schemes also operate for professors and other categories of workers. Together with low-cost airlines, they have probably done more for European unity than the deadweight of the common agricultural policy. We need a similar scheme to link educational establishments in the West to those of the Arab and Muslim world. And, why not, we must also explore the possibilities of introducing low cost air travel on routes to and from the Middle East. There is no reason, other than politically inspired protectionism, why a ticket from London to Beirut or Jeddah should cost twice as much as one to New York. The overwhelming evidence suggests that if people are exposed to more factual information and different experiences, they moderate their views and factor in greater complexity. We may still differ on many things, but at least we should get the facts straight.”
“Why We Do not Get On? And What to Do About It?” by Dr. Steven Everts, Al-Hayat 2004/09/25

And of course the Marshall Plan and the Eurail Pass have probably had an effect on U.S.-European relations because they involved many Americans and Europeans interacting.

Sometimes you have to fight force with force, but that alone only leads to more fights. The best way to fix a broken world network may not be to break it further. Better may be to make it more connected.

As McNamara said in 1966:

“The decisive factor for a powerful nation already adequately armed is the character of its relationships with the world.”

How do we get more nations to put that into practice?


Time for a de facto electronic mail authentication system?

David Berlind of ZDNet News says in “Catastrophic Loss for unencumbered Standards” that the IETF working group on the most promising mail authentication system has been shut down because of technical and business differences among its participants; in addition, it seems Microsoft is trying to patent the solution the working group was working on.

That leaves Meng Weng Wong’s Sender Policy Framework (SPF) as the main non-proprietary solution in this space, not to mention the most widely adopted.

Berlind calls for the Internet mail industry to follow the precedent of the financial industry, in which the principal vendors banded together and set a de facto standard for Electronic Funds Transfer (EFT).

One of the most likely groups to do this has been meeting in DC yesterday and today: the Anti-Phishing Working Group. Both Meng Weng and someone from Microsoft are there, as well as representatives from many well-known Internet security companies and many companies affected by phishing and spam.

I don’t see an industry-wide standard coming out of this meeting, but there are more meetings planned in short order….


PS: Thanks to Bruce Sterling for blogging about Berlind’s article.

Internet2 This Week

I’m heading down to the Internet2 conference, which is in Austin this week. They invited me to be on a panel tomorrow titled “Can we get ahead of the Crackers?”

My answer is: yes, if we leverage technology with collective action. After all, force majeure events are aggregated; they affect multiple organizations. So strategies to pool risk across and beyond the pool of affected enterprises. This is what insurance does, and there are financial and other risk management strategies beyond that.

The panel will be webcast.


Reliability more important than Price in ISP selection

According to a recent survey by In-Stat/MDR,

  • “Seventy-three percent of respondents said service quality/reliability was the most important criteria in selecting an Internet service provider.
  • “Sixty-nine percent selected price.
  • “Twenty-one percent of respondents selected company reputation, knowledgeable customer service staff, and availability at multiple locations/national footprint.”

It seems that performance and reliability have moved ahead of price in picking ISPs, and availability, reach, and topology are also significant criteria. Apparently Scott Bradner has been right all these years he’s been saying that ISPs need to have a business model beyond price competition.

Given this situation, it would also seem that an ISP with a risk management plan would have a competitive edge.


What’s a cat bond?

Commenting on the previous post, Adam wants to know:

“But…but…what is a cat bond? How does it work? When does it pay? Does it have coupons? Who gets what risk with them?”

Fair enough.

Cat bond is short for catastrophe bond. A cat bond is somewhat like a municipal bond, except if the catastrophe occurs, the principal goes away to deal with the catastrophe.

Why would anyone buy a bond that could vanish? The principal of almost any investment could disappear, as many of us who invested in stocks in the late 1990s can attest. Even a municipal bond can be downgraded and thus lose value. And while the precise time of occurrence of a catastrophe such as an earthquake, hurricane, flood, or wildfire may not be predictable, the probability of its occurrence during, e.g., a ten year period is usually fairly well known, and not as susceptible to politics or market fads as some other investments. At the least, the risk of loss of principal of a catastrophe bond is not strongly correlated with risk of loss of principal of other investments.

And catastrophe bonds typically pay a higher percentage than other bonds.

Who buys them? Usually not individuals; rather, reinsurers, insurers, commercial banks, hedge funds, and investment advisors.

Who issues them? Financial houses, insurance companies, and hedge funds.

Why? To increase the pool of available capital to cover large risks.

For example? Packages of credit card debts, mortgages, or automobile loans. Force majeure events such as earthquakes, floods, and hurricanes.

The application of cat bonds to Internet force majeure events seems straightforward. Except, of course, that probability matrices are needed to write them.

Is that what you wanted to know, Adam?


WSJ on cat bonds

Hurricane Ivan has prompted the Wall Street Journal to publish an article about catastrophe bonds:

“Cat bonds first began to appear in the 1990s after insurers and reinsurers suffered financially from storms such as Hurricane Andrew that struck Florida in 1992 and the Northridge Earthquake that hit California in 1994. From 1989 to 1995, total insured property losses in the U.S. were $75 billion, 50% more than the property losses from the prior 40 years, according to Standard & Poor’s.”

They omit from the history lesson that cat bonds weren’t actually issued for earthquakes at that point because Warren Buffett had one of his companies issue insurance policies. Cat bonds did catch on, though:

“Reinsurance giant Swiss Re, for example, is a major issuer of catastrophe bonds. A year ago, under its Arbor program, Swiss Re issued six catastrophe bonds with four-year maturities and total protection for Swiss Re of $205 million.”
“Investors Who Bet On Storms, Disasters Gauge Trade Winds,”
September 13, 2004

Still, nobody is as yet issuing cat bonds for Internet outages, even though a single Internet worm could cost more than all three of Hurricanes Charley, Frances, and Ivan combined.


Ivan Meets Caymans

On Sunday 12 Sept 2004, Hurricane Ivan damaged the undersea cable that connects the Cayman Islands to Florida, disconnecting Cable & Wireless’ Internet connection to the Caymans, as illustrated in the animation.

Despite early news saying that Jamaica was also cut off, the same animation shows Jamaica connected all day. This is because the Jamaican node shown is on a different ISP and apparently a different undersea connection.

Observing the Internet directly can provide more information about some things than asking ISPs one by one.


Against the Gods

Some of you may have noticed this book over in the reading list:

Peter L. Bernstein: Against the Gods: The Remarkable Story of Risk

It’s an enjoyable context book, telling how modern probabilities developed out of gambling, how Lloyd’s grew out of a coffeehouse, etc. I recommend it.


Congressional recommendations for Internet security

Previously I mentioned Government mandates in networking and security.

Here’s a Congressional subcommittee working on government recommendations in Internet security:

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
chaired by Adam H. Putnam of Florida, part of Rep. Tom Davis’ Committee on Government Reform.

Back in June, Rep. Putnam remarked:

“Make no mistake. The threat is serious. The vulnerabilities are extensive. And the time for action is now.”

So far, Putnam’s subcommittee has been collecting information and testimony. However, he may go farther:

“Rep. Adam Putnam (R-Fla.) last fall drafted the Corporate Information Security Accountability Act of 2003, which would require companies to button down their information systems. The bill has not yet gone before the House of Representatives, but many of the proposals in Putnam’s draft as well as other recommendations are being batted about in a working group created by the subcommittee Putnam chairs, the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

In the name of protecting national infrastructure, you may be asked to conduct annual security audits, produce an inventory of key assets and their vulnerabilities, carry cybersecurity insurance and even have your security measures verified by independent third parties, if the core features of the proposed legislation make it to the floor of the House.”

So far, this appears to stop short of mandating technology, sticking instead to best practices. We’ll see.