We Are All Intelligence Officers Now

Good morning. Thank you for the invitation to speak with you today, which, let me be clear, is me speaking for myself, not for anyone or anything else. As you know, I work the cyber security trade, that is to say that my occupation is cyber security. Note that I said "occupation" rather than "profession." Last September, the U.S. National Academy of Sciences concluded that cyber security should be seen as an occupation and not a profession because the rate of change is simply too great to consider professionalization.[NAS] You may well agree that that rate of change is paramount, and, if so, you may also agree that cyber security is the most intellectually demanding occupation on the planet. 

 The goal of the occupation called cyber security grows more demanding with time, which I need tell no one here. That growth is like a river with many tributaries. Part of the rising difficulty flows from rising complexity, part of it from accelerating speed, and part of it from the side effects of what exactly we would do if this or that digital facility were to fail entirely -- which is to say our increasing dependence on all things digital. One is at risk when something you depend upon is at risk. Risk is, in other words, transitive. If X is at risk and I depend on X, then I, too, am at risk to whatever makes X be at risk. Risk is almost like inheritance in a programming language. 

 I am particularly fond of the late Peter Bernstein's definition of risk: "More things can happen than will."[PB] I like that definition not because it tells me what to do, but rather because it tells me what comes with any new expansion of possibilities. Put differently, it tells me that with the new, the realm of the possible expands and, as we know, when the realm of the possible expands, prediction is somewhere between difficult and undoable. The dynamic is that we now regularly, quickly expand our dependence on new things, and that added dependence matters because the way in which we each and severally add risk to our portfolio is by way of dependence on things for which their very newness makes risk estimation, and thus risk management, neither predictable nor perhaps even estimable. 

 The Gordian Knot of such tradeoffs -- our tradeoffs -- is this: As society becomes more technologic, even the mundane comes to depend on distant digital perfection. Our food pipeline contains less than a week's supply, just to take one example, and that pipeline depends on digital services for everything from GPS driven tractors to robot vegetable sorting machinery to coast-to-coast logistics to RFID-tagged livestock. Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?...

http://geer.tinho.net/geer.rsa.28ii14.txt