Engineers and Existentialists: How Critical Infrastructure Protection Turns Security Professionals into Philosophers

by rthieme on January 6, 2006

Engineers and Existentialists:

How Critical Infrastructure Protection Turns Security Professionals into Philosophers

by

Richard Thieme

Published in the Infragard Journal (Winter 2006)

A discussion of critical infrastructure protection in the larger context of public/private partnerships would seem to be a simple matter. I imagine that many security professionals, if they studied philosophy at all, did so in some 101 course that filled a requirement and spent much of the semester rolling their eyes at what seemed like excessive hair-splitting, professors making distinctions that had little relationship to the “real world” in which they would practice their craft.

So here’s the bad news: unless security professionals are willing to think deeply about their work, they can’t do their jobs.

In a stable world, one in which the boundaries that define us persist over a lifetime, we unthinkingly and  uncritically share assumptions. Our common vocabulary reflects that. Everyone says what they mean and means what they say. But alas, we do not inhabit a stable world. The boundaries that define everything from an “individual self” to nation states that are the basis of international law have morphed dramatically.

I imagine that everyone knows what I mean by “morph.” A dozen years ago when I asked audiences what “morph” meant, perhaps a fifth would raise their hands. These days, we all know because (1) everything is morphing and (2) the vocabulary of the digital technologies that have energized the transformational processes that are reshaping our world has become now part of everyday language.

Older security pros might notice that they have trouble talking to younger ones who were socialized by digital technologies and can’t remember a world lacking the Internet, video games, instant messaging, and cell phones. But it’s not just vocabulary. It’s how we think about reality all the way up.

Physicists say that scientific revolutions occur one funeral at a time. Security professionals aren’t dying fast enough for that to happen. That’s why we must become philosophers, reflective thinkers  willing to dig deep into the assumptions behind our words. We have to be willing to see what different things we mean by “infrastructure,” “public/private” and even “security” in the first place.

Our definitions of everyday reality have been altered by a contextual shift. It did not happen on 9/11 although that is the public marker we use to denote a great sea change in American life. Long before 9/11 I was speaking about the reshaping of social, political and economic realities in the image of distributed networks that would turn just-in-time inventory control into a steady supply of suicide bombers; I wrote about the emergence of anomalous trans-global structures that would change our assumptions about security compared to when nation states defined the battlespace.

The mind of society is the battlespace of the early 21st century. That’s why those who map new realities with a precise vocabulary are more capable of defending their loyalties and loves. It’s why security professionals have to be philosophers regardless of who signs their paychecks.

The difficulty we have defining “enemy combatants” is a symptom of the sea-change. The members of trans-global political structures who use terror and perception-alteration as primary weapons are—of course! isn’t it obvious, now?—not citizens of “nation-states.” The boundaries that defined those states are porous, semi-permeable at best, or even—seen from the right perspective—non-existent.

A NSA veteran told me, “People seldom ask the right questions when they come to security. The first question ought to be, how do we live in a world without walls?”

How do we define our various identities and therefore the entities we believe we must protect, in other words, when the boundaries that defined both individuals and nations have gone liquid? When “private/public” and “foreign/domestic” are distinctions that no longer hold? How can we talk about policies and the behaviors that hold us accountable to those policies without first defining exactly what we mean?

Like the Moliere character who did not know he was speaking prose, security practitioners—including those in the intelligence community, domestic police, and corporations—probably do not realize just how much responsibility they have for defining the field of action in the 21st century. They do it through scientific and technological R&D and the implementation of evolving technologies that in turn determine how people act. Security professionals are implicit thought leaders: the structures they create fuse with the people who use them and soon those people forget that there is any other way to work or think about things.

With that responsibility comes responsibility for the changes in society that they cause. A CIA veteran told me recently, “Failures to recognize potential (or obvious) issues [including ethical issues] during development cause BIG issues later. Once a tool is built and deemed usable – whether for operations or intelligence analysis – users take it and RUN.  If developers fail to see a problem, users will quickly become entwined in it.”

Anticipating future problems implicit in the application of new technologies requires a commitment by leaders and managers at critical moments in the life cycle of development. The social consequences for society must be brainstormed and discussed before, not after, the technology has been implemented. But social, psychological, and political implications are often not debated at all. Technologies are thought of as “just” technologies and responsibility for unintended consequences in the real world are sidestepped.

It is difficult enough to anticipate the future when we try. It is impossible if we don’t make the attempt.

Computer scientist Langdon Winner said: “To invent a new technology requires that society also invents the kinds of people who will use it; older practices, relationships, and ways of defining people’s identities fall by the wayside and new practices, relationships, and identities take root. In case after case, the move to computerize and digitize means many preexisting cultural forms have suddenly gone liquid, losing their former shape as they are retailored for computerized expression. As new patterns solidify, both useful artifacts and the texture of human relations that surround them are often much different from what existed previously.”

The distinction between private and public is one that has gone liquid. Through the nineties, the end of the Cold War and the evolution of American hegemony changed the focus of security. Economic espionage and competitive intelligence became more important, blurring distinctions between “enemies” and “allies.” In the trenches, we work with who and whatever works, period. One symptom of this shift was the rapid growth of the Society for Competitive Intelligence Professionals and the migration early on of professionals like Jan Herring from CIA to Motorola. Nation-state and corporate intelligence blurred; trans-global enterprises like GE or Microsoft challenged the loyalties of persons who “belonged” to GE or Microsoft while at the same time they were citizens of a nation with goals that were sometimes at odds with those of the corporation. Knowing cart from horse became increasingly difficult.

Inevitably the mission of intelligence and security altered. The intelligence community is sanctioned by law to break laws on foreign soil while the same activities are prohibited on American soil. But simple distinctions between “foreign” and “domestic” no longer hold in any meaningful sense. The convergence of enabling technologies of intrusion, interception, and panoptic reach, combined with a sense of urgency about the counter-terror imperative and a mandate from our leaders to do everything possible to defeat an amorphous non-state entity defined by terroristic behaviors rather than boundaries, borders, or even a clear ideological allegiance, has created conditions that frequently undermine traditional notions of law, ethics, and sanctioned behaviors. Distinctions that made sense in the past make sense no longer. “Breaking down silos” and blurring distinctions between police and intelligence work are often difficult to distinguish post-Patriot Act. Because the context that gave prior distinctions meaning has shifted, what was once “common sense” now seems crazy and vice versa.

Wisdom and insanity are contextual.

Security professionals have multiple loyalties. They carry a burden to produce on behalf of corporations, localities, and nations but increasingly feel cognitive dissonance caused by uncertainty as to who or what is defended. The changing focus in information security from network perimeters (which symbolize the boundaries of economic or political entities) to applications to granular data (which symbolizes individuals and their rights) illustrates the difficulty in defining an infrastructure because there is a prior difficulty in defining structures in and of themselves.

Operating in that zone of ambiguity can lead to confusion about mission, expectations and execution. That is why, during times of rapid change, leaders can not over-communicate. Uncertainty and anxiety often interfere with hearing clearly, not because people are bad, but because it’s human nature. Clarifying assumptions is not a “touch-feely” exercise of the kind that many disdain. It’s a necessity that prevents shaming and blaming the morning after the unintended consequences of ambiguity and complexity have manifested themselves.

Private/public partnerships that wrestle with these perplexities rather than sweeping them under the carpet have a better opportunity of succeeding. As Marshall McLuhan said, “Nothing is inevitable so long as we are willing to contemplate what is happening.”

No wonder philosophy, security, and theories of management interpenetrate one another. Identity is function of boundaries. What we call “an individual” was defined by an arbitrary boundary that we take for granted which emerged only a few hundred years ago from a cultural shift during the Renaissance. An “individual” is a social construction of reality, not a physical reality. Before modern times, there were no individuals with human rights, property rights, or the sense of a proprietary self that we take for granted.

As societies grew larger and more complex, boundaries that defined them grew larger too. “Nation states” emerged in the past few centuries as organizational structures appropriate to the levels of political, social and economic complexity made possible by and a function of the speed of the flow of information. An awareness of belonging to a nation was one consequence of larger boundaries, the boundaries themselves a consequence of the hierarchical restructuring of society enabled by communication and information technologies.

This stuff matters! It matters because security, perimeter defense, police action, and intelligence gathering are all related to individual and national identities and who we think we are. Who we think we are defines what is permissible.

Security may now seem to be obviously a function of boundaries—but around what? Boundaries define the “other” that threatens “us.” “Us” is a felt experience of clan, tribal, and societal kinship, a genetic inheritance from Neolithic times.  Prior to the emergence of writing several thousand years ago, the “enemy” was the “Other” who was not a member of our tribe. But after the emergence of writing, the enemy morphed. In the major religions of the world, the enemy became that which in ourselves must be fought, resisted, or transcended.

This distinction is critical because the practice of security at all levels is carried out in the tension created by those conflicting definitions. Is the enemy within? Or outside? Frequent discussion of the “insider threat” is a symptom of this problem because an “insider” is determined by where one draws the line and computer security testifies to how much that can change in a short time; distinctions between criminals and terrorists or between patriotic dissenters and supporters of terrorism also blurs.

Yet … we continue to speak of individuals as primary actors and nation states as primary determinants of collective identity. We speak of security as if “we” who live inside one boundary are intercepting or penetrating others “inside” another boundary. But

current technologies make the notion of “interception” obsolete. Mostly American technologies constitute the physical framework and software/informational context of a global society. Boundaries between elements of the network, between the networks that make up the network, that is, are arbitrary. We live literally in a world without walls, and every attribute of a process or structure that broadcasts information about itself by any means can be detected. Information is often not intercepted but is engineered to come to us from the source. “Here” and “there” are also false distinctions.

One example of our dilemma is suggested by the existence of “hackers,” an emergent reality of the past couple of decades. Intelligence professionals were sanctioned to break foreign laws by nations, but suddenly these miscreants, i.e. criminal hackers,  were given permission to do the same by virtue of the technologies themselves. The threat to social order, that is, was defined not by one’s behavior – criminal hackers and security professionals often do the same things—but by perceived allegiance. By identity. By the line.

Security professionals have positions of leadership in this brave new world because they participate in creating the structures in which we live. The larger task is a calling not merely to defend and protect a perimeter but to stabilize a world and manage rapid flows of energy to ensure a modicum of social control.

But on whose behalf are we acting? Who do we serve? To what end? What are we defending and protecting?

How do we live, ni other words, in a world without walls?

No one said it would be easy, did they? As Machiavelli reminds us in The Prince:

Nothing is more difficult to take in hand,

more perilous to conduct,

or more uncertain in its success,

than to take the lead in the introduction of a new order of things.
#  #  #

Richard Thieme is an author, consultant and professional speaker focused on the implications of technology, religion, and science for twenty-first century life. He has keynoted numerous conferences in many countries for entities ranging from Microsoft Israel, Medtronic and GE to the FBI, the Pentagon, Los Alamos National Laboratory, and the US Department of the Treasury. His book Islands in the Clickstream (Syngress: Publishing: 2004) explores the issues raised in this article in depth.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: