IT Public Policy Blogs

Black Swans –Anticipating An Unexpected Eventuality

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.” - Then United States Secretary of Defense Donald Rumsfeld.

Controversy never ceases to plague this quote, yet strangely I have always found something intriguing about it.

As history has shown, we are never well-prepared enough for the unexpected – from the dot-com bubble, to the 9/11 attacks, to the present subprime mortgage troubles. The ups-and-downs of the global economy tell us that things can and do ‘explode’ in a phenomenal way and that danger zones loom over us more often than one can imagine. However, history has a way of repeating itself in one form or another, leaving governments and companies to scramble for remedial cures often at high financial costs.

But why does all this happen time and again? Is there something we can learn from these events? In particular for those who deal with information security, is there a leaf that we can take out of recent history?

In my contemplations, I stumbled onto Nassim Nicholas Taleb’s exposition of “The Black Swan”, which arises from the debunking of the unassailable belief that ‘All swans were white’ with the 17th century discovery of black swans in Australia. Talking about "our blindness with respect to randomness, particularly large deviations”, Taleb describes a Black Swan as an event with the following three attributes – rarity, extreme impact, and retrospective predictability. The rise of the Internet, the personal computer, the first world war, as well as the 9/11 attacks are seen as examples of Black Swan events.

The metaphor of a turkey is given to illustrate the classical problem of making statements on risks based on past history. A turkey is fed for 1,000 days - every day lulling it more and more into the feeling that the human feeders are acting in its best interest. Except that on the 1,001st day, the butcher shows up and there is a surprise. The surprise is for the turkey, not the butcher.

Black Swan logic, according to Taleb, makes what you don't know far more relevant than what you do know, and that many Black Swans can be caused and exacerbated by their being unexpected.

Notwithstanding arguments for or against the Black Swan logic, a reflection worthy (to me) of further contemplation is the presence and the impact of what we do not know and what we do not expect. As global economies grapple with the subprime mortgage situation, startling discoveries and revelations point to the fact that there have been a great deal of risks that many had either not been aware of or chosen to ignore. In fact, concepts like risk management (or the lack thereof) have again become the hot topic for financial regulators and financial services institutions.

For companies in general and sectoral regulators, are there yet other ‘unknowns’ lurking out there that deserve a bit of the time and attention of management and executives before the unexpected comes to pass? Is there a danger zone that we can locate and are there mitigating policies and decisions to be made, despite imperfect knowledge of the ‘unknown unknown’?

For people responsible for IT security operations and regulations, there may well be useful parallels and lessons to be drawn. Events like 9/11 have led to heightened security awareness and security enforcement worldwide, in both areas of physical and information security. Governments and companies have become increasingly aware of the impact of such occurrences, infrequent and sometimes rare as they may be.

Catastrophic socio-economic consequences can arise with any attacks on critical infrastructure such as utilities for telecommunications, electric power, oil, etc. Incidents of outages caused by hacking of utility companies’ computer systems or propagation of malicious codes such as the Blaster worm, coordinated cyber attacks on a nation’s information network like the massive cyber attack on Estonia, and experiments on cyber attacks on critical infrastructure point to the dangers that cyber threats pose.

In the Asia Pacific region, much has indeed been done on these fronts and Symantec has been closely partnering Asia-Pacific governments in such efforts. For example, the Malaysian government has provided a US$ 13 million grant for the newly-inaugurated International Multilateral Partnership against Cyber-Terrorism (IMPACT), a global public-private initiative against cyber threats. Thailand has developed and enacted its new Computer Crime Act to deal with criminal offences relating to the integrity of computer systems and data. The Singapore government has rolled out its Infocomm Security Masterplan 2. The Australian government is reviewing its data protection regime and has put in place a framework to share information on critical infrastructure protection.

So has enough been done? It is tempting to arrive at this conclusion, especially since we have not yet witnessed any major incident of attacks on critical infrastructure or information security lapses causing as much widespread economic impact as 9/11 or the subprime mortgage situation.

Here, it is good to ponder about the metaphor of the turkey. The danger is that one assumes that one knows when one does not know, especially where imperfect knowledge makes it difficult to predict outcomes. Theories and empirical evidence that ‘there is little danger’ based on present-day statistics and limited understanding of the threat landscape, risk lulling governments and companies into complacency that all is well – these could well be famous last words.

In the Russian roulette of risks, governments and companies will unfortunately never be spared of the different types of threats. We have witnessed physical threats, housing bubbles, and now financial troubles – so what would it be next? It is better to ponder and act now than later.