By Dr Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice
Good cyber defence starts in the mind. It takes imagination and the ability to see events from a variety of perspectives. Good cyber defence can learn a lot from the art of Zen.
Beyond a black and white view
Is the glass half full or half empty? Are we winning or losing the cyber war? As students of Western philosophy we live in an Aristoteliean world of binary choices, black and white. We love to classify the world into two camps;, in or out, processed or in-process. The domain of cyber defence is a classic story of this type of thinking. Some now accept there is no boundary, just data, but it’s a hard habit to kick. We instinctively feel out of control when we confront situations like this.
Adopt the flexibility and balance of the Eastern world
In contrast, the history of the Eastern hemisphere has resonated with an entirely different world view, one in which the Yin and Yang of all life processes blend into one another. The famous Yin-Yang symbol is not static, it attempts to capture perpetual motion and form. Alternatively, the simplicity of a Japanese Zen rock garden with a few stones placed on a sea of raked sand is another expression of the balance inherent in the Oriental world view. They represent the essence of nature rather than its physical appearance, and as such are a useful metaphor for the cyber domain, which also mirrors the physical world.
However, this is not merely an abstract essay on ancient philosophy, because as the major cyber conflict that is currently raging across the net has a distinct East-West polarity. The way we see the world has a direct impact on the policy and business decisions we then make.
Give your cyber defence systems the resilience of a pagoda
Here’s an example I sometimes use in presentations:, the beautiful Pagodas in Japanese ceremonial gardens are an anomaly, as they are tall wooden structures that have survived for centuries in a major earthquake zone;t. They should have become firewood many years ago.! They stand because they are fluid, loosely- coupled structures with a resilient design that absorbs quake shocks like a sponge. In contrast, any modern rigid steel and concrete building design in that area gets shaken to pieces.
We need to reorient our design for all ICT systems, and especially cyber defence systems to reflect this philosophy of resilient flexibility. An excellent example is the work by Arun Sood(1) on adaptive Firewall design, using a mechanism known as Self-Cleansing Intrusion Tolerance (SCIT).
The same is true within our own bodies, which are never clear of pathogens. Our immune systems are engaged in a perpetual war against internal and external bio-invaders. On a good day they get the upper hand and we feel fine, but some days the e-coli bloom and we get to count the tiles in the bathroom for some hours. Likewise the internet will never be ‘clean’, i.e. free of malware. And this is the hard part to accept if you are a CISO, that this is actually a good thing! And if you’re a CISO it’s hard to accept that this is a good thing. The human cold virus is rather tedious, but it keeps our immune system trained and able to cope when flu or something more serious arrives.
Hence So back to the theme of Zen philosophy —, i.e. the real world is not a static tableau onto which we can project our business models; it is a churning sea of dynamic interactions and co-evolving actors, in which we must float, or sink.
1. Arun Sood, “Intrusion Tolerance to Mitigate Attacks that Persist”, Second Workshop on Cyber Security and Global Affairs, ETH, Zurich, 6 July 2010.