Brittle Systems

In the September 2002 issue of The Atlantic Thomas C. Mann wrote a profile of Bruce Schneier, one of the gurus of modern-day computer cryptography, and his current crusade to get back to basics on both electronic and physical security with decentralized, interlocking, people-centric approaches to monitoring and defeating attempted attacks. I fully agree with Mr. Schneier’s thesis but I lack his confidence that the rationality of his arguments will make any headway while the discussions are dominated as much by political considerations as by technical ones.

This letter was submitted to The Atlantic in response to Mr. Mann’s article, but was not published.

12 August 2002

Thomas C. Mann’s article about Bruce Schneier and the brittleness of security systems (Sep. 2002) reflects what I’ve been saying about the steps taken since September 11th to boost airline security. The centralized approach in extremis — ensure by radical rules and ruthless inspection that even minor hazards never make it onboard the aircraft — also ensures that, in the event one person manages somehow to slip something dangerous through, everyone else will be unarmed and unable to counter the threat. Personally, I would feel more secure surrounded by fellow passengers armed with pocket knives — a moderate but functional weapon of last resort — than surrounded only by a hope that everyone else was, in fact, disarmed at the security checkpoint.

What Mr. Mann did not address, but which I consider central to an understanding of the debate between centralized and dispersed security measures, is the degree to which the urge to centralization reflects not only a technological hubris but a fundamental cultural, social, and political trend that extends well beyond security issues. The same urge to centralize computer or airline security manifests itself in other areas of society and government, from gun control, to environmental regulations, to poverty relief programs, to management of the economy, to crime and punishment (e.g. the “war on drugs”) and even to religion which, at least in its fundamentalist aspects, attempts to centralize moral judgement. In all these cases, and in many others, there is a primary presumption that some authority, usually the government, has enough knowledge, wisdom, morality, and control to direct the activities of millions of people and institutions in a highly structured and centralized manner and without breakdown — often despite organized and active assaults from people who could take advantage of such a breakdown. And, in all the ways Mr. Mann and Mr. Schneier describe with respect to technological and security systems, such cultural/social/political systems are also brittle, prone to failure in spectacular fashion when the authority proves less knowledgeable, less wise, less moral, or less in control than their designers had anticipated.

I fear that in the modern cultural/social/political climate, Mr. Schneier’s plea for more distributed solutions to security problems will, except in the narrowest technical realms where logic and experience generally prevail, fall on deaf ears. Social and political biases of the public aside, our political and cultural leaders benefit from the increased power with which centralized systems endow them and such systems will continue to be the preferred solutions to most problems which fall, however unproductively, into the political realm.

© Copyright 2002, 2005, Augustus P. Lowell

Leave a Reply