[FRIAM] 5 agencies compromised

uǝlƃ ↙↙↙ gepropella at gmail.com
Sat Dec 19 17:43:32 EST 2020


Well, that's *not* an analogy. The "supply chain" compromise is a systems/software aging/rot/refactoring issue. And while your and Dave's posts go at it to some extent, they lack any particular details of the solution that was compromised. It's nothing like cancer or immune systems, or even middle management.

Encryption-mediated "hotfixes" are a practical and reasonable solution to keeping a large collection of systems "secure". Where it breaks down (usually) is the humans who interact with it. And that includes both low and high tier humans in an organization. Highlighting the "middle management" is just more vague overgeneralization. Even Marcus' suggestion that there's a systemic bias toward org depth seems stereotyped to me.

The way I view it is that there are some of us (including robots and algorithms) who are brittle and some of us who are plastic. A frustration with, say, a DMV employee or a particular Bash script, is when the wiggle in the problem they're expected to address is larger than their wiggle. And that seems kindasorta scale-free, from the most focused specialist to the most synoptic CxO ... from the tiniest utility (like "ls" - listing files) to the broadest workflow (like continuous integration, nightly builds, and automated testing). What makes bureaucratic components seem broken is when/if they're not fit to purpose.

Dave's right to point out that treating the components as Kantian ends helps deal with that. But along with such agency comes complexity (component compositions are multi-faceted). And that implies both robustness and polyphenism for any given composition. This Lawfare post targets that lesson to some extent, with the concepts of "layered deterrence" and the asymmetry between offense and defense:

  https://www.lawfareblog.com/solarwinds-breach-failure-us-cyber-strategy

But, inevitably, that "layering" will be seen by some arrogant ill-fit-to-purpose components (at whatever scale in the org) to complain about onerous bureaucracy, cancerous fiefdom, or sucking up to the boss. The primary problem, as I see it, is people who *instantly* assert metaphors like "cancer" or whatever without making a sincere attempt to learn how the org *does* work, first. If it (that part of it, anyway) ain't broke, why assert that it is? And why not be concrete and specific about which particular *part* is broke, rather than asserting (by metaphor no less) the whole system is kerplunk?

The essence of my rant was to point out that bureaucracy is overwhelmingly good. We only *think* it's bad because of the "red stoplight problem". We grow a sense of entitlement because when the machinery works, we don't notice it. And the machinery almost *always* works. The tendency to immediately drop down a gravity well thinking about every time there was some tiny problem with it, and then claiming it's "cancerous" or has some kind of auto-immune disorder is *eschatological*. It sounds like that hypochondriac acquaintance we all have who catastrophizes every little twinge of discomfort.

On 12/19/20 9:09 AM, Steve Smith wrote:
> What about the systems/software aging/rot/refactoring analogy?
-- 
↙↙↙ uǝlƃ
