[ISN] Islands in the Clickstream. The Cycle of Complacency. Dec 14, 2001

From: InfoSec News (isnat_private)
Date: Sun Dec 16 2001 - 23:05:26 PST

  • Next message: InfoSec News: "[ISN] Security hole leaves some Unix servers wide open"

    Islands in the Clickstream:
    The Cycle of Complacency
    In the world of computer security, it's called the cycle of complacency. 
    A critical incident - the NIMDA virus disrupts networks or a worm
    takes advantage of unpatched systems to install a trojan horse -
    raises the level of urgency. Everyone works overtime. A crisis
    mentality governs the workspace, and for once, everybody pays
    attention. The trivial concerns of the day before are eclipsed by the
    need to respond and respond now. Meetings are held to discuss
    appropriate security and system users actually change their behaviors.
    They understand that they are involved in a vague kind of cyberwar,
    one in which malicious mischief, competitive intelligence, and state-
    and network-supported cyber-reconnaissance are difficult to separate.
    They distinguish FUD (fear, uncertainty, doubt) from "appropriate
    paranoia" and act accordingly.
    Then the adrenaline rush subsides. The fight-or-flight level of
    intensity diminishes. New alarms are not followed by attacks. The
    reconnaissance of critical systems continues at a steady level that
    reduces it to background noise, "pings" echoing through the network
    like returns from submarine sonar.  Notices of new patches begin to
    fill in-boxes. Default positions re-set themselves to "routine."
    People get back to normal.  Pretty soon NIMDA and Code Red are blurred
    by the passage of time and all we remember is how little real damage
    they did to our way of life.
    It's called the cycle of complacency, and in America, we are in it
    both online and off.
    "The sense of urgency attending a critical incident," said Stanley
    "Stash"  Jarocki, a vice-president of Morgan Stanley and the President
    of the Financial Services - Information Sharing and Analysis Center
    (FS-ISAC), "has a ninety day half-life. After three months, people
    forget, you can't get money for security as easily, and those who
    raise the alarm are accused of crying wolf."
    Jarocki ought to know. Years of experience with government and
    corporate security have given him a good vantage point. The ISACs -
    financial services, electricity reliability, and telecommunications -
    are designed to facilitate sharing information between corporate
    members and NIPC, the National Infrastructure Protection Center of the
    FBI. But even on the front lines, organizational cultures continually
    frustrate the best intentions.
    Before September 11, my speeches on how technologies have reshaped
    organizational structures from the workplace up to the level of
    national and trans-national entities were often heard as if they were
    scary sci-fi movies, particularly when I talked about the implications
    of biotechnology and space war. People felt they were watching a
    movie, and regardless of momentary anxiety, the lights always came up
    and the audience shuffled toward the exits.
    Since September 11, I speak less about the implications of
    technologies and more about "Making Sense of Uncertainty." The closer
    one gets to Ground Zero, the more often audiences are on the edges of
    their seats - because they are living on the edges of their lives,
    leaning anxiously into the future with an enhanced awareness of what's
    at stake.
    Last week in New York I facilitated a conversation among members of an
    association who had not met since September 11. The meeting quickly
    became an opportunity to experience and manage the cold friction of
    their grief. That group was not in the cycle of complacency because
    they carried the devastation I had seen at Ground Zero in their
    The next day I returned to the midwest. The person on the next
    treadmill at a fitness center turned and said, aren't we fortunate to
    be in Wisconsin where we're safe?
    She was not jogging in place, going nowhere, as she seemed, but
    running at full speed into the cycle of complacency.
    We're a long way from grasping what it means to "be alert" in our
    daily lives the way we look both ways when we cross a busy street. It
    has not yet percolated through layers of denial that we are living in
    a war zone.
    It is a war zone, however. Honestly, it is, whether the enemy is a
    terrorist waiting for the signal to take a machine gun from under a
    winter coat in the mall or a home-grown hate group consolidating plans
    for spreading smallpox. The names of the haters are not the point.
    Besides, terror networks are nested, masks wearing masks. The effort
    to ferret out ultimate intentions and true identities will never be
    completed. In addition, collusion with those who launder money or
    profit from illegal drugs blurs the boundaries between hunter and
    hunted. Anyone who tries to map evil in the human heart gets a
    What will it take, I asked an veteran of the intelligence community,
    for people to get that the world is a war zone, that our lives are
    lived on the front lines?
    "A rising body count," he said. "Nothing else will make the point."
    After we talked about the likelihood of nuclear materials being
    readied for weapons and the incidence of non-standard diseases and the
    routes the germs might have traveled, I called another friend to
    discharge my anxiety.
    He tried to help by putting things in perspective.
    "Are you responsible," he asked, "for the well-being of the whole
    I thought long and hard before answering.
    If we're talking about "co-dependency" and grandiosity, then the
    answer is obviously no. But if we're talking about seeing who we
    really are, seeing that we are cells in a single body with a single
    consciousness on a planet threatened with death ... then the answer
    might be different.
    How can we use the vulnerability we feel at Ground Zero to short
    circuit the cycle of complacency and answer that question correctly?
    Ground Zero is not a place. Ground Zero is a state of mind into which
    we are driven when reality like a knife plunges into our false self
    and drives us into our true Self. In that moment, we know the answer
    to that question.
    So ... are you responsible for the well-being of the whole world?
    And if you're not ...
    who is? 
    Islands in the Clickstream is an intermittent column written by
    Richard Thieme exploring social and cultural dimensions of computer
    technology and the ultimate concerns of our lives. Comments are
    Richard Thieme is a professional speaker, consultant, and writer
    focused on the impact of computer technology on individuals and
    organizations - the human dimensions of technology and work - and
    "life on the edge." He also directs the Homeland Defense Network
    (HDN), a non-partisan, non-profit, independent grass-roots effort to
    create a positive informed response to the threat of terrorism
    Feel free to pass along columns for personal use, retaining this
    signature file.  If interested in publishing columns online or in
    print or employing Richard as a professional speaker, retreat leader
    or consultant, email for details.
    To subscribe to Islands in the Clickstream, send email to
    rthiemeat_private with the words "subscribe islands" in the body
    or subject heading of the message. To unsubscribe, email with
    "unsubscribe islands"  in the message. Or subscribe at the web site
    Islands in the Clickstream (c) Richard Thieme, 2001. 
    All rights reserved.
    ThiemeWorks on the Web:  http://www.thiemeworks.com and 
    ThiemeWorks  P. O. Box 170737  Milwaukee WI 53217-8061  414.351.2321
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 12:46:56 PST