
April 11, 2004

9/11 Commission And Risk Auditing

It is almost irrelevant whether one or the other individual might have prevented 9/11. To prevent a repeat of 9/11-scale attacks, we must ensure that the system has many redundant paths of (a) detection, (b) reporting, (c) action, (d) audit, and most important, (e) swift and serious punishment for any failure in (a) through (d).

If the system relied critically on roles filled by Bush, Rice, Clarke or any other lone and visionary wolf, the system was broken. Hyperventilation about particular roles will not fix the system.

Robust process design does not ignore human nature, malicious incompetence or political bias; it treats them as test cases. In 100 years, there will be humans not yet born filling the roles being reviewed today by the 9/11 commission. We must evolve the system so that success is independent of one or more (but not all) humans failing to execute their role.

The sustainable response to a distributed threat is a distributed defense. In August 2002, I wrote an algorithm that could be employed by any group of people for risk triage and/or disaster response. It could be applied to workers in an organization or strangers in an aircraft. Civil defense systems and algorithms must precisely balance paranoia with liberty.

PairPair is a theoretical construct that could inspire practical derivatives:

... Instead of encouraging vigilante 'profiling and hunting of the bad guys', it would facilitate distributed discovery of 'good guys with whom I share geo-temporal risk'. It's a formalization of the kindergarten buddy system, for a network of adults.

The atomic relationship unit is a pair. The atomic risk unit is a pair of independent pairs for reciprocal due diligence. For the same reasons some high-security locks must be opened by two keyholders with strong incentives for non-collusion.

PairPair algorithm: take a subset S of people from a public crowd and group them randomly into N pairs. From S, join the N pairs into a circle by creating N-1 new pairs. At this point, every person is a node that intersects a pair of people pairs.

With this structure in place, people are free to engage in reciprocal disclosure according to their personal risk tolerances. There are two goals:

  • to provide a minimal randomized structure for temporary cooperation in a large group.
  • to ensure that anyone in an uncomfortable pair association has a designated path for recourse (the path of pairs on the other side of their pair).

In case of emergency, crime, disaster, or attack, the formerly random crowd is no longer random. They have a greater capacity for organized defense, assistance and evacuation.

... PairPair is a simple process for creating minimal non-colluding structure in an offline group.

The algorithm can be used to randomize whistle blowing (a.k.a. realtime auditing) channels. In a relatively static organization, randomization would be done often enough to preempt politicization.
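The pairing step and its use for randomized reporting channels, as an added Python sketch (not code from the original PairPair write-up). The names `pairpair`, `channels`, `uncovered` and the `close_ring` flag are assumptions of this example: with the N-1 links the text specifies, the two people at the ends of the chain hold only one pair, and `close_ring=True` adds an Nth link so that everyone holds two.

```python
import secrets

def pairpair(crowd, n_pairs, close_ring=False, rng=None):
    """Return (pairs, links) for a random subset S of 2*n_pairs people.

    pairs: the N random pairs. links: the new pairs joining consecutive
    pairs (N-1 as the post states; N if close_ring is set).
    """
    rng = rng or secrets.SystemRandom()    # unpredictable by default
    people = list(dict.fromkeys(crowd))    # drop duplicates, keep order
    if n_pairs < 2 or len(people) < 2 * n_pairs:
        raise ValueError("need >= 2 pairs and 2*n_pairs distinct people")
    subset = rng.sample(people, 2 * n_pairs)   # subset S in random order
    pairs = [(subset[i], subset[i + 1]) for i in range(0, len(subset), 2)]
    # Link the second member of each pair to the first member of the next.
    links = [(pairs[i][1], pairs[i + 1][0]) for i in range(n_pairs - 1)]
    if close_ring:
        links.append((pairs[-1][1], pairs[0][0]))
    return pairs, links

def channels(pairs, links):
    """Map each person to their 'buddy' and their 'recourse' contact.

    'recourse' is the partner in the person's other pair, i.e. the
    designated path around an uncomfortable buddy; None at a chain end.
    """
    table = {p: {"buddy": None, "recourse": None} for pr in pairs for p in pr}
    for a, b in pairs:
        table[a]["buddy"], table[b]["buddy"] = b, a
    for a, b in links:
        table[a]["recourse"], table[b]["recourse"] = b, a
    return table

def uncovered(table):
    """People who hold only one pair and so have no recourse path."""
    return sorted(p for p, c in table.items() if c["recourse"] is None)

if __name__ == "__main__":
    crowd = [f"person{i:02d}" for i in range(20)]   # constructed sample crowd
    pairs, links = pairpair(crowd, n_pairs=4)
    table = channels(pairs, links)
    for person in sorted(table):
        print(person, table[person])
    print("no recourse path:", uncovered(table))
```

Calling `pairpair` again on a schedule re-draws both the buddy and the recourse assignment, which is the periodic re-randomization the paragraph above describes for a static organization.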

Enron inspired the whistle blowing provisions of Sarbanes-Oxley SEC regulations. We can expect whistle blowing to be formally addressed by the 9/11 commission.

In computer security, we have both Bugtraq (realtime, ad hoc, bottom-up reporting) and CVE (triaged, formal, top-down reporting). Neither is sufficient. Both are necessary.

Posted by dotpeople at April 11, 2004 01:25 AM