War's New Frontier on Game and Player

War's New Frontier

Patrick Woods  //  August 18, 2008


It is time to start counting what we cannot count.

In man's more cerebral moments, we are fond of quoting a relatively well-known scientist: "Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted." Equally often, if not more frequently, we are also prone to a rather opposite type of observation: "Out of sight, out of mind," as well as, "If it ain't broke, don't fix it," are fitting examples.

There is a wealth of historical examples revealing that man has repeatedly not attempted to count that which cannot be counted, much to his later chagrin. A power outage in the northeast, a collapsed bridge in the Midwest, and escalating severities of terrorist attacks are but a few recent events in the forefront of my mind.

One may argue in a similar cliched vein, "Hindsight is always 20/20." Additionally, one may wonder how to count what cannot be counted. Within the contrast of Einstein's and well-worn observations lies a powerful explanatory device for human behavior, namely the economics of decision-making and more specifically, the concept of rational ignorance. We consistently find ourselves in a behavioral Catch-22. We are able to explain only after the fact why we did not attempt to count the then unquantifiable and now painfully discrete, but are unable to change present and future behavior.

Humans are reactionary creatures and focus attention on things we can sense, things we can quantify. As Russia's military and cyber invasion of Georgia demonstrates, the implications for the sustainability of Earth's technological heart, networking, are significant.

A network's cardiac arrest can be fatal; we need to attempt to count the value of a networked life.

Weeks before Russia's military invasion of Georgia, the small country's vulnerable internet infrastructure came under assault. As early as July 20th, various groups that monitor suspicious network traffic noted a stream of data blasted at Georgian computers, some pieces of which contained the message "win+love+in+Rusia" [sic]. Via a Distributed Denial of Service (DDoS) attack, in which too many requests in too short a time span render a server unable to respond to legitimate requests, the site of Georgia's president, "media, communications and transportation companies," as well as the National Bank of Georgia's site were taken offline for as long as 24 hours. These data streams were traced back to Russian origins, and some of the scripts controlling the attacks were similar to those of the Russian Business Network, or R.B.N., a criminal gang based in St. Petersburg.

Whether the R.B.N. were directed by the Kremlin or were the masterminds behind the DDoS is unclear, but the fact that the attacks increased when Russian tanks rolled into Georgia, alongside Russian ISPs' re-routing of Georgian traffic, indicates a significant level of coordination and malice. One researcher believed this attack was orchestrated by "some kids who got overexcited," which, if true, is of deeper concern; anyone can be a soldier in a cyberwar. Georgia found reprieve by transferring hosting duties to Google. A quick glance at a diagram of how Georgia's network traffic flows highlights their vulnerability. Nearly all internet roads lead to and from Moscow.

I imagine you are asking yourself the same question I did when I first saw that diagram: how could Georgia not see this coming? Since the fall of the Soviet Union, Russia and Georgia have been at odds over Georgia's embrace of the West and NATO, with the two separatist regions Abkhazia and South Ossetia the pawns in the chess match. Last spring, Estonian sites fell under sustained attack, "prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis." Indeed, all security analysts noted the relative cheapness of launching a cyberattack: "There's broad agreement that cyberattacks can be so cheap and distracting as to be a no-brainer once bullets start flying." Even Vegas would not have laid odds to Georgia falling victim to this attack.

A quick thought experiment might explain why everyone and no one saw this coming. Suppose you are walking down the street past a convenience store and need a book of matches. You duck in to make a purchase knowing that on average, this convenience store charges more for goods than its competitor two blocks out of your way. And yet, you still purchase the matches knowing you are most likely paying more than you would elsewhere. Even more crucially, you pay more without knowing for certain the money you could save by buying cheaper matches at the other store.

If you are an economic agent employing cost-benefit analysis to your decision making, then how is paying more for matches maximizing utility if you know you could buy matches cheaper — how much is cheaper is unknown — but refuse to make the effort to do so? This is an illustration of rational ignorance, where one perceives that it makes economic sense to remain uninformed. Given a current set of incomplete information, we make this choice when we feel the cost of amassing a comprehensive set of information about opportunity costs outweighs the benefit of consuming that opportunity cost. If the matches are 25 cents at the expensive store, and if you estimate that the time it would take to walk two blocks out of your way to the competing store and investigate prices is worth more than you would expect to save on the cost of the cheaper matches, then it makes economic sense for you to be rationally ignorant, to stay uninformed.

One can understand chosen ignorance over 25 cents, but over network infrastructure? How can this be when humans choose to be informed when the stakes are considerably less (e.g. buying a car)? The answer lies in the economic incentives of those selling internet service. Georgian ISPs acted economically when they invested only enough in infrastructure to service typical data rates, not torrents of bad requests from robot scripts. Moreover, switching their traffic through Moscow was probably the most cost-effective option. How is a Georgian ISP supposed to assess the risk of a cyberattack, the economic damage brought upon its subscriber base, and then take precautionary measures accordingly? The cost of completing that information set — if even achievable — would surely outweigh damages to an ISP's bottom line. This event would have negatively affected all Georgian ISPs' abilities to provide services, leaving little recourse for a subscriber base but to wait out the outage.

A Georgian ISP is not equipped to count that which cannot be counted: the net effect on a society of lacking internet access. Given their economic incentives, the ISPs' choices make sense, among which is an election to remain rationally ignorant. From a single firm's viewpoint, there was nothing broken about Georgia's reliance on Russian fiber optic cable and switching, and so nothing needed to be fixed. From a national viewpoint, however, the security risk is obvious, the economic damage untenable, and the cost of network redundancy trivial.

Does this imply that, like defense, a government has an active interest in preserving connectivity in its state? Are governments the only agents that can assess and bear all economic parameters in such a pursuit? In other words, contrary to discussion spurred by a previous piece, Speed Limits and Private Racetracks, is a government the only qualified doctor to keep a vital network healthy? We have little time to lose in answering these questions. It is time to start counting what we cannot count.




