A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised?
Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.
Charlie Munger, as he is wont to do, went a bit further (from 2004):
I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.
They have made many other statements in the same direction, based on their own experience buying companies that used derivatives, where they were unable to unwind the books and figure out who owed whom. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow-ups about the present crisis:
It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.
What can we learn from all this?
Well, Dan Geer launched a revolution with his famous speech about risk management. He got the big-picture part right: the security industry is evolving toward risk management practices. However, the example we assumed was right at the time, the financial industry, is proving wrong. For one thing, you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):
It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.
So, yes, it is about risk management, but if you build too many abstractions on top of your assets, through derivative accounting and the like, you may find you don't have any assets when you need them. Don't fall in love with your abstractions; manage your assets.
There are some clear lessons for us in Information Security, err I mean Information Risk Management.
Margin of safety
It's our job to manage risk, but this doesn't mean that we have to build layers and layers of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety: understanding the failure modes and accounting for them in the design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but not so much on security. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost-effective improvements.
Don't fall in love with abstractions
If you have 100,000 desktops or 100,000 servers, it is hard to manage. You will need to automate, and to do that you need to abstract, but you should also realize that the abstraction is a drawing on a whiteboard, not reality. You need abstraction assurance.
There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.
In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to wit, risk-based analysis? Are banks that far out of banking that they no longer have it?
So you have to remember that top-down and bottom-up need to be combined.
Design for failure
Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. It works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right: we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it is this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.
Keep it simple.
They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails, like people signing WS-Security messages where the recipient checks that a signature is present but never checks whether it trusts the signer! There are so many ways to shoot yourself in the foot in loosely coupled systems, and we have so many abstractions layered on top of each other, that part of the mantra of protecting assets has to be keeping it simple.
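The WS-Security failure just described, as an added example that is not from the original post: a recipient that only verifies the signature against whatever key the message carries will accept any self-signed message, while the corrected verifier first checks the signer against its own trust store. Go with Ed25519 stands in for the X.509 certificates WS-Security actually carries; the Message and TrustStore types and the sample body are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Message models a signed message whose signer key travels with it, the way a
// WS-Security header carries the signer's certificate next to the signature.
type Message struct {
	Body      []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Sign signs body with priv and embeds priv's public key in the message.
func Sign(priv ed25519.PrivateKey, body []byte) Message {
	pub := priv.Public().(ed25519.PublicKey)
	return Message{Body: body, SignerKey: pub, Signature: ed25519.Sign(priv, body)}
}

// NaiveVerify is the flaw described in the post: the signature is checked
// against whatever key the message carries, so any self-signed message passes.
func NaiveVerify(m Message) bool {
	return ed25519.Verify(m.SignerKey, m.Body, m.Signature)
}

// TrustStore is the recipient's allow-list of signer public keys, keyed by the
// raw key bytes (pinning; a WS-Security deployment would usually instead chain
// the signer's certificate to a trusted CA).
type TrustStore map[string]bool

// Verify is the corrected check: unknown signers are rejected before the
// signature is examined, so a valid signature from a stranger is worth nothing.
func Verify(ts TrustStore, m Message) bool {
	if !ts[string(m.SignerKey)] {
		return false
	}
	return ed25519.Verify(m.SignerKey, m.Body, m.Signature)
}

func main() {
	_, partner, _ := ed25519.GenerateKey(rand.Reader)  // enrolled signer
	_, stranger, _ := ed25519.GenerateKey(rand.Reader) // never enrolled
	ts := TrustStore{string(partner.Public().(ed25519.PublicKey)): true}
	body := []byte(`<transfer amount="100"/>`) // constructed sample body
	println(NaiveVerify(Sign(stranger, body)), Verify(ts, Sign(stranger, body)), Verify(ts, Sign(partner, body))) // true false true
}
```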
So that is my list. Doing all these things requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive. A firewall and SSL are fine; a seatbelt was fine in 1935 and it's still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control: they all protect the assets far better than in 1935, and that's what we need to build.
Anyone can make bad assumptions (assume you know who owns what risk) and it's easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for, sooner or later.
"Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to wit, risk-based analysis?"
Not so much killed them, as manipulated them (as governments manipulate markets from the perspective of the free market advocate). The drive for multi-factor auth., for example, stacked the risk analysis in the favor of the consumer. In my experience doing analysis for banks, phishing directly leads to very little primary loss for a bank. It is the secondary losses (where customers, regulators, shareholders and other stakeholders actually become threat agents acting against the bank) where the majority of the losses lie, and those from the regulators if the bank chooses to accept the risk due to phishing and not implement the compensating controls the government would like them to. That is, multi-factor auth. for a bank is actually more of a compensating control for the regulator threat community than for the "hacker" threat community.
Your comment on and use of the phrase "abstraction" assurance is fascinating. I'm sure the term means different things to different people (and perhaps you and I are using the same term with different perspective) but to me - the ability to handle various levels of abstraction usefully is a function of the quality of your model. Therefore, the only real way to "buy" abstraction assurance is to have great modeling.
Which brings us full circle to the original quote in my comment by Ian: because of regulator influence - the value from modeling is replaced by the value of due diligence.
Love the blog Gunnar. Quality stuff as usual!
Posted by: Alex | September 15, 2008 at 01:05 PM
Hi Alex,
One point on your example: the banks save a lot of money through ebanking, and some banks only exist as ebanks. So the issue is, if they can't make ebanking safe enough, then they will lose those cost savings.
It's not just the micro phishing event but the larger picture; it's what Bill Gates realized a few years back when he launched their software security initiatives - hey, if this stuff isn't secure enough, no one is going to buy SQL Server. Unfortunately, the banks are lacking a Mr Gates to help them realize this, and at present they have other seemingly more pressing self-inflicted wounds to attend to.
Posted by: Gunnar | September 15, 2008 at 01:21 PM