Last Friday (10/1/10), the SEC issued their report on last spring's Flash Crash. The Flash Crash led to, among other things, blue chip stalwarts like Procter & Gamble trading under $40, down from around $55 in a matter of minutes.
The parallels with what we see in infosec are stark, and there is a lot to be learned here. To add some context to the lessons learned in the SEC report and to examine what the report hits and misses, this is quite a well reasoned post (emphasis added):
<snip>
3) Waddell-Reed is basically a widows and orphans mutual fund manager that was trying to hedge an $81 billion equity position. So it is not like they were some wild eyed speculator using 100 to 1 leverage or doing naked shorting. What they were doing was 100% legal, 100% moral, 100% rational and probably prudent.
4) The SEC report should have come out directly and said they every single firm and exchange they investigated was acting legally, morally and rationally in their own self interest. The SEC did not directly say it, but the implication to the public is that Waddell-Reed is somehow the bad guy in the flash crash. ABSOLUTELY NOT TRUE. In fact, what the SEC should have said to the public was that there were NO bad actors involved at all. The markets were working 100% like people intended them to work. Nothing irrational about them at all.
5) The SEC did NOT lay out a definitive action plan to prevent another flash crash from occurring. The reason for this is simple. They have NO plan. The markets have changed dramatically in structure over the last decade or so. In the “old days” when all trades were physically done on the NYSE, you could easily have fixed a problem if it occurred in the markets.
6) These days, there are countless exchanges and “dark pools” where trading occurs. The NYSE specialists are now called “designated market makers.” In the old days, they single handedly had responsibility for maintaining an “orderly market” in issues there were responsible for. These days, there are really NO substitutes for specialists. The High Frequency Traders fill that role some of the time, but as we learned during the flash crash, they can and will simply stop trading if they feel it is in their best interest. Even if the Designated Market Maker wanted to maintain an orderly market, how can he do it on the non-NYSE exchanges and dark pools?
7) The SEC did get one aspect correct. Trading is best described as a marginally stable system. What we learned is that it is relatively easy to have the system go unstable and out of control. Think of a jet fighter flying 100 feet off the ground at Mach 1. If something goes wrong, you get a large earth crater in a few milliseconds. That is kind of what our markets have evolved to. Incredibly high speeds with not much margin for error.
8) If the SEC was honest and upfront with the masses, here is what they would say. “Welcome to 2010. This is how markets now work. We can not reasonably guarantee another flash crash will be prevented. Matter of fact, we suggest you plan on them as a normal part of the investing landscape. But don’t worry, we believe they have NO long term impact on the fundamentals of equity investing. If stocks irrationally flash crash again, they will shortly go back to their correct, rational prices.”
9) As a practical matter, I don’t know how to put the genie of “stable” markets back into the bottle. While it is theoretically possible to do, there is so much money involved, I can’t imagine rolling back the clock. Stated differently: “Dorothy, we are NOT in Kansas anymore. Tapping your ruby red slippers together three times will NOT take us back to the stable markets of Kansas.”
</snip>
The whole post is well worth reading, and the author's statements of how a network evolves ring true. The actors in the network evolve, the use cases on the network evolve, but do the safety and security mechanisms evolve in parallel? In this case as in so many others, its clear that the emergent behavior exposed the lack of safety in the system, even when the actors were not intentionally acting out of malice.
Networked actors are increasingly reliant on both the networked system and the behaviors of the actors. As new use cases are layered on top of the network, the behaviors of the other players matters. One way to protect yourself is to leave aside the theory of exogenous risk in a network (like roulette where the other player's behavior does not matter) and instead remember the risks we deal with are endogenous risk in our networks (like poker where the actions of the other players impact the outcome).
Another way to protect yourself is to heed the SEC that this is a marginally stable system at best so design for failure and build margins of safety.