Why Security Pros Should Rethink Their Focus on Information Resilience

Resilience is often defined as being able to withstand disruptions and rebound to a previous state. But a system's ability to return to a prior state doesn't mean it's sufficiently resilient.

With the recent spate of ransomware attacks, a great deal of emphasis has been placed on making our systems more resilient to these attacks. Despite this focus and extensive research on the topic of resilience, I have found that many security practitioners misunderstand what resilience really means. Resilience is often mischaracterized as the capability of a system to withstand disruptions and rebound to its previous state. This is a dangerous error: the ability to return a system to a prior state (e.g., restoring from backup) does not mean it is now sufficiently resilient. This mindset is inadequate and ignores the greater goal of resilience engineering, which is to adapt and improve.

To avoid missing this crucial aspect of resilience, I find it helpful to refer to another term introduced by author Nassim Nicholas Taleb in his thought-provoking book, Antifragile. Taleb argues that antifragility differs from resilience; resilience “resists shocks and stays the same; the antifragile gets better.” Although there are legitimate criticisms of Taleb’s book, there are some interesting takeaways and implications for our practice of security when we can establish a clearer distinction between the rebound aspect of resilience and the adaptability aspect of resilience (that is, antifragility).

Antifragility and Information Security
Taleb defines antifragility as an attribute of systems designed to get stronger when exposed to stress, like muscles. Conversely, fragile systems, like glass, break when exposed to stress. In other words, fragile systems are to be handled with care, whereas antifragile systems thrive when handled carelessly. But how would this concept apply to information and cybersecurity?

Taleb proposes that “information is antifragile; it feeds more on attempts to harm it than it does on efforts to promote it.” The act of suppressing information tends to draw attention to it, causing it to propagate further, arguably more than if the information were intentionally and actively publicized. An example of information antifragility would be the DeCSS code, one of the first free computer programs capable of decrypting content on commercially produced DVDs. The Motion Picture Association of America’s attempts to suppress this code resulted in its broad proliferation.

This outcome is clearly not better for stakeholders who want to keep information a secret. For those striving for confidentiality, their goal is to make information more fragile so that it can be easily broken or rendered useless at their discretion. However, this can run counter to the interests of other stakeholders who may want sensitive data to be simultaneously fragile, resilient, and antifragile. Fragile so that information can be rendered useless at their discretion for security purposes. Resilient so it survives loss from destruction or operational IT outage. Antifragile so that it can be copied, shared, combined, enriched, and morphed into more useful forms for business-driven collaborations and data democratization. But is it possible for the same information to exist in all three states at once?

Information begins as fragile and then we make copies so that information can be resilient. To go from resilient back to fragile, we would have to destroy every copy in existence. However, the action to try to destroy every copy may draw unwanted attention and cause the information to tip into becoming antifragile instead. To further complicate things, the organization may desire the information to be antifragile within the organization but fragile outside the organization. How can an organization achieve the three-part goal of keeping information secret (fragile) while also ensuring its resilience and utility (antifragile)?

Applying the Barbell Strategy
To address the tension between these three states, Taleb suggests a strategy in the form of a barbell. The barbell strategy addresses risk with a two-pronged approach that combines extremes, hyper-conservative (fragile) and hyper-aggressive (antifragile), and minimizes anything in the middle (resilient). An example of this strategy can be seen in asymmetric encryption models, with the fragility of private keys and the antifragility of public keys. While we protect the former with extreme caution, we may treat the latter with reckless abandon.

If information can exist in these three states, then it is worth noting that many cybersecurity programs operate contrary to the barbell approach, prioritizing resiliency as a key part of their information security strategy, which puts weight in the middle.

If we believe that Taleb's barbell strategy is appropriate for information security, then whenever we come across something that a stakeholder wants to make resilient, we should seek to avoid adding more to the middle of the barbell by asking ourselves what we can do to make our assets either more fragile or more antifragile instead (with a stronger preference towards antifragile).

When we separate out the concepts of fragility, resilience, and antifragility as Taleb has, we can see more clearly the goals that we should strive for. This allows us to focus not simply on returning to a known good state after an incident, but on conscientiously spending the time to learn from such events to evolve and improve.
