Richard Ford,
Associate Professor, Florida Institute of Technology
When I was a young boy growing up in England, every child knew this familiar rhyme: “Sticks and stones may break your bones, but words will never hurt you”. As somewhat of a misfit at my school (weren’t all self-confessed computer nerds?), this little mantra stuck in my head. However, over time I learned that words spoken with cruelty say a lot more about the orator than the subject they are speaking on. The reality is that words can’t really hurt you… that is the message relayed by the simple childhood saying, and in context, it makes a certain amount of sense. Unfortunately, life is seldom that simple.
Words thrown about on the playground can sting, leaving bruises inside that are as clear as those from any fistfight. Similarly, it has become increasingly apparent that the words we use to describe computers and their insecurities can have a profound impact on the way in which we protect them. Being unaware of that simple fact is a surefire recipe for disaster.
In this article I’ll take a few minutes of your time to hopefully save you from a raft of verbally-inspired faux pas. First, we will take a look at the scientific basis for the idea that the words we use to describe a problem really do matter, and then we will look at a couple of good examples. Not only is the pen mightier than the sword, but it would appear that under certain circumstances it must be wielded with a great deal of care lest it cause self-inflicted damage.
According to linguists and psychologists, the idea that words affect cognition is of little surprise. A well-known theory, sometimes referred to as the Sapir-Whorf Hypothesis, tells us that the language that is used to describe something in the real world has a profound impact on the way we think about the problem.
This idea seems quite reasonable, especially when one breaks the issue down to a more fundamental level and speaks of linguistic determinism and linguistic relativism. Linguistic determinism captures the idea of words impacting thought. It is generally considered to be a spectrum, with some advocates arguing that language is thought and some arguing that language influences thought. Current science tends to place reality toward the “influences” side of this continuum.
The idea of a continuum links quite nicely with the second term: linguistic relativism. This property of language relates to how language tends to “compartmentalize” ideas. For example, consider a measure of temperature. One might describe a day as cool, mild, warm, hot, or sweltering. Of course, weather is a continuum; such demarcations do not exist in the physical world, but they are very much reflected by language. These linguistic compartments are arbitrary, and based upon the language that we are using to describe them. Thus, it seems fairly clear that the words we use to describe a problem can have an impact on our mental processes regarding it.
Armed with this knowledge, it is quite interesting to examine the language of computer security. In particular we turn to an area of security that is truly riddled with loaded language: Malicious Mobile Code. Note the wording there – for reasons that should be becoming clear, I really find the whole “virus” syntax desperately misleading. Indeed, for the remainder of this article, I am going to use the acronym MMC to refer to all forms of self-replicating code. Before this choice launches a thousand emails of complaint, let me say that I am fully aware that I am not following standard convention; this is entirely deliberate.
When a traditional book discusses MMC the biological analogy is so implicit that after a while it becomes second nature. One talks about computers becoming “infected”; such machines will later be “cured” by anti-virus software. Similarly, viruses “spread” from machine to machine, with suspicious machines becoming “quarantined”. Even popular models of computer virus spread draw heavily from the well-trodden field of biological epidemiology. The metaphor used colors the entire space, so much so that to suggest other analogies tends to meet with stiff resistance.
Even solutions in the antivirus space have drawn heavily from the imagery used. Disinfection is obviously the most common reference, but attempts have also been made at file “inoculation” or “vaccination”, as well as at developing a “computer immune system”. In many ways, the imagery used has guided the sort of solutions that appear attractive. Nowhere is this more true than when one considers the role of diversity in our protection online.
When thinking about MMC, it is very easy to lend credence to the biological analogy – or word picture – that we tend to use. One implication of this analogy is that population diversity is very important from an epidemiological perspective. Diversity is a crucial component of species survivability in real world systems; it is very tempting to apply the same argument to computers.
In the biological world, a disease which killed every member of a species would represent a catastrophic outcome in terms of resilience. To this end, natural species tend to have a high degree of genetic diversity. This diversity means that it is more difficult for a single pathogen to wipe out every member of a group at once. Instead, some individuals have genes which predispose them to some amount of resiliency to a particular threat. This approach helps provide for species continuity, and is a crucial basis for system resilience in the real world.
Given the viral metaphor used to describe MMC, it is extremely tempting to apply this model to our online world too – indeed, many researchers have done exactly this. Prima facie, this approach seems reasonable: if all computers on the planet were susceptible to a particular worm, that particular piece of MMC would run rampant in minutes. Nobody would be immune… it would be the end of computing as we know it. Right? Well, yes… but that is really only half the story.
First, the danger with analogies is that they are just that: a picture of a real thing, not the thing itself. As such, it is easy to overstretch an analogy; one must always remember the limitations. That is made more difficult, though, when every word used to describe a topic is loaded with meaning.
Second, there are many important differences between biological systems and the Internet. For example, when one considers “extinction” (or other catastrophic events) one has to ask how many systems need to be destroyed for the Internet to cease functioning. Is it all of them? No, absolutely not. A large percentage? Nope. How about just the root DNS servers?
Finally, when applying an analogy it is easy to be directed to solutions that stem from this way of looking at the world. In this case the obvious solution is to follow the biological approach: genetic diversity. Put simply, the “obvious” idea is that having one OS in a dominant position is bad for the world.
The truth, of course, is much more complicated. The nature of computing is such that damage is highly disproportional to the simple number of computers affected by an outbreak. In a biological species, for example, if 50% of a population were to be killed by a pathogen, it is not a disaster: that sort of loss is acceptable, if not desirable (indeed, we note that culling the “weaker” members of a species can often be a good thing). Losing 50% of the computers worldwide is an unthinkable meltdown in business terms. Similarly, not all computers are created equal: some “computers” (in particular, core routers or DNS servers) have a disproportionate effect on overall system stability. The entire discussion of “diversity” online is so colored by metaphor and language that it can be difficult to keep track of the science. Our language has helped cloud our thinking.
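The point that damage is not proportional to the number of machines hit can be made concrete with a small dependency model. The following is an added example, not code from the article or its author; the topology (two root servers, four recursive resolvers that need at least one root, and forty end hosts that each use one resolver) is a constructed assumption. It compares two outbreaks: one that takes out half of all end hosts (the “monoculture” scenario the diversity argument worries about) and one that takes out only the two root servers.

```python
# Toy dependency model (constructed for this example, not from the article):
# "how many machines were hit" versus "how much of the service is still up".

def build_topology(n_roots=2, n_resolvers=4, hosts_per_resolver=10):
    """Return (deps, hosts). deps maps node -> set of nodes of which it needs at least one."""
    deps = {}
    roots = [f"root{i}" for i in range(n_roots)]
    for r in roots:
        deps[r] = set()                    # roots depend on nothing in this model
    resolvers = [f"resolver{i}" for i in range(n_resolvers)]
    for rv in resolvers:
        deps[rv] = set(roots)              # a resolver works if any root is reachable
    hosts = []
    for i, rv in enumerate(resolvers):
        for j in range(hosts_per_resolver):
            h = f"host{i}-{j}"
            deps[h] = {rv}                 # each host is configured with one resolver
            hosts.append(h)
    return deps, hosts


def functional(node, deps, down, memo=None):
    """A node is functional if it is up and either has no dependencies
    or at least one of its dependencies is itself functional."""
    if memo is None:
        memo = {}
    if node in memo:
        return memo[node]
    if node in down:
        memo[node] = False
        return False
    needs = deps[node]
    ok = (not needs) or any(functional(d, deps, down, memo) for d in needs)
    memo[node] = ok
    return ok


def outbreak_impact(deps, hosts, compromised):
    """Return (fraction of all nodes compromised,
               fraction of end hosts that can still resolve names)."""
    down = set(compromised)
    memo = {}
    nodes_hit = len(down) / len(deps)
    serving = sum(functional(h, deps, down, memo) for h in hosts) / len(hosts)
    return nodes_hit, serving


if __name__ == "__main__":
    deps, hosts = build_topology()
    # Scenario A: a worm that hits half of the end hosts (e.g. one OS family).
    half_the_hosts = hosts[: len(hosts) // 2]
    # Scenario B: only the two root servers are taken out.
    roots = [n for n in deps if n.startswith("root")]
    for label, hit in (("half the hosts", half_the_hosts), ("root servers only", roots)):
        nodes_hit, serving = outbreak_impact(deps, hosts, hit)
        print(f"{label:18s}: {nodes_hit:5.1%} of nodes hit, {serving:5.1%} of hosts still served")
```

In this model the host-level outbreak compromises about 43% of all nodes yet leaves half of the hosts working, while the root-only outbreak touches about 4% of nodes and leaves nothing working. A metric that counts compromised machines, or measures OS diversity among end hosts, sees the first as far worse; a metric that measures service availability sees the opposite, which is the gap the biological metaphor hides.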
The example above is only one of many: it is easy to find places in computer security where the metaphor used drives the type of solutions that are created. This should be no surprise, as the idea that words affect cognition is fairly well accepted. However, when it is so common that one stops thinking of the real problem and one only sees the linguistically painted one, something is wrong.
Consider the firewall analogy. With code flowing all around the globe, with VPNs linking physically and on occasion logically disparate networks, and with network-based threats becoming increasingly mobile, the model of a network as a trusted area with perimeter defense is becoming increasingly inaccurate. However, the way we think about network security tends to be driven by the language we use. Would we do security differently if we had come up with a different word picture? My belief is certainly yes.
By way of summary, this article represents a challenge to all its readers to critically reexamine the way in which we think about different aspects of computer security. As practitioners and researchers, it is extraordinarily easy for our thinking to become rigid and inflexible, channeled only by our inexact linguistic representation of problems that can, in fact, be extremely sensitive to nuances that may not be well conveyed by words. Question the language we use to describe security issues. Question the metaphors that are sometimes implicit in our thought. Such metaphors are sometimes useful, but potentially a snare: look to the real physical system wherever you can. By finding a new way to look at familiar problems, new solutions will suggest themselves. Taking the path less traveled may yet lead to breakthroughs.