Tuesday, April 12, 2011

No, it really is "groupthink"

In an optimistic description of the cybersecurity industry, Marisa Fagan likens it to a "transactive memory system".

I disagree. I believe it's memetics. And an echo chamber. And worst of all, groupthink.


Memetics describes how ideas infect people's minds, like a virus. Once the community has been infected by an idea, it becomes "consensus" even though it's not based on any rational fact.

A good example was the Comodo hack, where the CEO claimed that the only possible explanation was that it was a state-sponsored attack (by the Iranian state). Almost every news story I read about the incident echoed that claim, and every discussion I saw by "experts" assumed that was the truth. That's because it fired up our imaginations, and neatly fit with the story that we already believed, that the Iranian government had an army of hackers, and they were intent on eavesdropping on activists by breaking SSL.

Luckily, the hacker came forward with compelling evidence (i.e. the private RSA key), which has caused this meme to disappear. But had that not happened, the community consensus would still be that this was a state-sponsored attack.

Echo Chamber

Our community is out of touch with the rest of the world. We believe that "security" is something inherently important, although few in the "real" world would agree with us.

An example of this is a post by Jeremiah Grossman claiming that security is a differentiator, that companies should spend more money making their products secure, because customers want more security in products and will buy those products that do the best security. Except it isn't true. The market doesn't care about cybersecurity. Moreover, the market doesn't have the ability to tell which products have the best security: if you spend a lot on security, your competitors will claim to be just as good, and nobody can tell the difference.

This is an example of the "echo chamber": we all tell each other that security is important, we say things like "you can never have too much security", and we pat each other on the back for saying such wise things. But none of it's true.

I had a conversation with somebody who was complaining that we'd have good cybersecurity regulation in this country if it weren't for all the special interests getting in the way. I pointed out, "but cybersecurity is itself a special interest". The guy paused for a second, trying to grasp the new concept, then responded, "no, it's not, we want what's best for the country".


I keep meaning to post more on this, but in the meantime, read the Wikipedia article on "groupthink". In particular, pay attention to the signs of groupthink:
1. Illusions of invulnerability creating excessive optimism and encouraging risk taking.
2. Rationalizing warnings that might challenge the group's assumptions.
3. Unquestioned belief in the morality of the group, causing members to ignore the consequences of their actions.
4. Stereotyping those who are opposed to the group as weak, evil, biased, spiteful, impotent, or stupid.
5. Direct pressure to conform placed on any member who questions the group, couched in terms of "disloyalty".
6. Self-censorship of ideas that deviate from the apparent group consensus.
7. Illusions of unanimity among group members, silence is viewed as agreement.
8. Mind guards -- self-appointed members who shield the group from dissenting information.

These 8 points describe much of the debate in our community. For example, in response to criticism, I've heard groupthinky phrases like "lead, follow, or get out of the way". At conferences, I've heard about the importance of "furthering the conversation" and "reaching consensus". This isn't robust thinking -- it's groupthink.

As for a "transactive" model

This "transactive" model of Marisa's doesn't fit my experience well.

Specialization: People don't actually specialize. Certainly, there are people who talk a lot about something, but that doesn't make them specialists. A good example was Gartner and IPS. Gartner became the acknowledged specialist market analysts in the field, despite knowing little about it and being demonstrably wrong.

A specific Gartner analyst really hates me because he feels I ambushed him. A big customer invited Gartner and intrusion-detection experts to debate Gartner's claims that IDS was dead. Gartner claimed that no IDS could run faster than 500 Mbps. I asked the customer's own engineers how fast they were running my IDS, and they said 800 Mbps, thus disproving Gartner's claims.

The fact that IDS is still alive and kicking is also testament to the fact that Gartner was wrong.

Coordination: Marisa points to conferences as an example of "transactive memory", but the reverse is true. It is the ability to act without a lot of formal meetings that is the hallmark of this "transactive" model.

Credibility is totally misplaced. People get credibility in our industry by pimping themselves. Vendors market themselves. Market analysts (like Gartner) also market themselves. People with little ability nonetheless get "certifications". Hackers, using tools built by their betters, are able to gain notoriety despite being little more than "script kiddies". There are those with technical ability (e.g. Schneier) that really deserve respect, but they are in the minority.


If you read back through this blog, you'll figure out our true mission statement: to attack groupthink, the echo chamber, and memes. If "everybody knows" something, we at Errata Security are going to try to disagree.

Now Marisa has an interesting new perspective on things, and I hope she fleshes it out, but I think she'll end up being wrong: it really is memes, echo chamber, and groupthink.


davehull said...

Completely disagree with nearly everything you've ever written. Security sucks and we're doing most of it wrong. :b

Erwin FI said...

Well roared lion.
I'd only object to the use of the terms 'meme' and 'memetics'. Without a longer argument, just check Wikipedia: Memetics

Unknown said...

"If "everybody knows" something, we at Errata Security are going to try to disagree." < which everybody knows.

Also, isn't it now vogue to attack groupthink? Last I heard, that's all the rage in the echo chamber.

Robert Graham said...

I rarely see people in cybersecurity attack groupthink. Can you point to some examples?

Unknown said...

It's pretty common for much of the twitterati to bemoan the echo chamber. I actually thought you were being purposefully ironic at first because it's so common.