I'm delighted to be taking on the role of associate editor in chief (AEIC) for IEEE Security & Privacy. My own background is both as a practitioner in system evaluation at the specialist consultancy, Adelard LLP, that I founded more than 20 years ago, and as an
academic and research director of the Center for Software Reliability at City University London. My appointment as AEIC was proposed by the IEEE Reliability Society, and one of my aims is to promote a broader dependability and trust agenda in the magazine.
Currently, while I'm enjoying a sabbatical, I'm taking the opportunity to think about some infrastructure resilience and trustworthiness issues that we need to address.
In evaluating systemic risk and resilience, we come across a wide range of challenges from the infrastructure systems themselves, as well as from externalities. These challenges arise from the systems' complexity and adaptation: their interconnectedness and scale; their sociotechnical nature; nonlinear dynamics and evolution; multi-institutional and organizational responsibilities; uncertain threats and environment; and the wide range of timescales.
Complex systems are often not designed ab initio, but evolve, often in surprising ways. We must understand how incentives and regulation shape systems and how we can design a system's core so that it evolves in beneficial yet unanticipated ways. We need a balance between intelligent design and evolution.
One key concept in understanding complex systems is resilience. A resilient system is an adaptive system, one that responds to change, can survive and prosper when challenged, and can deal with attack and surprises. The term is powerfully suggestive, but we need some clarity if we are to design for it and evaluate it: we need to move from metaphor to usable models.
In trying to make the concept of resilience more operational, I find it useful to distinguish two types:
• resilience to design basis threats and events—this could be expressed in the usual terms of fault tolerance, availability, robustness, and so forth; and
• resilience beyond design basis threats events and use—this might be split into known threats that are considered incredible or so infrequent that they're ignored, and unknown threats.
We can often engineer systems successfully to cope with the first type of resilience, but the second type is a more formidable challenge. We might wish to make systems more heterogeneous and connected and with more resources to support the second type, but doing so might make them more expensive and suboptimal in terms of the first type of resilience.
A simple question to ask is "What is the system?" Infrastructure is often considered the basic physical and organizational structures and facilities needed for the operation of a society, but this can be an oversimplification. A significant observation is the importance of "soft" intangible infrastructures. For instance, trust between individuals, between individuals and organizations, and between these and the state is essential for service delivery. These intangibles are often hidden or ignored but come to the fore in times of crisis and disaster recovery.
As with so many other assets and resources, trust can be built up, destroyed, squandered, and undermined. If we are to understand resilience, we must take into account these essential, yet "softer" aspects and their relationship to the more tangible ones. We should be cognizant that these soft aspects are just as much the target of security threats as the more obvious physical and cyber systems.
Systemic risk, interdependencies, and resilience are just a few important dependability and trust themes—and are just some of the topics I'd like to see explored in IEEE S&P. Some issues are specific to certain sectors; apart from my own interests in critical infrastructure, I'm also concerned with the evaluation and communication of the safety of medical devices and heavily involved with nuclear refurbishment and new build. More generally, we need cyberinformed safety and must address the significant challenges in supply-chain risk management. However, I'm keen to see that the magazine's future dependability and trust sections reflect the readers' real-world agenda. As such, I'd love to hear from you with suggestions for focus and offers of contributions. (I can be contacted via email@example.com.) IEEE S&P has approximately 10,000 subscribers, with more than 40 percent outside the US, providing a powerful international platform for your views, so please do get in touch. In addition, in the near future, we'll be appointing two new editors to address trust and dependability. These are exciting developments, and I hope to get back to you in a later column with ideas for the future.
Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.