In a sense, WannaCry could be characterized as a ‘wicked problem’: so far, we have incomplete knowledge about the exact parameters of the attack and there is great uncertainty regarding the number of people actually involved. At the same time, Microsoft and the institutions hit by the attack have all suffered a large economic burden, while the interconnected nature of the attack has created significant problems and has had a spill over effect on the operation of various services, including, most notably, hospitals, transportation and telecommunication providers. Notwithstanding these features though, this specific cyberattack is not your typical ‘wicked problem’. Although it will be hard to fully solve, we will still be able to solve it in the end. This makes it less of a “wicked problem” and more of just another security problem. What is important though is what this attack tells us: the real “wicked problems” of the Internet is currently security (in a more general sense).
Discussions about Internet security have consistently been rampant though more lately. Most such discussions, however, focus more on the policy agendas of nation states than the concept of Internet security itself. Often, this takes the form of giving high priority and equating security with issues like human rights, economics, social injustice and the threat of using the Internet to carry out military threats. Such thinking is usually buttressed with a combination of normative arguments about which values of which people should be protected, and empirical arguments as to the nature and magnitude of threats to those values.
In our effort to understand – and, thus, attempt to resolve – security questions in the Internet, we face a significant limitation: we may know we have an overall security problem but we continue to fail to fully understand its scope, parameters and dimensions. And, with no definitive problem, getting a definitive solution becomes somewhat an impossible task.
To this end, in order to understand the Internet security conundrum, we need to understand the complexity in approaching ‘wicked problems’. Academic Tim Curtis says that a “wicked problem” is one in which “the various stakeholders can barely agree on what the definition of the problem should be, let alone what the solution is”. Sounds familiar? In addressing security questions on the Internet, the different stakeholders are normally in full disagreement of the exact problem: governments tend to approach security as a national policy issue; businesses see it as purely economic; for the technical community it is usually a question about the reliability and resiliency of the network; and, civil society sees the whole issue under human rights considerations.
This inability for agreement between affected and interested parties feeds into the mistaken perception that the security issue is somewhat broken. And, this creates the danger of security as a “wicked problems” to exist in perpetuity. As Curtis accurately argues: “Problems are intrinsically wicked or messy, and it is very dangerous for them to be treated as if they were ‘tame’ or ‘benign’. Real world problems have no definitive formulation; no point at which it is definitely solved; solutions are not true or false; there is no test for a solution; every solution contributes to a further social problem; there are no well-defined set of solutions; wicked problems are unique; they are symptomatic of other problems; they do not have simple causes; and have numerous possible explanations which in turn frame different policy responses; and, in particular, the social enterprise is not allowed to fail in their attempts to solve wicked problems.”
Perhaps you are beginning to see what I mean. The crux is what is preventing us from finding solutions to the security challenges – whether they relate to ransomware attacks, attacks on national security or attacks directly against the network.
So, we need to find a middle ground that will allow solutions for such ‘wicked problems’ to emerge. And, this middle ground is collaboration.
Lately, I have been thinking quite a lot about collaboration – the value it adds, the importance it carries and its ability to solve ‘wicked problems’. Along with Leslie Daigle and Phil Roberts, we have deliberated how collaboration can contribute towards providing a robust framework where solutions can emerge and answers can be found. So, we came up with the following features that can make collaboration work.
- There must be a unifying purpose. There can be any number of participants in a successful collaboration, and they can have a range of different perspectives on what a good outcome looks like, but the participants must be united in their desire for an outcome. The participants will have some shared sense of "good." It is likely that that sense of "good" will include something about collaboration itself. That is to say, the very act of collaborating to achieve an outcome will yield a better outcome than some other method.
- Involved participants are committed and focused. The experience of successful collaboration includes skillful contributions that move discussions and actions forward towards a desired outcome. These contributions are regular, consistent, and timely. In such an environment, distractions are discouraged. In order to move the work forward, exploring alternatives is necessary, but willful distractions are not acceptable.
- Forward action requires crossing boundaries and changing practices: Collaboration is more than the cooperation of individuals or organizations contributing their existing expertise. It ultimately requires action that reaches beyond traditional boundaries and/or creation of new processes. Competitors cooperate. New ground is explored.
- A successful outcome is measured in terms that are broader than individual gain. There is a desired "good" toward which people are collaborating. That "good" can be something grand and exciting for everyone, or can be some outcome that is the "least bad." Yet, this is measured across a broad range of participants, rather than from the point-of-view of any single individual. Participants accept that the outcome may not reflect any immediate advances for their own activities.
Whether this understanding of collaboration can solve all security problems, I do not know. What I know though is that it is a pretty good starting point. In fact, it is the only starting point. Governments need to disclose system security vulnerabilities as they discover them, businesses and the technical community must race to address them and users must demand that this is the case. This will only happen though if different actors talk to each other.
Note: Extracts taken from: Tim Curtis's essay The challenge and risks of innovation in social enterprises in Robert Gunn and Christopher Durkin's book Social Entrepreneurship: A skills approach.