My undergraduate honors thesis was on the ethics of US humanitarian assistance to Somalia in 1992. It tried to examine the political influences that determined who to assist and how much in a conflict zone. I just noticed a warning by Oxfam about this exact issue in terms of today’s American international security interests:

If you look at allocations in the course of this past decade to Iraq and Afghanistan, it’s much higher on a per capita basis than the aid given to the Democratic Republic of Congo, which is one of the worst places to live on Earth, and has been for a couple of decades. I think aid per capita at one point in Iraq was 18 times higher than the aid per capita in Congo, even though Iraq – despite the violence at the time – was considerably less badly off than the Congo.

The Deutsche Welle uses some highly charged language as an introduction to the issues:

Billions of dollars are being used for “unsustainable, expensive and sometimes dangerous aid projects” supporting short-term foreign policy and security objectives, while countries in desperate need are being overlooked, according to Oxfam.

Oxfam argues two points against letting security policy be tied to aid.

1. Military-related assistance can be perceived as tainted and a target of resistance
2. The military does a poor job identifying and managing assistance areas

They give an area just to the south of Somalia as an example:

If you look at the assistance that the US has given in northern Kenya, which is an area of security interest for the Americans, the US Army has built schools there and then forgotten about them or not ensured that there are teachers and materials for that school to be sustainable. We’ve seen that happen in many parts of Afghanistan as well. The assistance is badly done.

I recently wrote about a little-known US military project in a small African country, very likely to be related to security but portrayed as entirely humanitarian.

A blog post by the EFF has a curious phrase towards the end:

…the higher the stakes, the worse the security…

Sample size? The author clarifies that “worse” means “easily resolved”. This seems to assert a shade of negligence — a decision to not fix security even when it is easy. He tries to explain why this would happen:

I suspect the reason for this pattern is that organizations that handle life, health, and money do not think of themselves as software engineering organizations, and so seek to minimize engineering costs. Additionally, engineering-driven companies tend to be disruptive newbies who have not yet made a big enough impact on the market to control much important information.

I find his analysis lacking for at least a couple reasons:

1. Organizations that handle life, health and money do in fact think of themselves as innovators, not to mention software engineering organizations. Investment firms, for example, or research hospitals often have talented staff dedicated to inventing and building software and hardware.
2. Engineering-driven companies are not all “newbies”. They have been around for decades and they too have grown old.

My personal experience does not resonate with the EFF. Perhaps what the author is trying to say is more in line with what President Clinton described in his keynote speech at the RSA Conference today: “it is easier to think about solutions in developing nations than developed ones.” I resonate more with that.

Higher stakes (higher asset value) do not automatically bring worse security, in my experience. I have found environments that embrace change are easier to secure because they welcome regulation and will pay for innovative solutions. Conversely, those that resist regulation and fear change fall behind on some forms of security fixes. They tend to demand extensive risk-based analysis and cost predictions before they are willing to agree to apply even “easy” security fixes.

A developed environment, if I can borrow the term, is unlikely to allow a Windows XP-based system to be upgraded to Windows 7 when the system is critical (to life, health, money, etc.). The FDA may not allow any “easy” resolution of a security issue unless they have thoroughly tested for other potential harm. That is why “better security” is not typically measured only on whether a problem is “easily resolved” — resolution can introduce other unforeseen and greater problems that threaten the valuable assets.

The delays may drive an IT security professional mad because it seems incredibly slow compared to an easy fix for the problem they see. Yet, this is an opportunity in security to reflect upon greater principles and exercise caution: will an expedient change always bring “better security”?

At the RSA conference I ran into a Renesys speaker and he introduced himself to me as “we’re the company that broke the Egypt story on the Internet cut”. I asked whether Bahrain would go the same way. He skipped right past the prediction and instead said “It’s not the same right now, not at all. All their routes remain online and stable despite traffic fluctuation.” Of course I can respect this — it is much safer to report current events than predict new ones. Libya, for example…

Renesys confirms that the 13 globally routed Libyan network prefixes were withdrawn at 23:18 GMT (Friday night, just after midnight Saturday local time), and Libya is off the Internet. […] We wondered whether anyone would repeat Egypt’s strategy. Tonight, it appears that we have our answer.

Yes, we do. Bahrain still is able to directly upload video.