Are Cybersecurity and AI Following the Pattern of Cocoanut Grove?
Are we only fixing problems after they are tragic?
The Fire
The Cocoanut Grove Disaster took place in 1942 in the Bay Village neighborhood of Boston.
It was a tragic fire that ultimately resulted in the death of 492 people. You should take time after reading this to head over to Wikipedia and delve into the details [1]. I was thinking about the fire a few days ago and realized that it showcases an all-too-familiar human tendency to ignore problems until they are tragic. At Cocoanut Grove, many factors contributed to the scale of the disaster, not the least of which was that its only available exits were revolving doors. If you are ever in Boston, there is a memorial to the disaster on its former location, tucked away on a small side street. I suggest paying a visit [2].
After the disaster, many laws and regulations were put in place to prevent similar tragedies. These addressed not only the revolving doors, but many other items now viewed as deficiencies. Examples included locking of exit doors, the use of flammable materials in interior decorations or the use of methyl chloride in air conditioning units. The building had been declared safe by the Fire Department just 10 days before the fire. The cumulative issues compounded to lead to a tragedy on a massive scale. To this day, Cocoanut Grove is the deadliest nightclub fire in US history and the third-deadliest single-building fire.
The Relevance
So why is this relevant to cybersecurity or AI?
Outside of the realm of experts and even inside its ranks, people refuse to believe that certain things will happen. Until they do. This is how best practices and regulation have lurched forward over the years. No one considers or even believes some of the possibilities could occur until they happen. And the fastest changes come with tragedy. Once there is a tragic problem, it gets attention from the public and politicians and usually swift action.
So where are the tragic problems in cybersecurity and AI?
In the cybersecurity realm, the recent attack on the NHS, indirectly through Synnovis, caused the cancellation of non-emergency procedures and delays in blood and other testing. In addition to the now familiar loss of personal data [3], this attack came dangerously close to causing serious problems in at least two major Central London hospitals. The aftermath included a call for blood donations. Delays in blood tests were expected to continue for at least a month. I am sure that as more problems emerge, we are guaranteed to have attacks that will result in tragedy. It seems chillingly inevitable.
In the AI realm we have so far been lucky. This is most likely because we are still in the early stages of this AI revolution and the major systems have not come online yet. Again, I’m convinced it is really only a matter of time until we see a tragedy.
The Significance
Many advances in the governance and regulation of all technologies are reactive and not proactive. This comes as no particular surprise to me (or I’m sure to many of you who are reading this). We lurch from fix to fix and often scramble to keep up. There are a lot of factors at play here, but ultimately it’s all about risk assessment. We need to look closely and carefully at possible risks. We need to conduct tabletop and threat modeling exercises to better understand how our systems can be made more resilient.
Security practitioners cannot expect to get “it all” when it comes to budgets and resources. Nor should they expect to get nothing or next to nothing. We must continue to raise our concerns and make sure that security and AI governance in organizations is treated at the same level as fiscal governance and oversight of possible corruption [4]. And we must learn collectively from our mistakes, whether they are tragic or not.
Notes
[1] Or take a detour now and come right back.
[2] The current memorial is a plaque. A new memorial, more fitting for the magnitude of the tragedy, is currently under construction.
[3] Another instance where the company in question will likely issue a statement that “your security is important to us” (aka “our thoughts and prayers are with you”) and then spring for identity and/or credit protection services.
[4] I have previously discussed how I am grateful that the US SEC is taking cybersecurity risks more seriously and demanding that publicly traded companies do the same.