The Hacking Problem

Infrastructure resiliency is an important area of my research, and disruptions to infrastructure come from both natural and human actions. There is no need to mention the critical role computers and networks play in modern society. The disruption to the essential Colonial Pipeline oil and gas distribution system got a lot of news a few weeks ago, and now the attack on the JBS food distribution company is causing disruptions and a lot of angst. Let’s look at three aspects of this: the impact of the disruptions themselves, the infrastructure security implications, and the role of both state-sponsored and freelance cybercriminals.

First, the impact of the disruptions. As with the Colonial Pipeline attacks, the JBS impacts should be transitory – but will probably end up being worse than they should be due to human behavior. Like the irrational pandemic-inspired toilet paper runs last year, there will likely be a lot of spot shortages as people change their normal buying habits, creating a temporary supply shortage. Although modern logistics methods like warehousing-in-transit have reduced the safety margin, what people don’t think about is that supplies and distribution systems have slack built in to account for disruptions – and disruptions happen all the time due to maintenance, weather, and so forth. But that is all based on normal buying habits. When you hoard or stockpile, you break that assumption, creating artificial shortages. Assuming the system is back online in the next day or so, price spikes and outages should be transient, but like disruptions from storms, may take a week or two to settle down. My guess is that if nothing breaks that shouldn’t, this will again have been a brief disruption.

As for the infrastructure implications, it’s an almost intractable problem. It takes time to develop and deploy infrastructure. Even with fixed hardware, the firmware and software that runs on it takes time to develop, test, and deploy – and of course it is the ability to do remote upgrades and software changes that is the underlying cause of the problem in the first place. If you can access it to use it, much less upgrade it, you can probably hack it. The old DoD “Orange Book” on computer security said the only secure computer was one that was unplugged with the hard drive removed. So while a lot can be done to improve security, ultimately there is no way to create a system that is both usable and completely secure against a determined, intelligent attacker. So like most things, the trick is to balance the two – maintain usability, but make it hard enough to keep out the amateurs, and have international standards, laws, and policies in place to deter and punish those who exploit system vulnerabilities.

And therein lies a key problem: governments use cybercriminals.

There is a love/hate, sometimes incestuous relationship between intelligence agencies, IT security companies, and cybercriminals. A not insignificant amount of the malware floating around was either developed, enhanced, or allowed to continue in play due to the action (or inaction) of intelligence agencies – including some well known episodes involving US intelligence agencies. Ironically, some of the most effective malware currently in circulation goes back to a hack of the NSA and the release of their toolkit (Ars Technica link). In addition, agencies have been known to discover exploits, but because they are using them, don’t report them to operating system and software developers. IT and cyber security firms have been known to be complicit, in at least one known case not fixing a hole until after No Such Agency had finished an operation requiring the exploit. And of course the need for computer virus protection, OS upgrades, cybersecurity consulting, etc. is a profitable business.

So it was remarkably hypocritical for President Biden to say that Russia bears responsibility for the hacks because the hackers (who in both cases seem to have only been after money) happened to be based there. Of course, President Putin didn’t really help matters when he “joked” …

Putin’s comments about hacking. Enki Research Photo, Moscow Kremlin.

“Hackers are free people, like artists: (if) they are in a good mood, they (get) up in the morning and draw. So hackers, if they wake up and read that something is happening in interstate relations and if they are patriotic, then they begin to make their contribution,” Vladimir Putin said.

Of course he went on to deny that Russia was sponsoring or exploiting hacking. While there have been cyberattacks in Russia, the security services pretty much hunt the criminals down and kill them. It is clear to these guys that if you’re going to do this, do it elsewhere. I’m not advocating that kind of quick “justice”, and the tolerance of domestic criminals who keep their crime offshore is something nation-states shouldn’t do, but in fairness it is absolutely not limited to Russia; the US is infamous for it with respect to other kinds of crimes, particularly essential and profitable but environmentally damaging enterprises.

In summary, treating cyber criminals as serious, dangerous criminals no matter where they are based or where their crimes are committed, is essential. Today one can kill with a computer by harming cyber infrastructure almost as easily as one can kill with a bomb. Therefore, as has been attempted with mixed success with nuclear weapons and biological warfare, nation-states need to put together frameworks to limit and prosecute the use of computer viruses and cyber attacks. That will be difficult – the system of international law and norms of behavior is in shambles (in no small part due to US actions over the last two decades, but that’s another story). The US, which pioneered these techniques, should take the lead in renouncing them and working with the international community to address the problem rather than hypocritically screaming about it in public all the while creating and using them in private (the US approach), or joking about it in public, making sure it doesn’t happen at home, but allowing it to occur elsewhere (the Russian approach).

Savannah’s Port and Megaships

Wednesday the largest ship to ever call at the Port of Savannah snaked its way up the Savannah River. The news coverage I’ve seen was all positive, basically echoing the press releases from the Georgia Ports Authority, commenting on the size of the crowds that came out to see the 1300 foot ship, and similar fluff coverage (link goes to WTOC TV). Entirely missing was the perspective that this kind of global commerce is destructive to local and national economies, and has created an unstable situation. The collapse of this system will create disruptions across the entire world. Sound dire? Well, this is doomwatch … so let’s look at two reasons this isn’t a good thing: economics and resiliency.

GPA Savannah Container Port (Enki Research Photo)

Economics: The economic implications of this kind of global shipping are often hidden. During the studies of the deepening of the Savannah harbor, and periodically since, the Georgia Ports Authority (GPA) trots out economic analyses of the “benefits” of the port. I’ll be blunt: these “analyses” are misleading – even bogus. One key problem is that all the numbers about local jobs or regional impact overlook the lost manufacturing jobs, and the distortion of the US economy from a balanced producer/consumer economy into a consumer-dominant economy supported by a service sector. This is one of the factors behind the increasing levels of disparity in income in the US, and the depressed middle class sector in the country: those middle class, manufacturing and repair service type jobs disappear since cheap goods means it is more “cost effective” to import and replace rather than repair them when they fail or break. Of course, it is only “cost effective” if you ignore the resources wasted in a throw-away world, but that is a different issue.

You’ll notice when GPA reports statistics, they talk about containers and tonnage exported, rather than the overall value of imports vs exports. If you run the numbers that way, billions of dollars a year (and therefore tens of thousands of manufacturing and related jobs) flow out of the US to foreign countries, some hostile such as China. In other words, China is treating the US like an extractive colony – but the US goes along with it because US based companies profit from the somewhat lower retail prices, even though the average person sees only marginal benefits. Ten or even 20% lower prices don’t mean much if your neighbors are either out of work or working lower paying jobs, or your taxes are high to cover social costs. You have to look at the whole-society impacts – not just narrow sectors.

One of the reasons behind the American Revolution was that Great Britain restricted certain kinds of manufacturing in the Colonies. It makes sense from a colonial/control standpoint: extract the raw materials, force the colonies to buy the finished products. That way the net value is not equal – money flows out of the colony and enriches the mother country, and makes the colony dependent on them. China has been doing this to the US for at least three decades now – and we’re actually cooperating with our own subjugation.

Resiliency: Lost in the discussions over the ports and global commerce are the social stability aspects, in that a mostly consumer based economy is vulnerable and ultimately unsustainable. The COVID pandemic came very close to crashing the US economy and even the stability of the society. Critical supplies such as plastic tubing almost ran out because no US companies make them, and the global system of moving goods and supplies came to a standstill with the quarantines and shutdowns. In the past a disruption might cause a rise in prices, but many critical goods are no longer manufactured in the US. The loss of supply lines – be it due to natural disaster or geopolitical instability – can rapidly spin into a crisis since there is diminished or nonexistent ability to replace the lost sources of those goods.

Underlying all of this is a philosophical meta-question: what is the purpose of an economy? In the US, the purpose of the economy is primarily geared to create shareholder profit. Human factors such as the dignity of work, providing a sustainable livelihood for the average person, and social stability are all lost in the pursuit of maximum quarterly profits. The celebration of the arrival of the Marco Polo is that distorted worldview writ large.

So for a variety of reasons, the global system of commerce that has evolved into a massive transfer of the manufacture of goods that could be made anywhere to a few areas like China (generally with exploited/oppressed workers), all in the name of increasing profit margins, has created a hidden global crisis that could for a variety of reasons trigger a collapse of the economy – with societal turmoil following close behind.

Rather than celebrating, at least we should be mourning, and better yet protesting if we had any sense.

#Climate change: which “side” is more delusional?

One of the more catastrophic artifacts of America’s sharply split political system is that instead of one side being right and one side being wrong, both parties seem to be forced by their activists into adopting positions that are driven by fringe ideology instead of rational thought as to how to solve any given problem. The looming climate crisis (which is really a complex energy/financial system crisis) is a perfect example. Which is worse? Hard to say, but let’s take a look at the two biggest delusions: there is no climate change, and renewables will save us.

The delusions of the R’s …

I’ve been involved in climate research for over 25 years, and as a scientist it still stuns me that anyone can possibly say anthropogenic climate change is a hoax, or some kind of leftist plot, or whatever. I’ve blogged about this before. The data across interlocking disciplines like meteorology, oceanography, biology, geology/geophysics, all point in the same direction. You can argue over the details, and what to do about it, but you can’t argue over the big picture: humans have changed the earth’s climate system, and it is likely to enter a period of rapid change over the next century that will most likely prove highly disruptive both to humans and the natural world. However, as someone with a background in the geopolitical world, denying human impacts on climate doesn’t surprise me a bit – in fact, given how the crisis came to light, it was inevitable.

Some of the more outspoken scientists doing early research on climate really screwed up. I understand that they feared for the future and felt they needed to raise the alarm, but they overstepped the bounds of the role of scientists. Many of them in the public eye (such as James Hansen) crossed the line between science and partisan politics by advocating specific actions based on their political leanings. By the mid to late 1990s the impression had been firmly fixed in the minds of many politicians as well as members of the public that the science was politically biased. Combined with the religious component (as I discussed in the link above), this created a circumstance where the science wasn’t trusted. While it would have been a hard job to navigate the complex energy, financial, and societal response required by human impacts on climate, this false impression of political bias in the science has created an almost intractable situation.

and the D’s aren’t any better.

The situation on the Progressive side of the spectrum isn’t any better. By any rational metric the proposals floating around for the Green New Deal are technological fantasies, and are based more on restructuring society than the realities of trying to address the climate crisis. Take one small technical detail about so-called renewable energy: solar panels and wind turbines (much less batteries) are advanced electronic devices. They take a lot of Rare Earth Elements (REE) to make, and that presents two huge problems:
1) Mining and processing REE’s is an environmentally destructive process, basically being strip mining with lots of toxic (even radioactive) waste (more so than mining Uranium), not to mention using a lot of water.
2) Depending on how you crunch the numbers, there aren’t enough known REE’s on the planet for even a third of our present energy needs.

If it wasn’t so delusional and going to end so badly it would be mildly amusing to hear people rant about how fossil fuels are limited and using them is environmentally damaging, then in the next breath preach about the cleanliness and potential for solar or wind – which are by the same measures just as resource limited and environmentally destructive.

Maybe this guy wants the job of fixing things …

So what do we do? Like most things, anyone who says they have “THE” answer is, well, delusional. This is a very complex problem that crosses so many aspects of society. It won’t be easy, and it will take time – time we are running out of if we haven’t already. As I noted above, I think for the most part scientists should keep out of the political process. However, if I were acclaimed Imperator Caesar, Princeps Senatus, Tribunicia Potestas, Pontifex Maximus (which is the only way I’d take on the job), I think I could put together an approach to start down the path to a solution. But nobody presently in power would like it. The first thing I’d do is completely rework the system of global governance. The climate crisis is ultimately a failure of governance – and it isn’t the worst threat we face in that respect (I am convinced that the worst threat to humanity – and the environment – is conflict/war and the collapse of the complex system of resource allocation/distribution needed to sustain nearly eight billion humans). As for energy and resources, there really isn’t much choice for wide scale reduction of emissions given our present technology: immediate widespread use of nuclear for electricity generation, combined with a crash program for fusion and the development of a sustainable, high energy density method of powering transportation systems. There are other complex changes that need to be made, all of which will take time and some serious rethinking of how society functions. In other words, to fix this, the technology will piss off Progressives, and the social changes will piss off the Neoconservatives. So I just don’t know how our present angry, bifurcated political system can come up with a good plan without an outside force like a benign Emperor to make the two sides behave.

Yes, the climate problem is a crisis, and we’ve wasted at least 25 years we really didn’t have to start dealing with it. But we need to sort out the technology and have a clear, rational, compassionate path forward before upending our economy and society. Going down the wrong path will kill as many if not more people, and be at least as destructive to the environment, as doing nothing.

Hurricane Preparedness Week: Insurance

The National Weather Service (NWS) and Federal Emergency Management Agency (FEMA) are doing their annual Hurricane Awareness Week this week (link). I won’t try to echo that, but rather emphasize a couple of critical points. If you are in a hurricane risk area (and remember these extend far inland – if you include the risk of catastrophic flooding, the remnants of hurricanes can cause damage hundreds of miles inland), you need to take this opportunity before the season to make sure your insurance is in order. There are two big aspects of this: flood insurance, and deductibles.

Catastrophe insurance in the US is a fragmented, confusing mess. One of the biggest issues involves flood insurance. There is very little commercial flood insurance available in the US. For the average homeowner, the only option is the National Flood Insurance Program (NFIP) underwritten by the Federal Government. On the plus side, it’s pretty cheap since it is subsidized. If you are in a designated flood zone and have a mortgage, it’s almost certainly required as part of the loan, and so you probably got it as part of your insurance package. But if you don’t live in a flood zone or don’t have a mortgage, you may have been told you don’t need it. The thing is, most flood damage in dollar terms occurs outside the 100 year flood zones where the banks require it. There are complex administrative and technical reasons for this, not the least of which is that the FEMA Flood Zone risks as shown on the Flood Insurance Rate Maps (FIRMs) are a compromise between engineering, finance, politics, and (IMNSHO) a flawed statistical approach rather than a rational assessment of the actual risk of flood damage. Just because you are not in a designated flood zone doesn’t mean you are safe. Here is one example, from Tybee Island, Georgia:

NFIP Flood Zones, Tybee Island, GA.

Any rational 100 year hurricane scenario will put Tybee entirely under water. Yet the brown and clear areas above are “above the 100 year flood plain.” If you live on Tybee, you need Flood Insurance. In fact, if you live in Chatham County, GA (the Savannah GA area), you need flood insurance, as there are few areas aside from the bluff along the river, and an area at the airport, that are high enough to avoid flooding in some 100 to 125 year flood events. The good news is that in the “X500” (brown) or “X” (clear) areas the insurance is inexpensive. You can look at the NFIP Flood maps online here (link – select “NFHL viewer”).

Inland it gets a bit trickier. Certainly consult the FIRMs, but again keep in mind these are rate maps – not flood risk maps. There are a lot of occult stream channels and topographic low spots that can flood in extreme weather events. Local knowledge or surveys can help with this.

Either way, figure out your actual risk. If you are flooded from rising water, your normal homeowner’s insurance won’t cover it. Flood insurance has a 30 day waiting period – and most insurance companies won’t write policies of any kind (car, home, renter) once a storm forms – so don’t wait. Do this now. Even though it’s a Federal program, your regular homeowner’s insurance agent can set it up for you.

The second aspect to be aware of is deductibles. Almost all insurance policies now have catastrophe deductibles. Insurance companies argue that catastrophic events are so costly that without them they cannot cover losses, but that’s simply not true, as a study co-authored by the writer of this blog proved (who is way too modest to point out it won the 2014 Shin Research Excellence Award). It’s really unfair to the consumer. Before you bash on the insurance companies too much, though, it’s as much the fault of the fragmented and uncoordinated State Insurance departments. In any event, unless/until the system is reformed, we’re stuck with them, and the absurd proposition that if your roof is damaged by a 90 mph wind from a thunderstorm, your deductible might be $500, but if that same roof is damaged by a 90 mph wind from a hurricane, your deductible might be $2000 or more. So in your financial planning, be aware that your deductibles from a hurricane will be higher, in some cases much higher, than you might expect.

So please take the opportunity to review your disaster plans this week, especially your evacuation plans, and make sure your insurance situation is secure.

Major #Earthquake in #Greece

Major earthquake in Greece this morning (5:16am ET), just after noon Greece time, with multiple aftershocks that are still ongoing …

Earthquake just after noon 3 March 2021 in Greece

The quake was felt all over central Greece as well as in Macedonia and Albania. It is likely there is extensive structural damage in the area in purple on this map and economic impacts will likely exceed $2 Billion ($2.7 is the current estimate). Fortunately there are few major cities in the area of most likely damage, the largest being Larissa, a city of just over 160,000 people. So far fortunately no reports of injuries or deaths. Damage reports are coming in this morning US time, mostly of structural damage …

Cold Hard Cash: #cost estimate for the big freeze in #Texas

I’m starting to see a few estimates on the cost of this episode in the media; for what it’s worth, here’s the Enki estimate … there is probably going to be on the order of $30-35 Billion in physical damage across the Southwest and Midwest, mostly in the form of water damage from busted pipes, of which about $20 Billion or so will be covered by insurance, making this a big but not catastrophic event for the suits. The economic hit on the other hand is probably another $40 to $55 Billion, making this an $80 to $90 Billion episode when you roll together the physical damage, economic impact, and government budget hits. When you consider that a few hundred million dollars of mitigation efforts (efforts that were recommended as far back as 1989) could have prevented maybe all but about $10 Billion of that, not to mention all the human suffering and even loss of life, there should be a serious reconsideration of priorities and some well deserved finger pointing …

Still snow on the ground in the Midwest as of Saturday afternoon …

Major #Earthquake in #Croatia

Over the last few days there have been a series of small earthquakes in Croatia. This morning US time (noon CET) a shallow M6.4 hit, and early reports are that it caused significant damage. At least one person has been killed, and the mayor of Petrinja reports “This is a catastrophe. My city is completely destroyed.” It is likely the death toll will be higher as the day goes on.

TAOS/EQ simulation of 29 Dec 2020 Earthquake in Croatia

Initial economic impact estimates are $4 to $5 Billion USD, with some models as high as $8 Billion. There are about 1.5 Million people in the hazard zone, and upwards of 150,000 people living in areas with a significant risk of structural collapse.

Cyclone Yasa and Fiji

While the snowstorm made headlines in the US yesterday, cyclone Yasa crossed the islands of Fiji yesterday …

TAOS/TC Impact estimate for Cyclone Yasa

Loss of life seems light, two deaths confirmed so far as of Friday morning US East Coast time, but damage is extensive. Fortunately the damage swath missed the more densely populated island of Viti Levu and main city of Suva, but it is still likely that Yasa caused upwards of $100 Million USD in damage. That may not seem like much, however for some perspective that’s around 1.8% of GDP, so it would be the equivalent of a 360 Billion dollar storm hitting the US, or over three Katrina/Sandy class storms.

#Iota aftermath in #Nicaragua, #Honduras

Iota was downgraded to a tropical depression as of the 4am forecast this morning (Wednesday 18 Nov). But that isn’t really the storm – although a Category 4 at landfall, the biggest impacts are inland due to landslides and flooding across northern Nicaragua and south/central Honduras. Communications are limited, and there are many areas that remain cut off from the floods caused by Hurricane Eta two weeks ago. This is a multi-phase, ongoing disaster that will only get worse as the weeks go on. Tens of thousands of people are in shelters in Nicaragua and Honduras, so it is likely there will be a spike in COVID cases in these countries in the days to come. Here is the present tropical analysis:

TAFB Analysis, Wed. Morning 18 November 2020

There is concern that the low pressure center forming off the coast of Panama, and the approaching tropical waves, will dump even more rain in the already saturated regions hit by Eta and Iota. It is very possible that we are looking at damage and, ultimately, deaths approaching the levels not seen since Hurricane Mitch in 1998.

There will be important foreign policy implications and decisions resulting from these storms. In the past, the economic privation and deterioration in the security status of Central American countries resulting from natural disasters have triggered waves of migration towards the US. It is certain that (as seems likely at the moment) this will coincide with a relaxation in immigration restriction by an incoming Biden administration. While many try to put this in the clear-cut humanitarian or homeland security positions the two political parties in the US have staked out, it’s not so straightforward. For one thing it ignores the impacts migration has on the original countries, something pro-immigration advocates tend to overlook. It is also destabilizing because many of those who leave are those who are the foundation of the economy. Then there is the danger of the migration routes themselves, and the exploitation of the migrants by gangs that fosters those criminal enterprises. Some countries encourage immigration because they see it as reducing their burden by getting the “surplus” poor populations out of the way – often “double dipping” by accepting US aid, but letting the security situation deteriorate so people leave anyway. All told, my position is that while we need to treat those who reach our borders with dignity and all humanitarian consideration, we should be aggressively supporting, stabilizing, and building up the countries of Central America so that people can (and will want to) remain in their homelands. We need to pay at least as much attention to economic development and assistance as we do to “security” (drug control) issues, which sadly is the prism through which the region is viewed. A comprehensive stabilization plan will be better for the region long term, as well as the United States.

The remains of Iota are probably going to end up in the East Pacific. The chances of it reforming are low at the moment. Aside from the low in the Caribbean noted above (20% chance) NHC also has an area in the central Atlantic tagged with a 20% chance for tropical development in the next 5 days. Even if something does get organized out there, while it might have winds approaching TC criteria, it will not likely be a real tropical system – it’s getting late in the year for that kind of thing out in the Atlantic.

Doomwatch, Tuesday 29 Sept 2020

Numerous potential flashpoints of doom out there … but nothing as of this morning above the “that might get bad soon.”

Tropics: Typhoon Kujira is off of Japan, no threat to land. Tropical Depression 18-E is off the coast of Mexico, again no threat to land. Closer to home (well, mine 🙂 ) a system is moving across the Caribbean that the global models are showing spinning up in a few days as it approaches the Yucatan Peninsula. NHC gives this a 50% chance of forming something in the next five days. Some of the usual suspects are already flogging the potential for the system to spin up. Here is what the GFS model is showing for next Wednesday, a sort of organized depression/minimal storm approaching the Mexican coast, and a second thing trying to spin up behind it …

DOOOOM! Or not. Probably not. But it might, so give me clicks! Or just relax and check back Friday.

but … models don’t always do so great in this kind of situation. They are getting better, but 7-10 days just isn’t there yet for anything other than entertainment purposes. A couple of things to keep in mind – note there is no “X” on the NHC map, just a diffuse area where something might form. Second, no discrete model runs or INVEST area ID has been assigned yet. The Tropical Weather Outlook doesn’t have the majik words “interests in <name of some area> should monitor the progress of this system.” So unless you are a die hard weather junkie, you’ve got plenty of other stuff to worry about!

Like the debate tonight between the raging dumpster fire and the older well worn house that looks comforting from the outside but has bats in the attic, rats in the cellar, and an ax murderer living in the spare bedroom.

Or the continuing slow burn of the COVID-19 Pandemic. I posted on this yesterday, and nothing I’ve seen in the last month or so says there is any progress – or significant new threats. As I write this the talking head on the radio news said “we have hit 1 million deaths, one fifth of those in the US.” Which is total bullcrap for reasons I’ve discussed before (globally there is a huge undercount; the US is about 5% of global population and if you take into account the horrible reporting in most of the world, is about 5% of deaths, not 20%). Guess he doesn’t read this blog. Sigh.

The economy continues to send up flares, red flags, warning lights, and Edvard Munch style screams. But Congress is deadlocked over the aforementioned election thingee, there is no coordinated plan to try to stabilize things, so the ongoing collapse of key aspects of the economy like small businesses continues. The wave of potential defaults is on the verge of becoming a tsunami, and when that hits the over-leveraged capital markets, Bad Things Will Happen.

In the geopolitical world, Donbass, Nagorno-Karabakh, Syria, Greece-Turkey, and Libya all continue to smolder. The situation in Nagorno-Karabakh is especially dangerous and tragic, given the involvement of Turkey in another potential attack on Armenians (which has a long and tragic history). It is one of many complex “frozen” conflict areas like Ukraine and the Balkans that were suppressed during Soviet times, but have flared up since. Why does this matter to you? The tangle of alliances and obligations can rapidly drag outsiders in. Oh, did I mention oil? Because oil is involved as well … of course.

Oh, and Tampa Bay winning the Stanley Cup? Which sign of the apocalypse is that?

So we wait and see what happens. There’s always stuff to worry about, and it is best to be proactive when we can. But if you have a family emergency plan (always keep a week of emergency food, containers you can fill with water on short notice, and a contact plan), a weather radio, and are taking COVID precautions (masks when going to enclosed spaces, distance, good hand hygiene), you’ve got most of the bases covered, so enjoy life and don’t worry about all the might be’s until they become “probably”s …