Distraction and denial - a lesson for cyber-security

High up in the Italian Dolomites, between the fine Baroque town of Belluno and the chic resort of Cortina d’Ampezzo, lies the incongruously anonymous and modern town of Longarone. In it, the tourist signposts all point to something called the Vajont Dam. Last weekend I visited the dam and discovered its extraordinary and appalling story, and the moral it holds for those of us in the cyber-security and biometrics industry.

The Vajont Dam is a beautiful and remarkable structure, a true engineering achievement. When finished in 1959, it was the tallest dam in the world. At 260m, it is 40m higher than the Hoover Dam near Las Vegas and nearly as high as the Shard in London. Its elegant curves contrast sharply with the abyssal crack that is the gorge of the Vajont river. It’s obvious why it seemed like such a good idea to build it – with a dam only 190m long, the designers could create an amazingly deep reservoir, holding over 150m tonnes of water to be used to help feed one of Italy’s biggest hydroelectric generation systems.

But on the night of 9th October 1963, the entire side of the mountain flanking the reservoir suddenly broke free, slid down and fell into the lake. Tumbling at 100km/hr, the mountain completely filled 2km of valley in under 45 seconds. Instantly, 50 million tons of water were punched out of the valley into the air. Inhabitants of the mountainside town of Casso high up overlooking the lake heard the monstrous thunderclap and watched as a wall of water towered over their heads, and they thought the world had ended. A gigantic mass of water was thrown clean over the top of the Vajont Dam in a wave nearly 200m high. That colossal wave plummeted down into the main Piave valley, exploding onto the town of Longarone with the force of the Hiroshima atom bomb, killing 2,000 people instantly. Nothing was left of the town except the church bell tower.

Today the valley behind the dam where the reservoir once lapped is filled with rolling hills, and the ground level is roughly where the water level was on the night of the disaster. The road that used to flank the lake now snakes steeply up over the earth mass that has replaced it. In the main valley, Longarone has been rebuilt as a modern city, much as Hiroshima has been. It is impossible not to be impressed by the sheer monstrous scale and power of the event, the depth of the resultant human tragedy – and the extent of man’s folly.

The question of why the tragedy of Vajont happened has been much discussed over the last half century. I have not yet read the articles of that time in L’Unità by journalist Tina Merlin, who was prosecuted and acquitted for “disturbing public order” with her accurate warnings of the disaster to come, nor the 2005 memoir by Edoardo Semenza, the geologist who discovered the danger. In the 1990s Marco Paolini wrote his famous theatrical monologue “The Story of Vajont” based on historical research and the writings of Merlin, bringing an understanding of the tragedy to a wider audience.

The pattern of events is fairly clear: as soon as the dam was completed and testing began by repeated filling and emptying of the reservoir, the mountain began to show signs of instability. Small landslides, big cracks in the mountainside, loud noises and increasing movement all indicated that there was something amiss. The dam owners, often accused of a callous disregard of the danger in pursuit of profits, appear to have been guilty of no such crime. It is obvious that the engineers and executives involved had absolutely no intention of killing 2,000 people and destroying whole communities. They diligently commissioned studies by several geologists (including Semenza, the son of the dam’s architect) and scale model experiments. The results were at first contradictory, sometimes puzzling and always ambiguous. As evidence mounted that there was serious trouble ahead, the senior managers dutifully reviewed studies and investigations, without ever managing to comprehend the magnitude of the danger facing them. As evidence mounted that a catastrophe was brewing, they went into denial. To me, the vast spectacle of Vajont is the very embodiment of denial.

Part of the trouble was that they were distracted by the wrong problem. The focal point of a reservoir is the dam – an expensive, highly visible investment, placing great demands on engineers and builders. The Vajont Dam and its hydraulic engineering deep inside the mountain were a huge achievement on a global scale – the fun bit of the project. Compared to that, bits of rubble toppling into the lake was really a very much less engaging problem. In the event, the Vajont Dam withstood the terrible blast, with only the top metre of its rim torn away. Today, you can walk across it on one of the regular guided tours and admire its smooth, undamaged curves.

Having worried so much about the dam, the managers were reluctant to get so excited about the banks of the lake, which were both duller and about which they could do little. When it became clear something had to be done, their dam-centric vision led to the construction of an immense tunnel to ensure that the valley river could bypass any eventual blockage of the reservoir. It’s odd they didn’t think deeply enough about the blockage event itself.

Signs of the paradigm shift were everywhere. The locals became increasingly frightened as a one metre crack opened up high on the mountainside, and began to widen daily. Successive reports described in increasing detail where the mountain would fail and why. Five hours before the catastrophe, the trees began to topple as their roots were torn away.

From experience, I know how seductive it is to see signs of a major shift underway yet interpret them in the context of the world as you would like it to be. Denial and distraction are powerful forces on all of us.

By coincidence, days before I visited Vajont, Wired Magazine reported on a recently published paper by the University of North Carolina (UNC). It described how current techniques of virtual reality, applied to photos such as public Facebook images, had been used to successfully spoof leading face verification systems. The UNC researchers built animated digital models of their subjects, and made them move, blink and even track with the movement of the phone. With good quality imagery, their success was total.

Up until now, most work on face verification has focused on the demanding and challenging problem of accurately matching faces. It’s the same with many biometric systems. Facial and other biometrics are rapidly gaining traction thanks to their many benefits. They are wonderfully simple to use, require no feats of memory and may require no special hardware. Focusing on the fun stuff, performance figures typically measure matching accuracy, competing to see how many zeros can be put after the decimal point. The complementary problem – that of distinguishing real people from physical or digital forgeries – has been relegated to an unquantified footnote by most industry protagonists.

The UNC paper changes all that. Suddenly, the industry is face-to-face with a vivid illustration of a new class of risk facing it. Financial institutions, governments, healthcare and Critical National Infrastructure providers, and indeed enterprises of all sorts, must acknowledge that the chief threat now facing this technology is the risk of forgery (and the associated risk of replay).

Such risks have mostly been consigned to the neglected slopes of the valley surrounding our metaphorical dam. Now I feel as if we have just heard the crack of a fissure opening. Forgery and replay attacks can use stolen credentials or those made public (on Facebook); they can be mounted on a huge scale; they can leverage malware on phones and can be hard to detect. As the UNC paper proves, they will fool even super-sophisticated matchers. Confronted with the new reality of these risks, the industry must adapt rapidly, or deal with the consequences of denial.

I hope cyber-security failures never have the potential to wreak a level of human suffering comparable to those of geo-technics. Nevertheless, as leader of one of the companies which has begun to address this threat head-on with some success, and also as a recent visitor to the Vajont Dam, I urge both users and vendors in the biometrics industry to take this paradigm shift seriously, to respond and to adapt – before it is too late.

Charmaine Oak

Digital Money, Payments and Remittances Expert

8 years ago

Andrew Bud, thanks for this thought-provoking piece. The UK is investing heavily in cyber-security but it is something that each one of us in payments, banking, fintech and innovation must prioritize. With PSD2, the deepening of partnerships and opening up of accounts and increasingly complex value chains, "weakest links" are continually being created even by the best-intentioned projects. Pressure of take-to-market and simply the inability to cope with complexity can create landmines for the future.

Gavin Simpson

RVP, UKI Partner Sales at Salesforce

8 years ago

Fascinating insight and a worthy study of how we should be looking "beyond the obvious" (to coin an old BCG mantra ;-). Having worked for several years previously in the security industry and for the past 20 in technology, I recognise how easy it is for we vendors to get caught up in our own features and to focus on the parameters and challenges that best serve our mission - namely to sell as much of our specific products as possible to as many clients as possible (as quickly as possible). Taking a step back and adopting a different lens on what might actually be a larger problem not only helps deliver more value in the short-term (and less waste - or energy, money or in the case of the parallel dam analogy, loss of life!) but also ironically might well serve to enlarge the opportunity for innovation (and more product sales!) longer term.

Great article!

Oisin Lunny

Award-Winning Marketer, Podcast Host, Event MC, B2B TV Host, Online Moderator, Virtual Emcee, Keynote Speaker, Meeting Facilitator and Journalist. My motto is ABC Always Be Connecting

8 years ago

Excellent and compelling post Andrew, it really beats "the elephant in the room" as a suitable metaphor for denial!
