Early on in a paper evaluating IPsec (a protocol, now in wide use, developed to allow private and secure communication over the public and insecure Internet), authors Niels Ferguson and Bruce Schneier introduce what they call a rule of thumb:
The Complexity Trap: Security’s worst enemy is complexity.
They proceed to explain:
This might seem an odd statement, especially in the light of the many simple systems that exhibit critical security failures. It is true nonetheless. Simple failures are simple to avoid, and often simple to fix. The problem in these cases is not a lack of knowledge of how to do it right, but a refusal (or inability) to apply this knowledge. Complexity, however, is a different beast; we do not really know how to handle it. Complex systems exhibit more failures as well as more complex failures. These failures are harder to fix because the systems are more complex, and before you know it the system has become unmanageable.
Not only can complex security systems break down and fail to be implemented correctly, most of us have been complicit in circumventing or simply ignoring security protocols that we find onerously complex.
While Ferguson and Schneier were focused on one specific security protocol, viewing complexity as the enemy is useful as a more general rule of thumb. In computer networks, more complexity introduces more moving parts that can break. More complexity reduces the certainty of how devices will interoperate when plugged in. More complex networks are more difficult to document properly, and when things do inevitably break, the problems take longer to diagnose and repair. Complexity can introduce a cascade of costs that flow downstream.
Then there is the realm of finance. In our highly financialized world, with its dizzying array of complex financial instruments, complexity can, as we’ve recently seen, become Death, the destroyer of worlds. Satyajit Das, a derivatives expert, bookends his book “Traders, Guns, and Money” with an account of his experience being an expert witness for an Indonesian noodle maker that was being sued by their bank. Their bank had convinced the noodle maker to engage in a financial transaction called a currency swap. Their income was in Indonesian rupiah, and the swap would convert their debt into dollars, with the goal of saving them money.
Imagine a very simple world economy, with two currencies: sticks and rocks. You make grog and sell it to people. They pay you in sticks. You take out a loan to expand your operations, so you have debt. However, the debt is to be paid back in rocks. You have sticks from customers’ payments, but how do you get rocks? Well, there is a currency exchange down at the corner. At the exchange there is a rate that determines how many rocks you can get for a stick, which can change over time. Currently the exchange rate is 1/1, an even exchange for sticks and rocks. Let’s say at some point the exchange rate goes to 1/2: one stick is worth two rocks. This is great for you. Without doing anything you have effectively halved your debt, because you can get twice as many rocks for the same number of sticks (and hence pay off twice as much of your debt). How about the other way? What if it takes two sticks to get a rock? Your debt has been effectively doubled, because the same number of sticks will only get you half as many rocks with which to pay off your loan.
That is called currency risk. Early in his interaction with the noodle makers, Das asks them “What about the currency risk? You have borrowings in dollars but no dollar income. If the dollar rose against the rupiah, then your dollar borrowings would show losses. Did you consider the currency risk?” Das’ clients can only respond “No risk, no risk.” because they were told there was none by their bank and they didn’t understand the transactions.
But that was only the beginning. The bank led the noodle makers through a labyrinth of increasingly complex financial transactions with names like ‘arrears reset swap’ and ‘double up swap’. After the noodle maker got into serious financial difficulty (owing the bank a great deal of money), this all culminated in the bank setting up a new trade, in which the bank would get 4 million a month from the noodle maker, and the bank would pay the noodle maker a sum calculated from a complicated formula that hilariously always came to zero.
And it is complex financial instruments with acronyms like CDO and CDS, and the unrecognized risk hidden within them that blew up, that lie at the heart of the global financial meltdown of 2008. One bracing thing to come out of the post-mortem of the catastrophe was how little regulators understood the extent of the interrelation of the large banks and the systemic risk that posed, and how little understanding senior financial executives had of the complex mortgage-related securities that sat in their institutions, ticking away and waiting to explode.
Complexity as a weapon
In another of Satyajit Das’ books, Extreme Money, he excerpts an email from Fabrice Tourre, a French employee of Goldman Sachs who sold a complex financial instrument that later exploded, to his girlfriend (yes, he refers to himself as ‘the fabulous Fab’):
More and more leverage in the system. The whole building is about to collapse anytime now... Only potential survivor, the fabulous Fab standing in the middle of all these complex, highly leveraged, exotic trades he created without necessarily understanding all of the implications of those monstrosities!!!
We’ve all failed to read the fine print in any number of agreements we’ve entered into; our credit card terms hide any number of absurdly usurious clauses that will be activated at the slightest transgression. The complexity hides just how poorly our interests are being looked after (and just how well the interests of others are being looked after). Weaponized complexity, if you will. And it is aimed at us. Greg Smith, a Goldman Sachs alum, said recently in a 60 Minutes interview, “The quickest way to make money on Wall Street is to take the most sophisticated product and try to sell it to the least sophisticated client”.
Matt Taibbi put it this way in his book Griftopia:
Our world isn’t about ideology anymore. It’s about complexity. We live in a complex bureaucratic state with complex laws and complex business practices, and the few organizations with the corporate willpower to master these complexities will inevitably own the political power.
I don’t agree with the dismissal of ideology, but clearly our world is, and will increasingly be, about complexity and those who can manage and exploit it. Take regulatory capture. Those with the money, will, interest, and focus can navigate the baroque, labyrinthine legislative structure and heavily influence the content of laws and regulations. Those of us without the time or energy to lobby our congressman or review the 10,000 pages of some new proposed legislation are often left out.
But what gives complexity added potency as a weapon is our intellectual vanity. Most of us have been asked if we understand after having something explained to us. Even if we don’t, “Do you understand?” is rarely a question we answer no to. We don’t want to look like an idiot in front of other people. And if the questioner is condescending, we certainly don’t want to give the asshole the satisfaction of a ‘No, I don’t understand’.
One simple way to fight back against complexity requires little time or energy. We must lose that fear of looking stupid; we must ask questions. We must admit when we don’t understand something and get answers that we do understand. For if we don’t understand something, it may very well be not because we are stupid, but because we aren’t meant to.