Sailing Safely after the America’s Cup Death

I would like to write about the America’s Cup as I have not yet found a good source of information on recent events.

I am by no means an insider, although I admit I’ve been racing high-performance catamarans similar to AC boat designs for over a decade, and I work in risk management.

Perhaps there’s someone out there who can provide a more authoritative perspective, but in the meantime here’s my amateur and unqualified opinion on what recent accidents may mean for sailing in America.

It is too easy to say loss of life is a reality in high-risk events. Likewise it is too easy to say precautions are the obvious answer. The difficult question is whether the America’s Cup authority, known for bias and gerrymandering for self-serving victories, should be trusted with assessment and decision on risk.

Are multi-hulls dangerous?

For as long as I can remember, sailors in the Bay have discussed how multi-hulls capsize ungracefully and permanently. Trimarans and catamarans were banned in some of the large coastal races I’ve done (Monterey Bay) specifically because event sponsors and support wanted to minimize risk. Believe me, I would have sailed a multi-hull if the option were allowed; we would have cut our race time in half, and less time on the water is arguably safer. Subsequently, over the past three years at least, there has been discussion of whether someone will die when a 72ft carbon platform flips over.

Don’t get too worked up about multi-hulls, however. Speed is an essential ingredient in survival (boats can run from danger), and amateurs on multis in heavy weather have proven they can fare better than monohulls. We also have to admit boats with one hull are statistically more deadly. There are many, many years of data on monohulls involved in tragic and fatal accidents; not least of all was the recent and local Farallones Tragedy.

Mining the data on events like the 1979 Fastnet disaster (15 deaths, 69 monohulls retired) and the 1998 Sydney-Hobart disaster (5 boats sank, 66 boats retired from the race, 6 sailors died, and 55 sailors were taken off their yachts, most by helicopter) has taught us a lot about risk.

One lesson is that chances of survival in difficult weather are significantly higher for boats over 35 feet long. This is related to the engineering. Larger boats are typically made to handle offshore conditions and more continuous use than day-sailors.

If we dig a little deeper into lesson one, we find lesson two: pushing boats into heavy weather conditions creates unfair or at least unintended competition. Survival conditions impose a completely new set of criteria for success. Sailors of any experience know this well. I can think of at least a dozen hair-raising experiences I have had on boats and even some near-death moments. Here are a few relevant examples:

In 2003 a storm blew through Louisiana that decimated the A-Class Catamaran North American Championships. It was my first major race on a new boat and suddenly I found myself sitting among the top ten competitors in America. Why? I had grown up sailing so it was natural for me to drop into survival mode — get my boat across the line and to shore in one piece. It was sad for me to watch far better sailors, even Olympic medalists, crash and burn. They pushed on with their prior competition as I pulled back, sailing through an asteroid field of broken boats. Only 11 of us finished among more than 40 boats. It was a victory I didn’t want.

Similarly, I found myself crossing the finish line in 17th place at the 2005 A-Class Catamaran World Championships after the wind disappeared. Nearly 100 boats drifted. Again I switched into survival mode, pegged a line of breeze and swooped to a bittersweet victory over sailors usually far better than me. Although it was very exciting to be just seconds from the top 15 in the world, it still was not a wanted victory.

First Place at SCYC
Me sailing an International A-Class Catamaran in light wind

I have many more examples, but in 2012 I took a different role. I rode a rescue jet ski at the A-Class Catamaran North American Championships. The sea state was so rough I could barely operate the jet ski. Within just a few hours I had rescued one of the best sailors in the world, who had become separated from his boat, as well as towed four capsized, dismasted and exhausted top-tier international competitors to shore. From this experience I wrote a detailed explanation of how to use tow lines and a power-boat to carefully rescue turtled (upside-down) high-performance catamarans.

Perhaps you can see why I want to articulate my thoughts on what is happening after the Artemis catamaran disaster. I’ve been thinking about multihull risk management for a long time.

Why does baseball stop when it rains?

Sailing has weather guidelines. Don’t sail when it’s too windy, don’t sail when it’s not windy. It should be as simple as canceling a tennis match or a baseball game. Instead it’s a complicated debate about who can “handle” risky conditions.

People talk about the Artemis accident in terms of boat sea-worthiness yet that’s not the correct focus of inquiry.

Here’s what I believe to be the real story on the America’s Cup accident. Team Artemis made a critical risk calculation error early in their campaign related to structural design. The boat was compromised when they tried to work around the rules. This led to an eventual critical failure and death.

What was the error? AC rules specify a limited number of days sailing on the water for the first 72 foot platform. This could in theory reduce research and design costs. Instead it created control evasion as teams wanted to source design data.

To get around the “sailing” rule Artemis put their AC72 “big red” on the water without a wing attached. They set out to accumulate data on hulls. Although this avoided using up precious days “on water” it required a different power source. Powerboats were attached by line to pull the platform at speed.

Preparation and study of load is where things went awry; the design of the boat was for wing strain, not arbitrary tow lines. As some might have expected the introduction of intense power loads damaged big red’s structure — the main beam that was designed to sit beneath a wing was cracked. The ultimate failure of “big red” on its last day on the water was related to the main beam failing…again.

Thus I think the Artemis accident should be seen as an unfortunate design failure, but not directly related to sailing. It was a failure to anticipate tow line strain coupled with continuing to sail on a damaged structure. It had nothing to do with abilities of any sailor on board (unlike the Oracle capsize, which was the result of pilot error during extremely difficult weather).

In fact it is easy to see how a wing, due to its stiffness and the efficiencies that follow from it, actually puts less load on the structure than the cloth sails we used to use. So I hope people see why beam damage from being under tow should not be misrepresented as wing load risk or even foiling risk.

If we want to avoid a structural failure risk in future we must consider the Artemis disaster in terms of load edge-cases. Whether it is a tow line or a force 10 gale, applying unanticipated amounts of stress on untested structure is a recipe for surprise. You could say the same for airplanes or any structure. A massive storm, a line tied to the end of a wing…these are dangers to face outside normal operating conditions.

Tragedy and leverage

This leads me to the most controversial aspect of what has happened since the incident. There is a conflict of interest with a competition authority that is paid by the defending competitor. When they rule on design changes we have to ask if they are making decisions based on competitive advantage.

Plus we know that Oracle has been playing catch-up with their design. Their boat clearly was not designed to foil above the water. That is my guess as to why every time you see Oracle 17 in pictures they’re flying a hull, yet the other AC boats are flying level. If you’re foiling you don’t need to sail at any angle, right? You already have your hulls out of the water.

Oracle Hulls Unbalanced

ETNZ Hulls Balanced

This is not to say the Oracle design team is entirely off target. I see some design innovation advantages (i.e. the giant pod beneath the mast assists with flow, effectively extending the force of the wing). The fact remains, however, that a defender playing catch-up to challengers is going to be under pressure to eliminate the gaps. Oracle already has demonstrated they are not above cheating to catch up.

It appears to me at first look that findings, supposedly related to safety, are aimed at eliminating challenger technology that Oracle sees as a threat to their victory. Safety is in danger of being used as an excuse to help the defender win instead of directly addressing real risks.

If Oracle plays a corruption card to win they deserve not only to lose the cup, they should be ashamed for doing exactly what they promised would end with their leadership. The cup has been steeped in a history of cheating and spying for advantage. Using the Artemis tragedy and safety for competitive leverage will take us to a new low.

The burden therefore is upon the defender and their race authority to transparently and clearly explain any required changes in terms of real risk. This is a critical moment of big data analysis of risk for Oracle; it can help or seriously hurt American sailing. I hope they use it wisely.

Active Defense/Hack Back and “Complete Ignorance”

I recently read a post about “Active Defense” or, as some call it, hack back. I won’t reveal the author or the title so as not to disparage anyone. Certainly this topic is very sexy right now and many like to write about it, but most of the articles I have seen constitute fear mongering, with comments based not in fact or even sound theory but in ignorance of the topic, the laws, and the technology, and they appear to be an attempt to sensationalize the topic.

Yes, there is a problem. Yes, companies are suffering. Some of the companies have a legitimate complaint. They have done all they can and the government has tied their hands by saying things like, “if you hack back you are no different than the hackers.” A lot of companies, though, have no right to complain because their security really sucks, is like Swiss cheese and they are not willing to spend the money to fix it.

The blog I read recently quoted a former DoJ attorney who stated that it is illegal to go outside of your network and hack back at your attacker. In the next paragraph the writer quotes a so-called security expert who says his company has the capability to determine who attackers are and collect intelligence on them, and this is not illegal but good practice. The expert provides the usual, “do not try this at home,” warning. I will leave it to you to decide whether this warning is good advice or simply self-serving.

So here’s my problem: these quotes claim on one hand that it is illegal to attack your attacker, but on the other hand that it is not illegal to take the steps necessary to determine who your attacker is? If determining who attackers are were really that easy and clearly lawful, everyone would be doing it. Most would admit the greatest challenge with cyber crime is determining who the attacker is, i.e. attribution. One of the great claims by those who believe “Active Defense” is illegal and immoral is that attribution is extremely difficult, and if you can’t determine attribution then you may be “attacking an innocent victim.”

As a side note to the above comment, and as I have said in previous blogs, if someone has been compromised and their server is being used to attack my company, that person is NOT innocent. A victim like me, yes, but innocent, no. If I have to disrupt his server to protect my company then so be it. Chances are that server owner does not want the other hundreds or thousands of companies who are victims of his server attacks to know that he is the patsy attacking them due to his crappy security.

So, I would kindly ask those who like to write about “Active Defense” to please do some research, think the process through, stop confusing the issue and stop writing fear mongering comments like, “you might start a war with China.”

Active Defense: Attribution is just not that important

Imagine owning a company and realizing you have been hacked and the hackers are disrupting operations or stealing trade secrets, intellectual property, private information, or even money. As best as you can determine this did not just happen but has been going on for a while. You hired a company to do an incident response, clean up, patch the holes and get you back up and running. They may or may not have claimed to have secured your network, but state in no uncertain terms that any action beyond what they have done would be illegal. Within months you notice the same activity. So, you call the company again. More money, more time, and more meetings about how much is being lost. Do you call law enforcement? Do you continue with the cyber security company and keep paying them? Do you have a data breach notice responsibility to shareholders, the board, and customers/clients?

What you need is a clear and concise plan of action to follow in these situations.

When lecturing on “Active Defense” I often hear comments like, “hack back is illegal,” “without attribution you might hurt an innocent bystander,” or my favorite, “you might start a war with China.” So what is “Active Defense”? Many people equate it to hack back. My definition of “Active Defense” is “a clear and concise process or plan for addressing a compromise to the security of your network and/or the loss or theft of data.” The process begins with an incident response and could ultimately end with hack back. It includes a series of predetermined check points requiring leadership/CEO involvement in making various decisions. One of the first decisions is whether, based on the information available and/or gathered, the attack is a one-time occurrence or an ongoing intrusion/breach. If it is determined to be a one-time occurrence the decision is easy: initiate an incident response plan, clean up, patch holes, and provide notifications required by law. If the attack appears to be ongoing, some of the follow-up decisions may include: what end-state the company is seeking (find the hacker and prosecute, block the attack, get data back, etc.); what intelligence/information should be gathered; what tools/techniques should be developed and/or used and how; as information is gathered and options presented, which should be considered and pursued; and many more, most of which are dependent on the facts, information available, best interests of the company, the fiduciary responsibility, etc. At each stage and as each decision is made, risk, liability and legal issues are discussed, evaluated, and factored into the decision process.

Okay, so why is attribution not that important? 

Certainly, being able to identify your attacker makes life much easier for you and your company. Even if you can’t identify the attacker, being able to identify who owns the server being used to attack you makes life simpler. You can simply call the owner of the company whose server has been compromised and is attacking your network and work together to block the hacker. If, for some reason, the owner of the compromised server will not work with you, then you can proceed as if he is the hacker. You might contact law enforcement, or if for some reason that decision has been ruled out or law enforcement is not able to assist, then you might decide to take action to block the attacks. At this point the leverage you can garner against the server owner is pretty great. Chances are his server is not only being used to attack you but many other companies as well. The server owner will likely not want all of the other companies to know his compromised server is responsible for their pain, assuming they are aware of it. When this fact is revealed to him he may suddenly be more than ready to negotiate and assist.

In many cases, though, you will not be able to determine the identity and/or whereabouts of the server owner.

In that case, if you strike back and inspect the server attacking you, have you lashed out at an innocent bystander? Many people claim just that. I would argue this person is a victim like you, but an innocent bystander, not even close. Consider the 2006 movie “Firewall” with Harrison Ford. His wife and daughter were kidnapped and the kidnappers, using this leverage, forced him to hack into a bank he was hired to protect and steal millions of dollars for them. Now, granted, I like Harrison Ford, but if he is stealing my money he’s not an innocent bystander. He is a victim, but if it is me or him, choices must be made. Equally, if it is my company losing thousands or millions of dollars, then attacking the server being used to attack me seems like a pretty good option and it is “game on!” This is where, depending on how you accomplish blocking the attack against your network, self-defense becomes a factor and part of the decision-making process. I will leave self-defense for the next installment in this series of blog entries.