Why Your Firewalls Are Mathematically Doomed: The Physics of Control in a Chaos Engine
We tend to treat cybersecurity as a resource problem: if we just had more analysts, faster logs, or better rules, we would be secure. But 70 years of cybernetic theory suggests the problem isn’t a lack of resources; it is a violation of fundamental laws of physics.
In Episode 3 of “The Morphogenetic SOC,” we leave biology briefly to explore Control Theory—the mathematical study of how systems regulate themselves. When applied to the SOC, the “Law of Requisite Variety” reveals why static defenses are mathematically destined to fail against adaptive attackers, and why “imagination” is the only metric that matters.
Here are the most critical takeaways on the cybernetics of defense.
1. The Law of Requisite Variety (Ashby’s Law)
W. Ross Ashby, the father of cybernetics, formulated a law that is as immutable as gravity: “Only variety can destroy variety.” In simple terms, for a defensive system (the regulator) to remain in control, it must have a number of available states (responses) equal to or greater than the number of states available to the attacker (the disturbance).
- Why it matters: Traditional security relies on static rules (low variety) to stop dynamic attackers (high variety). An attacker can mutate their code, change IPs, or alter their behavior in infinite ways. If your firewall has 1,000 rules but the attacker has 1,001 methods, the system must eventually fail. We cannot solve this by adding more static rules; we must build agents that generate novel “variety” (adaptations) as fast as the adversary does.
2. The Good Regulator Theorem
Building on Ashby’s work, the Good Regulator Theorem states that “Every good regulator of a system must be a model of that system.” You cannot secure a network effectively by just reacting to “bad things” (blacklists). The security agent must possess an internal, predictive model of how the network functions normally.
- Why it matters: This exposes the flaw in “reactive” security. A simple antivirus scanner checks for known signatures—it has no “model” of the operating system, only a list of bad files. A true “Good Regulator” (like an advanced AI agent) simulates the internal dynamics of the system it protects, allowing it to predict and counteract disturbances (attacks) before they cause irreversible damage, rather than just cleaning up the mess afterwards.
“The law of requisite variety says that variety must be controlled, if successful regulation is to be achieved… When confronted with a complex situation, there are only two choices – increase the variety in the regulator… or reduce the variety in the system being regulated.”
3. Requisite Imagination: Bridging the Reality Gap
While Ashby dealt with machines, Erik Hollnagel updated these laws for socio-technical systems (like a SOC) with the concept of Requisite Imagination. This addresses the dangerous gap between Work-as-Imagined (the neat, linear playbook written by management) and Work-as-Done (the messy, adaptive reality of the analyst).
- Why it matters: Security failures often happen not because the system broke, but because the “map” (playbook) didn’t match the “territory” (reality). Agents and analysts need “Requisite Imagination”—the capacity to foresee future states and potential failures that aren’t in the manual. If your security agents cannot “imagine” a new attack vector, they lack the requisite variety to stop it.
Summary: Security is ultimately a control problem. By respecting the Law of Requisite Variety, we stop building brittle walls and start designing “Regulators”—adaptive systems that maintain a model of their environment and generate enough variety to out-maneuver the chaos of the internet.
The Question: Does your security stack have enough “variety” to match your adversary, or are you just waiting for them to find the one state you didn’t write a rule for?