INVISVWhat can the Cretaceous-Paleogene (K-Pg) extinction event that wiped out the dinosaurs teach us about privacy and security policy and practice? And not just the event itself, but the process that led up to the Chicxulub discovery and the success of intellectual polycultures. Let's find out, in another installment of Where on Earth is This Thread Going.
66 million years ago most life on Earth was wiped out. For centuries, as the past existence of Mesozoic-era dinosaurs became more certain, their disappearance became all the more mysterious. What did it say about the planet that we live on, and our precarious place in it, that dinosaurs -- the dominant vertebrates for over a hundred million years -- could just disappear?
In the 19th and 20th centuries, many theories were proposed for why the dinosaurs died out -- everything you might expect and plenty of things that you might not. An asteroid impact had long been suspected by many, but nobody had found any evidence of it.
In the 1970s, researchers started to examine K-Pg extinction theories more seriously. In an Italian town dating back to the Bronze Age, Walter Alvarez found a mysterious, thin layer of clay that separated the time of the dinosaurs from the time of no dinosaurs. That layer of clay was found to have high levels of iridium. And the layer of clay wasn't just in Italy, but in Denmark, New Zealand, and elsewhere.
Iridium is rare on Earth but not rare in space. So, in 1980, they proposed their theory on the impact of an iridium-rich asteroid: that "[i]mpact of a large earth-crossing asteroid would inject about 60 times the object's mass into the atmosphere as pulverized rock; a fraction of this dust would stay in the stratosphere for several years and be distributed worldwide. The resulting darkness would suppress photosynthesis, and the expected biological consequences match quite closely the extinctions observed in the paleontological record."
The team that made this discovery was interdisciplinary. Geologist Walter Alvarez discovered the clay layer, brought in his dad, physicist Luis Alvarez, who then turned to chemists Frank Asaro and Helen Vaughn Michel. Asaro and Michel went hunting for iridium in the clay, expecting to not find much, and when it was off the charts they thought that they must have done something wrong.
But they still didn't have any direct evidence of an impact, just a thin layer of iridium-rich clay around the world, from right when dinosaurs went extinct.
Meanwhile, in 1972, fisherman Rudesindo Cantarell Jimenez noticed that an oil slick off the coast of Campeche, Mexico was messing up his nets. He led geologists of Pemex, the state-run oil company, to the spot, where a few years later they found what they named the Cantarell field, one of the largest oil fields in the world. The 1970s was a boom time for Pemex, with massive drilling and exploration.
But the focus on oil drilling for Pemex meant that their intensive geological work was laser focused on what would make them money: oil fields. Anything that was not about oil fields was irrelevant. In 1978, geophysicists working for Pemex found magnetic and gravity anomalies, which they thought was a clear sign of a massive impact crater. Pemex bosses disagreed, dismissing it as volcanic activity and barring the release of data. The geophysicists did manage to present their theory publicly, but it was largely ignored except by a lone journalist.
During the 1980s, evidence of an impact in the Gulf of Mexico was accumulating, with tektite glass -- formed in asteroid impacts and nuclear detonations -- showing up all over the region. A geology grad student from University of Arizona found indirect evidence near the Brazos River. But no direct evidence of an impact had been found.
Then in 1990 that lone journalist who'd reported on the Pemex theory told that former Arizona grad student about Pemex's findings. They found, with some sleuthing, that Pemex had been storing drilling samples from the region, for decades, in a repository in New Orleans.
Finally, they'd found it: the Pemex samples from New Orleans were first direct evidence of the asteroid impact. Meanwhile, others had been studying satellite data that showed a ring centered on a small town in Yucatan, Mexico.
These various teams pulled their findings together and in 1991 they published their results on the Chicxulub crater. But it didn't end there. For years naysayers didn't believe that it was the one true cause of the K-Pg extinction. Only in 2010 did an interdisciplinary team of scientists review the decades of evidence and conclude that, yes, it really was.
Pemex scientists, over the span of over a decade, had found evidence of an impact, but it was not what they were there for. Even those who wanted to publish their data couldn't overcome institutional reasons not to. As an organization, they had the data but no incentive to analyze it, release it, or accept alternative theories.
Those who were searching for scientific knowledge on the K-Pg extinction event weren't primed to hear it -- or even encounter it -- from some Pemex oil drilling geologists. A journalist had to, eventually, connect the dots.
Organizational incentives dominate most industries, so it's worth considering and celebrating pro-social norms where they exist.
Software vulnerability disclosure practices could have very easily gone another way, but the norm is that companies mostly disclose vulnerabilities and encourage bugfinding. There are plenty who don't, and try to use legal measures to prevent others from doing so, but largely that doesn't work.
In 2005, Diane Vaughan wrote an incisive analysis of the space shuttle Columbia disaster. She found that the engineers had 1) "normalized deviance" -- they no longer perceived anomalies that they should have, 2) a "culture of production" -- only show stoppers, but not incremental and accumulating issues, were worth slowing down for, and 3) "structural secrecy" -- while bad news was not hidden at an individual level, structural separation led to de-contextualization of risks.
Perception -- whether at the raw level of human vision or at the level of work taking place in an organization -- is purpose-guided. We see what we're looking for and what we want to see. What a person or organization isn't looking for and doesn't want to see is mostly invisible. Pemex as an institution wasn't looking for K-Pg extinction event asteroid craters, so they didn't find one despite seeing it over and over.
Governments have the job of collective risk management -- of managing risks that no one party would address or see themselves. Just a few months ago, NASA presented results of DART, which successfully deflected an asteroid for the first time.
There are collective risks both big and small in software supply chains, aggregation of user data by data brokers, solar-flare spawned Internet outages, core infrastructure security, and far more. These are the kinds of collective risks governments are well-positioned to mitigate, and no one organization can or is incentivized to. But it is on us all to get a government of and by the people to take action on these risks.
Polycultures are important. People have different skills, perspectives, and connections. They have different institutional incentives and roles, and collaborate with others in diverse ways. The problems of security and privacy aren't that different from a complex scientific discovery -- no one can get the job done alone.
We also see here that good journalism is essential to connect the dots that others don't connect. We need people like @briankrebs, @lorenzofb, @lhn, @drewharwell, @dell and so many more to see beyond the financial incentives that make it difficult for people to see the whole picture. Because even if incentives were aligned, no one perspective is sufficient to piece together a story of sufficient complexity.
Pete@invisv excellent, excellent thread. Thank you!
Eli the Bearded@invisv T. Rex and the Crater of Doom by Walter Alvarez came out in 1997. Seemed pretty darn clear before that came out. Your timeline seems biased to support your story
@elithebearded I'm not sure what you mean, but yes the Alvarez theory has been around since the late 1970s, like I mention, and the idea of an asteroid-caused extinction was around as a possibility for centuries also like I mention. What wasn't clear was *evidence* -- and that was what that final piece of the puzzle, from 1991 and then confirmed again in 2010 was about. By 2010 most laypeople were on board with the theory but the reason they put together a panel is that scientists wanted to be sure.
Even now there are alternative theories, such as that dinosaurs were already on the decline and even without the asteroid they might have gone extinct:
https://www.nature.com/articles/s41467-021-23754-0
Dinosaur biodiversity declined well before the asteroid impact, influenced by ecological and environmental pressures - Nature Communications
Dinosaurs are thought to have been driven extinct by an asteroid impact 66 million years ago. Here, Condamine et al. show that six major dinosaur families were already in decline in the preceding 10 million years, possibly due to global cooling and competition among herbivores.