Cybersecurity is increasingly central to discussions about the future of the Internet – and the future of everything that’s affected by the Internet. Last week I wrote about the need to shape our thinking on the Internet around its future rather than its past. This week I’m asking what that means for how we think about security.
What’s the problem?
Five starting points.
First, we have a problem (or a multitude of problems), and that problem’s inherent in what the Internet does and how it works. It allows us to share information/data/software between computers that are networked. That’s the point of it. It’s what gives it value but it’s innately insecure.
Second, it was not designed to be what it’s become today. The Internet’s pioneers created protocols and processes through which they could share data within small trusted groups. They did not expect their internet to become a global platform for governance, for commerce or for running daily life. If they’d predicted that, and the risks attached to it, they’d (presumably) have put security more firmly at its core. Instead, as it’s developed, the Internet community’s been catching up with each new threat.
Where’s the harm?
Third, those pioneers of the Internet expected that it would be used for “good” (at least as they saw “good”). But the Internet’s a tool for whatever people want to use it for. That includes, inevitably, those who want to use it for what others (most of us; some of us) would call “harm”.
In some cases, this means harm to the Internet itself. In very many cases it means harm through the Internet to others – individuals, governments, businesses, political opponents; through identity theft, disruption of governance or public services, fraud and industrial espionage, propaganda and disinformation, etc. In some cases it means harm to others through harm to the Internet – for example through DDoS (distributed denial of service) attacks. There’s variation, as a result, in what different people mean by cybersecurity, which can confuse.
How big’s the problem?
Fourth, the cybersecurity challenge has become more important and pervasive as the Internet has become more important and pervasive, particularly as it’s reached into the way we run our lives, governments run their business and businesses handle our information. If we want to rely on online banking and smart systems, then we need to trust them, and to trust them we need high standards of cybersecurity. Those cybersecurity systems must work for both service providers and service users. It’s in all our interests that they should.
Fifth, this challenge will become more difficult still as the Internet of Things and smart systems become more widespread. Most early IoT devices aren’t secure. The business driver for the IoT is going to be cheapness, not security. More and more smart systems will govern more and more of life. The opportunities to undermine them are going to burgeon. Evolving insecurity is going to be part of the evolving Internet.
Who is responsible?
A huge amount of time and energy is already being spent on cybersecurity: on stopping the threats that we already know or can immediately expect. This is happening in many fora, which are not well connected, and there are different views on who’s primarily responsible.
The IT industry would rather keep the management of security in its own hands because, as a representative of that industry put it in an event that I attended last week, it should be in the hands of experts. But that industry has its own interests to pursue here. There are conflicts between commercial confidentiality and collaboration for security. And experts in Internet technology aren’t experts in finance management or criminology or in the kind of threats arising for financial services and energy utilities.
Some governments share this industry perspective; others don’t. For them, cybersecurity is a threat to national security as a whole, from cyberwarfare, through terrorism, to economic welfare. Few national governments are likely to see global corporations, based outside their jurisdictions, as the best guarantors of their countries’ interests, or their own interests as governments.
Users have a variety of interests here, including ease of use and access, the protection of personal data, and protection against fraud. They can do some things to protect themselves, though many won’t. Ultimately, though, they are dependent on the quality of the software and the systems that they use.
Civil society organisations focus on access and rights aspects of cybersecurity and are wary of measures that they believe could undermine privacy or facilitate surveillance. Many of the mechanisms that are useful for protecting citizens against fraud can be used as easily to protect governments against democracy.
What about international standards?
There’s quite a lot of rhetoric about the need for multistakeholder participation in discussions around cybersecurity. Those different interests described above show why that’s necessary, but also illustrate a problem. There are widely different interests and perspectives – not just between government and business, but between, say, governments in the West, in China and in Africa; and between the giant cybercorps of Silicon Valley, their Chinese counterparts and smaller IT businesses that don’t have much influence in global cyber policy.
There are three problems here with international standards around cybersecurity. The first is that it will be difficult to build standards that resolve these different interests and perspectives. The second is that it will be difficult to enforce them (especially in the Internet of Things). The third is that it will be difficult to keep them up to date with the evolving Internet, which is where I want to end.
I’ve attended several discussion fora lately on these issues. What’s struck me most is that they’re mostly preoccupied with current problems.
This is understandable because those problems are acute. Thousands of new threats appear daily. Agencies concerned with cybersecurity – from antivirus companies to national CERTs (computer emergency response teams) – have their work cut out just standing still. Some of the sharpest minds in cyberspace work on “the wrong side of the line” here. And the growing IoT will make the scale of current problems greater still.
But (my theme last week) if we’re to shape policy towards the Information Society, we need to do more than deal with current issues. We need, if we can, to get ahead of the game. I’ll give three illustrations of issues where I think more thinking’s needed now, by everyone concerned about the future.
Three challenges ahead
First, there are changes in the nature of digital devices, and the ways we use them, that we can predict.
Example one: IoT devices won’t just be made on the cheap in many different jurisdictions (to variable standards, with variable levels of security); supposedly secure ones will be faked, like Gucci shoes and Rolex watches.
Example two: within the next ten years, we’re likely to see IoT devices implanted in the body (the subject of next week's post). How does that change how we feel about our personal security?
Second, cybersecurity thinking needs to deal with more than just specific challenges; it must also address systemic changes that will arise within the coming digital society. Two examples again.
Data, in a digital society, are gathered by default. Traditional approaches to data protection, based on authorising data collection where it seems appropriate, won’t work in that environment. They need to be rethought.
Algorithms will make more and more decisions that affect our lives. How do we protect against the hacking of those algorithms?
Third, we know the pace of change. We know that many of the services and devices we’ll use in ten years’ time have not yet been developed, perhaps even envisaged. How do we plan cybersecurity for the “unknown unknowns” that we know there’ll be in future? Where is the scenario planning going on for this?
Cybersecurity is fundamentally important for the future of the Internet. It’s complex and encompasses many different threats and different perspectives. But it’s an essential enabler of the Internet and of the value it can bring; and it’s an essential disabler of the threats that the Internet can pose. It needs the positive engagement of all stakeholders, and that engagement must be forward-looking, not just based on problems that we know today.
Next week, implants: do we want them? Will we adopt them? What will be their impact?
Image: Global Information Society Watch 2014: Communications surveillance in the digital age, 2014