Cybersecurity
A digital revolution has been taking place for the last 30 years and today we continue to witness rapid innovation.
The Internet is no longer just about sending emails, visiting websites and streaming music and videos.
Today, if someone switched off every digital and electronic device, the world would virtually come to a halt. Hospitals, transport, electricity, water and other utilities, shops, banks, offices, military networks, critical infrastructure and almost every product or service today rely on some sort of electronic device, often connected to the Internet. Indeed, it is estimated that there are around 50 billion devices connected to the Internet (these objects are referred to as the Internet of Things or "IoT"), a figure that becomes even more significant when compared with the total world population of 7.5 billion people.
There is actually a phenomenon, called an electromagnetic pulse (EMP), that can switch off any electronic device by destroying every single component of it. It is no surprise, then, that many organizations are placing critical data backups in an EMP-proof environment known as a Faraday cage.
97% of US Fortune 500 companies have been hacked. It is predicted that by 2020 most executive boards will include a Chief Cybersecurity Officer (CCO). Governments' positions on cybersecurity are critical to the future of world relations, world politics and the Internet itself. Cybersecurity fears have led to the creation and rapid growth of various new governmental offices and bureaucracies, such as the US Department of Homeland Security's Cyber Security Division, the UK Office of Cyber Security and Information Assurance (OCSIA) or the Cyberspace Administration of China, and even dedicated military units such as the United States Army Cyber Command.
Cybersecurity is important for everyone because the potential damage from other people's choice of technology is not limited to only damaging them. It can affect the privacy, financial stability, and physical safety of many other people or of an entire nation.
Yet, for all its importance, there is a widespread lack of understanding, along with confusion and misinformation, about cybersecurity, even at high levels of responsibility and supposed expertise, mostly due to the novelty of the subject and to how quickly technology continues to evolve.
Most organizations' and individuals' adoption of and reliance on technology substantially outpace their ability to keep it completely safe and secure. The capabilities of technology steadily run ahead of our ability to fully predict and mitigate its consequences. Furthermore, with the expanding adoption of cloud computing, we are increasingly relying on digital services that are often only partially under our control.
When sensitive information was stored on paper documents, protection was relatively straightforward. Technological evolution has made information control several orders of magnitude more complex.
Cybersecurity is the protection of cyberspace (computers, networks, software, and data) from danger and threat with the goal of making it stable, safe, and resilient.
In order to define Cybersecurity in more depth, we shall first define the two components of the word: Cyber + Security. Cyber is a word extracted from cybernetics or cyberspace, so we will explore these first.
1. Cyberspace: a definition
The term "cyberspace" was first used by science fiction writer William Gibson in a short story published in 1982. It was an amalgam of the word "cybernetics" (defined by Norbert Wiener as "the scientific study of control and communication in the animal and the machine" (1), from the Ancient Greek word κυβερνήτης, kybernētēs: shipmaster) and the word "space." Two years later, in his novel "Neuromancer," he defined cyberspace as:
“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding...”
Another interesting opinion on cyberspace and what it means for humanity comes from a passage in Michael Crichton's novel The Lost World, which reads:
“[..] Although personally, I think cyberspace means the end of our species." "Yes? Why is that?" "Because it means the end of innovation," Malcolm said. "This idea that the whole world is wired together is mass death. Every biologist knows that small groups in isolation evolve fastest. [..] now we're planning to put five billion people together in cyberspace. And it'll freeze the entire species. Everything will stop dead in its tracks. Everyone will think the same thing at the same time. Global uniformity. [..]”
The US Department of Defense, the entity responsible for both early computing and the first computer network, ARPANET, has over the years issued over a dozen different definitions of cyberspace. In its latest attempt, dated May 2008 (2), the Pentagon defined cyberspace as:
'a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.'
Simplifying, cyberspace can be defined as an environment in which digitalized information is created, stored and exchanged over computer networks.
Cyberspace as such isn't only a notional and virtual environment because it includes both physical computers and the components of network infrastructure, as well as the people who use the computers and build and operate the technology.
Cyberspace may be global, but it is not stateless and without geography. Since cyberspace relies on physical infrastructure and human users who are tied to geography, it is also subject to the notions of physical location, national sovereignty and property. At the same time, the geography of cyberspace is much more mutable than that of other environments.
While cyberspace was once a realm of communication and e-commerce, it has now expanded to include critical infrastructure from water to food distribution, power plants (including nuclear), electrical grids, healthcare, banking and transportation. All of these are now bound together and linked via information technology, often through SCADA (supervisory control and data acquisition) systems that monitor and control processes such as balancing the level of chlorination in the water, adjusting the flow of gas heating homes, or executing financial transactions.
2. Security: a definition
Security is the state of being free from danger and not exposed to damage and loss from accidents or attacks.
Security is also the process for achieving that desirable state.
As the old saying went, the only way of keeping a computer completely secure is to turn it off. And even that might not be sufficient today given that most devices are connected to the Internet. The reality is that perfect security (implying absolute certainty of zero losses) would be infinitely expensive and impractical. The goal of risk management is to optimize the allocation of resources by minimizing both the security cost and risk losses experienced.
Risk is defined as the chance of injury, damage, or loss. Risk has two elements:
- chance (an element of uncertainty)
- potential loss
Generally, cybersecurity actions taken today work to reduce future risk losses.
Risk management is a three-step process:
- identify risks
- select and implement counter-measures
- monitor losses and evaluate the validity of the first two steps of the process
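The three steps above can be worked through on a small risk register. The following is an added example, not part of the original article: the risks, counter-measures and all figures are constructed, and it assumes that expected loss is chance times potential loss and that a counter-measure scales the chance of the risks it addresses.

```python
from itertools import combinations

# Constructed sample data: each risk has the two elements named above,
# a yearly chance of occurring and a potential loss.
RISKS = {
    "ransomware":   {"chance": 0.30, "loss": 400_000},
    "laptop_theft": {"chance": 0.10, "loss": 50_000},
    "phishing":     {"chance": 0.50, "loss": 80_000},
}

# Hypothetical counter-measures: yearly cost, and for each risk they address,
# the fraction of the original chance that remains once they are in place.
CONTROLS = {
    "offline_backups":    {"cost": 20_000,  "residual": {"ransomware": 0.25}},
    "disk_encryption":    {"cost": 3_000,   "residual": {"laptop_theft": 0.20}},
    "awareness_training": {"cost": 15_000,  "residual": {"phishing": 0.50, "ransomware": 0.80}},
    "staffed_monitoring": {"cost": 250_000, "residual": {"ransomware": 0.50, "phishing": 0.50}},
}

def expected_loss(selected):
    """Step 1 (identify): sum of chance x potential loss over all risks."""
    total = 0.0
    for name, risk in RISKS.items():
        chance = risk["chance"]
        for control in selected:
            chance *= CONTROLS[control]["residual"].get(name, 1.0)
        total += chance * risk["loss"]
    return total

def total_cost(selected):
    """Security cost plus expected risk losses: the quantity to minimize."""
    return sum(CONTROLS[c]["cost"] for c in selected) + expected_loss(selected)

def best_selection():
    """Step 2 (select): try every subset of controls, keep the cheapest overall."""
    names = sorted(CONTROLS)
    subsets = (s for r in range(len(names) + 1) for s in combinations(names, r))
    return min(subsets, key=total_cost)

def estimate_gap(selected, observed_loss):
    """Step 3 (monitor): observed yearly loss minus the estimate; a large gap
    means the chance or loss figures from step 1 need revisiting."""
    return observed_loss - expected_loss(selected)

if __name__ == "__main__":
    chosen = best_selection()
    print("do nothing: ", round(total_cost(())))
    print("everything: ", round(total_cost(tuple(CONTROLS))))
    print("best subset:", chosen, round(total_cost(chosen)))
```

With these constructed figures, buying every counter-measure costs more overall than buying none, which is the sense in which near-perfect security is impractical.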
References
(1) Wiener, Norbert. Cybernetics: Or Control and Communication in the Animal and the Machine. Paris (Hermann & Cie) & Cambridge, Mass. (MIT Press), 1948; 2nd revised ed. 1961. ISBN 978-0-262-73009-9.
(2) Defense Department adopts new definition of 'cyberspace,' Castelli, Inside the Air Force, May 23, 2008.