Is Cybersecurity an Oxymoron?
Many years ago I lived in one of the less secure, less affluent parts of London. It was a neighbourhood where everyone knew someone who knew someone who had spent some time “at Her Majesty’s Pleasure”. Sure enough, one lunchtime when I had inadvertently left a quarter of a pound of butter wrapped in a brown paper bag on the front seat of the car, the car window was smashed and the brown bag stolen. I was fairly sure there wasn’t a gang of butter thieves at work in the area, but the allure of a brown paper bag that could have contained something was sufficient to attract an apprentice Al Capone. So I thought laterally. How to prevent further break-ins? The answer was obvious: leave the car unlocked. After that, I never had another broken window.
Of course, the corollary was that thereafter I didn’t leave anything in the car that might seem remotely interesting to a thief. Only the car itself, a small Renault, was stolen a few months later and turned up in an underground carpark minus two wheels. The policeman was very helpful, but informed me in all seriousness and with great gravity that no, he couldn’t tell me where a Renault garage was because it might be thought that he “was opportuning for the garage.” In the upside-down world of thieves, imagination plays an important role. Thinking of how Alice in Wonderland might handle this situation, I asked if he could point me in the direction of three garages, and mention which one serviced Renaults. He pondered this question before pointing up the hill. “I think the one on the left serves Renaults,” he added helpfully, confirming that in life, procedure and protocol are important.
The world of cyberspace and the Internet is also a “neighbourhood” of thieves. The global village is a den of iniquity, its architecture full of towers of Babel clustering in ever greater numbers. Anything that is connected is vulnerable to the local butter thieves, the opportunists, and the snatch thieves. When they get more organized, like Al Capone, they work on an industrial scale, be it for ransom money, selling numbers, blackmail, etc. The latest snippet from Edward Snowden is that security agencies have the ability to download into anyone’s smartphone software which will evade detection, leave no trace, can remotely turn your phone on and off, take pictures, listen in, copy text, etc. This comes as no surprise any longer to anyone familiar with these things. If you don’t want your content copied, spied upon or stolen, then don’t leave it in the “car”.
But that’s not very practical advice. Unless a person or a business keeps a clean PC or server disconnected from any other, the vulnerability will always be there. And even if disconnected, there would need to be an intermediate device to check all files and thumb drives before transferring data from a connected to a disconnected machine. Bugs inserted in devices and software at source are becoming yet another high security risk. In September, Apple had to remove over 300 pieces of software from its App Store that were infected at source, mostly it seems from China.
So the idea of cyber security no longer sounds plausible as a handle to describe the Internet neighbourhood. Cyber Insecurity would be a better one. It would also be a constant alert to all and sundry that absolutely nothing is guaranteed as safe. If this is so, then a change of perspective is called for. What are the costs and consequences of data being stolen (loss of IP for example) or revealed (personal information for example), and what price should be paid to reduce the risk? Leaving the car door unlocked did not protect the car, but it minimized the risk of content loss and broken windows through a change in my behaviour. Hardware is not that important in the information age of cyber insecurity, and information that is shared is not at risk by definition. I got the car back because it was traceable. Can information be made traceable? Can it leave indelible footprints? If it can, then of course anonymity goes out the window, unless there is an opt-in mechanism to watermark or not to watermark. The general point is that we need much more public discussion and disclosure of the options, technical and behavioural, and possible alternative approaches. But beware, even simple innocent-looking cars can be fitted with information-deceiving filters! Thus, I still prefer Renault.