The space where all data exchange and communication of the Internet happens, cyberspace, is neutral. Nothing insecure adheres to it in and of itself. Insecurity is brought in by man who populates cyberspace, and by the tools that he has brought along. So how to regain security in this space – cybersecurity?
Vulnerability and Security – a Short History of Cyberspace
When cyberspace emerged in the late 1960s it was small, fenced and easily understandable. It was an idea of military research institutes and a few universities which thought about how to achieve data exchange and communication over long distances, in spite of disturbances in the transmission path. The challenge then was to provide security against external influences. It’s a false rumour that the underlying motive was to secure communication even after the explosion of a nuclear bomb. But it’s a well-invented one because it illustrates the kind of robustness they aimed for.
Indeed the basic idea was not to transmit data from A to B strictly via linear path anymore (offering only one way of transmission and therefore vulnerable), but flexibly via a network of connected nodes (offering many alternative routes of transmission). The openness of the Simple Mail Transfer Protocol (SMTP, the basis of e-mail) demonstrates how A’s security against attacks from B and vice versa was not an issue. It was about the provision and preservation of communication. As a result, there was not really the cyberspace. Instead there were many unconnected cyberspaces – single, small communication bubbles where a limited number of participants could talk to each other. Inside these spaces it was as noisy and dangerous as gets in the research community. Innocent times.
In the 1980s, the idea of interconnectedness was applied beyond individual communication networks. Whole networks were cross-linked with each other. This was the Internet, and this ‘network of networks’ is what moulds cyberspace as we know it today. It has not become smaller since, and neither has the number of those who reside in it.
As cyberspace was expanding and becoming more populated, at first with people only, it became noisier. Risks emerged which had not been there before. Some people were up to mischief trying to gain unauthorised access to the computers and networks of others. Soon it became advisable to protect your own environment with a sturdy fence. After a while, it became wise to build protective walls, to set up security checkpoints (a firewall), employ a few guards (run good anti-virus software) and keep everything up to date. With hindsight, this was a time of well-nigh equal fire power between the inhabitants of cyberspace. Life had become a little rougher, admittedly, but it was still alright. Security against each other in cyberspace was an issue, but not one that gave birth to disaster scenarios.
The World Wide Web
Cyberspace continued to grow, attracting more and more inhabitants. The main reason for this was the emergence of the World Wide Web and its expansion from the mid-1990s. Markets and opportunities emerged and developed, both for leisure and business. That was attractive for less tech-savvy people and businesses as well. The next boost followed soon, as mobile communication devices spread and connectivity became a thing. Access to cyberspace was easy now. He who had access to cyberspace was a part of something, because cyberspace accepts everybody.
However, all these attractive offers, all easy access to cyberspace, all increased connectivity caused an increase in vulnerability. There was no equality in fire power any more and the question of security against others in cyberspace became more significant, all the more when the attackers expanded their tactics. Protective walls, security gates and guards were still essential. But no serious attacker would run against them bluntly anymore as this had become less promising. Instead, a serious attacker would try to exploit vulnerability, covertly. Ideally without anyone taking notice of his coming and going, and perhaps even of his action. With this, cybersecurity against others had become a public issue. The need to protect oneself remained.
The growing complexity of the Internet, particularly since the advent of the Internet of Things, has led to an increased risk of damage. Simply put, today there is a lot more lying around that someone can break. Another difference lies in who tends to launch attacks these days. In the beginning there were individuals and, some time later, groups of individuals. But the cyberspace of today sees international criminal organisations and even states at work (which is how the concept of cyber espionage came about). Relatively few can take it up with calibres like this. Indeed it’s disturbing to think that some criminal organisations or states might have the knowledge and means to launch a terrorist attack in physical space using the Internet of Things.
In principle, most attacks take place the same way as at the beginning of the century: by trying to exploit existing vulnerabilities. But nowadays a serious attacker wouldn’t look for vulnerability in the security gate and the guard house alone (which is not to say that these were dispensable). Instead, he will try to exploit other vulnerabilities of the architecture. Preferably those which, due to increased complexity of the environment, are not commonly known and patched yet (zero-day vulnerabilities).
The Four Forces That Regulate
Facing the public aspects of this issue, governments tried to curb harmful behaviour in cyberspace in their own way, for example by enacting new criminal laws. They hit the wall quite soon. Used to govern over the physical space that is state territory (and everyone and everything inside), governments realised their authority over cyberspace was an indirect one at best, namely via the people and the physical communication nodes situated within their territory. The inadequacy of this is showing every day: traditional government measures to regulate human behaviour, notably laws, have less force in cyberspace than in physical space. While they do apply here, their effect there is limited. Someone who operates from a country where the authorities rarely prosecute Internet crime, and who knows how to attack the network of a company, needn’t care much about this being a crime at the seat of the targeted company.
Now, the law is not the only way to influence behaviour, regardless of which space. There are more ways, but their increased relevance for cyberspace had to be rediscovered in the early twenty-first century because their impact there is a more direct one than that of the law. They are: social standards – non-binding but predominantly accepted rules of behaviour which are supposed to contribute to a civilised coexistence. Market forces, which put a price tag to everything, including harmful conduct. But above all, it’s architecture – the architecture of cyberspace, which can open ways as much as it can set limits.
Cyber architecture is relevant because we’re no longer the only beings populating cyberspace. We were joined by autonomous software that, unlike us, does not lead a parallel life in physical space. Rather, cyberspace is its only habitat. There, neither law nor social norms nor market forces may hedge it. If at all, cyber architecture may.
Cyber architecture is also relevant because some objects which, like us, do exist in physical space, are also populating cyberspace now, like us. Machines with algorithms, aka robots, connected to the Internet. Indeed these machines have a purpose here, but to serve this purpose we’ve allowed them to (inter)act autonomously there. This is the Internet of Things, Industry 4.0, or whatever label we come up with. The software running in these physical objects may be amenable to influence by laws, social norms or market forces – albeit indirectly, as far as these aim at programmers. But an object in cyberspace which acts and learns autonomously may not be fazed by cyber law, cyber social norms or cyber markets at all. Such an object may only be influenced by way of the composition of cyberspace, by its architecture.
Cybersecurity as a Social Responsibility
This is the situation in the second decade of the twenty-first century. But if cyber architecture is of such major importance for cybersecurity, then this begs important questions. As far as cybersecurity is a matter of public interest, one question would be: who are the architects of today’s cyberspace anyway, at least those who create the large gathering places where we like to congregate? Are they Facebook, Google and Amazon, because we reveal and expose ourselves and our businesses on their platforms and because we use their services and access paths (social media, e-mail and office software, search engines, internet.org, Android)? How safe are we of them? By what direct (architecture) and indirect (law, social norms, market forces) ways do we regulate them?
Another matter of importance is our concept of life in the future – and our vision of its architecture (and architects). For example, Singapore’s Smart Nations initiative, launched in 2014, aims at improving the lives of citizens, creating more opportunities, and building stronger communities. Whatever this is supposed to mean in detail, it’s clear these purposes are to be achieved by using interconnected (‘smart’) information and communication technology. In other words: to a very large extent Singapore as a smart nation is to take place in cyberspace.
This necessitates a public security debate on cyber architecture, even more so because the smart nation is to make ample use of the Internet of Things. If smart nation means that cars (with and without drivers) will be connected to and communicating with each other and with the traffic control centre for the sake of increased safety and traffic control, if it means that water and energy are to be fed and passed through the pipelines and cables of the city efficiently, with the help of connected sensors – then and in other cases no malevolent third party should be able to usurp and sabotage the underlying cyber architecture.
This vision of a smart nation – and the security aspects that come with it – is to be realised through the four modalities described. But architecture will be the central element when it comes to securing the interconnected critical infrastructure of the city (power stations, traffic control centres). Then there are the upcoming Cyber Security Bill and amendments to the Telecommunications Act and Broadcast Act and Films Act envisaged for 2016. There’s the government’s stimulating announcement that it will increase spending on cybersecurity by 8 per cent. And there’s the announcement of cooperation between public and private sectors for the purpose of raising awareness in cybersecurity. Aha.
Cybersecurity as an Individual Responsibility
Other questions relate to cybersecurity as a private task. Everyone remains responsible for his lock, stock and barrel, either in physical space or in cyberspace. How well does the architecture of one’s own network withstand attacks from the outside? How can one ensure that nobody digs a secret tunnel into one’s inner sanctum?
No one wants to enable an attacker to hack his company’s network and access sensitive customer information and trade secrets. Nor does anyone wish for an attacker to gain unauthorised network access to a factory and to modify, subtly, its manufacturing processes so that the machines produce spoilt or inferior goods.
One’s Own Back Yard
With regard to the former, it’s of utmost importance to close a security hole after it has become publicly known. While this is trivial, this doesn’t always happen, for various reasons. Apart from that, state-of-the art cyber-architectural protective measures comprise the deliberate segmentation of networks and restricted access privileges between the segments. Related to this are access and usage privileges – for human users and applications. In this context, there are network operating systems which allow applications to execute data in specific memory segments only (data execution prevention). This includes operating systems which assign memory address areas randomly (address space layout randomisation).
It’s a social norm in IT security circles to inform each other about vulnerabilities and, if necessary, to sound the alarm quickly. In principle, this non-binding rule applies to the IT security department of a company as well. But there’s a fear of punishment by the market when a company has to admit a hacker has attacked it successfully. This fear has merit although shamefaced silence will do nothing to solve the problem itself. On the contrary, as soon as it emerges the company tried to cover up such an incident, PR disaster usually strikes in addition to the attack. The market’s punishment for both might be even worse. Proper communication, on the other hand, can enable a company to share expert information within IT security circles and ensure that the reaction of the market will be prudent and proportionate.
Legal measures to further private cybersecurity are those of private law. They include contracts with customers, suppliers and service providers, which anticipate and allocate risks reasonably. They also include knowing what will be relevant, court-solid evidence in the event of a successful attack from outside, and how to secure such evidence.
Beware of Robot Spiders from Mars
The history of nearly fifty years of cyberspace is a history of the colonisation of an undiscovered country. We come across discoverers and explorers, pioneers who ventured into the new areas. After them came the brave who found the first settlements. This drove culture and trade, both of which spread in a minimum of time. Villages grew to be cities, cities to be – nations? (The nation of Google? The nation of Facebook?) A certain kind of order and constitution emerged, claiming to meet the needs for security of the time. The more complex a society becomes the more complex its security needs. Because the vulnerabilities are complex.
What’s next? With the advent of the Internet of Things, the boundaries between cyberspace and physical space seem to blur. Yet another complexity boost. It will probably cause data exchange and communication to become easier, but not simpler. We should just make sure to maintain an appropriate level of security. Security is, after all, a prerequisite for freedom – in any space.