
Patrick Dahm – That German-Singapore Lawyer


Security in Cyberspace, Fifty Years into Its Colonisation

The space where all data exchange and communication of the Internet happens, cyberspace, is neutral. Nothing insecure adheres to it in and of itself. Insecurity is brought in by man, who populates cyberspace, and by the tools that he has brought along. So how do we regain security in this space – cybersecurity?

Vulnerability and Security – a Short History of Cyberspace

When cyberspace emerged in the late 1960s it was small, fenced and easily understandable. It was an idea of military research institutes and a few universities which thought about how to achieve data exchange and communication over long distances, in spite of disturbances in the transmission path. The challenge then was to provide security against external influences. It’s a false rumour that the underlying motive was to secure communication even after the explosion of a nuclear bomb. But it’s a well-invented one because it illustrates the kind of robustness they aimed for.

Indeed the basic idea was not to transmit data from A to B strictly via a linear path anymore (offering only one way of transmission and therefore vulnerable), but flexibly via a network of connected nodes (offering many alternative routes of transmission). The openness of the Simple Mail Transfer Protocol (SMTP, the basis of e-mail) demonstrates how A’s security against attacks from B and vice versa was not an issue. It was about the provision and preservation of communication. As a result, there was not really the cyberspace. Instead there were many unconnected cyberspaces – single, small communication bubbles where a limited number of participants could talk to each other. Inside these spaces it was as noisy and dangerous as it gets in the research community. Innocent times.

The Internet

In the 1980s, the idea of interconnectedness was applied beyond individual communication networks. Whole networks were cross-linked with each other. This was the Internet, and this ‘network of networks’ is what moulds cyberspace as we know it today. It has not become smaller since, and neither has the number of those who reside in it.

As cyberspace was expanding and becoming more populated, at first with people only, it became noisier. Risks emerged which had not been there before. Some people were up to mischief, trying to gain unauthorised access to the computers and networks of others. Soon it became advisable to protect your own environment with a sturdy fence. After a while, it became wise to build protective walls, to set up security checkpoints (a firewall), employ a few guards (run good anti-virus software) and keep everything up to date. With hindsight, this was a time of well-nigh equal fire power between the inhabitants of cyberspace. Life had become a little rougher, admittedly, but it was still alright. Security against each other in cyberspace was an issue, but not one that gave birth to disaster scenarios.

The World Wide Web

Cyberspace continued to grow, attracting more and more inhabitants. The main reason for this was the emergence of the World Wide Web and its expansion from the mid-1990s. Markets and opportunities emerged and developed, both for leisure and business. That was attractive for less tech-savvy people and businesses as well. The next boost followed soon, as mobile communication devices spread and connectivity became a thing. Access to cyberspace was easy now. He who had access to cyberspace was a part of something, because cyberspace accepts everybody.

However, all these attractive offers, all this easy access to cyberspace, all this increased connectivity caused an increase in vulnerability. There was no equality in fire power any more, and the question of security against others in cyberspace became more significant, all the more when the attackers expanded their tactics. Protective walls, security gates and guards were still essential. But no serious attacker would run against them bluntly anymore, as this had become less promising. Instead, a serious attacker would try to exploit vulnerabilities covertly, ideally without anyone taking notice of his coming and going, and perhaps even of his actions. With this, cybersecurity against others had become a public issue. The need to protect oneself remained.

Powerful Attackers

The growing complexity of the Internet, particularly since the advent of the Internet of Things, has led to an increased risk of damage. Simply put, today there is a lot more lying around that someone can break. Another difference lies in who tends to launch attacks these days. In the beginning there were individuals and, some time later, groups of individuals. But the cyberspace of today sees international criminal organisations and even states at work (which is how the concept of cyber espionage came about). Relatively few can take it up with calibres like this. Indeed it’s disturbing to think that some criminal organisations or states might have the knowledge and means to launch a terrorist attack in physical space using the Internet of Things.

In principle, most attacks take place the same way as at the beginning of the century: by trying to exploit existing vulnerabilities. But nowadays a serious attacker wouldn’t look for vulnerabilities in the security gate and the guard house alone (which is not to say that these are dispensable). Instead, he will try to exploit other vulnerabilities of the architecture, preferably those which, due to the increased complexity of the environment, are not commonly known and patched yet (zero-day vulnerabilities).

The Four Forces That Regulate

Facing the public aspects of this issue, governments tried to curb harmful behaviour in cyberspace in their own way, for example by enacting new criminal laws. They hit the wall quite soon. Used to governing the physical space that is state territory (and everyone and everything inside it), governments realised their authority over cyberspace was an indirect one at best, namely via the people and the physical communication nodes situated within their territory. The inadequacy of this is showing every day: traditional government measures to regulate human behaviour, notably laws, have less force in cyberspace than in physical space. While they do apply in cyberspace, their effect there is limited. Someone who operates from a country where the authorities rarely prosecute Internet crime, and who knows how to attack the network of a company, needn’t care much about this being a crime at the seat of the targeted company.

Now, the law is not the only way to influence behaviour, regardless of the space. There are more ways, but their increased relevance for cyberspace had to be rediscovered in the early twenty-first century, because their impact there is more direct than that of the law. They are: social standards – non-binding but predominantly accepted rules of behaviour which are supposed to contribute to a civilised coexistence; market forces, which put a price tag on everything, including harmful conduct; and, above all, architecture – the architecture of cyberspace, which can open ways as much as it can set limits.

New Inhabitants

Cyber architecture is relevant because we’re no longer the only beings populating cyberspace. We were joined by autonomous software that, unlike us, does not lead a parallel life in physical space. Rather, cyberspace is its only habitat. There, neither law nor social norms nor market forces may hedge it. If anything can, cyber architecture may.

Cyber architecture is also relevant because some objects which, like us, exist in physical space are now populating cyberspace as well: machines with algorithms, aka robots, connected to the Internet. These machines have a purpose here, but to serve this purpose we’ve allowed them to (inter)act autonomously there. This is the Internet of Things, Industry 4.0, or whatever label we come up with. The software running in these physical objects may be amenable to influence by laws, social norms or market forces – albeit indirectly, as far as these aim at programmers. But an object in cyberspace which acts and learns autonomously may not be fazed by cyber law, cyber social norms or cyber markets at all. Such an object may only be influenced by way of the composition of cyberspace, by its architecture.

Cybersecurity as a Social Responsibility

This is the situation in the second decade of the twenty-first century. But if cyber architecture is of such major importance for cybersecurity, then this begs important questions. As far as cybersecurity is a matter of public interest, one question would be: who are the architects of today’s cyberspace anyway, at least of the large gathering places where we like to congregate? Are they Facebook, Google and Amazon, because we reveal and expose ourselves and our businesses on their platforms and because we use their services and access paths (social media, e-mail and office software, search engines, internet.org, Android)? How safe are we from them? By what direct (architecture) and indirect (law, social norms, market forces) ways do we regulate them?

Smart Nation

Another matter of importance is our concept of life in the future – and our vision of its architecture (and architects). For example, Singapore’s Smart Nation initiative, launched in 2014, aims at improving the lives of citizens, creating more opportunities, and building stronger communities. Whatever this is supposed to mean in detail, it’s clear these purposes are to be achieved by using interconnected (‘smart’) information and communication technology. In other words: to a very large extent Singapore as a smart nation is to take place in cyberspace.

This necessitates a public security debate on cyber architecture, even more so because the smart nation is to make ample use of the Internet of Things. If smart nation means that cars (with and without drivers) will be connected to and communicating with each other and with the traffic control centre for the sake of increased safety and traffic control, if it means that water and energy are to be fed and passed through the pipelines and cables of the city efficiently, with the help of connected sensors – then, in these and other cases, no malevolent third party should be able to usurp and sabotage the underlying cyber architecture.

This vision of a smart nation – and the security aspects that come with it – is to be realised through the four modalities described. But architecture will be the central element when it comes to securing the interconnected critical infrastructure of the city (power stations, traffic control centres). Then there are the upcoming Cyber Security Bill and the amendments to the Telecommunications Act, the Broadcasting Act and the Films Act envisaged for 2016. There’s the government’s stimulating announcement that it will increase spending on cybersecurity by 8 per cent. And there’s the announcement of cooperation between public and private sectors for the purpose of raising awareness of cybersecurity. Aha.

Cybersecurity as an Individual Responsibility

Other questions relate to cybersecurity as a private task. Everyone remains responsible for his lock, stock and barrel, whether in physical space or in cyberspace. How well does the architecture of one’s own network withstand attacks from the outside? How can one ensure that nobody digs a secret tunnel into one’s inner sanctum?

No one wants to enable an attacker to hack his company’s network and access sensitive customer information and trade secrets. Nor does anyone wish for an attacker to gain unauthorised network access to a factory and to modify, subtly, its manufacturing processes so that the machines produce spoilt or inferior goods.

One’s Own Back Yard

With regard to the former, it’s of utmost importance to close a security hole after it has become publicly known. While this is trivial, it doesn’t always happen, for various reasons. Apart from that, state-of-the-art cyber-architectural protective measures comprise the deliberate segmentation of networks and restricted access privileges between the segments. Related to this are access and usage privileges – for human users and applications. In this context, there are operating systems which allow code to be executed from specific memory segments only, so that data pages cannot be run as code (data execution prevention). And there are operating systems which place memory regions at random addresses (address space layout randomisation).
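A check a defender can run for the two operating-system measures just named, added here as an example and not part of the original article: it reads an ELF64 header to report whether a binary is position-independent (the precondition for ASLR to randomise its code segment) and whether it asks for a non-executable stack (the GNU toolchain’s form of data execution prevention). The function names and the sample header bytes are constructed for this example.

```python
import struct

ET_DYN = 3                 # e_type of a position-independent executable
PT_GNU_STACK = 0x6474E551  # program header that records the stack's permissions
PF_X = 1                   # "executable" bit in p_flags


def inspect_elf64(data: bytes) -> dict:
    """Report two mitigations for an ELF64 binary: PIE (needed for ASLR to
    randomise the code segment) and a non-executable stack (the GNU
    toolchain's form of data execution prevention)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 means 64-bit
        raise ValueError("not an ELF64 file")
    order = "<" if data[5] == 1 else ">"        # EI_DATA 1 = little-endian
    e_type = struct.unpack_from(order + "H", data, 16)[0]
    e_phoff = struct.unpack_from(order + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(order + "HH", data, 54)
    # Without a PT_GNU_STACK entry the loader may grant an executable stack,
    # so "absent" is treated as "not protected".
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(order + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def build_sample(pie: bool, exec_stack: bool) -> bytes:
    """Constructed test input: a bare ELF64 header followed by one
    PT_GNU_STACK program header. Not a loadable program, only enough
    header for inspect_elf64() to run offline."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else 2,  # ET_EXEC = 2
                               0x3E, 1, 0, 64, 0, 0,  # x86-64, v1, entry, phoff, shoff, flags
                               64, 56, 1, 64, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    flags = 6 | (PF_X if exec_stack else 0)           # PF_R | PF_W, plus PF_X if requested
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python check_mitigations.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        print(inspect_elf64(fh.read()))
```

On Windows the same two properties are recorded in the PE header instead, so this parser applies to Linux and other ELF systems only.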

It’s a social norm in IT security circles to inform each other about vulnerabilities and, if necessary, to sound the alarm quickly. In principle, this non-binding rule applies to the IT security department of a company as well. But there’s a fear of punishment by the market when a company has to admit a hacker has attacked it successfully. This fear has merit, although shamefaced silence will do nothing to solve the problem itself. On the contrary, as soon as it emerges that the company tried to cover up such an incident, a PR disaster usually strikes in addition to the attack. The market’s punishment for both might be even worse. Proper communication, on the other hand, can enable a company to share expert information within IT security circles and ensure that the reaction of the market will be prudent and proportionate.

Legal measures to further private cybersecurity are those of private law. They include contracts with customers, suppliers and service providers which anticipate and allocate risks reasonably. They also include knowing what will count as relevant, court-solid evidence in the event of a successful attack from outside, and how to secure such evidence.

Beware of Robot Spiders from Mars

The history of nearly fifty years of cyberspace is a history of the colonisation of an undiscovered country. We come across discoverers and explorers, pioneers who ventured into the new areas. After them came the brave who founded the first settlements. This drove culture and trade, both of which spread in a minimum of time. Villages grew to be cities, cities to be – nations? (The nation of Google? The nation of Facebook?) A certain kind of order and constitution emerged, claiming to meet the security needs of the time. The more complex a society becomes, the more complex its security needs, because the vulnerabilities are complex.

What’s next? With the advent of the Internet of Things, the boundaries between cyberspace and physical space seem to blur. Yet another complexity boost. It will probably cause data exchange and communication to become easier, but not simpler. We should just make sure to maintain an appropriate level of security. Security is, after all, a prerequisite for freedom – in any space.

The German version of this article can be found here.


2 Comments

  1. Francis B

    Fascinating. Also, the video is hilarious!
