Phil Quade

The Digital Big Bang


Скачать книгу

It incentivized us to fill in gaps in our data collection that we didn't feel obliged to before.

      For example, the maps of the world from 750 years ago had elaborate drawings of mid-ocean whirlpools and sea monsters—here be dragons—mid-continent mountain ranges, and other physical phenomena. Faulty thinking, and the desire to warn of the dangers of sea exploration, led mapmakers to fill in what they did not know.

      In contrast, the maps of the Scientific Age were drawn with large blank areas, showing where we had no data. It was not until we admitted that we in fact had very little idea what was beyond the horizon, or mid-ocean or continent, that we began exploring those areas and filling in the missing pieces that led to a much better understanding of our world.

      The pull of curiosity about basic principles reduced the fear of the unknown and prompted the physical world's golden age of scientific education.

      Now we must make the same leap in cybersecurity. We need to stop quaking at the cyber threats—real and imagined—and get down to the business of defining how to navigate and master those threats.

      On October 29, 1969, the first message was sent over what would eventually become the Internet. Meant to be the word “login,” the letters “L” and “O” were sent from researchers at UCLA to a team at Stanford. Then the system crashed. (We'll pause while you chuckle about that first crash.)

      When it was constructed and deployed, the Internet served as a communication platform for a tightly restricted group of specific users.

      With the advent of packet switching—the division of information into smaller blocks to be transmitted and then reassembled, pioneered as a Cold War strategy—that communication became a viable, though intensely limited, reality.

      Internet pioneers got speed and connectivity right—the digital big bang's equivalent of matter and energy. Their goal was a secure, distributed widespread computer communication system, and they achieved that goal.

      Because the digital transmission of information was so restricted in both users and data, the use of ARPAnet was governed by a shared sense of trust that was informed and enforced by security clearances, professional accountability, and total lack of anonymity.

      With this assumption of trust, things went off-kilter. That assumption thwarted the parallel development of security, particularly trustworthy authentication, that could have supported the speed and connectivity that would make the Internet transformational.

      The assumption of trust that was still deep within the DNA of the Internet became a huge problem the moment the public could go online. On an increasingly vast and anonymous network, that trust soon transformed from guiding philosophy to greatest weakness. As more people arrived, the Internet quickly became a newly discovered continent of naïve users, systems, and networks to be exploited and hacked for digital fraud, grift, or simply to prove it could be done.

      Since those first hacks, the field of cybersecurity has struggled to catch up and compensate. Mitigating the weakness—the wrongful assumption of trust and the lack of strong authentication—while still balancing the essential benefits and fundamentals of speed and connectivity, remains an enduring challenge of cybersecurity today.

      For all the stunning power of its speed and the vastness of its data, the Internet is shockingly fragile and fallible. We're propping it up, sometimes with ridiculously complex schemas and other times with little more than digital Popsicle sticks and Elmer's glue and, for high-end applications, duct tape.

      The Internet is fast, anonymous, powerful, and profitable—all factors that have accelerated its use and deployment—while at the same time prone to malicious exploitation, with terrible potential for criminality and sabotage. The continuing series of breaches of organizations of all levels of sophistication shows what a huge problem we have.

      The widening breadth of cybercrime is a direct reflection of our expanding global attack surface—and the increasing commodification of threat. The digital criminal barrier for entry that individuals and organizations alike must defend against is lower than ever. Today, it can be as easy to purchase a cyberattack as it is to buy a cup of coffee, and often even cheaper. We must defend ourselves from near constant silent digital attacks on the fabric of our societies, all roiling beneath the surface of an increasingly interconnected world.

      Today, there is little difference between cybersecurity and national, even global, security. As we have seen time and again in reported malicious cyber activity—often in chilling reports of narrowly averted attacks—we can be reached at the most foundational levels by nearly anyone, from anywhere.

      With so much at stake, it's time to borrow a page from the Scientific Revolution:

Scientific Revolution Cybersecurity Scientific Revolution
Admit our ignorance (redraw the earth's maps). Acknowledge what we got wrong (authentication).
Use steadily increased strategies for becoming masters of our physical domain (sail oceans, fly planes, explore space). Implement steadily stronger strategies to become masters of the cyber domain.
Replace fear with curiosity. Replace outmoded assumptions and strategies with rigorous fundamental strategies that build up to advanced strategies.

      We can achieve better cybersecurity by thinking like physicists and chemists, by postulating and outlining the theorems and proofs necessary to master the cyberspace domain. As critical as these fundamentals are, though, they can easily be overlooked or forgotten by a digital culture that looks myopically to the near future, placing short-term gains ahead of long-term stability and sustainability.