As vast as cyberspace is, so too are the threats, exploits and damages that seem to multiply by the day through this network of computer interconnections around the globe — elements that are shaping a new normal which is not yet fully understood.
One of the most important legacies of the 20th century is the construction of the Internet and the creation of cyberspace. As a network of millions of computers and their interconnections, the Internet already penetrates most, if not all, parts of the world.
These networks’ interconnections shape the changing spaces of human behavior, enabling new forms of interactions and empowering individuals, groups, private and public entities and just about everyone everywhere. Early in the 21st century, the Internet and cyberspace were considered matters of low politics — routine and predictable, well below the proverbial “radar screen.”
But this did not last long.
Almost overnight, matters of low politics were catapulted to the highest of high politics, all with a new vocabulary reflecting new behaviors, new ways to communicate and new threats to the security of individuals, groups, firms, states —anyone that uses the Internet.
Today, cybersecurity is high on everyone’s radar, as a powerful new reality that is penetrating all facets of cyberspace. On a near-daily basis we read of damages to hardware, software, content, products, processes.. No one is immune. No one is safe.
This new reality — with the variety of threats, exploits and damages that seemingly multiply day by day — creates new markets, new business opportunities, new strategic concerns and threats to our collective views of law and order. These elements are shaping a new normal which is not yet fully understood. But they are clearly anchored in the nature of the hardware, ever changing uses and functions enabled by evolving software and fueled by the power of human ingenuity.
When the Internet was designed, threats to security were not central to the basic architecture nor to the core design principles.
Cyberspace is built as a layered construct where physical properties — cables and wires, computers and servers, for example – enable a logical framework that allows communication between people and information. This is managed by a complex and decentralized system that is as diverse as it is vast. It is supported by an even more complex system of actors, constituencies and interests.
More generally, cybersecurity refers to the safety and resilience of each of these elements and their interactions. The fact that different analysts define cybersecurity in different ways is a powerful reminder of the story of the blind men and the elephant.
This story, a proverb, appears in many cultures in many different forms. It points to the difficulty of understanding realities that we do not have much information about (the elephant), and to the various ways of drawing conclusions based on very partial evidence (the blind men). It is even a useful parallel. By way of helping clarify the nature of the “elephant,” we now consider three different sources of threat to cybersecurity. These are rooted in; vulnerabilities due to Internet architecture and incomplete institutional mechanisms; the growth of tools, methods, and pathways of threat; and multipliers of damage, most notably, those embedded in the Internet of Things (IoT).
The Internet, as we know it, carries some built-in barriers to cybersecurity, easily exploitable for creating damage. Attribution – the inability to identify the actor responsible for the malicious act. Location can be closely approximated, but identity is not assured. Anonymity – network properties, notably those of The Onion Router (TOR), allow users to use the Internet anonymously. Autonomy – the lack of oversight or accountability for key entities, such as Internet Service Providers (ISP). In some countries almost anyone can become an ISP—and Certificate Authorities who are burdened with little accountability to anyone. Absent incentives – to manage management markets for malware, coordinate strategies for containing damage, or impede the expansion of intrusive tools and mechanisms.
Among the key features of the overall threat landscape are the intents and capabilities of actors, pathways through networks, access to target system, choice of damage type and mechanisms. Malware is now part of our normal vocabulary, as are markets for malware and bounty programs. Ransomeware, a recent addition to the threat landscape, is increasingly common.
And cybercrime is downright familiar. In the absence of an international encyclopedia of consequences of threats to cybersecurity, we are left to our own devices to best organize information about tools and mechanisms. Each of the blind men uses his or her preferred mode of organizing the ever-growing stock of incidents.
All of this is part of the new normal.
At the same time, with this “bad” news comes some “good” news. Investments in cybersecurity continue to grow, fueled by competition, business incentives and visions of success. The new normal is creating its own optimism in the search for new and innovative methods for managing the security of cyberspace, a most critical legacy of the 20th century.