What is philosophy of cyber security yet again?

The short answer to that question is that it's something that's not yet there but that ought to be invented. It is no secret that we have, in the last twenty years or so, built a world that is radically different from what came before, and that we are in the middle of some sort of technical curve to an unknown destination.

We now have the internet, and many of the 'disintermediations' that were driving the 'dotcom' boom of the late 1990s are now more or less reality. If you doubt this, ask your local author, musician or filmmaker (and yes, in New Zealand these sort of people are 'locals'). And where have all the bookshops gone?

Along the road we know that we have a problem with 'security' in that world, and it is unclear what to do about that and how a possible solution might work. To many it seems that the powers that be are always just asking for more and more control over data and metadata, and run undisclosed 'dragnet' operations on our connections. At the same time, judging only from our mail inboxes, virus and spam writers run unchecked. Little wonder that many feel that these 'powers that be' are asking for more control, and then delivering little.

It is a good question whether a philosophy of all of this is possible. I think it is. Like many good philosophical questions, this problem can be phrased in terms of a dilemma between two fairly easily understood extremes. The truth then at first seem to lie somewhere in the middle. But good philosophy usually gives it a little twist.

In the case of security versus surveillance I think the extremes are this:

1. A (Hobbesian) state of nature, in which each internet user is on their own. A lot of innovation happens, along with a lot of good self-organisation and a lot of bad stuff. The closest we have to something like this in real life is probably the deep web, or darknets. Contrary to public opinion, there is life on the deep web apart from weapons and drugs, but it's not a place to go (digitally) unarmed.
2. A total surveillance state, in which internet crime is quickly stamped out, along with dissent and free speech. The closest we would have to this world is the Chinese firewall. And there seems to be no shortage of politicians in the West who want to take us into this direction too.

Can the future lie somewhere between these two extremes? A first answer to this question would be that it has to - neither alternative is on its own acceptable as a future model for the internet.

A second answer, and one that I've heard given, is that it makes sense to give up some of our freedoms from the Hobbesian internet in order to have some security, and that a Hobbesian 'social contract' with a central power is required to keep the net relatively secure and free. For several reasons that answer - when it comes in the form of the Hobbesian deal - doesn't satisfy me. Hobbes was, for starters, not a democrat, so it is hard to see how such a future state of the internet will align with our wider democratic institutions. My hunch would be that it probably can't, and that a democratically uncontrolled central power would, little by little, take us into the total surveillance horm of the dilemma.

A third answer, and I think the right one, is that we need to rethink the notion of 'security', 'freedom', 'dissent' and so on for a digital world. We sacrifice a lot in the name of security, but to me it seems pertinent that we do not even have a robust philosophical candidate definition for what 'security' actually is. As such, the concept is woolly and vague, an ideal frame to attack all kind of ill-conceived notions of 'security measures' to.

So I think what's necessary is a philosophical twist. That twist has to start by asking some pertinent questions, and coming up with some new principles governing our digital beings. That is what philosophy of cybersecurity is about.

Wait, another new research area?

As time goes by, I'm sort of painfully aware that I'm using this blog to announce some new research topic, like this post on theoretical terms, that then subsequently doesn't happen. I could of course delete these posts, since I'm pretty sure they are interesting to no one and are not informative. However, I'll leave them for now - maybe in the future I may want to pick them up again.

With the increasing interest in cybersecurity, which is what I've been doing over the past 10 years or so, I find the spare time that I have to solve these sort of 'pure play' academic puzzles is sort of lacking.

That doesn't mean these puzzles are not interesting, but for now, they just are not interesting enough.

Operational Implications of the Cyber Security Threat Stack

Cross posted from the Leiden Safety and Security blog:

Looking back on 2014, one can say that 2014 has been the year of the hacker. The world over, cyber security agencies, and cyber securitycompanies, are reporting an increase in the number and the complexity of cyber-attacks. In University of Auckland's IT Security Team in 2014, we have had to deal with more, and with more complex, attacks than before. Such developments place significant demands on cyber security teams. If one thing stands out about cyber attacks, it is that they do not come in one variety. Another thing that can be said is that a single cyber attack is lonely: many incidents now consist of multiple ‘attacks’ using a variety of tools.

For people in business, universities, government and as individuals, the question then arises how we prepare for yet another increase in the number and complexity of cyber security incidents. One particular tool that we use in our team is the threat stack. Used with some caution, the threat stack allows forward planning of our defences against the sort of attacks that we can expect in the next 12 months.

The threat stack is a categorisation of attacks indexed by likely actor and motivation. As shown in the table, it indexes cyber threats from fairly innocuous experimentation, primarily by researchers, to advanced cyber crime and advanced persistent threat. In 2013, Richard Stiennon extended it by adding surveillance to it. At its simplest level, the threat stack can be interpreted as a measure of the motivation and sophistication of a particular group of attackers. It is also possible to attach an approximate timeline to the threats, indicating when these threats were most prominent, and the maturity level of the threat.