The word “cybernetics” comes from the Greek root “kybernetes,” which means one skilled in steering or governing. It’s the same root used in the word “cyborg,” a portmanteau of “cyber” and “organism.” The difference between a cyborg and a robot is that a cyborg is a human, augmented or aided by mechanical or technological devices, which the popular mind usually envisions as being onboard or built in, so to speak, while the robot is purely technological. Cyber Security, then, is literally protecting or assuring the ability of the designated, appropriate helmsman; defending the proper governing authority over our augmentive and assistive technologies. But even here there is an insider threat: given the dichotomy between human and technology, which one is doing the steering?
I argue that we have reached a point in development where we have very nearly completed the development of the ability to offload the governing responsibility to the technology. I also argue that this is a mistake. This isn’t news, though, and you don’t have to take my word for it; science-fiction has been warning of this since the end of World War II. Yet we continue to ignore the parables and illustrations.
Cyber Security, properly conceived and exercised, is a human activity and not a technological one. Automation of security processes is a tool, but human gatekeepers must forever be a part of the architecture. And we resist this necessity because it is hard to do. It is hard to control other human beings. It is hard to make them do the right things: don’t open emails from people you don’t know, digitally sign your communications, don’t log on with administrative credentials….
The pursuit of centralization and standardization in IT, in the name of security, is an attempt to address this problem; to control risk by controlling means, which means controlling behavior. It also relies on false premises.
First, there is the idea that control is equivalent to security. Control is rigid. Control lacks resilience. Standardization reduces an organization’s flexibility, and thus its agility. These things come with having options and a variety of tools and resources. The very concept of networking is about resilience; it is the reason that ARPA began researching the Internet, a decentralized network that would be survivable because it was resilient. And now the effort is to rein it in? Control, standardization, and centralization have their place, but they require balance and consideration; otherwise they degrade security. Just as the wise commander knows he cannot be strong everywhere, and that to try makes him strong nowhere, the concepts of mass and maneuver still apply, but even the military minds engaged in this effort are missing it. The concepts to consider are separation of responsibilities and the avoidance of single points of failure, yet we are heedlessly barreling down the road to a day when a single breach has the potential to compromise everything. Decentralization limits risk. A single breach may devastate one node, but the rest are able to continue on, including being able to provide relief to the distressed node.
The second false premise is the way security is pursued. We do so without heed to the need for utility, and also by eschewing the human as insecure, seeking security only through technology. It is, or should be, axiomatic that the utility of a system is inversely proportional to its security. I can produce for you a completely secure system. It will also be completely unusable: a computer with all its ports filled with epoxy, cabled to nothing, and neither connected to power nor powered in any way. Naturally this defeats the purpose. Any system which is useful is inherently vulnerable, and there is only one way to address that essential vulnerability: by imposing sufficiently aware, trained, and educated humans as gateways. Had Chelsea/Bradley Manning at any time been challenged on need to know, the Wikileaks breach that followed would have been limited or prevented. The system had no way to accomplish that, but a first-line supervisor could have. Humans are flawed, but, as the endless stream of vulnerability patching on all systems of whatever origin should attest, so are the technologies that they create. There is no perfection to be found here, and we should give up acting as though there were. Immanuel Kant said, “From the crooked timber of humanity, nothing straight was ever made,” and technology comes from us.
Consider the human attempts to deliberately compromise or exploit security through viruses. When Dr. Fred Cohen coined the word “virus” for malware in his 1986 Ph.D. thesis, he may have been far more right than he knew. Not only does the infection behave in many striking ways like a virus, but proper Cyber Security habits among a workforce and the general population work much like immunization, including the concept of “herd immunity.” The immunized population defends not only themselves individually, but all those with whom they commune electronically as well.
To give it a more martial analogy, most everyone has seen the movie 300. Recall the conversation between Ephialtes, who would later betray the Greeks, and the Spartan king, Leonidas, as the king explains in utilitarian terms why the crippled exile cannot fight with them on the battlefield: his physical limitations keep him from properly raising his shield to defend himself, and, being so disabled, he cannot defend his fellow warriors either. Ephialtes was unable. Most of the users in our formations simply choose not to. A very few may not know better, but that’s extremely unlikely in this day and age, with good information a near-constant drumbeat. Like the Soldier who falls asleep on guard duty, regardless of the reason, they not only endanger other lives, but will likely be the first to fall in any attack that comes their way. It takes humans, policing humans, to achieve Cyber Security. The failure to correctly prioritize the human over technology is pervasive. It is also far older than the information age. The Army would far rather invest in laser range finders, programmable grenade launchers, and rifles with brochures that assure leadership that qualification rates will improve than in the time to actively train and develop real marksmen; and so it would rather devote training time to the far easier, and far less capable, FM radio systems than train on high-frequency radios that overcome every terrain obstacle. So it’s no wonder that it will gladly spend millions on racks full of blinky lights rather than educate its formations not to open suspicious email attachments….
We have to decide, will we steer the technology, or will we be steered by it?