Cybersecurity Theory and Myths

David Opderbeck put together a terrific cybersecurity conference at Seton Hall today. I was on a panel discussing cybersecurity policy and legal theory. The audience was primarily law enforcement and practicing attorneys, so I asked, “What are you doing here?” In good academic fashion, I proceeded to (try to) answer my own question – why is a theory of cybersecurity useful?

Currently, “cybersecurity” is a term that utterly lacks coherence. It encompasses threats including malware, identity theft, hacking, intellectual property infringement, denial of service attacks, espionage, and acts of war by nation-states. It tries to address risks to end users, administrators, ISPs, utility companies, financial institutions, defense contractors, and the government. In short, we’re unhelpfully subsuming a congeries of technical and legal policy concerns under a single rubric. They don’t fit. This is a significant reason for the disparity between apocalyptic rhetoric about cyber-threats (reminiscent of doomsday predictions about the Y2K bug) and the admitted lack of meaningful progress on cybersecurity in the last decade. Our current conception of cybersecurity hinders us in prioritizing among these issues and then focusing on the most relevant threats.

This is the role of theory: it provides an organizing framework to rank competing concerns, to measure progress in addressing them, and to make and justify the inevitable trade-offs that occur. Theory helps guide policymakers to the most pressing problems, and helps us assess how they’re doing at resolving those issues.

My suggestion for a cybersecurity theory is to focus on information – in particular, on access to, alteration of, and integrity of information. I spell this out in Conundrum, which is forthcoming in the Minnesota Law Review, and which I’ve blogged about before. We need a new theory of cybersecurity, and I think this one could be helpful in practical ways.

The conference also reminded me of how new this field is, and the degree to which multiple professions and disciplines are struggling with its challenges. Sometimes this is frustrating, as one keeps hearing the same tropes raised again and again. So, I present you with today’s Top Four Cybersecurity Myths:

  1. Cyber terrorism: it does not exist. There are no – repeat, zero – documented incidents of cyber-terrorism. The idea that al-Qaeda will use virtual reality technology to train terrorists here in America (which I heard today) is simply ludicrous. Bin Laden didn’t even use e-mail! And anyone who’s tried streaming Hulu over a wireless connection will appreciate just how hard it is to use high-bandwidth apps even in a broadband environment.
  2. Supply chain exploits: again, there’s simply no evidence that China, or anyone else for that matter, is planting covert code in computer chips or laptops. This is conspiracy theory stuff.
  3. Cybersecurity can be solved: several speakers today talked of getting to the point where we “solve” cybersecurity. Given our success at solving IP infringement, identity theft, and even physical security, I think it’s safe to say that we will at best manage cybersecurity. It’s like the flu: we can turn it into a nuisance with occasional bad outbreaks.
  4. “No one cares more about civil liberties than Cyber Command and the National Security Agency.” Yes. The NSA would never illegally eavesdrop on U.S. telephone calls and e-mails, in violation of the Foreign Intelligence Surveillance Act and the Fourth Amendment. (I stopped listening to Mark Young, who works for Cyber Command, after this gem.)

Thanks to David, Denise Pinney, and everyone at Seton Hall and Rutgers who made this a great event!

4 Responses to “Cybersecurity Theory and Myths”

  1. […] via Info/Law, Cybersecurity Theory and Myths. […]

  2. I think Mark Young is right about the NSA caring about civil liberties. If they didn’t care, how would they know how to violate them so effectively?

  3. Overall, your points are solid here. I only take exception to your contention that cyber terrorism does not exist.

    “Terrorism” is always such a loaded term whose definition is fuzzy at best, but I would classify many of the actions we’ve seen from Anonymous and similar hacktivist groups this year as such (or as “freedom fighters” if I’m finding them sympathetic today).

    Perhaps you want to use a definition of “terrorism” that includes significant loss of life, but that seems overly narrow. I’d prefer “action taken by civilian groups, without formal governmental support, that is meant to instill fear and is undertaken as a means to achieve political ends.” Under that definition, we’ve definitely seen cyber terrorism already.

  4. It seems contrived to exclude “formal governmental support” from the definition of terrorism, almost as if someone were trying to gloss over past actions and existing policy of various governments. I suggest as a reference definition for terrorism itself the motive-neutral one put forward by Eqbal Ahmad in 1998