Digital Transactions Authoritative, insightful and timely information for payments professionals
Gideon Samid • Gideon@AGSgo.com
It’s time we redefined information security (infosec). I suggest the following: preventing our adversaries from harming our interests using data as a medium.
The more standard definitions for infosec, which talk about such things as eavesdropping and modifying and destroying data and access thereto, are leaving too much behind. We are in a cyberwar, facing an adversary who is constantly exercising imagination and skills to develop attack scenarios that we have not begun to conceive of. If we limit our role to defending against known attacks, we secure an inferior position. We’re behind from the start.
We are not only overwhelmingly more vulnerable than our often shadowy adversaries, we are also heavier. We are afflicted with multistory, vertical command-and-control hierarchies that asphyxiate ideas as they pop up from the bottom. We are big, widespread, and burdened by a coordination challenge, by an authorization spread, and by political obstacles. We have a large footprint, and our rules of engagement are well-known and widely advertised.
By contrast, our enemy is invariably smaller and nimbler. And, perhaps, smarter. Alas, not only don’t we have any control over how much imagination is exercised by our adversaries, we cannot even measure, and can hardly estimate, its bounds. We must solemnly concede that the next Alan Turing may have been born on the wrong sides of the tracks.
We must also note that as much as we enjoy the power of our conviction, a growing number of our adversaries are powerfully motivated by the realization that the cyber arena is the only place where they have a chance against their perceived Goliath. The computer is their slingshot, and some of them believe that they fight the Biblical battle against the “money changers.” The “Occupy Wall Street” crowds likely include first-class hackers who wrongly view digital money flow as the province of the “top 1%.” And every time Bank of America or another “filthy rich” organization levies surcharges, user fees, or “transaction adjustments,” another wave of hackers joins our assailants. Much as technically savvy jihadists are far more dangerous than playful geeks, so a wave of smart hackers propelled by the noble cause of social justice imperils our systems far more than ordinary black hats.
We can only defend against threats that we have had the imagination to conceive of. And if we restrict our thoughts to a narrow definition of infosec, we discourage the blue-sky “what if?” questions that can help us meet our cyberwar challenge.
Consider this: A system programmer was once handsomely paid to carry out a nominally harmless act: create several files containing garbage. No eavesdropping, no theft, no falsified communication, just meaningless files. The purpose was unknown to the perpetrator himself. The files were discovered by security officers, who suspected they contained sensitive information, or data useful for a planned hack attack. It was quite worrisome because the encryption was unyielding. The entire security team was galvanized by this “find.” not realizing the files could not be decrypted because they were random data to begin with, and that the purpose was a diversion from a very elaborate attack that took place at the same time. The classic information-security definitions do not include this cyberwar scenario.
How do you classify a scheme in which the chief security officer of a financial institution finds himself defending against a frivolous sexual harassment suit, designed for no other reason than to distract him from shop security? Or the case where a bank employee was paid to carbon-copy his e-mails to a particular bank official who, a few days earlier, had left his cell phone in a cab. He got it back the next day. Alas, his phone contained a self-recorded audio note of all his active passwords.
Increasingly, data crimes involve many participants whose actions don’t narrowly qualify as incurring legal liability—except through the broad redefinition I propose here. This definition will allow victims to resort to civil courts for redress, and will give the government solid ground to go after cybercriminals, using the corresponding definition that it is a federal crime to intentionally harm the good order of federal agencies using data as a medium.
When, long ago, IBM sold only typewriters, they called them “business machines,” and kindled the imagination to make them evolve into computers. A broad redefinition of computer security will give us a clear advantage in the imagination race of this unending cyberwar.
