Spies—inherently, with good reason—are a world apart. Most of us, even inside the Beltway bubble, simply don’t get to know what they know until someone in intelligence deigns to share with the press.
Despite the occasional tidal wave of leaks, Wiki- or otherwise, the Internet hasn’t much changed that. But the hard limits of public knowledge about secret matters of state are no excuse for the profundity of popular ignorance around cybersecurity and “infosec.” The longer this problem persists, the more it will be compounded—by superficial coverage, conspiratorial blather, and all the characteristic ills of mainstream and social media alike. Our adversaries can only be expected to take covert and overt advantage. It is long past time to bone up.
In one way, this is easier said than done. If the media wants to combat ignorance and fake knowledge, broad-based coverage of basic cybersecurity facts would help. Technological advances marketed not long ago as “like magic” are woven into an information fabric so opaque to the ordinary American’s gaze that it is now often the subject of magical thinking. Even worse, stale and outdated metaphors plucked from centuries past are routinely used to make false sense of infosec problems and would-be solutions.
Let’s put the gory details to one side in favor of the most widely embraced educational feature of the Internet: the tutorial. To deal Americans back into the debate over cybersecurity, they need a fundamental conceptual walkthrough. Absent that, they’ll continue to flail, confused and reactive, as their elected and unelected officials lurch with decreasing legitimacy from crisis to crisis. And the mainstream media, no matter how devoted to the truth, will create and reinforce mistaken impressions certain to warp policy judgments and rattle political nerves even worse than they already are.
You Can Still Get Impartial Basics
Given how deeply connected most people have become to the Internet, it is especially sad and alarming how low the popular baseline still is on cybersecurity. When is a hack a hack? When is it actually a problem? What’s weak infosec? What are the minimum must-haves for responsible security hygiene?
The answers to questions like these are not well known by everyday people or widely disseminated by media outlets. People do not know where to find the answers, or even how to pose the right questions. Throw in contending ideological agendas and a similar level of miseducation among more than a few politicos, and it was utterly predictable that the election-year debate over Russia, China, Assange, and all the rest would be a hodgepodge of inanity. After the ordeal of 2016, many people probably intuitively doubt there’s an “impartial” view of cybersecurity basics.
Well, there is. Perhaps the best illustration is one of the most fundamental to grasping good infosec today. Consider one of the most prevalent and damaging real-world metaphors ported into cybersecurity from the era of the Crusades or the Black Plague. Many people still think of infosec as an exercise in building good castles. To reach back even further, to ancient China and Rome, people assume that infosec is coextensive with putting walls along borders. The bigger and thicker the wall, the better the cybersecurity, full stop.
Problem? It’s not just a matter of using shopworn old metaphors. Some of them—such as the human immune system or a well-trained militia—actually still map pretty well onto infosec. But the castle or wall metaphor relies on a kind of security technology that has been far surpassed online.
With a few minutes’ reflection, you can grasp the immediate logical corollaries of those metaphors: because the only way to get at your stuff is through the wall, any unwanted interaction with the wall is an attack, and any breach of the wall is a scary crisis. In the real world of infosec, where good security hygiene is in place, those corollaries are as invalid as the metaphors that give rise to them.
Think of Information Security as an Immune System
Return to the idea of infosec as an immune system. It is very hard to say the body is healthy unless it is demonstrably responding to ongoing unwanted invasions—sorting good bacteria from bad, fighting off viruses in order of priority, and toughening up as a result of limited, non-catastrophic exposure to infection. This is just about the opposite of the security setup in the castle or wall scenario.
It’s not that you want to welcome enemies past “the gates,” of course. It’s that good cybersecurity means taking as a given that you will always be situated in an information ecology, where boundaries are porous by degrees and necessity, and where the inflow and outflow of information and people—often with much less than perfectly clear intent—is the rule of the environment, not the exception.
That brings us to the metaphor of a good militia—or mafia. The concept of the circle of trust is familiar from organized crime no less than the art of war. In fact, the real concept is one of circles, plural, with key people and key information at the center of concentric rings with porous, shifting borders.
Here, there are no moats with drawbridges leading to peepholed impregnable gates. Here, unwanted and initially mysterious advances are routine and expected; contingencies are in place for probes that violate too many circles of trust; records are made and kept, and institutional memory built, regarding who and what can be trusted or not; and the security of the system is recognized to be measurable by its ability to handle breaches and solve mysteries, not just its ability to prevent them.
This is the beginning of common-sense, practical, popular wisdom about just what infosec is and just what our reasonable expectations around participating in a nationwide infosec system should be. Start here, and soon, with hard work and some luck, many Americans will begin to intuitively understand how nation-states and citizens ought to reapply the infosec model to the physical world. They’ll come to grasp that the era of big borders is over, and the task is to refocus and adapt our approaches to issue areas that range from national security and immigration to health care and critical infrastructure to land, sea, air, and ultimately space transportation.
But until popular and elite education catches up to the new but surprisingly comprehensible reality of cybersecurity, we’ll have a difficult time getting the future off the ground. After a few keystrokes, our foes around the world will lift their glasses and cheer.