Dan Geer: In cybersecurity, expectations drive reality
The worst laws are those that are unenforceable, so what would we hope our lawmakers say about data collecting and sharing technologies that are not yet critical but soon will be?
Now that we need cybersecurity protections to the degree that we do, to whom does the responsibility devolve? The worst laws are those that are unenforceable, so what would we hope our lawmakers say about technologies that are not yet critical but soon will be?
Do we forbid becoming critically dependent on them when it is not their design but rather the sheer magnitude of their adoption that is what makes them critically essential?
If a sharing economy is to be preferred, then are owners' privileges due to wax while renters' wane, or the other way around? Is the pool of shareable things in a sharing economy akin to the capital in the banking system – something to regulate lest a demand surge cause a run on available liquid assets?
Once an expectation of constant contactability congeals, a coordination mindset eclipses a planning mindset; "I'll shoot you a text when I get there," rather than, "I will be there at five minutes 'til two."
If you act on your expectation that information should be free, then someone still pays, just not you, and hence you are not the customer, you are the product. In due course, ever more personalized advertising supporting ever richer free information means a small-s surveillance structure to power that very personalization.
Years of political capital have gone to making insurance, which is to say risk pooling, mandatory and yet to forbid insurers to make risk-informed pricing (the entire premise of Obamacare, gender-neutral life insurance, assigned risk pools holding miserable drivers, etc.).
The Internet of Things is running a 35 percent compound annual growth rate, meaning that in due course, its parts, each and severally, can only morph into critical infrastructures. Their selling proposition is either an expectation of mental leisure, "You don't have to worry about XYZ any more," or else an expectation of insight, "How many calories did I burn in that last game of tennis?" In short order, you won't be able to get along without them.
We are in a sea change of expectation with respect to what cybersecurity is and is for. The pervasive, eager willingness to collect and share information, to deploy sensors, to delegate management of daily life, to entrust health to the prerogatives of algorithms is both cause and effect of information ever more digitally available.
Heretofore, the great triad of cybersecurity goals was confidentiality, integrity, and availability. The great power of data fusion applied to that growing cataract of shared data means that confidentiality and the gatekeeping of data access supporting it can no longer be the pinnacle goal of cybersecurity, perhaps not even a goal at all.
If we are to have all-electronic health records and regular monitoring by everything from our toilet to the breathalyzer in our car – all the while the majority of medicines transition to being genomically personalized – we had better be sure that it is data integrity that is paramount.
That triad of confidentiality, integrity, and availability may now contract to integrity and availability, and do so because that contraction is the logical outcome of our expectations.
In so many words, First World democracy is less choosing who gets what title but rather what guarantees we want applied after the fact to things we adopted out of their irresistibility. An expectation of riskless life is the hallmark of adolescence. Perhaps all I am saying is that cyberspace is solidly adolescent – too young to take over but too big to ignore.
Yet in the end, reality always wins and wishful thinking always loses. That eventuality may not be instant, just as John Maynard Keynes put it when he said, "The market can remain irrational longer than you can remain solvent," but on the relentlessly accelerating time scale of data accumulation, I don't think there is a long wait in store.
My bet is that data protection soon means some mandate ostensibly guaranteeing that data are untampered with plus, where required, that data can be assuredly deleted. The more we depend on data, the less we can keep it in a locked box but the more we will rely on it being correct.
Dan Geer is the chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader US intelligence community.