NOTE: I’ve completed preliminary research to arrive at the line of reasoning represented in this plan/draft. Probably goes without saying, but I’m still performing research and what I’ve so far established in this draft will likely become much more focused as I learn more. In particular I’ve taken this initial time to better understand and ground my own political perspective from which my critique on private Cybersecurity practice flows. This essay will become more focused on specifics as I find a more objective way to discuss the surrounding complexity in which it operates. Thank you for the guidance and the opportunity for a mid-term review of the project, it’s very helpful! – Loren
- Introduction
The field of private Cybersecurity is burdened with the mitigation of risks which are not within its purview. I will begin by evidencing this statement, briefly highlighting how this effect is partially caused by practices within the industry itself, but in larger part an effect of the environment within which it operates. From the viewpoint that the Internet has become a tool of hegemonic globalization, I’ll propose that the unreasonable expectations are symptomatic of the displacement of political dilemmas otherwise unaddressed, and not unaddressable, by security practices. Finally, I will conclude by directing a few recommendations to the field from this perspective. refs: The Standard Cybersecurity Model Is Fundamentally Broken, Cybersecurity is failing due to ineffective technology
- Internal issues: Technocentrism and Sensationalism
“Computer security, cybersecurity or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide” — Wikipedia, Cybersecurity
Security and Technological Panaceas: There is a bias towards solving technical problems, and a correlated poor track record in considering and addressing the critical human factors which (ref)… (WORK IN PROGRESS)
Sensationalism in the media surrounding cyber threats obscures the real impact of successful cyber-attacks and exaggerates the scope of possible future attacks. Unfortunately, this tendency is routinely capitalized upon within the marketing of Cybersecurity services. There is reliable research demonstrating that the real impact of cyber-attacks, and the looming threats, are both overstated (ref, ref, ref). For example, there’s a recurrent concern of a cyber-attack at the national level, commonly referred to as a “digital Pearl Harbor”. In my research however I’ve found evidence that, due to the resiliency and redundant nature of the Internet itself, such attacks are highly unlikely and possibly untenable (ref). Debatably this bracing fear is a vestigial inheritance of Cold War fears (ref).
ref: Cyber-noir: Cybersecurity and popular culture,
- External Issues: The Internet is Political / Mission Impossible
The Internet: “a global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols.” — (ref)
Beyond this purely technical definition, “The Internet” additionally implies a series of political and social realities familiar, potentially somewhat invisible, to the Western audience. Since the introduction of the public/commercial Internet in the mid-90s there has been dramatic slippage from origins as a network backbone for US military communication and the international sharing of research. The consensual deployment of a bounded Classical Liberalism in the form of a network of sharing or research across national boundaries was extended to become a hegemonic deployment of economic Liberalism. The Internet of today is many things, but a premier tool of globalization starkly among them.
This transit was not happenstance, but a problematic sleight-of-hand inured to this era. While there is a political motivation determining this effect, the technical architecture of Internet protocols in their current implementation doesn’t provide means for limiting it.
The Internet transparently spans national boundaries and does not differentiate competitive and the commercial forces from the civic and cooperative. Globalization collapses delineations in similar ways and its active and passive proponents have little reason to support them.
In reaction to unwelcome influences of globalization a threat actor is as likely, if not more, to attack Google than the US government. Private Cybersecurity operates within a fundamentally political field while bound by private corporate interest leaving it unrealistically tasked with mitigating and otherwise anticipating risks which arise pervasively from such implied conflicts.
refs: The Difference Between Classical Liberalism and Libertarianism, The Influence of the Internet on globalization process
Conclusion: Recommendations for Improving Cybersecurity Practice
Sketch of recommendations so far: FOCUS! Stop perpetuating FUD; Stop complaining about underfunding and get clear on the scope of practice and push back with a more nuanced political conversation; Explore and build deeper relationships between the public and private sectors (In what ways have Cybersecurity professionals successfully collaborated with the government, be it on policy or actual deployment of Cybersecurity solutions?)
refs: Cybersecurity is too big a job for governments or business to handle alone, The Cybersecurity 202: A group of industry, government and cyber experts have a big plan to disrupt the ransomware crisis
