The subject at hand is the safe transfer, storage and access to meaning—between individual human beings (or a single human being)—and by means of computers and networked computer systems.
Our aim has been to develop a full-blown treatise on the subject matter of Cybersecurity; the same being one which comprises key / axioms
Ergo, over the coming sections, we shall develop a new top-level theory of secure point-to-point system(s) for private communication of meaning. Along the way, we identify—a logically consistent—set of terms, principles and recommendations; with which to characterise and compare-and-contrast the different security system types. Largely, implementation details will be cast aside—but (hopefully) not at the expense of lucidity, rigour and/or truthful analysis.
Quest For Absolute Security
In any case, we shall ask: what does an ideal security system look like—what are its specific features—and how can we deliver absolute security? Oft-times manufacturers put forward the view that a particular networked system is immune to hacking/spying as a result of this fact—or for that pre-eminent reason—and/or simply because it uses that method etc. But if there is a key lesson of the cybersecurity field—it has been that no single defensive technique is a source of ultimate safety—rather it is the whole system that must be secure, by design, implementation and operation. Today’s systems must anticipate future attacks. Any comprehensive system—whether for authenticated communications, secure data storage, or electronic commerce—is likely to remain in use for five years or more.
Consider also the lifetime(s) of any/all datum copies! The system (plus copy protections)—must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won’t be time to upgrade it in the field. Patently, the designer does not (and cannot) know what will be the precise user-case scenario(s)—or specific nature(s) of the complex technological environment(s)—in which a particular communication system will be used.
Hence what can be done? In a nutshell, it is my belief that we must—fight for the right—to recognise, know and comprehend what are the underlying principles—plus assumptions—used in each case. Accordingly, we need an open, valid—all-encompassing—theory of information security—and primarily to define what it actually means (logically, philosophically, technically and socially) to keep information safe.
Ergo, and by means of this treatise as specified in the associated book and website, we henceforth submit a new (unified) theory of Cybersecurity.
Doubtless, it is a truism that sometimes one cannot see the wood-for-the-trees in terms of identifying the precise relationships between the technical (structural) aspects of how a system works and its varied—and perhaps unpredictable (functional) influences on the wider human/social world. A blindspot may exist in terms of understanding how a system operates to produce certain functional outcomes.
Sometimes (or often) we do not have a full understanding of how—or why—a system works structurally; and due to factors such as the diversity, complexity, atomicity and the partial invisibility of operational situation(s), plus due to the presence of hidden/unpredictable influencing factors and/or unknown/arbitrary low-level design features etc. But if any blindspot(s) also exist for the designers/operators, then it may be that we are all in very serious trouble, because it would appear that nobody knows—or can begin to explain—what may be the functional effect(s) of our systems, computers and machines.
Accordingly, we (the users) must be able to understand (at the very least) what are the operating principles/assumptions for our communication technologies; and in particular how, when, where and why; they interrelate with wider social workflows to form everyday communication systems. But in terms of present-day systems, this is precisely what we often do not have—knowledge of the ways in which our systems may (possibly) fail to live up to our expectations in the future (ref. forever is a very long time!).
It has been our position that for—information-security—missing are axiomatic principles/laws—or founding definitions/propositions related to the ‘human-side’ of the equation. Consequently, we shall endeavour to bring truth, unity, clarity and logical structure—or holism—to the topic of socially secure communication.
I need hardly remind the reader of the very real problem(s) facing anyone who wishes to obtain certainty in relation to protecting the privacy of his/her digital communications. Many people believe that absolute security is, quite simply, impossible to achieve. Why should this be the case? And why is there a widespread belief that—it is somehow inevitable—that current systems must be fundamentally insecure? Patently, the answer relates (partly) to the countless data-breaches that occur on a daily basis.
And astoundingly, it seems that the very same people who advised us on cybersecurity—the world’s top experts—have actually helped the NSA build encryption back-doors into vast numbers of computers, phones and networked devices. Unfortunately however, these same back-door(s) are available to hackers. Nevertheless, perhaps the NSA have done us all a favour—by (inadvertently) exposing an industry—information-security—that is rampant with false-promises and undelivered guarantees. Professor Phillip Rogaway has recently written an article entitled ‘The Moral Failure of Computer Scientists’—and in relation to this specific issue (2016).
What can be done to bring belief/trustworthiness—back to the field of information-security? Perhaps we can begin by asking: what is the nature of private communication? In this respect—we offer up a quick hint—by suggesting that privacy and security (for interpersonal communication(s))—may be fundamental human right(s). I know that related issue(s) are contentious—and much debated—but surely we (as a people) should at least consider the implications of the United Nations Declaration of Human Rights—with respect to the free exchange of ideas (i.e. protection of open/private/secret thoughts). We might even consider creating an Information-Security Declaration of Human Rights (or techno-rights)—in terms of the provision of founding principles—for computer, system and machine design(s).
Placing such (utopian?) ideas aside, we must acknowledge that networked communication system(s) exist in a dangerous—and unlawful—environment that is analogous to the American Old or Wild-West. Whereby countless unsafe-actors represent real danger(s) to communicated private-datum(s).
What can be done? How can we bring confidence, trust and principled design—plus predictability—back to the field of Cybersecurity? Well firstly, we need full disclosure/agreement—and in relation to valid founding principles for the field of cybersecurity (plus related: axioms, definitions, logics, designs and policies etc)—and in order to be able to build truly effective communication tools.
Evidently, it is necessary to bring the computer back to an original purpose—interpersonal communication without spies/hacks/data-breaches.
In summary, we must impel designers to work on more effective solutions when it comes to information-security; using rational/ethical principles based on logically consistent—and publicly visible/critique-able—definitions, axioms, concepts and theories. Ergo, my hope is that—the Treatise On Security—introduced here—can prove useful for application to future point-to-point system(s) for private communication of meaning.
In the coming sections we shall develop the founding principles, concepts, laws and axioms that make up our new theory of Cybersecurity, but just as a taster we list all the axioms together here for your convenience. Note that it is unlikely that the first-time reader will understand the—how, why and where—of these axioms without first reading the associated book and website sections; so he/she should go there first.
System Access Gateways
Our new theory of Cybersecurity is grounded on a set of core principles, as depicted in the Cybersecurity System Access Gateways (CSAG) diagram.
The CSAG diagram teaches that in order for a Datum or Datum-Copy—existing on a networked computer system—to have its inner meaning ‘extracted’ by either a legitimate user or else an illegitimate intruder—then that same party must first possess a means of opening up a PHYSICAL GATEWAY in order to see/touch the physical FORM of the Datum held on a Media of Storage, Transfer or Access (i.e. obtain a physical copy).
Next on said media the party traverses one or more VIRTUAL GATEWAYS to obtain the Datum’s raw format (i.e. open a virtual copy). Finally the party in question—must decode the Datum’s inner meaning or CONTENT by traversing one or more of 3 kinds of MEANING GATEWAYS: named as the Metrical, Selectional and Descriptive layers—which may be nested together, one on top of another, in a Russian-doll fashion.
Cybersecurity is then defined simply, and completely, as the continuous processes of PROTECTING (i.e. Locking, Blocking and/or Concealing) all necessary GATEWAY types—that is defending the Datum’s inner meaning from unwarranted disclosure—whilst at the same time ENABLING legitimate users to access said Datum’s inner meaning by means of readily accessible system GATEWAYS. QED.
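The gateway chain and the two-sided definition above (protecting and enabling) can be written down as a small threat-model check. This is an added example, not part of the treatise: the capability names, sample gateways and parties are constructed, and the three meaning layers are treated as a single kind because this section does not define them.

```python
from dataclasses import dataclass
from typing import Optional

KINDS = ("physical", "virtual", "meaning")   # traversal order given in the text

@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                      # one of KINDS
    protection: Optional[str]      # "lock", "block", "conceal", or None (open)
    opener: Optional[str] = None   # assumed: capability needed to traverse it

@dataclass(frozen=True)
class Party:
    name: str
    legitimate: bool
    capabilities: frozenset

def first_barrier(chain, party):
    """First gateway the party cannot traverse; None means content is reached."""
    for gw in chain:
        if gw.protection and gw.opener not in party.capabilities:
            return gw
    return None

def audit(chain, parties):
    """Check both halves of the definition: protecting and enabling."""
    order = [KINDS.index(gw.kind) for gw in chain]
    if order != sorted(order):
        raise ValueError("chain must run physical -> virtual -> meaning")
    findings = [f"unprotected:{k}" for k in KINDS
                if not any(g.kind == k and g.protection for g in chain)]
    for p in parties:
        barrier = first_barrier(chain, p)
        if p.legitimate and barrier:
            findings.append(f"denied:{p.name}@{barrier.name}")
        elif not p.legitimate and barrier is None:
            findings.append(f"exposed:{p.name}")
    return findings

# Constructed sample: one datum-copy stored on a laptop disk.
CHAIN = [
    Gateway("locked office", "physical", "block", "door-key"),
    Gateway("os login", "virtual", "lock", "password"),
    Gateway("cipher", "meaning", "lock", "decryption-key"),
]
WEAK = CHAIN[:2] + [Gateway("plain text", "meaning", None)]
OWNER = Party("owner", True, frozenset({"door-key", "password", "decryption-key"}))
THIEF = Party("thief", False, frozenset({"door-key", "password"}))
```

Calling `audit(CHAIN, [OWNER, THIEF])` returns no findings, while `audit(WEAK, [OWNER, THIEF])` reports the open meaning gateway and the resulting exposure.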
SCF 1.0 – InfoGraphic A
Cybersecurity System Access Gateways
Source: ‘The Science Of Cybersecurity’ (2017) – by Alan Radley