Back to the roots

Thomas Maillart
May 6, 2015

Why cyber security needs more collective intelligence

At the beginning, there was nothing. A few monster computers would heat the basement of some prestigious universities, crunching numbers for mathematicians and physicists.

But one day in the late 1950s, a handful of tinkerers pushed their curiosity and skills out of their usual playground (the Tech Model Railroad Club at MIT) to collectively explore and hack these monster computers, for the sheer pleasure of learning-by-doing, for mastering complicated computer technologies, and for unlocking their immense potential, beyond scientific needs.

These early hackers also demonstrated the importance of openness to enhance complicated technologies. And for a large part, they have managed to impose an open culture, in which problems and their solutions are shared among a broader community.

The early years of Internet

Ten years later, the research division of the Pentagon, called ARPA (now DARPA), launched ARPANET. It was a project to establish reliable communication protocols between computers — a network that would become the Internet.

ARPANET was initially tested and deployed across universities and research centers, starting in 1969 on the West Coast, with University of California Los Angeles (UCLA), Santa Barbara (UCSB), Stanford (via the Stanford Research Institute, now SRI International), and University of Utah. In 1970, ARPANET reached the East Coast (Cambridge, Massachusetts), grew all over the United States, and finally crossed the Atlantic towards Norway in 1973.

With a culture of community-based open software development, and with the technology to let information travel freely and instantly over larger distances, the basic building blocks for uncontrolled evolution and growth were in place.

Image: “Quadratic Koch 3D (type2 stage2)” by Robert Dickau. Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons.

Vulnerabilities emerge

ARPANET expanded worldwide as an academic network. Already in 1988, there were concerns about the number of connected computers. Robert Tappan Morris, a graduate student at Cornell University, decided to gauge the size of this new Internet, with a program that would replicate and spread across the network.

A programming error made this program execute on a computer as many times as this computer was contacted, leading to processing overload, and ultimately to the crash of thousands of machines across the network. While unintentional, the Morris Worm was the first ever recorded instance of a damaging virus spreading across a computer network. Ironically, since computers crashed following their infection, the Morris Worm also failed in its measurement goals. (And by the way, measuring the exact size of the Internet has become an increasingly complicated problem, of great scientific interest, and with no definitive answer.)

Image: “Quadratic Koch 3D (type2 stage2)” by Robert Dickau. Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons.

Freedom for all meets concerns about cybersecurity

In 1994, with The Gore Bill (after former Senator and Vice-President Al Gore), ARPANET began to operate as a commercial network and was renamed the Internet. Growth followed: companies and consumers connected their computers and started interacting at an unprecedented pace.

More than ever before, the human factor became a critical dimension of security and privacy in this new connected and networked (cyber) space, while also unleashing the power of massive online collaboration. This spirit was evident in Usenix forums and IRC channels (chats), and was followed by open source software development and collaborative Wikipedia editing, for example. Later, mass collaboration reached a mature consumer industry with modern social networks such as YouTube, Facebook, and Twitter.

And today, the Internet has expanded into the physical world. Smartphones are geo-located and allow contactless payments; self-driving cars cruise California Highways 101 and 280 (between Palo Alto and San Francisco); smart-meters regulate the power grid and follow our energy consumption at home; and ubiquitous biosensors record a number of intimate physiological signals. For the latter example, the technology holds promising applications for tracking personal health almost in real time, and for sharing emotions seamlessly on social networks.

Since its beginnings, the purpose of the Internet was to let information flow as fast and freely as possible. This openness was crafted by hackers for their own advantage, following from their techno-hippie ideology — sharing ideas, problems, and solutions was both the purpose and the means of achieving a smarter world with more freedom for everyone.

In many ways, the collaborative approach at the roots of the Internet is also successful for ensuring cybersecurity and combating cyber threats. Take the disclosure of software vulnerabilities, for example, which are submitted to software editors by those who discover them, but fully disclosed after a pre-defined period of time (regardless of whether the software editor has taken any action yet or not).

Yet cybersecurity itself has been deeply impregnated by a culture of secrecy, perhaps inherited from its inception in the defense industry.

Image: “Quadratic Koch 3D (type2 stage3)” by Robert Dickau. Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons.

For cybersecurity, go back to the roots

The Internet security industry has largely failed to recognize that cybersecurity should be designed on the very same fundamental rules that govern the Internet — openness.

Unwillingness to publicly acknowledge and discuss security problems has left cybersecurity behind. Many cybersecurity practitioners have been insufficiently challenged on their capabilities to adapt to ever changing threats. Lack of accountability has led some security experts to consider themselves as the sole holders of knowledge.

Meanwhile, insufficient disclosure of security problems such as software vulnerabilities and data breaches has left most Internet users with a false sense of security, which in turn has undermined concerns.

As cyber attacks turn out to be increasingly massive, disruptive, and somewhat scary, more people (even large organizations) realize that they are insufficiently protected and don’t have the tools to remedy their security and privacy problems on their own.

How do people reasonably avoid leaving digital traces in retail stores (e.g., Target) or banks (e.g., J.P. Morgan), which are likely to fail at protecting their personal information? What can people do to prevent governmental agencies from breaking into their favorite email or chat services for unclear purposes?

Trust in cybersecurity could not be more broken than it is today — at the very moment when cyber attacks are increasingly carried out against individuals, large organizations, and governments.

We — scientists, security practitioners, governments, everyone — need to recognize that cybersecurity is made more efficient by complying with the very rules of the Internet. Everyone shall have the opportunity to be empowered with the necessary tools to protect her or his own information assets at the desired level. Open source projects, with software and source code publicly available, offer the opportunity to be challenged by anyone (even though critical security issues also occur with open source software).

Trust must be restored. To do this, security should be challenged from a variety of viewpoints in a constructive way, possibly publicly or at least by a community with a strong sense of the founding Internet hacker ethics.

“Without ethical culture, there is no salvation for humanity.” Albert Einstein.

This requires collective intelligence through cooperation, primarily between large companies and governments in charge of our most critical assets: power-grids, transportation systems, business and financial systems, communication networks, and personal data.

In February 2015, President Obama signed an executive order to promote sharing of security data between large organizations and the Federal government. This is a first step towards a cybersecurity policy that aligns with the culture of openness to restore trust and build more effective collective intelligence among the security community.

It remains unclear, however, how a policy promoting data sharing may actually change a deeply ingrained culture of secrecy, since the very process of disclosing information about security incidents may be used for the purposes of spying or surveillance.

Another future policy may include the promotion of bottom-up innovation. Disruptive startups have been the landmark of Internet innovation, and cybersecurity may be disrupted in similar ways. However, because cybersecurity is highly technical and sensitive, entry barriers remain high: designing cutting-edge security products requires significant and specialized expertise.

It comes down to this: better and broader education on cybersecurity is required, which again involves spreading knowledge in a more open way to enable more learning-by-doing, and to enhance collective intelligence through collaboration — just as the first hackers did to begin the computer revolution.
