Friday, November 23, 2018

Navigating Cyber

Back in the mid-1970s, I was an undergraduate studying Cybernetics and Instrument Physics in the Department of Cybernetics at Reading University in the UK. I was attracted to the ideas of feedback and control theory introduced by the MIT mathematician Norbert Wiener in his landmark book, Cybernetics: Or Control and Communication in the Animal and the Machine, which I had devoured in my final year of high school.

Those ideas were eventually subsumed into a variety of specialized fields - missile guidance systems, bionics, artificial intelligence, economics and econometric modeling, ecology, general systems theory and others. Meanwhile, my own journey took me into electronics, personal computing hardware, software, operating systems, software development, networking and eventually, the destination for many of us old jacks-of-all-trades, computer security.

Titles are more a matter of fashion than semantic precision, so in due course, I became an information security consultant - or, for added gravitas, an information assurance consultant. Whatever it was called, it was a long way from my starting point of cybernetics.

And then, suddenly, the circle closed. "Oh, you work in cyber security?", I was asked.

And so several years of teeth grinding began.

The term "cybersecurity" began its rise to popularity thanks to a National Security Presidential Directive issued late in the George W. Bush presidency: NSPD-54 of January 8, 2008. The accompanying memorandum (now declassified) defines "cybersecurity" to mean "prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation".

The prefix "cyber", in this context, seems to relate to the next definition: "cyberspace", which means "the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries".

The term "cyberspace", in turn, was coined by the science fiction author William Gibson in his 1982 short story collection Burning Chrome, but really popularized in his novel Neuromancer. Wiktionary suggests it is a "Blend of cybernetics + space".

So, where does "cybernetics" come from? Although Wiener coined the modern meaning with his 1948 book, its etymology begins with the Ancient Greek κυβερνήτης ("kubernetes"), meaning a steersman, pilot or navigator. The κυβερνήτης was the man holding the steering oar at the rear of a galley (something I know from another course at Reading, The History of the Warship, taught by an eminent materials scientist with a classicist bent, Prof. J. E. Gordon). It was the steersman's job to keep the ship on course, despite the vagaries of wind, tide and currents, maintaining a heading for the next headland.

It is from this root that we get the word governor - originally referring to the centrifugal governor, an arrangement of spinning brass balls which levered a valve open and closed to regulate the speed of a steam engine - perhaps the earliest example of a feedback system applying proportional control.

And of course, the same root gives us the terms govern, government and governance. The latter is important in information security - corporate governance comprises the arrangements for oversight of management, which act to correct things when an enterprise is "off course", and leads in turn to information systems governance and information security governance.

So, in that sense, we're still in the realm of cybernetics.

The change from information security to cyber security has wrought some changes, though. The former term encompasses information in all its forms; it extends beyond computer and network security to cover paper (which is why we have information handling rules for classified documents, cabinets, safes, etc.) as well as tacit knowledge. But "cyber" carries other connotations - it abandons the physical world and replaces it with allusions to robots, androids, Dr. Who and the Cybermen and the online world.

On the other hand, "cyber" also connotes machines and brings us to the world of cyber-physical systems - drones, autonomous vehicles, industrial control systems, power plants, factory and warehouse robots, and even bionic devices such as pacemakers, bionic limbs and implantable cardioverter defibrillators. While risk management for infosec specifies impact on information assets in dollar terms, now we have to think in terms of injuries and life safety.

When people talk about "cyber security", though, what do they actually mean? In my experience, they're really talking about the security of things connected to the Internet, and securing systems against attacks delivered via the Internet. This tends to de-emphasize insider attacks, taking us back to the firewall-centric, M&M model of information security: hard and crunchy on the outside, but soft and gooey on the inside. That view was always problematic - all the more so with the move to deperimeterization and cloud services.

In the end, we still don't have a well-defined term for what we do - "systems security" might be the most appropriate, in my view. But at least you know why, when you talk to me about "cyber" ("cyber all the things!") you are met with a quizzically raised eyebrow.

You keep using that word; it does not mean what you think it means.