Tuesday, September 29, 2009

"Where Computer Security Meets National Security"

I read an interesting article by Helen Nissenbaum, on "Where Computer Security Meets National Security" (2005) [pdf, Springer link].

She starts with a good point: "traditional" computer security, developed in the technical community and focused on the protection of a computer (system), is difficult to port into national security terms, where damage to life, economy, morale and reputation is the core worry. She argues that "technical computer security" focuses primarily on ensuring confidentiality, integrity and availability, even though there is a push to extend this to ensuring the overall "trustworthiness" of a computer system (including resilience etc.).

She calls the competing national security conception cyber security (a term that has grown more popular since then). According to her, cyber security is most concerned with three problems:
  • using computer networks "as a medium or staging ground for antisocial, disruptive, or dangerous organizations and communications." In other words, propaganda, phishing and a host of other soft threats;
  • using computer networks to attack the critical societal (information) infrastructure, or the hard threats; and
  • using computer networks against computer networks. I may misunderstand her reasoning, but I think computer networks in the larger sense (Internet infrastructure, SCADA systems, public services on the internet) are also part of the critical information infrastructure, and I would combine the last two categories into one.
I found it interesting that she illustrates how computer security can be used in various moral (protect users from harm) and immoral ways (protect the interests of the company, while limiting the usefulness of the product to the end user).

She then reviews the concept of "securitization" by the Copenhagen School. Essentially, it means that, unlike in the "realist" view, there are more threats than just military aggression and more targets as well (state + religion, economy, environment etc.). Furthermore, securitization is a process of making something into a security issue (especially in the eyes of the public). In her words: "In general, to securitize an activity or state-of affairs is to present it as an urgent, imminent, extensive, and existential threat to a significant collective."
[Note: An interesting concept and something to be studied later.]

The next chapter shows some of the steps by which cyber security has been securitized, including a funny interlude about how the music and film industry is trying to securitize the P2P threat against their obsolete business model. She also covers some examples of cyber space shown as a potential battle space and its asymmetric nature.

Getting to the meat of the issue, she compares the two approaches:
  • Computer security recognizes a broad range of degrees and types of harm, while cyber security assumes that the threats are dire or existential.
  • Computer security focuses on protecting the "individual nodes" (people, computers), while cyber security looks at "collective security."
  • Computer security rests on the moral foundation of protecting from harm, while the moral aspects of cyber security can vary depending on the securitization process.
An important question she brings up is: when is securitization warranted? When is a threat dire enough to become a national security issue that is handled in secrecy, and potentially in ways not common to a democratic state? She argues that there is a lack of reliable data on the size of the threat from the computer security perspective, as research is focused on (potential) vulnerabilities, while reporting of actual incidents is haphazard at best. She also touches on the issue that the same attack can be viewed in many different contexts (criminal, national defence, activism etc.).

She concludes that in the end, the "technical computer security" approach might be better, as it provides security at the user level and thus still allows us to use the net for the core purpose of sharing information and ideas. The highly securitized, state-controlled approach, on the other hand, raises questions about privacy, freedom of speech etc.

To sum up, a very interesting article with much food for thought. I found several interesting insights here and I am sure that more will pop up later. If anything caught your eye, I recommend reading the article in full, as there are many details that I did not cover.
