The Digital Big Bang. Phil Quade
Читать онлайн книгу.
information far beyond the communications themselves in order to better enable the routing, storage, and recovery of the data entrusted to them by their owners (for instance, the so-called metadata, which includes routing information and other attributes such as geolocation, the specifications of operating and system software being employed, and so forth).
And as these devices become increasingly mobile (keeping the people who employ them connected to cyberspace and its panoply of services, regardless of the location of either the device or the user), the once straightforward task of associating a device with a person or a location has become a much more complicated affair. Attendant changes in the underlying economic model of how service providers charge for their wares have enabled even greater user and device agility by replacing per-call and location-based charges with flat-rate plans that simply charge users for access to global communications services anywhere in the world. Legal regimes that determine privacy rules or the status of property rights based on the physical location of a device now have to sort out the complex reconciliation of the data, device, and person, which may be actively and richly associated with one another, despite their being physically located in three (or more) disparate locations. Coupled with the reality of one person employing multiple devices, often concurrently, the actions associated with a single individual may be manifested in cyberspace as a collection of personas operating simultaneously in multiple locations across the planet. The consequence is a legal regime dependent on tenuous mapping of the physical to the virtual world, and there is ambiguity about which nation-state's rules should be employed in determining what constitutes reasonable behaviors and acceptable consequences for exceeding them.
THE IMPORTANCE OF THE VERTICAL AND THE VIDEO
As imperfect as any static representation of cyberspace might be, the model is now complete. The components of the model have been layered in a manner that presents the whole of cyberspace as if captured in a still photograph. But although it is useful to consider any particular layer in isolation in understanding the building blocks of cyberspace, its operations can only be understood by analyzing the interaction of and between the layers as users and processes leverage cyberspace to achieve their end purposes. To wit, whereas it is easy to perceive that cyberspace enables one user to communicate directly with another (an activity that may be perceived to take place horizontally across the people layer of this model), the reality is that users interact with their devices. Those devices connect to one another using communication pathways heavily influenced by controlling logic and so forth, thus effecting a flow of data and actions that is more vertical than it is horizontal—up and down the layered stack. And although it is tempting to consider cyberspace as being principally comprised of the technology components of the stack (the middle three layers), the whole can only be understood by considering these layers and their intimate relationship with the outer two layers: People and geography.
Insofar as a hinge makes little sense in the absence of both the door and the wall, so it is with cyberspace and its intimate weave of people, technology, and geography. It is also impossible to exaggerate the dynamic and roiling nature of these vertical connections as communications, transactions, modifications, and additions surge up and down, to and from, across the length and breadth of cyberspace. The result is very much like a living organism, varying in character and scope from moment to moment, defying all attempts to statically define its character or its properties. This latter point has significant implications for security insofar as the constant creation and lapse of connections combines with the inexorable transformation of software, hardware, and user behaviors to make the task of defending cyberspace quite literally the defense of a moving target. And so it is that the metaphor of a video constitutes a truer character of the result than does a still photograph. Put another way, the dynamic and ever-changing interactions between the layers must be considered to understand and, more importantly, predict the true nature of cyberspace in action.
IMPLICATIONS
When considered as a whole, the model offers a means to understand properties that derive from the interaction of the constituent pieces. Four key attributes come immediately to the fore:
More than Technology
As tempting as it is to think of cyberspace as technology alone, it is impossible to understand, predict, or meaningfully influence its operations without considering the impact of people, geography, and the policies and practices that attend to them.
Characterized by Convergence
Cyberspace is characterized by a massive convergence of people, technology, and data on an exponential scale. The model would suggest that this convergence occurs on any given layer and between all the layers. More importantly, when you connect to cyberspace, it may be understood that the whole of it connects to you. Security professionals strive to reduce or mitigate unwanted connections, but the drive to connect is an unstoppable force within cyberspace. This leads to the increasing use of the term IoT to describe a seemingly inexorable trend to connect everything to everything—refrigerators, cars, power plants, and more—all connected to, in and through cyberspace. As a result, system designer and user choices about whether and how to connect must be driven by an up-front consideration of the implications of convergence versus an approach that says “I'll solve that problem when I get to it” (users get that problem when they connect to it). Furthermore, as previously noted, convergence and geography do not easily mix in a world that applies distinct and different rules based on physical location. Cyberspace will require both collaboration and normalization across these boundaries, though clarity on the part of those wielding jurisdiction based on geography regarding locally expected behaviors and consequences would be a valuable down payment to reconciliation across locales.
Wealth, Treasure, and More
Cyberspace quite literally contains—more than simply referencing or coordinating the management of—wealth and treasure. And given the enormous efficiencies offered in synchronizing the aspirations and actions of both people and systems, cyberspace is increasingly used to coordinate and carry out essential functions of critical systems, from electrical power generation to financial markets to diplomacy, collaboration, and even the conduct of war. As noted by Dr. Mark Hagerott of the United States Naval Academy's Cyber Center, a transformation in human affairs is taking place in which sensing, thinking, and acting, even in physical space, are increasingly delegated to the web of hardware and software serving human endeavors across the length and breadth of cyberspace. Humans' natural desire to impose rational controls on the result will succeed only if we move beyond creating rules about technology to crafting broader rules of governance for the interaction of people, technology, and systems (taking into consideration rules and policies rooted in geography).
Ever Changing, Never Secure
The impressive performance of technology in massively improving processing power, bandwidth, and user experience across the past 50 years of the silicon revolution is widely understood as an iconic representation of the times (sometimes referenced as Moore's law for hardware, but there have also been exponential improvements in software, visualization, and the collaboration that collectively aids in pushing cyberspace capacity to new heights). Less well appreciated is the fact that changes in features, capabilities, and behaviors are driven as much or more from the bottom up as from the top down by a virtual army of entrepreneurs. The result of this and unsynchronized changes in user behaviors and software (which often lag behind or precede changes in hardware) make it almost impossible to define and impose a comprehensive and enduring description of how things behave, let alone work, in cyberspace. This can rightly be considered a feature for those who await the next marvel from their favorite technology providers, but this same attribute makes the prospect of defending the wealth and treasure held within cyberspace, and the critical systems and processes dependent on the resilience and integrity of cyberspace, a virtual tail chase. Every change to technology, software, or user behavior portends a possible tear in the fabric of security overlaying the whole. The reality of this inexorable and unsynchronized change offers a fundamental choice as to whether