“The physicality of data and the path to cybersecurity” was originally published from Forbes, July 28, 2021 David Krueger is the co-founder and vice president of Absio Corporation’s strategy and co-inventor of Absio’s software-defined distributed key cryptography (SDKC).
This article is the second in a series on the physicality of data. The first part is here.
Over the past 25 years, cybersecurity failures have risen sharply in number and severity.
The purpose of any cyberattack is the data – ie. digitized information that is created, processed, stored and disseminated by computers. Cyberattackers seek to steal, damage, obstruct or destroy data. Users, software, hardware and networks are not the goal; they are vectors (paths) to the goal. For data protection, the current strategy, “protection in depth”Seeks to exclude every possible vector to the data by erecting multi-layered protections. The bad news: It’s mathematically impossible.
Let’s do an easy text task; you won’t even need a calculator.
1. Count the vulnerabilities: Add any type of user (human or computer), hardware, software, and network that currently has an exploitable vulnerability.
2. Count the vectors: Add the total number of users, networks, and instances of software and hardware that contain the vulnerabilities listed above.
Multiply the vulnerabilities by vectors to get “complete cyberattack potential. ”
Now, let’s understand “total cyberProtection potential ”:
1. Add any currently available protections, including technological protections and human protections, such as cybersecurity training and education.
2. Remove undeveloped protections, either due to 1. insufficient staff for cybersecurity, money and time, 2. the fact that it does not yet exist due to the delay between the detection of vulnerabilities and the development of defense and 3. the fact that vulnerabilities are known by cyber attackers, but unknown to cyber defenders.
3. Remove the raised defenses that 1. cyber attackers can defeat and 2. are incorrectly implemented.
Which is greater, total potential for cyber attack or total potential for cyber defense? The potential for cyber attack is always greater than the potential for cyber defense.
Deep protection cannot close every vector every time, not only because possible attacks always outweigh possible defenses, but also because cyber warfare is extremely asymmetric. If a cyber defender scores 1,000,000 and a cyber attacker scores 1, the cyberattack wins.
So why is deep protection recommended if it can’t work? Because this is the only possible strategy if the data is inherently insecure. Cyberattackers need to stay away from data.
The software produces data objects in accordance with the design. Data is inherently insecure because software does it. (To find out why software vendors no longer make self-protecting, self-targeting data, see the first article from this series.)
Production. We don’t think of computers as miniature manufacturing plants, but they are. They receive raw information in the form of language (human or machine), sound and images and convert it into physical data objects consisting of models of ones and zeros that are applied to “quantum small” physical substrates: microscopic transistors, electrical pulses, light, radio waves, magnetized particles or CD / DVD pits.
The data object is like other types of man-made, mass-produced physical objects – certain physical properties allow production systems to build data objects according to design, creating objects that can be “processed” – that is, combined with other objects, stored, reused, modified, copied, shipped or discarded.
Design. The information was first digitized in the early 1950s. The software controlling the production and processing of data objects was primitive, so the first data objects had to be simple. The objects had only two components: digitized information (data) and metadata (data data) – name and physical address, so that the objects could be found later. Anyone with access to the software can find, reuse, modify, delete or copy data objects without restriction. Because the data objects were shared by saving a copy to another destination, each copy was unrestricted for reuse – and that’s the problem.
Most data objects today use the same almost 70-year-old design: ordinary data / metadata objects, which are inherently vulnerable because they do not have the built-in capacity to protect themselves or direct their own use.
If the software controls the design and production of data objects, can it produce self-protecting, self-targeting data? Of course you can. The design and production of physical data objects are controlled by the software vendor. So how is data protected and directed?
Self-defense. Data objects are protected by encryption, which makes them unusable if captured by cyber attackers. Unfortunately, little existing or newly produced data is encrypted. When it is, it is usually only partially applied. Most encryption only applies to copies of data placed in third-party encryption enclaves, which means potentially n the number of copies outside the enclave remains defenseless – and cyberattacks know exactly where to look. The only way to achieve full coverage encryption is to apply it by default. The software that creates the data encrypts data objects at creation, and the software stores and transports the data encrypted.
Self-targeting. Cybersecurity fails when cyber attackers gain control of the data used in violation of a predetermined set of rules. General cybersecurity rules and usage policies include restrictions on who, on what hardware, where geographically, when, for how long, and for what purposes the data may be used. The data is made self-directed by software, closely linking the decryption rules and the rules for using decrypted data to the data itself, so the rules go wherever the data goes.
Designing self-protecting, self-targeting data involves compromise: credentials have been stolen, the network has been hacked, malware has been installed and negligent / malicious insiders are working. Why? Because, as we have seen, it is impossible for deep protection to close every vector, every time.
So what is the path to cybersecurity? It begins with the recognition that the production of inherently vulnerable data triggers a cyber attack. By their very nature, vulnerable data is the cause; cyberattack is its logical effect. If cyberattackers can only get unusable data, they don’t have much reason to attack.
The movement is accelerating as business leaders, government leaders, and individuals constantly ask themselves and their software markers a simple question: “Why do I use software that unnecessarily puts my organization’s (or my customers’) data at risk?”
New and existing applications can automatically encrypt data and add usage rules to it – and they should. So, keep asking the question until the software vendors answer, “Your data is not at risk; we have made it self-defending and self-directed ”- and we will get to where we want the road to cybersecurity to take us.
You may also want to read: The physicality of the data and the path to Possession of personal data. When data was first digitized in the 1950s, no controls were built in to protect it from unauthorized use or misuse. The confusion between the information in our minds and the physical data stored on computers hinders efforts to control how our data is used.