Wednesday, February 16, 2011

Insecure about Security

Bruce Schneier, Chief Security Officer for BT, has got at least one thing right.  In her article this morning previewing the RSA security conference here in San Francisco, Maggie Shiels, Technology Reporter for BBC News cited Schneier’s attack on the use of phrases like “cyber warfare,” dismissing them as “emotive rhetoric” that “does not match the reality.”  This is true as far as it goes, but where does it actually take us?

Like it or not, emotive rhetoric is a fundamental part of human nature.  Where human relations are concerned, it is basically a less violent way of whacking a mule with a two-by-four in order to get its attention;  or, as Warren McCulloch would say, it provides a way to keep others from biting your finger when they should be looking at where you are pointing.  This happens to be a case in which there are a variety of instances of behavior on the Internet that serve as pointers, and it is unclear whether Schneier is bothering to look in the right direction.  Instead, he seems to prefer quibbling over the rhetoric itself, at least if we are to take his words, as quoted by Shiels, seriously:

Stuxnet and the Google infiltration are not cyber war - who died?

We know what war looks like and it involves tanks and bombs.

These are the sorts of words I used to hear in those never-ending bull sessions that took place among undergraduates at MIT, back when I was one of them.  They come from immature minds that never heard of Carl von Clausewitz, let alone thought of reading him when there were much cooler things to do in the laboratory (say I, pleading guilty on all counts).

Yet the Internet is now experiencing phenomena that amount to standing Clausewitz’ most famous aphorism on its head.  Where once war was diplomacy by other means, the flourishing of malware has opened up a world of “war by other means.”  The question is no longer one of what war is but of the more fundamental exercise of domination and the motives behind such exercise.

RSA may have begun as a cryptography conference, but the underlying theme has always been security.  Since I do not attend this conference, I am not sure how often the conferees revisit the implied question, “Security against what?”  However, I suspect that there is some agreement that, at its basic level, we all worry about secure protection from sociopathic behavior, whether it involves destruction of data or physical harm (or threat) to life or property.  Tanks and bombs are the physical instruments of such sociopathic behavior;  but on the Internet that behavior manifests itself “by other means.”  I would have thought that anyone in today’s telecommunications business would have recognized that this is where the real problem lies, but I keep forgetting that specialists rarely seem to look at fingers pointing beyond the horizons of their respective specialties.

No comments: