Cybersecurity is a Little Bit like a Lot of Other Things

Cybersecurity is a relatively new field. 

From a scientific or engineering point of view, to call the field immature would be kind.

The predominant metaphor within the field until the last year or two has been the concept of the fortress – a fortified, discrete structure composed of sequential defensive perimeters designed to protect the crown jewels (critical data) at the center.

In the picture above, the lines represent one or more security controls (firewalls, ACLs, etc.) while the space between each pair of lines indicates a security zone.  This model is entirely defensive & primarily relies upon the assumption that an attacker must traverse & defeat several tiers of increasingly restrictive security controls in order to compromise critical resources.  This model has the dual advantages of being conceptually simple & operationally practical to implement.[1]  During the early years of the Internet this model was also congruent w/ the physical architecture of most networks — & it worked most of the time.

In the past several years several factors have combined to obsolete this metaphor.  Virtualization (the abstraction of services from unique physical devices) is probably the largest contributor, but multiple interoperable IP radio networks, IPv6, & the quite amazing proliferation of mobile devices have also contributed.

The increasing frequency of successful cyber breaches is probably the best argument we have for revisiting the fortress metaphor.

I’m all for metaphors because they allow us to abstract what we know in one conceptual domain to a different conceptual domain.  In other words, metaphors allow us to take what we know about a model of a particular part of the world & apply that model to a different part of the world. 

The results of this type of exercise can lead to spectacular rewards – consider that almost all of modern genetics is based on the simple metaphor of a ladder, or that in microelectronics the movement of electrons is often described by the metaphor of a fluid moving through a pipe.  DNA is not a ladder, nor do electrons behave like a fluid, but these metaphors have allowed us to make significant theoretical & practical advances in both fields.  Cognitive linguists (the people who think about this stuff more than I do) are both convinced & convincing when they argue that most abstract thought is founded in metaphor.  There is a cycle at work here – metaphor to model to more sophisticated metaphors to more complete models & so on.

Infectious Disease is now the hottest metaphor that people use when discussing cybersecurity.  Nasty software is said to spread like the flu.  Vaccination & hygiene have been proposed as deterrents to these digital diseases.  Organizations have been advised to beef up their digital immune systems.  FS-ISAC has become the CDC of the financial sector.  

The cyber-threat as disease metaphor is better than its predecessor.  For example, it allows us to discuss risk in a new way: when discussing a cyber-incident in the context of this new metaphor, the severity of the incident can be described as being more like a cold than an Ebola infection.  It should be simple & obvious to anyone that the latter is a bigger problem than the former.  The disease metaphor also allows us to create a new model for cyber-defense.

Cybersecurity as disease is a better metaphor, but it is not in any way complete.

Cybersecurity as metaphor is difficult. A large number of these have been proposed – warfare, criminal activity IRL, game theory, market incentives, futures, & externalities, straight-on physical security, etc.

To my mind, cybersecurity is a little bit like a lot of other things & that’s what makes encapsulating it into a single metaphor so difficult.

[1] It’s interesting that this model puts the crown jewels in the center of a bull’s-eye :-/