Dan Geer: In cybersecurity, expectations drive reality

The worst laws are those that are unenforceable, so what would we hope our lawmakers say about data collecting and sharing technologies that are not yet critical but soon will be?

Kathy Willens/AP

November 19, 2015

Now that we need cybersecurity protections to the degree that we do, to whom does the responsibility devolve? The worst laws are those that are unenforceable, so what would we hope our lawmakers say about technologies that are not yet critical but soon will be?

Do we forbid becoming critically dependent on them when it is not their design but rather the sheer magnitude of their adoption that is what makes them critically essential?

If a sharing economy is to be preferred, then are owners' privileges due to wax while renters' wane, or the other way around? Is the pool of shareable things in a sharing economy akin to the capital in the banking system – something to regulate lest a demand surge cause a run on available liquid assets?

Why you have the right to obscurity

Once an expectation of constant contactability congeals, a coordination mindset eclipses a planning mindset; "I'll shoot you a text when I get there," rather than, "I will be there at five minutes 'til two."

If you act on your expectation that information should be free, then someone still pays, just not you and hence you are not the customer, you are the product. In due course, ever more personalized advertising supporting ever richer free information means a small-s surveillance structure to power that very personalization.

Years of political capital have gone to making insurance, which is to say risk pooling, mandatory and yet to forbid insurers to make risk-informed pricing (the entire premise of Obamacare, gender-neutral life insurance, assigned risk pools holding miserable drivers, etc.).

The Internet of Things is running a 35 percent compound annual growth rate, meaning that in due course, its parts, each and severally, can only morph into critical infrastructures. Their selling proposition is either an expectation of mental leisure, "You don't have to worry about XYZ any more," or else an expectation of insight, "How many calories did I burn in that last game of tennis?" In short order, you won't be able to get along without them.

We are in a sea change of expectation with respect to what cybersecurity is and is for. The pervasive, eager willingness to collect and share information, to deploy sensors, to delegate management of daily life, to entrust health to the prerogatives of algorithms is both cause and effect of information ever more digitally available. 

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

Heretofore, the great triad of cybersecurity goals was confidentiality, integrity, and availability. The great power of data fusion applied to that growing cataract of shared data means that confidentiality and the gate keeping of data access supporting it can no longer be the pinnacle goal of cybersecurity, perhaps not even a goal at all. 

If we are to have all-electronic health records and regular monitoring by everything from our toilet to the breathalyzer in our car – all the while the majority of medicines transition to being genomically personalized – we had better be sure that it is data integrity that is paramount.

That triad of confidentiality, integrity, and availability may now contract to integrity and availability and do so because that contraction is the logical outcome of our expectations.

In so many words, First World democracy is less choosing who gets what title but rather what guarantees we want applied after the fact to things we adopted out of their irresistibility. An expectation of riskless life is the hallmark of adolescence. Perhaps all I am saying is that cyberspace is solidly adolescent – too young to take over but too big to ignore.

Yet in the end, reality always wins and wishful thinking always loses. That eventuality may not be instant, just as John Maynard Keynes put it when he said, "The market can remain irrational longer than you can remain solvent," but on the relentlessly accelerating time scale of data accumulation, I don't think there is a long wait in store.

My bet is that data protection soon means some mandate ostensibly guaranteeing that data are untampered with plus, where required, that data can been assuredly deleted. The more we depend on data, the less we can keep it in a locked box but the more we will rely on it being correct.

Dan Geer is the chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader US intelligence community.