Phil Quade - The Digital Big Bang

Finally, the richness of communications steadily increased to the point that a given communication began to represent more than a simple reflection of thoughts or values held outside the domain. The communication, in transit or stored, began to be valuable in its own right, often as a unique representation of thoughts, wealth, and treasure. Financial transfers, cash accounts, corporate secrets, and pictures are now all stored, often with no backup in the physical world , in cyberspace. Gone are the days when colored rectangles of paper, printed stock certificates, and passbooks served as the primary means to represent financial assets (it is likely that the term passbook , in wide use throughout the 1970s, is completely unknown to those born thereafter). Passbooks have been replaced by ones and zeros that are stored, traded, earned, and lost in cyberspace alone.

The control logic layer represents the logic embedded in the billions of devices, computers, and other smart components comprising the physical infrastructure of cyberspace. While the spread and ubiquitous presence of this logic make it impossible to literally observe a physical manifestation of this layer, its effect is no less real and is, more importantly, essential to an understanding of the behaviors of cyberspace's fundamental properties. Indeed, the extraordinary efficiency of cyberspace in routing, storing, correlating, and rerouting increasingly massive and complex flows of information is almost wholly dependent on the delegation of these tasks to the logic embedded in this layer.

This is the layer that makes it possible for computers to interact with one another without human interaction as they make the myriad choices needed to sustain coherent and orderly interactions among billions of human and machine users interconnected through cyberspace. The result gives rise to what is increasingly referred to as the Internet of Things, or IoT: Machines interacting with other machines, all programmed to anticipate and exceed the expectations of people who have little direct involvement with, or even understanding of, the technological complexities involved.

The device layer completes the model. This is perhaps the most visible component of cyberspace, since devices connect users to the services available within and from cyberspace. They include personal computing devices, smartphones, desktops, tablets, and navigation units—an ever increasing and diverse mix of hardware, software, and ubiquitous apps. Their role is to capture, present, and manipulate information according to the user's preferences and the designer's specifications. Importantly, the latter of these two influences is not always evident, as these devices capture and transmit information far beyond the communications themselves in order to better enable the routing, storage, and recovery of the data entrusted to them by their owners (for instance, the so-called metadata, which includes routing information and other attributes such as geolocation, the specifications of operating and system software being employed, and so forth).

And as these devices become increasingly mobile (keeping the people who employ them connected to cyberspace and its panoply of services, regardless of the location of either the device or the user), the once straightforward task of associating a device with a person or a location has become a much more complicated affair. Attendant changes in the underlying economic model of how service providers charge for their wares have enabled even greater user and device agility by replacing per-call and location-based charges with flat-rate plans that simply charge users for access to global communications services anywhere in the world. Legal regimes that determine privacy rules or the status of property rights based on the physical location of a device now have to sort out the complex reconciliation of the data, device, and person, which may be actively and richly associated with one another, despite their being physically located in three (or more) disparate locations. Coupled with the reality of one person employing multiple devices, often concurrently, the actions associated with a single individual may be manifested in cyberspace as a collection of personas operating simultaneously in multiple locations across the planet. The consequence is a legal regime dependent on tenuous mapping of the physical to the virtual world, and there is ambiguity about which nation-state's rules should be employed in determining what constitutes reasonable behaviors and acceptable consequences for exceeding them.

As imperfect as any static representation of cyberspace might be, the model is now complete. The components of the model have been layered in a manner that presents the whole of cyberspace as if captured in a still photograph. But although it is useful to consider any particular layer in isolation in understanding the building blocks of cyberspace, its operations can only be understood by analyzing the interaction of and between the layers as users and processes leverage cyberspace to achieve their end purposes. To wit, whereas it is easy to perceive that cyberspace enables one user to communicate directly with another (an activity that may be perceived to take place horizontally across the people layer of this model), the reality is that users interact with their devices. Those devices connect to one another using communication pathways heavily influenced by controlling logic and so forth, thus effecting a flow of data and actions that is more vertical than it is horizontal—up and down the layered stack. And although it is tempting to consider cyberspace as being principally comprised of the technology components of the stack (the middle three layers), the whole can only be understood by considering these layers and their intimate relationship with the outer two layers: People and geography.

Insofar as a hinge makes little sense in the absence of both the door and the wall, so it is with cyberspace and its intimate weave of people, technology, and geography. It is also impossible to exaggerate the dynamic and roiling nature of these vertical connections as communications, transactions, modifications, and additions surge up and down, to and from, across the length and breadth of cyberspace. The result is very much like a living organism, varying in character and scope from moment to moment, defying all attempts to statically define its character or its properties. This latter point has significant implications for security insofar as the constant creation and lapse of connections combines with the inexorable transformation of software, hardware, and user behaviors to make the task of defending cyberspace quite literally the defense of a moving target. And so it is that the metaphor of a video constitutes a truer character of the result than does a still photograph. Put another way, the dynamic and ever-changing interactions between the layers must be considered to understand and, more importantly, predict the true nature of cyberspace in action.

When considered as a whole, the model offers a means to understand properties that derive from the interaction of the constituent pieces. Four key attributes come immediately to the fore:

As tempting as it is to think of cyberspace as technology alone, it is impossible to understand, predict, or meaningfully influence its operations without considering the impact of people, geography, and the policies and practices that attend to them.

Cyberspace is characterized by a massive convergence of people, technology, and data on an exponential scale. The model would suggest that this convergence occurs on any given layer and between all the layers. More importantly, when you connect to cyberspace, it may be understood that the whole of it connects to you. Security professionals strive to reduce or mitigate unwanted connections, but the drive to connect is an unstoppable force within cyberspace. This leads to the increasing use of the term IoT to describe a seemingly inexorable trend to connect everything to everything—refrigerators, cars, power plants, and more—all connected to, in and through cyberspace. As a result, system designer and user choices about whether and how to connect must be driven by an up-front consideration of the implications of convergence versus an approach that says “I'll solve that problem when I get to it” (users get that problem when they connect to it). Furthermore, as previously noted, convergence and geography do not easily mix in a world that applies distinct and different rules based on physical location. Cyberspace will require both collaboration and normalization across these boundaries, though clarity on the part of those wielding jurisdiction based on geography regarding locally expected behaviors and consequences would be a valuable down payment to reconciliation across locales.