Phil Quade - The Digital Big Bang

For example, the maps of the world from 750 years ago had elaborate drawings of mid-ocean whirlpools and sea monsters—here be dragons—mid-continent mountain ranges, and other physical phenomena. Faulty thinking, and the desire to warn of the dangers of sea exploration, led mapmakers to fill in what they did not know.

In contrast, the maps of the Scientific Age were drawn with large blank areas, showing where we had no data. It was not until we admitted that we in fact had very little idea what was beyond the horizon, or mid-ocean or continent, that we began exploring those areas and filling in the missing pieces that led to a much better understanding of our world.

The pull of curiosity about basic principles reduced the fear of the unknown and prompted the physical world's golden age of scientific education.

Now we must make the same leap in cybersecurity. We need to stop quaking at the cyber threats—real and imagined—and get down to the business of defining how to navigate and master those threats.

A masterpiece of international collaboration, the Internet has its roots in the desire to share computing and information resources and the US Department of Defense's goal of establishing connectivity via computers in the event of a nuclear attack that destroyed telephone systems.

On October 29, 1969, the first message was sent over what would eventually become the Internet. Meant to be the word “login,” the letters “L” and “O” were sent from researchers at UCLA to a team at Stanford. Then the system crashed. (We'll pause while you chuckle about that first crash.)

When it was constructed and deployed, the Internet served as a communication platform for a tightly restricted group of specific users.

With the advent of packet switching—the division of information into smaller blocks to be transmitted and then reassembled, pioneered as a Cold War strategy—that communication became a viable, though intensely limited, reality.

Internet pioneers got speed and connectivity right—the digital big bang's equivalent of matter and energy. Their goal was a secure, distributed widespread computer communication system, and they achieved that goal.

Because the digital transmission of information was so restricted in both users and data, the use of ARPAnet was governed by a shared sense of trust that was informed and enforced by security clearances, professional accountability, and total lack of anonymity.

With this assumption of trust, things went off-kilter. That assumption thwarted the parallel development of security, particularly trustworthy authentication, that could have supported the speed and connectivity that would make the Internet transformational.

With the passage in 1992 of the Scientific and Advanced-Technology Act, research and academic institutions started using this early Internet. Security shortfalls were generally understood, but the circle of institutions that had access remained small and tight-knit. It wasn't until 1993, and the release of the first web browser that Internet access became mainstream. At that point, both the Internet and its security, or lack of security, achieved greater significance.

The assumption of trust that was still deep within the DNA of the Internet became a huge problem the moment the public could go online. On an increasingly vast and anonymous network, that trust soon transformed from guiding philosophy to greatest weakness. As more people arrived, the Internet quickly became a newly discovered continent of naïve users, systems, and networks to be exploited and hacked for digital fraud, grift, or simply to prove it could be done.

Since those first hacks, the field of cybersecurity has struggled to catch up and compensate. Mitigating the weakness—the wrongful assumption of trust and the lack of strong authentication—while still balancing the essential benefits and fundamentals of speed and connectivity, remains an enduring challenge of cybersecurity today.

For all the stunning power of its speed and the vastness of its data, the Internet is shockingly fragile and fallible. We're propping it up, sometimes with ridiculously complex schemas and other times with little more than digital Popsicle sticks and Elmer's glue and, for high-end applications, duct tape.

The Internet is fast, anonymous, powerful, and profitable—all factors that have accelerated its use and deployment—while at the same time prone to malicious exploitation, with terrible potential for criminality and sabotage. The continuing series of breaches of organizations of all levels of sophistication shows what a huge problem we have.

Perhaps what is most amazing (or at least ironic) about cybercrime is how this masterpiece of technological collaboration and human connection is so often exploited to gratify human impulses. Distributed denial-of-service (DDoS) attacks, phishing emails, and ever-evolving scams manipulate recipients for the purpose of mass theft and extortion. From data corruption to identity theft, malware to man-in-the-middle attacks, the crimes that cybersecurity must mitigate and prevent run a gamut that only seems to get broader. Attacks are not only launched by criminals but also by rogue nation-states. Over time, these attacks become more destructive and less difficult to perpetrate.

The widening breadth of cybercrime is a direct reflection of our expanding global attack surface—and the increasing commodification of threat. The digital criminal barrier for entry that individuals and organizations alike must defend against is lower than ever. Today, it can be as easy to purchase a cyberattack as it is to buy a cup of coffee, and often even cheaper. We must defend ourselves from near constant silent digital attacks on the fabric of our societies, all roiling beneath the surface of an increasingly interconnected world.

Today, there is little difference between cybersecurity and national, even global, security. As we have seen time and again in reported malicious cyber activity—often in chilling reports of narrowly averted attacks—we can be reached at the most foundational levels by nearly anyone, from anywhere.

With so much at stake, it's time to borrow a page from the Scientific Revolution:

We need to stop expecting our network operators to continuously run ahead of ever more sophisticated attacks. You can't outrun the speed of light.

We can achieve better cybersecurity by thinking like physicists and chemists, by postulating and outlining the theorems and proofs necessary to master the cyberspace domain. As critical as these fundamentals are, though, they can easily be overlooked or forgotten by a digital culture that looks myopically to the near future, placing short-term gains ahead of long-term stability and sustainability. Cybersecurity is a marathon—not a sprint.

As our connectivity expands and deepens, the strength and intractability of these fundamentals only becomes more apparent. And more necessary.