The Centralization Strikes Back!
One of the reasons for the Internet’s exponential growth was the lack of centralized control, in all its aspects. In the early days of the millennium, both the creators and the users of the “invention” called the Internet were amazed at their achievement. The Internet was called a “dumb network”, and many commentators attributed its growth and adoption to its being a dumb network. One characteristic of the Internet’s architecture was the higher layers’ complete agnosticism toward the lower layers. For example, when we send an email using an email client, the application does not care whether the connection at the end is wired, wireless, cable or microwave, or how the devices below are connected.
After some 25 years of evolution, the Internet is no longer a curiosity. It is a part of our everyday life, directly or indirectly. It now has deep political ramifications, and the events of Tahrir and Taksim Square demonstrate that political power cannot ignore it. Centralized power taking an interest in a decentralized but profoundly powerful apparatus will trigger debate around the magic words “control”, “regulation”, “centralization” and “monitoring”.
Unlike the Internet, the telephone network (a voice-carrying, circuit-switched network: not a dumb network, but one with intelligence at the centre and not at the periphery) was built by Government, and the whole industry started as a state monopoly. From the peripheral devices, no powerful attack could be launched.
Intelligence at the periphery (the freedom of the user to choose ever more powerful devices) and the lack of centralized control combine to give us an unanticipated consequence: a single device, powered by the proper know-how, can inject a small stream of “data with malicious intent” and cripple the whole structure.
Cyber-security in its essence has to fight this architectural legacy.
The players and their conflicting interests
Cyber-security has many players; the notable ones are as follows:
- Technology – manufacturers, integrators and developers
- Government – of all types; we find interest across the whole spectrum, from totalitarian to liberal democracies
- Business – a deal with the Devil, in a sense, as we find businesses scared to death about the security of their data
- Civil Society – this group, with its various shades, has one thing in common: concern about Government control of the medium.
It has its knights and villains too, and all too often the distinction is not as clear as we would prefer. This will remain so. This is not new. In all ages of history, established power has used all means, including semantics, to create an image of those who are really, or are perceived to be, against it.
The Next Evolution – IoT
The legacy mentioned earlier is not addressed well enough. The political undercurrents are subterranean, while business interests are clear and straight: to get as many paying customers as possible for the services released, or to milk the existing users to generate ad revenue.
The Internet of Things, from a business perspective, is about turning more and more aspects of our lives into a “billable component” or into a metric that can be channeled as “ad revenue.” A user was a connected dot in the network, but IoT means that each user will be a network of things. Here again, the sensors and other appendages are vulnerable by design, and no one ever thought that a toothbrush needs to be protected from becoming a weapon that can injure the carotid artery while operated remotely. Hard IoT means a huge investment in security on all the connected devices, and that is not ideal for mass production. It can be assumed that this architecture will follow and mimic the previous architecture.
Conclusion
- Cyber security is not some new disease for which researchers will find a vaccine sooner or later. It is a structural aspect of the way we have been forced by historical forces to live our lives.
- A major architectural overhaul is impossible. Just as history shows empires breaking up and giving birth to city states / principalities, which then combine again to form an empire, cyber security will oscillate between two extremes: centralized security and user-end security.
- Centralized security will have bureaucratic entropy to deal with, and security at the user end will be more feasible to enforce and easier to implement.
- The first and foremost is user awareness, and this is the first and the last step.