The CIA Triad and Thinking in First Principles (Part 3 of 3)
My last post ended up speculating that the root of cybersecurity is related to the concept of uncertainty. The utility of such a claim is near zero, but the philosopher in me finds the notion comforting. If uncertainty is at the core of cybersecurity, then there is no equivalent F = ma that cyber practitioners can manipulate to build empirically, verifiably, wholly secured systems. That’s obviously unfortunate, though probably not surprising.
This reinforces an idea I would imagine most people working in cybersecurity hold true: perfect cybersecurity is likely not empirically achievable, at least not economically (I’m looking at you, Vernam cipher!).
The good news would be that the concept of uncertainty has a basis in statistical physics and information theory, both of which are rooted in probability. So, the best that we should expect is a probabilistic understanding of the security of a system. To wit, while I’m not expecting to find an F = ma solution to cybersecurity, the idea of probability being central to cybersecurity does open the door to perhaps finding an H(X) = –∑p(x) ∗ log(p(x))-related solution with the relative security of a system quantifiable to some probabilistic distribution. I’m not certain how comforting that is to others, but for me, it’s at least a start.
Above, I reference entropy: H(X) = –∑p(x) ∗ log(p(x)) [1]. It turns out that historical and contemporary theory and philosophy of information have a lot to say about information’s relation to statistical mechanics and thermodynamics [2], [3]. Several years ago, when I first started this journey to understand the foundations of cybersecurity, I dismissed the idea that cybersecurity may have a fundamental basis in physics. Today, I’m not so sure. Right now, my standing hypothesis is that cybersecurity stems from uncertainty. If this is so, we have tools from physics and information theory that we can use to gain insight into our systems and how best to protect them.
We are working on this right now, and this forum will be one of the conduits we use to share what we find. Right now, we are exploring the idea that security is generally related to the protection of value/meaning [4], [5]. However, in information theory, the concept of “meaning” is considered irrelevant [1]. Trying to reconcile these two statements leads me to ask, “If modern technology was developed consistent with a theory that meaning is irrelevant, yet meaning is precisely what we are trying to protect, might this help to explain why cybersecurity is so challenging?” In the meantime, even though we don’t have all the answers, that doesn’t mean that we shouldn’t defend ourselves and secure our systems as best we can with the tools we have.
Contributor
Nicholas Seeley
Senior Vice President of Engineering Services, Engineering Services
nicholas_seeley@selinc.com
[1] C. Shannon and W. Weaver, “The Mathematical Theory of Communication,” p. 131.
[2] M. Tribus and E. C. McIrvine, “Energy and information,” Scientific American, vol. 225, no. 3, pp. 179–190, 1971.
[3] P. Janich, What is information?, vol. 55. U of Minnesota Press, 2018.
[4] D. A. Baldwin, “The Concept of Security,” Review of International Studies, vol. 23, no. 1, pp. 5–26, 1997.
[5] A. Wolfers, “‘National security’ as an ambiguous symbol,” Political science quarterly, vol. 67, no. 4, pp. 481–502, 1952.