1. Security in Cyberspace

What does it mean to be secure in cyberspace? To begin to understand the idea of cybersecurity, it’s worth reflecting on the fundamental elements of security in the physical world. Doing so will reveal how several important aspects of physical security are lost in cyberspace. While cryptography alone cannot replace them, the essential role of cryptography is to provide tools from which security can be constructed in cyberspace.

A Typical Day

You get up in the morning and find a bill in the mailbox from your energy supplier, which you promptly arrange to pay. You’re not feeling well (especially after paying the bill), so after breakfast you go out, lock the door behind you, and catch a scheduled bus into town. At the local pharmacy you discuss your symptoms with a pharmacist, who recommends some medication. You pay cash and return home. By the afternoon, you’re on the road to recovery.

That’s just a snapshot of one part of a normal day in the physical world we live in. This world consists of tangible objects and physical interactions, many of which require us to be in specific geographical locations. Let’s begin by considering how secure this world is. In other words, how well protected is this world from threats that could cause us harm?

For those of us fortunate enough to live in relative peace and prosperity, most days in the physical world are quite uneventful in terms of “bad things” happening directly to us. We hear about alarming incidents every day in the media, but most of these are exceptional, which is what makes them “news.” Since we seem to do a good job of staying secure in the physical world, it’s worth identifying some of the features of this physical world that provide protection.

Let’s consider what bad things could have happened during your typical day. Although engaging in this exercise may require worst-case thinking bordering on the paranoid, it is precisely through contemplation of what might go wrong that security processes are established. Hopefully, after doing so, you’ll still be willing to get out of bed in the morning!

An Atypical Day

You get up in the morning and find a bill in the mailbox, which appears to be from your energy supplier but is, in fact, from a fraudster who is attempting to trick you into sending money, which you promptly do. You’re not feeling well (you’d be feeling much worse if you knew what you had just done), so after breakfast you go out, locking the door behind you. As soon as you’re gone, a burglar picks the lock and breaks into your home. Meanwhile, you catch a bus into town. Unfortunately, you discover, the bus has been hijacked. By some miracle, you manage to escape from the bus in town. At the local pharmacy you discuss your symptoms with someone in a white coat who resembles a pharmacist but is, in reality, a psychopath on the run, who prescribes some poison. The fake pharmacist later relates your medical problem to the town gossip, and within hours the whole town knows you are unwell. You pay cash but, to add insult to injury, your change contains a fake coin and a forged banknote. You return to your freshly burgled home with your toxic medicine. The end.

This is an utterly ridiculous story. Interestingly, however, each paranoid segment of this fable must have at least been contemplated by somebody, sometime, since we have security processes in the physical world that are designed to prevent most of these unfortunate events from happening. The first day is “typical” and the second “atypical” because of three different aspects of security—security mechanisms, security context, and threat likelihood—each of which is worth some consideration.

The Physical Things That Make Us Secure

We use various tools and techniques to establish security, which I will call security mechanisms. Let’s review some of the security mechanisms that might have been used during your typical day.

Mailboxes come in a variety of forms. Some mailboxes simply provide protection against the weather, while others feature a physical lock that requires a key to open. Some homes have letter boxes (mail slots) on the front door, rather than mailboxes. Letters delivered through such a slot are protected from external threats by the physical lock on the front door itself, although not against internal threats (such as the family dog).

Your mailbox contained a letter, which arrived in an envelope. An envelope offers a degree of physical protection to the contents from threats such as rough handling during the delivery journey. An envelope also protects the contents from being seen by anyone other than the intended recipient. This protection is relatively weak, since envelopes are flimsy and easily opened. However, perhaps the most significant security provided by an envelope is that anyone opening it during its journey normally needs to break a seal. Unless this is done with great care, the recipient will notice the intrusion.

The letter you received allegedly came from a large organization. The familiar logo of this organization was emblazoned on the envelope and its contents. The letter had a familiar look and feel in terms of general layout, fonts, and use of language. All of these features are, to varying degrees, security mechanisms.

Your front door had a physical lock. Although some modern homes have electronic access control systems, most door locks are still mechanical. While some locks require the insertion of a key, others activate as soon as the door is shut. You will later see, from a cryptographic perspective, that the difference between these two types of locks caused a revolution.

The bus you rode was a familiar-looking vehicle, sporting expected company branding and route number. The driver displayed a badge, including a name and photograph alongside an official logo. The driver possibly wore a company uniform and possessed the key to the bus.

The pharmacist also displayed an official name badge. Or, more likely, you recognized the pharmacist because you had been to the pharmacy before. Both the pharmacist’s face and voice are security mechanisms. The conversation with the pharmacist took place aside from other customers, with quiet voices used to prevent others overhearing. The medicine the pharmacist prescribed was in a sealed container. The packaging was branded, had an informative label, and perhaps bore a stamp from the pharmacy itself.

Finally, there was the cash. Coins have lettering and other embossing to make them hard to counterfeit. Banknotes feature many different security mechanisms designed to make them difficult to forge, including watermarks and holograms. More fundamentally, the look and feel of cash are perhaps the security mechanism most readily verified.[1]

The physical world is full of security mechanisms, and each one is designed to counter a variety of specific threats that could imperil the objects they are designed to protect.

The Importance of Security Context

Perhaps more subtle is the importance of security context in the physical world. By this, I mean the setting in which events take place, and against which we interpret and make sense of their security. Context is something we tend not to focus our minds on, yet it plays an important background role in our assessment of security in the physical world. Once you start to focus on context, you will notice how informative it is.

Returning to your typical day, the letter in the mailbox was from an organization you expected to receive payment notices from. Indeed, it was from an organization that regularly sends you such requests, at relatively predictable times. Had the energy bill arrived one week after you paid the previous bill, you might have been suspicious. The size of the requested payment is also informative, since it can be interpreted within the wider context of your typical energy use. The precise value might well have caused surprise, but it most likely fell within an expected range.

The bus runs on an advertised timetable, so when an apparently normal bus arrived at approximately the correct time, there was no reason to doubt it was a genuine bus. Had the bus been extremely late, had it been driven erratically, or had the driver looked lost, you would probably have had some concerns.

Behind the pharmacy counter was someone who not only looked like a pharmacist but, more importantly, behaved like a pharmacist. They reacted to your conversation professionally and discussed your medication in a knowledgeable way. You would surely have become concerned if the pharmacist had smirked during your conversation or seemed confused while preparing your medication.[2]

Even cash involves some context. If you had tried to pay for your medication with a note of much higher denomination than the cost of the medicine, the pharmacist might have hesitated and checked the validity of the cash you were offering.

In the physical world, security context is really important. We are often advised: “If you see anything suspicious, please report it to a member of the staff.” What this really means is: “If you see anything out of context, please raise the alarm.”

What Are the Odds?

We also assess security by forming an opinion of how likely it is that a perceived danger could materialize. The likelihood of an unpleasant event occurring is not normally possible to calculate in any precise way, but during our lives we develop a gut feeling as to how realistic many threats are.[3]

Our instincts suggest the atypical day is absurd. Why?

Do fraudsters exist who attempt to cheat you for financial gain? Yes, they absolutely do, and there are plenty of them around.[4] They have many potential targets, however, so the chance of your being singled out is relatively low. Would they deploy a fake energy bill as a means of conducting fraud? To do so, they would need to produce a letter that looked like a genuine payment notice. They would also have to overcome the context concerns raised previously, about the scheduling and amount of the deceptive bill. Such a fraud would take effort and would need to be highly personalized. These requirements don’t make the fraud impossible, but there are many easier scams with greater chances of criminal success.

Similarly, while burglary is always a risk, on most days a specific house, even one in a less-than-desirable neighborhood, is not broken into. Buses are rarely hijacked, and pharmacists are not normally serial killers. These bad things could happen, but we know, largely through our inherent understanding of the physical world, that they probably won’t.

The Security of the Physical World

Your atypical day in the physical world is a nightmarish fantasy consisting of a series of improbable events, which a combination of security mechanisms and security context render even more unlikely. Three features of the physical world contribute to this unlikelihood.

The first is, literally, the materiality of the physical world. Most of the previously described security mechanisms rely on the use of core physical senses. The letter in the post looked correct, you recognized the pharmacist, the cash felt right, and so on. We use these senses in all aspects of our lives and are accustomed to deploying them to help us make security decisions. Indeed, we are born with an understanding of some types of physical threat. For example, research suggests that babies have an innate fear of spiders and snakes.[5] We learn about other threats in the physical world as we grow. Through a combination of nature and nurture, we equip ourselves with an ability to apply our senses to form a notion of security in the physical world.

The second important feature of the physical world is familiarity, since we have considerable experience of living in the physical world. This doesn’t mean we comprehend all aspects of it, but we’re used to making sense of the physical situations we find ourselves in. We may not know exactly how a bus works from a mechanical perspective, but we do understand what a bus looks like, how to catch one, and what it feels like to be on a normal bus ride. Many of the security mechanisms, and some of the security context relied upon during your typical day, relate to familiarity. The letter in the mail looked right because you had seen many such letters before. The bus seemed to be a normal bus, and it showed up at a familiar bus stop at an expected time. In the physical world we tend to feel vulnerable in new situations precisely because they are unfamiliar. We are cautious around strangers. If the payment demand had arrived in a handwritten envelope, with an international stamp, and had requested payment to a foreign bank account, then you would have been highly unlikely to pay it.

Finally, there is the situational aspect of the physical world. People and objects are physically located in both space and time in ways we are able to reason about when making security decisions. Had the bill been fraudulent, it would still have needed to arrive in your mailbox at the appropriate time in your payment cycle. Had the bus been hijacked, the hijacker would have needed to physically board the scheduled bus and take command of driving it. A psychopathic pharmacist would have had to turn up at the pharmacy on a day when the regular pharmacist was not working. None of these breaches of physical security are impossible, but the situational aspects make them challenging. The terrorists who hijacked and then crashed aircraft in the US on September 11, 2001, not only had to train as pilots, but then had to get themselves onto different aircraft that were flying to nearby locations at about the same time.[6] Their actions were horrific, but the situational security challenges they overcame in order to conduct this attack were extraordinary. So remarkable, in fact, that nobody had previously even imagined a threat of this nature could occur in the physical world.

We are material people, used to securing a material world. The problem is that cyberspace is somewhere else entirely.

A Cyber Day

It’s time to consider a different type of day: a cyber day.

You get up in the morning and check your email. Amid a flurry of spam is a payment notice from your energy supplier, which you promptly arrange to pay. You’re not feeling well but, thanks to the joys of cyberspace, there’s no need to leave home in order to seek a remedy. Instead, you type your symptoms into a search engine, which directs you to an online pharmacy. You order some medication, pay online using your bank card, and await delivery of the goods.

Or what about this?

You get up in the morning and check your email. Amid a flurry of spam is a payment notice that appears to be from your energy supplier but is, in fact, from a fraudster who is attempting to trick you into sending money, which you promptly do. You’re not feeling well, so you type your symptoms into a search engine, which directs you to a website advertising medication at a remarkably reasonable price. The search engine shares your symptoms with several partner organizations, one of which is your life insurance company, which decides to increase your premium as a result. You order some medication and pay online using your bank card. Unfortunately for you, the “pharmacy” website is hosted in the spare bedroom of a small house in Ruritania[7] and dispatches products of questionable safety. It also has several side “businesses,” one of which consists of quickly making a series of online purchases using your bank card details. Another involves remotely installing some software onto your computer, giving the Ruritanians control of your machine and allowing them to trawl through your files for anything of interest, including passwords and financial data. You might not have left your home, but you’ve certainly just been burgled. It’s been a bad cyber day.

Which of these two cyber days is “typical”? It is natural to hope that the second version is less likely. While this is probably true, my description of the second day is certainly not the flight of imagination of your preposterous atypical day in the physical world. The bad cyber day is plausible. Indeed, elements of it are common. How so?

Online fraud of the type first described, the fake bill, is much easier to conduct in cyberspace than in the physical world. For one thing, it’s substantially cheaper and easier to send out millions of fake electronic demands for payment into cyberspace. While most will be ignored, it only takes one or two successful responses to make such a fraud worth conducting. The fake digital payment demand is also harder for a customer to detect, since much of our digital communication lacks the variety of form and style we obtain from physical equivalents.[8]

When we type information into a search engine, we have very little idea what happens to the search data. It vanishes into cyberspace and is, at least in theory, available for the company behind the search engine to process in any way it desires. Once the search results put us in contact with an online merchant, all we potentially have to gauge the honesty and quality of this merchant is the text and images on the website, as well as the language used and prices offered. If we are unfamiliar with the merchant, then, to an extent, conducting business with them involves a leap of faith. Most people fail to appreciate how easy it is to set up an online business in cyberspace and present a seemingly genuine merchant website from a bedroom in Ruritania.

Using the details of someone else’s bank card to make purchases online is likely to be a successful crime until a fraud engine at the bank questions the resulting purchase patterns, by which point it may be too late. For this reason, the stealing and selling of bank card details is one of the major criminal industries in cyberspace. Remotely installing harmful software on a computer is also straightforward, typically just requiring an unsuspecting user to click on a link or download an attached file. Such malicious software can, for example, easily scan a computer for potential passwords and bank details. Worse, it can remain on the computer and act as a digital “spy” in perpetuity.[9]

A bad cyber day is much, much more likely to occur than your atypical day in the physical world.

The Insecurity of Cyberspace

Cyberspace, whatever and wherever it might be, is undoubtedly a very different kind of place from the physical world. This distinction has significant consequences for security in cyberspace. To see why providing security in cyberspace is particularly challenging, it is worth reflecting on what is different with regard to the three features of the physical world discussed previously.

First, cyberspace is inherently not physical. Of course, elements of cyberspace such as data centers, computers, routers, and wires are part of the physical world. However, the information relating to, and being produced and processed by, these components is not physical. Information in cyberspace is represented by digital data. You can’t pick digital data up, feel it, or stuff it into an envelope. Indeed, it’s the nonmateriality of digital data that allows us to do such amazing things with it. We can copy it, transform it, and transfer it at lightning speed around the planet. Being able to represent and utilize information digitally has been truly revolutionary.

Because digital data is not physical, very few of the security mechanisms we use in the physical world are appropriate for protecting digital information. It’s true that we can securely store a USB memory stick by locking it in a drawer, but the moment we want to use the information on this device, we have to connect it in some way to cyberspace, and then the physical protection is no longer effective. We need very different kinds of security mechanisms in order to secure cyberspace.

Nor is cyberspace particularly familiar. That’s not to say we aren’t used to going about our daily lives in cyberspace. We have, after all, come to depend on looking for information on the web, many of us buy and sell goods over the internet, and we use social media platforms to keep in touch. We are thus increasingly comfortable with using cyberspace. But are we familiar with cyberspace itself? How many of us have even the vaguest understanding of how all this is possible? Few people know how a computer works, let alone how computers are programmed, how they connect with one another, and how they exchange information. And few people understand the workings of systems that process information in cyberspace. Where does data we submit to cyberspace really go? Who can see it? What do they do with it? To most of us, cyberspace is magic. We press the button and—abracadabra—stuff happens.[10]

This lack of familiarity with cyberspace brings dangers, since, without even a basic intuition of what cyberspace is and how it works, we conduct ourselves in cyberspace somewhat blindly, relying on systems to do the “right things” on our behalf. The security implications are significant, for this lack of familiarity with cyberspace renders us naive and exposed. We don’t identify when things are going wrong, or indeed what could go wrong, because we don’t understand how things work when they’re going right. “If you see anything suspicious, please report it to a member of the staff.” That’s not going to happen if you have no inkling of what “suspicious” might even look like.

Most fundamentally, we lack the basic commonsense principles that govern our security decision-making in the physical world. In cyberspace people do amazingly risky things they would never contemplate in the physical world, such as sending postcards to burglars when they go on holiday (sending out-of-office messages and posting live holiday photos online),[11] emblazoning their bank account details on a T-shirt (buying goods from an untrustworthy website), and installing surveillance cameras all over their home and publicly broadcasting the feed on live television (overzealously using social media). On the savannahs of Africa our ancestors instinctively knew, when approached by a lion, that they should sprint for the nearest tree, and so do we. We don’t need a second thought to lock the front door of a house in the middle of a big city when we’re not at home. In cyberspace, however, we have very little established “cyber common sense” to call upon. We don’t see open electronic doors, let alone know how to lock them shut. We fail to spot digital lions, even when they are pacing back and forth across our screens.

Finally, cyberspace is liberated from the constraints of physical situation. This is arguably the greatest advantage of cyberspace. We can sit in our own home and buy from stores, chat with friends, view photographs, do business, and plan outings anywhere in the world. It’s incredible that we can do this, and even more amazing that we’ve come to expect it.

However, we’re not the only people who can do things from far away. So, too, can those who wish to act against our interests. A fraudster intent on making illegal money can seek targets anywhere in the world. As can a government or corporation intent on extracting information about our daily lives. In the physical world, most threats come from the things around us. In cyberspace, threats come from anywhere.

The Nub of the Problem

The three aspects of security identified at the start of this discussion are worth returning to in order to reflect on the potential for insecurity in cyberspace. Let’s consider these in reverse order.

First, for many potential types of danger, the threat likelihood is much higher in cyberspace than in the physical world. Ordinary folk going about their daily business in the physical world tend not to be the target of fraud by Ruritanian criminals. They are much more likely to be such a target in cyberspace.[12] Only a totalitarian state would go to the lengths of monitoring the daily lives of all its citizens using purely physical techniques, such as deploying a pervasive network of informants.[13] It’s becoming increasingly easy to do this in cyberspace, without people even realizing it’s happening.[14]

Second, our ability to utilize context in making decisions about security is weaker in cyberspace. Should we trust this website? It’s often hard to answer such a question. This is a difficulty we rarely encounter in the physical world, where the look and atmosphere of a shop’s premises provide a rich source of contextual intuition. If someone knocks at your door and asks personal questions about your bank account, you are unlikely to cooperate. But for many people, a fraudulent email alleging to be from their bank and asking such questions may not raise the same level of concern. Freed from the security provided by physical context, we are less equipped to reason about security threats.

Finally, the basic security mechanisms around which we build security in the physical world are not appropriate for cyberspace. We can’t whisper an email, place a wax seal on a digital document, or easily recognize the shopkeeper behind the counter of an online store.

Cyberspace has shrunk the world, bringing many potential dangers much closer to home. Cyberspace is a place most of us don’t really understand. Worse still, our traditional security tools cannot be used there. It seems we have a problem.

Cryptography to the Rescue

I’ve painted a dark picture about the potential for security in cyberspace. It’s true that the dangers are real and the challenges to providing security are significant. But most of us use the internet daily without too much nastiness coming our way. Is this merely good fortune?

It would be wrong to suggest there is no notion of security in cyberspace. Many of the perils of cyberspace are understood by experts, and much of our technology has been built with a degree of security in mind. Things may not be perfect, but “perfect” security does not exist, neither in cyberspace nor in the physical world.

Most fundamentally, any notion of security in cyberspace needs to be built around core security mechanisms suitable for protecting digital information. If we can construct effective digital security mechanisms to replace the likes of locks, seals, and face recognition, we can then embed those tools into wider systems and processes for protecting our activities in cyberspace. Ideally, we can use these tools to emulate the level of security we experience in the physical world. If we’re lucky, we might occasionally even get more security in cyberspace.

This, in a nutshell, is the crucial role that cryptography plays. Cryptography provides a suite—a tool kit, if you like—of security mechanisms that can be deployed in cyberspace. These cryptographic tools are each, on their own, quite simple security mechanisms that can be used to perform essential tasks such as hiding digital information from unauthorized eyes, detecting changes made to an electronic document, or identifying a computer. However, these mechanisms, when combined in clever ways, can be used to build extremely complex security systems, such as those required to support secure financial transactions, protect electronic power distribution networks, or conduct secure online elections.

Cryptography on its own does not, cannot, make cyberspace secure. Establishing a notion of security involves many different aspects, not simply the provision of security mechanisms. However, although home security is not just about locks on doors, it’s hard to imagine how to secure a home without the use of locks. Likewise, cryptography alone does not secure banking networks, but the global financial system would certainly collapse without cryptography.[15]