We want to start this journey by asking a simple question: what is a cybersecure (or, simply, secure) system? Some people believe that there exist properties, such as confidentiality, which are necessary conditions for a system to be “secure”. Let us take the case of confidentiality which, when it holds over a piece of information (or a chunk of data), guarantees that information cannot be “understood” but from those who know a certain secret. As an example, if we replace any letter in IBM with the next in the alphabet, we obtain HAL, and only those who know that we’ve used the next letter will be able to understand IBM when they see us writing HAL. Even when a confidentiality algorithm (procedure) is perfect no one would dare to say that it is secure in general, but only insofar security is restricted to confidentiality (confidentiality isn’t sufficient for security). Now, what would change if, instead of confidentiality, we’d consider any other property? What if we say that for a system (or a piece of code) “being reviewed by that guy” is a necessary but not sufficient cybersecurity property? Or what if we say that “having nicely painted blue wires” makes a system secure insofar security is restricted to having nicely painted blue wires? Obviously, they say, not ANY property but SOME specific properties can be considered cybersecurity properties! Interesting… and how do we know which property is a cybersecurity property? Well, that’s the tricky part.
Everything started with the famous CIA-triad and the belief that confidentiality, integrity, and availability could be raised among other properties as glorious cybersecurity properties! It’s obvious, they say, if the great CIA-triad doesn’t hold, a malicious human being could read your messages, alter them, or even prevent you from sending any messages!
[I know you may be tempted but, please, don’t start chasing other properties or digging into the details of them, it has already been done (from the 70s on).] The desire of listing and detailing these properties is natural, occurs frequently to cybersecurity researchers when left alone in their habitats. You can hear them whispering: “if we knew all of them… it would be just a matter of time before all of our systems become really-really-secure”. The thing is… why after 40 years systems are still insecure? Let’s have a closer look at what we are doing here.
One day we wake up and an annoying hacker is altering all the WhatsApp messages we send. Integrity is the property that would make sure no one would be able to mangle with our messages. We pray very hard our oracles and, pufff, integrity it is! But now, something else is happening, we cannot send any message anymore.
We are using WhatsApp, we know that when a message is sent it shows a little grayish tick, and while it is sending a message, we get a little grayish clock. Every message we now try to send has a little grayish clock, how is that even possible? Can’t we communicate with WhatsApp anymore? What that heck is that annoying hacker doing now?! The hacker is disrupting the service, we need availability! We thus kneel and pray for availability and once more our prayers are listened to and we see that all our little clocks are now little ticks.
Just when we thought our troubles were over, we find out that all our messages are now being published all over the place. They are on Twitter, Pastebin, everywhere. You fool, you forgot about confidentiality. The prayer must be hard this time for the oracles to answer but we don’t give up and eventually we obtain confidentiality. Now things are secure, aren’t they? We got the CIA-triad covered; we must be secured. But this is when something unexpected happens. We get a phone call from Alice, our long-time friend. She’s mad at us for sending that nasty message to her just about 10 seconds ago. But we didn’t send any messages, how is that even possible? Oh no… the hacker is now sending messages and pretends to be us. But how, that’s not possible… we’ve got the CIA-triad, we must be safe and yet, we are not!
While many people believe the problem is generated by hackers, we believe the problem is the great master beyond any insecurity manifestation: the approach of the practical man!
This is the approach of the practical man, he who lives his life and then thinks about it, he who finds solutions then problems. Undoubtedly, it takes a lot of effort for the practical man to constantly run in the circle “give me a new cybersecurity issue and I’ll define a cybersecurity property for it”. But that effort is compensated by a HUGE amount of money! A 50+ Billions in Europe alone are given yearly to practical cybersecurity solutions. But what if we wanted, for once, to spend 2 cents in understanding the problem? After all, what is a cybersecure system? Let’s assume that a cybersecure system can be found in our reality, it’s like a very shy animal in a vast and intricate forest where all animals look similar. So, we know its name (cybersecure system) and… an expert reaches us and says:
Expert: I know what a cybersecure animal looks like, we experts have a description of it.The cybersecure animal is brown! It is necessarily brown.
Us: Really?! Have you ever seen it?
Expert: No, but if it wasn’t brown, it wouldn’t be brown.
Us: Ooook, I’m really confused, what’s your problem again?
Expert: No! Listen to me! It’s like cybersecurity properties. A cybersecure system must be confidential otherwise it wouldn’t be! it must be brownnnn!
Us: What the… why?! Why should I care about confidentiality or being brown? I just want a secure system!
Expert: It also must be 21 cm tall!
Expert: It’s like integrity, otherwi…
We look at the expert and something horrible happened! He has become a practical man. Suddenly, everyone is a practical man. There are no scientists around us, no philosophers, no professors, no ideas… everything is a practical solution for a practical problem in a world of dark practical men. And this is where we leave the practical expert (or, as we call him today, a cybersecurity researcher). They really sound smart at first, they are researchers, aren’t they? They are supposed to tell us the properties to prevent insecurities but, it turns out, they are just searching for insecurities and then mitigating them with ad-hoc properties; they are… searchers!
Still, we have nothing but the name of an animal (cybersecure) that doesn’t want to be found. It’s probably brown and 21cm tall, like any other animal in our forest. Finally, we stop searching for that animal, it seems impossible to find it. Let’s have a coffee and read a book, relax, and go with the flow.
Days passed, then weeks, and months. We almost forgot about that weird cybersecure animal. We spent our time in understanding science and its philosophical aspects and, weirdly enough, it seems that the practical approach (of understanding new concepts out of the experience) is not the only way and, maybe, not the best or not even the right way. And suddenly, we think back to the cybersecure animal… could it be that… we made a terrible methodological error? So, we go back to the practical expert.
Us: I was wondering… maybe… we could try to… start from some pure form of sensible intuition, such as space, and reason exclusively analytically, in the abstract, to formulate a sort of transcendental view of a cybersecure system. Sounds fun, right?
Expert: Did you mean the CIA-triad?
Us: What!? No, I don’t care abo… hufff… I mean, we should reason abstractly and search in this abstraction the concepts or properties that allow us to predict a certain phenomenon. We should not induce universal properties from experience or empirical experiments.
Expert: What do you think I’m doing?! I’m the expert! I abstract, I create… You and your mumbo jumbo, out of my expertise!
Us: No, wait, I didn’t express myself. Look, a hacker was altering my messages and I changed my system so that the hacker couldn’t change them anymore. But then he found another way to piss me off, and I found another way to block him and this went on and on and on… So, I thought, the hacker wasn’t doing anything wrong, he was just using the system. I now have a skeptic approach to life, there’s no right nor wrong.
Expert: Are you insane? Do you want to let hackers do what they please, steal money, information and…
Us: No no no… I understand why we believe hacker’s behaviors are wrong sometimes but, they aren’t technically doing something which is against what the systems allow them to do. We always fixed the system, not the hacker, he kept doing what he liked. So, it seems that a system is idealized as a set of behaviors (what the system is supposed to do) and realized with another (often mostly inclusive) set of behaviors (what the system actually does).
Expert: What I hear is mumbo jumbo, stop thinking and start solving problems or fuck off that way!
Sadly, we move away from the expert and from their world of practicality. In science, abstract theories are tested against what they predict; we want a cybersecurity theory general enough so that we can empirically test it regardless of its domain of application. A theory that can be used to predict the cybersecurity of a system or all its insecurities so that attacks, at least, won’t come as a surprise.
There must be another land, another realm where we can find the cybersecure animal. Maybe, when we find the cybersecure animal we can squeeze it to prepare a potion, something that cures the practical experts from their practicality.
End of first act.