Sunday, August 12, 2018

What does threat cumulativity mean for the future of digital technology and cybersecurity

In recent years, most of my presentations about cybersecurity have included a slide titled "Security is cumulative". I made the slide when a group of business people asked if I would speak to them about cybersecurity. As usual, I said I would be delighted to do so, but it would help me to know what aspects of the subject they wanted me to address. The conversation continued like this:
  • Them: “You’ve been at this for a long time, right?” 
  • Me: “Yes, I guess I’ve been researching security for about 30 years.” 
  • Them: “Well, why not talk about the top five or six things that you’ve learned.” 
Why not, indeed. The idea appealed to me and so I created a new slide deck to capture my thoughts and my first thought was this: security is cumulative. Beneath it I wrote words to this effect: To protect information systems and the data they process you have to anticipate and defend against new threats while also defeating old threats.

Ever since I wrote that, I have seen confirmation after confirmation that it is correct. Of course, there is probably some confirmation bias at work, but consider these recent news stories:
That is five examples in 10 days – July 26 to August 4, 2018 – five headlines that reflect the reality that “security is cumulative”. While many information security professionals have, over the years, stressed the need to learn from history, I think this aspect of cybersecurity, this need to defend against an accumulating list of threats, deserves a name, so I am suggesting this one: threat cumulativity.

Here is my proposed definition of threat cumulativity: the tendency of new technologies to spawn new threats that do not displace old threats but add to them.

Of course, there will be objections to this term, starting with "cumulativity is not a word" and "everybody knows this already." Well, cumulativity is a word, as I will explain in a moment. As for "everybody knows this already" let me be blunt: that is one of the most persistent errors in security thinking, kept alive by security experts who are out of touch with the relationship between technology and people.

To be clear, if you are a security expert, you probably do know that threats are cumulative. But there are a whole bunch of people whose work impacts security who have not internalized the implications of this phenomenon. I think that having a term to describe the phenomenon will help to spread awareness of its implications.

Another objection to "threat cumulativity" is likely to be: "you mean risks, not threats, so you should be talking about risk cumulativity." This is a non-trivial point and so I am going to address it in a separate article. But I think there are good strategic reasons for using 'threat' here rather than 'risk'.

As for cumulativity, it is a term used in linguistic semantics to describe an expression (X) for which the following holds: "If X is true of both of a and b, then it is also true of the combination of a and b. Example: If two separate entities can be said to be "water", then combining them into one entity will yield more "water"." (Wikipedia)

Now, I am not an expert in linguistic semantics, but I do happen to have a decent degree in English Language and Literature. To my way of thinking, appropriating cumulativity for the security lexicon is a valid use of the word, one that can help people understand - and defend against - the phenomenon it purports to describe.

I will be writing more about threat cumulativity and furnishing examples of how it appears - to my eyes at least - to spell trouble for new technologies, some of which are the object of much hope for future prosperity.

Note: the illustration at the top of the article is from the works of Vauban, a pioneer in physical security, namely fortifications.