Thursday, September 24, 2009

A cybersecurity taxonomy

I recently chaired a panel on “Cybersecurity and Digital Identity” at a USC roundtable preparing for the APEC Ministerial in 2011.

The links between cybersecurity, digital identity and trade were not immediately obvious to me, and since security isn’t an area where I can even pretend to have expertise, it forced me to think through the topic from the ground up.

I ended up reframing the topic as “the protection of assets in the digital age.” Not “digital assets”, although some assets are undoubtedly digital. Some concrete assets have digital dimensions: for example, a compromised SCADA system can deprive a city of its water supply. This is a new risk because the use of standardized/open solutions and the growing internet connections between SCADA systems and office networks have made them more vulnerable to attack. And while a person’s reputation isn’t digital as such, information technology has changed how reputations are constructed, disseminated, and need to be protected.

The next step is to categorize the assets that need to be protected, and for that one can consider various attributes. One useful categorization is the motive for threatening assets; I submit that Sex, Money, and Power are the three important motivations (in all things!).

Sex is about status – high status improves reproductive success; into this category would fall hackers who build exploits to show their prowess, and people who want to build a digital persona.

Money refers to economic motivations, whether protecting intellectual property rights in content through encryption, or building botnets for fraud or blackmail.

Power is perhaps least talked about until recently: it’s the pursuit of national interest through IT, e.g. “cyberwar”. The assets in question include critical national infrastructure, and sensitive intelligence.

As an alternative nomenclature to sex, money, and power, one might think of Fame, Fortune, and Foreign Affairs.

The motivations of sex, money, and power can be mapped against another categorization, that of the asset context. In increasing order of scale, the contexts are the personal, the corporate, and the national (aka social, commercial, and political). (However, note that global corporations actually operate at both a national and transnational scale.)

With these two categorizations, one can then plot topics on a handy grid (apologies about formatting; I haven't grokked how to import tables into blogger):


Context

Personal

Corporate

National

Assets

Reputation

Money, goods

Personal safety

Reputation, brand

Intellectual property

Tangible assets

Employee & customer safety

Business continuity

Critical infrastructure

Intelligence

State assets, incl. military

Political power structures

National wealth

Sex (aka fame)

Privacy

Harassment

Defamation

Brand hijacking, web defacement

Embarrassment

Threats (by motive for attack)

Money (aka fortune)

Fraud

Identity theft

Botnet recruiting

Theft of goods

Appropriation of know-how

Diverted compute capacity

Extortion

Advantage national champions

Create non-tariff barriers

Power (aka foreign affairs)

Suppression of speech, access

Appropriation of IPR

Reduce ability to compete

Intelligence gathering

Degrading infrastructure & assets

Demoralizing populations



A few notes:

Threats to assets come in various flavors, notably appropriation, destruction, and constraint of use.

Trade occurs both within and between columns, that is, between individual people and between individual companies, as well as between people and companies. Likewise, at a different resolution scale, between nations.

It helps to distinguish between the What vs. the How. Security doesn’t appear explicitly in the table, and neither does digital identity; both are means to an end (“how”) of protecting assets (“what”). Other means (they do overlap) include encryption, digital rights management, and norms, rules and treaties.
