The links between cybersecurity, digital identity and trade were not immediately obvious to me, and since security isn’t an area where I can even pretend to have expertise, it forced me to think through the topic from the ground up.
I ended up reframing the topic as “the protection of assets in the digital age.” Not “digital assets”, although some assets are undoubtedly digital. Some concrete assets have digital dimensions: for example, a compromised SCADA system can deprive a city of its water supply. This is a new risk because the use of standardized/open solutions and the growing internet connections between SCADA systems and office networks have made them more vulnerable to attack. And while a person’s reputation isn’t digital as such, information technology has changed how reputations are constructed, disseminated, and need to be protected.
The next step is to categorize the assets that need to be protected, and for that one can consider various attributes. One useful categorization is the motive for threatening assets; I submit that Sex, Money, and Power are the three important motivations (in all things!).
Sex is about status – high status improves reproductive success; into this category would fall hackers who build exploits to show their prowess, and people who want to build a digital persona. As an alternative nomenclature to sex, money, and power, one might think of Fame, Fortune, and Foreign Affairs.
Money refers to economic motivations, whether protecting intellectual property rights in content through encryption, or building botnets for fraud or blackmail.
Power is perhaps least talked about until recently: it’s the pursuit of national interest through IT, e.g. “cyberwar”. The assets in question include critical national infrastructure, and sensitive intelligence.
The motivations of sex, money, and power can be mapped against another categorization, that of the asset context. In increasing order of scale, the contexts are the personal, the corporate, and the national (aka social, commercial, and political). (However, note that global corporations actually operate at both a national and transnational scale.)
With these two categorizations, one can then plot topics on a handy grid (apologies about formatting; I haven't grokked how to import tables into blogger):
| | | Context: Personal | Context: Corporate | Context: National |
|---|---|---|---|---|
| Assets | | Reputation; Money, goods; Personal safety | Reputation, brand; Intellectual property; Tangible assets; Employee & customer safety; Business continuity | Critical infrastructure; Intelligence; State assets, incl. military; Political power structures; National wealth |
| Threats (by motive for attack) | Sex (aka fame) | Privacy; Harassment; Defamation | Brand hijacking, web defacement | Embarrassment |
| | Money (aka fortune) | Fraud; Identity theft; Botnet recruiting | Theft of goods; Appropriation of know-how; Diverted compute capacity; Extortion | Advantage national champions; Create non-tariff barriers |
| | Power (aka foreign affairs) | Suppression of speech, access | Appropriation of IPR; Reduce ability to compete | Intelligence gathering; Degrading infrastructure & assets; Demoralizing populations |
A few notes:
Threats to assets come in various flavors, notably appropriation, destruction, and constraint of use.
Trade occurs both within and between columns, that is, between individual people and between individual companies, as well as between people and companies. Likewise, at a different resolution scale, between nations.
It helps to distinguish between the What vs. the How. Security doesn’t appear explicitly in the table, and neither does digital identity; both are means to an end (the “how”) of protecting assets (the “what”). Other means (they do overlap) include encryption, digital rights management, and norms, rules and treaties.