LC: I think you’ve taught cyber security? I was wondering if you could in some sort of reasonable fashion break down what cybersecurity actually is.
SS: So the three main goals in cybersecurity are summarized in the acronym CIA. C stands for confidentiality, where you want to encrypt stuff so that if somebody gets their hands on it they can’t figure out what it is. Encryption preserves the confidentiality of the message. There’s a lot of work done in various crypto systems that make it very hard to break but easy to encrypt and decode.
The I is for integrity, and integrity refers to the ability to change the content of the message. You could have a crypto system where, say you want to encrypt a financial transaction. I agree to send ten dollars to Lukas and it gets encrypted. Well even if it’s encrypted, it’s possible in some encryption systems to modify it, maybe insert some characters. Maybe instead of ten dollars it could say send 10 million dollars. You have violated the integrity of the message, you have changed the message. It is still confidential and encrypted, but you’ve lost the integrity.
The third letter, the A, is for availability. This is particularly true when you have these denial of service attacks. So in the old days you had things like fax machines. You could keep sending faxes to a machine and anybody who wanted to use the machine for any legitimate purpose wouldn’t be able to. But now you do that with a network. You can bombard servers. Particularly in protocols that have state. If they have state, then the server has to remember the state of the transaction–that there is an open TCP connection. And so if it has a table to keep track of all the open TCP connections, if you bombard it you can overflow the table and break the computer.
And various malware and viruses combine different aspects of these. Some of them can affect the availability, they can tie up your machine. Some of them engage in espionage. Today we had a speaker in the class from the law school, Scott Shapiro, who among other things studies cyberwarfare. There’s a spectrum of cyber-exploits. One is cybercrime where you go in and try to steal money or something. Another is cyberespionage, where you go in and try to get information from foreign governments or a company. Then you have cyberconflicts, where you go and you try to annoy or somehow disturb the target. In the analysis of what comprises a conflict, you have this CIA element. You can do it by compromising the confidentiality, the integrity, or the availability, and any of those consequences can be adverse for the target. Shapiro made the point that hardly any of these would ever rise to the level of war, that war has a very different characteristic and he actually argued that in today’s world, the people who are going to engage in these sorts of cyberconflicts are sort of the weaker players in the global stage–North Korea, Iran, and actually Russia. Russia actually isn’t a strong player, Russia’s GDP is smaller than Italy’s.
LC: Wow, I didn’t realize that.
SS: Well, since the price of oil has come down, it has been hurting. But the point is that these are actors who aren’t going to engage in a regular war because they would be overpowered by the West, but they can express their grievances through these unilateral actions which they often don’t admit to. If you declare war on something, you declare it! If you don’t do this, we’ll keep bombing you or whatever. But he said that what’s called cyberwar is not really war, it has this different flavor. And it turns out that most of us don’t have to worry about that but we do have to worry about phishing and stealing our passwords and data breaches. It’s a never-ending story.