Modern field guide to security and privacy

Dan Geer: In cybersecurity, expectations drive reality

The worst laws are those that are unenforceable, so what would we hope our lawmakers say about data collecting and sharing technologies that are not yet critical but soon will be?

Now that we need cybersecurity protections to the degree that we do, to whom does the responsibility devolve? The worst laws are those that are unenforceable, so what would we hope our lawmakers say about technologies that are not yet critical but soon will be?

Do we forbid becoming critically dependent on them when it is not their design but rather the sheer magnitude of their adoption that is what makes them critically essential?

If a sharing economy is to be preferred, then are owners' privileges due to wax while renters' wane, or the other way around? Is the pool of shareable things in a sharing economy akin to the capital in the banking system – something to regulate lest a demand surge cause a run on available liquid assets?

Once an expectation of constant contactability congeals, a coordination mindset eclipses a planning mindset; "I'll shoot you a text when I get there," rather than, "I will be there at five minutes 'til two."

If you act on your expectation that information should be free, then someone still pays, just not you and hence you are not the customer, you are the product. In due course, ever more personalized advertising supporting ever richer free information means a small-s surveillance structure to power that very personalization.

Years of political capital have gone to making insurance, which is to say risk pooling, mandatory and yet to forbid insurers to make risk-informed pricing (the entire premise of Obamacare, gender-neutral life insurance, assigned risk pools holding miserable drivers, etc.).

The Internet of Things is running a 35 percent compound annual growth rate, meaning that in due course, its parts, each and severally, can only morph into critical infrastructures. Their selling proposition is either an expectation of mental leisure, "You don't have to worry about XYZ any more," or else an expectation of insight, "How many calories did I burn in that last game of tennis?" In short order, you won't be able to get along without them.

We are in a sea change of expectation with respect to what cybersecurity is and is for. The pervasive, eager willingness to collect and share information, to deploy sensors, to delegate management of daily life, to entrust health to the prerogatives of algorithms is both cause and effect of information ever more digitally available. 

Heretofore, the great triad of cybersecurity goals was confidentiality, integrity, and availability. The great power of data fusion applied to that growing cataract of shared data means that confidentiality and the gate keeping of data access supporting it can no longer be the pinnacle goal of cybersecurity, perhaps not even a goal at all. 

If we are to have all-electronic health records and regular monitoring by everything from our toilet to the breathalyzer in our car – all the while the majority of medicines transition to being genomically personalized – we had better be sure that it is data integrity that is paramount.

That triad of confidentiality, integrity, and availability may now contract to integrity and availability and do so because that contraction is the logical outcome of our expectations.

In so many words, First World democracy is less choosing who gets what title but rather what guarantees we want applied after the fact to things we adopted out of their irresistibility. An expectation of riskless life is the hallmark of adolescence. Perhaps all I am saying is that cyberspace is solidly adolescent – too young to take over but too big to ignore.

Yet in the end, reality always wins and wishful thinking always loses. That eventuality may not be instant, just as John Maynard Keynes put it when he said, "The market can remain irrational longer than you can remain solvent," but on the relentlessly accelerating time scale of data accumulation, I don't think there is a long wait in store.

My bet is that data protection soon means some mandate ostensibly guaranteeing that data are untampered with plus, where required, that data can be assuredly deleted. The more we depend on data, the less we can keep it in a locked box but the more we will rely on it being correct.

Dan Geer is the chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader US intelligence community.

