|Credit: Perceivin da multi dimensions|
The genesis of this idea began with my first book in which I used the science fiction metaphor of a parallel universe to describe cyberspace: "a mysterious, invisible realm existing in parallel to the physical world, yet able to influence it in countless ways" (p.xiii). It's also why I've opposed the classification of cyberspace as a fifth warfighting domain. The Department of Defense as well as national and international law enforcement agencies have been relying upon traditional models to combat offensive cyber operations of all types with only marginal success. The information security community whose mission is to build software that protects private and government networks has failed miserably in executing that mission. In fact, some of their core principles such as publicizing vulnerability research may be causing more harm than good. The latest innovation is the rise of anarchist clusters like Anonymous and LulzSec who seemingly breach government and corporate websites at will. It has become clear to me that false assumptions about the battlespace have produced ineffective, possibly harmful defensive strategies and that we have to start fresh.
I've laid out some baseline principles that underlie recommended modalities or modes of action. In addition to my own interest in Complexity theory and Quantum physics, my thinking in this area has been greatly influenced by a research paper published by JASON in November, 2010: "Science of Cyber Security".
- Cyberspace is an artificially constructed environment that is only loosely tied to the physical universe and is not constrained by three dimensional space, therefore there are few apriori constraints on either the attackers or the defenders.
- It is not possible to definitively measure a level of security as it applies to the general operation of information systems (JASON).
- Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy
- Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.
- Transparency such as commercial anti-virus systems and InfoSec research favors the adversary. Secrecy favors the defender.
- For the adversary, trust is more important than identity. Since the Internet favors anonymity by design, defenders may achieve more success by breaching an adversary's trust loop than identifying who the adversary is.
I intend for this project to evolve into something more tangible in relatively short order but I don't expect it to be well-received. There's a lot of money invested (and being made) in the current flawed model and there's no scientific method that can be applied to the field of cybersecurity to help persuade skeptics. Absent scientific evidence, the best reason for corporate executives, military planners, and government policy makers to force themselves to explore and consider alternate paradigms like this one is the rapidly growing popularity of anarchistic hacker crews like LulzSec who will continue to thrive in the antiquated security environment that we've created up until this point. It's time to not only change the game, but the dimensional universe that the game is played in. Yes, we can do that in cyberspace.