(In support of the email below, but perhaps a little OT to the original thread): I don't think you've taken that concept far enough. The security state of the internet (or any network really) at a given moment in time is (in my untested opinion) the aggregate result of a series of decisions made and actions taken by authorized roles in legitimate capacities somewhere on a timeline. (If there are illegitimate actions able to be taken by authorized or unauthorized roles, the ability to implement those actions by those roles is the result of legitimate actions/roles earlier in the timeline.)
You can model the entire state this way - technology is just a physics-limited proxy for those decisions/actions. This means that if you really want to control/manage/influence/predict/comprehend an environment over time, you really must conceptually start with the human aspects or you risk relatively massive conceptual mis-alignment. On Tue, May 28, 2013 at 8:08 PM, Eric <[email protected]> wrote: > Something a lot of people don’t get about the internet is that it’s more of > a policy artifact than a technology artifact. > > The reason we got the internet we have, and not whatever the incumbent telco > industry was working on 30 years ago, isn't because the organizers picked > the better suite of crufty network protocols. It’s because they adopted, > championed, and defended a crucial set of policy principles, e.g. end-to-end > (i.e. “the stupid network”), open standards, open access, etc. > > If you think of the internet mainly as a bunch of packet switching devices, > it's easy to quibble with the naval metaphor: “Container ships are > expensive, packets are cheap.” “Network latency is measured in > milliseconds, not nautical miles.” Etc. > > But seen through the internet-as-policy lens, the naval metaphor makes a lot > of sense: the legal jurisdiction of the playing field is international. Law > enforcement is mostly absent. Commercial operations are basically on their > own. Bandits can attack with impunity, for the most part. Etc. > > At least in maritime scenarios 500 years ago, a private operator had the > benefit of long-established and generally agreed-upon doctrines of > self-defense and self-help. Not so much in cyber. > > My first point being that in this particular policy discussion, it helps to > recognize the internet as a figment of policy more than anything else. And > my second point being, modern cyber law doctrine isn’t even to the level > that maritime was 500 years ago. Folks are starting to recognize this, and > we're seeing signs that we're on the cusp of a major push to bring it up to > date, one way or another. > > > > On Fri, May 24, 2013 at 11:32 AM, Keith Seymour <[email protected]> wrote: >> >> We're all driven by metaphors. They make complex subjects easy to discuss >> without getting lost in the details. They also allow you to think creatively >> about the subject and gain new insights. I think Dave's metaphor works well >> for both of these purposes. >> >> Sure the ships are cheaper, sure they are faster but ours are just as fast >> and cheap as theirs so the advantage needs to be that ours are more >> effective. Bits have to get there and it's still better that they arrive >> without alerting the defender. Bits still have to be stopped and searched >> and filtered, better if the attacker doesn't know it's happening. >> Controlling the commons is what made the British huge and our copying that >> is a lot of what helped us become great - we were able to control what other >> nations did in the world. >> >> One similarity to the ocean analogy is there are only certain points that >> connect a nation to this commons. If you can control the commons and these >> points you can manage what nations are allowed to do there. The difference >> is that the Navy can only stop, turn around, capture, or sink a cargo from a >> controlled nation. In cyber you could board the vessel and weaken the >> springs in the cargo of assault rifles without the owner knowing. This makes >> you ever more powerful because your opponent believes their cargo is >> arriving intact and their plans are moving forward successfully. >> >> Replacing nuclear deterrent in the modern power structure is interesting >> because it's entirely asymmetrical. First world nations are completely >> vulnerable and have no real retaliation. If the attack were as Ben puts it >> 'removing air conditioning and microwaves' and the only retaliation a first >> world nation has is nuclear which would be considered an excessive response >> in world view. Iran could reverse the economic embargo on the US by shutting >> down email mail services in all of the fortune 500 companies, and there >> isn't much the US can do about it legitimately. >> >> This new playing field is very interesting because like never before it >> puts companies' in the position of directly defending themselves and >> everything that's valuable about them against criminals, terrorists, and >> nation states. Governments that don't understand that, or aren't able to >> protect their citizens will have a difficult time of it. >> >> >> >> >> >> >> _______________________________________________ >> Dailydave mailing list >> [email protected] >> https://lists.immunityinc.com/mailman/listinfo/dailydave >> > > > _______________________________________________ > Dailydave mailing list > [email protected] > https://lists.immunityinc.com/mailman/listinfo/dailydave > -- Art & Security --> http://sintixerr.wordpress.com _______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
