On IT infrastructure security as a complex, but not necessarily complicated, task
Every society builds upon functioning infrastructures which are kept as free from bugs and manipulation as possible. That is all the more true of critical information infrastructures, i.e. information and communication technology, which can be thought of as society's nerve fibres and which are vital to it and of particular importance for it. Data, information and knowledge of every kind are exchanged via these infrastructures. The incapacitation or destruction of such systems would have a debilitating impact on societal functions. The "Internet", consisting of many networks connected by peering, is of enormous significance for the individual, for society, for value chains and for public administration. Yet, at the same time, it is an Achilles' heel of modern society.
IT security under the conditions of a networked society and the Internet is security under the conditions of complex systems. In the most basic terms, a system can be described as a set of linked and interconnected elements (variables) which interacts with other systems, e.g. by being networked. The elements stand in particular relations of interaction and dependence to one another. As the degree of networking among the individual elements, and the dynamics that come with it, increases, so does complexity. Because of their long chains of cause and effect, complex systems lack transparency for observers and are not always readily comprehensible.
The current basic conditions underlying IT security design are those of complex systems. As with the development of the Internet, security was not an essential design parameter for critical infrastructures either. Attacks from outside did not feature in the risk scenarios (security perspective); the focus was first and foremost on the stability of operations (safety perspective). This model of security now meets changed basic conditions. Computers are ubiquitous, and dependencies on IT processes make unpredictable cascading effects more likely; capable and innovative attackers work highly professionally with tools that are ever easier to use; interlinked systems can rarely be isolated; and through manipulated hardware and software, and manipulated technical norms and standards, IT security environments can be compromised and are therefore inherently insecure. Encryption is broken too quickly and too frequently, whether by brute force against short keys or by attacks on flawed implementations. The list could be extended at will. The essential point is that experts are unanimous in classifying the number of security gaps in all information technologies and applications as critical. Moreover, some of these gaps can hardly be found at all.
Through intelligent networking, i.e. the use of information and communication technologies in further areas of infrastructure in order to optimise processes and increase productivity, complexity will increase further, with a rising trend. Cyber-physical systems, for instance, are discussed under catchwords such as 'Internet of Things', 'Industry 4.0', 'Smart City', 'Smart Grid' and 'E-Health'. Communication can no longer be thought of only as communication between persons, but also as communication between and among machines (machine to machine).
The features of networked societies were and still are the object of intense research in many fields. Historically, cybernetics, from which the prevalent prefix 'cyber', as in cybersecurity, and the foundations of systems theory derive, is the interdisciplinary field concerned with the (self-)organisation, regulation and control of complex systems. Not coincidentally, one of its founding fathers, Norbert Wiener, is experiencing a noteworthy renaissance. A key term of cybernetics is feedback, i.e. a process in which two parts affect each other through information in a loop.
The law, too, must adjust to the conditions of the networked society. The current European proposal for a directive to increase network and information security across the European Union (NIS Directive) and the envisaged German IT Security Act (IT-SiG-E) both use an instrument that can be understood as similar to a feedback loop.
Both regulatory plans provide for the introduction of so-called incident notification (Art. 14 (2) NIS Directive Proposal and § 8b (4) IT-SiG-E respectively). Operators of critical infrastructures shall notify the competent authority (in Germany, the Federal Office for Information Security, BSI) of incidents having a significant impact on the security of the core services they provide.
In this respect it is consistent that democratically legitimated actors in the field of IT security can only make decisions, and act, on the basis of a valid overview of the situation. Notifications of cyber security incidents constitute information and knowledge which at least make it possible to obtain an updated picture of the state of complex systems. Since public and (predominantly) private actors at national, European and international level are all involved in guaranteeing IT security, an optimal flow of information between all stakeholders in law, technology and politics will be even more important in future. Knowledge of security gaps may help to build better systems.
Staying with the metaphor above, the challenge would then be to construct the architecture of a democratic feedback model. If the accumulated knowledge were distributed on a broad basis, and if transparency were created according to a principle of graduated publicity, complexity in security-critical systems could be coped with, and security could be made verifiable, for example through public discussion, code review and public vulnerability databases, and thereby more democratic.
1. see, for an example of ICT infrastructure and its dependency on energy as a meta-infrastructure: Bericht des Ausschusses für Bildung, Forschung und Technikfolgenabschätzung: Gefährdungen und Verletzungen moderner Gesellschaften – am Beispiel eines großräumigen und langandauernden Ausfalls der Stromversorgung [Report of the Committee on Education, Research and Technology Assessment: Threats to and vulnerabilities of modern societies – the example of a large-scale and long-lasting failure of the power supply], 2011, Drucksache 17/5672; available at: http://dipbt.bundestag.de/dip21/btd/17/056/1705672.pdf.
2. see Niklas Luhmann, Die Gesellschaft der Gesellschaft, 1998, p. 144: "Ohne Beobachter gibt es keine Komplexität" ["There is no complexity without an observer"].
3. see Sandro Gaycken, Cybersicherheit in der Wissensgesellschaft: Zum Zusammenhang epistemischer und physischer Unsicherheit [Cybersecurity in the knowledge society: on the connection between epistemic and physical insecurity], in: Christopher Daase, Stefan Engert, Julian Junk (eds.), Verunsicherte Gesellschaft – Überforderter Staat – Zum Wandel der Sicherheitskultur [Unsettled society – overburdened state – on the change in security culture], p. 109 et seq.
4. for a succinct description see Marjory S. Blumenthal / David D. Clark, "Rethinking the Design of the Internet: the End-to-end Arguments vs. the Brave New World", ACM Transactions on Internet Technology, Vol. 1, No. 1 (Aug. 2001), p. 70 et seq. (93), who describe the model of the early Internet as "a group of mutually trusting users attached to a transparent network".
5. see https://ec.europa.eu/digital-agenda/en/cyber-physical-systems.
6. http://www.theatlantic.com/technology/archive/2014/06/norbert-wiener-the-eccentric-genius-whose-time-may-have-finally-come-again/372607/; see from the perspective of Governance research: Guy Peters, Information and Governing: Cybernetic Models of Governance, in: Oxford Handbook of Governance, p. 113 et seqq.
7. see Karl-Heinz Ladeur, Das Recht der Netzwerkgesellschaft, ed. by Thomas Vesting und Ino Augsberg, 2013.
8. in this sense see, for example, the German Federal Constitutional Court on the collection and processing of data for statistical purposes, BVerfGE 65, 1 (47) – "Volkszählungsurteil" [census judgment]: "Die Statistik hat erhebliche Bedeutung für eine staatliche Politik, die den Prinzipien und Richtlinien des Grundgesetzes verpflichtet ist. Wenn die ökonomische und soziale Entwicklung nicht als unabänderliches Schicksal hingenommen, sondern als permanente Aufgabe verstanden werden soll, bedarf es einer umfassenden, kontinuierlichen sowie laufend aktualisierten Information über die wirtschaftlichen, ökologischen und sozialen Zusammenhänge. Erst die Kenntnis der relevanten Daten und die Möglichkeit, die durch sie vermittelten Informationen mit Hilfe der Chancen, die eine automatische Datenverarbeitung bietet, für die Statistik zu nutzen, schafft die für eine am Sozialstaatsprinzip orientierte staatliche Politik unentbehrliche Handlungsgrundlage" ["Statistics are of considerable importance for a state policy committed to the principles and guidelines of the Basic Law. If economic and social development is not to be accepted as unalterable fate but understood as a permanent task, comprehensive, continuous and constantly updated information on economic, ecological and social relationships is required. Only knowledge of the relevant data, and the possibility of using the information they convey for statistical purposes with the help of the opportunities offered by automatic data processing, creates the basis for action that is indispensable for a state policy oriented towards the principle of the welfare state."].
9. see, for this tendency, the European legislation and the Directive on the re-use of Public Sector Information: http://ec.europa.eu/digital-agenda/en/european-legislation-reuse-public-sector-information; see, for the idea of "Government as a Platform": Tim O'Reilly, in: Daniel Lathrop / Laurel Ruma (eds.), Open Government – Collaboration, Transparency, and Participation in Practice, chapter 2; available at: http://chimera.labs.oreilly.com/books/1234000000774/index.html.
10. as an introduction see Zehnter Zwischenbericht der Enquete-Kommission "Internet und digitale Gesellschaft" – Interoperabilität, Standards, Freie Software [Tenth interim report of the Study Commission "Internet and Digital Society" – Interoperability, Standards, Free Software], BT-Drs. 17/12495, in particular p. 44 et seq.; available at: http://dipbt.bundestag.de/dip21/btd/17/124/1712495.pdf.
Image: flickr, Armando G Alonso, Complexity of Railways in Paris
This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact firstname.lastname@example.org.