{"id":18263,"date":"2014-06-29T17:24:40","date_gmt":"2014-06-29T15:24:40","guid":{"rendered":"https:\/\/www.hiig.de\/?p=18263"},"modified":"2018-07-09T13:25:29","modified_gmt":"2018-07-09T11:25:29","slug":"on-it-infrastructure-security-as-a-complex-not-necessarily-complicated-task","status":"publish","type":"post","link":"https:\/\/www.hiig.de\/en\/on-it-infrastructure-security-as-a-complex-not-necessarily-complicated-task\/","title":{"rendered":"On IT-Infrastructure security as a complex, not necessarily complicated, task"},"content":{"rendered":"

Every society builds upon functioning infrastructures which are kept as free from bugs and manipulations as possible. That is all the more true when it comes to critical information infrastructures, i.e. information and communication technology, which can be conceived as nerve fibre and are vital to and of particular importance for society.[1]<\/a><\/sup> Data, information and knowledge of any kind are being exchanged via these infrastructures. The incapacity or destruction of such systems would have a debilitating impact on societal functions. The “Internet”, consisting of its many networks connected by peering has enormous significance for the individual, society, value chains and public management. \u00a0Yet, at the same time, they are an Achilles\u2019 heel of modern society.<\/p>\n

IT-security faced with the conditions of networked society and the Internet is a matter of security under the conditions of complex systems. Primarily, a system can be described as an entity of linked and interconnected elements (variables) which interacts with other systems, e.g. by being networked. The elements relate to each other in a certain manner of interaction and dependence. With an increasing degree of networking among the individual elements and the dynamics associated therewith, complexity increases. \u00a0With their chains of cause and effect complex systems lack transparency for observers and are not always readily comprehensible and transparent.[2]<\/a><\/sup><\/p>\n

The current basic conditions underlying IT security design are those of complex systems.[3]<\/a><\/sup> Just as when developing the internet, neither in case of critical infrastructures security were no essential parameter for the design.[4]<\/a><\/sup> Attacks from outside were not present in the risk scenarios (security perspective). Rather, one concentrated at the first place on the stability of the operational procedure (safety perspective). This model of security now meets changed basic conditions. Computers are ubiquitous and dependencies on IT processes make unpredictable cascading effects more likely, strong and innovative attackers work highly professional with instruments easier to handle, interlinked systems are rarely to isolate, by using manipulated hardware and software, technical norms and standards, IT security environments are compromisable and therefore inherently unsecure. Encryptions can be hacked too quickly and too frequently by brute-force-method. The list could be extended at will. The essential point is that the number of security gaps in all informations technologies and applications are classified by experts in unison as critical. Besides, they can in part hardly be found.<\/p>\n

By using intelligent networking i.e. with the aid of information and communication technologies in further areas of infrastructures optimizing processes and increasing productivity, complexity will further increase with a rising trend. For instance, cyber-physical systems[5]<\/a><\/sup> are discussed under catchwords as \u2018Internet of Things\u2019, \u2018Industry 4.0\u2019, \u2018Smart City\u2019, \u2018Smart Grids\u2019 and \u2018E-Health\u2019. Communication can no longer only be thought of one between persons but also between and among machines (machine to machine<\/i>).<\/p>\n

Features of networked societies were and still are object of intense research in many areas. Considered from the historical point of view, cybernetics, from which are derived prevalent internet prefixes like in cyber<\/i>security and the foundation of system theories, is that interdisciplinarity which is concerned with (self-)organisation, regulation and control of complex systems. Not coincidentally, one of the founding fathers, Norbert Wiener, experiences a noteworthy renaissance.[6]<\/a><\/sup> A key term of cybernetics is named feedback<\/i>, i.e. a process, in which two parts are effected by information in a loop mechanism.<\/p>\n

The law, too, must adjust to the conditions of the network society.[7]<\/a><\/sup> The current European proposal for a directive to increase the network and information security across the European Union (NIS Directive) and the envisaged German IT security act (IT-SiG-E) do use an instrument which can be understood as similar to a feedback loop.<\/p>\n

Plans for regulations provide in each case to introduce the so-called incident notification (Art. 14 (2) NIS Directive Proposal resp. \u00a7 8b (4) IT-SiG-E). The operators of critical infrastructures shall notify to the Federal Office for Information Security (BSI) as competent authority incidents having a significant impact on the security of the core services they provide.<\/p>\n

In this respect it is consequent that democratically legitimated actors in the area of IT security can only make decisions on the basis of a valid overview of the situation and act accordingly.[8]<\/a><\/sup> The notifictions of cyber security incidents constitute information and knowledge at least enabling to gain a revised picture of the status of complex systems. Since both public and (predominantly) private actors on national, European and international level are involved in guaranteeing IT security, in future, an optimal information flow between all stakeholders in the area of law, technique and politics will be even more important. The knowledge of security gaps may help to build better systems.<\/p>\n

Remaining in the metaphor above, the challenge then would be to construct an architecture of a democratic feedback model. If the accumulated knowledge was distributed on a wide basis[9]<\/a><\/sup> and if a transparency according to a principle of a graduated public were created, complexity in systems critical for security could be coped with, security would be made verifiable, for example, by public discussion, code review and public security gaps databases and thereby more democratic.[1]<\/a><\/sup><\/p>\n

\n

<\/a>1.<\/sup>\u00a0see for an example for ICT infrastructure and its dependency on energy as a meta-infrastructure: Bericht des Ausschusses f\u00fcr Bildung, Forschung und Technikfolgenabsch\u00e4tzung: Gef\u00e4hrdungen und Verletzungen morderner Gesellschaften – am Beispiel eines gro\u00dfr\u00e4umigen und langandauernden Ausfall der Stromversorgung, 2011, Drucksache 17\/5672; available here: http:\/\/dipbt.bundestag.de\/dip21\/btd\/17\/056\/1705672.pdf<\/a>.
\n<\/a>2.<\/sup>\u00a0see Niklas Luhmann, Die Gesellschaft der Gesellschaft, 1998, p. 144: \u201dOhne Beobachter gibt es keine Komplexit\u00e4t\u201d [\u201cThere is no complexity without observer\u201d].
\n<\/a>3.<\/sup>\u00a0see Sandro Gaycken, Cybersicherheit in der Wissensgesellschaft: Zum Zusammenhang epistemischer und physischer Unsicherheit, in: Christopher Daase, Stefan Engert, Julian Junk (Hrsg.), Verunsicherte Gesellschaft – \u00dcberforderter Staat – Zum Wandel der Sicherheitskultur, S. 109 ff.
\n<\/a>4.<\/sup>\u00a0for a succint description see Marjory S. Blumenthal \/ David D. Clark, Rethinking the Design of the Internet: the End-to-end Arguments vs. the Brave New World,” ACM Transactions on Internet Technology, Vol. 1, No. 1 (Aug. 2001), S. 70 ff. (93), die das Modell des fr\u00fchen Internets beschreiben als “a group of mutually trusting users attached to a transparent network”.
\n<\/a>5.<\/sup>\u00a0see https:\/\/ec.europa.eu\/digital-agenda\/en\/cyber-physical-systems<\/a>.
\n<\/a>6.<\/sup>\u00a0http:\/\/www.theatlantic.com\/technology\/archive\/2014\/06\/norbert-wiener-the-eccentric-genius-whose-time-may-have-finally-come-again\/372607\/<\/a>; see from the perspective of Governance research: Guy Peters, Information and Governing: Cybernetic Models of Governance, in: Oxford Handbook of Governance, p. 113 et seqq.
\n<\/a>7.<\/sup>\u00a0see Karl-Heinz Ladeur, Das Recht der Netzwerkgesellschaft, ed. by Thomas Vesting und Ino Augsberg, 2013.
\n<\/a>8.<\/sup>\u00a0in this sense see, for example, \u00a0German Federal Constitutional Court \u00a0on the collection and processing of data for statistical purposes, BVerfGE 65, 1 (47) – \u201cVolkz\u00e4hlungsurteil\u201d: \u201cDie Statistik hat erhebliche Bedeutung f\u00fcr eine staatliche Politik, die den Prinzipien und Richtlinien des Grundgesetzes verpflichtet ist. Wenn die \u00f6konomische und soziale Entwicklung nicht als unab\u00e4nderliches Schicksal hingenommen, sondern als permanente Aufgabe verstanden werden soll, bedarf es einer umfassenden, kontinuierlichen sowie laufend aktualisierten Information \u00fcber die wirtschaftlichen, \u00f6kologischen und sozialen Zusammenh\u00e4nge. Erst die Kenntnis der relevanten Daten und die M\u00f6glichkeit, die durch sie vermittelten Informationen mit Hilfe der Chancen, die eine automatische Datenverarbeitung bietet, f\u00fcr die Statistik zu nutzen, schafft die f\u00fcr eine am Sozialstaatsprinzip orientierte staatliche Politik unentbehrliche Handlungsgrundlage\u201d.
\n<\/a>9.<\/sup>\u00a0see for this tendency the European legislation and the Directive on the re-use of Public Sector Information: http:\/\/ec.europa.eu\/digital-agenda\/en\/european-legislation-reuse-public-sector-information<\/a>; see for the idea of \u201cGovernment As a Platform\u201d:Tim O\u2019Reilly, in: \u00a0Daniel Lathrop \/ Laurel Ruma (ed.), Open Government – Collaboration, Transparency, and Participation in Practice, 2. Chapter; available here: http:\/\/chimera.labs.oreilly.com\/books\/1234000000774\/index.html<\/a>.
\n<\/a>10.<\/sup>\u00a0as an introduction see Zehnter Zwischenbericht der Enquete-Kommission \u201cInternet und digitale Gesellschaft\u201d – Interoperabilit\u00e4t, Standards, Freie Software, BT-Drs. 17\/12495, in particular p. 44 et seq.; available here: http:\/\/dipbt.bundestag.de\/dip21\/btd\/17\/124\/1712495.pdf<\/a>.
\nImage<\/sup> flickr<\/a>, Armando G Alonso, Complexity of Railways in Paris<\/p>\n

This post is part of a weekly series of articles by doctoral candidates<\/a> of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact presse@hiig.de<\/a>.<\/h4>\n