In previous blogs, we discussed the fact that data is physical and inherently controllable. Much like I can move a candy bar from the left side of my keyboard to the right, leave it there in anticipation, and slap away a hand intent on stealing it, it’s possible to physically control where data goes, where it remains at rest, and who can access it. What does this say about data ownership? Quite a bit, as it turns out.
In every field of engineering, there is a grace period when the engineers doing the heroic work of making a complex and highly valuable new technology work can escape liability for poor performance, failures, or damages caused by what they build. That grace erodes as the technology becomes commonplace. Eventually, usually through a combination of litigation, legislation, regulation, and evolving insurance requirements, liability and responsibility for failure start being pinned to the engineers who designed and built the failed system.
Information was first digitized in the 1950s, thus ushering in the dawn of data. Then, as now, software was used to create and process data, and, as with most new technology inventions, security was not inherently built in. Software developers didn’t feel the need to apply controls to the new data objects created. Anyone with access to the software and the rare, expensive computer on which to run it could open, read, modify, delete, or copy this data without limits.
Our current concept of cybersecurity is to defend against attacks and remedy failure by erecting more and better defenses. That’s a fundamental mistake in thinking that guarantees failure. Why? Because it’s mathematically impossible for a defensive strategy to fully succeed, as explained in the previous installment of this article series. Another even more fundamental mistake in thinking is that cyberattackers are the cause of our woes. They aren’t. They’re the effect.
Data is just the geek word for information, right? If I were to provide information about the room in which I write this, I might say that it’s 10 feet by 8 feet with a 12-foot ceiling. You’d realize that it’s a comfortable but not overly large space. To put that information into a database, you would use software to enter each dimension into the appropriate cell and save it to your device’s hard drive. Although this description seems straightforward, the information I just conveyed to you and the corresponding data in a database differ in important respects. Without understanding the distinction, we will always struggle to think accurately about data ownership, privacy, and even cybersecurity.
This article is the second in a series on the physicality of data. Cybersecurity failures have been trending sharply upwards in number and severity for the past 25 years. The target of every cyberattack is data — i.e., digitized information that is created, processed, stored and distributed by computers. Cyberattackers seek to steal, corrupt, impede or destroy data. Users, software, hardware and networks aren’t the target; they’re vectors (pathways) to the target. To protect data, the current strategy, “defense in depth,” seeks to shut off every possible vector to data by erecting layered defenses. Bad news: That’s mathematically impossible.
This article is the first in a series on the physicality of data. I’ll follow up with additional installments of this series over the next several weeks, so check back to see those as they become available. All of us tend to conflate the word “data” with the word “information.” Usually, that’s OK, but collapsing data on a computer and information into one thing rather than two separate things makes thinking accurately about data ownership difficult.