Digital Insecurity is the new Digital Security

So, time to just rip that band-aid straight off.  Beyond certain limited applied intellect, influence and effect it must remain true that in any ultimate sense of the term “security” that there is no such thing as data security. The collaborative and cooperative is forever restrained by the competitive and this competition is strongly marked by diverse self-interests and criminal conspiracies cutting corners to illicitly trawl commercial, corporate and institutional networks with about as much difficulty as cracking open fortune cookies; a crumpled piece of paper within the crumbling cookie of firewall and encryption announcing in comic sans font that: “all your base are belong to us”.

A dramatic reconfiguration of business models and corporate ontology is not entirely unthinkable at this point in proceedings and by the dull LED light of all available evidence. Corporations and their business models are attempting to squeeze the square peg of traditional assumptions concerning security, secrecy and the nature and role of information systems into the round hole of digital transformation. Questions could be asked of senior management concerning the implicit organisational inertia of corporations, nation states and global watchdogs. Where the primary concern is the protection of individual and collective information resources across companies, institutions and corporations, and where the networks upon which these breaches and vulnerabilities exist have been designed from the outset as open networks, protocols and fundamentally interconnected systems – what retrospective actions of security remediation can even be considered at this late stage of the game ? Handing over network monitoring to Artificially Intelligent software agents ? Creating parallel (segregated or air-gapped) networks for popular, public deployment in which security is embedded as a fundamental principle in the architecture and design of protocols, hardware and software ?

If nothing is truly secure, or at least nothing that influences the lives, lifestyles, personal finances and digital identities of the majority of network (i.e. internet) users, public institutions and commercial corporations – what actions should be taken or might even be plausibly considered to remediate or restructure network protocols and technologies ? On digital security, the endless tide of breaches, hacks and a disintegrating public confidence in the safety of their personal data has led to a brief spike in public hyper-sensitivity and security awareness, followed shortly after by the endemic desensitisation perhaps inevitable in an information environment in which we are all continuously bombarded with narratives and opinions. A fundamental economic principle of oversupply applies: when there is too much of one thing (i.e. information) made readily available, the perceived value of any specific item becomes perceived as devalued and is easily drowned out in a cacophony of commercial or ill-informed network media and transient cultural buzz.

There is, at least on the social engineering side of the security vulnerability equation, a curious enigma. That same outrageously successful commercial internet culture and business momentum has, as much as supporting and reflecting blue-sky science and technology aspirations, created a consuming public that is also under endless transition and metamorphosis and for whom attention spans have shrunk to the average length of a Spotify or YouTube commercial. For this evolving ecosystem and public subjectivity for whom superficialities and attention spans have blurred into one single strobed flashing information experience, how is it intelligibly even possible to reinforce the importance of what little the public can actually do to protect their own data against breach and theft ? The enigma here is that the proliferation of information and communication technologies which have harnessed, harvested and positively cultivated this consuming digital subjectivity and public (not to mention cotporate, national or international) dependence on these technologies, this digital subjectivity is itself already commercially “groomed” to be open, available and vulnerable to the often insidious ontologies and organisational goals of corporations. The vulnerabilities are in the software, the hardware and – fundamentally – in the culture and “wetware” between the ears of human beings.

We might add to the implicit vulnerabilities embodied in internet users two other non-trivial vectors of insecurity. First, particularly well-suited to the chronically cynical amongst us, is that vulnerabilities and back-doors to computer and network systems also serve a purpose: the epithet “cui bono ?” may give us pause for thought but the conclusions or results of such hypothetical adventures of intellect are your own to cultivate. Second, and somewhat more mundane, is the consideration that the efflorescence of cybersecurity institutes, consultancies, corporate tenancies and assorted organisational functions, departments and roles – all of this is as subject to human incompetence, psychological factors and the countless other inertial and structural limitations that bureaucracies and hierarchical administrations are heir to. Organisational practices fundamentally do not maintain sufficient velocity to successfully address the issues of security; it is also of the nature of functional sub-components that the dual organisational purpose of assigned function or task and human self-interest in continuity of personal tenure and solvency generates implicit friction and turbulence between desired end-states and actual achievements.

The cat of internet security is not only out of the bag. It has escaped the bag, crapped on the keyboard, shredded the curtains and lacerated the hands and legs of those who have attempted to stop it from getting out the front door and onto the street. The insecurity of the digital world is implicit, ubiquitous and unrelenting. The reason that no one has been able to provide sufficient, comprehensive and integrated responses to digital security is that no sufficient, comprehensive and integrated response to digital security actually exists.