Cyber security is an issue that has attracted widespread attention. This state of affairs is partly caused by the growing influence that advancement in Information Technology has had on society. On the one hand, technological growth has eased human life; on the other hand, such development has come at a heavy cost which borders on compromising the security of users. The present paper assesses cyber security, leading to the conclusion that the concept is an oxymoron. In other words, it is difficult to guarantee cyber security in the contemporary world.
Over the recent past, it has become increasingly evident that protecting information communication systems from cyber-attacks is challenging. There have been deliberate efforts made by many unauthorized people to gain access to private/public information and communication technology (ICT) systems. The primary objectives of such attempts include stealing, disrupting, or damaging data, or carrying out other illegal actions. Many observers expect both the number and severity of cyber threats and crimes to increase in the next few years. The fact that the number of cyber security breaches grows proportionally to the pace of development of ICT systems leads to the argument that cyber security is an oxymoron, since cyberspace is inherently insecure and it currently seems impossible to protect any digital data.
It is noted that most cyber-attacks are not fatal. However, successful breaches in critical infrastructure have far-reaching ramifications. In the case of attacks on important public objects, the outcome is likely to be dire. In this regard, the need for effective measures to address cyber-crimes is apparent.
Cyber Security: The Concept
Protecting ICT systems alongside their content is popularly known as cyber security. Without a doubt, the concept is both broad and fuzzy. Although useful, the term lacks a precise definition since it refers to either one or three of the following components, as elucidated by Fischer:
1. A collection of activities and measures aimed at protection from attacks, disruptions, or threats to computers and their networks, related hardware and software, as well as information contained or communicated, such as software and data, in addition to aspects of cyberspace;
2. The quality or state of protection from the multiplicity of the above or related threats; and
3. The wider field of endeavor targeted at implementing or improving activities or quality of protection.
Based on the above definitions, it is clear that cyber security as a concept is contentious and difficult to define owing to its extensive components. The three aspects allude to a scenario where cyber security is partly equated to information security.
The United States Federal Law (44 U.S.C. §3542(b)) defines information security as the protection of information and/or information systems from unpermitted access, disclosure, disruption, use, destruction or modification for any intentions. In essence, integrity is a critical attribute as it pertains to the impropriety in information modification, destruction, or mischievous use. As a result, one of the objectives of cyber security is to ensure non-repudiation as well as authenticity of information.
Confidentiality is also a concern that cyber security seeks to address. In its simplest form, it focuses on the preservation of authorized restrictions on disclosure and access, and means of protecting individual privacy as well as proprietary data. Availability is also considered since the term relates to ensuring that the access and use of data is both timely and reliable.
The controversy surrounding cyber security extends to the appropriateness of its use when discussing other concepts including privacy, sharing of information, surveillance, and intelligence gathering. Privacy denotes the capacity of a person to control or restrict access to his/her individual information by other people. Consequently, positive cyber security should protect the privacy of participants on electronic platforms. However, shared information is likely to include some data that is considered private by given observers. Cyber security can serve as a way to protect individuals from unanticipated surveillance and information gathering from protected systems. However, in instances where the aim of the discussed concept is to advance protection against cyber-attacks, activities of such nature are likely to influence cyber security. Besides, surveillance through monitoring information flow within a system is an important attribute of cyber security.
Cyber Security Risks
According to Fischer, risks associated with cyber-attacks are influenced by three factors, namely: the threat (who is the attacker), vulnerability, and the impact of the attack. In cyber security, managing the risk posed to information systems is fundamental.
Threats emanate from people who engage in cyber-attacks. Generally, such dangers fall into one or more categories that include: spies, criminals, nation-state agents, hackers and terrorists. Criminals have the objective of gaining monetarily from access to confidential information through extortion or theft. Spies also steal classified data due to their special interests. Moreover, nowadays, spying is moving away from the individual level to the organizational/state level of competitive rivalry. For nation-state agents, the primary goal is to carry out missions to benefit a nation's strategic objectives. On their part, hackers attack private information for gains other than monetary-based ones. For terrorists, cyber-attacks are intended to attain warfare objectives.
Vulnerabilities abound in cyber security. In many ways, this field involves attackers and defenders. In practice, ICT systems are complex, which makes them predisposed to various loopholes. The possibility of such opportunities encourages attackers to keep searching for weaknesses. However, defenders often have ways to protect ICT systems against attacks. Despite the possibility of devising defense mechanisms, challenges persist. For instance, intentional or inadvertent actions by insiders continue to pose a threat. Moreover, vulnerabilities in the supply chain also present challenges to defenders making efforts to ensure security. Such susceptibility can lead to the insertion of malicious hardware or software in the acquisition or supply process. In essence, it is clear that despite the efforts to secure ICT systems, actions of attackers pose a real danger.
Impact of Cyber-Attacks
The impact of cyber-attacks can be devastating. For instance, successful breaches have the potential of compromising the integrity, confidentiality, and availability of ICT services. Information stored or communications being channeled through ICT systems once compromised might lose their usefulness. Moreover, the information might be altered to yield negative or unanticipated results. It is noted that cyber espionage or cyber theft is associated with infiltration of proprietary, financial and personal data. In such circumstances, the attacker stands to gain at the expense of the victim. Other activities such as denial-of-service attacks are likely to slow or block legitimate users/owners from accessing an ICT platform. In addition, botnet malware gives attackers control of a system which they use to attack other systems. In the case of attacks on industrial control networks, breaches pose the danger of destroying important equipment.
Efforts to reduce the risks posed by cyber-attacks must be supported. According to Fischer, mitigating this problem involves three aspects. The first step is to remove the source of a threat through, for example, reducing incentives for cybercriminals or closing botnets. The second phase, which is hardening ICT systems, would help in resolving vulnerabilities. In this regard, training employees and patching software should be considered. In the third stage, possibilities of reducing the severity of impacts should be explored. In this regard, having backup resources would be critical towards ensuring the continuity of operations.
Referring to the Sapphire/Slammer/SQL Server Worm spread, Sen remarked that the Internet exists at the whims of those in a position to destroy it. In essence, the author agreed that cyber security is an oxymoron. Sen quoted the Cyber Security Chief during the Bush Administration as saying that the events surrounding the spread of the worm were indicative of the vulnerability that ICT systems faced. Essentially, the Sapphire Worm, which was easily developed, posed a major problem as it spread to hundreds of thousands of machines within 15 minutes. The Worm disabled root servers which serve as the core of the Internet traffic. In addition, it caused routers to malfunction. As a result, some airline flights were either delayed or cancelled. The banking sector also suffered, since its activities also flopped. Perhaps, the cancellation of a national referendum/election in Canada was the fatal result.
Although the effects of the Worm spread were far-reaching, it is evident that with slight modifications, the outcome would have been worse. Advanced or sophisticated attacks on the Internet vulnerabilities would pose grave or devastating results. As long as loopholes remain on the Internet, and countries all over the world maintain enmity, the risk of incurring greater losses resulting from cyberspace attacks remains real. Further, it would be erroneous to assume that the level of damage caused in the past will be the same in the future. The risk of more damaging results remains topical as well.
Although questions have been raised about the effects of the viral and malware attacks, worm attacks such as the one described above pose a problem similar to terrorism. For instance, claims that multiple servers can be crashed and an election canceled because of cyber-attacks carry serious ramifications. To a certain extent, the term cyberterrorism might be overused or abused, as Singer and Friedman observed. However, it is an accepted fact that this phenomenon has the potential to scare users of the Internet. In such a case, the ease of doing business online can be eroded since people are likely to keep off.
In the second place, if one considers cyberterrorism as using computers to further the objectives of traditional terrorism, the possibility of having a concurrent traditional terrorist attack and Internet blackout increases. If such a move succeeds, the chances of instituting adequate and timely responses would suffer. As a result, the impact of terrorism would have been enhanced by cyberterrorism.
In the third place, one needs to consider cyberterrorism in line with the violation of freedoms that are inherent within an open society. The same goals are set in the case of traditional terrorism, which aims to impede freedom in societies. Without a doubt, it is true that many systems exist at the mercy of individuals who have the capability to destroy or damage them. The same case applies to the Internet. Perhaps more persons exist who are capable of writing code that is more devastating than the Sapphire Worm. However, because of different reasons, they do not do so. As a result, instead of trying to identify faults on the part of individuals who are pointing out the loopholes, intelligent persons need to determine the extent to which the society depends on the Internet, find a way to manage without the Internet if it goes down, and define measures necessary to make it resistant to potential attacks.
Effectiveness of Measures Addressing Cyber Security
Cyber technology is useful despite the challenges. Peter Kim observed that technological advancement has brought many opportunities, although, at the same time, contributed to compromising the safety of users. There is hope of taming or remedying the threats posed by the insecurity problem, despite the popular view that cyber security is an oxymoron. In particular, the use of digital certificates and cloud computing are thought to be useful approaches to mitigating the concerns. However, as the current section depicts, measures aimed at protecting cyber users have not guaranteed security.
The use of digital certificates as a form of protection for online users is common. They work as a form of encryption and authentication. According to Peter Kim, the dependability of the systems is always in question since cracks are found. For example, the Public Key Infrastructure certificate has shown weaknesses. In brief, digital certificates that are thought to be useful in protecting online users do not provide a guarantee of data/communication security.
Many authors who have studied digital certificate technology have concluded that certificates are not entirely secure. Gajek, Jensen, Liao, & Schwenk are among the scientists who have researched digital certificates. According to the above authors, the certificates are crucial in cryptographic systems that are based on either public or private key pairing within the context of the Public Key Infrastructure (PKI). Such certificates are important in binding public keys and identities. Digital certificates validate information, thus enhancing security.
However, digital certificates can be compromised. Recent attacks on PKI networks have confirmed fears that the protection of online data and communications is a disturbing concern. According to Fischer, many ways to direct attacks on individuals, organizations and governments that use the certificates have been devised. One of the methods that have been employed to compromise digital certificates is the theft of code-signing certificates. Private keys associated with the certificates are used to unleash malicious software. For example, hackers compromised Bit9 security, and took a certificate which was used to spread malware. Stolen digital certificates such as Java applet have also been employed to attack Internet users. Hence, the security of such measures remains questionable.
The Opera Company attack led to the stealing of certificates that were used for malicious missions as well. In addition, stolen Adobe certificates have also been utilized to spread malicious software. Moreover, it is possible to program malware to snatch code-signing certificates. The implication is that digital certificates do not guarantee security since cyber crooks can compromise them.
The issuance of inappropriate or weak certificates is also a concern regarding the functioning of digital certificates. For instance, Peter Kim indicated that DigitCert has been responsible for selling inappropriate certificates that were used to sign viruses. DigiCert Sdn has also been at fault by issuing 512-bit RSA keys without certificate extensions. Two of the company's certificates were also found to have been used to sign malware applied in phishing attacks against other certificate-issuer entities. Peter Kim also noted that a technical hitch by TURKTRUST facilitated the issuance of certificates which were employed to mimic Google servers. The above cases also contribute to affirming the position that cyber security is an oxymoron given the existence of loopholes that allow attacks on ICT systems.
One of the common concerns when using digital certificates involves installing illegitimate certificates instigated by malware. Instances of such nature entail configuring infected systems to fail to detect anomalies. For instance, Browser Helper Object distributed an illegitimate Verisign certificate that operated as a Trusted Root Certificate Authority. The object infected systems' ability to react to security warnings. The above case also affirms that preventing attacks is difficult, thus the view that cyber security is an oxymoron is justified.
In each industry, Certificate Authorities (CA) are mandated to control the issuance of certificates. Every CA is expected to use bulletproof security established based on Hardware Security Modules that have triple or dual safe and authorization rooms to guard servers under the protection of Internet Air Gaps. One of the primary concerns in such an arrangement touches on the party to assign the responsibilities of CA.
Cloud storage is one of the ways that are proposed to curb the insecurity that comes with ICT development. Whether it is possible to enhance security of online users through cloud storage is questionable owing to a number of challenges that have emerged in the past. In particular, security and privacy issues remain when it comes to the use of cloud storage. The application of network and virtualization technologies is one of the developments involved in cloud storage that raise concerns. To ensure privacy and security of users, networks are expected to be secure themselves.
Data separation is one of the main concerns regarding cloud storage. The function is critical when one service provider serves more than one organization. Peter Kim observed that it is necessary for service providers to eliminate intentional or inadvertent access to another entity’s data. In practice, cloud storage providers rely on virtual machines and hypervisors to draw a distinction between clients’ data. Despite the presence of such measures, the security and privacy of data stored in cloud services are not guaranteed.
Data encryption is also seen as a method that has been critical towards the enhancement of security. Despite the role it plays in data security, it is possible to compromise it. According to the author, encrypted data can be intercepted while in the transmission process. Thus, the widespread perception that cyber security is an oxymoron is supported.
In the past, hackers have infiltrated private networks. Targeting companies’ certificates, which are supposed to protect online users, poses a serious security problem. The issue is further complicated by the inability of the target organizations to detect and respond to the threats in time. In other cases, entities have failed to develop robust measures that enhance protection. For example, Gajek et al. observed that from 2008, the MD5 hashing algorithm had inherent weaknesses that hackers used to develop cryptographic items and forge digital certificates. Given that a number of organizations continue using such certificates, the threat remains.
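The weaknesses named above (512-bit RSA keys issued without certificate extensions, and MD5-based signatures) are ones a defender can check for before trusting a certificate. The following is an added example, not part of the original essay: it audits the text printed by `openssl x509 -noout -text`, using constructed sample dumps and an assumed policy floor of 2048 bits for RSA keys.

```python
import re

MIN_RSA_BITS = 2048  # assumed policy floor; the essay itself only names 512-bit keys

# Constructed samples in the layout printed by `openssl x509 -noout -text`.
WEAK_CERT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Subject: CN = weak.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (512 bit)
    Signature Algorithm: md5WithRSAEncryption
"""
GOOD_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = good.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""


def audit_cert_text(text):
    """Return policy findings for one certificate dump (empty list means clean)."""
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    key_alg = re.search(r"Public Key Algorithm: (\S+)", text)
    # Matches "Public-Key:", "RSA Public-Key:" and the older "RSA Public Key:".
    key_bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)
    if not (sig and key_alg and key_bits):
        return ["unparsed"]  # fail closed: never report an unreadable dump as clean
    findings = []
    bits = int(key_bits.group(1))
    if key_alg.group(1) == "rsaEncryption" and bits < MIN_RSA_BITS:
        findings.append(f"weak-rsa-key:{bits}")
    if sig.group(1).lower().startswith("md5"):
        findings.append("md5-signature")
    if "X509v3 extensions:" not in text:
        findings.append("no-extensions")
    return findings


if __name__ == "__main__":
    samples = (("weak", WEAK_CERT), ("good", GOOD_CERT), ("junk", "not a cert"))
    for name, dump in samples:
        print(name, audit_cert_text(dump) or "ok")
```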
Based on the above information, digital certificates and cloud storage are some of the measures that have been undertaken to mitigate the security concerns relating to cyber engagements. Digital certificates facilitate the authentication of web pages. The possibility of creating fake digital certificates is one of the aspects that compromise cyber security. In addition, the possibility of creating malware that mimics software presents a big challenge to cyber security. In essence, digital certificates have been compromised in recent times such that they cannot be relied upon for cyber security. Thus, the ineffectiveness of cyber security measures supports the concept that cyber security is an oxymoron.
Operating within cyberspace is essential for many people. It is also apparent that many opportunities emerge from technological advancement. However, mitigating the problems that emanate from the fast development remains a big challenge. In a bid to respond to some of the emerging concerns, various measures such as digital certificates are considered. However, evidence shows that entities that use certificates from trusted sources encounter some concerns, too. In particular, hackers are likely to breach organizational networks. The possibility of experiencing more attacks increases after breaching an organization’s network. Violators of certificates use stolen certificates or compromised ones to create malware or build websites with the intention of hoodwinking Internet users.
Regardless of the security concerns, the paper establishes that the Internet and related ICT developments have greatly influenced the way people live and conduct business. It is also apparent that advancements in technology have created opportunities, and, at the same time, brought new threats. Although efforts have been made to maximize the benefits while reducing the negative effects, cyber security is an oxymoron since it cannot be guaranteed in the contemporary world.