Everyone now has a stake in the healthy functioning of communications and control networks, in the devices and services dependent on these networks, and by implication, in all the complicated infrastructure required to keep networks, devices, and services operating.
There is no simple answer to the question of what cybersecurity is. This is because both cyber and security can implicate different concepts and values.
“Cyberspace” is an artificial, complex, constantly changing creation. In a sense, every time one connects a new device to the Internet, that act changes the contours of cyberspace. As we grow dependent on the Internet, more of our activities can be affected by cyberspace vulnerabilities.
Traditional cybersecurity focused on the confidentiality, integrity, and availability (the “CIA” triad) of computers, data, and networks. But today a larger set of interests are often included in the concept of cybersecurity. Security can come from many efforts, ranging from traditional technical interventions to procedural ones, policies, design, and social norms. Cybersecurity is a social and political field as much as a technical one.
Privacy is a separate, related interest to security. It, too, is contested and difficult to define. To begin, we suggest reading about the six high-level attributes of privacy that Professor Dan Solove identifies in Conceptualizing Privacy.
Privacy and security relate to one another both as concepts and as practices. Security is necessary for privacy, but at the same time, we can imagine forms of security, such as the panopticon of the prison or the surveillance apparatus of an authoritarian state, that are privacy-denying.
Security is not evenly distributed. We have to ask the questions “security by whom” and “security for whom” when making cybersecurity policy decisions. As discussed further below, the cybersecurity field has long lacked diversity and placed barriers in front of women and underrepresented minorities who seek to join the field. This undermines security conceptually and in practice, because decisions to promote security can simply be an exercise in risk shifting, with some parties better, and others worse protected.
Security is a privileged value. That is, in policy circles, actors assume that security is a valid social interest worth protecting. But as noted above, “security” is a contested concept; people may be talking of different things when they advocate for investing in it. Further, as the internet grows, cybersecurity’s scope increases. This might cause us to see more human activities through a security lens. As the word security has attached to concepts such as the homeland, security takes on a charged political meaning. Professor Helen Nissenbaum, in the classic article Where Computer Security Meets National Security, explains why we might not want to see the world through a security lens. Nissenbaum explains that the security lens colors our perception of policy issues. The security lens might obscure the moral worth of the underlying activities we are securing, it might cause us to accept unreasonable costs of that security, and it might cause us to accept less democratic political processes, because after all, matters of security are often entrusted to government executives–through militaries and police–instead of more democratic political structures.
Cybersecurity’s moral basis frays as actors stretch the concept from the protection from corporeal harm to economic protectionism, the protection of intellectual property, or the promotion of societal interests in stability or “harmony.”
Taken together, these issues show why we do not see cybersecurity as a good in itself, but rather as an instrument that is increasingly important to secure the values we most cherish in society. The struggle is to recognize cybersecurity in context: liberal societies must promote the forms and applications of security that are freedom enhancing while identifying and rejecting those that are not.