Cybersecurity in Context E-Book

Table of Contents

Cover

Table of Contents

Title Page

Copyright

About the Authors

Preface

Acknowledgments

About the Companion Website

Introduction

Why Cybersecurity?

Why Cybersecurity

in Context?

Outline of This Book

Notes

I: What Is Cybersecurity?

1. What Is Cybersecurity?

1.1 What Is the

Cyber

in Cybersecurity?

1.2 What Is the

Security

in Cybersecurity? The “CIA” Triad

1.3 Encryption Is Critical in Cybersecurity

1.4 Cyber

power

: How Insecurity Empowers and Undermines Nations

1.5 Is Disinformation a Cybersecurity Concern?

1.6 International Views

1.7 Conclusion: A Broad Approach

Notes

2. Technology Basics and Attribution

2.1 Technology Basics

2.2 Attribution

2.3 Conclusion: An End to Anonymity?

Notes

II: Cybersecurity’s Contours

3. Economics and the Human Factor

3.1 Economics of Cybersecurity

3.2 The People Shaping Internet Technology and Policy

3.3 The Human Factor—The Psychology of Security

3.4 Conclusion

Notes

4. The Military and IntelligenceCommunities

4.1 Why Cybersecurity Is Center Stage

4.2 Are Cyberattacks War?

4.3 Computers and the Future of Conflict

4.4 Cybersecurity and the Intelligence Community

4.5 Conclusion

Notes

5. Cybersecurity Theory

5.1 Deterrence Theory

5.2 Security Studies: Anarchy, Security Dilemma, and Escalation

5.3 Economic Theory: The Tragedy of the Cybersecurity Commons

5.4 The Public Health Approach

5.5 Gerasimov and “Hybrid War:” Information Domain Revisited

5.6 Barlowism as Theory

5.7 Conclusion

Notes

III: Cybersecurity Law and Policy

6. Consumer Protection Law

6.1 Federal Trade Commission Cybersecurity

6.2 FTC Adjacent Cybersecurity

6.3 The Limits of the Consumer Protection Approach

6.4 Conclusion

Notes

7. Criminal Law

7.1 Computer Crime Basics

7.2 Computer Crime Incentive Contours

7.3 The Political/Economic Cyber Enforcement Strategy

7.4 Cybercrime’s Technical Dependencies

7.5 The Major Substantive Computer Crime Laws

7.6 High-Level Investigative Procedure

7.7 Live Monitoring

7.8 Conclusion

Notes

8. Critical Infrastructure

8.1 What Is “Critical Infrastructure”

8.2 Political Challenges in Securing Critical Infrastructure

8.3 Cyber Incident Reporting for Critical Infrastructure Act of 2022

8.4 Technical Dynamics

8.5 NIST Cybersecurity Framework

8.6 Alternative Approaches to the NIST Cybersecurity Framework

8.7 The Other CISA—Cybersecurity Information Sharing Act of 2015

8.8 Conclusion

Notes

9. Intellectual Property Rights

9.1 IPR Problems: Context

9.2 Protection of Trade Secrets

9.3 Copyright and Cybersecurity

9.4 Online Abuse and IP Remedies

9.5 Conclusion

Notes

10. The Private Sector

10.1 There Will Be Blood: Risk and Business Operations

10.2 The Politics of Sovereignty

10.3 The APT Problem

10.4 The Security Breach Problem

10.5 Hacking Back: CISA (The Statute) Revisited

10.6 The Special Case of Financial Services

10.7 Publicly Traded Companies and Cybersecurity

10.8 Cybersecurity Insurance

10.9 Conclusion

Notes

IV: Cybersecurity and the Future

11. Cybersecurity Tussles

11.1 A Public Policy Analysis Method

11.2 Software Liability: Should Developers Be Legally Liable for Security Mistakes?

11.3 Technical Computer Security Versus Cybersecurity Revisited

11.4 Encryption and Exceptional Access

11.5 Disinformation Revisited

11.6 Conclusion

Notes

12. Cybersecurity Futures

12.1 Scenarios Methods

12.2 Even More Sophisticated Cyberattacks

12.3 Quantum Computing

12.4 Automaticity and Autonomy: Artificial Intelligence and Machine Learning

12.5 The Data Trade and Security

12.6 The Sovereign Internet

12.7 Outer Space Cyber

12.8 Classification Declassed

12.9 Attribution Perfected or Not

12.10 Conclusion

Notes

V: Further Reading and Index

Further Reading

Index

End User License Agreement

List of Tables

Chapter 1

Table 1.1 Competing definitions of cyberspace sometimes include the user and...

Table 1.2 With the triad in place, we can discuss attacks as affecting just ...

Table 1.3 How might we replace security “balancing” with a consideration of ...

Table 1.4 Contours and consequences.

Table 1.5 Definitions of cybersecurity differ greatly among the most importa...

Table 1.6 Changing input in any way creates a (very) different hash value of...

Chapter 2

Table 2.1 Significant “wake up” moments in Internet insecurity.

Table 2.2 Attacks can happen at any layer (or across different layers) of th...

Table 2.3 Attacks can happen at any layer (or across different layers) of th...

Table 2.4 Attacks can happen at any layer (or across different layers) of th...

Table 2.5 Just as there are different attacks possible in different layers o...

Table 2.6 Mapping criminal suspicion onto investigatory powers.

Table 2.7 Legal process of tracing online behavior. To this day, lawyers and...

Chapter 4

Table 4.1 Significant “wake up” moments in the military.

Table 4.2 The Badfort Crowd does cyber (significant Russian cyberattacks).

Table 4.3 Nations design their cyber operations so they avoid triggering int...

Table 4.4 Cyber conflict may allow an attacker to choose the level of damage...

Table 4.5 Significant “wake up” moments in the intelligence field.

Table 4.6 Significant “wake up” moments in the intelligence field—continued....

Table 4.7 The intelligence community uses “estimative language” and signals ...

Chapter 5

Table 5.1 The nuclear analogy, so popular in cybersecurity thinking, is a ba...

Table 5.2 Herman Kahn developed the concept of an escalation ladder to order...

Chapter 7

Table 7.1 The webs: surface, deep, dark.

Table 7.2 Getting data as an investigator.

Table 7.3 Legal standards for communications data.

Chapter 8

Table 8.1 Significant “wake up” moments in the critical infrastructure field...

Table 8.2 The 16 CIs and their sector-specific agencies.

Table 8.3 Credit cards follow a high-level pattern. Let’s analyze a test car...

Chapter 9

Table 9.1 Creative lawyers and activists have found several practical ways t...

Chapter 10

Table 10.1 Significant “wake up” moments in private sector cybersecurity. No...

Chapter 12

Table 12.1 Significant and difficult-to-foresee shifts relevant to security....

List of Illustrations

Chapter 1

Figure 1.1 Attackers posted this Tweet to the account of AP News in 2013.

Figure 1.2 Under 39 USC §3685, publishers with access to special, discounted...

Chapter 2

Figure 2.1 ARPAnet/MILNET geographic map, April 1984.

Figure 2.2 A trusted root certificate (Apple later removed this certificate)...

Figure 2.3 This world map of submarine communication cables illustrates seve...

Figure 2.4 In 1970, in a now declassified document, Willis Ware and colleagu...

Figure 2.5 In the intelligence context, agencies have tried to homogenize th...

Chapter 3

Figure 3.1 The text of the phishing email used to attack John Podesta.

Figure 3.2 A failed attempt to induce ChatGPT to create a phishing email.

Figure 3.3 A slightly modified query results in a high-quality phishing emai...

Figure 3.4 Another phishing email created by ChatGPT.

Chapter 4

Figure 4.1 John Boyd’s OODA framework. Military strategists have contemplate...

Figure 4.2 To illustrate the scale and complexity, consider this matrix of c...

Figure 4.3 Militaries have developed multiple generations of autonomous “sen...

Figure 4.4 The designs for Lockheed Martin’s F–35, the most expensive weapon...

Figure 4.5 The suspiciously similar Shenyang J-31 is thought to be based on the ...

Chapter 5

Figure 5.1 The Great Seal of the United States has always featured an eagle ...

Chapter 6

Figure 6.1 Imagine different standards for liability for insecurity.

Chapter 7

Figure 7.1 These alleged Russian hackers appear in a 2020 DOJ indictment....

Figure 7.2 The SDN search tool and Russian hackers sanctioned under the CYBE...

Figure 7.3 January 6 investigators used a “geofence warrant” sent to wireles...

Figure 7.4 Hundreds of warrant applications can be found on ECF/PACER (the d...

Chapter 8

Figure 8.1 The Aurora Generator Test.

Figure 8.2 The “core” of the framework is organized around five important “f...

Figure 8.3 Drilling down one level, take the identify goal. NIST states oper...

Figure 8.4 What’s this acronym salad in “Informative References?” The NIST p...

Figure 8.5 Executives like NIST because their organizations can be placed in...

Figure 8.6 Finally, here is the payoff for CISOs. NIST allows them to explai...

Chapter 9

Figure 9.1 A year after the APT1 report, the Department of Justice indicted ...

Chapter 10

Figure 10.1 An example of a risk assessment matrix. Public domain from Wikim...

Figure 10.2 This is the bizarre threat that Sony Pictures received from the ...

Figure 10.3 According to the Department of Justice, this email was a spearfi...

Figure 10.4 This version of the “Kill Chain” developed by the US Navy antici...

Figure 10.5 A 2016 study plotted different kinds of “active defense” being c...

Figure 10.6 This is the certificate that New York regulators created to cert...

Chapter 12

Figure 12.1 President Trump wrote, “The United States of America was not inv...

Guide

Cover

Table of Contents

Title Page

Copyright

About the Authors

Preface

Acknowledgments

About the Companion Website

Introduction

Begin Reading

Further Reading

Index

WILEY END USER LICENSE AGREEMENT

Pages

iii

iv

xiii

xv

xvi

xvii

xix

xxi

xxiii

xxiv

xxv

xxvi

xxvii

1

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

479

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

Cybersecurity in Context

Technology, Policy, and Law

Copyright © 2025 by John Wiley & Sons, Inc. All rights reserved, including rights for text and data mining and training of artificial technologies or similar technologies.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data Applied for:

Hardback ISBN: 9781394262441

Cover Design: WileyCover Image: © posteriori/Getty Images

About the Authors

Chris Jay Hoofnagle is Professor of Law in residence at the University of California, Berkeley. He is affiliated faculty with the Simons Institute for the Theory of Computing and the Center for Security in Politics and an elected member of the American Law Institute. Author of Law and Policy for the Quantum Age (Cambridge University Press, 2022, with Simson Garfinkel) and Federal Trade Commission Privacy Law and Policy (Cambridge University Press, 2016), Hoofnagle is also of counsel to Gunderson Dettmer Stough Villeneuve Franklin & Hachigian, LLP, and serves on boards for Constella Intelligence and Palantir Technologies.

Golden G. Richard III is a Professor of Computer Science and a Fellow of the American Academy of Forensic Sciences. He has over 40 years of practical experience in computer systems and computer security and is a devoted advocate for applied cybersecurity education. He is Professor of Computer Science and Engineering and Director of the Cyber Center at Louisiana State University, where he also directs the Applied Cybersecurity Laboratory. He works mostly in memory forensics, malware analysis, exploit development, reverse engineering, systems programming, and operating systems. His first floppy drive cost $600 and required financing; despite that, he’s still very much alive.

Preface

Chapter image: John William Waterhouse, Penelope and the Suitors (1912), Aberdeen Art Museum.

Source: Aberdeen Art Gallery and Museums Collections/Public domain/https://emuseum.aberdeencity.gov.uk/objects/2543/penelope-and-the-suitors?ctx=3a10837e3d37278fd9e6a15f386c4aabaee1455e&idx=3.

Cybersecurity is a grand challenge of modern society. This textbook introduces the challenge as a highly complex and interdependent social problem, meaning that cybersecurity can only be managed, not solved. This is partly because the integration of computing into every aspect of our lives will imperil our safety in unpredictable ways. Furthermore, the complexity of both computing devices and the attacks against them is continuously increasing. Terrorists in the last decade created chaos by forcefully commandeering physical assets. Attackers of the future might confuse our self-driving cars, cause our appliances to catch fire, or even change our perception of reality.

We also believe that cybersecurity requires multidisciplinary training in order to understand its contours; thus this textbook attempts to capture the rich complexity of cybersecurity by incorporating insights from economics, political science, computer science, information theory, and psychology.

We wrote this textbook in order to reduce cybersecurity students’ workload. Learning cybersecurity from primary literature is labor intensive and often results in confusion because of latent disciplinary assumptions. For instance, literature in the political science field might proceed from assumptions very different from computer science. This textbook helps the student see these assumptions and how people of different disciplines talk past each other.

Because cybersecurity changes so rapidly, we have attempted to set down the basics here. The textbook sets up instructors to discuss the controversies of the day in the classroom. Our goal is to explain both the technological realities of the Internet and how those realities interact with cybersecurity policy and regulation. We have omitted many of the specific statutes and regulations underlying those policies because they change so rapidly. Instead we focus on the reasons, purposes, and history of cybersecurity policy. We think that students who know these elements will be better analysts.

A note on secrecy, classification, evidence, and language. Much of cybersecurity is a “dark art.” No one really knows the true extent of cyberattacks and cyberespionage. We do our best to relate what is publicly known, but at times we rely on speculative sources. We tend to emphasize evidence that has external signals of legitimacy, such as when knowledgeable insiders specifically point to publicly available material. However, much of what we know comes from law practice, our personal experiences, and discussions with people in the field. Caveat lector!

Many of our students hold security clearances, and so this textbook relies only on open-source information. There are no Snowden or Manning documents in this textbook.

Elements of this textbook are designed to assist in making assignments and driving discussion questions.

Question — Discussion Questions. Invitations to discuss an issue appear in boxes like so. Students: Be ready to discuss these questions in class.

Exercise — Assignments. Assignments are formative evaluation opportunities. Assignments appear in boxes and typically require the student to prepare some kind of writing for discussion or grading.

▄

▄ Example — Key Anecdotes. Stories about cybersecurity incidents appear throughout the book to address the problem that vulnerabilities are abstract and analysts often need a concrete example of an exploitation to understand the associated risks.

▄

We have decorated the book with many images from the ILIAD and the ODYSSEY. Why? Both works illustrate an important value in cybersecurity: the Greek concept of mētis. Mētis, the Greek Titan mother of Athena, represented both wisdom and cunning. As James Scott observed, “Broadly understood, mētis represents a wide array of practical skills and acquired intelligence in response to a constantly changing natural and human environment.”

Mētis presents a dilemma: we are ambivalent about tricks and tricksters. On the one hand, we admire tricksters. Thucydides observed, “it is generally the case that men are readier to call rogues clever than simpletons honest, and are as ashamed of being the second as they are proud of being the first.”

Yet on the other, tricksters can wreak havoc. Homer put the clever and their tricks at the center of the story—Penelope’s loom, Circe’s potions, Athena’s disguise as Mentor, Achilles’s disguise at the court of Skyros, Patroclus’s donning of Achilles’s armor, Helen’s perfidies, Athena’s interference with the Trojans’ strategic deliberations, and Odysseus’s too-many-to-enumerate schemes. These are sources of delight as much as fear.

Emily Wilson, in her recent translation of the ODYSSEY, opens the work by describing Odysseus as “complicated.” And so are our feelings about the modern tricks detailed in this book.

December 2023Berkeley, CABaton Rouge, LA

Acknowledgments

We are grateful to everyone who supported this work. They are Elsa Hahne, Victoria Bradshow, Nandhini Karuppiah, Gaurav Lalsinghani, Sakthivel Kandaswamy, Bruce Schneier, Kavin Shanmughasundaram, and Aileen Storry.

Chris Jay Hoofnagle: Many thanks to the students who have participated in Cybersecurity in Context and the Future of Cybersecurity Working Group.

Golden G. Richard III: Thanks to all my students in the Applied Cybersecurity Laboratory, to LSU for providing an amazing work environment, and to Elsa Hahne for basically everything.

About the Companion Website

This book is accompanied by a companion website:

www.wiley.com/go/hoofnagle/cybersecurity

On this website, you can find the teacher’s manual, which contains discussion prompts and guides to elicit points from students, and summaries as well as model outcomes for the exercises.

On the book’s author-maintained site, you can find the virtual machines and lab exercises: https://cybersecurityincontext.com/.

Introduction

Chapter image: Odysseus offers Polyphemus the Cup, DALL-E V3 (2023)

Why Cybersecurity?

Imagine a future you. You work in cybersecurity. It’s Monday morning and you:

Analyze whether a series of posts on social media are the product of authentic user activity or part of a coordinated attempt to influence understanding of a political issue.

Help a client investigate a security incident to determine its severity

Inspect a suspicious software package that was emailed to your COO. Within the software, you find that malicious code seeks to steal valuable trade secrets from your company.

Inspect the logs of recent voter registration changes at the Secretary of State’s office. You learn that someone has systematically changed the registration records of voters from poor neighborhoods around the state.

Test a network to determine whether an adversary can access devices on the network and take them over.

All of these functions are performed by analysts, digital forensics investigators, malware analysts, and penetration testers. Such positions are widely available with employers often desperate to hire qualified candidates. Not only are these functions critical in realizing the value of free speech and privacy—the hallmarks of liberal democracy—they also pay well. The median pay for information security analysts is just over $110,000.1 Highly-skilled candidates may make several times this much, or more. And even better: the U.S. government projects that the field will grow over 30% in the next decade.2

Cybersecurity offers a ladder to the top ranks of corporations. Nowadays, chief security officers are executive vice presidents—top level executives—rather than subordinates to a chief information office. Some cybersecurity experts now sit on corporate boards of directors.

Cybersecurity is an intellectually stimulating field where experts are struggling to develop theory that accurately captures what the field means for governments and society. To illustrate this, we draw your attention to the artwork that decorates the chapters of this book, taken from the ILIAD and ODYSSEY. This chapter is decorated with Odysseus’s plan to escape the cave of the giant cyclops Polyphemus. Recall from the story that Odysseus convinces Polyphemus that his name is “Noman.” Odysseus intoxicates Polyphemus with wine while his soldiers sharpen a stake and use it to blind the giant once he loses consciousness. Polyphemus calls for help, but makes the mistake of telling his friends “Noman is killing me,” and thus the rescuers leave confused. Once Odysseus has escaped, he announces his true identity to Polyphemus, setting the story in motion. Odysseus’s self-attribution is an act of hubris, as irresistible as it was injudicious. Polyphemus hurls a rock at Odysseus, nearly hitting his ship, which is drawn back to the shore by the impact of the rock. While Polyphemus fails to capture Odysseus that day, knowledge of Odysseus’s name tightens a net around the hero’s fate, imperiling his future and causing many losses of his soldiers.

Conflicts in cybersecurity often have these same dynamics—anonymity, the tricking of a victim into creating a vulnerability, rapid action that serves the attacker’s goal, misleading the victim about the identity of the attacker, sometimes attribution of the true identities of attackers, along with many avenues of pursuit against the wrongdoer. As you consider the allegory, know that thinkers in cybersecurity are not certain whether cyberattacks are most like the deception surrounding Odysseus’ name, the wine, or the stake. As cybersecurity evolves, it may take the form of one or all three of these elements.

There are numerous roles for cybersecurity experts with a focus on policy and law. Security disputes among nations require careful study of country characteristics, history, and national security policy. But more broadly, policy students can find stimulating careers at the local, state, and federal levels in scores of agencies that have security sensitivities.

Both lawyers and technically trained students can have a rich future advising clients on security breaches and helping them secure their systems.

You can do good in cybersecurity in the setting of your choice. The military, the intelligence agencies, private companies, non-profits—in particular, human rights groups, and consulting firms all need cybersecurity analysts.

While sometimes “security” is used to smash freedoms, at the same time, we cannot have any freedoms without some amount of security. We cannot have freedom of speech or freedom of association or freedom from privacy intrusions or even freedom to do business when people can threaten our bodies and minds. Nor can we have a functioning government and military that is safe from adversaries without cybersecurity. This means that as a cybersecurity professional, others’ freedoms are in your hands. Whether one can speak, find friends to speak with, get treated by their physician, or just operate a business without getting ripped off is up to cybersecurity experts.

We want you to keep an open mind about security as a key societal value. Providing security for people is a core responsibility of governments. Governments must change their security policies as society and technology evolve and create new threats to personhood. At a high level, much of this textbook is about the struggle—even the failure—of governments to adapt to the new security problems brought about by the Internet.

The private sector performs many government-like roles in security and it has been profoundly effective. Yet, the private sector owes people different duties and has different responsibilities than government. Problems in security have dragooned the private sector into many situations—such as investigation of cybercrimes and even conflicts with other governments—that imperil revenue and raise tricky ethical issues.

Why Cybersecurity in Context?

As much as we need security to secure our freedoms, too much security—or the wrong security—obliterates freedom. This is one reason why this book is titled Cybersecurity in Context. Security as a value can be problematic. It has to be applied with care. Here is the balance we have to achieve: We need enough security so people can enjoy their freedoms and rights. At the same time, we must prevent the creation of a security state, a political body that prioritizes itself over citizens’ welfare.

We will show how not all problems need to be thought of as security issues. In fact, there are a wealth of alternative ways to approach insecurity that do not involve police or militaries. We will see security solutions that use markets, psychology, consumer law, and even concepts drawing from public health.

Finally, we want you to excel in cybersecurity as a professional who understands the technology and the policy of the field. The need for technical analysts to understand these issues is obvious, but managers and executives also need to understand both the technological capacities and limits of systems, and be able to balance capabilities with larger organizational priorities. Those larger priorities range from straightforward economic incentives to the increasingly complex politics of operating an organization. It might seem esoteric today, but we promise that a grounding in international relations, legal principles, and even individual psychological forces will help you better understand cybersecurity.

To help you understand the technology, we have created a series of technical exercises that illustrate fundamental problems in cybersecurity. These exercises are separate from the book and standalone, but will be useful to readers looking for a more technical grounding in cybersecurity and for cybersecurity classes with a hands-on, technical flavor. These exercises are available on this book’s website, https://cybersecurityincontext.com. The exercises require access to a set of virtual machines that we have created, which are available via the website. These exercises are optional and the book can stand on its own as an introduction to important topics in cybersecurity.

Outline of This Book

The first part of this book explores the most important elements that shape the playing field on which cybersecurity problems emerge and are managed. We begin with an overview introducing the meaning of cybersecurity. We then turn to the technology of the Internet, with the aim of explaining why it is so difficult to secure complex networks. The following chapters explain how economics and psychology affect security investment and shape attack and defense. We include a chapter on the military in this first part because the military, we argue, was the first major actor to wrestle with cybersecurity, and it made profound insights in the field in the 1960s and 1970s. It’s humbling to learn that some of the challenges realized by the private sector in cybersecurity were first encountered and addressed by the military 40 years earlier, yet many of the lessons learned were obscured by classification. The first part concludes with an overview of the different theoretical approaches applied to cybersecurity problems.

The latter half of this book delves into the most important substantive cybersecurity regulations—the consumer law, criminal law, critical infrastructure protection, intellectual property rights, security breach notification, and public company regulation. We use a framework approach that identifies key principles and approaches because laws and policies constantly change. Our goal is to prepare you for the uncertainty and change inherent in this field, because no one has fully worked out the best way to manage cybersecurity.

The book concludes with cybersecurity conflicts and futures: scenarios to provoke thought on how security—and your career—might change.

Notes

1

See

https://www.cyberseek.org/heatmap.html.

2

See

https://perma.cc/7QQW-M2VS.

IWhat Is Cybersecurity?

1 What Is Cybersecurity?

1.1 What Is the

Cyber

in Cybersecurity?

1.2 What Is the

Security

in Cybersecurity? The “CIA” Triad

1.3 Encryption Is Critical in Cybersecurity

1.4 Cyber

power

: How Insecurity Empowers and Undermines Nations

1.5 Is Disinformation a Cybersecurity Concern?

1.6 International Views

1.7 Conclusion: A Broad Approach

2 Technology Basics and Attribution

2.1 Technology Basics

2.2 Attribution

2.3 Conclusion: An End to Anonymity?

1.What Is Cybersecurity?

Chapter Image: François Morellon La Cave and Nicolas Vleughels, The Shield of Achilles (18th Century).

Source: FG Waller Fund/Rijksmuseum Amsterdam/Public domain/http://hdl.handle.net/10934/RM0001.COLLECT.413649.

Chapter Learning Goals

What is cyberspace?

What is cybersecurity?

How do concepts of confidentiality, integrity, and availability relate, and are these concepts expansive enough to encompass cybersecurity concerns?

What is encryption and why it is a central technology in cybersecurity?

What are the politics of labeling a challenge a “security” problem?

What is cyberpower?

What does it mean to conceive of information problems like disinformation as a security problem?

This chapter discusses key framing questions: What are the contours of cybersecurity? How do different stakeholders understand cybersecurity and how may these conceptions conflict? Are there principled ways to bound cybersecurity? As we surround ourselves with networked technologies, does cybersecurity become a universal form of public regulation? How should we manage the phenomenon that as we see Internet communications through a security lens, we tend to downplay concerns about due process and free speech?

As these questions make clear, we cannot understand cybersecurity without also studying other disciplines. There are risks from a blinkered approach: those who ignore the larger contexts may be analyzing some element in cybersecurity, but they are not seeing the whole picture.

There are other reasons to pursue a multidisciplinary approach. Multidisciplinarity is important for understanding cybersecurity and for understanding other actors in the field. In cybersecurity, experts from different disciplines agree on facts and yet come to different conclusions about implications and policy impact. We will visit examples of disciplinary disagreement throughout this text.

Cybersecurity is an unbounded problem that cannot be cleanly extricated from an array of other social problems and interests. What this means is that cybersecurity has to be managed. In fact, cybersecurity will never be “solved.” Instead, concerns about whether we can trust devices, networks, and the information present in them will persist and we will need to adjust to manage the problems that arise.

Cybersecurity professionals need to be flexible. In managing cybersecurity, one finds few approaches that all stakeholders accept as good. Instead, one finds that management approaches must accommodate competing interests and values. This means that leadership and even management positions in cybersecurity require soft skills, such as negotiation and compromise, as much as hard skills, such as programming and technical design.

In formal terms, cybersecurity exists in a conceptual category known as a “social mess” or “wicked problem.”1 Problems of this type tend to have common elements, such as a lack of structure, unclear boundaries, and dynamic effects that require adjustments to policies. Cybersecurity’s deep complexity, its “messiness,” requires it to be understood in different contexts.

Definition 1.0.1 — Wicked Problem. A wicked problem or “social mess” is a kind of challenge characterized by contradictory and changing requirements. Such problems are insoluble or difficult to solve. Yet, such problems can be decomposed into smaller, more tractable challenges.

Whether one approaches cybersecurity from the lens of the military or from that of an ordinary user will skew the conception of cybersecurity problems, the fit of solutions, and the balance of compromises among important values embedded in communications systems. We believe no single discipline or profession can bring cybersecurity problems to heel.

1.1 What Is the Cyber in Cybersecurity?

The very definition of cybersecurity is unclear and shifting. Understanding cybersecurity requires a discussion of what cyberspace and security might mean. Here, we explain the complexity and tradeoffs involved in defining cybersecurity’s contours (Table 1.1).

Let’s start with the term cyberspace. This term is dated, but we are stuck with it. Cyberspace is a dominant social, economic, and even emotional force in our lives. Cyberspace is an artificial, highly complex, human creation. Thus, cyberspace changes with time, and those changes will have political, economic, and social consequences.2

Cyberspace is broader than just the Internet, but a discussion of the Internet is helpful to define the larger, growing concept of cyberspace.

At the highest level, the Internet can be thought of as decisions by people to connect their computers to each other. Instead of a local network or a private network used by a single corporation, the Internet is a network of publicly available networks. This means the Internet is both publicly and privately owned by communications companies (AT&T, for instance), governments, content companies (from the New York Times to Google), and even by homeowners in the form of their personal computers. This mixture is not static; it is ever changing as people connect devices to the public Internet. If you buy a camera today and connect it to the Internet, you have just embiggened the Internet.

Table 1.1 Competing definitions of cyberspace sometimes include the user and a concept of how information shapes users’ ideas.

United States Department of Defense, DOD Dictionary of Military and Associated Terms (2021)

“A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers…”

Israel Government Resolution 3611, Advancing National Cyberspace Capabilities (2011)

“…the physical and non-physical domain that is created or composed of part or all of the following components: mechanized and computerized systems, computer and communications networks, programs, computerized information, content conveyed by computer, traffic and supervisory data and those who use such data.”

The Ministry of Foreign Affairs of the Russian Federation, Convention on International Information Security (2011 draft)

Russia styles cyberspace as an “information space,” defined as “the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself.”

National Research Council/National Academies

“…the artifacts based on or dependent on computing and communications technology; the information that these artifacts use, store, handle, or process; and how these various elements are connected.”

This might sound banal, but extraordinary abilities to communicate and control emerge from these connections. We will revisit these powers as “network effects” later in the text. Under the most limited definition of cybersecurity, different networks, their servers, and connective media (from fiber optic to satellite carrier signals) are the “cyber” of cyberspace.

Question 1.1.1 — Technological Change. Can you think of an innovation or new service that will fundamentally change how people use the Internet? What new security implications might it raise?

▄

The early consumer Internet was dominated by companies that provided access to walled-garden style services (we seem to be returning to this today in the form of Facebook/Meta and various apps that cabin the user). Membership in early service providers CompuServe or Prodigy meant a connection to many thousands of other users, news, and even in-network email, but initially, these services did not connect users to what most think is the Internet—the World Wide Web (Web). Instead, users stayed within the offerings provided by the service. These were private networks.

Definition 1.1.1 — Walled Garden. Closed-platform security approaches called “walled gardens” restrict users to certain content, applications, or devices.

The Web emerged in the early 1990s and it competed with private networks such as America Online—in fact, the private network companies portrayed the Web as dangerous and licentious. Companies like America Online claimed to offer a safer, walled-garden experience.

Definition 1.1.2 — The Web. The World Wide Web is an Internet information system typically accessed through a web browser.

Most people think the Web is the Internet. And most people spend most of their Internet time on the Web. But it is important to know that the Web is just one application of the Internet.

Consider How Technological Change Alters “Cybersecurity”

As a human invention, cyberspace is not a static thing. It changes and, as a concept, has grown. Consider how its changes have widened the scope of cybersecurity, and how future changes might alter our sense of what is needed for cybersecurity.

Dialing in

The early private “walled gardens” and early Internet required users to take action to connect, by dialing in, using a modem connected to a phone line. Nowadays, most users are connected by default, providing attackers with more opportunity to exploit our devices when they are constantly on and connected to the Internet.

Evolving connections

Early Internet users connected by phone line, later by cable TV service, fiber optic cable, wireless (LTE and 5G), and satellite. Each change in physical media changes the risk landscape in cybersecurity and incorporates new actors in the cybersecurity mélange. For instance, with the advent of wireless and satellite connections, computer security has to contemplate radio-frequency attacks, solar flares, and even outages caused by rain or other environmental factors.

The cloud

Cloud computing enabled users to outsource—that is, use someone else’s computer—for their data storage and processing. This means user data is controlled by third parties that, on the one hand, may be more expert in security than the average user, but, on the other hand, the cloud company becomes a more enticing target for attackers because of massive centralization of user data.

Internet of things (IoT)

Cybersecurity reaches into every aspect of our lives as we connect a wide variety of devices, from light bulbs to door bells to “smart” refrigerators, to the Internet. These devices typically are inexpensive and many are vulnerable to attack, and, in turn, they can be organized into botnets to infiltrate networks and attack other services. One disturbing trend is that many devices do not allow users to opt out—for example, a “smart” stove might not function correctly without an Internet connection, even though Internet connectivity clearly isn’t required for a gas oven to bake something.

Apps

Apps often make functions on mobile phones more convenient. But every installed app gives adversaries new “threat surfaces” to attack. Many apps are accidentally insecure, but some are deliberately so in order to enable spying on the user!

Body-wide networks

In what Andrea Matwyshyn has termed the “Internet of bodies,” people may eventually have a network of corporeal devices. Thus far, devices like fitness trackers just collect data, but in the future, computer–brain interfaces and other devices may act on data by affecting the physical functions of the body.

Dominant platforms

As vendors gain dominance and serve many clients, they become attractive targets of hackers—single points of failure that enable compromises at scales impossible before computing. For instance, imagine if the most widely used word processing software were compromised. Pretty much every institution in the world might be affected.

Spread of Internet Protocol (IP)

Legacy devices—from industrial control systems to decades-old satellites—are moving from proprietary software systems to IP. With the transition to IP, it becomes easier to attack these systems because vulnerabilities are more general and more well known than those in obscure legacy systems, most of which were never designed to be connected to a broader network.

In the early days of the consumer Internet (the 1990s and early 2000s), users “went online.” That is, they took some affirmative step to connect a device to the Internet, typically by using a phone line to connect a computer to an Internet service provider. Thus, decades-old phone networks, then cable television, fiber optic, and then wireless phone access became key mechanisms to reach the Internet, each raising new cybersecurity concerns. As companies develop satellite-based broadband for consumers, that infrastructure will also become a fundamental part of cyberspace.

Nowadays, we are constantly connected to the Internet, perhaps through several devices and through various ways of connecting.

Question 1.1.2 — Real World Versus the Virtual World. Do you consider the “real world” to be different than your online experiences? If so, why? If not, what key factor would have to change in order for you to consider cyberspace as being completely integrated with your existence?

▄

So, what is cyberspace? As important as the concept is, there is no international consensus defining its exact contours. Different nations conceive of cyberspace differently, and this can lead to different policy outcomes.

1.1.1 Cyberspace’s Places and the Problem of Internet Sovereignty

Whatever cyberspace is, it exists in “places.” That is, the constituent parts of the Internet are physical devices that exist in physical places. When we use the Internet, data originate in a physical place: in a computer that runs in a specific nation-state. As data traverse the world, the data are copied at other places.

The Descriptive and the Prescriptive

Cybersecurity presents difficult public policy issues that are challenging to discuss. Just take the debate surrounding racist hate speech. Some think hate speech is a cybersecurity problem, because it can foment violence and thus undermine collective security. Others might oppose such framing, for fear that efforts to suppress hate speech will result in dangerous forms of censorship.

Our models for engaging in such a debate are poor, even debased. On television, we see exemplars that model argument as personal, on both left- and right-wing news shows. These models may be entertaining, but they are often not enlightening. Instead, we must seek to understand other people; not just their arguments, but also the assumptions that they operate from. We ought to make arguments with evidence. We should never make policy discussions personal, in part for pragmatic reasons. We all disagree some of the time, but to be effective in a work environment, we need to build coalitions among people who cannot always agree.

There are several techniques to engage a difficult question without personalizing the argument. One key approach is to distinguish between description and prescription. That is, we should start by analyzing the communicative intent of a speaker. Is the speaker attempting to describe a situation, that is, state what the situation is? Many listeners hear a descriptive narrative and mistakenly believe that the speaker endorses the narrative.

A prescriptive or “normative” account is different than a descriptive one. When a speaker prescribes, they say what they think the world should be like. For instance, in an academic article, an author may start out with a dispassionate description of a phenomenon, but later in the writing, make a normative argument (an argument that uses norms) to prescribe how the phenomenon should be dealt with.

We suggest the following approaches to have civil discussions:

Understand intent Start from the presumption that we are all earnest, participating with goodwill, and persuadable. Is your classmate intending to

describe

or

prescribe

?

Understand the different uses of words

Are you certain that you understand others’ uses of words? Could key terms have a different meaning to others? You can start by just asking, what do you mean by “x”?

Understand assumptions

Might the other have fundamentally different assumptions about the world? Disagreements over core values, such as the bounds of “personal responsibility,” may underlie higher-level positions about policy.

Seek to understand before arguing

Before you counter a description or prescription, ask yourself: have you taken the time to understand it? Can you restate another’s argument accurately and charitably?

Argue with evidence

Once you understand the other side, marshal evidence to argue. Identify whether your evidence challenges the descriptive or the prescriptive account.

Be humble

No one knows all the facts and no one has universal experiences. Reflect on times that you have been wrong. It’s okay to be wrong; the world won’t end!

People are not their arguments

People can change their minds. And one thing this book will make clear is that even if you disagree with someone on a certain issue, there may be other areas where you can work together. Don’t allow a disagreement on x stop you from collaborating on y.

Understand that people often cannot change their mind in the moment

Argument is a process that changes minds over time. In the moment, one may not be able to just immediately change their mind. One might need to reflect and interrogate one’s ideas in private. The need to maintain dignity might cause people to appear to be inflexible during an argument. Remember: it’s a brave act to say “you know what, now that I’ve considered your point, I was wrong.”

Turning back to racist hate speech, imagine how this method could de-escalate an otherwise contentious disagreement. One might find that everyone agrees on the descriptive account that hate speech is dangerous and stokes violence. Evidence instead of emotion could be marshaled to support the extent of the danger. The participants might ultimately disagree about the prescription for hate speech, but we can find common ground in its description and in our assumptions.

Some conceive of cyberspace as placeless, as a kind of abstract layer that emerges from the physical components of the Internet. For instance, science fiction writer William Gibson wrote about cyberspace as a “mass consensual hallucination.” Many civil libertarians adopt this “nonspace” metaphor for cyberspace in order to remove the Internet from the traditional power rationale of states: physical jurisdiction.

Yet, the framing is deceptive for a reason that is obvious today: the Internet cannot function without a physical reality nor can it work without complex agreements among nations for interconnecting networks. The physical reality of the Internet means nations can degrade, deny, disrupt, and even destroy the Internet.

The Internet sovereignty nations, such as Russia and China, use geography to police the Internet. Internet sovereignty nations attempt to control the Internet by using power over infrastructure to control content. In this way, Internet sovereignty nations are pursuing information security goals rather than computer security ones. For instance, a nation may favor a domestic competitor or it may even require a foreign competitor to house user data in-nation so police can easily access records and data.

Definition 1.1.3 — Internet Sovereignty. A series of legal and technical requirements that vests control over computers, networks, or data based on geographic borders. The goal of these nations may be to secure information rather than computers, networks, and data.

Many Internet sovereignty states are kleptocracies with values and worldviews different from western governments. Western governments hope kleptocracies will liberalize if exposed to western values and marketplaces. However, kleptocratic leaders may care more about local control than enriching or improving their country. Keeping up the struggle against the West may itself be rewarding, as it solidifies their power and relevance even as citizens suffer.

The Internet sovereignty states have learned to use language that sounds as if they are advancing individual human rights and freedoms to advocate for more local control over the Internet. That is, kleptocratic nations like Russia will invoke local self-determination and the value of decentralization—notions supported in principle by civil libertarians—to argue for more control over Internet governance. It is important to recognize that the language may be classically liberal, but the intent is illiberal. The Internet sovereignty nations intend to use local Internet governance to “secure” their citizenry from information these nations do not like—this is cybersecurity as censorship.3 At the same time, these same nations use disinformation to undermine democratic norms.

The Internet sovereignty debate leads to a paradox. Cyberspace as a “nonplace” is nonsense from a technological perspective. But from the perspective of political economy, understanding cyberspace as a nonplace, one not subject to Westphalian sovereignty (meaning, each nation has exclusive sovereignty over its own territory), may be a good hedge strategy to promote freedom. If any nation can exercise control of the bits that traverse its borders, we could find ourselves with a censornet, with China, Iran, or Russia filtering political discussion, the United States filtering copyrighted content, and other nations blocking pornography and so on. Thus, believing in a placeless cyberspace is a useful political myth that might promote more collective freedom. It is as Elliott Smith once said: a distorted reality is now a necessity to be free.

Exercise 1.1 — Cybersecurity in China, Iran, and Russia. How do the government leaders of China, Iran, and Russia conceive of “cybersecurity,” and are their conceptions congruent or incongruent with the discussion in this book? To answer this question, your instructor will divide you into three groups.

Group A

Focus on China. Please read this article and be prepared to present the motivating logic of “cybersecurity” to the Chinese: Lindsay JR. The impact of China on cybersecurity: Fiction and friction. International Security 2014; 39:7–47 available at

https://perma.cc/E86Y-UE9G

a

Group B

Focus on Iran. Please read this article and be prepared to present the motivating logic of “cybersecurity” to the Iranians: Eisenstadt M. Iran’s Lengthening Cyber Shadow. Washington Institute for Near East Policy, 2016 available at

https://perma.cc/P3QE-LG2F

Group C

Focus on Russia. Please read this article and be prepared to present the motivating logic of “cybersecurity” to the Russians: Connell M and Vogler S. Russia’s approach to cyber warfare (1rev). Technical report. Center for Naval Analyses Arlington United States, 2017 available at

https://perma.cc/E2PC-98S2

b

As you prepare for class, here are some sample questions you should be ready to discuss. At the highest level, these questions probe the “why” (why does the nation use cyber) and the “what” (what are the capabilities) of the studied nation.

What are the highest-level policy issues that shape your assigned nation’s use of cyber attack and defense?

What are your assigned nation’s policy priorities in cybersecurity?

What are your assigned nation’s biggest threats (i.e., what is the threat model—only focus on

strategic-level

threats, the kind that could destroy a nation)?

How much offensive cyber does your country use?

What are the most clever attacks used by your assigned country? What do these tell us about the nation’s capabilities?

The China–Iran–Russia articles are aging. They are the most teachable articles we can find on the subject. Are there relevant developments we should discuss that update these articles?

▄

aOptional reading: An important, lengthy work in this space is Liang Q and Xiangsui W. Unrestricted Warfare. PLA Literature and Arts Publishing House, 1999 available at https://perma.cc/PDG9-ZYJ2. This 1999 work written by two PLA colonels contemplates how China—technologically inferior to the United States—might nevertheless develop a series of new conflict techniques to overcome American power. Much of the book’s argument can be understood by just reading its 8th chapter.

bOptional Readings: for those who want to go deeper on Russia, here are the documents that define the so-called Gerasimov Doctrine. If you read Russian, the original report is Gerasimov V. The value of science in prediction. Military-Industrial Kurier 2013; 27 available at https://perma.cc/D7QR-HBFX. Two commentaries are valuable: Bartles CK. Getting Gerasimov right. Military Review 2016; 96:30–38 available at https://perma.cc/HZ6V-2935 and this translation with commentary by Russia expert Mark Galeotti: https://perma.cc/AXS5-85Y9

Now that we have considered the changing thing/nonthing that is cyberspace, we can turn to the “security” of cybersecurity.

1.2 What Is the Security in Cybersecurity? The “CIA” Triad

Traditionally, computer security focuses on the confidentiality, integrity, and availability of computers, data, and networks. This is known as the Confidentiality–Integrity–Availability (CIA) triad. Each CIA value has broad and narrow interpretations.

Definition 1.2.1 — The CIA Triad. There is a widespread consensus that computer security should seek to protect confidentiality, integrity, and accessibility.

Confidentiality could be thought of narrowly as secrecy, or more broadly as the set of rules surrounding who is authorized to access information. In either conception, security overlaps with privacy concepts about selective disclosure of information.

Confidentiality’s different interpretations make it an ambiguous term. To lawyers, confidentiality refers to a legally protected interest that imposes duties and can be enforced with penalties. Under a legal approach, the purpose of disclosure matters a great deal. Confidentiality might allow liberal disclosure of information, yet the information would still be considered protected. For instance, a doctor might disclose medical information to other doctors, to insurance companies, and to pharmacies for treatment purposes without violating confidentiality. But gossiping about a patient does not serve the purpose of treatment and is a violation of the duty of confidentiality.

To computer scientists, confidentiality can mean something very narrow: whether information is secret or not.

Question 1.2.1 — Injuries from Confidentiality. What injury does a person suffer when an unauthorized person obtains confidential information? What if the attacker obtains the data, but does not realize it, or never reads or looks at it? How about this: what if an attacker obtains confidential information, and then posts it somewhere online for others to see. Have those other people who looked at the stolen information wronged the victim?

▄

Integrity refers to the quality of data. Integrity can be conceived of narrowly as data free from corruption. In this sense, integrity means data have not been deleted or altered in a way that is inconsistent with the expectations of the data’s owners.

Broader conceptions of integrity also bring in privacy and data protection interests. From a privacy lens, the word “integrity” includes concepts such as whether data are accurate. Thus, even if an attacker did not change the data, integrity could be poor if the data were inaccurate. Relatedly, integrity can pertain to whether data are up-to-date (data might be too old to be used) and whether the data are relevant for some use (for instance, to decide whether to issue credit to a consumer) (Table 1.2).

Question 1.2.2 — Injuries from Integrity. What injury can a person suffer when an unauthorized person changes data? Is this worse than confidentiality attacks?

▄

Table 1.2 With the triad in place, we can discuss attacks as affecting just one or more of the interests in data and services. But are these concepts expansive enough to address society’s concerns?

Confidentiality

An attacker might obtain access to information meant to be secret to a small group of people.

Integrity

A malicious program might subtly change values in spreadsheets or other documents, resulting in difficult-to-detect business disruptions or failure of a kleptocracy’s ICBM program.

Availability