Security has many dimensions, depending on the situation. People secure boats by tying them to a dock, secure loans from financial institutions, or secure promises with a handshake. People feel less secure, or insecure, when they doubt their own abilities, when they lose their privacy, when a thief steals their wallet or purse. Thus, security is a psychological as well as a physical state of feeling—as well as being—protected from loss, breach of trust, attack, or any real or perceived threat.
The word security is widespread and appears in many contexts, from the United Nations Security Council and the nuclear and environmental security councils worldwide to national security, social security, and neighborhood security watch groups formed to keep homes safe from burglars. The term has become enshrined as well in the Department of Homeland Security, which describes itself as working "to keep America safe" with one program slogan of "Don't be afraid, be ready." Closely related terms include safety and fear. Fear is a feeling, not always rational, of agitation and anxiety caused by the perception of danger. In the United States, in 2001, about 1,000 people died from airliner accidents, including those who died in the crashes of September 11, 2001, while in the same year, more than 42,000 people died in automobile crashes. Yet after the September 11 attacks, many people refused to fly and opted to drive. They no longer felt secure in airliners, even though they faced greater risk on the roads.
In between self-reliance and the appeal to religion (which places ultimate "security" in the divine), the most general efforts to enhance security involve science, technology, and politics. Many scientists, for instance, argue that insofar as fear arises from ignorance, scientific explanations of phenomena reduce superstition and increase understanding, thus promoting security through knowledge.
From earliest times human beings have also depended for their very existence on the technologies of food gathering, production, and preparation, as well as those that provide clothing and shelter. Technology, especially in the form of medicine, has a long history of combating the insecurity of disease. Virtually all forms of engineering propose to render human productivity and products more secure.
To protect technological gains, however, provisions for political security are a further requirement. The rise of the first civilizations was closely associated with the development of technologies of military security. In order to obtain civil security, people have even given their allegiance and surrendered their rights to emperors, kings, and governments. According to the English philosopher Thomas Hobbes in the Leviathan (1651), this compact between people and leaders is necessary because people naturally lack traits that would ensure mutual security. For Hobbes, people are essentially selfish creatures with no concern for or connection to one another. Because humans are largely unsuccessful and constantly warring, they trade away their freedom and individuality in order to gain stability, law and order, a predictable future, leisure, and enjoyment. While other philosophers take a less dim view of human nature, all agree that security is essential for society, production, trade, and culture.
Hobbes and other early modern philosophers also argued that state security would not only protect technological achievement but also promote it, and that security could be enhanced by turning those desires for material welfare that might otherwise lead to warfare between nations to a general warfare against scarcity. Although the pursuit of security thus plays important roles in virtually all modern technologies, the more explicit appeals to security are undoubtedly found in the discussion of computers and the military.
Computer and information professionals are at the front line of ensuring the confidentiality, integrity, operability, and availability of information systems and data. Under the umbrella of those words come physical threats stemming from floods, hurricanes, sandstorms, and other natural disasters, as well as unintentional harm from careless use, and of course intentional harm from thieves, hackers, or terrorist attack. The focus of computer and information security often narrows to the means, such as encryption, passwords, and biometrics, rather than examining the motivations and goals of security. Among the many dimensions of this broader field are various levels of security, false senses of security, intrusive burden of security, and much more.
It is particularly important to differentiate between the ordinary and the national levels of security (Nissenbaum, Friedman, and Felten Internet article). The ordinary level comprises assurance of safety from the threats mentioned above, such as natural disasters, human error, or unwanted trespass. Computer and information professionals take what measures they can to protect from ordinary threats.
The national level, however, includes more extraordinary measures of action. In the name of national security, nations pursue extreme measures. As Helen Nissenbaum, Batya Friedman, and Edward Felten described it,
The cause of national security can be parlayed into political measures as well: a lifting of typical restraints on government activities and powers, especially those of security agencies. We may see also a curtailing of certain freedoms (e.g. speech, movement, information), a short-circuiting of certain normal democratic processes (e.g. those in the service of openness and accessibility), and even the overriding of certain principles of justice.
Thus, in some instances, ordinary security is trumped by national security, and the individual is left with fewer rights and feeling less, not more, secure. For example, national identity cards have only limited potential to enhance security but also entail an array of serious risks and other negative characteristics (Weinstein and Neumann 2001). Governments might impose national identity cards and people might agree to them out of fear, rather than out of a rational need.
Specific Issues of Computer and Information Security
In most areas, governments, institutions, and manufacturers give people visual reassurance that they are protected from harm. Security is signified by armed guards standing at a checkpoint, childproof tops on pharmaceutical products, and locks on doors, windows, and cars. Banks are often solid structures, giving depositors the reassurance that their funds are safe. Screen savers can be password protected, although breaking through such protection is trivial. Whether effective or not, these measures calm and reassure people.
In the realm of computers and information, the physical and psychological aspects of security are more elusive, because the digital world is often devoid of the visual cues that lead people to feel secure. How can a user know that a document has not been altered, that no one has eavesdropped on a conversation, that an order comes from a real customer? Challenges include authenticating data and users, maintaining data integrity, and ensuring the confidentiality of communication.
The lack of transparency of technological devices easily renders end users both insecure and dependent. Although this is a problem associated with many technological appliances such as radios, refrigerators, and air conditioners—devices that few can repair or even explain—the lack of "transparency" is peculiarly salient in computers, which are themselves increasingly integrated into other devices—to make the DVD player, car, or toaster "smart," but leaving the users feeling powerless and "dumb." When devices make people feel dumb, they also make them feel less secure.
What about the security threats of private spyware products? Not only do people have to be worried about governments or corporations spying on them, increasingly individuals have available sophisticated technologies for spying (spouses on each other, parents on kids, and so forth).
Another (closely related) issue: False security is provided by deleting computer documents, as some criminals have discovered to their chagrin. Computer professionals can recover many deleted files, even of non-criminals.
Security measures themselves can become burdensome, as when users have too many passwords to remember. Fear focused on one area may leave another more vulnerable. Indeed, professionals who concentrate too narrowly on the machine and wires and airwaves may overlook the danger of a disgruntled employee or an electromagnetic weapon. Research by Rebecca Mercuri into the dangers of electronic voting provides a cautionary tale, for this perceived cure for election errors and interference may result in the potential for even greater fraud.
Thus computer and information security are elusive goals that professionals aim to attain through technological fixes such as encryption, firewalls, and restricted networking. Sometimes these efforts are undertaken because of actual attacks and interference, and sometimes they are applied to allay fear or provide users with a sense of security.
Basic Issues of National and Military Security
The second most common area in which questions of security play a prominent role is that of national and military security. During the Cold War (1945–1990) the primary national security issue was nuclear weapons, and spies were sent into countries to learn more about them. Attempts to enhance nuclear weapons security and safety involved both controlling scientific knowledge that might be of use to an enemy, especially by means of secrecy, and engaging scientists and engineers in the development of technologies thought to enhance national security, technologies that ranged from "fail-safe" command and control techniques to monitoring and surveillance devices. The demand for secrecy in some scientific research was nevertheless often argued to be a distortion of the scientific ideal, insofar as this ideal is committed to the production of shared knowledge. Indeed, some scientists argued that secrecy was actually counterproductive, and that greater security could be had through more openness in science.
As for spies, in the United States there were witch-hunts and other wide-ranging and over-reaching investigations by government that ruined the careers of innocent people and left many feeling insecure and vulnerable. The McCarthy hearings of the early 1950s involved telephone wiretaps and other intrusive acts used on innocent people.
With the end of the Cold War, the promotion of secrecy in science in the name of national security became less pronounced, but was sometimes replaced with the promotion of secrecy in science and technology in the name of corporate security and economic competitiveness. Then, with the advent of the so-called war on terrorism (2001–), needs for secrecy and control in science for national security reasons again became a prominent issue.
One specific example concerns biodefense and the boom in building high-security "hot labs" where the deadliest germs and potential bioterrorist weapons can be studied. Although the need for level 3 and level 4 biosafety labs and associated security measures is real, scientists such as David Ozonoff at the Boston University School of Public Health worry that there may be insufficient safeguards "to prevent work that violates the ethical standards of the scientific community" (Miller 2004). Stanley Falkow of Stanford University has even decided to destroy his own plague cultures rather than work under the new security regulations, pointing out the danger of security driving away talent (Miller 2004).
As these and other examples show, security needs will not abate, for they are deep in the human psyche and are built into the contract between people and their governments. Keeping security measures in balance with other values, such as freedom of speech and the pursuit of knowledge, poses a continuing challenge.
For more extensive discussion of this issue, see "A Difficult Decade: Continuing Freedom of Information Challenges for the United States and its Universities," available at http://www.murdoch.edu.au/elaw/issues/v10n4/woodbury104.html.
MARSHA C. WOODBURY
SEE ALSO Aviation Regulatory Agencies; Biosecurity; Building Destruction and Collapse; Computer Ethics; Computer Viruses/Infections; Freedom; Hobbes, Thomas; Information Ethics; Police; Privacy; Telephone; Terrorism.
Miller, Judith. (2004). "New Biolabs Stir a Debate over Secrecy and Safety." New York Times, February 10.
Weinstein, Lauren, and Peter G. Neumann. (2001). "Risks of Panic" (Inside Risks column 137). Communications of the ACM 44(11): 152.
Mercuri, Rebecca. "Electronic Voting." Notable Software. Available from http://www.notablesoftware.com/evote.html.
Woodbury, Marsha. "A Difficult Decade: Continuing Freedom of Information Challenges for the United States and its Universities." Available from http://www.murdoch.edu.au/elaw/issues/v10n4/woodbury104.html.
Computer security has been a consideration of computer designers, software developers, and users for virtually as long as the computer has existed. As any Internet user knows, computer security is a critical factor in the web-connected e-world. It is also important in business, industry, and government, where internally networked computers create an environment in which confidential or proprietary data must be protected from unauthorized access.
Computer security measures can be broken into three basic components and functions:
- Identification: "Who are you?"
- Authentication: "OK, I know who you are, but prove it."
- Authorization: "Now that I know you are you, here's what you can do in my system."
Computer security attempts to ensure that "the good guys" (authorized users) are able to access the systems and data they desire, and that "the bad guys" (unauthorized users) do not gain access. Although this is a simple idea, the implementation and maintenance of strong computer security is not easy. Multiple vendor equipment, different operating system environments, ease-of-access requirements, and (not the least) difficult users all make for hurdles in the continued operation of effective security measures.
The history of computer security starts, of course, with the earliest computers. The UNIVAC (Universal Automatic Computer) and ENIAC (Electronic Numerical Integrator and Computer) were each relatively secure due largely to the fact that the machines were housed in locked buildings or complexes and had few, if any, additional computers connected to them. However, it was not long before the power and capabilities of the computer expanded the number of connected users. As a result, computer designers and programmers had to consider computer security.
The development of computer security has mirrored the evolution of the computer itself and its expanding capabilities. As more and more computer devices—primarily personal computers (PCs)—have been linked together, the need for computer security has grown. Possibly the most significant impact on computer security has been the Internet. With the advent of worldwide connectivity and around-the-clock access to computer systems and data, computer security experts have struggled to keep pace.
Here is a brief timeline of significant computer security events. Notice that as computer network capabilities have grown, so have the security concerns.
Memory Protection Hardware; Partitioning, Virtual Memory (1960).
Since the late 1950s most computers contain special registers to define partitions of memory for use by separate programs and ensure that a running program cannot access the partition of another program. Virtual memory extended this by allowing each object to be separately protected as if it were in its own partition. Partitioning and virtual memory capabilities provided one of the first security protection measures in early multi-user environments.
File Access Controls (1962).
Beginning in the early 1960s, time sharing systems provided files for individual users to store personal or private information. The systems were secured using file access controls to allow the owners to specify who else, if anyone, could access their files and under what circumstances. The Massachusetts Institute of Technology (MIT) Compatible Time Sharing System and the University of Cambridge's Multiple Access System were the first examples of this kind of security.
One-way Functions to Protect Passwords (1967).
Password protection was the first user-centered security feature. The authentication system used during login stores enciphered images of user passwords but not the actual passwords. This protects passwords from being divulged if an attacker happens to read the file.
Multics Security Kernel (1968).
The Multics system at MIT made security and privacy one of its central design principles. The designers paid very careful attention to identifying a small kernel of system operations which, if correct, would guarantee that all security policies of the system would be followed. This design signified the importance of security to the computer's basic programming.
ARPANET (1969) and Internet (1977).
The ARPANET (Advanced Research Projects Agency Network) was the first wide-area computer network. It started in 1969 with four nodes and became the model for today's Internet. This inter-connectedness increased the risk of unauthorized user access from outsiders and raised awareness of security issues to network administrators and owners.
Unix-Unix System Mail (UUCP); Mail Trap Doors (1975).
UUCP allowed users on one UNIX machine to execute commands on a second UNIX system. This enabled electronic mail and files to be transferred automatically between systems. It also enabled attackers to erase or overwrite configuration files if the software programs were not correctly configured. Since there was no central administration of UUCP networks, the ARPANET command-and-control approach to controlling security problems did not apply here. By 2000, the Internet had many of the same characteristics.
Public Key Cryptography and Digital Signatures (1976).
Cryptography is the ability to scramble messages based on a "secret," prearranged code. Public-key cryptography enables two people to communicate confidentially, or to authenticate each other, without a prearranged exchange of shared cryptographic keys. Although cryptography had been around for many years, this was the point at which it was integrated into the development of computer security.
First Vulnerability Study of Passwords (Morris and Thompson, 1978).
This study demonstrated that password guessing is far more effective than deciphering password images. It found that a very high percentage of passwords could be guessed from user names, addresses, social security numbers, phones, and other information stored in the user identification files. Password guessing remains a major threat today.
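The two password entries above (one-way images, 1967, and the guessing study, 1978) can be shown together in a short sketch. This is an added example, not code from the original article: salted PBKDF2-HMAC-SHA256 from the Python standard library stands in for the one-way function, which the article does not name, and the record fields, function names, and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example

# Constructed sample user record (not real data).
SAMPLE_RECORD = {
    "username": "asmith",
    "full_name": "Alice Smith",
    "phone": "555-0142",
    "street": "12 Harbour Lane",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, image). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: equal passwords get different images
    image = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, image


def verify_password(password: str, salt: bytes, image: bytes) -> bool:
    """Recompute the image from the login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, image)


def derived_from_record(password: str, record: dict) -> bool:
    """True if the password is built from the user's own record fields.

    This is the class of password the 1978 study found easy to guess, so it is
    refused when the password is set, before any image is stored.
    """
    norm = re.sub(r"[^a-z0-9]", "", password.lower())
    tokens = set()
    for value in record.values():
        # Words and numbers of three or more characters from each field.
        for tok in re.findall(r"[a-z0-9]+", value.lower()):
            if len(tok) >= 3:
                tokens.add(tok)
        # The field's digits run together, e.g. a phone number without dashes.
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:
            tokens.add(digits)
    # Check each token forwards and reversed.
    return any(tok in norm or tok[::-1] in norm for tok in tokens)


def set_password(record: dict, password: str) -> Tuple[bytes, bytes]:
    """Refuse record-derived passwords; otherwise return the (salt, image) to store."""
    if derived_from_record(password, record):
        raise ValueError("password is derived from the user's own record")
    return hash_password(password)


if __name__ == "__main__":
    salt, image = set_password(SAMPLE_RECORD, "correct-horse-battery")
    print("stored image:", image.hex())
    print("login ok:", verify_password("correct-horse-battery", salt, image))
    print("flagged:", derived_from_record("Smith5550142!", SAMPLE_RECORD))
```

A reader of the stored file sees only the salt and the image, but the image protects nothing if the password itself can be reconstructed from the user record, which is why the check runs at set time.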
RSA Public-key Cryptosystem (1978).
The RSA public-key cryptosystem is the oldest unbroken one of its kind that provides both confidentiality and authentication. It is based on the difficulty of determining the prime factors of a very large number as used in the secret code. RSA provided a quasi-standard in the emerging field of computer cryptography.
Electronic Cash (1978).
As businesses moved onto the Internet, the means to pay for services or goods did as well. Electronic cash is one way to accomplish this. It cannot be easily created, it is anonymous, and it cannot be duplicated without detection. The protection and security of "e-cash" became yet another concern of security professionals; it continues to be a major issue.
Domain Naming System of the Internet (1983).
As the ARPANET grew, the number of computer devices became large enough to make maintaining and distributing a file of their addresses unwieldy, and the network maintainers developed a system to enable quick, simple name lookups. The Directory Name Server (DNS) dynamically updated its database of name and address associations, and became yet another target for hackers and "spoofers."
Computer Viruses Acknowledged as a Problem (1984).
Computer viruses are deceptive software programs that can cause damage to a computer device, most notably an individual PC. The challenges of such malicious code were first formally recognized in a study published in 1984. Coupled with growing network capabilities, viruses became a serious threat to computer security practitioners and individual users.
Novel Password Schemes (1985).
By the mid-1980s, many alternatives to reusable user passwords were being explored in order to circumvent the weakness of easily guessed configurations. Callback modems relied on the authentic user being at a fixed location. Challenge-response systems allowed the authentic user to generate personalized responses to challenges issued by the system. Password tokens are smart cards that generate a new password with each use. Each of these alternatives attempted to strengthen the basic password scheme.
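A minimal sketch of the challenge-response idea described above, as an added example that is not part of the original article. The article does not specify how responses are computed; HMAC-SHA256 over a random, single-use challenge is an assumption, as are the class and function names.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(key: bytes, user: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the key without ever sending it."""
    return hmac.new(key, user.encode("utf-8") + b"\x00" + challenge,
                    hashlib.sha256).digest()


class ChallengeResponseServer:
    """Server side: issues random challenges and checks the responses."""

    def __init__(self, user_keys: dict, ttl_seconds: float = 30.0):
        self._keys = dict(user_keys)   # user -> shared secret key
        self._ttl = ttl_seconds
        self._pending = {}             # challenge -> (user, time issued)

    def issue_challenge(self, user: str, now: float = None) -> bytes:
        now = time.monotonic() if now is None else now
        challenge = secrets.token_bytes(16)  # unpredictable, never repeated
        self._pending[challenge] = (user, now)
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes,
               now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        # pop() makes every challenge single-use, even after a failed attempt,
        # so a captured response cannot be replayed.
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return False
        issued_to, issued_at = entry
        if issued_to != user or now - issued_at > self._ttl:
            return False
        key = self._keys.get(user)
        if key is None:
            return False
        expected = compute_response(key, user, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demonstration
    server = ChallengeResponseServer({"alice": key})
    challenge = server.issue_challenge("alice")
    response = compute_response(key, "alice", challenge)
    print("first use accepted:", server.verify("alice", challenge, response))
    print("replay accepted:", server.verify("alice", challenge, response))
```

Unlike a reusable password, the value that crosses the network is different for every login, so observing one exchange does not help with the next.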
Distributed Authentication (1988).
Authentication servers are computer devices that allow users and system processes to authenticate themselves on any system using one set of data. The data can be updated globally, and the server can pass proof of identity back to the user or process. This proof can be passed to other servers and clients and used as a basis for access control or authorization. Given the advance in distributing computing power both geographically and across platforms (servers), this advancement allowed security to keep pace with these new configurations.
Internet Worm (1988).
The Internet worm was the first large-scale attack against computers connected to the Internet. Unlike a virus, it transmitted itself actively through Internet connections. Within hours, it invaded between 3,000 and 6,000 hosts, between five percent and ten percent of the Internet at the time, taking them out of service for several days. It caused much consternation and anger, and highlighted a vulnerability of large networks.
PGP (1989); PEM (1989).
Electronic mail lacks protection against forgery, alteration, and interception. Privacy-enhanced Electronic Mail (PEM) and Pretty Good Privacy (PGP) provide all these services. As the Internet grew, so did the demand for these security services to help ensure user authentication and protection.
Anonymous Reposting Servers (1990).
These computer servers obscure the identity of the poster or sender by substituting a random string for the sender's name. Some retain the association between sender and random string internally to facilitate reply messages. These services make tracing the original user nearly impossible.
Wily Hacker Attack (1986) and Book (1992).
An attacker (hacker) intruded into computers at Lawrence Berkeley Laboratory, apparently looking for secret information. Cliff Stoll, an astronomer turned system administrator, detected the attacker from a seventy-five cent accounting discrepancy. Using a variety of techniques, Stoll helped authorities arrest the attacker, who was being paid by a foreign government. This event helped highlight the vulnerability of all systems and the need for widespread computer security.
Network Sniffing; Packet Spoofing; Firewalls (1993).
Internet protocols were designed on the assumption that no one could access the actual wires and listen to the packets of data. In recent years, attackers have hooked up computers to do just that. These methods of "sniffing" have been used to detect passwords. The attackers also engage in "spoofing," or using the same computers to transmit their own packets, with false identification fields, as a way of gaining access to systems. Firewalls are routers that attempt to filter out these "spoofed" packets. Sniffing and spoofing became key security concerns as the Internet grew.
Java Security Problems (1996).
Java is a language for writing small applications, called applets, that can be downloaded from an Internet server and executed locally by a Java interpreter attached to the browser. The design goal is that the interpreter be highly confined so that Trojan horses and viruses cannot be transmitted; that goal has yet to be met. Java has had several security problems related to malicious applet designers reading, altering, and deleting information supposedly outside the constrained environment.
Concerns about computer security will grow as computer system capabilities increase. Hackers eager to beat a new security challenge, as well as unauthorized users intent on accessing data for criminal or malicious purposes, will continue trying to circumvent security protocols designed to protect data, equipment, and users from their efforts.
see also Association for Computing Machinery; Ethics; Privacy.
Russell, Deborah, and G. T. Gangemi Sr. Computer Security Basics, rev. ed. Sebastopol, CA: O'Reilly & Associates, 1992.
se·cu·ri·ty /siˈkyoŏritē/ • n. (pl. -ties) 1. the state of being free from danger or threat: the system is designed to provide maximum security against toxic spills | job security. ∎ the safety of a state or organization against criminal activity such as terrorism, theft, or espionage: a matter of national security. ∎ procedures followed or measures taken to ensure such safety: amid tight security the presidents met in the Colombian resort. ∎ the state of feeling safe, stable, and free from fear or anxiety: this man could give the emotional security she needed. 2. a private police force that guards a building, campus, park, etc. 3. a thing deposited or pledged as a guarantee of the fulfillment of an undertaking or the repayment of a loan, to be forfeited in case of default. 4. (often securities) a certificate attesting credit, the ownership of stocks or bonds, or the right to ownership connected with tradable derivatives. PHRASES: on security of something using something as a guarantee.
Security Service official name for MI5.
Protection; assurance; indemnification.
The term security is usually applied to a deposit, lien, or mortgage voluntarily given by a debtor to a creditor to guarantee payment of a debt. Security furnishes the creditor with a resource to be sold or possessed in case of the debtor's failure to meet his or her financial obligation. In addition, a person who becomes a surety for another is sometimes referred to as a "security."