Originally published 2012-06-14
Information security has to move beyond its traditional concepts if it is to cater to the special demands of governance. Knowledge is for cutting. For long, it has been in the hands of the bureaucrats. It's time that we snatch it.
Transforming information and security
Archaeology and history are like twin brothers in a Bollywood potboiler. No one really knows for sure who Ram is and who's Shyam. Maverick French philosopher and sociologist Michel Foucault complicated this neat relationship by digging up a long-lost brother called Knowledge. In his book The Archaeology of Knowledge, Foucault, who famously suffered 50-odd fractures during his pitched battles with the French police on the streets of Paris during that tumultuous 70s show of free love, world peace and abundant marijuana, focused the spotlight on the relationships of power and the creation of what eventually gets referred to as knowledge. In saying that knowledge is not for knowing, but for cutting, Foucault forever changed the conventional understanding of information and knowledge.

Foucault couldn't have imagined that his 40-year-old insight would end up having more relevance today, when access to the right information and knowledge is the difference between good governance and the lack of it. Technology, particularly Information Technology, is like an iceberg. What's discussed and debated is what's visible. And what's visible is the engineering, software, hardware, applications and computing systems. But it's what's not visible that has the potential to transform the existing relationships of power and the creation of what could constitute the next generation of knowledge. The hidden part of the iceberg is the mode and manner in which the complex power relationships of a society mould the adoption and adaptation of technologies, imbuing them with a value which then transforms not just the technology but the very relationships of power that influenced it. Technology has the potential to empower and, ironically, also to disempower. Only when technology intersects with a social logic can its empowering potential be fully understood and exploited.

Information Security is bedevilled by the iceberg effect. Most discussions are about new protocols, authentication techniques, standards and advances in encryption. No doubt they are important, especially when sensitive personal, business and government information is increasingly stored and accessed on digital platforms. But then, as Foucault might say, information has never been about informing. The moment one sets out to secure it with the explicit purpose of restricting its accessibility, information enters the realm of power and its curious dynamics. In such a scenario, to conceptualise Information Security as a purely technical issue is not only simplistic but inaccurate. To reconceptualise Information Security through the prism of good governance is therefore both a challenge and an opportunity.

The basic premise of Information Security is simple. It starts with the truism that every piece of information has the potential to be important. Information deemed important by a person, group of people, institution, company or government needs to be secured, for two reasons. Firstly, the information being secured must not be accessible to anyone deemed inimical either to the person/group/institution/company/government that owns it or to the information itself. Secondly, the secured information should remain easily accessible to its owner, in the manner and at the time of the owner's choosing. The key conventional concepts of Information Security that have evolved over time have this simple premise as their foundation.

The first concept is Confidentiality, the C of what practitioners call the CIA triad (Confidentiality, Integrity, Availability); the acronym has nothing to do with the Central Intelligence Agency, even though keeping lines of communication secret has always been the core business of intelligence agencies. Confidentiality is the core principle of Information Security and denotes the ability of a system to prevent the disclosure of information to whatever the system defines as unauthorised individuals or systems. The best example of confidentiality at work is an Internet transaction that requires a credit or debit card number. Typically the buyer's card number is transmitted to the merchant and from the merchant to a processing network, usually a payment gateway. Confidentiality in such a system is enforced by three methods:

  1. Encrypting the card number during transmission
  2. Limiting its trail by restricting the number's storage in databases, log files, backups and printed receipts
  3. Restricting access to wherever the number is actually stored.

If any of the three controls fails and the number reaches someone not authorised to see it, that is a breach of confidentiality. In practice the second control is the one most often neglected: a number that is encrypted on the wire and locked down in the database still leaks if it is written in clear text to an application log or a debugging trace.

The second concept, Integrity, is somewhat contested and over the years its definition, scale and scope have expanded. But it is generally accepted that the concept rests on the principle that data in transit and data at rest cannot be modified without authorisation, and that any unauthorised modification is detectable and traceable. The simplest way to understand it is that when you send a mail to someone, integrity ensures that the content of the mail has not been altered in transit, or that the recipient can tell if it has.

The third concept, Availability, is not contested at all. It is the simple principle of making information available when it is needed, and it is precisely this concept that sits at the core of business continuity. In short, there should be adequate processing power, software and hardware, power redundancy to deal with outages, and security systems to withstand denial-of-service attacks. Underlying this concept is the principle of customer focus and satisfaction.

The fourth concept is Authenticity. The basic principle is that when two or more parties conduct a transaction, each must have a way of establishing that the other is exactly who they claim to be. It is a mechanism to validate that data, transactions, communications and documents, including electronic documents, are genuine.

The fifth concept is Non-repudiation. This is a critical component of e-commerce. It ensures that one party to a transaction cannot deny having sent it, nor can the other party deny having received it. Digital signatures, built on public-key cryptography, are the standard mechanism for both authentication and non-repudiation. The distinction matters: a message authentication code computed with a secret shared by both parties proves authenticity and integrity between them, but it cannot provide non-repudiation, because either holder of the shared key could have produced it. A digital signature can only be created by the holder of the private key, and anyone with the corresponding public key, including a neutral third party, can verify it.
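The contrast between the integrity, authenticity and non-repudiation concepts above can be made concrete. The Go program below is an added example, not code from the original article: a buyer sends a constructed purchase order to a merchant, first protected with an HMAC under a key both parties share, then signed with the buyer's Ed25519 private key. Both mechanisms detect a tampered order; only the signature stops the merchant from fabricating a valid-looking order the buyer never sent. The message and party names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed purchase order and a tampered copy with the total altered.
var (
	order    = []byte("order=7781 item=widget qty=2 total=1200 currency=INR")
	tampered = []byte("order=7781 item=widget qty=2 total=12 currency=INR")
)

// macTag computes HMAC-SHA256 over msg under a key shared by both parties.
func macTag(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// macVerify recomputes the tag and compares in constant time.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(tag, macTag(key, msg))
}

// party holds an Ed25519 key pair; the private half never leaves its owner.
type party struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newParty() party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{pub, priv}
}

// Result records what each mechanism does and does not guarantee.
type Result struct {
	SigValid        bool // buyer's signature on the real order verifies
	TamperDetected  bool // MAC and signature both reject the altered order
	MacForgedByPeer bool // merchant produced a verifying tag: MAC gives no non-repudiation
	SigForgedByPeer bool // merchant produced a signature verifying under the buyer's key
}

// Demo runs the exchange and returns which guarantees held.
func Demo() Result {
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		panic(err)
	}
	buyer, merchant := newParty(), newParty()

	// Integrity and authenticity between the two key holders: the buyer tags
	// the order, the merchant verifies; any change to the bytes is detected.
	tag := macTag(shared, order)
	sig := ed25519.Sign(buyer.priv, order)
	macOK := macVerify(shared, order, tag) && !macVerify(shared, tampered, tag)
	sigOK := ed25519.Verify(buyer.pub, order, sig) && !ed25519.Verify(buyer.pub, tampered, sig)

	// No non-repudiation from the MAC: the merchant holds the same key and can
	// tag any message, so the buyer can plausibly deny having sent the order.
	merchantTag := macTag(shared, tampered)

	// Non-repudiation from the signature: the merchant's own key cannot produce
	// a signature that verifies under the buyer's public key.
	merchantSig := ed25519.Sign(merchant.priv, tampered)

	return Result{
		SigValid:        ed25519.Verify(buyer.pub, order, sig),
		TamperDetected:  macOK && sigOK,
		MacForgedByPeer: macVerify(shared, tampered, merchantTag),
		SigForgedByPeer: ed25519.Verify(buyer.pub, tampered, merchantSig),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

In a dispute, the merchant can present the signed order together with the buyer's public key to a third party; a MAC tag proves nothing to anyone outside the pair, which is why e-commerce and e-governance systems that need accountability rely on signatures rather than shared secrets.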

These concepts are the core pillars of Information Security today. Together they have created an ecosystem for digital commerce and business transactions. Take a single concept out of the equation and the entire electronic transaction economy collapses. That is the importance of Information Security. Everything from risk management, asset management and security policy to the assessment and evaluation of threats and vulnerabilities, from worms and trojans to viruses, depends on these concepts.

But governance is a different kettle of fish. Of course, like digital commerce, there are secure financial and non-financial transactions, data exchanges and mandatory identity profiling in governance-driven dealings. But the eventual outcome of a governance-based transaction is completely different. Governance is moving away from a framework focusing exclusively on compliance to one of an on-demand public utility. People expect governance systems and institutions to simplify their lives. Most of their expectations, and consequently expected outcomes, are non-financial in nature and are of service orientation. To borrow a terminology from cloud computing, governance is turning into a Delivery as a Service (DaaS) model. Governance is no longer an on-premises compliance matrix. It’s becoming a decentralised customer-service system.

This is an intellectual and a real challenge for Information Security. It has to move beyond its five basic concepts. There are several new principles that it seriously needs to consider in order to integrate itself with the demands of the DaaS model. Organisations like the OECD and the US-based National Institute of Standards and Technology (NIST) have already defined these in detail. The OECD's 2002 Guidelines for the Security of Information Systems and Networks set out nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. NIST Special Publication 800-27 Rev. A lists 33 engineering principles for IT security. (For those keen on reading more, see http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf.)

Today, relevant information that people like you and me require often does not reach us because of several roadblocks. Some of them are created inadvertently, but most are created by a bureaucracy fearful of an empowered community. Only when information circulates freely among the members of a community over a period of time does it acquire the contours of knowledge. The transformation of information into knowledge is a long and painful process in which a collective, subjective and constantly changing set of values interprets the information and makes common sense out of it. Quite obviously, the bureaucracy does not want such a knowledge system to develop, because it would take away its means and modes of exercising power over us: think of being asked to have three copies of a government-issued smart card attested by a gazetted officer as proof of identity.

The Information Security community, sadly, has worn blinkers on this issue until now. It needs to get out of its comfort zone and start re-evaluating its fundamental principles to include the other concepts necessary for an open and transparent governance system. If it does not, there is every chance that the Information Security systems deployed for e- and m-governance initiatives will turn out to be one 'more lever of power' for the bureaucracy to mediate our access to 'our own' information. Foucault was absolutely bang-on. Knowledge is for cutting. For long, it has been in the hands of the bureaucrats. It's time that we snatch it.

(R. Swaminathan is a Visiting Fellow at Observer Research Foundation. He is also a Fellow at National Internet Exchange of India.)

The views expressed above belong to the author(s).