Security enables trust; trust enables security. It is a dichotomy.
When I was teaching Learning Tree’s System and Network Security Introduction, an online participant asked my opinion on the FBI-Apple case (the FBI hadn’t dropped it yet). We discussed some of the issues, and the conversation quickly turned to trust. We both agreed that the issue of trust was critical to the discussion.
I subsequently did some Googling about trust and security. I learned two things: trust is the basis for security, and security is the basis for trust. Both are right (mostly).
A few years ago Bruce Schneier said in an interview, “Security exists to facilitate trust. Trust is the goal, and security is how we enable it.” That makes sense. If we think about why we bother to have cyber security at all, it is because of trust. The example I use in the introduction to security course is this:
I bought dinner last night with a credit card. I do not know the restaurateur personally, and he does not know me. Because we each trust the credit card company, I can eat dinner, and he can get paid.
That is an example of what we call “third-party trust.” The credit card company acts as a trusted third party. We trust them because we believe they are secure. Likewise, if I wanted to send money to a friend in England, it would likely be done via the Society for Worldwide Interbank Financial Telecommunication (SWIFT). They manage the confidentiality and integrity of those transactions. In other words, security facilitates the trust. But we have to trust the intermediaries, or at least their security, or neither scenario would work. Or would it?
Most readers have heard of Bitcoin. Bitcoin uses a technology that does not require trust of the parties transmitting or receiving money. Instead, users trust the mathematics of encryption. According to an article on Squarespace.com referring to parties using Bitcoin, “while they lack trust they are able to interact using a payment instrument that relies on cryptographic security rather than legal protection. Bitcoin can act as a trust replacement and can enable efficient markets in the most untrustworthy environments.” The specific technology used is called a “blockchain.” It is a bit complex to get into here, but basically, it is a distributed database that keeps track of transactions. It is used in more applications than just Bitcoin, and you can learn a bit more on Wikipedia. “Blockchains” allow us to work in untrusted environments (even those with significant distrust!).
So, now we’re back to the dichotomy – whom do you trust? The answer may even be “nobody,” if you trust encryption. But then that’s security enabling trust, or maybe the trust in security enabling trust. Or something like that. It can be circular, and that’s kind of why it’s fun.
Who do you trust?