In the olden days, like 1988, I had an idea: What would happen if we Weaponized computers, networks and the internet (such as they were at the time)? Right after I wrote Terminal Comprise (subsequently renamed Pearl Harbor Dot Com, the basis for Die Hard IV) to flush out the ideas in a fictional format, I testified before Congress and told them unless we took drastic pre-emptive defensive steps, the likelihood of an Electronic Pearl Harbor increased. I was labeled Chicken Little.
In my follow-up non-fiction book, Information Warfare, I formalized my taxonomy model. Class I Information Warfare: privacy, massive identity theft and surveillance. Class II Information Warfare: unrestricted corporate and national espionage. Class III Information Warfare, out-and-out cyber-conflicts between nation states and the emergence of powerful cyberterrorism capabilities. Unfortunately, I was right.
In 1995, after various intelligence agencies stopped coming by the house, and the UK un-banned my book, a series of napkin sketches in Warsaw became the genesis for my next published work, Time-Based Security. But I was not satisfied. I wanted a more comprehensive solution. On the beaches Perth I asked myself some questions:
What if…
- Security can be quantified? Actually measured?
- Security Vendors can be measurably compared and held to account?
- We can solve Phishing… Spam… data exfiltration…DoS… Fake News…and more?
- Security can be mathematically justified?
- We’ve just been looking at security in the wrong way?
What if there is a provable way to win the CyberWars?
I think I’ve got a way.