The world of computing is not new, but our exposure to it is. In the series introduction, we explore the origins of digital computing and the nature of our modern predicament.
19 JUL 2024
Edward von der Schmidt
Coined by Norbert Wiener, a distinguished mathematician interested in feedback, the word cybernetics comes from Greek and means “steersman, or helmsman, or pilot” (1). This is unfortunately lost in today’s cyber, an ambiguous term invoking something to do with computers that probably calls for the attention of someone else. This scope is far too limiting. Cyber really extends to and beyond all things digital – anything that can be represented by numbers. Computers and the code they run (instructions and data) (2) are themselves part of a constellation of information systems that include us and define our world.
Representing things numerically and using integrated electronic circuits or chips to wield numbers near the speed of light (with only a small set of basic instructions, arithmetic, and logic) gave rise to modern computing. Digitally encoding or translating information has changed the ways in which we communicate, learn, and connect, transforming our societies and what we are capable of. Without proper context or reference, ‘cyber’ can be dismissed too readily. In reality, digital computing is everywhere, along with the data we process.
Brian Kernighan emphasizes this: digital is universal (3). We have a universal language to represent discrete information (binary, or 0s and 1s). We have universal digital processors that can follow simple but comprehensive instructions to recognize, interpret, and manipulate symbols whose meaning is arbitrary until defined by context. The Internet is a universal network that can transport choice digital information from one computer to any other. Finally, digital processors and systems are universally available. The smartphone in your bag, pocket, or hand is not only a gateway into your life but also a connected, universal machine, capable of interacting with and being accessed by any other computer in the world – or simply one nearby.
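To make that universality concrete, here is a minimal sketch in C (the byte value and labels are illustrative choices of ours, not drawn from any source) showing how one and the same bit pattern is read as a number, a character, or a truth value depending entirely on context.

```c
#include <stdio.h>

int main(void) {
    unsigned char bits = 0x41;    /* the bit pattern 01000001 */

    printf("as a number:       %d\n", bits);                      /* 65 */
    printf("as a character:    %c\n", bits);                      /* 'A' under ASCII */
    printf("as a truth value:  %s\n", bits ? "true" : "false");   /* non-zero, so true */
    return 0;
}
```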
Arbitrary representation in binary comprises a powerful, generalized mechanism for encoding and manipulating information. We have implemented and integrated these machines to astounding effect, as we have the data that these systems sense, process, record, and transmit. Communities, customs, laws, and institutions have not kept pace with the repercussions of our digital innovation, leaving us with complicated challenges that implicate fundamental rights. The software and systems we rely on to orchestrate digital processing may not be visible or possible to touch, but the ultimate consequences of their use or misuse are every bit as real. These issues will not resolve themselves, at least not favorably – we need to learn, understand, and navigate them together.
The Machine
How did digital computing come about in the first place? Computers are not new – the term once referred to people tasked with manual calculation. Many have long sought easier and faster ways to deal with figures, especially as they relate to conflict and commerce. Decades after the invention of the Jacquard loom, which could weave patterns according to prearranged cards and left many without work, Ada Lovelace arguably established herself as the first programmer when she thoroughly detailed Charles Babbage’s proposed “Analytical Engine” (4). She composed her analysis a century before digital computers even existed.
While Wiener and others worked on mechanical computers such as MIT’s differential analyzer, Kurt Gödel demonstrated in 1931 that consistent formal systems of logic were necessarily incomplete. Not every statement that arises from a particular set of axioms and rules can be proven or disproven without introducing contradictions that allow for both – to be and not to be, as it were. Published two years before the Nazi purge of Göttingen, Gödel’s discovery quelled the ambition of logical formalism, which had envisioned a general mechanism to produce all valid theorems (5).
These incompleteness theorems were profound. As Hal Prince notes, “Gödel helped show that the world was not as tidy and predictable as someone at the beginning of the century might have had reason to believe” (6). Confined to a fixed system of logic, provability and truth could not be made to coincide: some true statements admit no proof within the system. To make this claim, Gödel leveraged Cantor’s theory of sets and employed an abstract grammar formalized by Alfred Tarski, recursion (i.e. defining each new expression in terms of those already established), to iteratively define unique numbers that could stand in for logical statements or propositions.
Building upon Gödel’s theorems and numerical representation, a young Alan Turing proved in 1936 that consistent formal systems of logic were not just incomplete but also undecidable (7) – you could not determine from the axioms and rules of inference alone whether a given theorem was even provable or disprovable. Turing’s results might not have been published absent the considerable influence of Max Newman, who was struck by Turing’s ingenuity in solving what had once been considered an ‘unsolvable problem’ (8). Turing had worked independently but was not first past the post; Alonzo Church and Stephen Kleene used a different approach to arrive at the same place (9).
Turing’s path was unique: he defined a theoretical machine that could actually perform the logical steps required in his proof, replete with instructions for it to operate on its own by proceeding from one configuration or state to the next. He based the machine on simple tasks that required little thought and in principle could be done by a person with a pencil. Scan one symbol square at a time and follow the appropriate instruction. Move along a line to another square. Write a mark or erase it. Incredibly, “through combinations of these simple operations, the Turing Machine can perform any computation that can be done on modern digital computers” (10). Succinctly, “Computable Numbers had come up with a precise, mathematical definition of the concept of ‘machine’” (11). Turing gave us a mechanism to meaningfully engage with logical abstraction in a manner that had not been possible.
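As an illustration only (a toy, not Turing’s own construction), the C sketch below mechanizes exactly those operations: scan the current square, write according to a fixed instruction table, move, and repeat until the machine halts. Here the entire table is “flip 0s and 1s, moving right; halt on a blank”, and the tape contents are arbitrary.

```c
#include <stdio.h>
#include <string.h>

#define TAPE_LEN 32
#define BLANK    '_'

int main(void) {
    char tape[TAPE_LEN];
    memset(tape, BLANK, TAPE_LEN);
    memcpy(tape, "0110", 4);                /* initial marks on the tape */

    int head = 0;                           /* the square currently scanned */
    enum { FLIP, HALT } state = FLIP;       /* the machine's configuration */

    while (state != HALT && head < TAPE_LEN) {
        char symbol = tape[head];           /* scan one square at a time */
        if (symbol == '0')      { tape[head] = '1'; head++; }   /* write, move right */
        else if (symbol == '1') { tape[head] = '0'; head++; }   /* write, move right */
        else                    { state = HALT; }               /* blank square: stop */
    }

    printf("%.*s\n", TAPE_LEN, tape);       /* prints 1001 followed by blanks */
    return 0;
}
```

The table above has a single state; what made Turing’s machine universal was that the instruction table of any other machine could itself be written onto the tape and interpreted.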
Apart from memory and speed, Turing showed that all digital computers are equivalent. These universal machines – constructed to handle any computable or recursively definable number to any chosen degree of precision – ultimately required only two symbols. There is power in this duality: arbitrary meaning can be assigned to 0 and 1 when taken logically and may be reduced to empty or non-empty, equivalent or not. The same 0 or 1 could be a number, an evaluation (true or false), or any other element of a complete, mutually exclusive pair. With apologies to Konrad Zuse, who independently produced designs for a digital computer before Turing’s paper and even built the first such automatic computer (12), the universal digital computer remained theoretical. A singular thesis changed its course.
Written by Claude Shannon in 1937 and published the following year, “A Symbolic Analysis of Relay and Switching Circuits” laid the foundations of digital circuit design. In it, Shannon described how symbols and simple operations could be physically realized through open and closed circuits. Familiar electronic relays and switches could be used to transmit and receive messages in binary and to model propositional logic by means of voltages or currents. Existing ideas and technologies from telecommunications could thus be employed to bring the universal machine to fruition. A colleague of Shannon’s suggested that the 0s and 1s that signaled information be called binary digits, or bits (13), a term that debuted in “A Mathematical Theory of Communication” (1948). Bits of digital information were exactly what could be processed by a digital computer.
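A hedged sketch of the core idea (the function names are ours, chosen for the example): model a closed switch as 1 and an open switch as 0. Two switches wired in series pass current only when both are closed, while two in parallel pass current when either is closed – the logical AND and OR.

```c
#include <stdio.h>

/* 1 = switch closed (current flows), 0 = switch open */
int series(int a, int b)   { return a && b; }   /* both must be closed: AND */
int parallel(int a, int b) { return a || b; }   /* either may be closed: OR */

int main(void) {
    for (int a = 0; a <= 1; a++)
        for (int b = 0; b <= 1; b++)
            printf("a=%d b=%d  series(AND)=%d  parallel(OR)=%d\n",
                   a, b, series(a, b), parallel(a, b));
    return 0;
}
```

With a normally closed relay contact supplying negation, such series and parallel arrangements suffice to realize any propositional formula.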
The manner in which Turing and Shannon met reminds us that such achievements did not occur in a vacuum but were accelerated by the demands of war. Secretly tasked with cracking German encryption ciphers at Bletchley Park (a fact that would go unheralded for thirty years), Turing was sent on a classified trip to Bell Telephone Laboratories in New York in 1943; his visit was approved directly by the White House (14). Turing met Shannon at Bell Labs and, among other research, he learned about progress in speech encryption projects including ‘Project X’, which converted audio waveforms into discrete values before manipulating them to produce the “equivalent of a one-time pad system for speech” (15). This allowed for confidential transatlantic calls between the US and UK, without fear of interception, at the height of World War II. At the dawn of digital computing, privacy was paramount.
Our Machines
Generations of inventive engineering endowed these abstract constructs with literal form. The first automatic digital computers of the mid-20th century spanned entire warehouse floors and used punched cards to store and run programs; there were no high-resolution displays. The invention of the transistor at Bell Labs in 1947 introduced semiconductor amplifiers and solid-state electronics (16), beginning an inexorable march toward smaller and faster hardware. Concurrent with the debut of the integrated circuit, IC, or chip (which soon prompted Moore’s Law), Martin Davis built on the work of Turing, Kleene, and others to publish a formal treatment of computability and unsolvability in 1958. With it, Davis more firmly established the foundations of theoretical computing and paved the way for rapid advances in programming and software.
As newly imagined uses for digital processors emerged, the need to automate the allocation of pooled resources grew. In 1969, Bell Labs’ Ken Thompson and Dennis Ritchie borrowed ideas from the Compatible Time-Sharing System (CTSS), developed in 1961, to build the first version of Unix (17), the predecessor to Linux and other so-called *nix variants (e.g. macOS) used by the vast majority of our devices today. Early on, Unix transitioned from being written in assembly code (direct, human-intelligible instructions one step removed from machine 0s and 1s) to high-level C (a human-readable systems programming language further removed from the hardware).
Although C needed to be compiled (translated into binary code that a machine can understand), it was portable – a program written in the language and its standard library could be compiled to run consistently on different hardware platforms. Operating systems were no longer tied to the specific hardware running them. Moreover, programs written in C could be compiled to run on any operating system where the language and standard library were available. C remains the lingua franca of hardware and systems programming and was used extensively in developing computer vision (18).
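As a small illustration of that portability (a sketch assuming a standard C toolchain, e.g. `cc portable.c -o portable`), the program below relies only on the C standard library, so the same source compiles and runs unchanged on Linux, macOS, or Windows.

```c
#include <stdio.h>
#include <time.h>

int main(void) {
    time_t now = time(NULL);    /* the same standard-library call on every platform */
    printf("Hello from a portable C program.\n");
    printf("Calendar time as an integer: %lld\n", (long long)now);
    return 0;
}
```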
The golden age of Unix at Bell Labs, with its spirit of global collaboration and technical rigor, slowly faded in the 1980s. Commercial licensing came into force, competitors emerged, and lawsuits proliferated. Meanwhile, hardware and operating system concerns gave way to memory technology and faster chip processing as the focus of attention. We increasingly shifted toward graphical applications and large-scale data aggregation. The physical constraints of early computing abated, the costs of data storage plummeted, and broader digitization accelerated in earnest. Developers sought to implement more demanding algorithms or idealized processes (19) to take advantage of constantly improving capabilities. Our collective preoccupation shifted almost exclusively toward applications and, more insidiously, data collection.
Then the machine came home. Growth in personal computing dovetailed with the dawn of the World Wide Web in the early 1990s, giving rise to a new cohort, the digital consumer, and the dot-com mania that followed. We moved our shopping and correspondence online, oblivious to architectural and programming risks that lingered where we did not care to look. Our connections, communications, and experiences became increasingly digital, encouraged by greater bandwidth and transfer rates that allowed us to share and consume more on exponentially more powerful devices.
Wireless technologies followed suit, removing the need to be tethered to any one place. Laptops and smartphones gave us the power of Turing’s universal machine on the go. Before long, we threw caution to the wind and put chips and transceivers in everything – even devices in our bathrooms and bedrooms – to fill out our so-called Internet-of-Things (IoT). Apart from empty marketing assertions that we accepted at face value, security considerations were out of sight and out of mind. No one could be allowed to do anything that bad anyway, right?
Incentives
We use digital technologies as-is – take it or leave it. Companies are not legally responsible for what we do with their hardware or software, nor are they legally responsible for what their hardware or software does to us. They are simply not required to secure what is offered. This greatly reduces any motivation to keep us safe from defects, malice, and other harms if addressing them would entail any cost to the vendor, particularly when other disincentives might prevail.
In effect, our devices and software are defective when sold. Apropos, an especially harmful fallacy is that they are secure by default. This assumption is catastrophic – they are not. Most consumer devices ship without critical security features enabled. There is almost nothing easier to hack (i.e., to assert control of a system, usually without authorization) than a device that is fresh out of the box, especially if you immediately connect to the Internet to update your OS. As a regular person, you cannot fully secure an Internet-exposed device, whether directly connected or not. If your device has a radio (Bluetooth, Wi-Fi, NFC, etc.), it is Internet-exposed. Most of our digital devices have one. When push comes to shove, airplane mode will only apply to you.
To make matters worse, computers broadcast their presence and availability to any and all local devices. They are designed to connect easily. These are universal machines speaking a universal language with access to a universal network. You can only make it marginally more difficult to exploit them, monitor their activity, and hope you are not worth the trouble. Once your computer is compromised, all of its capabilities and data will soon belong to someone else.
If you do attempt to harden or secure your digital environment (you certainly should, lest you be judged negligent), there are still countless ways for others to effectively gain controlling access to your various machines – from virtually anywhere. If the incentives are great enough, it only takes a well-resourced adversary and a momentary lapse. Much of this is or can be automated. If you believe your password will save you, remember that your device is typically unlocked while you are using it. Then know how easy it is for another computer to crack and bypass password mechanisms (20). Alternatively, social engineering can use an abundance of publicly available information to make more educated guesses and light work of breaking in. If your only personal defense is security by obscurity (viz. you have no defense apart from what the OS gives you by default and hope to be or remain hidden), know that an operator will have no difficulty finding you and gaining access.
Most of the technology we pay for is also licensed. Vendors exclusively retain all significant rights, and licensees pay to make use of goods and services for a given interval, without ownership. Companies understandably prefer recurring revenue over one-off sales, a trend exhibited by the transition to subscription models. Tools and services for cybersecurity (which is just security) are a lucrative revenue stream, particularly when few see much need to understand digital risks themselves. Why ship secure equipment and software when people and businesses will make recurring payments for this privilege? Why fix what you left broken for free?
Despite marketing assurances of privacy and security, the actual terms we agree to in mandatory EULAs (End-User License Agreements) make no representations or warranties and disclaim any and all responsibility for hacking and its parade of synonyms; they usually mandate arbitration to resolve disputes. Marketing claims of privacy and security are also qualified – your devices could be secure if you had access to the knowledge and resources to make them so. These claims are worthless. Unless you are a company with dedicated teams handling this on your behalf, you probably cannot and will not. Even if such assurances are egregiously untrue, they will be protected by the courts as “non-actionable corporate puffery” (21). Translation: “not a big deal to us”.
We are on our own. If someone else does anything untoward to your device or with control of it, you, and no one else, will be held responsible for the consequences. Attribution consistent with evidentiary standards will be impossible to obtain for most, especially in a world of spoofing and proxies that hide true IP (Internet Protocol) addresses. It is easy to dismiss such concerns by telling ourselves that we are not important enough for crime to happen to. If that were the case, one could argue that we are not important enough to find help, either. Many hacking incentives have little to do with us. Criminals impersonally target unassuming victims for many reasons, including lateral movement, botnets, identity theft, crypto-jacking, and illicit data laundering.
When you have enmeshed, interoperable systems that lack effective access control, whether or not your communications and activity will be intercepted, recorded, or otherwise manipulated is a function of incentive and opportunity; the former need not be financial. Who would have reason to access or manipulate your devices and information? What is stopping them, if anything? These lines of inquiry warrant more than a passing thought.
The answer to the last question is very little. Public understanding of information technology is lacking, along with the impetus to enforce acceptable behavior and boundaries; we are numb to breaches. Standards and laws are scant and exist to benefit businesses. Law enforcement resources are scarce. The law’s familiarity with digital computing and its possibilities leaves very much to be desired; arbitrary distinctions that erode constitutional safeguards certainly do not help (22).
The lack of suitable protections has become increasingly problematic in our connected world. Any number of incentives and means exist to pursue information without authorization. For regular people, satisfying the CIA triad (Confidentiality, Integrity, Availability) is just not possible. If there is a great enough incentive to hack you, it will happen. Any device can be hacked for a price.
Trust
In most cases, we do not even need to be hacked at all. The sheer volume of information that we have volunteered and that has been harvested unwittingly or unwillingly has made open source intelligence (OSINT) wildly effective when phishing fails. As much as they pretend to be, our devices are very far from anonymous. They are configured to be found and to connect in ways that are invisible to us. All that remains is to tie device information and usage to a particular person, which can be trivial. We handle this ourselves with voluntary tagging, geospatial tracking (or “location services”), automatic time updates, and our all-consuming social media. We cannot even trust ourselves. Even when we do not capriciously consent to this collection, companies carry on with it anyway.
The information that our machines process and store also defines our digital selves. Basic facts such as your IP address, hardware vendor, and operating system version can be collected by fingerprinting techniques to uniquely identify your device, which can then be tied to you and those you know. When you know how, where, and when, you can infer who, what, and why. If you can place someone’s interactions in time and space and incorporate all publicly available context, you can map out a great deal of a person’s life (and the lives of others). This may include things that people are not yet consciously aware of themselves, like pregnancy. This digital representation of you will be incomplete and invariably inaccurate, but it can and will be used against you by anyone with sufficient incentive.
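To see how little is needed, consider this hedged sketch: the attribute values are hypothetical and a deliberately simple FNV-1a hash stands in for the far richer techniques real trackers use, but the principle – concatenate a few mundane facts and derive a stable identifier – is the same.

```c
#include <stdio.h>
#include <stdint.h>

/* 64-bit FNV-1a hash of a string */
static uint64_t fnv1a(const char *s) {
    uint64_t h = 14695981039346656037ULL;                               /* FNV offset basis */
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }  /* FNV prime */
    return h;
}

int main(void) {
    char profile[256];
    /* hypothetical values; real fingerprints draw on many more attributes */
    snprintf(profile, sizeof profile, "%s|%s|%s",
             "203.0.113.7",            /* IP address (documentation range) */
             "ExampleVendor",          /* hardware vendor                  */
             "ExampleOS 14.2.1");      /* operating system version         */

    printf("device fingerprint: %016llx\n", (unsigned long long)fnv1a(profile));
    return 0;
}
```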
This is all the more concerning given that when you are online, your devices are you. Various computers broker most of our interactions with the external world. Devices that process and store your information are part of your home. Digital information about you is how you are perceived by most of the people you keep in touch with. In exchange for convenience, we have invited strangers into our most private settings and surrendered our rights and identities to them.
How did the intellectual triumphs of the 20th century devolve into unaccountable digital commercialism and rampant surveillance? We trusted that there were legal and ethical obligations and systems in place that would protect us. The companies we trusted cannot even secure themselves. In the meantime, we allowed our relentless pursuit of intelligence and monetization to overwhelm any responsible discourse regarding the consequences of technological deployment, which can be latent and indirect but no less real. Unsatisfied with methodical research and measured implementation, we embraced unguided and unchecked innovation in any direction on the faith that the outsized benefits, to the extent that they existed, would eventually accrue to us.
We have hardly minded attendant personal and societal costs. Apathetic to risks we could not fully appreciate, we entrusted industry experts, corporations, elected officials, law enforcement, and the courts to honor their obligations to respect and uphold our rights in a domain we have all elected to know little about. We have expected that someone else would take care of these problems for us. Digital abstraction has disintermediated responsibility and consequence. Now we are in the storm.
Just because we have conceded such collection, however, does not mean we must continue to do so, or that we cannot define the proper use and dissemination of our data. We must. Undefined digital behavior is permissible. What is not illegal is allowable and will be leveraged. In threat modeling (23), you plan for trusted third parties like Certificate Authorities (CAs) to betray or fail you (because they do). We need to embrace this “zero-trust” mentality ourselves. We have taken truth and authenticity for granted. Now we must choose a new path.
Our Decision
Our digital ecosystem is not sustainable. We have built a data economy with no safeguards or transparency. As a result, we need to behave as though we were in public even in the privacy of our own homes. Software may be intangible, but we are not, and neither are the consequences we have been left to bear. No matter. We cannot afford the indulgence of resigned apathy. As Paul Cornish reflects,
Yet in spite of these [cyber security] risks and anxieties, the world is becoming ever more deeply dependent on the digital environment. When dependency of any sort is unmanaged and unmitigated, it can soon become the basis of vulnerability.
[…]
It makes little or no sense to approach cyber security from a narrow perspective […] concerned only with protection from threat, danger, harm, and loss. The security of cyber space is as much technological as it is commercial and strategic; as much international as regional, national and personal; and as much a matter of hazard and vulnerability as an opportunity for social, economic, and cultural growth (24).
We can demand better, not just from businesses and governments but from ourselves. We can be thoughtful about the information we share, with whom, and how. We can legislate privacy rights and provide for civil action. We can bring software representations and warranties in line with other industries and require security updates at the vendor’s expense. Companies can lead by example, eschewing the collection of every possible bit of context while improving their asset security in the process. If we require data at all, we should take only what we need. If we collect data, it is our responsibility to safeguard it. We do not have to wait to get started.
All is not lost: the digital landscape has yet to be fully defined. Social expectations and standards establish customs, which shape laws and define permissible behavior. We must choose to understand the digital world and to recognize our relationship with it. We must decide to examine our behavior and tendencies and consider how a breadth of modest improvements can become self-fulfilling. When we use our devices, we should do so with intention. Better still, use them less.
...
We may take our cue from the machine by taking one simple, deliberate step at a time. We must first find our bearings before charting our course. To that end, we will explore many facets of this domain in the inaugural Datum Research series, “Why You Should Care About Cyber”.
1. Charles Petzold, The Annotated Turing: A Guided Tour through Alan Turing’s Historic Paper on Computability and the Turing Machine (Wiley, 2008), 336-7. Two years after Cybernetics: or Control and Communication in the Animal and the Machine (1948), Wiener followed with The Human Use of Human Beings: Cybernetics and Society in 1950.
2. Charles Petzold, Code: The Hidden Language of Computer Hardware and Software (2E; Microsoft Press, 2023).
3. Brian W. Kernighan, Understanding the Digital World: What You Need to Know about Computers, the Internet, Privacy, and Security (2E; Princeton University Press, 2021), 256-257.
4. Kernighan2021, 8.
5. Hal Prince, The Annotated Gödel: A Reader’s Guide to his Classic Paper on Logic and Incompleteness (Homebred Press, 2022).
6. Prince2022, ix.
7. “On Computable Numbers, with an Application to the Entscheidungsproblem” (in Petzold2008).
8. Andrew Hodges, Alan Turing: The Enigma (The Centenary Edition: Princeton University Press, 2012), 111-112.
9. Kleene later demonstrated that the results of Gödel, Church, and Turing were fundamentally equivalent.
10. Petzold2008, vii.
11. Hodges2012, 250.
12. Paul E. Ceruzzi, Reckoners: The Prehistory of the Digital Computer, From Relays to the Stored Program Concept, 1935-1945 (Greenwood Press, 1983), 10.
13. Kernighan2021, 25.
14. Hodges2012, 247.
15. Ibid. 80 years later, you might recognize OTP codes as the numbers you enter to authenticate certain logins.
16. Petzold2023, 190.
17. For a first-hand account, see Brian Kernighan, UNIX: A History and a Memoir (Kindle Direct, 2020).
18. Fei-Fei Li, The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI (Flatiron Books, 2023).
19. Kernighan2021, 75. Processes are running programs.
20. Multi-factor authentication (MFA; something you know, something you have, something you are) can be a great help, but less so if you are relying on vulnerable software services to provide it.
21. See SEC vs. SolarWinds Corp et al (2024).
22. To give an example, exploitation is treated differently from other computer crimes. Somehow, breaking into a system to change its configuration in order to record and surveil it is different from breaking into a system to change its configuration in order to do anything else.
23. See Adam Shostack, Threat Modeling: Designing for Security (Wiley, 2014).
24. Paul Cornish, Ed. The Oxford Handbook of Cyber Security (Oxford University Press, 2021), 1-2.
Sources
[Ceruzzi1983] Ceruzzi, Paul E. Reckoners: The Prehistory of the Digital Computer, From Relays to the Stored Program Concept, 1935-1945. Greenwood Press, 1983.
[Cornish2021] The Oxford Handbook of Cyber Security. Ed. Paul Cornish. Oxford University Press, 2021.
[Gödel1931] Gödel, Kurt. “Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I”. Monatshefte für Mathematik und Physik 38, 1931, 173-198. [In Prince2022.]
[Hodges2012] Hodges, Andrew. Alan Turing: The Enigma: The Centenary Edition. Princeton University Press, 2012.
[Kernighan2020] Kernighan, Brian. UNIX: A History and a Memoir. Kindle Direct, 2020.
[Kernighan2021] Kernighan, Brian W. Understanding the Digital World: What You Need to Know about Computers, the Internet, Privacy, and Security: Second Ed. Princeton University Press, 2021.
[Li2023] Li, Fei-Fei. The Worlds I See: Curiosity, Exploration, and Discovery at the Dawn of AI. Flatiron Books, 2023.
[Petzold2008] Petzold, Charles. The Annotated Turing: A Guided Tour through Alan Turing’s Historic Paper on Computability and the Turing Machine. Wiley, 2008.
[Petzold2023] Petzold, Charles. Code: The Hidden Language of Computer Hardware and Software: Second Ed. Microsoft Press, 2023.
[Pierce1980] Pierce, John R. An Introduction to Information Theory: Symbols, Signals and Noise: Second, Revised Edition. Dover, 1980.
[Prince2022] Prince, Hal. The Annotated Gödel: A Reader’s Guide to his Classic Paper on Logic and Incompleteness. Homebred Press, 2022.
[Shannon1938] Shannon, Claude E. “A Symbolic Analysis of Relay and Switching Circuits”. Transactions of the American Institute of Electrical Engineers. Vol. 57, 1938.
[Shostack2014] Shostack, Adam. Threat Modeling: Designing for Security. Wiley, 2014.
[Turing1936] Turing, Alan M. “On Computable Numbers, with an Application to the Entscheidungsproblem”. In [Petzold2008].
[Turing1946] Turing, A. M. “Proposal for Development in the Mathematics Division of an Automatic Computing Engine (ACE)”. A. M. Turing’s ACE Report of 1946 and Other Papers. Ed. B. E. Carpenter and R. W. Doran. The MIT Press, 1986.
[Turing1947] Turing, A. M. “Lecture to the London Mathematical Society on 20 February 1947”. A. M. Turing’s ACE Report of 1946 and Other Papers. Ed. B. E. Carpenter and R. W. Doran. The MIT Press, 1986.