Remove The Abstractions To Improve National Security

When I started my career as a software engineer I had a passion for information security. My education taught me that securing digital information could be accomplished by adding protections from one of three categories: something you have, something you know, and something you are. Something you have could be a key or bank card. Something you know a password or bank pin. Something you are is a biometric attribute such as a fingerprint, retina, or DNA.

At that most basic level, application security did not change throughout my career. Despite all of the new ways people thought they came up with to secure information, the solutions always could be categorized as one of the three basic protection mechanisms. Microsoft for example came up with their passwordless login which is just drawing on a picture. This is simply protecting information using something you know or in other words a password. Two-factor authentication is generally implemented by a code being sent to your mobile device after you enter your password. In this case, the phone is something you have, and the password is something you know. Virtually any type of protection mechanism for digital information will fit into one of the three categories.

There is however one principle that most software developers forget as they attempt to implement secure systems. That principle is to remove the abstractions created by the software. Data gets stored on a physical medium. Working in the virtual world of software a developer does not have to concern himself with the physical layer of data storage. Therefore as more time is spent writing source code the basics of physical data storage are often forgotten. The truth about security is anything that an engineer attempts to secure is real and must ultimately be secured by a physical medium. This is somewhat difficult to accept for a developer who could build a system they believe is perfectly secure but the system is compromised simply by opening the device and bypassing the application security.

For example, if you wanted to bypass a password on a hard drive you might start by booting up the device and trying to exploit the operating system. But what if you can't find a flaw and the device is locked? Maybe then you would use a forensic operating system to access the information on the drive. What if the device was broken but the hard drive plate was still intact? A person who understands the data is polarized sectors on the plate would open the device and remove the plate so they could read it with another system. Once you can read polarized sectors on the plate you can identify the sectors that represent the operating system and then identify the location the password is stored. Using the operating system's password encryption algorithm to encrypt a basic password you can overwrite the existing one and boot the drive. The key takeaway is the magnetized bits that represent the secure operating system cannot protect the magnetized bits that represent the password. You need physical security protection mechanisms because software security can be bypassed.

Information can now be written with DNA. This too is a physical medium consisting of the bases adenine (A), cytosine (C), guanine (G), and thymine (T). Adenine is composed of carbon, hydrogen, and nitrogen atoms and pairs with thymine. If you know how to write to DNA whatever is stored can be changed. There is no software system that can prevent a knowledgeable person from writing whatever they want. Another example of information storage is the memories in your brain. When you remember something long-term it actually causes structural changes in neurons. So what happens when you are asked to implement a software system that writes to the brain?

As we further advance into an era of genetic engineering, quantum computers, and brain-computer interfaces it is important to reevaluate how you view security and the projects you are willing to work on. Far too often developers agree to work on software that ends up destroying national security. The concept of removing abstractions and understanding that it takes physical mechanisms to secure data is important. If you find yourself writing software that communicates with the brain remove the abstractions and ask yourself how can a person's brain be secured from the energy writing to it. If there are no physical security mechanisms already in place that needs to be addressed. Software alone will never secure data because magnetized bits cannot physically stop anyone. Take the time to understand if the physical layer of security is sufficient for you to ethically work on a software system. This will significantly help our national security.