A few days ago I was presented with an interesting question: What is the difference between Content Protection and Cyber Security? These domains of Information Security are so different and unrelated, that the difference in their definition is more or less the entire definition of both. This question, however, was asked in the context of the factors that make each of these problems hard to solve. Both problems are hard ones, and seem to require more than the state of the art in security can provide; yet they are hard problems for completely different reasons.
Content Protection refers to protecting multimedia (or other) content, that is consumed by a user. Protection is against the user violating usage rules, such as by illegal sharing of the content. Cyber Security typically refers to the protection of national critical systems against logical attacks, that is, against attacks exploiting the facilities’ Information Technology (IT) components, i.e., hacking. Both problems are hard, but they are hard for completely different reasons; so different that it is difficult to assess which one is harder. Let us see how each domain is harder than the other.
Among the biggest differences is the attacker profile. Content protection is mostly against the user. Some users are more capable and some users are typical end-users who merely browse the interface or look for files accessible through USB. If the protected content consists of feature films, or of highly priced books, then some criminal gangs may join the circumvention effort as well. The Cyber Security case is obviously different, with attackers spanning foreign intelligence agencies, terrorist groups, military, and what not.
Moreover, content, as opposed to critical infrastructure, is protected statistically. Even avid proponents of Content Protection solutions do not elude themselves into believing that the solution is, or could ever be, perfect. We often hear slogans such as “managing risks”, “increasing the bar”, and my favorite: “keeping the honest people honest”, in the context of Content Protection, to suggest that it is all about reducing the number of offenses, rather than about eliminating them. Unfortunately for Cyber Security, working “often” is just not good enough, and the honest people are not of a concern to start with.
Just to clarify: security is always about risk management, and complete security is seldom believed to be obtainable. However, in the case of Content Protection, the bar is initially put at a somewhat lower level, also because (i) cost is a critical factor, since retail consumer devices are often involved, and (ii) the protected Content is a plural secret, i.e., a secret that is known to many, and thus can leak with an equal effect wherever the chain link happens to be weaker at a given time.
So far in this discussion, Cyber Security seems as a harder problem. It needs to be protected against more powerful opponents, it is largely perceived as more critical because it often relates to public safety, statistical coverage is not enough, as a single attack may cause enormous damage, and cost cannot be used as an excuse to keep the bar down. Cyber Security calls for higher assurance than Content Protection. Nevertheless, this coin has a flip side to it.
Content Protection is done in an environment that is not favorable to security, and sometimes has to work on platforms that are designed almost as if to make Content Protection impossible.
The key fact that makes Content Protection so difficult, is that it goes against the legal user, the owner, of the device on which it is deployed. Many of these devices are open, that is, they provide their owner with full control over what they run. Digital content is just bits, bits on an open platform can be known to the owner of the platform, and knowledge can inherently be copied. This simple chain of facts makes Content Protection on open platforms a lost battle, at least in theory. On closed platforms, the situation is more optimistic, for as long as the platform actually remains closed. Keeping platforms closed is not an easy task in the face of hacker communities striving to find exploits that will allow opening them.
Therefore, at least in the information-theoretic sense, the Content Protection problem on open platforms is not just hard, but plain unsolvable. Solutions are provided, by utilizing obfuscated code, runtime checkers, and other tricks designed to get an advantage over the attacker who has complete visibility of the platform. These solutions work, sometimes to an acceptable extent. Yet at large, Content Protection on open platforms is the story of a security designer playing hide and seek with an attacker. Some people prefer “cat and mouse”.
This is not the usual case of security engineering. Security engineering is typically about the engineer of a system having an inherent leverage over the attacker. Security engineering to a large extent is the art and science of capitalizing on this inherent leverage, for providing assurance and/or robustness in the face of an attacker. For example, when developing a firewall, or any other access control system, the underlying design assumption is that the module designed by the security architect is architecturally privileged to decide if a transaction (e.g., an access request) is to be honored or not. In the firewall case, the filtering logic runs on the firewall hardware platform exclusively, and sees the requests as data which it decides if it shall copy to the destination port or not.
Content Protection on open platforms does not follow this paradigm. Cyber Security typically does.
Cyber Security is hard, because it involves well motivated, well funded, and highly capable, attackers. It also involves assets of extremely high value, the protection of each being individually critical. However, Cyber Security is security engineering “by the book”. The platforms on which the countermeasures are typically deployed are owned by the defender, who has an architectural advantage over the attacker, at least until he makes a defender-initiated mistake and gets it lost, or until the hardware is compromised (again, because not strong enough hardware was chosen.) It is still not an easy challenge, because hardware is not always secure enough while remaining within budget, and it is extremely hard to implement a complex system without introducing flaws, but this has always been the security engineering game.
Content Protection on open platforms has lower assurance aspirations. The assets are mostly of a collective value, so security should only work most of the time, and is only judged statistically between breaks and fixes. However, countermeasures shall be made effective also on platforms where the defender has no advantage for being the defender. His countermeasures can be circumvented while being correct, just because they were not hidden well enough.
There is absolutely no room for “not fair!” statements when discussing security. However, the distinction between a defender with an architectural advantage, and a defender without such advantage, is helpful for setting expectations from security technologies and for comparing challenges.