https://www.youtube.com/shorts/KcfgSKHsC4Q

The security of Information Technology (IT) systems forms the foundation of every Digital Public Infrastructure (DPI). Without proper IT security, privacy cannot be achieved. IT security focuses on three key goals:

<aside> <img src="/icons/checklist_green.svg" alt="/icons/checklist_green.svg" width="40px" />

  1. Confidentiality: Ensuring that information is only accessible to authorised individuals or systems. This means preventing unauthorised access, disclosure, and interception of sensitive data.
  2. Integrity: Guaranteeing that information is accurate, complete, and trustworthy. This involves preventing unauthorised modification or deletion of data, and ensuring that data is consistent and reliable.
  3. Availability: Ensuring that authorised users have timely and reliable access to information and systems when needed. This includes protection against denial-of-service attacks and maintaining operational systems for legitimate use.

</aside>

IT security is not a static goal to be achieved but an ongoing process: the system must constantly adapt to new potential attacks and incorporate measures to become resilient against them. Much as the body must develop defences against new viruses and bacteria, a system's defences must constantly evolve to incorporate strategies against new threats. This also means that absolute IT security is never achievable. The more complex a system becomes, the higher the likelihood of failures. Ultimately, human users and administrators are often the weak link leading to the compromise of a system.

<aside> 💡

Complex systems have failures, and mistakes will always happen. This is why it's important to recognise that hacks, leaks and data breaches are common. There are also many jokes about this sad reality.

https://www.youtube.com/shorts/bBKdR0Y2bC8

</aside>

IT security is maintained by ensuring that the technology used incorporates the latest state-of-the-art precautions against attackers. However, there is also a procedural dimension of security: how individuals interact with the system, what protocols people have to follow when they are granted access to data, and how security incidents are identified and managed.

<aside> 📌

Failure to uphold the IT security of a DPI system could result in severe societal consequences in the event of an attack.

</aside>

When a DPI becomes unavailable, it can impact every aspect of life where people rely on it to carry out their daily activities. Access to essential services might be cut off if the system is not operational even for a brief period of time. When a DPI is integrated into more areas of life, such as payment, health, public transport, or social media logins, downtime will affect all these sectors simultaneously. Even a short downtime of a few days could create turmoil in society at large.

An important concept in IT security is threat modeling. Threat modeling is a proactive approach to security that aims to identify and address potential threats before they can be exploited. It is a way of thinking about security from an attacker's perspective in order to understand how a system might be compromised. This process helps teams understand potential risks, prioritise security efforts, and build more secure systems.

IT security is not a state but a process. A system is only reasonably secure at a given time against a particular class of attacker: cybercriminals, multinational corporations and state-level actors have very different capabilities to undermine the security of any given IT system.
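A worked illustration of the threat-modeling process described above, added here as an example that is not part of the original page: it records which DPI asset a threat targets, which of the three security goals it undermines, which attacker class (the three named above) is assumed capable of it, and how many dependent sectors would fail with the asset, then ranks the threats by residual risk. The assets, threats, weights and mitigations are constructed for the illustration, not values the page gives.

```python
from dataclasses import dataclass, field

# Constructed illustration of a DPI threat model (not from the page);
# the weights are assumed for the example, not values the page gives.
ATTACKER_CAPABILITY = {"cybercriminal": 2, "corporation": 3, "state": 5}
GOAL_WEIGHT = {"confidentiality": 3, "integrity": 4, "availability": 4}

@dataclass
class Asset:
    name: str
    dependent_sectors: list  # sectors that lose service if this asset fails

@dataclass
class Threat:
    asset: Asset
    goal: str         # security goal the threat undermines
    attacker: str     # attacker class assumed able to carry it out
    description: str
    mitigations: list = field(default_factory=list)

def risk_score(threat: Threat) -> int:
    """Goal weight x attacker capability x blast radius, halved once per
    mitigation already in place (integer division) to give residual risk."""
    blast_radius = max(1, len(threat.asset.dependent_sectors))
    score = (GOAL_WEIGHT[threat.goal]
             * ATTACKER_CAPABILITY[threat.attacker] * blast_radius)
    for _ in threat.mitigations:
        score //= 2
    return score

def prioritise(threats: list) -> list:
    """Highest residual risk first: the order the team should work in."""
    return sorted(threats, key=risk_score, reverse=True)

# Constructed sample: one login shared by several sectors (a single point
# of failure) and one sector-specific data store.
LOGIN = Asset("national digital identity login",
              ["payment", "health", "public transport", "social media"])
HEALTH_DB = Asset("health records store", ["health"])

SAMPLE_THREATS = [
    Threat(HEALTH_DB, "confidentiality", "cybercriminal",
           "records copied and held for ransom", ["encryption at rest"]),
    Threat(LOGIN, "integrity", "corporation",
           "identity attributes altered to favour one vendor",
           ["signed audit log", "least-privilege admin roles"]),
    Threat(LOGIN, "availability", "state",
           "login service kept offline for days"),
]
```

Calling `prioritise(SAMPLE_THREATS)` puts the state-level availability threat against the shared login first, because its blast radius spans every sector that depends on that login.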

<aside> 📖

Case Studies: Countries have demonstrated both the ability and the willingness to use cyberattacks to further strategic goals and to disable another country's infrastructure. The more a country depends on its DPI, the more lucrative a target it becomes for its adversaries.

</aside>

Cyberattacks also carry the risk of data being stolen or manipulated. With the advent of cryptocurrencies we have witnessed the rise of a new business model for cybercriminals, who extort ransom for the data they have gained access to. A DPI that is not properly secured not only risks the exposure of massive amounts of personal data; it also makes a country vulnerable to these types of attacks.

In a way, every DPI that is widely used becomes a single point of failure. It is important for civil society to raise questions about the level of security any DPI offers and what would happen in the event of a successful attack. Furthermore, it is vital to establish a Responsible Disclosure Policy and Bug Bounty programs to increase IT security, allowing independent security researchers to report vulnerabilities to the vendor and subsequently enabling a democratic debate about security.

Security by Design

Security by Design is a fundamental approach to developing secure systems by integrating security considerations throughout the entire design and development process, rather than adding security features after a system is built. This proactive methodology ensures that security is an inherent characteristic of the system rather than an afterthought. Security by Design principles include minimising attack surfaces, implementing least privilege access, defence in depth strategies, and conducting regular security testing.

Adding security after the system has already been built is dangerous and expensive. Any user data already in the live system, and any parts of society already dependent on it, are exposed and affected by a security incident. Retrofitting security may also be burdensome and is always more expensive than having it as a design principle from the start.

Security by design is an operational principle that must be continuously adapted to counter new attacks and incorporate emerging technical protection mechanisms. However, it can also be embedded in law, ensuring that any entity building a DPI is legally required to implement it from the start.

Backup and Restore