Cybersecurity for Everyone

David B. Skillicorn

  1. 94 pages
  2. English

About This Book

Cyberspace is a critical part of our lives. Although we all use cyberspace for work, entertainment, and social life, much of its infrastructure and operation is invisible to us. We spend a big part of our lives in an environment that is almost an essential service but is full of potential dangers: a place where criminals can commit new kinds of crimes, where governments can exert political pressure, and where we can be hurt by the unthinking actions of the bored and careless.

Making cyberspace more secure is one of the challenges of our times. This is not only (or perhaps even primarily) a technical challenge. It requires actions by governments and businesses to encourage security whenever possible, and to make sure that their own actions do not undermine it. Unfortunately, many of those in a position to do something about cybersecurity do not have the background to understand the issues fully. Cybersecurity for Everyone will help by describing the issues in a way that is accessible to anyone, but especially those from non-technical backgrounds.

Information

Publisher
CRC Press
Year
2020
ISBN
9781000298673

Chapter 1

Introduction

Cyberspace, the combination of computer systems, devices, and the networks that connect them, is pervasive. The most obvious part of cyberspace, and the one that most people have encountered, is the Internet, but there are many other components to cyberspace: automated production lines, separate military networks, and dark corners that are technically part of the Internet, but difficult for ordinary users to access. We as individuals use cyberspace visibly for work, for shopping, and for entertainment; but it is used less visibly, but more importantly, for keeping our societies running, in manufacturing, services, financial markets, and government.
Although cyberspace is pervasive, most of its structures are invisible to us even when we are using them. We interact with it via phones or computers, but the servers that power web sites and allow us to manage our bank accounts, to book travel and hotels, and communicate using email or social media are not easily appreciated. The “plumbing” that connects our interface devices and these services is also almost entirely hidden. Making this huge, complex system so unobtrusive and seamless from a user perspective is a major success.
However, from a security perspective, the invisible nature of cyberspace creates an issue—people have no intuition about how it works, and so cannot easily judge which actions are potentially dangerous. It's a bit like visiting a tourist-focused city and accidentally straying into a bad neighborhood simply by not realizing that such neighborhoods exist. It's hard to assess the risk of any particular action in cyberspace, and many of the “rules” come without explanation, or at least without meaningful explanation, that would enable users to understand when rules have reasonable exceptions. For example, a common rule is “don't open email attachments from people you don't know” but this is often unworkable in practice. If you don't know that From: email addresses can be spoofed then the apparent converse “it's ok to open attachments from people that you do know” will sometimes lead to unfortunate actions.
Younger people, who have grown up with the Internet, are in some ways savvier about the dangers, but even they can easily be blind to risks and taken in by those who exploit cyberspace for their own purposes. Education about cyberspace can help, and that's the purpose of this book, but a little learning is a dangerous thing (Alexander Pope).
The problems of cybersecurity can be traced back to the early days of what became the Internet: Arpanet, a network that connected government and university computers, and which assumed that all of the participants were trustworthy and accountable. As a consequence, security issues were not considered seriously in the design of Arpanet's basic working—and many of those designs are with us still. The fundamental problem is backwards compatibility: each new development had to continue to allow existing computers, networks and systems to work together, even as the size and scope of the overall system exploded. Arpanet was also designed to survive a nuclear attack, and so was designed in a distributed way. This design lives on in cyberspace today. There is no overall management of cyberspace and decisions are made by a messy collaboration of stakeholders.
In many ways, the Internet is a victim of its own success. From that initial small set of connected computers, it grew to include more government and university computers, including internationally. In the early 1980s telephone companies got into the act, allowing dedicated connections between computers that were in different cities, and then allowing computers to connect by dialing one another and communicating data over phone lines that had been designed for voice.
The introduction of the World Wide Web in 1995 marked another shift in connectivity. Suddenly individuals had a “killer app” for getting information from businesses and governments, including those far away; and these businesses and governments needed large computers to serve these web pages to those who wanted them. At about the same time, email, previously limited to academics, became a pervasive way of communicating for ordinary people.
Browsers and servers developed new functionality. Servers no longer simply provided content, but enabled interaction with users, including allowing users to upload content. Once again, a mechanism designed for one use was adapted to do things for which it had not been designed, and the new uses have overwhelmed the old.
In another dimension, what changed was the scale of cyberspace as billions of people, more than half the world's population, acquired devices that enabled them to participate; and as servers became bigger and faster in response.
Cyberspace just grew. There was no central planning; interesting people came up with new ways to use the existing infrastructure and systems and they mostly didn't think much about the security issues they were creating in their hurry to create the new great thing. As a result, cybersecurity must work in a world where security was never designed in, and so must be retrofitted with as much effectiveness as possible. Unfortunately security isn't the kind of property that can be added in—to be really effective it must be thought about at every stage of the design and implementation. As we shall see, attempts to design countermeasures to address the security weaknesses of many parts of cyberspace are necessarily contrived and so relatively ineffective.
This is, of course, a bonanza for criminals and some national governments who are able to exploit the security weaknesses for their own purposes. There is an arms race between those who want to exploit security weaknesses and those who are trying to make cyberspace more secure. The efforts to improve security are often sabotaged by users who prefer convenience to security. A number of actors, while giving lip service to security, actually prefer considerable leakiness. Many Internet businesses (and some governments) use security weaknesses to collect data about Internet users that would be more difficult to collect if cyberspace were more secure. For example, many Internet businesses try to collect phone numbers from their users, under the guise of making authentication more secure, but their real motive is that knowing someone's phone number allows access to another large trove of data about them.
One of the reasons that improvements in cybersecurity have been weak and piecemeal is that there is no central governance. Control of cyberspace is split between international bodies that manage some aspects but have no real power; the owners of the infrastructure, such as the pipes that connect countries and across countries; the (quondam) telephone companies that provide phone connectivity and also tend to own large communications infrastructure; the businesses that provide large servers (for web sites and computation) such as Apple, Amazon, and Google; and national governments. All of these stakeholders have different incentives, sometimes very different, and so developments are the result of a tug of war between competing interests. Most would claim vigorously that security is important, but this tends to translate into action only weakly if at all as other interests compete with or outweigh it. Even with the best will in the world, retrofitting security is difficult so it is not surprising that there is overall little appetite for it.
International cooperation about cyberspace is difficult. In some ways it's the first post-Westphalian[1] system. Although the Internet stretches into every country on earth, national governments have little control over it. They would like to have more, but their citizens demand access to apps and capabilities that are incompatible with national control.
A number of countries have tried to (re)construct national borders in cyberspace. The effort to control traffic that passes across such borders has had only limited success, and not for want of trying. Even if traffic could be controlled, every country still ends up using the same hardware, systems, apps[2], and ways to move traffic and so faces all of the same security issues that result. All of these pieces can become vehicles for covert activities. No country is a cyberspace island, entire of itself.
Chapter 2 provides an introduction to what is happening under the covers in cyberspace, that is, how the interfaces we use to browse the web or send email or otherwise act in cyberspace actually work. Chapter 3 discusses how content is protected by encrypting it, both in flight (as it moves from one place to another), and at rest (when it is stored somewhere). Chapter 4 describes the security issues for the nodes that make up cyberspace, the edge devices such as phones and personal computers that we all use, and also the more-powerful computers—called servers—that provide web pages and web-based services and the ability to carry out large computations. Chapter 5 describes the security issues for the pipes that move data around the world, from the intercontinental undersea cables to the Bluetooth connection between your phone and your earbuds. Chapter 6 describes the security issues associated with setting up and managing the configurations of nodes and pipes so that they can work together as they should, even when something goes wrong. Chapter 7 describes the security issues associated with higher-level activities, the ones that we as users interact with directly. This includes email and the use of the World Wide Web (henceforth, the Web). Since blockchains are a hot topic, and one with substantial, complex security issues, we also discuss it.
[1] The Peace of Westphalia, in 1648, ended the Thirty Years War, establishing the idea that states did not interfere in the domestic affairs of other states—in that case their religious beliefs. The problem with cyberspace is that its structure crosscuts national borders and a framework for thinking about this intersectionality has not yet been established.
[2] China has successfully developed its own version of platforms that are used in the rest of the world, but they have a large domestic population, and there are signs that their citizens use the international apps when they can, to evade the state surveillance built into the local apps.

Chapter 2

How cyberspace works

2.1 Encounters with cyberspace

Almost everyone is familiar with cyberspace in some form, but the interfaces through which we use various online systems do not necessarily reveal very much about what is behind the scenes. The three most popular interfaces are web browsing, social media, and email, and these are accessed, by most people, using phones. However, personal computers are still used for access, especially for tasks that are computational, data intensive, or require visualization.
Web browsing is the most intuitive. Web content is stored on large computer systems, called web servers. Whenever someone opens a browser and enters a URL (or clicks a link), a request is sent to the corresponding server and a web page is sent back to the browser. Although the interface creates the impression that we visit a web site, the reality is that pages from the web site visit us.
In the early days of the Web, web servers provided prebuilt web pages to browsers which were then responsible for displaying them on whatever device the user was using. The Hypertext Markup Language (HTML) describes what kind of thing each piece of the web page is (a heading, a paragraph) which enables the web browser to display the page in whatever way produced the best effect on the particular device that the user is using. For example, the browser can fit the displayed page to the available screen size.
More interesting possibilities arose when web servers were given the ability to create pages dynamically as they were requested. Now the web page that a particular user sees can be customized for that user—perhaps different for users in different countries or regions.
This ability becomes even more powerful when the user's browser can communicate individualized information to the server. The obvious use of this is search—a user inputs search terms and the search engine (a specialized kind of web server) sends back a customized page of results that match the uploaded search terms. A user can communicate with a bank web server and be presented with a page containing their own individual account balances.
The next stage happened when browsers became capable of downloading small pieces of software, along with page content. A web server, using this mechanism, can have a browser do something on its behalf. This is the key to online banking, online shopping, and all of the other interactions that are two-way, with users entering information as well as viewing content.
These mechanisms also have a negative side—they can be, and are, used to store information in the browser (cookies) that can identify when the same user revisits the same web server and, increasingly, other servers as well. In other words, this rich channel of communication becomes the conduit for tracking user behavior.
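The cookie mechanism described above can be seen in a small simulation. This is an added example, not code from the book: the `Server` and `Browser` classes, the `uid` cookie name and the `.example` site names are all constructed for illustration. It shows one embedded server linking page loads on different sites to a single identifier, and the same page loads becoming unlinkable when the browser blocks third-party cookies.

```python
import secrets
from http.cookies import SimpleCookie


class Server:
    """Toy web server that tags each new browser with a random cookie ID."""

    def __init__(self, name):
        self.name = name
        self.seen = {}  # cookie ID -> pages/sites where that browser was observed

    def handle(self, cookie_header, context):
        """Handle one request; return (Set-Cookie value or None, visitor ID)."""
        jar = SimpleCookie(cookie_header or "")
        set_cookie = None
        if "uid" in jar:
            uid = jar["uid"].value            # returning browser: recognized
        else:
            uid = secrets.token_hex(8)        # new browser: issue an identifier
            out = SimpleCookie()
            out["uid"] = uid
            set_cookie = out["uid"].OutputString()   # "uid=<16 hex characters>"
        self.seen.setdefault(uid, []).append(context)
        return set_cookie, uid


class Browser:
    """Keeps one cookie per server and returns it only to that server."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def request(self, server, context, third_party=False):
        blocked = third_party and self.block_third_party
        sent = None if blocked else self.jar.get(server.name)
        set_cookie, uid = server.handle(sent, context)
        if set_cookie and not blocked:
            self.jar[server.name] = set_cookie
        return uid


def simulate(block_third_party):
    """Constructed scenario: two sites embed one tracker; three page loads."""
    tracker, browser = Server("tracker.example"), Browser(block_third_party)
    for site in ("news.example", "shop.example", "news.example"):
        browser.request(tracker, site, third_party=True)
    return tracker.seen  # one ID with three visits, or three unrelated IDs
```
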
In some interactions, the emphasis is more on the flow of information from the user to the site rather than the other way around; for example, uploading videos to YouTube. The mechanism is the same—th...
