1st Law of data security

22nd January 2024


1st Law of data security: ‘We can design a system that’s proof against accident or stupidity; but we can’t design one that’s proof against deliberate malice…’

Arthur C Clark’s (ACC’s) Law appears in Chapter 28 of his 1968 book, 2001: A Space Odyssey, after we discover that the spaceships AI system, HAL, resolves conflicting information in its training data by murdering the crew. HAL is the party with ‘deliberate malice…’

The book includes predictions about AI, iPads, video calls and spaceflight and data security – ACC’s Law says that every product is somehow vulnerable to ‘deliberate malice…’

NIST incorporated “can’t design … against deliberate malice…” in the ‘Zero-Trust Architecture’ –assume your network is insecure because you can’t trust the stuff people will attach to it

Use ACC’s Law when you buy tech, ask the seller “is the design proof against accidents or stupidity?” and “can your engineers design against ‘deliberate malice…’?”

If they say yes – get the supplier to accept liability due to data breaches, if they defer to the wisdom of ACC and NIST and say no, just assume the data on the phone, TV, computer or software you are buying is going to be compromised

The tech industry can disprove ACC’s law by creating an email system that safe to use, showing that ACC’s Law is flawed. The development and test methods used can then be shared to ensure all products can be designed to be safe from ‘deliberate malice…’

My own view is when a product is created the vulnerable surfaces are based on the skills of the designers, subject to the commercial constraints they are operating under. When the product is launched those with ‘deliberate malice…’ can pick apart the product and develop different attacks. Inevitably the tools and knowledge that the bad guys use are subject to Moore’s law and will only improve.

When we designed Countermark, we used encryption, code design and blockchain to give high levels of data security, we are aware of other organisations (like GS1) that mandate QR codes with no security – QR codes are an electronic form of plain text and an established vector for fraud and malware.

Let’s do this:

1)     Update every information security policy, IT job description, data system operating procedure and product instructions to include ACC’s Law

2)     Possibly call this law ACC’s 1st Law and start think about ACC’s 2nd Law addressing the risk of putting conflicting data into AI systems

3)     Ensure that all software is proof against accidents and stupidity, also stop punishing users for data breaches, when what they do (like open an email) falls into the “accident or stupidity” category. The software industry, according to ACC, should be able to keep people safe when they open emails

4)     Regard vulnerable software as non-conforming product to be rejected and returned if it does not work as stated

5)     Use Countermark instead of QR codes


For more information go to https://countermark.com