Here at KOW, we do talk a bit about cyber issues and all that, from time to time. (Heck, some of our contributors have even made quite a name from this type of thing. Dave Betz, Thomas Rid, and Tim Stevens). There is a feeling, though, that we in the ‘hard security’ fields (those concerned with military, police, and intelligence affairs) tend to get cybersecurity wrong. We don’t do well at strategy at the best of times, it is claimed, but do even worse when it comes to strategies in the cyber domain.
Now, dear Reader, if you know me, you know that I am a bit of a Luddite, a bit of a technophobe, and a bit of a curmudgeon. So colour me as surprised as the next guy to find myself at the 8th Internet Governance Forum (IGF) in Bali, Indonesia last week. (The location had nothing to do with my attendance, by the way). This post is the first of two containing my reflections on security and the internet, as prompted by the proceedings of the IGF.
Let me start by stating that, contrary to my low expectations, far from being a ‘geek-fest’, an orgy of übertech, a smorgasbord of terms like ccTLDs, IoT, and the like, there were actually some very interesting points being raised in Bali, which should have a direct bearing on how we (in the War Studies/International Security communities) regard the idea of internet security.
It’s the governance, stupid.
In the ‘Internet ecosystem’ there are several existing notions of how the Internet should be governed. First, there are those who believe that it should be regulated by states, along the same lines of other forms of communications regulation. States should control access to the internet, through licensing, auctions of frequencies, and protections of both the rights and responsibilities of operators and users. Governments worry that freedom is really a veil of secrecy for terrorists, pedophiles, and drug-dealers. From this point of view, the internet needs to be subject to the same kinds of controls as ordinary life is.
Second, there are others who believe that the internet should be viewed as a commodity, and left to the market and the various commercial entities to sort out. States should take a very hands-off approach, letting the ‘invisible hand’ of the market allocate usage of the internet in the most ‘efficient’ way possible.
Third, groups of technical experts, those involved in the actually engineering and construction of the Internet, see the entire thing as being beyond anyone’s control. They believe that technology itself is the only restraint on the Internet, and are not much bothered by arguments surrounding content filtering, or localized routing, preferring to look at the ways and means, and not the ends, of these options.
Fourth, there are others who view the internet as a sort of digital commons, a place for all to express their various interests and concerns. This commons should be a free domain—access should be unfettered, privacy respected, and content uncensored.
Not surprisingly, those who espouse these approaches do not always get along. State-centric proponents have come under fire recently, as Edward Snowden’s revelations have confirmed what many have long suspected: states are hungry to know everything that goes on across the web, eager to look into every nook and cranny, all under the aegis of national security. Commercial players, too, have been seen to attempt to crowd out others on the ‘Net. For instance, they want assurances—from states—that the frequencies or web addresses they buy will enjoy the kind of property rights they would in the ‘real world’. Furthermore, commercial players—like Google and Facebook—are claiming user data as their own, be it meta-data or selfies or GPS locations, much to the chagrin (and sometimes surprise) of users. User groups assert that the internet is being ruined because of the actions of governments and firms: privacy, access, affordability, grassroot ‘DIY’ projects and the advantages of anonymity are all becoming increasingly difficult to maintain in a world of government snooping and industry monopolies.
Now what, I hear you ask Dear Reader, does this have to do with KOW? The key conclusion that I arrived at is that, unsurprisingly, issues of internet security are entangled with issues of political philosophy and, somewhat more interestingly, social identity. The corollary of this conclusion is that this is precisely why we do cybersecurity so poorly: we ignore this entanglement. Just like in real life, security is a subset of governance, which is a function of politics, in all its glory and misery. Security cannot stand alone, separate from the larger issues, separate from the larger community or ecosystem. A simple statement, but one with some often unheeded implications.
What is the Internet?
For any of this to make any sense, a set of questions of primary importance must be addressed. The problem is that this set of questions is almost completely unanswerable. What is the Internet? To whom does it belong? Is it an extension of the telecommunications infrastructure, and therefore regulatable in the same way telephone networks are? Some people think so—most states do. The main UN agency dealing with the internet pre-dates the internet and the UN. Originally the International Telegraph Union, formed in 1865, the ITU believes there is a linear link from the dots and dashes of the telegraph to the 1s and 0s of the internet. That perspective shapes a great deal of its policy thinking when it comes to internet governance and security. As we move into the next frontier of the internet (such as the Internet of Things, where your fridge will share your eating habits with Google and the NSA—not necessarily in that order), will such a perspective remain relevant?
Some believe that the internet is fundamentally different from anything else that has come before it. It is not just a network, but a common good, not just an information superhighway, but an on-ramp to development. People in developing countries do not see the internet as merely as a commercial commodity, but rather a lifeline—the lifeline—to a better life for them and their children. It is both a medium and a conduit for social interaction. The governance of something so existential, many feel, cannot be left to a handful of states or firms. To deny, or even to fail to facilitate, access to someone is seen as a matter of grave importance. One participant at IGF put it, hopefully with some hyperbole, thus: “Internet shutdowns by governments and operators is [sic] a cybercrime against humanity.”
What’s it all about?
It is clear from the conversation going on here that there is no universally appreciated perspective. Just as there are a number of ideas about governance, there are several points of view about security. Allow me to put forward several of the ideas floating around, some explicit, some unarticulated.
1. Security is about trust. And trust is about expectations. While governments might think their massive, pervasive surveillance is about increasing security, it might actually be reducing the level of trust people have in the Internet and in government. For instance, the technical ‘internet security’ people, those responsible for keeping the ‘physical internet’ ship-shape (finding and removing botnets, for example) insist that the level of cooperation and information exchange that they rely on to sort out (remediate) networks following attacks actually decreases when ‘national security’ entities become involved. Having ministries of defence or homeland security, or intelligence services, being actively involved in a ‘incident’ actually reduces the likelihood of the issue being resolved quickly. It is felt that their involvement lowers the level of trust, something which has not been an issue—even across borders—at the technical level. So there is a trade off between national security (was that attack a form of cyber terrorism or even cyberwar?) and internet security (was that attack a single incident of vandalism or does it represent something more widespread?). A less secure internet (caused by a lack of trust and therefore reduced collaboration across borders) is likely to be a better conduit for attacks that could impact national security. If security is a product of trust, we can assume that the product of hypocrisy, deceit, and suspicion is distrust, which in turn engenders insecurity.
2. In terms of politics, the Net has permeable membrane. Even those who do agree with a ‘state first, top down’ approach to internet security (and governance) disagree about which states should be in charge. Brazil—championing a ‘non-US centric’ agenda along with India and South Africa—has rocked the community here by announcing a ‘non-summit’ to be held in Rio in April, dealing with issues of internet governance. They are proposing a new UN agency (!!) to be established in order to ‘coordinate’ all the existing ‘organs’ of the internet, including ICANN, ITU, and IGF. While this is an immediate reaction to the revelations of Edward Snowden, it is easy to detect a connection to wider political debates. This is an outgrowth of the BRIC movement, indicative of the growing political confidence of countries, like Brazil, and their public flexing of muscles/thumbing of noses at the dominance of the US.
3. Certain ‘technical issues’ themselves are sometimes used as cloaking devices, hiding larger political agendas. For example, even something as mundane as the fight against spam has, in some countries, been hijacked as a way of imposing content filtering, restricting freedom of speech. Similarly, items that at first blush seem to be no-brainers, are not universally agreed upon by all internet players. Surely the kinds of harm that we seek to limit off-line should be discouraged, or better yet, eliminated, on-line? Not necessarily. One IGF participant tweeted, “Governments use excuses like child pornography and similar cases in order to regulate internet but this must stop.” Perhaps in echo, at the end of the IGF, the Indonesian chair proudly announced that his country “guarantees online freedom of speech, but also protects its citizens from pornography and anti-Islamic propaganda on the Internet.”
4. Just because it is not ‘state based’ does not mean it is universally legitimate. Commercial organisations, like ICANN, Google, Facebook, or Amazon, are viewed as American organizations, with all the baggage that comes with that moniker. ICANN touts itself as being legitimate because it is commercial, but it is seen by many as just another red, white, and blue hegemon. Cooperation, co-option, and collaboration, and calumny are mixed to form a rather toxic stew, made up of a commercial broth with states holding the spoon. As one participant made clear to ICANN in a workshop, “Policy authority for non-tech issues is not safer in your hands than with governments.” There are allegations that corporations, like Facebook and Google, are actually monetizing their cooperation with US authorities. The logic is that they are being ‘reimbursed’ for the information that they pass on. And what has been reported as their ‘making it harder’ for the US to snoop is in fact just now ‘more expensive’ for the government—and more lucrative for the firms themselves. This is not going to be regarded as a good thing by many internet users. As usual, a Freudian slip might just give the game away. Speaking on a panel about internet surveillance, Google representative Ross LaJeunesse that his “country…company” had legitimate concerns about internet governance.
5. Governance of the internet is about more that just rules. One NGO, The Internet Society, believes that because “The Internet is for everyone… [we need] to find the next social structure that will guide the Internet in the future.” Many traditionalists, including security experts, are not thinking about ‘social structures’ when it comes to security. Indeed, they are looking at rules and regulation, and the kinds of technological tools and tricks that can be designed or exploited in order to put them into practice. (Backdoors, sidedoors, trapdoors—the word was used so much I expected to see Jim Morrison stroll in at any minute). When they think of the internet, they think about ways of making ‘it’ secure, and about ways of securing us from the dangers that lurk within it. Traditionalists take it for granted that states will be at the fore, providing solutions. They look for ‘coherent’ strategies, and expect others to ‘collaborate’ and ‘cooperate’ in order to achieve our objectives.
State-centric actors (such as security agencies) try and cut through what they regard as supercilious and superfluous utopianism about the internet. By doing so, they may be able to put in place the kinds of systems that allow them to monitor chat rooms or read your ‘meta-data’, but they may never be able to gain or maintain real legitimacy, much less trust. This, of course, may not keep the leadership of the NSA or the CIA awake at night, but it does not sit well with commercial companies who, rightly or wrongly, are judged as being wholly compliant with the requests of these agencies. Nor, increasingly, does it do much to cheer up ‘friends and relations’ to know that their head of government’s handy is an open-line. This week, the White House seems ready to admit that there should be ‘surveillance constraints’.
If this sounds like politics, and not technology, or even threats and risks, that’s because it is. Security is an offspring of politics. Neglecting that basic truth often stymies our attempts to make our world—real and virtual—safer.
Thus endeth part one. My next post in this series will look at the implications of the diversity of actors involved in Internet governance and how maintaining their identities shapes the way they view how internet security should work.