Cyber-security for people? Or nations?

The Internet is organized around “autonomous systems” — independently managed networks most of which are privately owned or, if public, managed at the agency or department level. The current institutional structure for public governance, on the other hand, is organized around nation-states.

That disjunction encourages some actors to construct Internet security as a national security issue. Political claims that invoke “national security” can inflate budgets and provide for more effective political mobilization within bureaucracies and the political class. A recent report from a “Commission on Cyberspace Security for the 44th Presidency” assembled by the Center for Strategic and International Studies (CSIS), a Washington DC-based think tank with longstanding roots in Cold War dialogue, exemplifies this problem. Written late in 2008, it urged the incoming President to proclaim that “cyberspace is a vital asset for the nation and…the United States will protect it using all instruments of national power.”

Rather than conceiving of the Internet as a global space where individuals and organizations interact and routinely confront issues of crime and vandalism, the CSIS report attempts to make a national security perspective the basis for a comprehensive revision of all laws, technologies and organizational structures around cyber-security. This is a fundamentally misguided approach; it warps policy perspectives, militarizing what are in essence civil problems and subordinating the protection of people and households to the protection of vaguely defined “national” interests conceived in terms of rarified inter-state rivalries.

Contrast the CSIS approach with the more accurate and carefully considered conclusion of a report published by a Dutch research agency in collaboration with a U.S.-based academic institute:

“Because the internet has no natural political boundaries, national boundaries are not effective to partition cyber security policy responsibilities. And even though security is a basic public sector concern, and typically regulated at the government level, the bulk of the capability for dealing with cyber security risk is not in the hands of governments but lies with the private or semi-private sector entities that actually manage and operate the ICT infrastructure.”

That report gets it right.

The critical starting point of any intelligible discussion of cyberspace “security” is to ask: security of what? Against what threat? Starting from these questions, one can identify four different levels of security, based on the degree of societal aggregation. Each level has its own distinctive problems and appropriate solutions; and as we shall see, major confusion can result from conflating them.

The first level is the security of the individual end user or household. Security problems at this level pertain to crimes against a specific person, and to the security of his or her networked facilities. The infrastructure components that need to be “secured” are the desktop personal computer and its operating system; the sensitive and private personal data that might be stored on it; the mobile phone; the channel from the ISP to the home. Individual end users are the most common target of the spammers, the phishers, the spyware and adware producers. Security breaches at this level are small-stakes in relative terms, but the number of targets is large and, like all civil crime, the activity is persistent and ongoing. Thus in aggregate terms the individual-household level of security is probably the largest and most important, rivaled only by the organizational level (see below).

The second level pertains to organizations. Organizations are units of coordinated social activity that involve larger groups of people. They typically have their own information systems, dedicated network facilities, software applications and sensitive or proprietary information. This category includes both commercial/private sector organizations and public departments and agencies. Organizational security can be compromised through network intrusions and disruptions, theft of valuable data or intellectual property, or denial-of-service attacks and blackmail. Organizations might face a broad variety of attackers. The most damaging attacks have come from criminals interested in economic gain, but the source of breaches might also be competitors or disgruntled or dishonest insiders. Much more rarely, the threats might come from foreign states and intelligence agencies. Security breaches at the organizational level are usually more difficult to carry out and hence fewer in number, but each incident has potentially larger effects (e.g., TJ Maxx). The stakes of informational security at the organizational level rise as more organizations rely more on information systems for their operations, or base their business model on online service delivery or on the production and distribution of information or knowledge.

The third level is what might be called threats to national security. These are threats that target either the state as a whole or which pose some kind of systemic threat to the economic and social activity that sustains an entire nation. Defense against this kind of a threat is a collective good and requires a holistic view of societal interdependence. Threats at this level, however, come from a very small and limited class of actors. First and foremost, such threats come from other states. Secondarily they can come from well-organized terrorist groups with some kind of grievance against a state or a society. Even more rarely, such a threat might come from mass, coordinated civil disturbances generated from within a society, as in Estonia. To pose a security threat of this order, the attacker must choose vulnerable points of general interdependency, such as electrical power grids, key telecommunication facilities, or financial networks, and impose sufficient damage to disable them for significant periods of time.

It is difficult to see how attacks on and through cyberspace alone, however, can mount a credible threat to national security without being supplemented by more physical means of action such as invasions, occupations or bombings. The attack on Estonia’s cyberinfrastructure was damaging, for example, but until and unless it was backed by a threat of physical invasion or occupation it was more like a form of harassment or protest than a threat to the government itself. What made the Georgian incident so interesting and chilling was its possible linkage to a physical invasion and the secession of a territory.

Finally, with respect to the Internet one must also mention the possibility of a transnational or even global security threat, one that would disrupt or disable elements of the Internet infrastructure without regard to which particular nation or society was affected. An attempt to disable all of the DNS root servers, for example, could slow or stop most internet traffic for a time – and there have been such attempts. Protection against these kinds of threats is a collective good, but obviously the nation-state is not the most suitable institutional expression of the affected collectivity. Given our current institutional arrangements, defense against such threats requires international and transnational cooperation.

There are, then, at least 4 distinct levels of social organization at which network threats occur. The fallacy of many current discussions of information security is to valorize and exaggerate threats at the national level, and to conflate national security issues with the more mundane but actually more common and pressing problems of organizational and individual/household security.

Most of the societal risk from Internet security problems occurs at the individual and organizational levels. It is possible that major and systemic lapses in security at these lower levels, especially within government agencies, could cumulatively contribute to a true national security problem. For example, if the information infrastructures of nuclear power plants, banks, and military agencies were so porous that sensitive information could be gathered and used as part of a coordinated attack by a determined enemy, then organization-level problems might become national-level problems. But this is true if and only if there is an attacker whose object is the destruction of the state or a major disruption of society (as opposed to merely breaking into or stealing information from a particular agency). As noted before, there are very few attackers with either the motivation or the resources to do this. Nothing confines such enemies to cyber-disruptions; they would choose any line of attack that was the most cost-effective and damaging, including especially physically destructive methods. And insofar as such enemies exist, they can and should be handled through military channels and methods, not through sweeping Internet and communications policy focused on the civilian sectors.

At the individual/household level, it is true that the problem of botnets creates massive externalities, but here again, most of the actual problems caused by botnets are felt at the organizational and household level, and many actors have incentives to fight against them. While there is a legitimate policy debate over whether stronger governmental action is needed (e.g., by imposing liability on software producers or intermediate liability on ISPs), we add nothing substantive or useful to that debate by redefining it as a “national security” issue.

3 comments

  1. Anonymous

    Excellent analysis, Milton. The only thing I would add is that the reason this analysis has a hard time reaching an audience is the phenomenon you described in the one-but-last paragraph: many threats at the lower levels can be framed as national security threats. As a policy narrative, it is very difficult to argue against these scenarios. That there is a more limited class of actors involved doesn't really help. You only need a few. Add in some stuff about asymmetric warfare and the narrative becomes all but unstoppable.

  2. Anonymous

    False dichotomies don't do much to enhance understanding, or security, Milton. In fact they probably have the opposite effect.
    Categorically asserting that something is an individual or organization-level threat, and/or that remedies can only be sought at the individual or enterprise level represents the same kind of category error(s) that would result from the assertion that only national interests and/or government solutions are possible. Both claims rely on implicit assumptions about the absolute superiority of one kind of power or actor or solution over the other in some abstract theoretical sense, and thus fail to reckon with the historical fact that changes in security arrangements are almost invariably driven by *events*.
    In all likelihood, if some function or institution that is deemed to be “truly critical” by some influential interest — governmental, societal, or commercial — is subjected to a crippling Internet-based attack, the debate about whether government or private parties were to blame will last somewhere between zero and (small number) minutes, after which decisive action will follow. If that happens, and enough private actors continue to possess the means to act effectively in a coordinated fashion, then in all likelihood the established precedent of private “self-governance” mechanisms will continue to be the norm for the Internet. If private actors fail to do so, either because of lack of consensus or an erosion of their ability to take effective coordinated action, then the theoretical inferiority of government action will quickly become debatable, as the intervention of national government actors will inevitably cause the contours of the Internet to shift in ways that will make it more tractable to national level laws and enforcement mechanisms.
    Arguably, wishing that this were not so, asserting that such an outcome would be inefficient or suboptimal, and/or encouraging individual private sector actors to “go their own way(s)” in hopes of becoming absolutely ungovernable are all less likely to produce your desired outcome than to have the opposite effect. The global Internet will never be sustainable through pure bilateral “counterparty surveillance” alone, any more than was/is the now crippled global financial sector. Pretending otherwise invites the same fate. –Tom Vest