Governing cybersecurity or the Internet? Report on our workshop

Participants at the 3rd annual IGP workshop went for a deep dive into the complexities of governance as it pertains to the Internet, cybersecurity, and national security. Held in Atlanta on the Georgia Tech campus, the 25-person workshop featured a complementary mix of academic researchers, industry representatives and military and public policy practitioners. The theme was: Who Governs – States or Stakeholders? Cybersecurity and Internet governance. It was based on the premise that cyber security claims have increasingly been used to enmesh various aspects of the Internet in foreign policy and military conflict, as well as in other national forms of regulation and control. Internet governance, on the other hand, is widely seen as something that should be subject to cooperative global governance in which state actors and nonstate actors participate as equals, and national territorial divisions are minimized.

Most of the papers presented at the meeting will be reviewed, revised and published in a special issue of the journal Digital Policy, Regulation and Governance. Adding flair to the event, the WannaCry incident broke out in the middle of it (though no one there was affected).

Concepts and history

The panel opening the workshop was based on a concern about the current tendency for cybersecurity-related discourse to dominate the way we approach many of the established problems of Internet governance. Milton Mueller’s paper, Is Cybersecurity Eating Internet Governance, contended that “cybersecurity and internet governance reflect competing conceptual frames for understanding and guiding our approach to policy and governance.” But what is the difference between Internet governance and cybersecurity governance and how can they be reconciled?

Computing historian Bradley Fidler provided fascinating background to that question. He explained how in the evolution of the ARPANET one model made security the responsibility of the endpoints, and another (AUTODIN II) relied on a security architecture embedded within the network infrastructure itself. Fidler concluded that the victory of the end-to-end model over the integrated model led to a path-dependent separation between networking and security researchers, and (in the civilian sector) a system of technological and governmental traditions built around a foundationally insecure Internet. “Insofar as networking and cybersecurity research continues to be understood as two separate professional domains, or even policy circles,” he concluded, “that distinction should be challenged.”

Louise Marie Hurel, a Brazilian researcher, described how the consolidation of calls for cybersecurity is producing new international norms, institutions, technical standards and other governance-related mechanisms. Her paper analyzed the institutional mechanisms where Internet and cybersecurity governance processes overlap. She then entertained the question: how can we address cyber security in a more granular way so as to capture it as part of a wider field of dynamics?

Having been to a number of events full of the usual suspects in cyber/IR, it was really quite refreshing to interact with a new community. –Jon Lindsay, University of Toronto Munk Center.

Google’s Senior Advisor for International Policy Will Hudson agreed that cybersecurity governance interacts with Internet governance. Cybersecurity must be discussed in the context of the broader economic and development aspects of the Internet, he said. A global, open internet is one of the most important things that cybersecurity policy should attempt to protect.

In his comments as a discussant, and later in his paper presentation, TU Delft cybersecurity researcher Michel van Eeten challenged the concepts of governance that were put forth. In his view, most of the real Internet and cybersecurity governance is located in the operators who have control of platforms and essential resources. This is true, Mueller countered, but the freedom of those operators to make decisions is contingent upon an Internet governance model that allows distributed, decentralized and often transnational decision making, and that model may be threatened by growing links between national security and cyber security. Van Eeten acknowledged that states are much more prominent as offensive actors, but did not see any dramatic new initiatives inserting states into a stronger role in defense. “The fights among the two governance models is a debate that seems by and large decoupled from how security governance actually functions.” Van Eeten also raised questions about whether the whole concept of Internet governance is meaningful: as the Internet permeates every aspect of society, “Internet” cannot be considered a coherent space of governance, but would be broken down into different sectors such as health, media, and so on.

Interaction with General Breedlove

The next event was a lively conversation with General Philip Breedlove, Distinguished Professor at the Sam Nunn School of International Affairs and former NATO Supreme Allied Commander for Europe. Breedlove has a direct relationship to what he called “weaponized espionage”: seven years of his emails were obtained through hacking attributed to Russia, and DCLeaks published the emails in an attempt to undermine his leadership of NATO. According to Breedlove, an Advanced Persistent Threat such as that posed by Russia will challenge self-governance of the Internet. He believes that our nation should be more actively involved in responding to such attacks, but contended that the U.S. has decided not to compete on the field of information warfare. “When are we going to take the field and compete?” he asked.

Participants were lining up to interact with General Breedlove. In response to one question he admitted that our “nose is not clean” regarding interference in some foreign elections, but maintained that the U.S. did not play a role in manipulating Ukraine. Asked whether there is a contradiction in using CNE (computer network exploitation) against nations we want to be our partners, he replied that spying on each other doesn’t prevent us from cooperating against a common enemy; we are doing espionage, but not weaponizing it. When one participant observed that some answers to questions about how to respond to the Russians are not commensurate with our values, Breedlove replied that “this is the question of the hour.” There are actions that we should never take, he said, but there are also gray areas, and he drew upon his experience with collateral damage estimates in conventional warfare. Asked how to respond to information warfare in kind without getting into domestic propaganda, Breedlove said that the U.S. should not do domestic propaganda. We eventually ran out of time.

The institutional landscape

The next session attempted to look holistically at the governance of cybersecurity. A paper by Brenden Kuerbis and Farzaneh Badiei is the first step in a larger project providing a coherent empirical picture of the cybersecurity institutional landscape. Drawing upon institutional economics, they distinguished between three distinct governance structures at work in the production of cybersecurity: markets, networks and hierarchies. A table analyzing how these different governance structures interact in both ex ante and ex post efforts to achieve cybersecurity led to a tentative conclusion that ex ante methods to govern cybersecurity via standards and regulations seemed to be less flexible and effective than ex post methods, where all three governance structures could be seen at work.

A presentation by Arastoo Taslim of CyberGreen, which describes itself as a “global community to measure and improve cyber health,” showcased its development into an informational resource capable of advising governments, CERTs and other actors in the cybersecurity arena.

The talk by Michel van Eeten began by emphasizing how disconnected the discourse about cybersecurity governance is from actual control of cybersecurity. He defined governance as “policy-driven control over internet resources, systems and services,” and stated that control emanates from ownership. Van Eeten saw very few mechanisms that connect multistakeholder governance processes to actual control or influence over how cyber resources are allocated and administered. Most people who style themselves as “stakeholders” in political governance circles lack any direct connection to operational control, he added. Worse, the top four conferences in cybersecurity, according to van Eeten, almost never mention governance; there is “very crude and simplistic thinking” in that world about how to solve problems that are in fact governance problems.

In his talk, van Eeten raised a very interesting question: how are property rights changing because of security threats and vice versa? But his paper did not provide a theoretically grounded analysis of this, relying instead on a macro-description drawn from Bruce Schneier, namely that cloud computing and closed platforms are shifting more control to big companies and many software dependencies reduce the property rights of device and equipment owners. He did, however, provide a meta-analysis of three of his empirical measurement projects and explained how the data they generate can provide insight into cybersecurity governance issues.

The discussant for this panel was Microsoft’s Senior Director of Cybersecurity Policy and Strategy Angela McKay, who is also a Georgia Tech alum. As an executive at a major platform operator, she appreciated the way the Kuerbis-Badiei paper pulled out the nuance that is often missing in public policy conversation about cybersecurity. We have to think about the interplay of markets, hierarchies and networks, she said, rather than a polarity between hard assertions of government power and no government involvement. McKay’s comments developed an intriguing concept of “horizonticality.” Horizontal factors cut across the entire ecosystem with uniform requirements and standards, whereas on top of that are vertical business-unit or sector-specific requirements that must respond to the unique risks of those environments. What we need is some form of ‘horizonticality’ that meshes the two, but she did not provide concrete examples. Reinforcing the sharp distinction between societal cybersecurity and national cybersecurity in the paper presented by Mueller, McKay called for a clear separation between measures that increase security for all, and forms of security that are only relevant to geopolitics and particular states. She also expressed a concern that state intervention becomes an exercise in compliance more than an improvement in security.

New institutions?

The next day of the workshop focused on proposals for new global institutions and on the relationship between cybersecurity and content-based “information warfare.”

The topic of new institutional proposals was addressed by Duncan Hollis of Temple Law, Jan Neutze and Angela McKay of Microsoft, and Jon Lindsay of the University of Toronto. Hollis presented an idea for a cybersecurity federation modeled on the Red Cross, an idea he is working on with Tim Maurer of the Carnegie Institute. Hollis contended that international institutions are a “third way” distinct from the states vs. stakeholders workshop frame: an international institution created through private ordering. The history of the Red Cross as a voluntary society based on humanitarian concerns, which states both recognize and commit to leaving alone, is highly pertinent to cybersecurity governance. The issues facing the Red Cross share characteristics with cybersecurity along multiple lines, including heterogeneity, duration, persistence, distribution, dynamism, and distrust.

Next up was the Microsoft team, elaborating on its call for a “Digital Geneva Convention” (DGC). The DGC is actually a brand name for three global governance initiatives. One is a binding governmental agreement with 10 key commitments; the second is a Tech Sector Accord in which major platform providers commit themselves to neutrality vis-à-vis states and geopolitical conflicts; the third is a global Attribution Organization. The team acknowledged that we already have some idea of how to apply the laws of war to cyber operations, but the proposed convention is intended to address the many state-initiated attack scenarios that fall short of war. Neutze took account of the many existing governmental efforts to promote responsible behavior in cyberspace, such as the UN GGE and the G7 declaration, but noted two severe limitations on them. With respect to states, they are only voluntary agreements and we need to move to binding commitments; and the dialogue needs to be more multi-stakeholder.

Dr. Lindsay made three main points challenging panic about cybersecurity. 1) Cyberspace itself is an institution; protocols are agreed rules and its workings rely on trust and cooperation amongst the connected parties. Software, according to Lindsay, “is essentially an incomplete contract that is flexible enough to deal with a wide range of unforeseeable situations without requiring renegotiation each time.” 2) Because cyberspace is such a thickly institutionalized environment, restraint is built into actor incentives. “Hackers have more in common with intelligence or terrorist operatives in an alien society who must depend on their wits and tradecraft to survive, as contrasted with uniformed soldiers who can call for fire support to reduce enemy resistance.” Like parasites and hosts, their survival depends on the continued functioning of the cyber ecosystem. 3) Conflict is less dangerous than normally assumed: “low risk but low impact cybercrime is prevalent, high risk but potentially high impact cyberwarfare is rare, and targeted espionage falls somewhere in between.” Responding to the Microsoft paper, Lindsay noted that actors strategically choose to enter the gray zone below the threshold of war.

Critical discussion initially focused on the start-up costs and barriers to new institutions. US hegemony over the early Internet eased the creation of ICANN. The NetMundial conference in April 2014, which successfully mobilized a broad range of actors, was followed by the failure of the NetMundial Initiative, which had mostly the same backers and attempted to draw from the same community. The Red Cross model has a less steep startup cost because of its federated model, it was noted, and the attribution organization proposed by Microsoft seems to fit in well with Hollis’s idea of a cyber-federation. Lindsay was asked: What traction do we get on the cybersecurity governance problem by thinking about the Internet as an institution and software as incomplete contracts?

Several participants were impressed with the way in which a private corporation such as Microsoft was willing to break out of its purely commercial role and think so systematically about global governance. Apparently they see trust in their products as a global public good, which implies a need to detach themselves from alignment with states. How many of the global platforms are willing to do this and how many of them are not American?

Content regulation and info war

The intense controversy surrounding the U.S. Presidential election has led to the militarization – at least in rhetoric – of many aspects of media and public communication, as well as to the ‘weaponized espionage’ to which General Breedlove referred. This session examined the classic distinction between information content and cybersecurity in US policy. Its recent erosion in the wake of the Russian DNC hack, fake news, terrorist use of social media and related cases of foreign influence on domestic politics has important implications for Internet governance.

Professor Hans Klein began by developing a simple conceptual model of what he called information warfare. Distinguishing between the state and society, he looked at information warfare as an indirect attack of one state on another state via the medium of messages directed at the opposing state’s society. He then turned to the topic of Russia Today (RT) and presented the results of a content analysis of RT he did with doctoral candidate Karl Grindal. In Klein’s telling, RT looked more like an alternative media source, similar to left- and right-wing domestic critics. Indeed, he showed that many of the critiques the FBI made of RT could equally apply to the progressive left. Klein combined his defense of the legitimacy of foreign-sponsored media as alternative news sources with a critique of the biased, monopolistic, homogenous US mainstream media. The quantitative data analyzed by Grindal, however, showed a change in the diversity and sources of information presented on RT after the annexation of Crimea. Post-invasion, there were markedly fewer domestic sources and more Russian sources aired on RT.

Jaclyn Kerr described a striking change in tone about Internet communications, a turn toward a paradigm of “information security” which does not view content and technical cybersecurity as separate. Ten years ago, the Internet was seen as a “liberation technology,” and the control exercised by authoritarian regimes was thought to be based on insulating citizens from information. In the last year Internet communications have come to be perceived more as a threat in liberal democracies, whilst authoritarian regimes use more subtle forms of information manipulation designed to change the discourse rather than block it; e.g., enhanced surveillance; kompromat; intermediary pressure; crackdowns on independent media; computational propaganda, bots, trolls. This creates new challenges to the freedom of expression paradigm and affects Internet governance.

Shawn Powers, Executive Director of the U.S. Advisory Commission on Public Diplomacy, presented some of the findings from the ACPD’s recently released report: Can Public Diplomacy Survive the Internet? Powers focused on the chapter on computational propaganda, which describes many of the automated and AI techniques used to operate social media bots. Computational propaganda and bots can be used to suppress others as well as amplify

Discussant Jon Lindsay responded to Kerr and Powers by characterizing the problems as adverse selection in the classic Akerlof sense. What kind of signals, he asked, could be made bot-resistant? Biometric keys? Lindsay heard echoes of the counterinsurgency literature in Klein’s paper and cited US Naval War College’s Colin Jackson’s article, Information is not a Weapons System, which argues that marketing is a better model than warfare. Second discussant Milton Mueller began by noting that he, like Kerr, had noticed the abandonment of the content/cybersecurity distinction in the US over the past year, and that the reaction to the DNC hack during the election has now accelerated the stampede down that path. He stated that he rejects any definition of media as a cyber weapon, and asked what has made us lose confidence in the rationality of an environment of free expression. These are new and interesting problems, but there is no convincing evidence that departures from the basic paradigm of a free and open information environment will improve the situation. He added that we have been dealing with commercially-motivated attempts to game and manipulate the information environment for some time: spam, search engine optimization (SEO), clickbait. Facebook and other platforms have very strong incentives to find ways to deal with fake news, just as ISPs dealt with spam and Google dealt with SEO gaming and manipulation.

The papers from the workshop should appear in the last 2017 issue of Digital Policy, Regulation and Governance.
