The Internet is organized around “autonomous systems” — independently managed networks most of which are privately owned or, if public, managed at the agency or department level. The current institutional structure for public governance, on the other hand, is organized around nation-states.

That disjunction encourages some actors to construct Internet security as a national security issue. Political claims that invoke “national security” can inflate budgets and provide for more effective political mobilization within bureaucracies and the political class. A recent report from a “Commission on Cyberspace Security for the 44th Presidency” assembled by the Center for Strategic and International Studies (CSIS), a Washington DC-based think tank with longstanding roots in Cold War dialogue, exemplifies this problem. Written late in 2008, it urged the incoming President to proclaim that “cyberspace is a vital asset for the nation and…the United States will protect it using all instruments of national power.”

Rather than conceiving of the Internet as a global space where individuals and organizations interact and routinely confront issues of crime and vandalism, the CSIS report attempts to make a national security perspective the basis for a comprehensive revision of all laws, technologies and organizational structures around cyber-security. This is a fundamentally misguided approach; it warps policy perspectives, militarizing what are in essence civil problems and subordinating the protection of people and households to the protection of vaguely defined “national” interests conceived in terms of rarified inter-state rivalries.

Contrast the CSIS approach with the more accurate and carefully considered conclusion of a report published by a Dutch research agency in collaboration with a U.S.-based academic institute:

“Because the internet has no natural political boundaries, national boundaries are not effective to partition cyber security policy responsibilities. And even though security is a basic public sector concern, and typically regulated at the government level, the bulk of the capability for dealing with cyber security risk is not in the hands of governments but lies with the private or semi-private sector entities that actually manage and operate the ICT infrastructure.”

That report gets it right.

The critical starting point of any intelligible discussion of cyberspace “security” is to ask: security of what? Against what threat? Starting from these questions, one can identify four different levels of security, based on the degree of societal aggregation. Each level has its own distinctive problems and appropriate solutions; and as we shall see, major confusion can result from conflating them.

The first level is the security of the individual end user or household. Security problems at this level pertain to crimes against a specific person, and to the security of his or her networked facilities. The infrastructure components that need to be “secured” are the desktop personal computer and its operating system; the sensitive and private personal data that might be stored on it; the mobile phone; the channel from the ISP to the home. Individual end users are the most common target of the spammers, the phishers, the spyware and adware producers. Security breaches at this level are small-stakes in relative terms, but the number of targets is large and, like all civil crime, the activity is persistent and ongoing. Thus in aggregate terms the individual-household level of security is probably the largest and most important, rivaled only by the organizational level (see below).

The second level pertains to organizations. Organizations are units of coordinated social activity that involve larger groups of people. They typically have their own information systems, dedicated network facilities, software applications and sensitive or proprietary information. This category includes both commercial/private sector organizations and public departments and agencies. Organizational security can be compromised through network intrusions and disruptions, theft of valuable data or intellectual property, or denial of service attacks and blackmail. Organizations might face a broad variety of attackers. The most damaging attacks have come from criminals interested in economic gain, but the source of breaches might also be competitors or disgruntled or dishonest insiders. Much more rarely, the threats might come from foreign states and intelligence agencies. Security breaches at the organizational level are usually more difficult to carry out and hence fewer in number, but each incident has potentially larger effects. (TJ Maxx) The stakes of informational security at the organizational level rise as more organizations rely more on information systems for their operations, or base their business model on online service delivery or on the production and distribution of information or knowledge.

The third level is what might be called threats to national security. These are threats that target either the state as a whole or which pose some kind of systemic threat to the economic and social activity that sustains an entire nation. Defense against this kind of a threat is a collective good and requires a holistic view of societal interdependence. Threats at this level, however, come from a very small and limited class of actors. First and foremost, such threats come from other states. Secondarily they can come from well-organized terrorist groups with some kind of grievance against a state or a society. Even more rarely, such a threat might come from mass, coordinated civil disturbances generated from within a society, as in Estonia. To pose a security threat of this order, the attacker must choose vulnerable points of general interdependency, such as electrical power grids, key telecommunication facilities, or financial networks, and impose sufficient damage to disable them for significant periods of time.
It is difficult to see how attacks on and through cyberspace alone, however, can mount a credible threat to national security without being supplemented by more physical means of action such as invasions, occupations or bombings. The attack on Estonia’s cyberinfrastructure was damaging, for example, but until and unless it was backed by a threat of physical invasion or occupation it was more like a form of harassment or protest than a threat to the government itself. What made the Georgian incident so interesting and chilling was its possible linkage to a physical invasion and the secession of a territory.

Finally, with respect to the Internet one must also mention the possibility of a transnational or even global security threat, one that would disrupt or disable elements of the Internet infrastructure without regard to which particular nation or society was affected. An attempt to disable all of the DNS root servers, for example, could slow or stop most internet traffic for a time – and there have been such attempts. Protection against these kinds of threats is a collective good, but obviously the nation-state is the not most suitable institutional expression of the affected collectivity. Given our current institutional arrangements, defense against such threats requires international and transnational cooperation.

There are, then, at least 4 distinct levels of social organization at which network threats occur. The fallacy of many current discussions of information security is to valorize and exaggerate threats at the national level, and to conflate national security issues with the more mundane but actually more common and pressing problems of organizational and individual/household security.

Most of the societal risk from Internet security problems occurs at the individual and organizational levels. It is possible that major and systemic lapses in security at these lower levels, especially within government agencies, could cumulatively contribute to a true national security problem. For example, if the information infrastructures of nuclear power plants, banks, and military agencies were so porous that sensitive information could be gathered and used as part of a coordinated attack by a determined enemy, then organization-level problems might become national-level problems. But this is true if and only if there is an attacker whose object is the destruction of the state or a major disruption of society (as opposed to merely breaking into or stealing information from a particular agency). As noted before there are very few attackers with either the motivation or the resources to do this. Nothing confines such enemies to cyber-disruptions; they would choose any line of attack that was the most cost-effective and damaging, including especially physically destructive methods. And insofar as such enemies exist, they can and should be handled through military channels and methods, not through sweeping Internet and communications policy focused on the civilian sectors.

At the individual/household level, it is true that the problem of botnets creates massive externalities, but here again, most of the actual problems caused by botnets are felt at the organizational and household level, and many actors have incentives to fight against them. While there is a legitimate policy debate over whether stronger governmental action is needed (e.g., by imposing liability on software producers or intermediate liability on ISPs), we add nothing substantive or useful to that debate by redefining it as a “national security” issue.