Nagging questions in cybersecurity research  12.4.10

It doesn’t happen too often that you read about a conference or a workshop and think: Now, that was about time! Internet governance is about to undergo some fundamental changes, and states are getting ever more involved, mostly to address internet security problems. A plethora of questions need to be resolved to deal with these problems with well-designed institutions. And yet, as far as I can tell, there is no major research programme on internet security governance going on anywhere on this planet. Hence, the workshop “Europe And The Global Information Society Revisited: Developing A Network Of Scholars And Agenda For Social Science Research On ‘Cyber Security’” could not have been more timely.
The Center for Media and Communication Studies at the Central European University (Budapest, Hungary), in partnership with the Centre for Global Communications Studies at the Annenberg School of Communications (Philadelphia, USA), will convene 30 selected experts next week at CEU in Budapest for a Strategic Workshop sponsored by the European Science Foundation (ESF). Flatteringly, if rather undeservedly, I will be on a panel discussing the relations between cybersecurity on the one hand and International Relations, governance and institutions on the other. What follows is my take on some blind spots in internet security research from a social scientific perspective.

The disruptive nature of the internet has been acknowledged and can be experienced in a wide range of societal dimensions. It has changed and still is changing the ways we communicate, how businesses are organised, how people collaborate, how we produce, exchange and consume informational goods. The internet is making inroads in domestic and international communications. However, the impact of the internet on the core institutions of organising security and the institutional necessity for organising internet security are still nebulous.

Cybersecurity can be seen as the umbrella concept for technologically related problems that are addressed in fundamentally different ways, both institutionally and in terms of governance: disturbance of infrastructural performance, internet-based crime, warfare and terrorism. As to practical governance, each of these problems needs to be properly assessed, empirically evaluated and practically addressed with appropriate means and institutions.

This is where the problem starts: Empirical analysis seems to be insufficient in nearly all the aforementioned security dimensions. While everyone seems to agree that cybercrime causes billions in damages, the numbers vary widely. Analyses are often funded and executed by persons or organisations with vested interests; problems are occasionally exaggerated, hyped and securitised, and numbers are overblown and not set in context. Hence, the scale of internet security problems and their respective risks need to be clarified.

Regarding institutions, we are currently witnessing the emergence of state-driven internet security architectures as an attempt to deal with cybercrime-type internet security problems. Internet security policy seems to be more and more driven by actors that have always played a crucial role in nation states’ security politics: governments, states, international organisations, police forces, military and intelligence agencies. In a sense, national security institutions are reclaiming the state’s sovereignty to regulate whatever is within their territories. It is arguable whether this institutional approach will solve internet security problems such as phishing or botnets.

Ongoing debates in most Western countries on, e.g., web-filtering are framed by those in favour as a necessity to overcome a lack of enforceability of national criminal laws (sexual criminal law, property law, treason, other types of content regulation). The argument of non-enforceability is based on a) the lack of reach of national law enforcement agencies (LEAs) beyond their jurisdiction and territorial borders, b) the lack of cooperation of foreign national LEAs, c) the agility of perpetrators to change their locus of action, technologies and tactics, d) the slowness of legal international cooperation, e) the unlawfulness of direct cooperation between national LEAs and foreign non-state actors such as ISPs, f) the non-cooperative stance of rogue countries. The question here is whether those national approaches are caused by a lack of institutional adaptivity on the side of national legislation, by entrenched interests of national security authorities and other societal interests, or justified by the nature of the problems. The idea of evidence-based governance suggests that we should know the empirics of the scale of the problem and the effects of regulation before regulation is proposed.

Currently, internet governance is characterised by institutional diversity, and likewise, internet security problems are addressed by different organisational and institutional forms. These differences can be found in criteria like the degree of state involvement in policy formulation, policy implementation or security operations, the degree of hierarchical forms of steering, the degree of information sharing, the kind of threats to internet security or the kind of objects of internet security dealt with by the governance form. The diversity of current modes of internet security governance and provisioning seems to be underexamined. The same holds true for the relationship between concurrent modes of governance/provisioning.

New technologies in general allow for reorganising existing organisational, political and production processes. With the rise of the internet, not only have new types of security problems evolved, but new ways of organising tasks and processes on any societal level have also become possible. We need to explore and assess new possibilities in security provisioning and their normative consequences.

The geopolitics of internet security governance and provisioning is another topic lacking thorough research. The internet has played a stunningly minor role for IR theorists for quite a long time. The trend of nationalising regulatory capacities highlights the necessity to analyse and assess the internet as a strategic resource for national politics and foreign policy strategies. Likewise, the idea of networked internet politics, the role of private actors therein, and their consequences for shared democratic political values and institutions require more thorough examination.
