<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>netdefences &#187; internet security governance</title>
	<atom:link href="http://netdefences.com/tag/internet-security-governance/feed/" rel="self" type="application/rss+xml" />
	<link>http://netdefences.com</link>
	<description>internet security, research and politics</description>
	<lastBuildDate>Thu, 02 Feb 2012 10:35:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>&#9733; Post-Stuxnet market failures and socialisation of risks?</title>
		<link>http://netdefences.com/2012/02/post-stuxnet-market-failures-and-socialisation-of-risks/</link>
		<comments>http://netdefences.com/2012/02/post-stuxnet-market-failures-and-socialisation-of-risks/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 10:35:38 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[internet security]]></category>
		<category><![CDATA[incentives]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=340</guid>
		<description><![CDATA[More than a year ago, we&#8217;ve learned that Stuxnet would be a game changer. Indeed, no advisor in all things security missed to mention that the alleged U.S.-Israel (Langner) originated hack and blow-up of Iranian Uranium enrichment facilities posed a show-case of future attacks on our beloved infrastructures and industrial production sites. While one might [...]]]></description>
			<content:encoded><![CDATA[<p>More than a year ago, we learned that Stuxnet would be a game changer. Indeed, no advisor in all things security failed to mention that the allegedly U.S.-Israeli (<a href="http://netdefences.com/2011/10/anonymous-cyber-terror/">Langner</a>) hack and blow-up of Iranian uranium enrichment facilities was a showcase of future attacks on our beloved infrastructures and industrial production sites. While one might argue that the transfer of the world&#8217;s production sites to China tempers the scare somewhat, there are still some Industrial Control Systems implemented and running within, say, the EU or the U.S. With Stuxnet discussed ad nauseam both at security conferences and in global mainstream media, with policy awareness raised up to the level of the leaders of the universe, with calls for decisive policy responses on all policy levels, for cyber-defence programmes against prospective cyber-warfare attacks (by others than the U.S. and Israel), and for national and international critical infrastructure protection programmes – with all that, one would assume that at least some of the most obvious steps have been accomplished.</p>
<p>And then you read <a href="http://www.digitalbond.com/2012/01/26/basecamp-1-week-later-outrage">an update by the commercial community</a> of technical experts on Industrial Control Systems. According to their assessment, the ICS industry acts deaf and, akin to the automotive industry in &#8220;Fight Club&#8221; (in the scene in which the automotive white-collar insomniac protagonist meets Tyler Durden on the airplane), finds it cheaper to let systems go bust occasionally and pay for some clean-up than to fix the systems preventively. Industrial control systems are still highly buggy, as a group of <a href="http://www.digitalbond.com/2012/01/19/project-basecamp-at-s4/">ICS security researchers around the consultancy Digitalbond tried to showcase at their SCADA Security Scientific Symposium (S4)</a>. For experts in the field, this has been common knowledge for more than a decade.</p>
<p>The technical ICS geniuses at the S4 conference put all the blame on the vendors, such as Siemens, General Electric, Schneider Modicon, Rockwell Automation, SEL, or Koyo Automation. But is it that easy? My experience from general IT, not ICS admittedly, tells me that life is more complicated. Independent consultancies, which are bound to specific vendors, certainly have no incentive to blame existing or prospective customers. More substantially, while there might be customers with inadequate security procedures out there, I highly doubt that knowledge about the notorious insecurity of a particular set of artefacts doesn&#8217;t exist somewhere in customer companies and doesn&#8217;t climb up the communication ladder to the CIOs or CSOs. If owners are not interested in getting their 20-year-old ICS fixed, a vendor interested in subsequent orders wouldn&#8217;t want to embarrass itself and its clients by being utterly explicit about the risks or the security hiccups of the installed base of legacy systems.</p>
<p>The financial sector and the nuclear industry serve as nice role models for dealing with what we institutional-economics-infected researchers call negative externalities of societal or technical systems. For both system vendors and owners of such infrastructures, inactivity is a viable response to the publication of vulnerabilities. Why would you want to spend millions on hardening your chemical facilities against a rather hostile hack into their control systems? If shit hits the fan, writing off your production site and transferring the external costs to the public is probably the most economic approach. Just make sure that the downfall of one site doesn&#8217;t bring down the complete parent group, as with those TEPCO guys who failed to install proper economic firewalls inside their group. There are no columns or rows for the rhetoric of cyber-warfare in the Excel sheets on which executive boards of infrastructure owners rely in their decision making. The <a href="http://threatpost.com/en_us/blogs/market-fail-regulations-may-be-only-hope-securing-critical-infrastructure-020112">ongoing installation of insecure systems and components</a> is certainly worrying.</p>
<p>The great potential realigner of incentives, aka public authorities, has remained rather calm on this issue, too. For Europe, Kroes is gunning for &#8220;<a href="http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/47&#038;format=HTML&#038;aged=0&#038;language=EN&#038;guiLanguage=en">providing the right incentives</a>&#8221;, but we don&#8217;t know yet what the Commission will come up with eventually. Hohlmaier, rapporteur of the European Parliament on cybersecurity issues and with a constituency in Siemens land, has been likewise silent on this, Google tells us. Inaction by incompetent or unwilling operators of information and industrial infrastructures might pose risks for the public at large. The public might want to live with some risks. Or it might prefer to have incentives realigned, i.e. to get regulations installed that force vendors, customers or third parties to invest in security measures. For the last couple of years, policy makers, researchers and public authorities have been obsessed with &#8220;incentivising&#8221; third parties such as ISPs to make up for the failures of vendors and customers of ICT systems. For industrial control systems, I don&#8217;t see this option. It&#8217;s either the vendors and/or the customers (owners of infrastructures) that need to foot the bill. Or learn to live with the risks. Just like we did with financial and nuclear systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2012/02/post-stuxnet-market-failures-and-socialisation-of-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[&#8220;so big it does my head in&#8221;]]></title>
		<link><![CDATA[http://www.economist.com/blogs/charlemagne/2011/10/cybersecurity-america-and-europe]]></link>
		<comments>http://netdefences.com/2011/10/so-big-it-does-my-head-in/#comments</comments>
		<pubDate>Fri, 14 Oct 2011 21:27:26 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[internet security governance]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=307</guid>
		<description><![CDATA[The unnamed Economist author shares her notes of a prep-conference for the upcoming cyber sec conference in London next month. A &#8220;senior&#8221; participant remarked: &#8220;It is so big it does my head in.&#8221; But why? The author notes: &#8220;Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around [...]<p><a href="http://netdefences.com/2011/10/so-big-it-does-my-head-in/" rel="bookmark" title="Permanent link to '&#8220;so big it does my head in&#8221;'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>The unnamed Economist author shares her notes of a prep-conference for the upcoming cyber sec conference in London next month.</p>
<p>A &#8220;senior&#8221; participant remarked:</p>
<blockquote><p>&#8220;It is so big it does my head in.&#8221;</p></blockquote>
<p>But why? The author notes:</p>
<blockquote><p>&#8220;Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around which societies and states are organised.</p>
<p>It mashes up people and geography. …</p>
<p>Cyber mashes up functions. …</p>
<p>Cyber mashes up the trivial and the critical. …</p>
<p>It mashes up weapons. …</p>
<p>Finally, the internet mashes up state and private … &#8220;</p>
</blockquote>
<p>Release often, release early:</p>
<blockquote><p>By definition we need international co-operation. … So we should start with something small and build out. I see it as a quilt, a patchwork…  The role of NGOs, think-tank and private experts in sensitising governments, without it seeming a form of electronic imperialism, is important.</p></blockquote>
<p>The role of states:</p>
<blockquote>
<p>Whatever the threat, it seems to me that the private sector will be involved in almost all responses. One working group made the point that “knowledge implies more responsibility”.</p>
</blockquote>
<p>Indeed, indeed. Operationally, cyber security rests on those who control the components that make up the internet.</p>
<blockquote>
<p>In any case, it is hard to translate rules and practices of war. Two examples: &#8211; Is private industry ready to be the warfighter? &#8211; How do you put red crosses on hospitals and orphanages? Do we have to put them on separate networks, ie, create a &#8220;dot.humanitarian&#8221; domain? Here we start to move into polders. Should we create &#8220;dot.secure&#8221; areas? People are willing to give up a lot of privacy in social networking. It seems to me that they would be willing to do it for security.</p>
</blockquote>
<p><a href="http://netdefences.com/2011/10/so-big-it-does-my-head-in/" rel="bookmark" title="Permanent link to '&#8220;so big it does my head in&#8221;'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/so-big-it-does-my-head-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[The Prince of Wales moment in cyberspace]]></title>
		<link><![CDATA[http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service]]></link>
		<comments>http://netdefences.com/2011/10/the-prince-of-wales-moment-in-cyberspace/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 12:31:32 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[USA]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=303</guid>
		<description><![CDATA[Stewart Baker, former official at DHS and NSA, in an article called &#8220;Denial of Service&#8221; on Foreign Policy: &#8220;We should not wait for our own Prince of Wales moment in cyberspace.&#8221; Now, that&#8217;s disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that [...]<p><a href="http://netdefences.com/2011/10/the-prince-of-wales-moment-in-cyberspace/" rel="bookmark" title="Permanent link to 'The Prince of Wales moment in cyberspace'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Stewart Baker, former official at DHS and NSA, in an article called <a href="http://www.foreignpolicy.com/articles/2011/09/30/denial_of_service?page=0,4">&#8220;Denial of Service&#8221; on Foreign Policy</a>: </p>
<blockquote><p>&#8220;We should not wait for our own Prince of Wales moment in cyberspace.&#8221;</p></blockquote>
<p>Now, that&#8217;s disturbing. Virtual Pearl Harbour no more. <a href="http://www.springerlink.com/content/u81w0th741113315/">Welcome</a> <a href="http://resources.metapress.com/pdf-preview.axd?code=u81w0th741113315&#038;size=largest">to</a>: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn&#8217;t start reading articles at their very last paragraph. The second to last comes to the rescue.</p>
<blockquote><p>In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors&#8217; lives.</p></blockquote>
<p>Besides that, the message is: </p>
<blockquote><p>But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.
</p></blockquote>
<p>Therefore, cyber strategies are necessary:</p>
<blockquote><p>The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.</p></blockquote>
<p>How to identify attackers with certainty without fundamentally altering the architecture of the internet or without the ability to enforce collaboration of intermediaries such as ISPs worldwide? The latter could be accomplished in several ways: a) by foreign governments acting as a proxy, convinced by diplomatic influence ad hoc or by institutions such as international treaties; or b) by supportive worldwide technical communities.</p>
<p><a href="http://netdefences.com/2011/10/the-prince-of-wales-moment-in-cyberspace/" rel="bookmark" title="Permanent link to 'The Prince of Wales moment in cyberspace'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/the-prince-of-wales-moment-in-cyberspace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[Microsoft shares some lessons from the Least Malware Infected Countries in the World]]></title>
		<link><![CDATA[http://blogs.technet.com/b/security/archive/2011/07/22/lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-1.aspx]]></link>
		<comments>http://netdefences.com/2011/10/microsoft-tells-some-lessons-from-the-least-malware-infected-countries-in-the-world/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 07:26:31 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=279</guid>
		<description><![CDATA[Microsoft&#8217;s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft&#8217;s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats. Answer from Austria by Leon Aaron Kaplan, CERT.at: &#8220;We believe the low piracy rate, combined with a generally strict IT [...]<p><a href="http://netdefences.com/2011/10/microsoft-tells-some-lessons-from-the-least-malware-infected-countries-in-the-world/" rel="bookmark" title="Permanent link to 'Microsoft shares some lessons from the Least Malware Infected Countries in the World'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Microsoft&#8217;s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft&#8217;s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.</p>
<p><a href="http://blogs.technet.com/b/security/archive/2011/08/02/austria-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-2.aspx">Answer from Austria</a> by Leon Aaron Kaplan, CERT.at:</p>
<blockquote>
<p>&#8220;We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.&#8221;</p>
</blockquote>
<p><a href="http://blogs.technet.com/b/security/archive/2011/08/04/finland-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-3.aspx">Answer from Finland by Erka Koivunen</a>, CERT.fi: skills and tools, admin culture, regulative environment. On regulation:</p>
<blockquote>
<p>There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.</p>
</blockquote>
<p>Microsoft&#8217;s local Chief Security Advisor in Finland adds: a community of peers in public and private sectors, and educated users.</p>
<p>Lessons from <a href="http://blogs.technet.com/b/security/archive/2011/08/12/germany-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-4.aspx">Germany</a> and <a href="http://blogs.technet.com/b/security/archive/2011/08/17/japan-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-5.aspx">Japan</a>.</p>
<p><a href="http://blogs.technet.com/b/security/archive/2011/08/24/finale-lessons-from-some-of-the-least-malware-infected-countries-in-the-world-part-6.aspx">Summing up</a>:</p>
<blockquote>
<p>1. There exists strong public – private partnerships that enable proactive and response capabilities<br />2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats<br />3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful<br />4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective<br />5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends<br />6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low</p>
</blockquote>
<p><a href="http://netdefences.com/2011/10/microsoft-tells-some-lessons-from-the-least-malware-infected-countries-in-the-world/" rel="bookmark" title="Permanent link to 'Microsoft shares some lessons from the Least Malware Infected Countries in the World'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/microsoft-tells-some-lessons-from-the-least-malware-infected-countries-in-the-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[&#8220;round the clock Internet surveillance&#8221;?]]></title>
		<link><![CDATA[http://www.coastweek.com/3438_cyber.htm]]></link>
		<comments>http://netdefences.com/2011/09/round-the-clock-internet-surveillance/#comments</comments>
		<pubDate>Fri, 30 Sep 2011 16:42:05 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[ITU]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=269</guid>
		<description><![CDATA[African news outlet coastweek.com reports from the ongoing Internet Governance Forum: According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime. Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet [...]<p><a href="http://netdefences.com/2011/09/round-the-clock-internet-surveillance/" rel="bookmark" title="Permanent link to '&#8220;round the clock Internet surveillance&#8221;?'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>African news outlet coastweek.com reports from the ongoing Internet Governance Forum:</p>
<blockquote><p>According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.</p>
<p>Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.</p></blockquote>
<p>Has <a href="http://en.wikipedia.org/wiki/Hamadoun_Touré">Touré</a> really called for &#8220;round the clock Internet surveillance&#8221;?</p>
<p>Anyhow, the design of <a href="http://www.coastweek.com/">coastweek.com</a> makes me feel 15 years younger.</p>
<p><a href="http://netdefences.com/2011/09/round-the-clock-internet-surveillance/" rel="bookmark" title="Permanent link to '&#8220;round the clock Internet surveillance&#8221;?'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/09/round-the-clock-internet-surveillance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[DHS, DoC ask for anti-botnet policy input]]></title>
		<link><![CDATA[http://www.federalregister.gov/articles/2011/09/21/2011-24180/models-to-advance-voluntary-corporate-notification-to-consumers-regarding-the-illicit-use-of#p-3]]></link>
		<comments>http://netdefences.com/2011/09/dhs-doc-ask-for-anti-botnet-policy-input/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 12:29:00 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[USA]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=240</guid>
		<description><![CDATA[Joint request by May, Strickling, Beers: The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the [...]<p><a href="http://netdefences.com/2011/09/dhs-doc-ask-for-anti-botnet-policy-input/" rel="bookmark" title="Permanent link to 'DHS, DoC ask for anti-botnet policy input'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Joint request by May, Strickling, Beers:</p>
<blockquote><p>The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets&#8217; illicit use of computer equipment.</p></blockquote>
<p>DHS asks for contributions in the following segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.</p>
<p>I&#8217;ve seen similar public requests for comments in other policy domains before in the political system of the US. Thus, I&#8217;m not sure whether this is as unique as it appears to be from my European perspective.</p>
<p>Currently, Microsoft – and not some state agency – seems to be <a href="http://www.pcworld.com/article/240661/microsoft_kills_off_a_botnet_by_striking_a_domain_provider.html">the botnet take-downer du jour</a>.</p>
<p><em>Update.</em> <a href="http://toinformistoinfluence.com/2011/09/28/microsoft-is-waging-cyberwar/">Joel Harding</a> with regard to Microsoft&#8217;s role in botnet response:</p>
<blockquote><p>DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?</p></blockquote>
<p><a href="http://netdefences.com/2011/09/dhs-doc-ask-for-anti-botnet-policy-input/" rel="bookmark" title="Permanent link to 'DHS, DoC ask for anti-botnet policy input'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/09/dhs-doc-ask-for-anti-botnet-policy-input/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Agency or networks &#8211; some thoughts about Europe&#8217;s ongoing internet security debates</title>
		<link>http://netdefences.com/2011/05/agency-or-networks-some-thoughts-about-europes-ongoing-internet-security-debates/</link>
		<comments>http://netdefences.com/2011/05/agency-or-networks-some-thoughts-about-europes-ongoing-internet-security-debates/#comments</comments>
		<pubDate>Sat, 21 May 2011 12:39:53 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[EU]]></category>
		<category><![CDATA[internet security governance]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/05/agency-or-networks-some-thoughts-about-europes-ongoing-internet-security-debates/</guid>
		<description><![CDATA[Well, I shouldn&#8217;t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I&#8217;ve been in Belgium a couple of weeks ago, used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of Waffles all over Midi station. It is like any [...]]]></description>
			<content:encoded><![CDATA[<p>Well, I shouldn&#8217;t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I&#8217;ve been in Belgium a couple of weeks ago and used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of waffles all over Midi station. It is as if every station comes with a little surprise for its passengers. At Luxembourg station, the one which neighbours the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba&#8217;s “The winner takes it all.” For sure she does. (Which reminds me of “Mamma Mia”: Meryl Streep has quite a voice, by the way.)</p>
<p>The voices of the European citizens are represented by representatives sitting in offices matching in size those of elaborated knowledge workers in corporate headquarters. A nice quality surplus, however, comes with the built-in bathroom cubicle to wash off the blood, sweat and tears of parliamentary representative duties and to meet and greet the lobbyesse du jour for background talks on lobby terms in a hopefully decent restaurant. There have probably been many discussions on internet security in the past weeks, as the European Parliament is heading for a couple of decisions relating to that very topic.</p>
<p>There is, for one, the more simple institutional and organisational question of what to do with <span class="caps">ENISA.</span> Giles Chichester doesn&#8217;t literally say, “Shut it down”, but the eurosceptic and conservative English MEP is apparently close. For the Greek and Crete fans of ENISA, Chichester likely amounts to a major annoyance with <a href="http://www.friendsofenisa.eu/videos/ENISA-EP_27-1-2011_ENGLISH.mp4">his attacks</a> on the location and its surroundings. The parliament&#8217;s focus on these formal problems instead of the agency&#8217;s mission and resources is somewhat inappropriate. The decision to host such an agency on Crete, as beautiful as it is for leisure purposes, is slightly awkward indeed, given that one of its crucial roles is to foster networking among internet security stakeholders in Europe. And networking works better if you&#8217;re not located at a paradisal back of beyond. But these aren&#8217;t the crucial topics.</p>
<p>Chichester, who is the Rapporteur of the European Parliament for the <span class="caps">ENISA</span> legislation, raised an <a href="http://www.europarl.europa.eu/sides/getDoc.do?type=OQ&amp;reference=O-2008-0060&amp;language=EN">interesting question</a> in a parliamentary debate in 2008:</p>
<blockquote><p>
  “Has the Commission seriously considered the possibility of replacing <span class="caps">ENISA</span> immediately by other, more appropriate, mechanisms, such as a permanent forum of stakeholders or a network of security organisations? Is it sure that network and information security must necessarily be addressed by means of a European agency, when the <span class="caps">ENISA</span> Management Board is not able to justify this?”
</p></blockquote>
<p>The overall majority in the European Parliament certainly does not share Chichester&#8217;s fundamental <span class="caps">ENISA</span> critique; euroscepticism doesn&#8217;t go down well in the EP for a reason. On the contrary, MEPs support plans to strengthen <span class="caps">ENISA</span>&#8216;s role and to make Greece build up the necessary infrastructure (international schools, e.g.). Often enough, British euroscepticism has been a tool, a lever for getting better outcomes in discussions in Brussels. The same probably goes for this case. Nevertheless, the question of when a network of smaller organisations serves a task better than a single central one is certainly of more than academic interest. When would you want to go beyond existing functions provided by a network of actors and start to merge its features into a distinct organisation or bureaucratic body? For sure, a comparison of transaction costs will help you to find the optimal organisational approach, yet that doesn&#8217;t save you from the laborious task of finding the figures to fill into your Excel comparison sheet.</p>
<p>The current trend in internet polity, not only in Brussels, is to create distinct bodies, organisations, and task forces that report directly to the mandating body. Politicians want quick access to, and information from, those responsible for internet security, and they want to delegate responsibilities and tasks easily to these internet security organisations. ENISA and similar bodies serve as proxies for internet security-related knowledge, able to formulate recommendations for the Brussels cabal on request. I can wholeheartedly comprehend the difficulties of grasping the complexities of internet security politics and polity. An aspect of this networks-vs-states debate that probably needs more examination is the insecurity among decision makers caused by insufficient or contradictory information.</p>
<p>ENISA hence, among other tasks, conducts studies and research on existing response capabilities in Europe, commissions and co-authors reports on specific internet security issues, collects yellow-pages-like information on existing response organisations, and creates networking opportunities for security operations teams and experts. ENISA&#8217;s role itself is by and large not operational, for now at least. Many of these tasks could theoretically be delegated to, e.g., TF-CSIRT, consultancies, research institutes, research programmes or the EU Commission bureaucracy. It&#8217;s just easier (lower transaction costs) for politicians to have all these capabilities bundled into one agency. Internet security bodies in fact represent a layer of attribution and trustworthiness for politicians when dealing with non-attributable and allegedly semi-trustworthy networks.</p>
<p>ENISA&#8217;s products might help to make trans-European incident response more effective and efficient. But operational internet security can only be achieved by collaborative networks, first and foremost of the owners of private networks and their operational staff. Additional inter-organisational managerial or political governance layers above them do not necessarily help to increase operational internet security. But they can ease the knowledge problem in the political sphere. So, inserting an overseeing bureaucratic layer above actual internet security provisioning is a rather predictable and hence boring outcome. The Commission&#8217;s solution to the problem of linking the internet security networks with the state is its PPP approach, which in effect is collaboration between the government sphere and multinationals. Yet the internet security community comprises more actors than mere internet and security companies. From a societal perspective, I&#8217;m wondering whether the likely increases in the costs of providing internet security (bloated governance regime, professionalisation and PPPification) will be matched by the gains from reduced insecurity.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/05/agency-or-networks-some-thoughts-about-europes-ongoing-internet-security-debates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.friendsofenisa.eu/videos/ENISA-EP_27-1-2011_ENGLISH.mp4" length="70223531" type="video/mp4" />
		</item>
		<item>
		<title>&#9733; The uber-CERT: Germany&#8217;s new cyber-defense centre</title>
		<link>http://netdefences.com/2011/04/the-uber-cert-germanys-new-cyber-defense-centre/</link>
		<comments>http://netdefences.com/2011/04/the-uber-cert-germanys-new-cyber-defense-centre/#comments</comments>
		<pubDate>Fri, 01 Apr 2011 23:28:14 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[hierarchies]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[netdefence]]></category>
		<category><![CDATA[organisations]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/04/the-uber-cert-germanys-new-cyber-defense-centre/</guid>
		<description><![CDATA[I guess when the average media consumer hears &#8220;cyber-defense centre&#8221;, she likely has Star-War-ish control rooms in mind. Now, starting today, Germany has its National Cyber Defense Centre. It is located in the offices of the Federal Office for Information Security (BSI), which reports to the Federal Minister of the Interior. Not much of a surprise, [...]]]></description>
			<content:encoded><![CDATA[<p>I guess when the average media consumer hears &#8220;cyber-defense centre&#8221;, she likely has Star-War-ish control rooms in mind. Now, starting today, Germany has its National Cyber Defense Centre. It is located in the offices of the Federal Office for Information Security (<a href="https://www.bsi.bund.de/EN/Home/home_node.html">BSI</a>), which reports to the Federal Minister of the Interior. Not much of a surprise, yet quite some headlines in national media for a 10-person task force. (Sources: <a href="http://www.faz.net/s/Rub4C34FD0B1A7E46B88B0653D6358499FF/Doc~E886A7106A663427CBAD3E85D7A1BE722~ATpl~Ecommon~Scontent.html">FAZ</a>, <a href="http://www.bmi.bund.de/SharedDocs/Kurzmeldungen/DE/2011/04/NCAZ.html">Ministry of the Interior</a>, both in German)</p>
<p>It has a staff of a mere 10 members, 6 of whom come from the BSI, 2 from the domestic intelligence agency (<a href="http://www.verfassungsschutz.de/en/index_en.html">Bundesamt für Verfassungsschutz</a>) and 2 from the <a href="http://www.bbk.bund.de/cln_012/nn_394990/EN/00__Home/homepage__node.html__nnn=true">Federal Office of Civil Protection and Disaster Assistance</a>. The most senior position appears to be the &#8216;Speaker&#8217;, held by the BSI president, which might imply that the Centre is just a department of the BSI or a trans-organisational task force rather than a distinct organisation. The Centre&#8217;s task is to share information about incidents, vulnerabilities and forms of attack, to categorise incidents, to detect vulnerabilities and to propose activities.</p>
<p>In addition, Berlin plans to set up a National Cyber-Security Council under the auspices of Merkel&#8217;s ICT advisor. No details reported here, but it sounds like a discussion group bringing together government, industry, security bureaucracy, telcos and the like.</p>
<p>The main function of Centre and Council likely is to gather information and data related to internet security and to provide decision makers in politics with timely recommendations on how to proceed in this new field of internet security governance. Kind of a national über-CERT. But we have no details here, alas.</p>
<p>Noteworthy for students of internet security governance is the institutionalisation of collaboration between technical IT security experts and intelligence. Previous large-scale DDoS attacks have shown that the technical side can get the upper hand over attackers if intelligence manages to provide information about them.</p>
<p>But the main issues are not DDoS attacks or similar obstructive attacks. Espionage, especially for economic purposes, not only between China and the West but also among Western states, has alarmed policy makers and media alike. In early February, Germany&#8217;s leading conservative newspaper FAZ wrote in an article caption &#8220;<a href="http://www.faz.net/s/Rub7FC5BF30C45B402F96E964EF8CE790E1/Doc~E6582C3E04A1E4880ADC295ABB13BB1E7~ATpl~Ecommon~Scontent.html">A Worldwar</a>&#8221;: &#8220;As Western allies spy on Germany day in, day out, one or another cyberattack could be attributed to them.&#8221; Stuxnet was allegedly developed by the US and Israel.</p>
<p>The article mentioned above shows an example of another trend in internet security governance: a call to arms for internet security experts. We&#8217;ve heard that before: in Tom Friedman&#8217;s 1998 &#8220;<a href="http://www.nytimes.com/1998/04/18/opinion/foreign-affairs-techno-nothings.html">Techno-Nothings</a>&#8221; column, and more recently in the Estonian Cyber Army concept or in Richard Clarke&#8217;s book &#8220;World Wide War.&#8221; Looks like politics is approaching those communities indispensable for internet security. Only the modes of approaching differ: sometimes careful, sometimes clumsy, and sometimes coercing.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/04/the-uber-cert-germanys-new-cyber-defense-centre/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; NATO and its role in internet security – geopolitics of internet security governance?</title>
		<link>http://netdefences.com/2011/03/nato-and-its-role-in-internet-security-%e2%80%93-geopolitics-of-intenet-security-governance/</link>
		<comments>http://netdefences.com/2011/03/nato-and-its-role-in-internet-security-%e2%80%93-geopolitics-of-intenet-security-governance/#comments</comments>
		<pubDate>Sun, 20 Mar 2011 16:36:39 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[hierarchies]]></category>
		<category><![CDATA[internet politics]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[NATO]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/03/nato-and-its-role-in-internet-security-%e2%80%93-geopolitics-of-intenet-security-governance/</guid>
		<description><![CDATA[&#8220;The threat is there to see and if the worst were to happen…&#8221; (Donald Rumsfeld, Feb 2003) Looks like Stuxnet is the best of all electronic Pearl Harbours, so far. The signs on the walls of what could be. The &#8220;game changer&#8221; (DHS cyber director), the menace that seems to convince politicians, media and the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: right;"><em>&#8220;The threat is there to see and if the worst were to happen…&#8221; (<a href="http://www.pbs.org/newshour/bb/middle_east/jan-june03/bg_divisions_2-10.html">Donald Rumsfeld</a>, Feb 2003)</em></p>
<p>Looks like Stuxnet is the best of all <a href="http://www.nydailynews.com/archives/news/1996/06/26/1996-06-26_cia_chief_plans_cyber_defense.html">electronic Pearl Harbours</a>, so far. The signs on the wall of what could be. The &#8220;game changer&#8221; (<a href="http://www.dw-world.de/dw/article/0,,14817437,00.html">DHS cyber director</a>), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening. It has taken some fifteen years of fear mongering to achieve that.</p>
<p>Menaces, threats, risks, dangers require responses, yet which? <span id="more-178"></span> Military and strategy circles have for years tried to establish their role in &#8220;cybersecurity&#8221;. NATO, and first and foremost military circles in the US, have pushed cyber security for years. The US Vice Secretary of Defence has constantly stressed the necessity for NATO to build up cyberwarfare capacities since he took office in early 2009. After the Estonian 2007 cyberattacks, NATO set up its <a href="http://www.ccdcoe.org/">Cooperative Cyber Defence Center of Excellence</a> in beautiful Tallinn, Estonia.</p>
<p><strong>The polity of internet security governance</strong></p>
<p>The Centre is first of all a research institute that works on legal issues just as much as it explores potential scenarios of cyber warfare and the overall institutional design of internet security. Eneken Tikk has written a brief paper on that, called &#8220;<a href="http://www.ccdcoe.org/articles/2010/Tikk_GlobalCyberSecurity.pdf">Global Cyber Security – Thinking About The Niche for NATO</a>&#8221;. According to her analysis, NATO&#8217;s role in the busy organisational architecture of internet security and its place next to other &#8220;international cyber security organisations&#8221; should be in dealing with cyber warfare and cyber terrorism, as her illustrative matrix shows:</p>
<p><img src="http://netdefences.com/wp-content/uploads/Tikk-2010-dimensions-of-cyber-security.jpg" alt="Dimensions of Cyber Security (Source: Tikk 2010)" width="423" height="78" /></p>
<p>Tikk states that &#8220;for NATO, the challenge will be to exploit and fit into the already existing, somewhat fragmented, cyber security organization implemented by nations.&#8221; NATO&#8217;s unique contribution should lie in providing input for the task of &#8220;Cyber armed attack response&#8221;, as her following matrix shows:</p>
<p><img src="http://netdefences.com/wp-content/uploads/201103201353.jpg" alt="Tikk 2010 - Nato input to cyber security" width="480" height="252" /></p>
<p><strong>NATO&#8217;s role therein</strong></p>
<p>But how would this translate to the operational level? What actually should these organisations be responsible for? Which problem, so far orphaned, should they address that constitutes a real internet security threat? NATO&#8217;s secretary general, Anders Fogh Rasmussen, described it as a &#8220;new form of permanent low-intensive warfare&#8221; (<a href="http://www.n-tv.de/politik/Muenchner-Sicherheitskonferenz-beginnt-article2534001.html">n-tv.de</a>). While it is unclear what he referred to, an Estonian security expert recently linked permanently ongoing DDoS attacks to the notion of cyberwar. (<a href="http://www.3sat.de/page/?source=/bauerfeind/151889/index.html">3Sat.de</a>, in German, but sequences with English-speaking persons are subtitled and not dubbed.) In the very same TV programme, Estonia&#8217;s secretary of defence describes his cyber army, a concept which was received by some with raised eyebrows.</p>
<p>At the Munich Security Conference in February, internet security was planned to be one of the top topics, until it was relegated by the upheavals in the MENA region. The Munich Security Conference is a remarkable institution in itself. No decision making, only talks by top dogs from the military, politics, diplomacy and foreign policy/security think tanks, and selected academics. Only talks, hence no decisions on internet security. It has hosted a range of remarkable discussions, most noteworthy among them the 2003 showdown between Rumsfeld and then German Minister of Foreign Affairs Fischer (&#8220;and excuse me, I am not convinced&#8221;, <a href="http://www.telegraph.co.uk/news/worldnews/europe/germany/1421634/I-am-not-convinced-Fischer-tells-Rumsfeld.html">Telegraph.co.uk</a>).</p>
<p>A month later, NATO defense ministers &#8220;shape cyber defense policy&#8221;, as DefenseNews headlined last week by copying the underlying message of the NATO press release:</p>
<blockquote><p>&#8220;Computer Incident Response Centre is being brought up to full operational capacity by 2012. This means investing in equipment and creating cyber response teams to systematically help member states that request assistance, the official said.&#8221; And: &#8220;The concept also refers to the need to integrate cyber threats into NATO&#8217;s defense planning. Defense ministers are expected to approve a renewed NATO cyber defense policy and establish a strategy at their next meeting in June.&#8221; (<a href="http://www.defensenews.com/story.php?i=5936029&amp;c=EUR&amp;s=TOP">DefenseNews</a>)</p></blockquote>
<p>With the usual vague terms, NATO included the cyber dimension in its Strategic Concept last year at its Lisbon meeting. The &#8220;security environment&#8221; as perceived by NATO would require such provisions:</p>
<blockquote><p>&#8220;Cyber attacks are becoming more frequent, more organised and more costly in the damage that they inflict on government administrations, businesses, economies and potentially also transportation and supply networks and other critical infrastructure; they can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability. Foreign militaries and intelligence services, organised criminals, terrorist and/or extremist groups can each be the source of such attacks.&#8221;</p></blockquote>
<p>To address looming security concerns, NATO will:</p>
<blockquote><p>&#8220;develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations.&#8221; (NATO, <a href="http://www.nato.int/cps/en/natolive/official_texts_68580.htm#cyber">Strategic Concept for the Defence and Security</a>, Lisbon, Nov 2010)</p></blockquote>
<p><strong>Communities and the ICT industry as security aides</strong></p>
<p>But how could this practically work, given that large infrastructures basically are owned by private enterprises? The initial assumption amongst many presumably is: it ain&#8217;t gonna work. So, getting back to Stuxnet, the stance of the industry understandably comes across as pretty laid-back. A board member of the German <a href="http://www.bitkom.org/en/Default.aspx">Bitkom</a>, the association of the internationally rather negligible German IT industry, said in a recent interview (<a href="http://www.gulli.com/news/bitkom-cyberwar-erfordert-verbesserte-sicherheitsstrategien-2011-02-04">in German</a>): &#8220;Stuxnet is a wake-up call – what we now need is security engineering, not activism in sight of a threat of cyber-war&#8221;. A wake-up call that, from the industry&#8217;s perspective, allows them to stay in their given institutional beds just a little bit longer.</p>
<p>National and international security organisations (think of police, military, departments of justice and the interior, etc.), however, perceive the situation through the lens of their organisation&#8217;s agenda. They tend to ask existing internet security actors to pioneer new ways – ways that for better or worse include the well-trodden paths of security provisioned by states and international organisations. Tikk&#8217;s paper rightfully observes issues that haven&#8217;t been addressed so far by the current institutional design of internet security; she also rightfully observes gaps in &#8220;horizontal, cross-organisational coordination and responses&#8221;. But is a hierarchical organisation in the secretive military realm the appropriate organisation to solve these horizontal coordination problems? My initial assumption would be: I can&#8217;t think of any organisation that is less suited for the job, given that much of internet security provisioning requires networked collaboration based on at least partial openness. But then: states are actors in the internet security governance field, and they have their national security concerns based on internet-borne threats.</p>
<p>The fundamental question in internet security governance currently and in the years to come is who&#8217;s going to transform whom: traditional security organisations the internet security community or vice versa.</p>
<p>How could a security organisation be responsible for or dominate something it does not control? A look into Richard Clarke&#8217;s recent World Wide War helps illuminate this. To ensure the proper defence of national information security infrastructures, Clarke calls for coercing the private sector into securing the cybersphere and building resilience into their system design and network architectures.</p>
<p>While Clarke&#8217;s book certainly helps to reframe the discourse on internet security governance and aims at increasing the acceptance of a massive state-driven shift of control for the sake of general security, the Estonian government and its Ministry of Defence have already taken steps that could be interpreted as rather drastic. Estonia is notorious for its all-encompassing and innovative usage of the internet. Besides, its role in internet security governance is quite interesting. Only a couple of weeks ago, in the run-up to the latest NATO summit, its head of state called for an extended mandate and a build-up of capabilities for NATO in the field of cyber security.</p>
<p><strong>Geopolitics to meet operational internet security?</strong></p>
<p>But obviously, there is a conflict among NATO members as to what degree responsibilities should be transferred to NATO. The Estonian press release on the meeting between President Toomas Hendrik Ilves and US Cyber Force Commander and NSA director Keith B. Alexander said: &#8220;President Ilves described NATO only focusing on defence systems of the alliance and its allies for the purposes of cyber defence as “short-sighted”.&#8221; Instead:</p>
<blockquote><p>&#8220;We have no other choice today – NATO must enhance the importance of cyber defence in joint activities, operative planning, the drafting of emergency plans and management level, including, for example, the organisation of cyber exercise.&#8221; (<a href="http://www.president.ee/en/media/press-releases/5777-president-ilves-nato-needs-an-extensive-cyber-shield-to-protect-itself-and-its-allies/index.html">president.ee</a>)</p></blockquote>
<p>It reads as if Estonia wanted to slip under some kind of &#8220;informational umbrella&#8221;, and the US might actually be able to offer something akin to it, but not every NATO member would be willing to transfer their informational responsibilities to NATO. (<a href="http://www.acus.org/natosource/estonia-nato-needs-extensive-cyber-shield">Estonia: NATO needs an extensive cyber shield</a>) Responsibility of NATO solely or primarily for protecting its very own networks must be the lowest common denominator among NATO allies and a sign of diverging internet security interests. Any transfer of competencies beyond that, be it global monitoring capacities or supranational incident response facilities, is presumably related to considerations belonging to a field called: the geopolitics of internet security governance.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/03/nato-and-its-role-in-internet-security-%e2%80%93-geopolitics-of-intenet-security-governance/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>&#9733; &#8220;Intensification of civil-military cooperation&#8221;. Some comments on the recent Dutch National Cyber Security Strategy on incident response</title>
		<link>http://netdefences.com/2011/03/intensification-of-civil-military-cooperation-some-comments-on-the-recent-dutch-national-cyber-security-strategy-on-incident-response/</link>
		<comments>http://netdefences.com/2011/03/intensification-of-civil-military-cooperation-some-comments-on-the-recent-dutch-national-cyber-security-strategy-on-incident-response/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 16:18:33 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[Netherlands]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/03/intensification-of-civil-military-cooperation-some-comments-on-the-recent-dutch-national-cyber-security-strategy-on-incident-response/</guid>
		<description><![CDATA[In February, the Dutch Ministry of Security and Justice released its &#8220;National Cyber Security Strategy (NCSS) &#8211; Success through cooperation.&#8221; (govcert.nl) Section 5.4, &#8220;Response capacity for withstanding ICT disruptions and cyber attacks”, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy&#8217;s briefness makes a refreshing change for lazy readers [...]]]></description>
			<content:encoded><![CDATA[<p>In February, the Dutch Ministry of Security and Justice released its &#8220;National Cyber Security Strategy (NCSS) &#8211; Success through cooperation.&#8221; (<a href="http://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/national-cyber-security-strategy-launched.html">govcert.nl</a>) Section 5.4, &#8220;Response capacity for withstanding ICT disruptions and cyber attacks&#8221;, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy&#8217;s briefness makes a refreshing change for lazy readers like us, it also raises a couple of questions.<br /> <span id="more-175"></span></p>
<blockquote>
<ul>
<li>In the summer of 2011 the cabinet will publish the National ICT Crisis Plan. This plan will include an exercise plan, which aligns both national and international exercises.</li>
<li>The <i>ICT Response Board</i> (IRB), a public-private joint venture which gives the crisis decision making organisations advice on measures to combat or counteract large-scale ICT disruptions, will come into operation in 2011 and will be placed as a function in the National Cyber Security Centre.</li>
</ul>
</blockquote>
<p>Similar to Europe&#8217;s EP3R strategy (European Public Private Partnership for Resilience), the Dutch government bets on public-private cooperation. Obviously, states can&#8217;t claim sole responsibility for internet security on the governance level, let alone on the operational level. Major chunks, to say the least, of the internet (as an infrastructure) consist of private networks (ISPs) and &#8220;owned&#8221; components. Nevertheless, internet security governance departs from the traditions of internet governance inasmuch as it doesn&#8217;t even try to pretend to have the shiny facade of a liberal, open, democratic and what-else kind of multistakeholderism. In internet security governance, governments and their international agencies have taken the driver&#8217;s seat – at least when it comes to the institutionalisation and organisation of internet security.</p>
<p>Anyhow. Coming back to the Dutch strategy, I&#8217;m looking forward to reading the fine print on the ICT Response Board, e.g. funding, oversight, legal form, members, non-members. But, I&#8217;m sure, we&#8217;ve yet to see the inclusion of the highly acclaimed civil society in internet security governance matters.</p>
<blockquote>
<ul>
<li>Internationally, focus will be on reinforcing the cooperation in the operational response between the CERT organisations in Europe and besides that the goal is to reinforce the International Watch and Warning Network (IWWN) which currently functions as informal globally operating consultation in the event of ICT incidents.</li>
</ul>
</blockquote>
<p>I&#8217;ve seen that International Watch and Warning Network (IWWN) mentioned numerous times, though I have yet to find a thorough description of it. <a href="http://www.ccip.govt.nz/about-ccip/ccip-partners.html">New Zealand&#8217;s Centre for Critical Infrastructure Protection</a> has the following: &#8220;The IWWN was established in 2004 to foster international collaboration on addressing cyber threats, attacks, and vulnerabilities. The IWWN provides a mechanism for participating countries to share information to build global cyber situational awareness and incident response capabilities.&#8221; Members: AZ, CA, FI, FR, DE, HU, IT, JP, NL, NZ, NO, SW, CH, UK, US. According to the Dutch strategy paper, it &#8220;functions as informal globally operating consultation in the event of ICT incidents&#8221;.</p>
<blockquote>
<ul>
<li>The social impact of a large-scale terrorist attack on or via the Internet can be substantial. The Terrorism Combating Alerting System (ATb) will therefore be expanded with a cyber component and drills will be carried out.</li>
</ul>
</blockquote>
<p>How will this &#8220;Terrorism Combating Alerting System&#8221; be linked with privately owned networks?</p>
<blockquote>
<ul>
<li>The Ministry of Defence is developing knowledge and capacities to be able to operate effectively in the digital domain. The maximum goal is to achieve options for the exchange of knowledge and expertise with civil and international partners. In addition, studies will be carried out on how the Ministry of Defence can make knowledge and capacities available for its third (primary) task within the ICMS (intensification of civil-military cooperation) agreements.</li>
</ul>
</blockquote>
<p>&#8220;Exchange of knowledge&#8221;, &#8220;intensification of civil-military cooperation&#8221;. I&#8217;m wondering what stance the Dutch and other Western governments take on the Estonian idea of a &#8220;cyber army&#8221;, i.e. the potential subjugation of the internet security community under military command lines.</p>
<blockquote>
<ul>
<li>A cyber education and training centre (OTC) will be founded.</li>
<li>In order to further enhance the resilience of its own networks and systems, the tasks of the Defence Computer Emergency Response Team (DefCERT) will be further expanded in the coming years. In addition, investments will be made in increasing the security awareness among the personnel and there will be accreditation of systems and processes.</li>
</ul>
</blockquote>
<p>Strings of vagueness attached: the role of the military CERT appears to be restricted to defending military networks. Given the common technical foundation of both cyber-annoyances and incidents touching &#8220;national security&#8221;, how could that work?</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/03/intensification-of-civil-military-cooperation-some-comments-on-the-recent-dutch-national-cyber-security-strategy-on-incident-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; The security risk of hierarchies embracing internet security communities</title>
		<link>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/</link>
		<comments>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/#comments</comments>
		<pubDate>Fri, 28 Jan 2011 11:50:35 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[hierarchies]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[openness]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/</guid>
		<description><![CDATA[The Baltic Times reports: Estonia&#8217;s defense minister has said he plans to create a volunteer &#8220;cyber defense league&#8221;… &#8220;We are thinking of introducing this conscript service, a cyber service,&#8221; Defense Minister Jaak Aaviksoo said in an interview with NPR. &#8220;[Our] league brings together specialists in cyberdefense who work in the private sector as well as [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.baltictimes.com/news/articles/27704/">Baltic Times reports</a>:</p>
<blockquote><p>
  Estonia&#8217;s defense minister has said he plans to <b>create a volunteer &#8220;cyber defense league&#8221;</b>… &#8220;We are thinking of introducing this <b>conscript service</b>, a cyber service,&#8221; Defense Minister Jaak Aaviksoo said in an interview with NPR. &#8220;[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.&#8221;
</p></blockquote>
<p>The NATO Source Alliance news blog of the <a href="http://www.acus.org/natosource/estonia-develops-volunteer-cyber-defense-force-and-considers-drafting-techies">Atlantic Council reports</a>:</p>
<blockquote><p>
  Now …[Estonia] is <b>a model for how a country might defend itself</b> during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function <b>under a unified military command</b>. …<br />
  Aaviksoo says it&#8217;s so important for Estonia to have a skilled cyber army that the authorities there may even institute <b>a draft</b> to make sure every cyber expert in the country is available in a true national emergency.
</p></blockquote>
<p><a href="http://www.defensenews.com/story.php?i=5556484&amp;c=EUR&amp;s=TOP">DefenseNews</a>:</p>
<blockquote><p>
  The new NCDU initiative will see the Total Defense League form a special liaison group to correlate its activities and intelligence with the CCD-COE.
</p></blockquote>
<p>So much for the plans of the Estonian Ministry of Defence.</p>
<p>The RIA (Riigi Infosüsteemide Arenduskeskuse, the Estonian Informatics Centre; CERT-EE is part of it) is under the supervision of the Ministry of Economic Affairs and Communications. The RIA will soon be promoted to a national authority (Riigi Infosüsteemide Amet), the RIA website tells us. I haven&#8217;t found an article in Western media about it, so <a href="http://translate.google.com/translate?u=http%3A//www.ria.ee/&amp;hl=de&amp;langpair=auto|en&amp;tbb=1&amp;ie=UTF-8">Google Translate kindly helps out</a>:</p>
<blockquote>
<p>The government today approved the draft of National Informatics <b>Centre</b> will from 1 <b>Agency</b> in June 2011. The new Office will expand the state information systems dealing with security issues, and can be attached to the Inspection Department.</p>
<p>RIA Director Epp Joab, &#8220;created in the cybersecurity office is organizing <b>three different roles</b>. First, we develop the system further security measures. Continuous development of security measures are necessary because the risks of rapid technological progress, changing and improved attacks. Another is the role of planning in cybersecurity, and preventing the situation is monitored. Here we have prevention and IT professionals engaged in training, we now pay more attention to planning and monitoring. Third, arrange an <b>emergency law</b> and the <b>state supervision over compliance</b> with the Public Information Act. &#8220;</p>
<p>&#8220;Cyber security strategy for 2008-2013&#8243; states that are most important in ensuring a comprehensive cyber security management system. This means that there must be <b>both public and private companies providing vital services</b> to prevent service interruptions caused by cyber incidents and the need to be able to quickly restore service.</p>
<p>However, it is clear that security incidents can not be completely ruled out. This means that Estonia has the <b>potential to respond to incidents quickly</b>, and effective manner. To this end, first mapped potential information security risks, weigh their implications and then take the necessary security measures. Because security is very expensive, and some risks will always remain, the <b>owners of information systems and critical services necessary to obtain an independent assessment of whether the selected security measures are adequate</b>. The new Authority will verify that the public and private critical information systems should be built up and stored securely.</p>
<p>Also, the Agency will be introduced to information systems by the new laws. It is necessary that different systems can function together from the moment of creation. … RIA restructuring of cybersecurity and the need for additional resources related to the enlargement of the area is 12.9 million euros a year.
</p></blockquote>
<p>(Some paragraphs with a presumably better translation can be found in an interesting blog that covers Estonian economic affairs, &#8220;<a href="http://brilliantfixer.wordpress.com/2011/01/17/government-to-found-estonian-informatics-board/">Government to found Estonian Informatics Board</a>&#8220;.)</p>
<p>So, the Ministry of Defence aims for an interesting organisational approach that could be called &#8220;voluntary conscription service&#8221;. Whatever that means. The new authority under the auspices of the Ministry of Economic Affairs and Communications is to &#8220;arrange an emergency law&#8221;. The question the news above incites is whether government authorities would bypass the management levels of infrastructure providers and command reconfigurations of internet components to ensure the functionality of domestic internet systems.</p>
<p>Irrespective of the answer, traditional security hierarchies have a problem when it comes to internet security provisioning. Their institutional instinct to expand their competencies into any domain that needs some security is stymied by internal and external factors: they do not appear to have the skills on the scale necessary to guarantee the infrastructural security of the internet, nor, most importantly, do they own all those infrastructural components and resources.</p>
<p>From a global perspective, the conclusions drawn from this conscription idea are even more important. The Atlantic Council blog calls this organisational approach, which would include a central military command and conscription of cyber security experts, a &#8220;role model&#8221;. How would existing internet security communities react to the warm breath of embracing security hierarchies? Stay loyal to a community that might then no longer represent the idea of self-governance? Raise their voices? Or choose the exit doors and leave the communities? And would, just in case substantial &#8220;exit&#8221; looms, &#8220;conscription&#8221; be the instrument to bar exactly that?</p>
<p>The idea of &#8220;conscription&#8221; is surprising considering that the internet security community has managed to keep the internet up and running for decades – despite the fear-mongering of rhetorical patterns like &#8220;Digital Pearl Harbour&#8221; in the nineties and its later, similar successors. A somewhat popular discussion in the social sciences, the so-called Titmuss-Arrow debate, provides some helpful insights into what happens when a production system based on voluntariness is transferred to one based on external motivation like the market &#8211; a telling story for those disturbing the structure and principles of volunteer communities. <a href="http://christmasgorilla.net/longform/benkler-sharing-nicely.html">Yochai Benkler sums up</a> the consequences for the volunteers&#8217; thinking and motivation:</p>
<blockquote><p>
  <b>Extrinsic motivations</b> [market incentives, i.e. money; for my argument here: the motivation to avoid the whip of superiors in the command chain] are said to “crowd out” intrinsic motivations [e.g. to voluntarily help to keep the internet up and running in times of an attack] because they (a) impair self-determination—that is, a person feels pressured by an external force, and therefore feels overjustified in maintaining her intrinsic motivation rather than complying with the will of the source of the extrinsic reward; or (b) impair self-esteem—they cause an individual to feel that his internal motivation is rejected, not valued, leading him to reduce his self-esteem and thus to <b>reduce effort</b>.
</p></blockquote>
<p>Given that reduced effort by volunteering internet security experts is the last thing you would currently want, one could hypothesise that one of the greatest internet security risks is the subordination of volunteers under a formalised command chain.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Seymour Hersh&#8217;s 6731 words take on &#8220;the online threat&#8221;</title>
		<link>http://netdefences.com/2010/10/seymour-hershs-6731-words-take-on-the-online-threat/</link>
		<comments>http://netdefences.com/2010/10/seymour-hershs-6731-words-take-on-the-online-threat/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 14:31:37 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[internet security governance]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/10/seymour-hershs-6731-words-take-on-the-online-threat/</guid>
		<description><![CDATA[<p>Summary: There is no cyberwar problem, only cyber espionage. Cyberwar is made up by cybergeddonists, who happen to work for security contractors after having left their public cyber-security posts. China has no interest in launching a cyberwar against the US, even if it might possibly have the means. Cyberwar is hardly wageable, because of unintended consequences caused by the openness of the web. Espionage could be dealt with by obligatory encryption, which however is costly and hard to operate and maintain. Non-encryption, however, might not be the underlying cause of internet security problems. And military activities can have unintended consequences. Nevertheless, recommended reading.</p>
]]></description>
			<content:encoded><![CDATA[<p>Summary: There is no cyberwar problem, only cyber espionage. Cyberwar is made up by cybergeddonists, who happen to work for security contractors after having left their public cyber-security posts. China has no interest in launching a cyberwar against the US, even if it might possibly have the means. Cyberwar is hardly wageable, because of unintended consequences caused by the openness of the web. Espionage could be dealt with by obligatory encryption, which however is costly and hard to operate and maintain. Non-encryption, however, might not be the underlying cause of internet security problems. And military activities can have unintended consequences. Nevertheless, recommended reading.</p>
<p>The political situation:</p>
<blockquote><p>
  In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?
</p></blockquote>
<p>Blurring definitions of cyber war and cyber espionage…</p>
<blockquote><p>
  Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.
</p></blockquote>
<p>The cybergeddonists&#8217; false scenarios:</p>
<blockquote><p>
  The most common cyber-war scare scenarios involve America’s electrical grid. … There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines…. …an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems.
</p></blockquote>
<p>Stuxnet:</p>
<blockquote><p>
  If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran… The real hazard of Stuxnet, he [Schneier] added, might be that it was “great for those who want to believe cyber war is here.&#8221;
</p></blockquote>
<p>On Army General Keith Alexander (head of US cyber command, director of NSA):</p>
<blockquote><p>
  One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks.
</p></blockquote>
<p>Military-civilian relationship:</p>
<blockquote><p>
  If the military is operating in “cyberspace,” does that include civilian computers in American homes?
</p></blockquote>
<p>Encryption as the solution to the cyber security problems (citing John Arquilla):</p>
<blockquote><p>
  “We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” … “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”
</p></blockquote>
<p>A Maginot line mentality (citing Marc Rotenberg, EPIC):</p>
<blockquote><p>
  “The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”
</p></blockquote>
<p>Clipper-Chip 2.0:</p>
<blockquote><p>
  The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.
</p></blockquote>
<p>A long list of interviewees and sources:</p>
<p>Jonathan Pollack, Whitfield Diffie, Jeffrey Carr, &#8220;a retired four-star Navy general&#8221;, John Arquilla, Marc Rotenberg, Howard Schmidt, &#8220;a senior official in the Department of Homeland Security&#8221;, William J. Lynn III, James Lewis (senior fellow at CSIS), Bruce Schneier, J. Michael McConnell, Army General Keith Alexander (head of US Cyber Command, director of the NSA), &#8220;a defense contractor&#8221; (&#8220;one of America&#8217;s most knowledgeable experts on Chinese military and cyber capabilities&#8221;), Richard Clarke (cybergeddonist, security contractor and Bush&#8217;s man for cybersecurity, &#8220;poison gas clouds…&#8221;), J. Michael McConnell (Bush’s second Director of National Intelligence, now cybergeddonist and security contractor, &#8220;Our cyber-defenses are woefully lacking&#8221;).</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/10/seymour-hershs-6731-words-take-on-the-online-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; The security risk of bad security-provisioning design</title>
		<link>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/</link>
		<comments>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 16:28:44 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[secrecy]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/</guid>
		<description><![CDATA[I&#8217;ve pointed out earlier some of the research questions for social scientific internet governance research. The main issues I described there are: There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve pointed out <a href="http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/">earlier</a> some of the research questions for social scientific internet governance research. The main issues I described there are:</p>
<ol>
<li>There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of internet security issues. Furthermore, existing institutions have hardly been researched.</li>
<li>Ongoing debates in the political sphere often refer to a lack-of-enforceability argument. More often than not, these arguments fail to be backed by scientific findings.</li>
<li>The geopolitical dimension of internet security is under-researched.</li>
<li>The potentially disruptive impact of internet-based collaboration on traditional security provisioning processes is still to be explored. We can observe these discourses about new forms of distributed collaboration everywhere, but not in the field of internet security governance.</li>
</ol>
<p>The main task for the social sciences, however, is to provide guidance for the institutional and organisational design of internet security governance.</p>
<p><img src="http://netdefences.com/wp-content/uploads/IMG_0390.jpg" width="360" height="480" alt="IMG_0390.jpg" style="padding-right:8px;" /></p>
<p><i><font size="3"><span style="font-size: 13px;">Ad-hoc defense system protecting railway embankment against Danube flood</span></font></i></p>
<p><span id="more-131"></span></p>
<p>The goal is to overcome the “problem of discovering workable political institutions for a community … that was created by a formidable revolution in technology; … and many of its common problems are beyond the power of nation states to solve.” This is a quote from the 1958 book, <i>World Peace through World Law,</i> by Grenville Clark and Louis B. Sohn. The community they refer to is nothing less than humanity or the community of world citizens that had been turned from a diverse, distributed, unconnected set of ethnics, tribes and nations into one community facing the fate of extinction by the invention of nuclear and hydrogen bombs. One can very well argue whether assured mutual destruction was the wisest answer humanity could have found for this problem.</p>
<p>Luckily, internet security problems aren&#8217;t as grim as the security problem caused by the military use of nuclear technology — despite all that cyberwar/cyber-terror/cyber-Pearl Harbour/cyber-9/11/cyber-Katrina rhetoric. Societal risks are not only caused by internet security problems. The political reactions to them, the emergent institutional design and patterns of internet security governance can pose as grave a problem. The underlying threat for, well, relatively and somewhat open societies is that responsibility for the security of the communicational nervous system is transferred to political, administrative and bureaucratic bodies which are characterised by secrecy, clandestineness, non-transparency and national egoisms. Traditionally, security provisioning was owned by agencies that have just these characteristics. If, however, societies do not want to pass control of the internet to such institutions, the options are the following:</p>
<ul>
<li>Security institutions are substantially changed by adding transparency, openness, attributability and more direct involvement of citizens.</li>
<li>Responsibility for internet security is distributed over complex, multiple layers with daunting attribution and legitimacy challenges. Responsibilities will be divided along criteria such as geography, jurisdictions, scale and scope of impact, ownership of resources and infrastructures, locus of expertise.</li>
</ul>
<div id="ectocontent">
  <br />
  <img src="http://netdefences.com/wp-content/uploads/IMG_03792.jpg" width="360" height="480" alt="Mumus Bar, Budapest" />
</div>
<p>The risk inherent in internet security governance is to end up with governance institutions that are neither transparent nor legitimate, that are far from citizens&#8217; influence, non-inclusive or separatist, and that do not allow for clear attribution. Which would equate to: insecurity through internet security institutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; The emergence of internet security governance as a research field in social sciences</title>
		<link>http://netdefences.com/2010/06/the-emergence-of-internet-security-governance-as-a-research-field-in-social-sciences/</link>
		<comments>http://netdefences.com/2010/06/the-emergence-of-internet-security-governance-as-a-research-field-in-social-sciences/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 16:10:09 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[research]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/06/the-emergence-of-internet-security-governance-as-a-research-field-in-social-sciences/</guid>
		<description><![CDATA[It&#8217;s finally happening. After an abysmally long time of politicians, military, and the security industry coming up with streams of innovative policy tangle in the name of internet security or cybersecurity, a critical mass of social scientists and research interested practitioners has teamed up to start deepening our knowledge of internet security and its governance. [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s finally happening. After an abysmally long time of politicians, the military, and the security industry coming up with streams of innovative policy tangle in the name of internet security or cybersecurity, a critical mass of social scientists and research-interested practitioners has teamed up to start deepening our knowledge of internet security and its governance. While Hungary was going through difficult times with <a href="http://news.bbc.co.uk/2/hi/europe/707398.stm">floods</a> and <a href="http://www.budapesttimes.hu/index.php?option=com_content&amp;task=view&amp;id=14665&amp;Itemid=220">economic turmoil</a>, Budapest couldn&#8217;t have been a more lovely and welcoming place in the last couple of days.</p>
<p>
<img src="http://netdefences.com/wp-content/uploads/IMG_03491.jpg" width="480" height="360" alt="IMG_0349.JPG" /></p>
<p><span id="more-127"></span></p>
<p>Two intense days of <a href="http://cmcs.ceu.hu/cybersecurity/main">workshopping</a> at the Central European University produced a stunningly long list of open questions and &#8211; as Rumsfeld would have called them &#8211; things that we now know we don&#8217;t know. Things decision makers should know, however, before jumping to conclusions in the delicate area of internet security, surveillance, filtering and whatever else. One of the well-connected participants with intimate knowledge of cybersecurity circles estimated that some 90 percent of knowledge about cybersecurity had been developed by brains sitting in the Pentagon or its contractors&#8217; offices. For the sake of societal values such as openness and transparency, the time is ripe to look at internet security from a decidedly different angle.</p>
<p>It speaks volumes about the state of European internet research that roughly half of the workshop participants were flown in across the Atlantic. Necessarily so, as the workshop organisers pointed out, given the lack of European social scientists studying internet security governance, especially in Eastern European countries.</p>
<p>Anyhow, it&#8217;s going to be very interesting to see where this thing is heading once, if at all, the <a href="http://www.esf.org/">European Science Foundation</a> pours some drops out of its funding buckets onto this promising undertaking.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/06/the-emergence-of-internet-security-governance-as-a-research-field-in-social-sciences/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; A follow-up on the German botnet-center</title>
		<link>http://netdefences.com/2009/12/a-follow-up-on-the-german-botnet-center/</link>
		<comments>http://netdefences.com/2009/12/a-follow-up-on-the-german-botnet-center/#comments</comments>
		<pubDate>Fri, 18 Dec 2009 16:11:07 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[Germany]]></category>
		<category><![CDATA[internet security governance]]></category>

		<guid isPermaLink="false">http://netdefences.com/2009/12/a-follow-up-on-the-german-botnet-center/</guid>
		<description><![CDATA[I&#8217;ve written a quick analysis of the recent anti-botnet politics in Germany. The kind crew behind netzpolitik.org has published it on this blockbuster blog. It&#8217;s written in German, though, but you could alternatively give Google Translate a moment of embarrassment.]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve written a quick analysis of the recent anti-botnet politics in Germany. The kind crew behind <a href="http://www.netzpolitik.org/about-this-blog/">netzpolitik.org</a> has <a href="http://www.netzpolitik.org/2009/botnets-internetanbieter-und-politik-auf-sanften-sohlen-zu-neuen-nationalen-strukturen-der-internet-regulierung/#comment-362434">published it</a> on this blockbuster blog. It&#8217;s written in German, though, but you could alternatively give <a href="http://translate.google.com/translate?hl=de&amp;sl=auto&amp;tl=en&amp;u=http%3A%2F%2Fwww.netzpolitik.org%2F2009%2Fbotnets-internetanbieter-und-politik-auf-sanften-sohlen-zu-neuen-nationalen-strukturen-der-internet-regulierung%2F">Google Translate</a> a moment of embarrassment.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2009/12/a-follow-up-on-the-german-botnet-center/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

