1. There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of internet security issues. Furthermore, existing institutions have hardly been researched.
2. Ongoing debates in the political sphere often refer to an lack-of-enforceability argument. More often than not, these arguments fail to be backed by scientific findings.
3. The geopolitical dimension of internet security is under-researched.
4. The potentially disruptive impact of internet-based collaboration on traditional security provisioning processes is to be explored. We can observe these discourses about new forms of distributed collaboration everywhere, but not in the field internet security governance.

The main issue for social sciences however to provide guidance for institutional and organisation design for internet security governance.

Ad-hoc defense system protecting railway embankment against Danube flood

The goal is to overcome the “problem of discovering workable political institutions for a community … that was created by a formidable revolution in technology; … and many of its common problems are beyond the power of nation states to solve.” This is a quote from the 1958 book, World Peace through World Law, by Grenville Clark and Louis B. Sohn. The community they refer to is nothing less than humanity or the community of world citizens that had been turned from a diverse, distributed, unconnected set of ethnics, tribes and nations into one community facing the fate of extinction by the invention of nuclear and hydrogen bombs. One can very well argue whether assured mutual destruction was the wisest answer humanity could have found for this problem.

Luckily, internet security problems aren’t that grim as the security problem caused by military use of nuclear technology — despite all that cyberwar/cyber-terror/cyber-Pearl Harbour/cyber-9/11/cyber-Katrina rhetoric. Societal risks are not only caused by internet security problems. The political reactions to them, the emergent institutional design and patterns of internet security governance can pose as grave a problem. The underlying threat for, well, relatively and somewhat open societies is that the responsibility for the security of the communicational nerve system is transferred to political, administrative and bureaucratic bodies which are characterised by secrecy, clandestiness, non-transparency and national egoisms. Traditionally, security-provisioning was owned by agencies that have just these characteristics. If, however, societies do not want to pass control of the internet to such institutions, the options are the following:

• Security institutions are substantially changed by adding transparency, openness, attributability and direct more direct involvement of citizens.
• Responsibility for internet security is distributed over complex, multiple layers with daunting attribution and legitimacy challenges. Responsibilities will be divided along criteria such as geography, jurisdictions, scale and scope of impact, ownership of resources and infrastructures, locus of expertise.

The risk inherent in internet security governance is to end up with governance institutions that are neither transparent, legitimate, far from citizens’ influence, non-inclusive or separatistic and do not allow for clear attribution. Which would equate to: insecurity through internet security institutions.

Two intense days of workshopping at the Central European University produced a stunningly long list of open questions and – as Rummy would have called – things that we now know we don’t know. Things decision makers however should know before jumping to conclusions in the delicate area of internet security, surveillance, filtering and what else. One of the well-connected participants with intimate knowledge about cybersecurity circles estimated that some 90 percent of knowledge about cybersecurity had been developed by brains sitting in the Pentagon or it’s contractors offices. For the sake of societal values such as openness and transparence, time is ripe to look at internet security from a decisively different angle.

It speaks volumes about the state of European internet research, that roughly half the number of the workshop participants were flown in over the Atlantic. Necessarily so, as the workshop organisers pointed out, given the lack of European social scientist studying internet security governance especially in Eastern European countries.

Anyhow, it’s going to be very interesting to see where this thing is heading to once, if at all, the European Science Foundation will pour some drops out of its funding buckets onto this promising undertaking.

Gathered under the umbrella of the Shadowserver Foundation, a group of engineers and scientists have scrupulously gathered evidence and background information about the activities of the Conficker botnet. They have known for months that millions of machines worldwide had been infected with Conficker malware. Yet, no one reacted, only shoulders were shrugged. At govcert.nl in October, many were contemplating how to proceed with Conficker.

Starting today, Shadowserver let’s everyone know where these Conficker-infected machines are. The move is a valuable contribution to increase global transparency about the somewhat obscure botnet problem.

An interesting example from Germany immediately sticks out. 1&1, a big hosting and medium-sized accessed provider, had initiated an internal initiative against botnet-infected customer systems earlier this year. Today, only ten IP addresses and 0% of their routed space are assigned to infected machines. For customers of Deutsche Telekom, which hasn’t announced a similar program, things look worse: 0.1% of all IP addresses or more than 32,000 IP addresses belong to a Conficker-infected machine.

However, the German national ICT security agency (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the association of the German internet business, eco (Verband der deutschen Internetwirtschaft), have cooperated on botnet issues at least since October 2008.

A workshop on botnets in early February 2009 addressed topics such as data-exchange between ISP regarding information from systems such as honeypots, abuse systems, spam traps (email analysis), DNS analysis, IDS/IAS (anomalie detection) or harmful websites. This information provided by ISPs could then be complemented with external data sources. Given the lack of published data, it is not clear which techniques ISPs actually use to exchange data today.

Another workshop on botnets, obviously organized by eco, took place in early February 2009. One of the speakers was Frank Ackermann, senior legal counsel to eco, who talked about judicial aspects of botnet fighting. According to Ackermann, “ISPs are interested in moderate filtering” of spam. Thus, politics should be discouraged from strict anti-spam regulation.

The programme of another joint eco-BSI workshop, the 7th German Anti Spam Summit mid-September 2009 on conficker, has sessions like “Status Quo central botnet disinfection call center DE” and “Legal Guide on Technical Approaches against Botnets” listed. According to the programme, Dr. Lothar Eßer, Head of Division Internet Security of BSI, also attended this session.

In late November 2009, eco mentioned in a summary of their IGF09 activities that it is going to build a “Botnet Disinfection Center” in a joint effort with BIS and several providers.

So, Germany will get it’s public-private anti-botnet center. According to eco’s press release, eco and BSI will establish a user-support center. ISPs will forward customers with infected machines to a website which provides tools and descriptions for removing malicious software from their machines. In addition, users with infected computers can call a special hotline with experts assisting users in removing harmful software.

—-

Upd. 9.12.; 16.12: changed headline, added the paragraph with eco’s press release; corrected typos

Britain’s new Internet law — as bad as everyone’s been saying, and worse. Much, much worse. – Boing Boing Including 3-strikes, stricter video-game ratings, ISPs forced to deliver data with content industry, business secretary gets carte blanche to come up with stricter regulations.
“It’s a declaration of war by the entertainment industry and their captured regulators against the principles of free speech, privacy, freedom of assembly, the presumption of innocence, and competition.” (BoingBoing)

US
The cyberwar plan, not just a defensive game – Nextgov
Stupid headline – who would think that cyber-warfare is about defense only.
„Computerized tools to penetrate an enemy’s phone system“, „computer viruses and malicious software programs that can disable electrical power systems, corrupt financial data, or hijack air traffic control systems“, „cyber-intruders have probed our electrical grid“ (no, not the squirrel terrorists), “we’d have cadres of people who’d know how to do that”, “Military forces fight for the ownership of that domain [cyber-battlefield]“, “Defense Department graduates only about 80 students per year from schools devoted to teaching cyber-warfare”, ” proposed building a military “botnet,” an army of centrally controlled computers to launch coordinated attacks on other machines”. “The risk of losing control of a weapon provides a powerful incentive not to use it”

See also: National Journal Magazine – The Cyberwar Plan

Who’s in Big Brother’s Database? – The New York Review of Books
Degree of surveillance measured in electricity bills: 70 millions per year http://bit.ly/3DwW49

Information Security News: NIST Drafts Cybersecurity Guidance
“tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits”; “more onus on applying risk management throughout the lifecycle of IT systems”. Yawn.

[ISN] Inside the Ring – Chinese, Russian cyberwarfare
Like nuke-counting in the eighties.
Noteworthy: a new Cyber Security Alliance 14 tech firms form cybersecurity alliance for government — Government Computer News

Australia
Australian government overhauls national cyber security arrangements – Government & Policy “against increasing online espionage and attacks on critical infrastructure”, new CERT Australia, Cyber Security Operations Centre (CSOC), details undisclosed

EU
Automated Social Networking Surveillance Systems Statebook is going to be developed!?

====
How the Internet Ruined Newspapers, TV, Music, Movies, Microsoft – Newsweek 2010, The Internet: A Decade of Destruction – Internet Use/New Technologies „wherever companies were profiting by a lack of transparency or a lack of competition, wherever friction could be polished out of the system, those industries suffered“ – What about national political institutions (in the wider sense) then?

My focus currently is on bottom-up processes to provide internet security, like task-forces and working groups that are set up in an ad-hoc manner to tackle with the lates security phenomenon. Academics, engineers, experts and geeks from all over the world collaborate to provide. The way in which they are addressing security problems resembles what could be called peer production of internet security. My interest is to learn to what extent this mode of security provisioning is used, the settings in which we can observe it and whether this mode is sustainable or not. And how this all relates to internet security and the overall structure of internet security in general.

The internet is a tool that already has fundamentally changed business processes and business models. It is too early to tell what its long-term impact on societies and politics will be. Debates about ‘freedom’ on the internet have been going on for a while, such as if and how the internet fosters freedom of expression, or how authoritarian internet governance approaches could suppress individuals’ rights. The practices of internet security provisioning will have decisive consequences for the shape of ‘freedom’ on the internet.