<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>netdefences &#187; internet security</title>
	<atom:link href="http://netdefences.com/tag/internet-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://netdefences.com</link>
	<description>internet security, research and politics</description>
	<lastBuildDate>Thu, 02 Feb 2012 10:35:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>&#9733; Open Security Data</title>
		<link>http://netdefences.com/2011/10/open-security-data/</link>
		<comments>http://netdefences.com/2011/10/open-security-data/#comments</comments>
		<pubDate>Sat, 22 Oct 2011 13:06:12 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[internet security]]></category>
		<category><![CDATA[EU]]></category>
		<category><![CDATA[Open Data]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=327</guid>
		<description><![CDATA[The European Commissioner for the Digital Agenda from the Dutch conservative-liberal VVD party, Neelie Kroes, announces an &#8220;ambitious EU Open Data Strategy&#8221;. It seeks to &#8220;encourage more openness and re-use of public sector data&#8221; by a Public Sector Information Directive. The Commission is planning to set up an &#8220;Open Data portal&#8221; for the European Commission, [...]]]></description>
			<content:encoded><![CDATA[<p>The European Commissioner for the Digital Agenda from the Dutch conservative-liberal VVD party, Neelie Kroes, announces an &#8220;<a href="http://blogs.ec.europa.eu/neelie-kroes/public-data-for-all-–-opening-up-europes-public-sector/">ambitious EU Open Data Strategy</a>&#8221;. It seeks to &#8220;encourage more openness and re-use of public sector data&#8221; by a Public Sector Information Directive. The Commission is planning to set up an &#8220;Open Data portal&#8221; for the European Commission, later to be supplemented by a &#8220;pan-European Open Data portal&#8221;.</p>
<p>This is indeed going to be huge, potentially at least. We have seen plenty of these geeky apps and web sites that make use of publicly available data and create some clever mashups. The usual meme of Open Data advocacy is that it fosters transparency and openness, enhances citizens&#8217; say in public matters and thereby strengthens democracy, and what not. For all this open data hipness and siren songs, it remains to be seen whether the advantages will be evenly distributed among citizens, who might receive enhanced or innovative public and non-public services; entrepreneurs entering the markets with some fresh and bright ideas bureaucrats haven&#8217;t thought of; and ICT behemoths, which most likely will seize the opportunity and kick outtasking into new spheres to sell software, iron and services.</p>
<p>A litmus test for the openness and transparency rhetoric is, as always, the area of security. Will there be a section in COM&#8217;s portal labelled &#8220;internet security&#8221; or &#8220;cyber security&#8221;? In Brussels, the <a href="http://www.europarl.europa.eu/oeil/file.jsp?id=5876532">draft Directive</a> on &#8220;judicial cooperation … on combatting attacks against information systems&#8221; is still under consideration. Article 15, paragraph 3 states:</p>
<blockquote>
<p>Member States shall transmit the data collected according to this Article to the Commission. They shall also ensure that a consolidated review of these statistical reports is published.</p>
</blockquote>
<p>Here we have a perfect opportunity for the EC to display its willingness to open up public sector data. Beyond merely releasing consolidated statistics about internet-based crimes, a more open approach appears to be perfectly feasible. We still lack reliable, deep knowledge about the scale of the internet security problem. Publicly accessible data will be very helpful in overcoming this deficiency and thus in providing the knowledge base for sound political decisions.</p>
<p>Open Data often tends to focus on low-hanging fruit such as geographic data, administrative documents and similar kinds of public service raw data. The one and only area, however, that truly impacts transparency of governmental action is security. Security is often grotesquely secretive, security organisations shielded from public scrutiny. With legitimate force entirely concentrated in their hands, these institutions protect citizens and society but also, by definition, pose a threat once organisational culture, political oversight and political independence become non-optimal. Hence, democratic governance requires security organisations that are open to public oversight to the maximum degree possible without endangering societal security interests.</p>
<p>While Open Data &#8220;merely&#8221; requires adding public interfaces to existing data warehouses, Open Security Data admittedly needs a thorough analysis of which data is safe for publication and which isn&#8217;t. It shouldn&#8217;t be that hard though to make statistical cyber-crime databases public. For a start.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/open-security-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[14 years after, blissfully unaware]]></title>
		<link><![CDATA[http://blogs.msdn.com/b/tzink/archive/2011/10/19/oil-and-gas-cyber-security-forum.aspx]]></link>
		<comments>http://netdefences.com/2011/10/14-years-after-blissfully-unaware/#comments</comments>
		<pubDate>Fri, 21 Oct 2011 14:06:30 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[critical infrastructures]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[USA]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=317</guid>
		<description><![CDATA[Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Commission. Its 1997 report &#8220;Critical Foundations &#8211; Protecting America&#8217;s Infrastructure&#8221; states (Appendix A, Section Summary Report, p. A-26): Vulnerabilities facing the energy industries include: * Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system [...]<p><a href="http://netdefences.com/2011/10/14-years-after-blissfully-unaware/" rel="bookmark" title="Permanent link to '14 years after, blissfully unaware'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Commission. Its 1997 report &#8220;<a href="http://www.fas.org/sgp/library/pccip.pdf">Critical Foundations &#8211; Protecting America&#8217;s Infrastructure</a>&#8221; states (Appendix A, Section Summary Report, p. A-26): </p>
<blockquote><p>Vulnerabilities facing the energy industries include: </p>
<p>* Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system architectures, centralized operations, increased communications over public telecommunications networks and remote maintenance</p></blockquote>
<p>Earlier this week, Terry Zink quoted the following <a href="http://blogs.msdn.com/b/tzink/archive/2011/10/19/oil-and-gas-cyber-security-forum.aspx">in a blog post</a>:</p>
<blockquote><p>Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems. </p></blockquote>
<p><a href="http://netdefences.com/2011/10/14-years-after-blissfully-unaware/" rel="bookmark" title="Permanent link to '14 years after, blissfully unaware'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/14-years-after-blissfully-unaware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[2002 security recommendations not implemented &#8211;  US Federal cyberattacks 650% up]]></title>
		<link><![CDATA[http://www.theepochtimes.com/n2/technology/federal-cybersecurity-attacks-increased-650-percent-in-5-years-62564.html]]></link>
		<comments>http://netdefences.com/2011/10/2002-security-recommendations-not-implemented-us-federal-cyberattacks-650-up/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 11:29:43 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[statistics]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=301</guid>
		<description><![CDATA[The EpochTimes on a recent report of the Government Accountability Office: It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It [...]<p><a href="http://netdefences.com/2011/10/2002-security-recommendations-not-implemented-us-federal-cyberattacks-650-up/" rel="bookmark" title="Permanent link to '2002 security recommendations not implemented &#8211;  US Federal cyberattacks 650% up'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>The EpochTimes on a recent report of the Government Accountability Office:</p>
<blockquote><p>It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It noted, however, these implementations were not yet in place.</p>
<p>“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” states the report. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”</p>
</blockquote>
<p><a href="http://netdefences.com/2011/10/2002-security-recommendations-not-implemented-us-federal-cyberattacks-650-up/" rel="bookmark" title="Permanent link to '2002 security recommendations not implemented &#8211;  US Federal cyberattacks 650% up'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/2002-security-recommendations-not-implemented-us-federal-cyberattacks-650-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[Cyber Crime rate escalating, says Department of Homeland Security]]></title>
		<link><![CDATA[http://www.allvoices.com/contributed-news/10486721-cyber-crime-rate-escalating-in-us-homeland-security-officials-says]]></link>
		<comments>http://netdefences.com/2011/10/cyber-crime-rate-escalating-says-deparment-of-homeland-security/#comments</comments>
		<pubDate>Sun, 02 Oct 2011 10:30:34 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[statistics]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=285</guid>
		<description><![CDATA[The art of statistics – more calls, more cyber: Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has sharply risen as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, [...]<p><a href="http://netdefences.com/2011/10/cyber-crime-rate-escalating-says-deparment-of-homeland-security/" rel="bookmark" title="Permanent link to 'Cyber Crime rate escalating, says Department of Homeland Security'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>The art of statistics – more calls, more cyber:</p>
<blockquote>
<p>Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has sharply risen as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, while the number of such requests in 2010 was only 116, deploying the Emergency Response Team seven times this year as compared to only once or twice in previous years.</p>
</blockquote>
<p><a href="http://netdefences.com/2011/10/cyber-crime-rate-escalating-says-deparment-of-homeland-security/" rel="bookmark" title="Permanent link to 'Cyber Crime rate escalating, says Deparment of Homeland Security'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/cyber-crime-rate-escalating-says-deparment-of-homeland-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[Amazon&#8217;s Silk &#8211; security by sniffing?]]></title>
		<link><![CDATA[http://gigaom.com/2011/09/28/amazon-silk-or-a-spider-web/]]></link>
		<comments>http://netdefences.com/2011/10/amazons-silk-security-by-sniffing/#comments</comments>
		<pubDate>Sun, 02 Oct 2011 10:09:49 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[internet business]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=283</guid>
		<description><![CDATA[Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of phishtank.com, about his view of Amazon&#8217;s Silk browser. Next to the optional classic end-to-end browsing mode, the browser can route all the traffic via Amazon&#8217;s cloud machines to &#8220;optimize and accelerate the delivery of web content&#8221; (Amazon Silk FAQ), to &#8220;troubleshoot and diagnose Amazon Silk [...]<p><a href="http://netdefences.com/2011/10/amazons-silk-security-by-sniffing/" rel="bookmark" title="Permanent link to 'Amazon&#8217;s Silk &#8211; security by sniffing?'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of <a href="http://www.phishtank.com/about.php">phishtank.com</a>, about his view of Amazon&#8217;s Silk browser. Next to the optional classic end-to-end browsing mode, the browser can route all the traffic via Amazon&#8217;s cloud machines to &#8220;optimize and accelerate the delivery of web content&#8221; (<a href="http://www.amazon.com/gp/help/customer/display.html/ref=hp_rel_topic?ie=UTF8&#038;nodeId=200775440">Amazon Silk FAQ</a>), to &#8220;troubleshoot and diagnose Amazon Silk technical issues&#8221; (<a href="http://www.amazon.com/gp/help/customer/display.html/?nodeId=200775270">Amazon Silk Terms and Conditions</a>). David replies:</p>
<blockquote><p>I think it’s brilliant. Not sure if people are wary of Amazon doing it since they will see all your traffic but SOMEONE should be doing this. Performance is one reason, but security benefits could be added too. Ultimately I think the idea of decoupled browsing makes a lot of sense. I’d rather a remote exploit run in a VM in the cloud instead of compromising my mobile device and rooting my phone.</p></blockquote>
<p>While there is some ambiguity in Ulevitch&#8217;s wording, my interpretation is that he supports the idea of centralised access points for web surfing end users, which function as a kind of content washing machine, deleting malware, phishing sites and similarly insecure web content.</p>
<p>Will the sanitizers coalesce with the privatizers? <a href="http://cdespinosa.posterous.com/fire">Chris Espinosa</a>:</p>
<blockquote><p>The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet. </p>
<p>Fire isn’t a noun, it’s a verb, and it’s what Amazon has done in the targeted direction of Google. This is the first shot in the new war for replacing the Internet with a privatized merchant data-aggregation network.
</p></blockquote>
<p>And what does this from Amazon&#8217;s Silk FAQ mean: </p>
<blockquote><p>What about handling secure (https) connections?<br />
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://example.com).</p></blockquote>
<p><a href="http://netdefences.com/2011/10/amazons-silk-security-by-sniffing/" rel="bookmark" title="Permanent link to 'Amazon&#8217;s Silk &#8211; security by sniffing?'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/amazons-silk-security-by-sniffing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[John Healey on discussions about an international internet security treaty]]></title>
		<link><![CDATA[http://www.acus.org/new_atlanticist/breakthrough-or-just-broken-china-and-russias-unga-proposal-cyber-norms]]></link>
		<comments>http://netdefences.com/2011/10/john-healey-on-discussions-about-an-international-internet-security-treaty/#comments</comments>
		<pubDate>Sat, 01 Oct 2011 10:21:29 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[USA]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=271</guid>
		<description><![CDATA[Irrespective of David Eaves&#8217; speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current status quo of the discussions on a cybersecurity treaty. The Sino-Russian UN proposal [...]<p><a href="http://netdefences.com/2011/10/john-healey-on-discussions-about-an-international-internet-security-treaty/" rel="bookmark" title="Permanent link to 'John Healey on discussions about an international internet security treaty'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Irrespective of <a href="http://netdefences.com/2011/09/the-geopolitics-of-openness/">David Eaves&#8217; speculations</a> about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, <a href="http://www.acus.org/new_atlanticist/breakthrough-or-just-broken-china-and-russias-unga-proposal-cyber-norms">John Healey has summed up</a> the current status quo of the discussions on a cybersecurity treaty. At issue is the Sino-Russian UN proposal for an “International Code of Conduct for International Security&#8221;. Healey has an excerpt addressing Twitter revolutions (Russia&#8217;s and China&#8217;s noospheric soft belly) … </p>
<blockquote><p>The Russian and Chinese proposal asks for nations to pledge to<br />
<em>… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security.</em> </p></blockquote>
<p>… and then points at the omission of paragraphs on patriotic hackers (a kind of unlawful cyber combatant posing asymmetric risks for the West):</p>
<blockquote><p>Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).</p></blockquote>
<p>(Annotation: In Germany, courts have ruled human-bot-driven DDoS attacks legal and likened them to likewise legal sit-ins, which block traffic from and to property in the physical world.)</p>
<p><em>Update</em>: The <a href="http://blogs.cfr.org/asia/2011/09/28/collision-in-cyberspace-is-unavoidable-the-view-from-chinese-analysts/">Council of Foreign Relations has a blog entry</a> – alas too short – on the Chinese perspective of the geopolitics in cyberspace.</p>
<blockquote><p>But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace. </p></blockquote>
<p><a href="http://netdefences.com/2011/10/john-healey-on-discussions-about-an-international-internet-security-treaty/" rel="bookmark" title="Permanent link to 'John Healey on discussions about an international internet security treaty'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/john-healey-on-discussions-about-an-international-internet-security-treaty/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Malmström&#8217;s security cure for Europe: &#8220;The EU Internal Security Strategy in Action&#8221;</title>
		<link>http://netdefences.com/2010/11/malstroms-security-cure-for-europe-the-eu-internal-security-strategy-in-action/</link>
		<comments>http://netdefences.com/2010/11/malstroms-security-cure-for-europe-the-eu-internal-security-strategy-in-action/#comments</comments>
		<pubDate>Tue, 30 Nov 2010 01:23:09 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[EU]]></category>
		<category><![CDATA[internet politics]]></category>
		<category><![CDATA[internet security]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/11/malstroms-security-cure-for-europe-the-eu-internal-security-strategy-in-action/</guid>
		<description><![CDATA[Commissioner Cecilia &#8220;Censilia&#8221; Malmström has launched the European Commission&#8217;s EU Internal Security Strategy, &#8220;The EU Internal Security Strategy in Action&#8221;. One of the five &#8220;strategic objectives for internal security&#8221; mentioned in the document: &#8220;Raise levels of security for citizens and businesses in cyberspace.&#8221; According to her plans, Europe will have built capabilities to smoothly [...]]]></description>
			<content:encoded><![CDATA[<p>Commissioner <a href="http://en.wikipedia.org/wiki/Cecilia_Malmstr%C3%B6m">Cecilia &#8220;Censilia&#8221; Malmström</a> has launched the European Commission&#8217;s EU Internal Security Strategy, <a href="http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf">&#8220;The EU Internal Security Strategy in Action&#8221;</a>. One of the five &#8220;strategic objectives for internal security&#8221; mentioned in the document: &#8220;Raise levels of security for citizens and businesses in cyberspace.&#8221;</p>
<p>According to her plans, Europe will have built capabilities to smoothly respond to cyber attacks (contingency plans, sharing and alert systems) by 2013. <span id="more-170"></span> Most likely, attacks won&#8217;t be successful anyway, because Europe&#8217;s internet will by then be roughly resilient thanks to the European Partnership for Resilience (EP3R). In case something goes wrong, there will be well-connected governmental/national CERTs all over Europe. Perpetrators will be identified and prosecuted by the European cybercrime centre and LE staff in member states. And handling of illegal content is a security issue: ISPs, LE and non-profit orgs will find a cure for that security threat.</p>
<p>Toward a European Cybercrime Centre as the &#8220;focal point&#8221; for law enforcement, govCERTs as helpers:</p>
<blockquote><p>&#8220;By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe&#8217;s fight against cybercrime. At national level, Member States should ensure common standards among police, judges, prosecutors and forensic investigators in investigating and prosecuting cybercrime offences&#8221;</p></blockquote>
<p>Some self-help for users/citizens:</p>
<blockquote><p>&#8220;This <em>guidance</em> should include <em>how people can protect</em> their privacy online, detect and report grooming, equip their computers with basic anti-virus software and firewalls, manage passwords, and detect phishing, pharming, or other attacks. The Commission will in 2013 set up a <em>real-time central pool of shared resources and best practices</em> among Member States and the industry.&#8221;</p></blockquote>
<p>Internet resilience organisationally by some PPP arrangement:</p>
<blockquote><p>&#8220;Cooperation between the public and private sector must also be strengthened on a European level through the European Public-Private Partnership for Resilience (EP3R). … EP3R should also engage with international partners to strengthen the global risk management of IT networks.&#8221;</p></blockquote>
<p>Securitization of illegal content. The paper carefully avoids the word &#8220;<a href="http://bendrath.blogspot.com/2010/03/i-try-dialogue-with-eu-commissioner.html#links">filtering</a>&#8220;.</p>
<blockquote><p>&#8220;The handling of illegal internet content – including incitement to terrorism – should be tackled through guidelines on cooperation, based on authorised notice and take-down procedures, which the Commission intends to develop with internet service providers, law enforcement authorities and non-profit organisations by 2011.&#8221;</p></blockquote>
<p>Improve cyber attack response capabilities:</p>
<blockquote><p>&#8220;Firstly, every Member State, and the EU institutions themselves should have, by 2012, a well-functioning CERT. … [A]ll CERTs and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental CERTs by 2012 …. … developing, with the support of the Commission and ENISA, a <em>European Information Sharing and Alert System (EISAS)</em> to the wider public by 2013 …. Thirdly, Member States together with ENISA should develop national contingency plans and undertake regular national and European exercises….&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/11/malstroms-security-cure-for-europe-the-eu-internal-security-strategy-in-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; dataloss.db</title>
		<link>http://netdefences.com/2010/10/dataloss-db/</link>
		<comments>http://netdefences.com/2010/10/dataloss-db/#comments</comments>
		<pubDate>Wed, 27 Oct 2010 18:12:51 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[peer production]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/10/dataloss-db/</guid>
		<description><![CDATA[The so-called Open Security Foundation has set up a publicly view- and editable database to collect and share information about, well, data losses: DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation&#8217;s DataLossDB.org, asks [...]]]></description>
			<content:encoded><![CDATA[<p>The so-called Open Security Foundation has set up a publicly view- and editable <a href="http://datalossdb.org/">database</a> to collect and share information about, well, data losses:</p>
<blockquote><p>
  DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation&#8217;s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.
</p></blockquote>
<p>May it help those virtual runaway bits to come back to their motherships. Such as:</p>
<blockquote><p>
  New York breach notification: Bear Stearns &#8211; client information accidentally was viewable by 2 unauthorized firms. 442 NY residents potentially exposed.&nbsp;&nbsp;(Source)
</p></blockquote>
<p>If only Bear Stearns had exposed just those 442 New Yorkers. Anyhow. Data losses are a societal problem, especially when incidents climb up to the dimensions of the Heartland Payment Systems case with their <a href="http://datalossdb.org/incidents/1518-malicious-software-hack-compromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor">130,000,000 records</a> or the <a href="http://datalossdb.org/incidents/1172-t-mobile-lost-disk-containing-data-on-17-million-customers">T-Mobile Germany incident</a>, which affected some 17,000,000 customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/10/dataloss-db/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Nagging questions in cybersecurity research</title>
		<link>http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/</link>
		<comments>http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 10:53:27 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[workshop]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/</guid>
		<description><![CDATA[The Center for Media and Communication Studies at the Central European University (Budapest, Hungary), in partnership with the Centre for Global Communications Studies at the Annenberg School of Communications (Philadelphia, USA) will convene 30 selected experts next week at CEU in Budapest for a Strategic Workshop sponsored by the European Science Foundation (ESF). ...  The argument of non-enforceability is based on a) the lack of reach of national law enforcement agencies beyond their jurisdiction and territorial borders, b) the lack of cooperation of foreign national LEA, c) the agility of perpetrators to change their locus of action, technologies and tactics, d) slowness of legal international cooperation, e) unlawfulness of direct cooperation between national LEA and foreign non-states actors such as ISPs , f) non-cooperative stance of rogue countries. ]]></description>
			<content:encoded><![CDATA[<p>It doesn&#8217;t happen too often that you read about a conference or a workshop and think: Now, that was about time! Internet governance is about to undergo some fundamental changes; states are getting ever more involved, mostly to address internet security problems. A plethora of questions needs to be resolved to deal with these problems with well-designed institutions. And yet, as far as I can tell, there is no major research programme on internet security governance going on anywhere on this planet. Hence, the workshop &#8220;Europe And The Global Information Society Revisited: Developing A Network Of Scholars And Agenda For Social Science Research On ‘Cyber Security’&#8221; could not have come at a better time.<br />
The <a href="http://www.cmcs.ceu.hu/">Center for Media and Communication Studies at the Central European University</a> (Budapest, Hungary), in partnership with the <a href="http://www.global.asc.upenn.edu/">Centre for Global Communications Studies at the Annenberg School of Communications</a> (Philadelphia, USA) will convene 30 selected experts next week at CEU in Budapest for a Strategic Workshop sponsored by the <a href="http://www.esf.org/">European Science Foundation</a> (ESF). Flatteringly, if rather undeservedly, I will be on a panel discussing the relations between cybersecurity on the one hand and International Relations, governance and institutions on the other. What follows is my take on some blind spots in internet security research from a social scientific perspective.</p>
<p><span id="more-114"></span>The disruptive nature of the internet has been acknowledged and can be experienced in a wide range of societal dimensions. It has changed and still is changing the ways we communicate, how businesses are organised, how people collaborate, how we produce, exchange and consume informational goods. The internet is making inroads in domestic and international communications. However, the impact of the internet on the core institutions of organising security and the institutional necessity for organising internet security are still nebulous.</p>
<p>Cybersecurity can be seen as the umbrella concept for technologically related problems that are institutionally and in terms of governance addressed in fundamentally different ways: disturbance of infrastructural performance, internet-based crime, warfare and terrorism. As to practical governance, any of these problems needs to be properly assessed, empirically evaluated and practically addressed with appropriate means and institutions.</p>
<p>This is where the problem starts: Empirical analysis seems to be insufficient in nearly all the aforementioned security dimensions. While everyone seems to agree that cybercrime amounts to billions in damages, the numbers vary widely. Analyses are often funded and carried out by persons or organisations with vested interests; problems are occasionally exaggerated, hyped and securitised, and numbers are overblown and not set in context. Hence, the scale of internet security problems and their respective risks need to be clarified.</p>
<p>Regarding institutions, we are currently witnessing the emergence of state-driven internet security architectures as an attempt to deal with cybercrime-type internet security problems. Internet security policy seems to be more and more driven by actors that have always played a crucial role in nation states’ security politics: governments, states, international organisations, police forces, military and intelligence agencies. In a sense, national security institutions are reclaiming the state&#8217;s sovereignty to regulate whatever is within their territories. It is arguable whether this institutional approach will solve internet security problems such as phishing or botnets.</p>
<p>Ongoing debates in most Western countries on, e.g., web-filtering are framed by those in favour as a necessity to overcome a lack of enforceability of national criminal laws (sexual criminal law, property law, treason, other types of content regulation). The argument of non-enforceability is based on a) the lack of reach of national law enforcement agencies beyond their jurisdiction and territorial borders, b) the lack of cooperation of foreign national LEA, c) the agility of perpetrators to change their locus of action, technologies and tactics, d) the slowness of legal international cooperation, e) the unlawfulness of direct cooperation between national LEA and foreign non-state actors such as ISPs, f) the non-cooperative stance of rogue countries. The question here is whether those national approaches are caused by a lack of institutional adaptivity on the side of national legislation, by entrenched interests of national security authorities and other societal interests, or are justified by the nature of the problems. The idea of evidence-based governance suggests that we should know the empirics of the scale of the problem and the effects of regulation before regulation is proposed.</p>
<p>Currently, internet governance is characterised by institutional diversity, and likewise, internet security problems are addressed by different organisational and institutional forms. These differences can be found in criteria like the degree of state involvement in policy formulation, policy implementation or security operations, the degree of hierarchical forms of steering, the degree of information sharing, the kind of threats to internet security or the kind of objects of internet security dealt with by the governance form. The diversity of current modes of internet security governance and provisioning seems to be underexamined. The same holds true for the relationship between concurrent modes of governance/provisioning.</p>
<p>New technologies in general allow for reorganising existing organisational, political and production processes. With the rise of the internet, not only have new types of security problems evolved, but new ways of organising tasks and processes on any societal level have also become possible. We need to explore and assess new possibilities in security provisioning and their normative consequences.</p>
<p>The geopolitics of internet security governance and provisioning is another topic lacking thorough research. The internet has played a stunningly minor role for IR theorists for quite a long time. The trend of nationalising regulatory capacities highlights the necessity to analyse and assess the internet as a strategic resource for national politics and foreign policy strategies. Likewise, the idea of networked internet politics, the role of private actors therein and their consequences for shared democratic political values and institutions require more thorough examination.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

