<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>netdefences &#187; openness</title>
	<atom:link href="http://netdefences.com/tag/openness/feed/" rel="self" type="application/rss+xml" />
	<link>http://netdefences.com</link>
	<description>internet security, research and politics</description>
	<lastBuildDate>Thu, 02 Feb 2012 10:35:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title><![CDATA[The risks of open collaboration, OWS edition]]></title>
		<link><![CDATA[http://gawker.com/5850054/meet-the-guy-who-snitched-on-occupy-wall-street-to-the-fbi-and-nypd]]></link>
		<comments>http://netdefences.com/2011/10/securing-collaboration/#comments</comments>
		<pubDate>Fri, 21 Oct 2011 19:05:06 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[politics]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=313</guid>
		<description><![CDATA[Not much of a surprise, the Occupy Wall Street movement has been infiltrated. A New York-based security consultant called Thomas Ryan and a team of IT security professionals managed to access systems used by the movement. As part of their intelligence-gathering operation, the group gained access to a listserv used by Occupy Wall Street organizers [...]<p><a href="http://netdefences.com/2011/10/securing-collaboration/" rel="bookmark" title="Permanent link to 'The risks of open collaboration, OWS edition'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Not much of a surprise, the Occupy Wall Street movement has been infiltrated. A New York-based security consultant called Thomas Ryan and a team of IT security professionals managed to access systems used by the movement. </p>
<blockquote><p>As part of their intelligence-gathering operation, the group gained access to a listserv used by Occupy Wall Street organizers called September17discuss. On September17discuss, organizers hash out tactics and plan events, conduct post-mortems of media appearances, and trade the latest protest gossip. On Friday, Ryan leaked thousands of September17discuss emails to conservative blogger Andrew Breitbart, who is now using them to try to smear Occupy Wall Street as an anarchist conspiracy to disrupt global markets.</p>
<p>What may be much more alarming to Occupy Wall Street organizers is that while Ryan was monitoring September17discuss, he was forwarding interesting email threads to contacts at the NYPD and FBI, including special agent Jordan T. Loyd, a member of the FBI&#8217;s New York-based cyber security team. (…) …Loyd cited Occupy Wall Street as an example of a &#8220;newly emerging threat to U.S. information systems.&#8221;</p></blockquote>
<p>The incident highlights structural weaknesses of open collaborative platforms in social environments with detrimental perceptions and interests. A group that wants to become a mass movement doesn&#8217;t have the choice of operating and planning in secrecy. Nor does it have the means to sanction – from the perspective of the group – anti-social behaviour. At yet another frontier, Generation Openness is learning the hard way that sharing can come with costs. It&#8217;ll be interesting to observe the institutional innovations the OWS movement will inevitably come up with.</p>
<p><a href="http://netdefences.com/2011/10/securing-collaboration/" rel="bookmark" title="Permanent link to 'The risks of open collaboration, OWS edition'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/securing-collaboration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[Organisations going social]]></title>
		<link><![CDATA[http://mashable.com/2011/09/28/open-source-social/]]></link>
		<comments>http://netdefences.com/2011/10/organisations-going-social/#comments</comments>
		<pubDate>Mon, 03 Oct 2011 06:44:53 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[open source software]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[peer production]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=277</guid>
		<description><![CDATA[Tim Yeaton on mashable.com. Let&#8217;s ignore the fact that the article is a piece of journalism in which the author implicitly praises one of his business outlets. Another pivotal change is the fact that enterprise IT organizations are now discovering the need to &#8220;go social&#8221; and join communities as a strategy for leveraging and [...]<p><a href="http://netdefences.com/2011/10/organisations-going-social/" rel="bookmark" title="Permanent link to 'Organisations going social'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Tim Yeaton on mashable.com. Let&#8217;s ignore the fact that the article is a piece of journalism in which the author implicitly praises one of his business outlets. </p>
<blockquote><p>Another pivotal change is the fact that enterprise IT organizations are now discovering the need to &#8220;go social&#8221; and join communities as a strategy for leveraging and using more open source software, especially mission-critical components. This significant trend reflects the reality that open source use is becoming a competitive requirement. Even within the firewall of an enterprise, the trend toward collaborative development to share best practices, facilitate code reuse, and enhance developer productivity is escalating rapidly. …</p>
<p>While social development isn&#8217;t a challenge for Gen Y developers, it still presents management challenges for enterprises, especially larger ones. Moving at web speed and using social tools still requires some adjustment. For example, new college hires expect to be community participants, yet large enterprises may not be comfortable with this level of transparency. Although open source projects are based on the notion of transparency, collaboration and meritocracy, some corporate policies may prohibit or limit this philosophy, just like some corporate cultures may resist the trend toward openness in development.</p></blockquote>
<p>Abstracting from software development: We&#8217;ll observe that functional units of larger organisations ever more connect with distinct communities and attempt to reap the fruits of these communities. The trick is to identify your organisation&#8217;s gems and me-too&#8217;s to achieve the maximum degree of openness without compromising your business model.</p>
<p><a href="http://netdefences.com/2011/10/organisations-going-social/" rel="bookmark" title="Permanent link to 'Organisations going social'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/10/organisations-going-social/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title><![CDATA[The Geopolitics of Openness]]></title>
		<link><![CDATA[http://eaves.ca/2011/09/28/the-geopolitics-of-the-open-government-partnership-the-beginning-of-open-vs-closed/]]></link>
		<comments>http://netdefences.com/2011/09/the-geopolitics-of-openness/#comments</comments>
		<pubDate>Fri, 30 Sep 2011 16:09:14 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[Linked]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[USA]]></category>

		<guid isPermaLink="false">http://netdefences.com/?p=267</guid>
		<description><![CDATA[Interesting argument by David Eaves regarding the Open Government Partnership: The OGP is part of a 21st century containment policy. And I&#8217;d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…) Who is [...]<p><a href="http://netdefences.com/2011/09/the-geopolitics-of-openness/" rel="bookmark" title="Permanent link to 'The Geopolitics of Openness'" class="glyph">&#9733;</a></p>
]]></description>
			<content:encoded><![CDATA[<p>Interesting argument by David Eaves regarding the <a href="http://www.opengovpartnership.org/">Open Government Partnership</a>:</p>
<blockquote><p>The OGP is part of a 21st century containment policy. And I&#8217;d go further, it is an effort to forge a new axis around which America specifically, and a broader democratic camp more generally, may seek to organize allies and rally its camp. (…)</p>
<p>Who is being contained? [China, Iran, Russia, Saudi Arabia, Pakistan] (…)</p></blockquote>
<blockquote><p>It&#8217;s no trivial coincidence that on the day of the OGP launch the President announced the United States first fulfilled commitment would be its decision to join the Extractive Industries Transparency Initiative (EITI). (…)</p>
<p>This is America essentially signalling to African people and their leaders &#8211; do business with us, and we will help prevent corruption in your country. We will let you know if officials get paid off by our corporations.</p></blockquote>
<p>More data would certainly help to substantiate the argument, which in its current state is absorbing, but not compelling.</p>
<p>It would be interesting to link strategic US foreign policy thinking to &#8216;openness&#8217; in governance – I&#8217;m thinking of, e.g., Anne-Marie Slaughter&#8217;s recent Foreign Affairs article, in which she proposed for the U.S. to take the role of a central node in a highly networked and, governance-wise, deconstructed world. The OGP could be one element in the operationalisation of this strategy.</p>
<p><a href="http://netdefences.com/2011/09/the-geopolitics-of-openness/" rel="bookmark" title="Permanent link to 'The Geopolitics of Openness'" class="glyph">&#9733;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/09/the-geopolitics-of-openness/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>&#9733; The security risk of hierarchies embracing internet security communities</title>
		<link>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/</link>
		<comments>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/#comments</comments>
		<pubDate>Fri, 28 Jan 2011 11:50:35 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Estonia]]></category>
		<category><![CDATA[hierarchies]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[openness]]></category>

		<guid isPermaLink="false">http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/</guid>
		<description><![CDATA[The Baltic Times reports: Estonia&#8217;s defense minister has said he plans to create a volunteer &#8220;cyber defense league&#8221;… &#8220;We are thinking of introducing this conscript service, a cyber service,&#8221; Defense Minister Jaak Aaviksoo said in an interview with NPR. &#8220;[Our] league brings together specialists in cyberdefense who work in the private sector as well as [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.baltictimes.com/news/articles/27704/">Baltic Times reports</a>:</p>
<blockquote><p>
  Estonia&#8217;s defense minister has said he plans to <b>create a volunteer &#8220;cyber defense league&#8221;</b>… &#8220;We are thinking of introducing this <b>conscript service</b>, a cyber service,&#8221; Defense Minister Jaak Aaviksoo said in an interview with NPR. &#8220;[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.&#8221;
</p></blockquote>
<p><span id="more-171"></span></p>
<p>The NATO Source Alliance news blog of the <a href="http://www.acus.org/natosource/estonia-develops-volunteer-cyber-defense-force-and-considers-drafting-techies">Atlantic Council reports</a>:</p>
<blockquote><p>
  Now …[Estonia] is <b>a model for how a country might defend itself</b> during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function <b>under a unified military command</b>. …<br />
  Aaviksoo says it&#8217;s so important for Estonia to have a skilled cyber army that the authorities there may even institute <b>a draft</b> to make sure every cyber expert in the country is available in a true national emergency.
</p></blockquote>
<p><a href="http://www.defensenews.com/story.php?i=5556484&amp;c=EUR&amp;s=TOP">DefenseNews</a>:</p>
<blockquote><p>
  The new NCDU initiative will see the Total Defense League form a special liaison group to correlate its activities and intelligence with the CCD-COE.
</p></blockquote>
<p>So much for the plans of the Estonian Ministry of Defence.</p>
<p>The RIA (Riigi Infosüsteemide Arenduskeskuse, the Estonian Informatics Center; CERT-EE is part of it) is under the supervision of the Ministry of Economic Affairs and Communications. The RIA will soon be promoted to a national authority (Riigi Infosüsteemide Amet), the RIA website tells us. I haven&#8217;t found an article in Western media about it, so <a href="http://translate.google.com/translate?u=http%3A//www.ria.ee/&amp;hl=de&amp;langpair=auto|en&amp;tbb=1&amp;ie=UTF-8">Google Translate kindly helps out</a>:</p>
<blockquote>
<p>The government today approved the draft of National Informatics <b>Centre</b> will from 1 <b>Agency</b> in June 2011. The new Office will expand the state information systems dealing with security issues, and can be attached to the Inspection Department.</p>
<p>RIA Director Epp Joab, &#8220;created in the cybersecurity office is organizing <b>three different roles</b>. First, we develop the system further security measures. Continuous development of security measures are necessary because the risks of rapid technological progress, changing and improved attacks. Another is the role of planning in cybersecurity, and preventing the situation is monitored. Here we have prevention and IT professionals engaged in training, we now pay more attention to planning and monitoring. Third, arrange an <b>emergency law</b> and the <b>state supervision over compliance</b> with the Public Information Act. &#8220;</p>
<p>&#8220;Cyber security strategy for 2008-2013&#8243; states that are most important in ensuring a comprehensive cyber security management system. This means that there must be <b>both public and private companies providing vital services</b> to prevent service interruptions caused by küberintsidentidest and the need to be able to quickly restore service.</p>
<p>However, it is clear that security incidents can not be completely ruled out. This means that Estonia has the <b>potential to respond to incidents quickly</b>, and effective manner. To this end, first mapped potential information security risks, weigh their implications and then take the necessary security measures. Because security is very expensive, and some risks will always remain, the <b>owners of information systems and critical services necessary to obtain an independent assessment of whether the selected security measures are adequate</b>. The new Authority will verify that the public and private critical information systems should be built up and stored securely.</p>
<p>Also, the Agency will infosüstemide introduced by the new laws. It is necessary that different systems can function together from the moment of creation. … RIA restructuring of cybersecurity and the need for additional resources related to the enlargement of the area is 12.9 million euros a year.
</p></blockquote>
<p>(Some paragraphs with a presumably better translation can be found in an interesting blog that covers Estonian economic affairs, &#8220;<a href="http://brilliantfixer.wordpress.com/2011/01/17/government-to-found-estonian-informatics-board/">Government to found Estonian Informatics Board</a>&#8220;.)</p>
<p>So, the Ministry of Defence aims for an interesting organisational approach that could be called &#8220;voluntary conscription services&#8221;. Whatever that means. The new authority under the auspices of the Ministry of Economics and Communication is to &#8220;arrange an emergency law&#8221;. The question the news above raises is whether government authorities would bypass management levels of infrastructure providers and command reconfigurations of internet components to ensure the functionality of domestic internet systems.</p>
<p>Irrespective of the answer, traditional security hierarchies have a problem with regard to internet security provisioning. The institutional gene that drives them to expand their competencies into any domain that needs some security is stymied by some internal and external factors: They appear not to have the skills on the scale necessary to guarantee the infrastructural security of the internet, nor, most importantly, do they own all those infrastructural components and resources.</p>
<p>From a global perspective, the conclusions that are drawn from this conscription idea are even more important. The Atlantic Council blog calls this organisational approach, which would include a central military command and conscription of cyber security experts, a &#8220;role model&#8221;. How would existing internet security communities react to the warm breath of embracing security hierarchies? Loyalty to the community that might then no longer represent the idea of self governance? Raise their voices? Or choose the exit doors and leave the communities? Would, just in case substantial &#8220;exit&#8221; looms, &#8220;conscription&#8221; be the instrument to bar just that?</p>
<p>The idea of &#8220;conscription&#8221; is surprising considering that the internet security community has managed to keep the internet up and running for decades – despite the fear-mongering of rhetorical patterns like &#8220;Digital Pearl Harbour&#8221; in the nineties and its later, similar successors. A somewhat popular discussion in social sciences, the so-called Titmuss-Arrow debate, provides some helpful insights into what happens when a production system based on voluntariness is transferred to one based on external motivation like the market &#8211; a telling story for those disturbing the structure and principles of volunteers. <a href="http://christmasgorilla.net/longform/benkler-sharing-nicely.html">Yochai Benkler sums up</a> the consequences on the volunteers&#8217; thinking and motivation:</p>
<blockquote><p>
  <b>Extrinsic motivations</b> [market incentives, i.e. money; for my argument here: the motivation to avoid the whip of superiors in the command chain] are said to “crowd out” intrinsic motivations [e.g. to voluntarily help to keep the internet up and running in times of an attack] because they (a) impair self-determination—that is, a person feels pressured by an external force, and therefore feels overjustified in maintaining her intrinsic motivation rather than complying with the will of the source of the extrinsic reward; or (b) impair self-esteem—they cause an individual to feel that his internal motivation is rejected, not valued, leading him to reduce his self-esteem and thus to <b>reduce effort</b>.
</p></blockquote>
<p>Given that reduced effort by volunteering internet security experts is the last thing you would currently want, one could hypothesise that one of the greatest internet security risks is the subordination of volunteers under a formalised command-chain.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2011/01/the-security-risk-of-hierarchies-embracing-internet-security-communities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Mike Elgan on Openness vs. secrecy &#8211; the case of Apple vs. Google</title>
		<link>http://netdefences.com/2010/10/mike-elgan-on-openness-vs-secrecy-the-case-of-apple-vs-google/</link>
		<comments>http://netdefences.com/2010/10/mike-elgan-on-openness-vs-secrecy-the-case-of-apple-vs-google/#comments</comments>
		<pubDate>Sat, 30 Oct 2010 09:59:59 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[secrecy]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/10/mike-elgan-on-openness-vs-secrecy-the-case-of-apple-vs-google/</guid>
		<description><![CDATA[Mike Elgan compares the alleged openness of Google with the notoriously secretive Jobsian empire. The surprising discovery is that every company has its secret sauce, the recipe of which is stored in iron boxes or, in modern times, in encrypted databases: The companies are different, and what they’re “open” about reflects that difference. For example, Trump [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://itmanagement.earthweb.com/features/article.php/3910226/How-Google-Is-Closed-Just-Like-Apple.htm">Mike Elgan compares</a> the alleged openness of Google with the notoriously secretive Jobsian empire. The surprising discovery is that every company has its secret sauce, the recipe of which is stored in iron boxes or, in modern times, in encrypted databases:</p>
<blockquote><p>
  The companies are different, and what they’re “open” about reflects that difference. For example, Trump is very secretive about pending real estate transactions, but would probably be happy to share the details of food served at one of his golf courses. McDonald’s on the other hand, isn’t all that secretive about real estate transactions but they’re very secretive or “closed” about their Secret Sauce.</p>
<p>In other words, companies are very closed, secretive, and controlling about the part of their business that makes the money. (via <a href="http://daringfireball.net/linked/2010/10/27/elgan-google-closed">gruber</a>)</p>
</blockquote>
<p>Reminds me of the interesting question: who has or wants which secret sauce in the area of internet security?</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/10/mike-elgan-on-openness-vs-secrecy-the-case-of-apple-vs-google/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; Pentagon&#8217;s point about harmfulness of openness</title>
		<link>http://netdefences.com/2010/10/pentagons-point-about-harmfulness-of-openness/</link>
		<comments>http://netdefences.com/2010/10/pentagons-point-about-harmfulness-of-openness/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 20:16:30 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[secrecy]]></category>
		<category><![CDATA[Wikileaks]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/10/pentagons-point-about-harmfulness-of-openness/</guid>
		<description><![CDATA[It doesn&#8217;t come as a surprise that the Pentagon doesn&#8217;t heartily embrace the leakage of some 400,000 classified records covering unfavourable Iraq incidents. The line is familiar among students of security institutions: Openness would be detrimental to security by creating new vulnerabilities. In the words of Pentagon press secretary Geoff Morrell: &#8220;Potentially what one could [...]]]></description>
			<content:encoded><![CDATA[<p>It doesn&#8217;t come as a surprise that the Pentagon doesn&#8217;t heartily embrace the leakage of some 400,000 classified records covering unfavourable Iraq incidents. The line is familiar among students of security institutions: Openness would be detrimental to security by creating new vulnerabilities. In the words of Pentagon press secretary Geoff Morrell:</p>
<blockquote><p>
  &#8220;Potentially what one could mine from a huge data base like this are vulnerabilities in terms of how we operate, our tactics, our techniques, our procedures, the capabilities of our equipment, how we respond in combat situations, response times &#8212; indeed how we cultivate sources,” Morrell said. “All of that, [given the] thinking and adaptive enemy we’ve been facing in Iraq and Afghanistan, can be used against us.&#8221;
</p></blockquote>
<p>(Source: <a href="http://smallwarsjournal.com/blog/2010/10/wikileaks-again/">Smallwarsjournal.com</a>; <a href="http://www.youtube.com/watch?v=Y8xMD2xP63Y">similar</a> in a press conference in early August)</p>
<p>Openness, i.e. sharing operational and tactical information with adversaries, can create opportunities for adversaries to mitigate attack or defence capabilities. Can. Potentially. But what are the real costs of openness? And how do they compare to societal, political, and humanitarian costs of closure?</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/10/pentagons-point-about-harmfulness-of-openness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#9733; The security risk of bad security-provisioning design</title>
		<link>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/</link>
		<comments>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 16:28:44 +0000</pubDate>
		<dc:creator>Andreas Schmidt</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[internet security governance]]></category>
		<category><![CDATA[openness]]></category>
		<category><![CDATA[secrecy]]></category>

		<guid isPermaLink="false">http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/</guid>
		<description><![CDATA[I&#8217;ve pointed out earlier some of the research questions for social scientific internet governance research. The main issues I described there are: There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve pointed out <a href="http://netdefences.com/2010/04/nagging-questions-in-cybersecurity-research/">earlier</a> some of the research questions for social scientific internet governance research. The main issues I described there are:</p>
<ol>
<li>There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of internet security issues. Furthermore, existing institutions have hardly been researched.</li>
<li>Ongoing debates in the political sphere often refer to a lack-of-enforceability argument. More often than not, these arguments fail to be backed by scientific findings.</li>
<li>The geopolitical dimension of internet security is under-researched.</li>
<li>The potentially disruptive impact of internet-based collaboration on traditional security provisioning processes is to be explored. We can observe these discourses about new forms of distributed collaboration everywhere, but not in the field of internet security governance.</li>
</ol>
<p>The main issue for social sciences, however, is to provide guidance for institutional and organisational design for internet security governance.</p>
<p><img src="http://netdefences.com/wp-content/uploads/IMG_0390.jpg" width="360" height="480" alt="IMG_0390.jpg" style="padding-right:8px;" /></p>
<p><i><font size="3"><span style="font-size: 13px;">Ad-hoc defense system protecting railway embankment against Danube flood</span></font></i></p>
<p><span id="more-131"></span></p>
<p>The goal is to overcome the “problem of discovering workable political institutions for a community … that was created by a formidable revolution in technology; … and many of its common problems are beyond the power of nation states to solve.” This is a quote from the 1958 book, <i>World Peace through World Law,</i> by Grenville Clark and Louis B. Sohn. The community they refer to is nothing less than humanity or the community of world citizens that had been turned from a diverse, distributed, unconnected set of ethnic groups, tribes and nations into one community facing the fate of extinction by the invention of nuclear and hydrogen bombs. One can very well argue whether assured mutual destruction was the wisest answer humanity could have found for this problem.</p>
<p>Luckily, internet security problems aren&#8217;t as grim as the security problem caused by military use of nuclear technology — despite all that cyberwar/cyber-terror/cyber-Pearl Harbour/cyber-9/11/cyber-Katrina rhetoric. Societal risks are not only caused by internet security problems. The political reactions to them, the emergent institutional design and patterns of internet security governance can pose as grave a problem. The underlying threat for, well, relatively and somewhat open societies is that the responsibility for the security of the communicational nerve system is transferred to political, administrative and bureaucratic bodies which are characterised by secrecy, clandestineness, non-transparency and national egoisms. Traditionally, security-provisioning was owned by agencies that have just these characteristics. If, however, societies do not want to pass control of the internet to such institutions, the options are the following:</p>
<ul>
<li>Security institutions are substantially changed by adding transparency, openness, attributability and more direct involvement of citizens.</li>
<li>Responsibility for internet security is distributed over complex, multiple layers with daunting attribution and legitimacy challenges. Responsibilities will be divided along criteria such as geography, jurisdictions, scale and scope of impact, ownership of resources and infrastructures, locus of expertise.</li>
</ul>
<div id="ectocontent">
  <br />
  <img src="http://netdefences.com/wp-content/uploads/IMG_03792.jpg" width="360" height="480" alt="Mumus Bar, Budapest" />
</div>
<p>The risk inherent in internet security governance is to end up with governance institutions that are neither transparent nor legitimate, that are far from citizens&#8217; influence, non-inclusive or separatist, and that do not allow for clear attribution. Which would equate to: insecurity through internet security institutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://netdefences.com/2010/06/the-security-risk-of-bad-security-provisioning-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

