The security risk of bad security-provisioning design  10.6.10

I’ve pointed out earlier some of the research questions for social scientific internet governance research. The main issues I described there are:

1. There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of internet security issues. Furthermore, existing institutions have hardly been researched.
2. Ongoing debates in the political sphere often refer to an lack-of-enforceability argument. More often than not, these arguments fail to be backed by scientific findings.
3. The geopolitical dimension of internet security is under-researched.
4. The potentially disruptive impact of internet-based collaboration on traditional security provisioning processes is to be explored. We can observe these discourses about new forms of distributed collaboration everywhere, but not in the field internet security governance.

The main issue for social sciences however to provide guidance for institutional and organisation design for internet security governance.

Ad-hoc defense system protecting railway embankment against Danube flood

The goal is to overcome the “problem of discovering workable political institutions for a community … that was created by a formidable revolution in technology; … and many of its common problems are beyond the power of nation states to solve.” This is a quote from the 1958 book, World Peace through World Law, by Grenville Clark and Louis B. Sohn. The community they refer to is nothing less than humanity or the community of world citizens that had been turned from a diverse, distributed, unconnected set of ethnics, tribes and nations into one community facing the fate of extinction by the invention of nuclear and hydrogen bombs. One can very well argue whether assured mutual destruction was the wisest answer humanity could have found for this problem.

Luckily, internet security problems aren’t that grim as the security problem caused by military use of nuclear technology — despite all that cyberwar/cyber-terror/cyber-Pearl Harbour/cyber-9/11/cyber-Katrina rhetoric. Societal risks are not only caused by internet security problems. The political reactions to them, the emergent institutional design and patterns of internet security governance can pose as grave a problem. The underlying threat for, well, relatively and somewhat open societies is that the responsibility for the security of the communicational nerve system is transferred to political, administrative and bureaucratic bodies which are characterised by secrecy, clandestiness, non-transparency and national egoisms. Traditionally, security-provisioning was owned by agencies that have just these characteristics. If, however, societies do not want to pass control of the internet to such institutions, the options are the following:

• Security institutions are substantially changed by adding transparency, openness, attributability and direct more direct involvement of citizens.
• Responsibility for internet security is distributed over complex, multiple layers with daunting attribution and legitimacy challenges. Responsibilities will be divided along criteria such as geography, jurisdictions, scale and scope of impact, ownership of resources and infrastructures, locus of expertise.

The risk inherent in internet security governance is to end up with governance institutions that are neither transparent, legitimate, far from citizens’ influence, non-inclusive or separatistic and do not allow for clear attribution. Which would equate to: insecurity through internet security institutions.