The security risk of hierarchies embracing internet security communities 28.1.11
The Baltic TImes reports:
Estonia’s defense minister has said he plans to create a volunteer “cyber defense league”… “We are thinking of introducing this conscript service, a cyber service,” Defense Minister Jaak Aaviksoo said in an interview with NPR. “[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.”
The NATO Source Alliance news blog of the Atlantic Council reports:
Now …[Estonia] is a model for how a country might defend itself during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command. …
Aaviksoo says it’s so important for Estonia to have a skilled cyber army that the authorities there may even institute a draft to make sure every cyber expert in the country is available in a true national emergency.
The new NCDU initiative will see the Total Defense League form a special liaison group to correlate its activities and intelligence with the CCD-COE.
So much for the plans of the Estonian Ministry of Defence.
The RIA (Riigi Infosüsteemide Arenduskeskuse, the Estonian Informatics Center, CERT-EE is part of that) is under supervision of the Ministry of Economic Affairs and Communications. The RIA will soon be promoted to a national authority (Riigi Infosüsteemide Amet), the RIA website tells us. I haven’t found an article in Western media about it, so Google Translate kindly helps out:
The government today approved the draft of National Informatics Centre will from 1 Agency in June 2011. The new Office will expand the state information systems dealing with security issues, and can be attached to the Inspection Department.
RIA Director Epp Joab, “created in the cybersecurity office is organizing three different roles. First, we develop the system further security measures. Continuous development of security measures are necessary because the risks of rapid technological progress, changing and improved attacks. Another is the role of planning in cybersecurity, and preventing the situation is monitored. Here we have prevention and IT professionals engaged in training, we now pay more attention to planning and monitoring. Third, arrange an emergency law and the state supervision over compliance with the Public Information Act. “
“Cyber security strategy for 2008-2013” states that are most important in ensuring a comprehensive cyber security management system. This means that there must be both public and private companies providing vital services to prevent service interruptions caused by küberintsidentidest and the need to be able to quickly restore service.
However, it is clear that security incidents can not be completely ruled out. This means that Estonia has the potential to respond to incidents quickly, and effective manner. To this end, first mapped potential information security risks, weigh their implications and then take the necessary security measures. Because security is very expensive, and some risks will always remain, the owners of information systems and critical services necessary to obtain an independent assessment of whether the selected security measures are adequate. The new Authority will verify that the public and private critical information systems should be built up and stored securely.
Also, the Agency will infosüstemide introduced by the new laws. It is necessary that different systems can function together from the moment of creation. … RIA restructuring of cybersecurity and the need for additional resources related to the enlargement of the area is 12.9 million euros a year.
(Some paragraphs with a presumably better translation can be found in an interesting blog that covers Estonian economic affairs, “Government to found Estonian Informatics Board“.)
So, the Ministry of Defence aims for an interesting organisational approach that could be called “voluntary conscription services”. Whatever that means. The new authority under the auspices of the Ministry of Economics and Communication is to “arrange an emergency law”. The question the news above incite is whether government authorities would bypass management levels of infrastructure providers and command reconfigurations of internet components to ensure the functionality of domestic internet systems?
Irrespective of the answer, traditional security hierarchies have a problem with regard to internet security provisioning. Their institutional genes to expand their competencies into any domains that needs some security, is stymied by some internal and external factors: They appear to not have the skills on a scale necessary to guarantee the infrastructural security of the internet, nor, most importantly, do they own all those infrastructural components and resources.
From a global perspective, the conclusions that are drawn from this conscription idea are even more important. The Atlantic Council blog calls this organisational approach, which would include a central military command and conscription of cyber security experts, a “role model”. How would existing internet security communities react to the warm breath of embracing security hierarchies? Loyalty to the community that might then no longer represent the idea of self governance? Raise their voices? Or chose the exit doors and leave the communities? Would, just in case substantial “exit” looms, “conscription” be the instrument to bar just that?
The idea of “conscription” is surprising considering that the internet security community has managed to keep the internet up and running for decades – despite the fear-mongering of rhetoric patterns like “Digital Pearl Harbour” in the nineties and its later, similar successors. A somewhat popular discussion in social sciences, the so-called the Timuss-Arrow debate, provides some helpful insights into what happens when a production system based on voluntariness is transferred to one based on external motivation like the market. – telling story for those disturbing the structure and principles of volunteers. Yochai Benkler sums up the consequences on the volunteers’ thinking and motivation:
Extrinsic motivations [market incentives, i.e. money; for my argument here: the motivation to avoid the whip of superiors in the command chain] are said to “crowd out” intrinsic motivations [e.g. to voluntarily help to keep the internet up and running in times of an attack] because they (a) impair self-determination—that is, a person feels pressured by an external force, and therefore feels overjustified in maintaining her intrinsic motivation rather than complying with the will of the source of the extrinsic reward; or (b) impair self-esteem—they cause an individual to feel that his internal motivation is rejected, not valued, leading him to reduce his self-esteem and thus to reduce effort.
Given that reduced effort of volunteering internet security expert is the least you would currently want, one could hypothesise that one of the greatest internet security risks is the subordination of volunteers under a formalised command-chain.