Agency or networks – some thoughts about Europe’s ongoing internet security debates 21.5.11
Well, I shouldn’t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I’ve been in Belgium a couple of weeks ago, used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of Waffles all over Midi station. It is like any station comes with a little suprise for its passengers. At Luxembourg station, the on which neighbours the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba’s “The winner takes it all.” For sure she does. (Which reminds me of “Mamma Mia”: Meryl Streep has quite a voice, by the way.)
The voices of the European citizens are represented by representatives sitting in offices matching in size those of elaborated knowledge workers in corporate headquarters. A nice quality surplus however comes with the inbuilt bathroom cell to wash off the blood, sweat and tears of parliamentary representative duties and meet and greet the lobbyesse du jour for background talks on lobby terms in a hopefully descent restaurant. There have probably been many discussions on internet security in the weeks ago as the European Parliament is heading for a couple of decisions relating that very topic.
There is, for one, the more simple institutional and organisational question of what to do with ENISA. Giles Chichester doesn’t literally say, “Shut it down”, but the eurosceptic and conservative English MEP is apparently close. For the Greek and Crete fans of ENISA, Chichester likely amounts to a major annoyance with his attacks on the location and its surroundings. The parliament’s focus on these formal problems instead of the agency’s mission and resources is somewhat inappropriate. The decision to host such an agency on Crete, as beautiful as it is for leisure purposes, is slightly awkward indeed, given that one of its crucial roles is to foster networking among internet security stakeholders in Europe. And networking works better if you’re not located at a paradisal back of beyond. But these aren’t the crucial topics.
Chichester, who is the Rapporteur of the European Parliament for the ENISA legislation, raised an interesting question in a parliamentary debate in 2008:
“Has the Commission seriously considered the possibility of replacing ENISA immediately by other, more appropriate, mechanisms, such as a permanent forum of stakeholders or a network of security organisations? Is it sure that network and information security must necessarily be addressed by means of a European agency, when the ENISA Management Board is not able to justify this? ”
The overall majority in the European Parliament certainly does not share Chichester’s fundamental ENISA critique, euroscepticism doesn’t go down well in the EP for a reason. On the contrary, MEPs supporting plans to strengthen ENISA‘s role, make Greece to build up the necessary infrastructure (international schools e.g.). Often enough, British euroscepticism has been a tool, a leverage for getting better outcomes in discussions in Brussels. The same probably goes for this case. Nevertheless, the discussion when a network of smaller organisations serves a task better that a central single one is certainly interesting not only of academic interest. When would you want to go beyond existing functions provided by a network of actors and start to merge its features into a distinct organisation or bureaucratic body? For sure, a comparison of transactions costs will help you to find the optimal organisational approach, yet that doesn’t save you from the laborious task to find the figures to fill into your Excel comparison sheet.
The current trend in internet polity, not only in Brussels, is to create distinct bodies, organisations, and task forces to report directly to the mandating body. Politicians want quick access and information to those responsible for internet security and want to easily delegate responsibilities and task to these internet security organisations. ENISA and similar bodies serve as proxies for internet security-related knowledge, able to formulate recommendations for the Brussels cabal at request. I can wholeheartedly comprehend the difficulties of grasping the complexities of internet security politics and polity. An aspect in this networks-vs-states debate that probably needs more examination is insecurity among decision makers caused – an insecurity that is caused by insufficient or contradictory information.
ENISA hence, among other tasks, conducts studies and research about existing response capabilities in Europe, commissions and co-authors reports on specific internet security issues, collects yellow-pages like information on existing response organisations, creates networking opportunities for security operations teams and experts. ENISA’s role itself is by and large not operational, for now at least. Many of these tasks could theoretically be delegated to e.g. TF-CSIRT, consultancies, research institutes, research programmes or the EU Commission bureaucracy. It’s just easier (lower transaction costs) for politicians to have all these capabilities bundled into one agency. Internet security bodies in fact represent a layer of attribution and trustworthiness for politicians when dealing with non-attributable and allegedly semi-trustworthy networks.
ENISA’s products might help to make trans-european incident response more effective and efficient. But, operational internet security can only be achieved by collaborative networks of first and foremost owners of private networks and their operational staff. Additional inter-organisational managerial or political governance layers above do not necessarily help to increase operational internet security. But they can ease the knowledge-problem in the political sphere. So, inserting an overseeing bureaucratic layer above actual internet security provisioning is rather predictable and hence boring outcome. The Commission’s solution to dealing with the problem to link the internet security networks with the state is their PPP approach, which in effect is collaboration between government sphere with multinationals. Yet, the internet security community comprises more actors than mere internet and security companies. From a societal perspective, I’m wondering whether the likely increases in costs of providing internet security (bloated governance regime, professionalisation and PPPification) will match the gained costs of reduced insecurity.