My talk at the Digital Agenda Assembly  21.6.13

I had a few lively days here in Dublin. Not only could I escape the mind-softening heat in central Europe and enjoy Ireland’s more bracing climate. The European Commission’s arm for all things digital, DG Connect (formally: the European Commission Directorate General for Communications Networks, Content and Technology), and the Irish EU Presidency had invited to this year’s Digital Agenda Assembly to reflect on the progress of and further opportunities for the Digital Agenda for Europa. The first half of the two-days event was packed with seven all-day workshops, and I had the pleasure to share a panel with a number of accomplished gentlemen (this perfectly represents the piteous excess of men in the infosec scene) in the workshop on “Building an open, safe & secure cyberspace.” Giuseppe Abbamonte, the author of substantial parts of Europe’s cyber-strategy and the Impact Assessment that accompanies the proposed Directive on Network and Information Security, convincingly explained the reasons for the need for a European approach: Only ten member states had developed a convincing strategy against cybercrime, the rest of the pack lags terribly behind. Frederic Martinez of Alcatel Lucent shared details from the trenches. MEP Malcolm Harbour added insights from the European Parliament. Nick Coleman, IBM’s Head of  Global Cyberintelligence, talked about responsibilities and processes. I then played the role of the academic and did what we are best at: raising questions and doubts, widening the perspective, and thereby provide ideas that are hopefully not  applicable in the office the next day. 

Here’s roughly what I’ve talked about:

—-

Following the contributions from representatives from industry, policy making and regulatory authorities, I’d like to address two things in my statement:
First, I give a brief summary over my field of research, i.e. Internet and network security from an political, economic, and organisational angle, share some commons wisdoms of that field, but also highlight some issues where we can’t give contribute substantial knowledge yet.
Secondly, I want to contextualise the proposed NIS directive in the wider context of our search for appropriate forms for the governance and provisioning of internet security.

It is save to say that in our field of research, it is widely accepted knowledge that the incentives among all actors are misaligned. Those actors who have the technical and organisations capabilities to mitigate ongoing attacks, invest in mechanisms to prevent them in the first place and help to increase the overall resilience of ICT systems often have too little economic incentives to actually intervene and help improve the situation. Everyone has reasons to ignore the need to step up in the cybersecurity game until they are themselves hit by an attack. Vendors of software and hardware, Internet services and hosting providers, end users, and even police forces have plausible reasons why security is not high up in their agenda, even if things might have slightly changed here in the last few years. The ensuing scientific discussion has therefore focussed on how to raise incentives for actors who can make a difference in NIS. ISPs were soon identified as a potential regulatory object, as they appear to have capabilities required to mitigate ongoing incidents.
But there certainly still are a quite a number of puzzles to which our field of research can’t make sufficient contributions. And as our search for good regulatory interventions will go on for a while, we might want to answer them. Good regulation should ideally be based on facts, not the unkwown unknown. Among the the questions whe have no suffient answers to yet are:
* Which intermediaries act responsibly and help to respond to ongoing attacks and structural, long-term risks?
* Which containment strategies against botnets or malware work best?
* Which owners of networks are negligent when it comes to security and which set good examples?

These admittedly are very specific questions. But we also have some wider, more general puzzles that need to be solved. The by and large discerning Impact Assesment, which accompanied the NIS directive proposal and was prepared by the Commission staff, has highlighted the previous (and still existing) voluntary approach to cybersecurity as a partial failure. My inner researcher however would consider the generalised statement that the voluntary approach has failed not as proven knowledge, but rather as a hypothesis. It leaves unanwered which elements and institutions of that voluntary approach to security governance have not worked? And which have? And why?
Before we kiss these voluntary approaches goodbye and replace them with public capabilities and institutions, we’d better have some answers to these questions.

This leads us—and this is my second point—to a fundamental issue, potentially the most momentous of all internet politics issues: Which institutions do we want for internet security governance? How do we want to govern and provision it in the future? And which modalities of sharing do we want to use?

Internet security governance and production is a wicked game. It is is such a tricky thing for a number of reasons:
a) It’s about security. And security policy usually involves force, enforcement, and secrecy. None of these factors fit particularly well to the much heralded ideals of transparency and openness.
b) It’s a transnational issue. The distributiveness of the problem, of incidents, of systems involved, of perpetrators and attackes, of actors required for mitigation require global solutions.
c) It mingles foreign with domestic security, and foreign policy with public policy. The practices of foreign and national security have traditionally differed from those in the domain of homeland security. The transfer of the former substantially changes the latter and our societies.
d) All of that results in a potentially precarious state of legitimacy of internet security policies.

So how do we govern for internet security? And which institutions for sharing do we want?

To give you an idea of the range of possibiliities that might be applied or are applied, I’d like to describe two ideal-type approaches of institutions for internet security. The types fundamentally differ in their inner organisation and governance model, their legitimacy model, their access restrictions, their use of hierarchies, their application of coercion, their scaleability and flexibility, the role of trust and authority.

The first type is called the “information hegemony”. The information hegemon achieves all-encompassing situational awareness by technical and organisation means. His superior knowledge is shared with like-minded allies, who in turn share their proprietary knowledge and data with the hegemon, which results in an even broader picture for the hegemon. The hegemon is equipped with informational resources and technologies that allow him to identify and mitigate security threats irrespective their geographical location.

The second model is a global network of communities of experts. These experts come from different constituencies, mostly IT operations, but also from law enforcement, police, or CERTs. Members of these communities share information and collaborate on certain technologies, internet services, geographies, or actual incidents. They are self-governed, bottom-up, distributed. Access to them however is restricted and depends on existing trust-relationships with existing members.

These are the ideal-type and at least partially existing governance models that are in place to increase cybersecurity.

As a closing remark, let me add a few words on the NIS directive proposal. The proposed EU-model would establish a new security network, but one that differs from existing Internet security communities set up by technical experts. The NIS directive proposes a “cooperation network”, in which the Commission and the planned national “competent authorities” (possibly addenda to existing national CERTs), share information on risks and actual attacks. The “cooperation network” will certainly help to overcome some of the knowledge problems I’ve described above. (And the envisaged Adcanced Cyber Defence Centre, which aims at nothing less but getting rid of botnets and bots, will help here, too.) The will help raising the security standards in public adminstrations and some businesses that have so far not invested in the resilience of their networks. So the directive might very well be a nucleus for improvement.

But, in the light of recent events, we also need to make sure that these new state-controlled capabilities don’t pave the way for a slippery slope into worse. Security institutions always bear the risk of becoming a risk to other aspects of security. My hunch is that our existing capabilites to oversee security institutions and bind them to the public will are insufficient. Especially in the emerging domain of public NIS institutions.