Read Black Code: Inside the Battle for Cyberspace Online
Authors: Ronald J. Deibert
• • •
Surely, one thinks, the challenges of an unprecedented planetary network of communications, of something so complex as global cyberspace, require a special cyber theory of some sort, something that rises to the scope and scale of this all-encompassing domain? Maybe. But maybe not. Instead, perhaps what is required is simply the application of some timeless principles and traditions.
There is an instinctive tendency in security-related discussions to default to realpolitik or Realism (and the theory that world politics is driven by competitive self-interest) with its state-centrism, top-down hierarchical controls, and the erecting of defensive perimeters to outside threats. In the creation of cyber commands, in spiralling arms races among governments, in “kill switches” on national Internets, and in the rising influence of the world’s most secretive agencies into positions of authority over cyberspace, we see this tradition at play. As compelling as it may be, however, Realism and its institutional manifestations fit awkwardly in a world where divisions between inside and outside are blurred, where threats can emerge as easily from within as without, and where that which requires securing – cyberspace – is, ideally, a globally networked commons of information almost entirely in the hands of its users.
What is needed is an alternative cyber security strategy rooted in liberal democratic principles that takes account of the growing need for civic networks to share knowledge and to communicate. For many who would characterize themselves as part of global civil society, “security” is seen as anathema. In today’s world of exaggerated threats and self-serving hyperbole from the computer security industry, it is easy to dismiss security as something to be resisted, rather than engaged. Securitization is generally associated with the defence industry, Pentagon strategists, and so forth, and many question whether employing the language of security only plays into the cyber-security military-industrial complex and the exercise of control. But the vulnerabilities of cyberspace are real, the underbelly of cyber crime undeniably huge and growing, an arms race in cyberspace escalating, and major governments are poised to set the rules of the road that may impose top-down solutions that subvert the domain as we know it. Dismissing these concerns as manufactured myths propagated by power elites will only marginalize civic networks from the conversations where policies are being forged.
Instead, civic networks need to be at the forefront of security solutions that preserve cyberspace as an open commons of information, and that protect privacy and support freedom of speech, while at the same time addressing the growing vulnerabilities that have produced a massive explosion in cyber crime. Can security and openness be reconciled? Aren’t the two contradictory?
• • •
Not at all.
One alternative approach towards security that meshes with the core values and decentralized architecture of an open and secure cyberspace, and that has a long pedigree in political philosophy, is the “distributed” approach. It has roots in liberal political orders reaching back to ancient Greece and the Roman republic, and the late-medieval, early-Renaissance trade-based systems exemplified by the Venetians, Dutch, and English. But the fullest expression of distributed security is to be found in the early United States of America and the writings of the political philosophers who inspired the nation’s founders, Montesquieu, Publius, and others. Although multi-faceted and complex, distributed security starts with building structures that rein in and tie down political power, both domestically and internationally, as a way to secure rights and freedoms. It puts forward what Johns Hopkins University Professor Daniel Deudney, author of Bounding Power, calls “negarchy” as a structural alternative to the twin evils of hierarchy and anarchy. In short, distributed security is the negation of unchecked and concentrated power, and, on the other side, recklessness and chaos.
At the core of this model are three key principles: mixture, division, and restraint. Mixture refers to the intentional combination of multiple actors with governance roles and responsibilities in a shared space; division to a design principle wherein no single actor is able to control the space in question without the co-operation and consent of others. As an approach to global cyberspace security and governance, each of these can provide a more robust foundation for the empty euphemism of “multi-stakeholderism,” and principles upon which to counter growing calls for a single global governing body for cyberspace. Citizens, the private sector, and governments all have important roles to play in securing and governing cyberspace, but none to the exclusion or pre-eminence of the others.
Civic networks need to be players in the governance forums where cyberspace rules of the road are implemented. This is not an easy task. There is no single forum of cyberspace governance; instead, governance is diffuse and distributed across multiple forums, meetings, and standard-setting bodies at local, national, regional, and global levels. The acceptance of civil society participation in these rule-making forums varies widely, and the very idea is alien to some. Governments and the private sector have more resources at their disposal than citizens to attend these meetings and influence their outcomes. Civic networks will need to collaborate to monitor all of these centres of governance, open the doors to participation in those venues that are now closed shops, and make sure that “multi-stakeholder participation” is not just something paid lip service to by politicians, but something meaningfully exercised as part of a deliberate architecture.
The principle of restraint, however, is perhaps the most important and arguably the most threatened by overreaction. Securing cyberspace requires a reinforcement, rather than a relaxation, of restraint on power, including checks and balances on governments, law enforcement, intelligence agencies, and on the private sector. In an environment of big data, in which so much personal information is entrusted to third parties, oversight mechanisms on government agencies and involved corporations are essential.
Principles of restraint – sometimes called “mutual restraint” – can also help inform international cyberspace governance discussions concerning confidence- and security-building measures among states. Danger in cyberspace is real but to avoid overreaction, transparent checks and balances are required. Here, the link in the distributed security model between domestic and international processes is exceptionally clear. The more transparent the checks placed on concentrated power at the domestic level, the more adversaries abroad will have confidence in each other’s intentions.
Distributed security also describes the most efficient and widely respected approach to security in computer science and engineering circles. It is important to remind ourselves that in spite of the threats, cyberspace runs well and largely without persistent disruption. On a technical level, this efficiency is founded on open and distributed networks of local engineers who share information as peers in a community of practice rooted in the university system (itself, a product of the liberal philosophy upon which distributed security rests). These folks need to be central during discussions about cyberspace governance.
The Internet functions precisely because of the absence of centralized control, because of thousands of loosely coordinated monitoring mechanisms. While these decentralized mechanisms are not perfect and can occasionally fail, they form the basis of a coherent distributed security strategy. Bottom-up, “grassroots” solutions to the Internet’s security problems are consistent with principles of openness, avoid heavy-handedness, and provide checks and balances against the concentration of power. Part of a distributed security strategy should facilitate cooperation among largely scattered security networks, while making their actions more transparent and accountable. Rather than abolish this system for a more top-down approach, we should find ways to buttress and amplify it. Loosely structured but deeply entrenched networks of engineers, working on the basis of credible knowledge and reputation, whose mission and raison d’être is to focus on cyberspace and its secure functioning to the exclusion of all else, are essential to its longevity and security. We need to build out and provide space for those networks to thrive internationally rather than co-opt their talents for national security projects that create divisions and rivalry.
Part of a distributed security strategy must also include a serious engagement with law enforcement. These agencies are often stigmatized as the Orwellian bogeymen of Internet freedom (and in places like Belarus, Uzbekistan and Burma, they are), but the reality in the liberal democratic world is more complex. Many law enforcement agencies are overwhelmed with cyber crime, are understaffed and lack proper equipment and training, and have no incentives or structures to co-operate across borders. Instead of dealing with these shortcomings head on, politicians are opting for new “Patriot Act” powers that dilute civil liberties, place burdens on the private sector, and conjure up fears of a surveillance society. What law enforcement needs is not new powers, but new resources, capabilities, proper training, and equipment. Alongside those new resources, of course, the highest possible standards of judicial oversight and public accountability must be enforced.
The same basic premise of oversight and accountability must extend also to the private sector. Civic networks like those that helped spawn the Arab Spring are inherently transnational and have a vital role to play in monitoring the globe-spanning corporations that own and operate cyberspace. Persistent public pressure, backed by credible evidence-based research and campaigns – like the Electronic Frontier Foundation’s privacy scorecard – are the best means to ensure the private sector complies with protection of privacy laws and human rights standards worldwide. Civic networks must also make the case that government pressures to police the Internet impose costly burdens on businesses and should be legislated only with the greatest reservations and proper oversight. The securitization of cyberspace may be inevitable, but what forms it takes is not.
• • •
If we are to continue to benefit from the common pooled resources that make cyberspace what it is – a planetary ecosystem in which no one central agency is in control – then all members of that ecosystem need to approach its maintenance in a deliberate and principled fashion. Here is where another tried and true approach might have broad utility for cyberspace: stewardship.
Cyberspace is less a pure public commons and more a mixed-pooled resource, with constantly emergent shared properties that benefit all who contribute to it. Does stewardship – generally defined as an ethic of responsible behaviour in regard to shared resources – have any relevance to such a domain?
The first custodians of the Internet believed that it did. Even if they did not use the language of stewardship, the engineers and scientists who built and designed the Internet saw their roles very much as custodians of some larger public good.
In discussing the stewardship of cyberspace, one must remember that it is an entirely artificial environment; that is, without humans, cyberspace would not exist. This places us all in the position of joint custodianship: we can either degrade, even destroy cyberspace, or preserve and extend it. The responsibility is intergenerational, extending to those digital natives yet to assume positions of responsibility, but also linked to those who first imagined the possibilities for what something like cyberspace could represent. Imagine if H.G. Wells were here today to see how close we are to accomplishing his vision of a world encyclopaedia, only to see it carved up by censorship, surveillance, and militarization?
Governments, NGOs, armed forces, law enforcement and intelligence agencies, private sector companies, programmers, technologists, and average users must all play vital and interdependent roles as stewards of cyberspace. Concentrating governance of cyberspace in a single global body, whether at the UN or elsewhere, makes no sense. The only type of security that functions in an open, decentralized network is distributed security.
Stewardship happens constantly in cyberspace, even if not described as such. When Twitter unveiled a new national tweet removal policy, it felt obligated to justify its actions in terms of larger consequences, and the larger Internet community judged it accordingly. When companies like Google post transparency reports, listing government requests on user data or notices to remove content from cyberspace, these are acts of stewardship. As people entrust more and more data to third parties, how that information is handled, with whom it is shared, and what is communicated about how that data is treated, must be based on more than corporate self-interest and market considerations. Likewise, profiting from products and services that violate human rights, or that exacerbate malicious acts in cyberspace, is unjustifiable in a context of shared information and communication resources, regardless of how profitable such products and services might be. Justifying these sales on their being in compliance with local laws, as some companies have done, is a hollow and self-serving rationalization that fails the stewardship test of maintaining a global resource.
Generalized across the world, stewardship would moderate the dangerously escalating exercise of state power in cyberspace by defining limits and setting thresholds of accountability and mutual restraint. The alarming trend of even liberal democratic governments engaging in mass surveillance without judicial oversight contradicts the very essence of cyberspace as an open global commons. Governments have an obligation to establish the playing field, ensure that malicious acts are not tolerated within their jurisdictions, and set the highest possible standards of self-restraint vis-à-vis censorship and surveillance. Privacy commissioners and other regulatory and competition oversight bodies are critical to stewardship in cyberspace, as more and more information and responsibilities are delegated to the private sector. In an era when “national security” is so often used to justify extraordinary intrusions on individual privacy, checks and balances are essential.