Cybersecurity as an Institutional Challenge
Cybersecurity as an Institutional Challenge
Responses - Stakeholder Technical & Academic Community
Leonid Todorov, Deputy Director, Coordination Center for .ru
I was amused to see Messrs. Ilves and Schneier’s papers offer provocative insights and encourage a closer look into the problem of a cybersecurity institutional framework. They force one to ask three questions: (1) Why does the State perceive cybersecurity to be such a plumbing issue these days? (2) Should cybersecurity fall under the State’s exclusive mandate? (3) What are we, as a community, expected to do?
The first question suggests employing the institutional theory perspective, and individuals’ rational and opportunist behavior and the State–individual relationship in particular.
The substance of the relationship appears fairly elusive and can easily be abused and manipulated by an individual or a certain group, including, for example, an attempt to spook other individuals, thereby forcing them to accept whatever the State believes (or seems to believe) in.
It is common knowledge that human beings have a natural propensity to exaggerate certain dangers. In the case of organized crime, for instance, do we seriously believe the Mafia are waiting for us around each and every corner? This is absurd, of course, caused by our limited rationality – even the mob’s violence-related capacity is limited and they have to save precious resources.
So much about cybersecurity. While hardly a manipulator, Mr. Ilves’s assumption about “ruining a country by bringing its Scada system to a halt” and the call “to re-examine many assumptions of security” and for “rethinking some of our core philosophical notions of modern society [in particular] between the public and private spheres” are a very familiar mantra, easy to sell to the public at large, yet only partially true at best and a pretty good example of a statesman’s biased rationality. Indeed, political scientists, economists, etc., and even governments themselves have long shared a misconception about the State as an omnipotent, uber-benevolent and superintelligent subject, which would take one’s great idea and efficiently and promptly implement it for everyone’s benefit. This sense has become particularly predominant since the 2008 crisis. The problem, however, is that the State is not transfinitely rational, as its rationality effectively constitutes a sum of the rationalities of the individuals in power. So, a bet on the State’s omnipotence rests upon an utterly unrealistic idea that we are ruled by Olympians. The State does not appear too benevolent either, as opportunistic behavior is possible both beyond the circle of power and within it. Factor in effects from a negative selection of public servants and we may well end up facing an immoral bunch in power, keen to manipulate and mislead us for their own purposes. Quite illustratively, Pres. Ilves ascertains, “If the private sector is unwilling to take the necessary steps to guarantee the integrity of its online activities [Is it? – L.T.], the government must step in [Must it? – L.T.] to fulfill its most fundamental task – to ensure the security of its citizens … [Is that the prime task indeed? – L.T.]”. Small wonder that he then shoots forth a pretty hip Orwellian oxymoron that “The job of cybersecurity is to enable a globalized economy based on the free movement of people, goods, services, capital and ideas” – all under Big Brother’s gentle but close observation, needless to say.
Do we really like living in this brave new world? Laying hopes on something supermighty and uber-benevolent is unlikely to form a normal bearing. Rather, we – or as Bruce Schneier puts it “everyone in the middle” – should also be keen to rely on specific, non-rigid institutions in the form of rules of social interaction, commonly agreed upon (between us), as much as common sense.
Back to institutional theory, the phenomenon we now know as James Buchanan’s goods implies a “normal” good on sale in tandem with certain contractual packaging, rules and institutions: thus, the choice between different goods, as well as different institutions, is ours. It’s therefore a blessing that, stuck between the power of big corporations and nation states, we are watching “Game of Thrones … when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics … ”, for their unlikely global alliance would otherwise put an end to our ability to make a rational choice about fundamental matters, including cybersecurity.
Rational choice should be guided by the conscious realization that cybersecurity does not form the State’s exclusive mandate – it is to a great extent an individual’s personal matter too. Once again, many things we have allowed the State to misguide us with are in fact phantoms from the abyss of our underconsciousness and we often do not need the State to play the role to the extent it forces us to believe is imperative. And I fully subscribe to Bruce Schneier’s call “to decide on the proper balance between institutional and decentralized power, and how to build tools that enable what is good in each while blocking the bad” and Mr. Ilves’s essentially similar observation that “Cybersecurity is not just a matter of blocking bad things … it is protecting all the good things that cyberinsecurity can prevent us from doing”.
We now have three intertwined institutional vehicles, that is: enhanced cooperation, the IGF, and multi-stakeholderism. While of different origin, they pursue the same objective and, combined, form a powerful instrument to promote debate on the future of the Internet and its governance system. Promoting the use of the vehicles and drawing the maximum from them is our prime mission as a community.
I fully share Mr. Schneier’s uncertainty about the path of future developments; however, with the State having compromised its credibility with all sorts of online eavesdropping initiatives, a drift towards “secure islands” seems inevitable. That said, security there may not necessarily be run by a “Sheriff of Nottingham” or a corporate executive, for it may well be a genuine netizen community that designs and enforces institutions of its own, which I would not mind at all. Would you?
- With big banks and corporations kowtowing and begging for bailouts, even a most rational State would feel like a real savior, with ultimate wisdom and powers to decide everyone’s fate.
- In this context, it is worth revisiting R. H. Coase’s famous paper “The Lighthouse in Economics” (Journal of Law and Economics, 1974, 17 (2)) a truly eye-opening illustration of how misguided we may be in regard to the actual role of the State in (economic) development.
MIND-Multistakeholder Internet Dialog