Ignoring national and international cyber security frameworks

Seeking inspiration for a post I came across this posting by Prescott Winter at ArcSight - on this very website. I find the perspective from which he writes - and the direction of his arguments - to be rather unrealistic. What do I mean by...


Seeking inspiration for a post I came across this posting by Prescott Winter at ArcSight - on this very website. I find the perspective from which he writes - and the direction of his arguments - to be rather unrealistic.

What do I mean by unrealistic?

To truly understand the Internet one must first understand that the Internet is not the real world and people do not automatically understand the ramifications of that. For instance, a couple of recent examples:

* There is no zero sum to theft.

If I steal your car then you are deprived of your car, but if I steal data from you then I implicitly steal a copy of it, without depriving you other than of your privacy. This is what makes headlines and stories like Pentagon demands return of WikiLeaks data on Afghanistan war crimes so comical:

[Pentagon Press Spokesman Geoff] Morrell declared, "We're not getting involved in harm-minimization conversations. We're asking them to return stolen property."

We can guess at what was intended (eg: the Pentagon wanting to know just how much other people know) but it's not like Julian Assange is going to drop-off a couple of boxes of bittorrent files thereby preventing the rest of the world from getting at the data ever again. We know that it doesn't work like that.

* There is no mapping of Internet to Geography - especially now in the era of social media.

Egypt did a pretty good job of switching itself off the net... except that it didn't. What Egypt actually achieved was to black itself out in a mini-dark-age in order to provide breathing space and quell internal unrest oppress its people. This caused the rest of the world to watch  the rest of "Egypt" very intently - the bits of "Egypt" which were users on Facebook, users on Twitter, users on Blogger, the bits of "Egypt" which existed in "the cloud" ... all of these parts of "Egypt" still existed despite the blackout, and several were thrown into huge relief.

So the socio-political geography of the Internet is explicitly and literally a human geography; it's the space of infinitely replicable data and the people who create it. Thus cyberspace is not a well-defined territory to be defended or conquered, it's a head-space of complex and interconnected information and services with parochial policy implementation and without any clear boundaries other than the boolean distinction of One vs: Zero, Yes vs: No, Yes I will let you access this data vs: No I will not.

And if a server's policy permits you access to some data - a webpage, a database, a "shopping basket" - then it will be yours to do with as you will / as much as you can get away with, and even though licenses, technologies and laws may be deployed to prevent you, in practice such exterior restrictions are "advisory", ignored by the miscreant and only policed in the breach.

What perspectives do I think are unrealistic?

If you haven't read Dr Winter's article, please do. There are some inarguable points:

  • Virtually all parts of modern life are dependent on [the Internet]
  • New malware is produced each year, and the level of sophistication of these attacks is increasing as well.
  • the Internet is an artificial environment created, operated and owned by numerous entities, while the seas and airspace are obviously natural and open environments.
  • the Internet has become such a vital framework ... that we must regard it as a ubiquitous medium

...but there are also:

  • we don't have decades to wait before we improve the security of cyber space.
  • We need action now.
  • ...risks and problems caused by the lack of serious regulation...
  • ...this medium must now be subjected to regulation and structure in order to protect the myriad critical activities running through it...

...and I disagree with all of these assertions.

First I disagree with the call-to-action; apart from the breadth of new users (and new security folk) there is nothing more urgent in the need for security today than there was in 2001 or 1991; in fact the same problems keep reoccurring, as evidenced by the ISC tutorial on Web Active Content Security (PDF) which I delivered in 1997 and which still mostly stands-up today. Security problems and solutions only ever change their clothes; underlying it all they are always the same.

Second, I disagree that the problems are due to "lack of serious regulation"; instead I submit that they are due to lack of awareness and accountability on the part of each actor.

If you visit Bangalore and eat food from a stall at a street market, then if you are not a local you will quite likely get ill - but what did you expect would happen? The FDA or Department of Health can make regulations regarding food preparation but there's a simple matter of them having no influence in that situation - and, arguably, nor should they have any. State money would be better spent on exhorting tourists not to behave irresponsibly, and informing them of the potential consequences of eating out in a foreign land.

Equally those who "offshore" their data processing should have the thunderous consequences of mistakes rest upon their own heads, rather than blame the Internet's lack of uniform regulation.

Thirdly, given the human-geography model of cyberspace I wonder whether a concept of regulation can actually exist, beyond the laws governing what individual country-nationals are/are-not permitted to do. Where is the line between people-regulation and internet-regulation? 

We already have laws for humans and corporations, for Americans versus Brits versus South Africans, and yet if you launch VLC on Ubuntu Linux, somehow it doesn't matter what region coding your movie's DVD is. Should we in Europe regard the US Digital Millennium Copyright Act - which prohibits the above - as merely a quaint custom local to Washington DC and Hollywood?  Or should we enforce the DMCA globally?  And if we did, would anyone care?

Practically speaking: nobody is ever going to be able to stop someone from putting whatever software they want on their computer, and any attempt to regulate will hamper innovation and competitiveness. Gilmore nailed it by saying:

"The Internet interprets censorship as damage and routes around it."

...but he didn't go far enough, because today the Internet is people.

Effective - or "adhered-to" - regulation will not happen. Those who desire regulation are chasing pipe-dreams, as we in Europe shall soon discover when every Tom, Dick and Harry weblog fails to warn its readers that they will be setting and storing cookies.

And these are just the start of my objections; so I will be reading Dr Winter's next few postings with great interest.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.

"Recommended For You"

Activist group We Rebuild scramble to keep Egypt connected online Protesters use Web 2.0 to show dark side to Beijing Olympics