The following is a critique of the new policy document introduced by the Whitehouse on May 16th. All elements of the attribution policy of this blog/website apply. Though I’m critical of the document in general it is consistent with previous work done by various entities. I do not see anything revolutionary in this document that I have not seen in pieces of other documents suggested in the last 15 to 20 years of policy. It is actually quite nice to see some basic consistency, but at the same time it would have been nice to see actionable items much like the Vivak Kundra 25 point Implementation Plan. There then would be policy points to be measured against.
This domain though is resistant to policy advancement. The technical sophistication of the advocate needs to be fairly high to understand the micro-strategic issues and the inherent fallacy of macro-evolution of the policy statements. As an example the basic principle of the Internet and the TCP/IP protocols are indicative of a conflict environment. The Ethernet protocol is a conflict detection protocol. That micro element informs the debate at the macro level. Not understanding that very basic principle is like operating on the ocean not expecting to get wet at some point.
The document, “International strategy for cyberspace: Prosperity, security, and openness in a networked world” in general leans heavily on what Martin Libicki would call the syntactic and semantic layers of cyber space with a heavier skew towards the semantic. This document is NOT a cyberspace security document. With key phrases like dialog, goods and services, social and trade links, social and political movements (page 3) this is a cyberspace strategy through social means for the Internet. The issues that are attempting to be answered are clearly delineated as attempting to solve:
..the challenges posed by malevolent actors’ entry into cyberspace, and update and strengthen our national and international policies accordingly. Activities undertaken in cyberspace have consequences for our lives in physical space, and we must work towards building the rule of law, to prevent the risks of logging on from outweighing its benefits The future of an open, interoperable, secure and reliable cyberspace depends on nations recognizing and safeguarding that which should endure, while confronting those who would destabilize or undermine our increasingly networked world (p. 3).
Interoperable is a physical and syntactical layer set of issues. The physical space is most assuredly a physical layer of the Internet issue. This sets forward a set of internal inconsistencies throughout this document of stating the problem in one spectrum and attempting to solve it in another. In a matter of policy they are trying to pull the light from the bulb instead of flipping the switch.
There are three principles alliterated in the document; fundamental freedoms; privacy; and free flow of information (p. 5). Each of these are inherently semantic principles that operate at only one level of the cyberspace continuum. Consider it this way. If we are talking about land and only look at a map to navigate, no matter the inherent complexity of that two dimensional instrument, it will never allow us to view the inherent beauty of the three dimensional world, and contextual elements will have to be left off. This is the issue of only viewing cyberspace through a semantic lens. Much worse than the alliteration is the reality that those squiggly lines may represent hills and cliffs, but the navigation across them in two dimensions are minimal in comparison to the reality of hiking them on foot.
The document details a goal of open, interoperable, secure and reliable information communication infrastructures (p. 8) as primacy of policy. I won’t get into the details of interoperable communications as the irony that they as standards then stifle innovation. I won’t mention in detail that every revolutionary concept of technology was contrary to the standards of the time. I also won’t mention that interoperable and the associated standards then allow for commiserate control by nation states of the technology which is contrary to the open access and internally inconsistent with the rest of the document.
And everybody gets a Pony:
It is a future in which universities and companies are free to research and develop new concepts and products because they know their intellectual property and valuable data are safe, even on shared networks Individuals know the threats to their personal computers, and can take easy-to-use measures to protect their systems Private-sector companies also take a responsibility for their network hygiene, knowing that in so doing, they protect their investments When cybersecurity incidents demand government action, officials can detect those threats early and share data in real-time to mitigate the spread of malware or minimize the impact of a major disruption—all while preserving the broader free flow of information (page 7).
It is interesting that the words free, threats, and protect are so consistently used. Freedom of action is a requirement to protect systems. Yet, it is government responding to the threat actors within this paragraph. The logical inconsistency of the statement has flipped the concepts of freedom and protection. Where government is free to act on behalf of the individual and the individual is protected by the state from action. Much like the interesting statement on the side of the average police car “to protect and serve” we are talking about a paradigm shift on the Internet and within cyberspace where the nation state rises in primacy as the mitigating actor. No longer is the individual responsible for their safety, but a trusted third party will respond to criminal acts. The associated freedoms of action by the individual to be abrogated through policy and protection measures.
Those who like this document just went “WHOA!”
Alright consider it this way. The following from the document says my point most eloquently.
… states act as responsible parties in cyberspace—whether configuring networks in ways that will spare others disruption, or inhibiting criminals from using the Internet to operate from safe havens States know that networked infrastructure must be protected, and they take measures to secure it from disruption and sabotage They continue to collaborate bilaterally, multilaterally, and internationally to bring more of the world into the information age and into the consensus of states that seek to preserve the Internet and its core characteristics (p. 7).
States are the responsible entities for insuring freedoms, protecting the Internet, and no longer are the independent actors inherently free to protect themselves. Some would applaud the end of the “wild wild west” atmosphere of the Internet. The issue is that homogenization of the Internet is a cultural as well as legal influence. It is as much a technological issue (and largely ignored in this document) as it is a policy issue. As such this is internally inconsistent with the semantic freedoms espoused as principles earlier in the document. As a state solidifies regulatory control over a domain or object the associated freedoms are abrogated into defined and allowed channels. When defining the global commons the best analogy I can put forth is the radio spectrum and the associated controls upon that spectrum. The document even specifically states this associated goal of attempting to reach norms of behavior.
The last two decades have seen the swift and unprecedented growth of the Internet as a social medium; the growing reliance of societies on networked information systems to control critical infrastructures and communications systems essential to modern life; and increasing evidence that governments are seeking to exercise traditional national power through cyberspace (p. 9).
It is interesting that the norms of behavior are explored at the semantic level or relationships (and not quite surprising); upholding fundamental freedoms; respect for property (the RIAA MPAA clause); valuing privacy; protection from crime; and right to self defense (at nation state level). These are juxtaposed by the specific principles to cyberspace that are almost all syntactic layer issues; global interoperability (protocols); network stability; reliable access; multi-stakeholder governance (semantic layer again); cybersecurity due diligence.
I find this an interesting concept as I dig through the document and find the diplomatic objective to create consensus and incentives. As a fan of the micro to macro political process I look to see what a government is doing internally to see how it will enact policy externally. So, though not directly related I find a policy statement clear as day that most assuredly does not match with current structural or organizational constructs within government.
Distributed systems require distributed action, and no single institution, document, arrangement, or instrument could suffice in addressing the needs of our networked world. From end-users, private-sector hardware and software vendors, and Internet service providers, to regional, multilateral, and multi- stakeholder organizations—all are important in helping cyberspace meet its full potential (p. 11).
Now put that statement into context with a government that has enacted a centralized cyber command, associated that cyber command with an intelligence organization (the NSA one of the most secret entities on the planet), then put that same entity as primacy to another distributed entity (DHS), and then states as an external policy that those principles will not work. The homily “do as we say, not as we do” seems quite appropriate to the growing policy framework inherent in the document.
The document does intend to address the requirement of defense through dissuasion “We will do so with over- lapping policies that combine national and international network resilience with vigilance and a range of credible response options (p 12).” This effort though not defined here is later explained in depth. In an adage to earlier documents the first element is providing for resilience at home (p. 13). This is a national call for the United States to clean it’s own house. This unfortunately is counter to the current commercial model of how software and hardware are delivered. You can’t have a credible cyber hygienic model when the totality of the industry is built around just in time delivery and minimal quality association. It is also noted that “strength abroad” is also required. Though foreign entities may have a better uptake on technology adaption than the United States. That uptake and adoption cycle may not be even closely correlated to security mechanisms and tools.
The second element is deterrence. There is an issue when trying to associate risk-benefit or “return on investment” in the cyber realm. The document wishes to define a policy that to adversaries the risks of exploiting networks vastly outweigh potential benefits. This issue is one of asymmetry of hyper connectivity. Here the semantic and syntactic merge into a cohesive network construct. Where one touches all the one can succeed only once out of many-many attempts and be considered successful. As such deterrence in the asymmetric must take into account that asymmetry as a response mechanism. That can be done, but it is not done through simple deterrence. When considering the nation-on-nation aspects thought the policy correctly alludes to the diplomacy, informational, military, and economic model (p. 14) as appropriate retaliation. This though is also a model towards handling the asymmetry of response required towards criminal enterprise.
There are three sections that are discussed but are left as near orphans in the document; building technical capacity (p. 14); building cyber security capacity (p. 15); building policy relationships (p. 15). Why orphans? Technical capacity fills opportunity as air fills vacuum. However, there are requirements that must be met first. In a Maslow hierarchy model you must have energy, to have energy you must have subsistence and that these must happen in the correct order. It is also important to have the policy framework in place to insure correct policy to technology adoption. In China people carry multiple cell phones (as was done in Haiti) because the telecoms do not share capacity on the wireless networks. Therefore, requiring multiple NAM/ESN relationships across the national network infrastructure. The rising middleclass world-wide (as the American middle class shrinks) has adapted technology rapidly. The use though, and inherent communication models may not be what we expect. You don’t need a cell phone or Internet connection when you have nothing to eat. That same communication channel though can be used easily to radicalize the individual with no food.
Starting on page 17 of the document through page 24 each of the policy priorities are discussed more in depth. I may touch upon those in a later post or perhaps I’ll just add comments to this at a later time.