Is having too many stakeholders who care about cyberspace's viability a hindrance to cybersecurity?
That's one way to interpret comments from White House Cybersecurity Coordinator Michael Daniel as he addresses the challenges of governing the Internet to keep it secure.
Here's Daniel's thinking. The success of the Internet means everyone - individuals, corporations, governments and so on - is fully invested in its availability and reliability. In the past, most people didn't care about infrastructure, protocols, security and the underlying code to make it work. That's changed.
"Now, everybody cares about these things, at least to some degree," Daniel says in remarks delivered late last month. "And this makes it really hard to take collective action. Governments are waking up to the fact that they really need to care about the Internet and how it works - for all sorts of reasons, good and bad - from our point of view.
"As a result, what used to be decided by technology experts, or by an informal agreement among Internet service providers, is now the intense focus of a highly political process. That means decisions that were once easy in Internet governance are now much harder. Given how important the Internet has become to everyone, that difficulty isn't going to change any time soon."
We see this struggle in our own government. Congress and the president know what's needed in legislation to update the Federal Information Security Management Act, the outdated, dozen-year-old law that governs U.S. federal government information security. And the parties involved in enacting such legislation fundamentally agree on the basic aspects of FISMA reform. The few differences that have so far blocked enactment of FISMA reform focus on issues such as giving the Department of Homeland Security more sway over implementing civilian agency IT security.
If we, after six years of trying, can't get our own house in order, how can we expect to come to terms on global cybersecurity governance with other national governments, especially considering a growing number of nations want to limit Internet freedoms?
And Daniel sees other obstacles that make global cyberspace governance hard to achieve. "The very nature of cyberspace and its interconnectedness means that everything and everyone touches an edge of a border in some way," he says.
Unlike the physical world - where governments man the borders to protect the interior (though, as we have seen with underage Central American children crossing our borders illegally, not necessarily effectively) - in cyberspace the government or any other group cannot provide such security alone. Securing cyberspace borders, by its very nature, requires joint cooperation, not just between governments but by the private sector, too.
Getting such cooperation won't be easy. "This reality makes organizing for cybersecurity incredibly complex, because it requires cooperation across boundaries in the physical world that are difficult to bridge - between government agencies, within the private sector, and between the government and the private sector," Daniel says.
Another barrier Daniel sees: "We clearly do not understand the economics of cyberspace. ... We know how to fix most of these vulnerabilities from a technical point of view, but we can't get people to implement them."
Understanding the Human Factor
Sure, we can provide more education and awareness, but cybersecurity challenges are well-known across most of society. It will require a new approach that goes beyond technical solutions. "Until we really understand the human factor - and change our approaches as a result of this understanding - we will continue to fail at solving this problem. Technology cannot compensate for bad business practices in cybersecurity," he says.
The challenges seem insurmountable, but Daniel cites administration efforts he contends will help address these problems, including cyberthreat information sharing between the government and private sector and among governments worldwide. (The Senate Intelligence Committee is slated to consider cyberthreat information sharing legislation on July 8.)
Daniel also cites the adoption by critical infrastructure operators and others of the cybersecurity framework, a roadmap to secure vital IT that the U.S. government published earlier this year (see The Evolving Cybersecurity Framework), as well as the initiative known as NSTIC, the National Strategy for Trusted Identities in Cyberspace, a collaborative effort among business, not-for-profits and the government to create secure and interoperable identity credentials to access online services (see Pilot Projects Aim to Replace Passwords).
"Reinvigorating and making the multi-stakeholder approach to Internet governance truly global can give an effective voice to everyone who cares about the Internet: governments, civil society, businesses and individuals alike," Daniel says.
But does everyone around the globe share the values behind a multi-stakeholder approach to global Internet governance? There's no guarantee that other governments, businesses and other cyberspace stakeholders will agree on a governance approach to cybersecurity. That doesn't mean we shouldn't try, and let's give Daniel and the administration credit for mapping out an approach.