Using Networks To Govern Network Problems
from the internet-governance dept
Today, botnets and the Distributed Denial of Service (DDoS) attacks that can accompany them, are considered among “the most severe cybersecurity threats.” Botnets have caused extensive economic harm to businesses, banks, hospitals, and government agencies around the world. Furthermore, botnets are used to spread political propaganda aimed at distorting democratic elections. In fact, U.S. government officials concluded that the Russian propaganda campaign has not stopped since the 2016 election and the magnitude of the issue is expected to grow. Yet, a time-tested framework for addressing the problem already exists. Governing complex internet-based problems is best accomplished by a network of stakeholders similar to the way the internet is currently governed.
In her Nobel Lecture, Elinor Ostrom emphasized the necessity to study human economic behavior in any complex system. She added that no “one size fits all” policy solution would work for a highly complex socio-economic issue, but approaches created by a disperse, spontaneously self-organized group are far more innovative. This is the essence of polycentric order as defined by Elinor and Vincent Ostrom. A polycentric order has multiple overlapping decision-making centers comprised of individuals equipped with necessary knowledge and expertise to create better outcomes for issues of high complexity.
In the case of cybersecurity, where dynamic response is critical – distributed network actors are best suited to govern complex cyber problems. While policymakers are one such group in this governance network, the efforts of other stakeholders are critical to maintaining flexibility and adaptability to emerging threats. The role of policymakers is to facilitating the emergence of multiple decision-making centers, which is key for resolving botnet issues.
In his book Networks and States, Milton Mueller offers a comprehensive analysis of network actors outside of the nation-state system as well as their effectiveness in addressing cybersecurity issues. Mueller outlines distinct challenges of cybercrime such as its globalized scope, boundless scale, and its decentralized and distributed nature. He argues that efficient institutions and new organizational forms are in a continuous process of emerging out of the interactions between public and private actors.
Mueller asserts that meaningful solutions to cybersecurity issues are only possible at the trans-national level. Such large international organizations as Internet Corporation for Assigned Names and Numbers (ICANN), The World Intellectual Property Organization (WIPO), and Internet Governance Forum (IGF) among others, provide governance at the international internet governance. Mueller highlights that an effective global internet security policy will recognize the interdependence of markets, nation-state specific property rights protections, and shared information and communication resources. He proposes that a “denationalized liberal approach” would be effective in resolving this dilemma. Moreover, he concludes that a true denationalized liberal governance will emerge out of the interactions of globally networked communities. His conclusions regarding internet security governance are, therefore, aligned with the Ostromian approach.
There have been some promising developments in collaboration between private and public sectors. In 2018, USTelecom and ITI announced the creation of the Council to Secure the Digital Economy. The Council brings together the leaders from the Information and Communication Technology sector to create a more resilient digital ecosystem. For example, they produced the botnet guide, a compilation of best practices by large scale enterprises that can be implemented in a variety of industries to mitigate the threats of the distributed denial of service attacks. Additionally, the Federal Trade Commission has been facilitating meetings between stakeholders.
Past and future administrations can learn from the Clinton Administration’s Framework for Global Electronic Commerce that made space for stakeholders to be involved in governing the internet and maximized cooperation between public and private initiatives for cyber-security. Indeed, the Obama administration’s cybersecurity plan included a call for technology companies to fight botnets collectively. The Trump administration declared its commitment to giving the Federal agencies legal authority to combat botnets.
Government should not be the only source of governance in addressing cybersecurity problems. Botnets are best combated by a multistakeholder effort between public and private entities. The tenants of “polycentricity” and “decentralized liberalism” capture the wisdom of a more distributed governance approach.
Anne Hobson is a program manager at the Mercatus Center at George Mason University. Yuliya Yatsyshina is an MA Fellow at the Mercatus Center at George Mason University.
Filed Under: ddos, denial of service attacks, internet governance
Comments on “Using Networks To Govern Network Problems”
Typo
The "tenets" perhaps, rather than the "tenants"?
I noticed AOC was recently attacking her opponents on their deployment of “multi-million dollar botnets“.
Now I read a “think piece” about botnets on Techdirt.
Sounds like another leftist fantasy begging for a leftist solution that moves the world closer to the tyranical facist empire that leftists hope for.
Re: Re:
Sounds like you are another paranoid fantasy moron.
Re: You’re a D student at best
You guys are truely pants wittingly terrified of her.
Is it because:
A) She’s a strong women?
B) She’s brown?
C) She won’t sleep with you?
D) all of the above?
Re: Re: You’re a D student at best
I don’t think it’s out of order to accuse Blue Balls of being a violent racist. But then again, those could be the comments of any dumb AC so who knows?
There are several AC’s that love to complain about the "Global Conspiracy" against their white rights.
Is this poster one of them? Maybe.
Re: Re: Re: You’re a D student at best
Go green yourself.
Re: Re: Re:2 You’re a D student at best
It’s not easy being green.
But it’s worth it in the long run.
Re: Re:
Sounds like another leftist fantasy begging for a leftist solution that moves the world closer to the tyranical facist empire that leftists hope for.
Yeah, because the [checks notes] Mercatus Center is know for their "leftist" viewpoints… That crazy leftist Tyler Cowen…
Holy fuck, how do you even function? Mercatus is about as far away from "leftist" viewpoints as you are from reality.
Re: Re: Re:
“Holy fuck”? Are you a teenager?
Re: Re: Re: Re:
Are you Rip van Winkle? Language has been evolving this way for decades and those sorts of exclamations for emphasis serve a useful purpose. Prescriptivism is dead everywhere except delusional English teachers because nobody cares.
Re: Re: Re:2 Re:
Most of those delusional English teachers have retired by now; English authorities were moving away from prescriptivism 30 years ago.
That’d mean someone using that expression would likely have been a teenager sometime between 1989 and today — so anywhere from 13 to 49 years old.
Re: Re:
I’m sorry, but you are aware that people use botnets, right? This isn’t a partisan issue. No politician that I’m aware of thinks that botnets don’t exist or aren’t a problem. There is some partisan disagreement about whether people are using them for political reasons, and if so who, when, where, and to what extent, but they absolutely exist and absolutely create problems. That’s not a conspiracy theory; that’s a fact.
Now you may be thinking, ‘But they’re talking about the Russians!’ Again, that’s just one example of harmful botnets (there are many others, such as DDoS attacks and crypto farming), but besides that, our intelligence agencies and other experts universally agree that Russian agents used botnets to attempt to sway our elections. How effective they were is a separate question. The point is that they tried, and botnets were very useful in doing so.
Again, botnets aren’t a partisan issue. Indeed, I’ve also seen conservatives accuse their opponents of deploying botnets like you say AOC did. (Not having seen that particular statement, I can’t say whether she did or not, so I’ll take no stance on that. Regardless, I’ve seen other people on the left do so themselves, so it’s rather irrelevant whether AOC, specifically, did so herself.) That sort of thing is not exclusive to any side in politics, and it’s ultimately irrelevant to this article, which doesn’t even mention American politicians, lobbyists, or activists using botnets for political reasons like you say AOC is accusing her opponents of. There’s no conspiracy, nor is there any real partisanship in this article.
So far, only one asshat has entered an opinion, and the rest of you have jumped on him like he deserves. (But I must interject here, given this golden opportunity, that printing text that says "Click here to show it" is quite parsimonious. Said link does not work, and it can’t work – there’s no underlying link code of any kind. What gives with that, Mike?)
So let me move on past all that, and get to the reality of what threats can be observed by the emergence of botnets. And BTW, I do indeed know several polititions who can’t even spell botnot three times out of five, with an open dictioinary in front of them, let alone know what they’re all about, and the derivative dangers therefrom.
The dangers are twofold, in the majority sense. There are lots of secondary problems, but I relegate those to the back burner. Those two are "invasion of privacy" and the attending problem of disruption of business, and influencing public opinion. I’ll leave off discussing the latter, I don’t consider myself qualified to offer an effective solution to that problem. Well, other than a Constitutional Amendment that corrects the Founding Father’s omission of not qualifying the First Amendment that one must be not stupid in order to use the Internet… but how could they have known so far ahead of time?
In the former case, the answer is quite simple – stop putting every last iota of date online!!! Do we really need our medical records online? No. Do we really need our insurance information online (medical, home/auto, etc.)? No. Do we really, really need our government information online (SS, VA, etc.)? Hell no!
But it doesn’t stop quite just there. Referring back to my wish to have Internet users be not stupid, I think a government-mandated warnging label should be attached to any Internet-connected device, both on the box at retail, and on the device itself. "Warning – this device can be used in a botnet, unless you change the password", or words to that effect. If the Surgeon General can make that happen for cigarettes, then I’m sure that’s a good enough precedent to make it happen for IoT devices.
For those of you who have to deal with recalcitrant folks ("I don’t wanna know anything about it, just make it work for me"), here’s a non-car analogy: An outdoor camera pointed at your driveway, and showing zero cars present says to me "no one home, time to go shopping". (Ditto for an in-garage camera.) A camera in the newborns’ nursery says to a company owner "start injecting advertisements for baby products/services into the home’s Internet connection". A refrigerator with a shopping list full of alleged "crap" food says to a health insurer "high risk, charge more". IOW, no one can be trusted to not abuse your IoT devices and Internet connection itself.
We could go much further, but I trust I’ve made my point.
sumgai
That’s not going to help. Average people don’t understand why botnets are a problem. You have to show people how it affects THEM for it to be a problem.
So, "Warning: this device connects your private use of its features and surroundings to known and unknown third parties on the Internet. You can be held accountable for the misuse of your personal information by third parties" while longer, would probably work a bit better. And it still wouldn’t help most people connect all the dots.
Re: Re:
Nobody is going to read that. The MacOS’s password prompts and Windows UAC notifications are supposed to help with security, but in practice, end users just mindlessly enter their password or click through; they don’t think about what they’re doing. They’re only helpful to people who are already security-conscious.
The requirement shouldn’t be labeling. It should be that if the device comes with a default password, it must require the user to change it on first use.
Even then, you’ve still got all the attendant security issues that come with passwords, but at least it’s an improvement over keeping the default.
Re: Re:
@ AC
Your wording is likely better from a legal standpoint, and I did say "or words to that effect". I know I was just shooting from the hip on that one. 😉
Still and all, whether or not any warning label helps, there’s one sure bet that no one will miss, and that is that a court case can (and will!) be made that the user "was given a proper warning" of the dangers. IOW, ignoring that warning label will get your "Get Out Of Jail Free" card rendered null and void.
@ Thad
I’m under the impression that parts of the IoT industry are no longer even installing a password, marking the device with a label that says: You must first install a password in order to proceed and connect to the Internet". Quite likely I haven’t gotten the correct wording there, but the point is that the industry is starting to take note, and starting to do a CYA job. I wouldn’t be surprised if they’re hoping to ward off any potential lawsuits, or worse, ignorant government regulations.
sumgai