Despite a number of recent gains in restricting government surveillance (see the USA FREEDOM Act), much remains to be done. Unfortunately, the pending Cybersecurity Information Sharing Act (CISA) could unravel the minor reform that has been won. As mentioned in a previous post, CISA would accomplish little for cybersecurity. Rather, its core provisions would be a blight on efforts to improve network security, while eroding privacy and civil-liberties protections.

So what would an alternative to CISA look like? Well, ideally, the alternative would simply be the status quo.

The Internet Society recently released a white paper describing the ideal means by which issues of cybersecurity can be, and are, resolved sans government legislation. The Society very rightly concludes that

The security of the Internet cannot be maintained by any single entity or organization. It is important that these issues be addressed by all stakeholders in a spirit of collaboration and shared responsibility in ways that do not undermine the global architecture of the Internet or curtail human rights.

Specifically, it advocates a collaborative security approach, characterized by a sense of collective responsibility, flexible and dynamic steps drawn from the knowledge of a broad set of experts and stakeholders, voluntary bottom-up organizations, and security solutions that are compatible with human rights and that preserve the fundamental freedom of the Internet.

Thus the ideal alternative to CISA would be no bill at all; we should simply embrace the status quo that has permitted the explosive growth of the Internet over the past quarter-century. This may come across as counterintuitive, especially given the lack of widespread technical understanding of how Internet security actually operates. To that end, a brief backgrounder might help clarify the issues at stake in this discussion.

In a working paper from 2012, Eli Dourado, director of the Mercatus Center’s Technology Policy Program, points out how decentralized, ad-hoc affiliations of volunteer security experts actually keep the Internet up and running day to day. Appropriately titled Internet Security Without Law, the paper gives an excellent rundown of how the Internet maintains high standards of security without any official oversight or hierarchical power structure dictating commands.

Computer security incident response teams (CSIRTs) form the backbone of online monitoring. As Dourado defines it, “a CSIRT is a team of technical experts that monitors traffic, identifies threats and vulnerabilities, and formulates solutions to security problems.” CSIRTs can be based at universities, nonprofits, private companies, or government agencies; individual security experts can also form teams. The key to their success is a system that empowers individual experts to respond quickly and efficiently to emerging threats without unnecessary roadblocks. This polycentric approach is best suited to the decentralized and ubiquitous nature of Internet communications – any imposition of hierarchical, top-down standardization of control would only inhibit the seamless operation of the global Internet.

Similarly, Milton Mueller, in his modern classic, Networks and States, points out that most of the work of ensuring online security “is done not by national states promulgating and enforcing public law, but by private actors in emergent forms of peer production, network organizations, and markets.” The governance of cybersecurity occurs primarily through ad-hoc, informal trust-based relationships established among online security experts. “States are players in these arrangements,” Mueller contends, “but are rarely in a position to exert hierarchical power.” Rather, states serve as partners in, not officiators of, online security.

Sometimes the best solutions don’t reside in particular bills or policy proposals; sometimes they lie in the hands of individuals cooperating without oversight or unnecessary bureaucratic impediments. Such arrangements have served the Internet pretty well thus far, and there’s no reason to believe they wouldn’t continue to succeed.

No piece of legislation can possibly serve as a silver-bullet solution for perfecting a cybersecurity framework, but CISA will do little, if anything, in this vein. Rather, it will only serve to reinvigorate the intelligence community’s domestic surveillance apparatus, further eroding fundamental civil liberties and pushing America towards a Benthamite social panopticon.

As the debates surrounding surveillance reform gain steam, we must be mindful of the limits of legislation in enhancing online security.