The Role and Interplay Between Nation States and Industry - Questions for All to Answer
Greetings fellow Cybersecurity Capacity Discussants!
The poet e.e. cummings once wrote: “always the beautiful answer who asks a more beautiful question.” In that same spirit, this blog seeks to raise five (5) broad questions worth considering regarding the changing trends associated with global cyber security. The questions focus particularly on the major institutional players associated with defensive cyber security in our rapidly changing world – namely Westphalian nation states and industrial institutions.
The internet, by its definition, does not map easily to our physical world. Packets sent between two routers within a country might briefly travel outside of that country depending on Domain Name System (DNS) lookups and Border Gateway Protocol (BGP) tables.
1. Do nation states or industrial institutions play a larger role in developing global defense cyber security capacities, and will this change in the future? Which will be more instrumental in developing the tools and techniques for cyber security – or will this vary by region in the world, and if so why? Will national borders matter less or more for the internet? If more, are borders wherever a requesting user sits – or wherever a responding server or content sits?
The question of borders then flows into questions of legal jurisdiction. In June 2014, the China Daily and the People’s Daily claimed, “U.S. technology companies are cyber ‘threats’.” Earlier, a U.S. congressional panel warned that Chinese companies “Huawei and ZTE pose a security threat”.
2. What autonomy does industry possess relative to other nations, and will this change in the future? Will the internet become “balkanized” into walled gardens or will resistance to this trend occur at industrial and public levels? For transnational corporations, is it only a matter of time before they start requesting modern diplomatic immunity akin to the principles introduced by the Vienna Conventions?
At the same time, Computer Emergency Response Teams (CERTs) are maturing along national borders and by industry products (e.g., Amazon Security Incident Response Team). Yet a recent European Union Court of Justice ruling held Google responsible for erasing search engine metadata pointing to “forgettable” content upon request of an EU individual, demonstrating the power of a legal ruling to dramatically impact the business model of a corporation.
3. Do CERTs/Computer Security Incident Response Teams (CSIRTs) without a national identity need a home country sponsor? Alternatively, do the laws of wherever their clients – or the code/threat they are addressing – are located take precedence? In regions of war-like unrest, how should non-state CERTs respond to requests for national assistance – and can the U.N. have its own “peacekeeping” CERT?
The “Internet of Everything” offers great opportunity – as well as great cyber security and potential privacy risks – for our world. Database compromises of customer data continue – eBay, Target, Kickstarter, just to name recent public ones. At the same time, it appears members of the general public are experiencing “data breach fatigue”.
4. Do the catastrophic insurance policies for industrial institutions cover database compromises or theft of valuable intellectual property – or does industry need special “cyber insurance”? Beyond law enforcement, what roles should national governments play in aiding individual victims of data compromises or loss? What role, if any, should international bodies play with resolving disputes regarding cyber-related data compromises or intellectual property theft?
In 2013, there were 7 billion networked devices on the planet and approximately 3.8 Zettabytes (~4 billion Terabytes) of digital content. Before the end of 2015 there will be 14 billion devices and 7.6 ZBs of global digital content. By 2020, there will be between 50 and 75 billion networked devices and 40 ZBs of content, equal to two-thirds of the information that all human eyes collectively feed to our brains globally in a year. To keep up with these trends, an ever-increasing share of the work of identifying and securing devices must depend on ever-increasing automation and deep algorithms, made even more challenging as the automation itself might be compromised and infected as well.
5. What rights do nation states have to decide how they impact, or are impacted by, industry-related cyber endeavors that may threaten or challenge national beliefs, processes, laws, and culture? What can the public expect in terms of the defense cyber security protections afforded to individuals in peacetime or in war-like situations by nation states and industrial institutions? What consequences might occur when defense of networked devices is entrusted to automated algorithms? Do they respect national borders and industrial firewalls, or require users to “opt-in” (or opt-out) to being protected?
I welcome comments to seed the discussions at Oxford or share specific examples of real-world events mirroring these questions, and look forward to the conversation online after the workshop! There clearly are many more questions worth considering as well – not the least of which include the Deep Web and the rise of non-state entities, including organized cybercrime, cyber-inspired ideological movements, a cyber-enabled fifth estate – and perhaps even neo-feudalism as Bruce Sterling predicted in 1998?
Here’s to the future ahead and best regards,
This article gives the views of the author, and does not represent the position of the Cybersecurity Capacity Portal, nor of the University of Oxford.