Secure cyberspace to save civilisation

This is from today’s Times. The report quoted is officially published on 12 November. It is worth a read, but I don’t see any governments picking up on the recommendations, so it’s more an intellectual exercise than anything practical:

A jargon jungle and alphabet soup await anyone navigating internet governance. The technology is baffling. So is the plethora of watchdogs, commissions and committees. But few things matter more. The internet has become, piecemeal, civilisation’s central nervous system. By putting convenience over security, we have reached the verge of dystopia, where our freedom, prosperity and safety are at the mercy of crooks, snoopers, spivs and hostile states.

The internet dissolves geographical boundaries, so drawing boundaries for behaviour can seem futile. Context varies wildly. What a Hong Kong protester finds reasonable looks outrageous to a policeman in China. Global enforcement would mean unpalatable universal controls. Nobody is in charge. Neither governments nor tech companies are suitable guardians for our freedom and welfare. Voluntary co-operation is not working. Rogue states do what they want.

Into this mess comes the Global Commission on the Stability of Cyberspace, an international task force of politicians, officials and experts, whose final report, based on three years of evidence-taking and cogitation, comes out tomorrow. Its backers include Michael Chertoff, who ran the US Department of Homeland Security, and the former Swedish prime minister Carl Bildt. Wisely, it does not try to deal with every security issue. It assumes competition: countries will conduct espionage and surveillance over the internet and stockpile digital weapons for use in time of war. Businesses, parties and individuals will compete too. But that should not mean a complete free-for-all.

The overall aim should be to preserve the stability of cyberspace: the knowledge that our mouse clicks and keyboard strokes will do what we expect them to do, that systems will be online when they are meant to be, and that we can authenticate ourselves and our decisions. Without confidence in these basic functions, trust evaporates.

Probably the most controversial recommendation in the report is that the internet is too important to leave to governments. An analogy is public health. The state plays a role in healthcare. But everyone — individuals, social groups, businesses and governments — has a role in preventing disease. Cyber-hygiene, the report argues, is similar. Nobody is in sole charge. But nobody is exempt from responsibility. With that comes a duty of restraint. Nobody should endanger the stability of cyberspace for commercial, political or other gain. That means treating the core infrastructure of the internet, such as routers, switches and addressing systems, as out-of-bounds when we seek competitive advantage. We should take the initiative when we see it threatened.

Another controversial suggestion involves cyber-weapons. These should be strictly limited to governments, the report suggests. Non-state actors such as businesses, campaign groups and individuals should not have the right to “hack back” when attacked. But there should be rules for governments too, especially about the flaws in software and hardware that military and intelligence outfits stockpile for espionage or sabotage. Criminals exploit just the same failings in our computers and networks. The report suggests governments should have clear, publicly accountable procedures for weighing the risk to the public of keeping these vulnerabilities secret.

The most topical recommendation is extending existing prohibitions about using the internet to attack core public services to the protection of technical systems used in elections. Hacking into the computers and networks used for casting and counting votes, it suggests, should be banned. That is not a huge issue in Britain, where we still use pencils and paper and count ballots by hand. But it is a big deal in countries that use electronic voting. These systems can be formidably secure — as in Estonia — or shockingly weak, as in the US, where some states use antique voting machines that can be easily hacked. Attacking election systems should be seen as a serious transgression, the report suggests, meriting not just public censure but sanctions, boycotts and other reprisals by countries and non-state actors.

The report admits that establishing new norms of behaviour is tricky. The way to start, it suggests, is building communities of interest who are willing to practise what they preach. An obvious starting point here in Britain would be online electioneering. Another new report, by the Oxford Technology and Elections Commission, notes the huge gaps in our rules. Every piece of paper put before the public, for example, must have an “imprint”, giving the name and address of the campaign official responsible. Spending is limited and anything over £200 must be itemised. But the internet allows you to deliver separate electronic messages to different groups of voters. This fragments the public arena, in which political contenders are accountable to everyone for what they say.

As an immediate step, the Oxford experts suggest a searchable public database of all online political advertising, mandatory imprints, and transparency by the parties on how they use data. That alone would make the activities of mischief-makers conspicuous, and give voters a better idea of what the parties are really doing. Our old-fashioned ballot boxes and town-hall counts may be reassuringly sturdy, but the rest of our electoral system is wide open to abuse. If we can’t fix something so clearly vulnerable and close to home, what price the rest of cyberspace?
