How Different Stakeholders Frame Security

Josephine Wolff examines different Internet governance stakeholders and how they frame security debates.

Her conclusion:

The tensions that arise around issues of security among different groups of internet governance stakeholders speak to the many tangled notions of what online security is and whom it is meant to protect that are espoused by the participants in multistakeholder governance forums. What makes these debates significant and unique in the context of internet governance is not that the different stakeholders often disagree (indeed, that is a common occurrence), but rather that they disagree while all using the same vocabulary of security to support their respective stances. Government stakeholders advocate for limitations on WHOIS privacy/proxy services in order to aid law enforcement and protect their citizens from crime and fraud. Civil society stakeholders advocate against those limitations in order to aid activists and minorities and protect those online users from harassment. Both sides would claim that their position promotes a more secure internet and a more secure society -- ­and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

While vague notions of security may be sufficiently universally accepted as to appear in official documents and treaties, the specific details of individual decisions­ -- such as the implementation of dotless domains, changes to the WHOIS database privacy policy, and proposals to grant government greater authority over how their internet traffic is routed­ -- require stakeholders to disentangle the many different ideas embedded in that language. For the idea of security to truly foster cooperation and collaboration as a boundary object in internet governance circles, the participating stakeholders will have to more concretely agree on what their vision of a secure internet is and how it will balance the different ideas of security espoused by different groups. Alternatively, internet governance stakeholders may find it more useful to limit their discussions on security, as a whole, and try to force their discussions to focus on more specific threats and issues within that space as a means of preventing themselves from succumbing to a façade of agreement without grappling with the sources of disagreement that linger just below the surface.

The intersection of multistakeholder internet governance and definitional issues of security is striking because of the way that the multistakeholder model both reinforces and takes advantage of the ambiguity surrounding the idea of security explored in the security studies literature. That ambiguity is a crucial component of maintaining a functional multistakeholder model of governance because it lends itself well to high-level agreements and discussions, contributing to the sense of consensus building across stakeholders. At the same time, gathering those different stakeholders together to decide specific issues related to the internet and its infrastructure brings to a fore the vast variety of definitions of security they employ and forces them to engage in security-versus-security fights, with each trying to promote their own particular notion of security. Security has long been a contested concept, but rarely do these contestations play out as directly and dramatically as in the multistakeholder arena of internet governance, where all parties are able to face off on what really constitutes security in a digital world.

We certainly saw this in the "going dark" debate: e.g. the FBI vs. Apple and their iPhone security.

Posted on October 24, 2016 at 6:03 AM • 21 Comments

Comments

chuckbOctober 24, 2016 7:50 AM

The semantic approach to consensus seems to rest (and fail) on the notion that all "stakeholders" somehow have equal standing and stake in all issues of (whatever their definition of) "security", and that "governance" has some operational meaning in the Internet, as though it were some singular system as opposed to an agreement on an architecture. The anthropological observations however, ring true.

Sok PuppetteOctober 24, 2016 8:20 AM

That was a mind-bendingly long-winded and jargon-laden way way to say something something blindingly obvious.

uh, MikeOctober 24, 2016 9:02 AM

Government actors are in a perpetual conflict of interest between protecting the government and protecting the governed.

Protecting the government involves feeding it power over the governed.

It's a familiar conflict in American history. It just looks different for awhile when novel environments, like the Internet, arise.

WhitebeardOctober 24, 2016 9:42 AM

I began to seriously doubt the need to pay for privacy services the first time I ran a domain scan and learned it was "registered" to:

Yoki (sic) Bear
123 Main Street
Antarctica 99999

"Officials". "Governance". "Security".

Horrorshow, DroogieOctober 24, 2016 9:45 AM

Pretty good article. Wolff does an excusable amount of 2-4-6-8, Simplify, Exaggerate! in contrasting human and national security perspectives. Human security approaches like the IGF Charter include protection from crime as an integral principle. The real difference between the two perspectives is the emphasis on protection of humans versus repression of proliferating 'threats.'

The next step is some deontology to assign duties or responsibilities to all these techical stakeholders. If Internet governance organizations have any interest in interacting with global meatspace, instead of manipulating it, those duties and responsibilities will be grounded in human rights. The US government approach is to start from the minutia and work backward to some idiotic dominance agenda while giving obvious facile lip service to undefined rights.

DanielOctober 24, 2016 11:40 AM

and in a sense, both would be right, except that each promotes a differently secure internet and society, protecting different classes of people and behaviour from different threats.

Correct. Yet all this fancy phrasing does is convey what used to be known as "values" or even more broadly "culture". The question then becomes how does one go about resolving value conflict via cultural warfare. Once upon a time the answer to that question in America would have been "democracy" but to a large extent that answer is no longer possible. It is no longer possible when concentrations of power have been invested in certain institutions that feel they have have the right to by-pass democratic mechanisms in order to promote their own vision of the future (I am think of the CIA spying on the Senate). It is no longer possible to rely on democracy when the fourth estate feels the necessity to whip a propaganda machine into motion in order to blame outside parties for interfering in democratic process (liberal panic over Russian intervention in the current election) rather than educate the populace on hard security problems. It is no longer possible to rely on democracy when one political party keeps undermining faith in democratic legitimacy by calling the system "rigged". In short, everyone agrees that democracy in the USA broken somehow by everyone is pointing fingers at some other party in order to maximize short-term benefits to themselves.

Of course, what play out within a particular culture also plays out between cultures. It is difficult for the USA to take a credible international stance, however, when it doesn't have its own house in order.

albertOctober 24, 2016 11:57 AM

@Sok Puppette,

A died-in-the-wool academic, to be sure. Ironic that the gov't has the same security issues that J. Q. Public have.

Does the LE/IC have really great security in their systems?

Is the Internet broken beyond repair?

Enquiring minds want to know.

. .. . .. --- ....

Clive RobinsonOctober 24, 2016 1:31 PM

I read,

    ... and in a sense, both would be right, except that each promotes a differently secure internet and society

The thing is they are not "Government Employees" like "Corporate Employees", they are "Civil Servants" which means they are "Servants of the Civilians". Thus they are not the masters but the servants, designated to work for the civilian population, not themselves be it directly or by having their loyalties subverted by a self selected few. It is after all what "We the people..." is all about.

The people have in the past decided that "we the people" should be secure in their homes possessions and papers, except on articulable complaint to lawfull authority. Likewise that no agents of the government such as troops be quatered in the peoples homes.

Quite a number of gov agents belive that such considerations do not apply to them. Thus their defination of security is total subjugation of the population.

The two are clearly at odds with each other, and the only reason the gov agents can get away with it is by control of the "Guard Labour".

Thus there is also a considerable inequality of power between the gov agents and the people.

As long as the gov agents have control of the guard labour there can be no chance of the people having the privacy and thus securityb they have believed they are entitled to.

Jesse ThompsonOctober 24, 2016 2:04 PM

I do not understand why security is so frequently framed as "where should power be centralized".

Feel insecure? Apparently that just means that you lack enough power to feel better about yourself, so you'd better fight other actors in order to wrestle their power from them.

But the reason this entire pattern is so disgusting is because Adam Smith answered this question once and for all in "The Wealth of Nations", one of the published materials coincident with the emancipation of the United States.

Put simply: power should concentrate into the hands of those whom it most directly affects. You as an agent will never profit as much by conquering your neighbor and robbing them of agency as you will instead respecting your neighbor and their agency and commencing trade with them.

This works both at the scale of government, and at the scale of individual, and in the conflicts between the two.

My InfoOctober 24, 2016 2:45 PM

Internet "stakeholders" have a portfolio of "stakes" in AAPL, GOOGL, MSFT, FB, YHOO, TWTR, ORCL, CRM, SAP, RHT, etc. Who else do you think they're talking about?

Getcha stawwwk!!! Good dividen'-payin' stawwwk!!!

Sancho_POctober 24, 2016 4:15 PM


@Bruce: I miss your “good article”, was it done deliberately? (I’d vote for very …)

The paper distinguishes between two groups: Pro and contra.
This is obvious but not helpful, on the contrary, as it polarizes us human beings
into the most unnatural digital form, only useful to stupid machines, 0 and 1.
Republican or Democrat, paranoia or blind, America or Russia, …
Nonsense, the world is round and colorful, not flat / black and white.

I propose to see three basic groups: The good, the neutral, and the bad.
All other groups consist of these basic types:
Americans, rich, yellow, conservatives, elderly, … whatever.

Our society works because we, the society, try to take out the worst of the bad.
Result is: The good outnumber the bad.

Downside:
Whenever society creates a broader group having impunity the society will fail.

—> Try to identify the group(s) with impunity in this topic’s struggle.

TedOctober 25, 2016 7:19 AM

From Josephine’s paper 'What we talk about when we talk about cybersecurity: security in internet governance debates'

“...focus on more specific threats and issues within that space as a means of preventing themselves from succumbing to a façade of agreement without grappling with the sources of disagreement that linger just below the surface...”

Although, the following example does not highlight a specific clash between stakeholder groups involved in internet governance -- governments, private industry, and civil society -- it does provide a case of developers establishing a rigorous testing environment to evaluate models of applied designs.

Earlier this year, the Industrial Internet Consortium (IIC) developed a security evaluation environment -- the "Security Claims Evaluation Testbed." It is now one of many IIC testbeds that have been created for hands-on system security testing.
The “Security Claims Evaluation Testbed” allows for the testing of a configurable cybersecurity platform that includes endpoints, gateways, and other network components. Data sources can include industrial, automotive, medical, manufacturing, smart grid/energy, and other market segment endpoints.
The testbed allows developers to evaluate the security of their applications, products, and services to ensure they align with the IIC Security Framework prior to product launch. What is learned can be integrated into forthcoming versions of the framework.

Are testing modules available for the legal and social analysis of internet policies and events? With an analysis scope that extends beyond the technical micro-system?

There is an interesting online class 'Creative Problem Solving and Decision Making' that breaks down complex problem-solving by defining and analyzing the following five elements: actor analysis, goal analysis, causal analysis, alternative analysis, and scenario analysis. I wonder if a program could be designed to collect and test various scenarios before new policies are drafted.

A Nonny BunnyOctober 28, 2016 3:11 PM

@Jesse Thompson

You as an agent will never profit as much by conquering your neighbor and robbing them of agency as you will instead respecting your neighbor and their agency and commencing trade with them.
That sounds blatantly false.
Suppose I only have a gun, my neighbour has a solid gold bar but no gun and nobody that cares about what happens to him. What exactly can we trade so that I get his gold bar, or something more profitable? I have nothing to offer but to spare his life.
I mean, morals aside, this is a question of what does conquering your neighbour cost, and what do you gain from it. It sounds positively implausible that the costs would always outweigh the benefits.

Clive RobinsonOctober 28, 2016 5:33 PM

@ A Nonny Bunny,

Suppose I only have a gun, my neighbour has a solid gold bar but no gun and nobody that cares about what happens to him.

Well if he owns a gold bar the chances of their being "nobody that cares about what happens to him" or more importantly his gold bar is small.

Whilst you could argue only from the economic perspective. In most western societies robbing people at gun point tends to have quite significant non economic consequences, such as "twenty to life". In many prisons, it is a very thugish or brutal environment where your life would in fact be of little consequence to either the other inmates or the guards.

Which brings us onto,

What exactly can we trade so that I get his gold bar, or something more profitable? I have nothing to offer but to spare his life.

You are making two assumptions that are probably false. Firstly that you have "nothing to offer" most humans are capable of performing unskilled or semiskilled labour, thus they have the ability to offer a service. Secondly that your neighbour has no use for a service.

But you have the "petty thief blinkers" of if it's valuable I can take it and realise that value. The simple fact is getting even a small fraction of the worth of a gold bar is going to be well neigh impossible for you. If you make 2cents on the dollar you would be very lucky, the chances are you would be found dead in an alley or on your way to jail if you tried to trade the gold.

Which brings us onto,

I mean, morals aside, this is a question of what does conquering your neighbour cost, and what do you gain from it. It sounds positively implausible that the costs would always outweigh the benefits.

History shows that in most cases you loose in the long run. If a country invades another to exploit it's resources, you have not just the cost of the war, but the cost of keeping sufficient peace such that you can extract the resources. You also run the risk of being trapped into endless war as other nations work out that your conquests have weakend you and therefore you are prime for being invaded.

History shows that Empires are costly to obtain and costly to maintain, and in the long run the only profit to be made is via trade... Thus you and your neighbour are better off trading from the start. Because although you might be independent states you develop a mutually dependent economy without which you are both poorer. Thus trade is the tide that raises all boats.

Wars and the like actually show very little in return for the costs. It's something the English learnt the hardway, and the reason they eventually formed a Commonwealth trading empire not a political empire. Generaly the only winners in wars are those that supply the weapons, often to both sides at the same time...

FrankOctober 29, 2016 7:25 AM

Since both of you have eyes for my wallet, let me be Frank.

I'll tell you boys what, I'm Anony Bunny's neighbor and I've been thinking about etiring. Maybe retracing E. Snowden's travel logs, maybe John McAffee. Who knows? Yesteryear I bought three gold bars off the internet (I provably shouldn't tell you that, considering...) but none-the-less I find myself not having room for such paper weight in the future so if you two are interested I'd be willing to make a deal. Maybe you two can work something out? 50/50? Everybody likes gold, it's a wonderful investment opportunity, not at all like investing in say something as ephemereal as say banks or bitcoins.

So what'll it be?

I have 14x 1oz Perth Mint gold bars, valued at roughly $1300 a peice. I can sell you one or two for say $1200 or we can do all 14 of them for an even $12k. Sound good?

The cream filling is free.
(http://www.zerohedge.com/news/tungsten-filled-10-oz-gold-bar-found-middle-manhattans-jewelry-district)

It's a great investment opportunity, I just get tired of looking at it - I mean you can only swallow a gold bar so many times before it loses it's lustre.

Owning gold, just makes me feel like a target - won't you two help me out of a bind?

Clive RobinsonOctober 29, 2016 12:34 PM

@ Frank,

The cream filling is free.

If you goto an old post of mine and look for "gold" you will see I'm well aware of the problem and have been for some time.

There is also another post where I joke about it and a horse called gold brick, you can probably duck duck for it.

FrankOctober 29, 2016 3:37 PM

@Clive,

The people moaning about a lack of obscure reverence pulling are attempting to place circles in a triangular hole.

AnonOctober 30, 2016 1:15 AM

Stop using the word "stakeholder" for a start. All this management speak is completely unhelpful for getting to who we are really talking about.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.