Global Governance Institute


Regulating Cybersecurity

13 March 2015

Corina Campian (MSc Global Governance and Ethics) on a GGI keynote lecture with Professor Martijn Groenleer.


Following the recent revelations made by former US National Security Agency contractor, Edward Snowden, internet governance has concentrated minds not only in the seminar room but also the halls of power. Who controls the Internet? Who, if anyone, should regulate it? How do we strike a balance between national security and information privacy?

To help us understand the role of government interventions and market incentives in the field of cybersecurity and data privacy, the Global Governance Institute invited two experts in the field of internet governance and security, Prof Martijn Groenleer from Delft University of Technology, the Netherlands, and Dr. JP MacIntosh of UCL's Institute for Security and Resilience Studies, to discuss these cutting-edge issues.

Internet Security

The conference began with a discussion of malicious software ('malware') and other online security challenges. Dr. Groenleer, who is part of a network of political scientists, public administration officials, engineers, and computer scientists attempting to solve some of the puzzles that the internet and its governance invoke, argued that, although the academic literature is relatively scarce on the subject, there are several factors that make the internet a novel and dynamic field of governance study. First of all, the end-to-end principle means that the internet is an open and decentralised network where functions and content can easily be changed by users. This can translate into positive outcomes, in the sense that the more people who make use of the service, the more interesting it becomes. But it can also produce a number of negative externalities, as any vulnerability can be exploited and can travel through the network. One of the key problems here is that it is difficult to locate these vulnerabilities, and very often the end users themselves are unaware of the fact that they are being exploited.

Every year 10% of end users or their machines are infected with malware. Whereas initially malicious software was mainly meant to disrupt the users of the internet, it has now developed into a business and there is a whole underground economy for malware, as it is easy to set up and it can be scaled up incredibly quickly.

Who are the Actors?

The question, then, is who controls what gets transmitted through the network? Is there anyone who can indeed exercise a form of control and, as a consequence, can be identified as the responsible party? Several candidates spring to mind: hacktivists and citizen groups, sovereign nation states, international organisations, nonprofit organisations such as The Internet Corporation for Assigned Names and Numbers (ICANN), multistakeholder networks such as the Internet Governance Forum, among others.

A lot of the activities that researchers observe, however, while not institutionalised, are not ungoverned either. Increasingly, cybersecurity stems from private actors, and it is made possible through the physical infrastructure of the internet. What Prof Groenleer's group is currently looking at are the intermediaries: all the companies located between the technical part of the network and the end users. They not only facilitate access to the internet, but also act as facilitators, sometimes consciously, but most often unwittingly, of cyber-crime. The upside to this is that these intermediaries are therefore also ideally placed to act as "guardians of the internet", as control points in the network.

Only a few companies control the bulk of the problem. 20% of web-hosting companies facilitate 80% of malicious activity. The market is getting more and more concentrated following a 'winner takes all' approach. Fewer and fewer companies are getting bigger and bigger. More powerful players translate into a kind of 'feudal security'. Just as in feudal societies, we hand over our power to internet giants, who take care of our security, but in the process we lose some of the control.

What, then, is the role of the state? It can perhaps incentivise private actors to invest in security, in which case the next challenge becomes knowing who to pinpoint - identifying that 20% - and deciding how to delegate regulatory authority and censorship powers. For Internet Service Providers (ISPs), security enhancement is equally important, and probably less expensive than investing in customer support, reputation-building, and legal provisions. Moreover, researchers at Delft University have shown that membership of informal organisations of regulators such as the London Action Plan correlates with lower infection rates in ISPs, as does the presence of national public-private regulatory initiatives.

In the end, such emergent research efforts suggest that current academic conceptualisations of internet governance are overly informed by a conventional paradigm which directs our gaze to national actors and formal structures. As a result, a lot of the bottom-up initiatives led by ISPs and other types of private actors escape our field of vision. It is incumbent upon Global Governance students and researchers to critically assess how existing concepts and theories can be modified to provide a fuller understanding of the new realities of internet governance.