Friday, August 29, 2008

Securing "Places"

The picture is a photograph of Hadrian’s Wall, the Wall the Romans built across what is now England.

The Romans built it to protect Roman Britain from raids by the Picts, the tribes that inhabited what would become Scotland. It marked the northern boundary of the Roman Empire in Britain, the dividing point between the unsettled outlands and the area encompassed by the Roman Peace, the Pax Romana.

You’ll note in the photo that this section of Hadrian’s wall is still standing, though it’s eroded a bit, and may not be doing a great job of controlling those sheep. The guy in the photo is apparently applying weed-killer, which I assume is used to keep weeds from further eroding the wall.

This is a blog about cybercrime, not history, so you may be wondering why I’m rattling on about Hadrian’s Wall and the Pax Romana. This post is going to be different: Instead of talking about a case or statute, I’m going to ruminate on an issue I’m trying to sort out.

The issue is the problem of securing cyberspace. That phrase is not really accurate, unless we think cyberspace is a “place” analogous to Roman Britain, or Roman Gaul or Roman Italy or Roman Africa or the Roman Empire. Each of the constituent areas of the Roman Empire (Italy, Gaul, Africa, Britain) was a “place,” a geographical area with clearly defined boundaries. The Roman Empire was also a “place” – a conglomeration of geographical places, to be precise. The Roman Empire’s ability to secure the areas it controlled created and sustained the Pax Romana, at least until the Empire crumbled.

Cyberspace is in one sense analogous to a geographical “place” – like one of the areas that constituted the Roman Empire, or maybe the Empire itself. We tend to describe our experiencing it in spatial terms: We “go into” cyberspace when we’re online (an analogy that is particularly apt when we’re in virtual worlds like Second Life or playing games like WoW). We refer to “sites” and “locations” in cyberspace, and cyberspace has for over a decade been characterized as a “frontier,” an unexplored “place” we are in the process of settling and civilizing. All of these are examples of the spatial analogies we implicitly rely on when we talk about and conceptualize cyberspace. We use those analogies, I think, because we have no other way of conceptualizing purely non-spatial experiences – Gibson’s collective, consensual hallucination.

Cyberspace has definitely become a venue for human activity, and that brings us to the issue of securing cyberspace: As we all know, and as I’ve written about almost 200 times on this blog, cyberspace can be and is being used to commit criminal activity. As I’ve also noted here before, criminal activity undermines social order; social order is the term used to refer to a social system’s need to maintain order among its constituents, to prevent them from preying on each other. As I’ve noted before here and elsewhere, no social system – no tribe, no empire, no nation-state – can survive if its constituents are free to prey upon – to rape, assault, murder, steal from, etc. – each other. Every social system has to maintain a baseline of internal order if it is to survive; order is essential if people are going to produce and distribute food and the other necessities they require to survive and prosper. It’s also essential for stable reproduction and the socialization of children.

Every social system – tribe, empire, nation-state, etc. – also has to maintain external order – it has to fend off attacks from other tribes, empires, nation-states, etc. They do that by relying on their military; Rome used military force not only to fend off its enemies, but to bring other geographical areas under its control. Having done so, it had to protect those areas from external enemies (Hadrian’s Wall) AND preserve internal order, which it, like very other evolved human social system, did with criminal rules and procedures for enforcing those rules.
But so far every human social system – tribe, city-state, empire, nation-state – has been a closed system: It has occupied a bounded geographical area, and used it military to fend off outside enemies and its law enforcement rules and personnel to keep its own citizens from preying on each other (too much). It is for this reason that we tend to refer to the social systems – the nation-states – that are now dominant as “countries.” Their identity and existence are defined by the territory – the “country” – each controls.

Now we have cyberspace: What is it? Is it a new country, to be conquered and put under the control of one or more of our existing nation-states? Do we somehow carve cyberspace up into regions: U.S. Cyberspace, French Cyberspace, Thai Cyberspace, and so on? Or do we make it a “country” in and of itself? If we do that, who runs it and how do they maintain order “in” cyberspace?

Maintaining order “in” cyberspace is, I submit, an oxymoron, as is “securing cyberspace.” Analogizing cyberspace to a geographical “place” may have its uses, but this is not a productive analogy when it comes to talking about threats in cyberspace and how they impact on our lives in the real-world. The Romans could build Hadrian’s Wall and use it to keep the Picts out of Roman Britannia, but we can’t do that with cyberspace; it is not a separate “place” with its own, indigenous population. It’s “occupants,” if we want to use that term, are transients – real-world citizens who drop in and out of cyberspace. Unless and until we develop the technology and the inclination to decant our consciousnesses into an evolved version of cyberspace, we cannot become permanent residents.

What I find most interesting about cyberspace is that it is, IMHO, breaking down the carefully constructed and maintained boundaries that divide the world into nation-states or “countries.” It’s eroding cultural and social barriers, but it’s also eroding geographical boundaries. As I’ve noted here and elsewhere, the defining characteristic of cybercrime is that it tends to be transnational. Unlike traditional crime (which was face-to-face and therefore physically grounded crime), cybercrime is unbounded crime; a cybercriminal can victimize someone halfway around the globe as easily as he/she can someone who is across the street.

That, as I’ve noted here and written about extensively elsewhere, erodes the efficacy of the systems nation-states use to control crime and keep order. Those systems are set up to deal with internal crime: There’s a crime scene, which is local; there are witnesses who can be interviewed who will know the victim, if not the likely perpetrator, and who can be interviewed to provide information that will help police catch the person who committed the crime. All of these law enforcement systems are organized hierarchically, on a quasi-military model; both the systems that are used to maintain internal order (fight crime) and the systems that are used to maintain external order (keep other countries at bay) are hierarchically organized, territorially-based systems.

Law enforcement officers from Country A can’t simply go into Country B, kick down doors, chase suspects and do whatever else they need to catch a cybercriminal (assuming all of that would be effective in doing so). The same is true of the military: If Country A comes under cyberattack in what seems to be cyberwarfare, instead of cybercrime, the military can’t simply invade Country B, from which the attack seemed to originate. Country B may not actually be the source of the attack; and even if it is, the attack may not be warfare launched by Country B. It might be warfare launched by Country C to get Countries A and B going at each other; or it might be warfare launched by a group of non-nation-state actors who either consider themselves capable of waging war on their own or are interested in getting Countries A and B to attack each other.)

I’ve written more about the cumbersome nature of the systems nation-states use to maintain order (and do pretty much everything) elsewhere. You can find a link to one of those articles here, if you’re interested.

My point is that I don’t think the approach we have used is working, and can work, in a world in which computer technology increasingly makes geography irrelevant. Like others, I wonder if we will not see the nation-state disappear as the basic social system . . . to be replaced by . . . what?

I am becoming increasingly convinced that the territorially-based, hierarchically-organized (and often ridiculously huge) agencies we rely on to secure the real-world areas controlled by nation-states are completely unsuited for, and incapable of, dealing with cyberthreats. I keep coming back to a book I read several years ago, as a source of an analogy for what MIGHT be happening.

The book (the title escapes me, sorry) is about a man, a fairly wealthy and powerful man, who lives with his family in Provence (now part of France) in the period when the Roman Empire is beginning to fail. He’s a native of the area, but has become a Roman citizen, and like all the citizens of the Empire he’s used to peace and security. There were dustups at times, but the world was, and had for a long time been, stable.

As you read the book, you realize what it was like to live through the early decline and then disintegration of the Roman Empire, the entity that had kept everyone safe. It’s easy for us, looking back, to point to things and note how obvious it was that the system was beginning to fail. It’s a lot harder to do that when you’re in the system, you’re used to it and you need it, because if it fails, you’re in trouble. As you read the book, the man it’s about slowly begins to realize that his world is ending, and he’s going to have to figure out how to deal with it. The bad guys are becoming bolder, because the systems that used to keep the in check are not working so well, anymore.

I’m not saying we’re Rome, and that everything is going to fall apart in the near future. What I AM saying is that I think we’re a little like the people who closed their eyes when it began to become apparent that what had been Rome wasn’t going to work any more. They may not have had any other choice, but I think we do. And I don’t think endless conferences and press releases touting law enforcement’s success against child pornography and the odd, inept local cybercriminal and all the other “noise” about how well governments are dealing with cybercrime are getting us anywhere. The world is changing, and I don’t see why we can’t accept that and try to adapt to it, instead of letting change happen and reacting to it.

No comments: