Saturday, April 29, 2006

Securing cyberspace

This is a follow-up to my last post, about security.

As I have written elsewhere (I know I keep saying that, but it’s true), our goal is to keep crime on line to manageable proportions, to maintain the necessary baseline of order for cyberspace to function as an analogue of the real-world. In the real-world, we maintain a baseline of order which allows societies to carry out the functions they must if they and their constituents are to survive and prosper. We cannot eliminate real-world crime, but we control it, using the law enforcement strategy I talked about yesterday and have talked about here and elsewhere (yes, again).

We cannot, as I have explained before, use the reactive law enforcement strategy we use for real-world for cybercrime because cybercrime is different. We need a new strategy, one that involves citizens as well as law enforcement. We still retain the traditional, reactive law enforcement strategy but we supplement it with preventative efforts implemented by individuals and entities.

I see cyberspace as analogous to Europe after the fall of Rome. The mechanisms that had maintained the necessary modicum of order in society disappeared, leaving a state of disorder, anarchy. There were no nation-states to maintain order within a demarcated territory; indeed, there were no functional territorial boundaries. Crime control was purely a civilian function; members of communities shared responsibility for apprehending criminals. In medieval England, male adults were required to possess weapons they could use in apprehending and subduing a criminal; the practice was for someone to raise the “hue and cry” when a crime had been committed, after which men in the local community attempted to catch the perpetrator, who would then face certain, rough justice. This model prevailed until the 19th century, when Sir Robert Peel invented the modern police force and eliminated civilian involvement in security.

We need to restore civilian involvement, at least in securing cyberspace. We need a culture change; we need for people to understand that cyberspace is not like the safe, predictable environment many of us inhabit; it is, instead, analogous to the out of control world Europeans confronted after the fall of Rome. It was up to them to take care of themselves, and it is up to those of us who inhabit cyberspace to do the same thing.

I have written extensively about this, but I have not seen it mentioned in the popular press or anywhere else . . . except for the National Strategy to Secure Cyberspace. The White House released the National Strategy in 2003. It calls for civilians – individuals and entities – to assume responsibility for protecting themselves online and thereby helping to prevent cybercrime. It makes this assumption of responsibility a purely voluntary act; there are not consequences if one does not assume responsibility and does not make an effort to prevent cybercrime. Perhaps for that reason, the National Strategy rather quickly disappeared from public view and public discourse.

As I have argued elsewhere , we cannot rely on a voluntary approach to achieve civilian involvement in controlling crime in cyberspace. We need a culture change, and while that might occur on its own if we pursue a voluntary approach, it will take a very long time for the process to be complete. I do not think we have a very long time; I think cybercrime (and cyberterrorism) will only become more pervasive and more destructive, since there is little chance a clever cybercriminal will be apprehended and sanctioned.

I have written extensively about how we can use law, notably criminal law, to jump-start this culture shift. I do not claim to have devised the perfect solution for this problem; all I really want is to bring it into public consciousness and see us making some serious effort to address it.

No comments: