
19th July
2008
written by kevindonovan

The growing menace of Internet crime is really astounding. Phishing. Malware. Spam. The volume of attacks and deceptions is extraordinarily high. Estimates of the number of personal computers controlled by botnets range from 12-30% of connected computers; these hundreds of millions of machines are then harnessed to attack servers, mine the net for personal data or carry out any number of other nefarious activities. No longer is hacking the pursuit of curious tinkerers or bored teens. Today an entire industry, estimated recently by Gartner to be worth $3.2 billion in 2007, has arisen to sell malicious computer activities.

Cybercrime takes advantage of the generative nature of the net, poorly written code and user ignorance. Like all crime, cybercrime has brought about attempts to regulate the Internet, and often these regulations err on the side of caution and over-regulate, limiting beneficial activities. Rampant copyright infringement brought about the DMCA, which tried to limit illegal song-swapping but instead has been used to silence critics or sue adorable kids. And, most likely, it hasn’t done a whole lot to stop copyright infringement.

What is at risk with Internet crime is a similar course of events. In briefly reviewing Zittrain’s book, Lessig poses the question:

“Whether a single event, or a coordinated event, whether intentional, or accidental, it is simply a matter of time before a catastrophic network event happens. And when it happens — think of it as a kind of i9/11 event, but the bad guys are not Al-Qaeda — will we be prepared for the inevitable iPatriot Act response? Are we better prepared than civil libertarians were when we were hit with the USA Patriot Act? Have we even framed the right debate?”

Arguably this over-regulation has already started to take place, but it could certainly get worse. To help flesh out some of the important ideas about the future of cybercrime, the Publius Project has commissioned three essays.

Michael Barrett, head of information security at PayPal, writes that the impetus for regulation of cars and airplanes was prominent accidents. Paul Starr tells a similar story in The Creation of the Media about the beginning of radio regulation. Following the sinking of the Titanic, the Radio Act of 1912 required all radio operators to be licensed and all ships to have transmitters, and allocated bands of spectrum for certain purposes. Barrett thinks that cybercrime will have the same effect that the Titanic did and be the cause of serious government regulation of the Internet. In fact, he welcomes it as an important part of the interconnecting regulation needed from government, private industry and users.

First of all, it is not clear that cybercrime will be able to have the dramatic effects that a sinking Titanic did. Many of the threats from online activity, especially identity theft, are well-known and publicized. Others are becoming more publicized, like Internet-facilitated espionage. These cybercrimes will not necessarily serve as the shock that government needs to begin regulation. But let’s say there is an event or series of events powerful enough to induce a government response, as Barrett welcomes and Lessig fears: is that the right response?

Cybercrime, as best we know, is not centralized. There is no capital city to bomb, no leaders to sanction, not even a mob boss to imprison. As security expert Bruce Schneier says, even the alleged Chinese spy-hackers are not controlled by the state. So, what the cyber-police or other government regulation would be up against is a distributed network of criminals – a classic starfish – and one does not combat decentralized organizations in the same manner as centralized ones. As The Starfish and the Spider points out, to beat a decentralized foe, in this case cybercrime, one must decentralize oneself, centralize the opponent or change the ideology. In this light, Barrett’s assertion that “it’s quite possible that a new global governance organization is needed” seems misguided. While I welcome his support of a shared responsibility between stakeholders, I am fearful that calling for government regulation may be regrettable.

Instead, the words of Internet guru David Clark seem more nuanced:

“So the starting point for improving the state of Internet security must be a social dialog, not just a technical dialog, about what sort of Internet we want. The challenge to the technical community is not to build a very secure Internet—that might be more of a price than we actually want to pay. The challenge is to find clever ways to give us more security without taking away our freedom of action. And finding these better solutions will require a design process that involves both technologists and social observers, because it will take both technical imagination and social imagination to conceive of a different Internet from what we have today, more secure but still suited to our desires for open, diverse access.”

This social dialog should recognize the power of defaults and architect a security bias. Beau Brendler, in his essay, embraces this by calling for simple solutions which “nudge,” to use Sunstein and Thaler’s expression, users towards more secure computing: providing free anti-virus software and simple-to-understand security manuals, for one.

But if these soft-power solutions are to emerge, they had better do so quickly because while mainstream media rhetoric on the issues may border on panicked, those who know best are worried, too. And if we are to save the open, generative net, it will need saving from both itself and outside regulation.