[discuss] Who is responsible for security

Sat Jan 18 09:50:12 UTC 2014

Inline

On 18 Jan 2014, at 01:20, Brian E Carpenter <brian.e.carpenter at gmail.com> wrote:

> On 18/01/2014 03:37, Eliot Lear wrote:
>> Hi Nick,
>> 
>> On 1/17/14 6:22 AM, Nick Ashton-Hart wrote:
>>> Security in its various guises is THE policy subject with respect to
>>> the Internet. 
> 
> That's a statement of opinion but I'm not sure it's a fact.

Let me phrase this differently. My statement is based upon 6 years living in Geneva and 12 years working in this community - where 80% of Internet policy meetings take place and have for years. You can assume if you like that I’m making this up, or somehow have misinterpreted a large number of conversations with personal friends in government and UN agencies here and part of the NY UN diplomatic corps over the last several years, as you please.

>> Therefore, it cannot be divorced from IG 
> 
> I didn't say that.

Actually, you did as far as I could tell from reading what you said, but from your statement below, it seems clear you meant something more nuanced:

> What I intended to say, at least, is that most
> aspects of IT security are not issues of Internet security; they are
> issues of security in the boxes at the edge. Of course there are
> some issues of security in the network and in services provided
> by the network. Some of those security issues have a governance aspect.

Any security issues that impact content or those able to create and disseminate content have a governance aspect because of free speech and commercial implications in those limits or impacts.

Security - again, in the broadest sense, not just spam and malware but encryption of communications and fraud prevention, and of course national security - is actually a very broad field and all of those and others have a political dimension when they involve transboundary activities. 

> What is problematic and leads to fuzzy thinking is stating or
> implying that all the security issues faced by IT users who happen
> to use the Internet are Internet security issues and therefore
> Internet governance issues.

At a logical level I agree with you - the problem is that governments don’t approach issues from logic and reason only but from political angles. You can say this is wrong, or foolish, or whatever, but it is true, and always has been and in every area of international policy.

Users elect politicians. Politicians make rules. Users who feel unsafe online - in whatever guise - is a political issue if there are enough of them. As we see across the world, with all the elections that are happening globally, is those running for election seeing angles in Internet policy - especially national security but also child porn, etc - seeing there’s an electoral angle in these issues and taking positions.

> 
>>> and if you try
>>> policymakers will write you (you in this instance being whatever part
>>> of the Internet policy community tries to suggest it isn't an IG
>>> issue) out of the equation.
>> 
>> And this is why we have such things as the Council Of Europe's
>> Convention on Cybercrime (the Budapest Convention).  Now, cybercrime !=
>> cybersecurity, but it is an example of something where accession or
>> congruence has been shown to correlate to reduced cybercrime[2].  To
>> Brian's point, however, what we see from many governments and some
>> institutions is a classic form of over-reaching: they pick their
>> favorite complaint of the day, don't bother to bring their concerns to
>> those who are responsible for attempting to correct the problem, and
>> just argue, “there ought to be a law”[3].  
> 
> Exactly.

We agree. However, right now, there is the additional problem that a large body of policymakers are suddenly very interested in Internet policy who weren’t before, and they don’t understand the Internet. Where is the coordinated plan for educational outreach from the Internet community to meet this challenge? I’m working on one and have been calling for one for months to many stakeholders.

It seems to me that this kind of coordinated approach is something /1Net would be extremely valuable for - helping people work smarter and not harder to leverage all educational efforts in a coordinated way.

>> This, by the way, is
>> precisely what happened at WCIT with Spam.[8,9]  There was a convergence
>> of interests- some of those who *perhaps* legitimately feel the problems
>> of spam and those who simply wanted to make inroads to Internet
>> Governance.  The result was, ironically, what Brian was aiming for, a
>> specific remedy to a specific problem (careful with those bullets,
>> Brian- you only have two feet).
> 
> Depends how fast I can dance ;-)

Good luck with that ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140118/594d5d68/signature.asc>