On internet history and regulation
So, we learn that one of the big areas on which the US and the UK are supposed to still have a special relationship is that of ‘cyberspace’. Or rather, I learned that from my brother Adam, who suggested that I write a piece on it. I ought to be embarrassed to admit that. After all, knowing about ‘cyber’ stuff is my job, kind of. I teach a course in’terrorism and the Internet’ at the University of St Andrews and have just finished writing a module in ‘cyberterrorism’ for Informa Global. So you might think that I keep an eagle eye on what the great powers are doing in this area. And I do, kind of. That probably sounds a bit laid back. I think the bit that puts me off is the ‘cyber’ bit. Usually that’s a giveaway that one doesn’t have to pay particularly close attention. In my experience, no one who actually knows what they are talking about still uses the word ‘cyber’ or (William Gibson excepted) cyberspace with a straight face. It’s become a word that generals and politicians use because they think it makes them sound cool.
That isn’t to say that governments don’t have an important role to play with regard to the Internet. After all, the Internet grew out of government backed projects: the Internet itself, for example, was spun off the US military ARPANET project, and later on Tim Berners Lee’s invention of the Web was made possible through some enlightened decisions at CERN. We still need government today to defend and uphold the basic principles that make the Internet what it is: net neutrality, for example. It’s also true that, realistically, we sometimes need governments to decide when certain kinds of activity which basically didn’t exist before the Internet should be considered a crime. The case that is always cited as an example of this is the I LOVE YOU virus, whose Filipino creator apparently couldn’t be prosecuted, because that country had no laws about virus writing at the time. So when – as the FCO statement on Obama and Cameron’s joint policy does – the attention turns to actual concrete meaningful things like the Budapest Convention, then my ears start to prick up again. The Budapest Convention, also called the Convention on Cybercrime is the Council of Europe’s attempt to produce a single framework for international cybercrime law. It has its critics. Some say its provisions are overly broad and lacking in adequate safeguards. But it is at least an example of the kind of thing which governments ought to be doing in relation to the Internet.
Nor is it the case that cybersecurity is a non-issue as such. It is perfectly reasonable to governments not to want hackers from anywhere in the world to be able to access their computer systems – though again, that doesn’t mean that accidentally deleting some documents on a Pentagon server makes you a ‘cyberterrorist’ (is it too much to hope that the word ‘cyber’ coming from an American president could possibly have prompted, perhaps behind closed doors, the words ‘Gary MacKinnon‘ from his prime minister?).
So why is it that talk of ‘cyberspace’ from governments makes me tend to glaze over? Or, perhaps better, why is it that the endless plans and programmes and policy papers on the subject (a good example of which is the report that Obama commissioned as one of his first acts in office) seem so often to have so little substance?
The answer to this question is worth setting out I think, not so much because it has anything to do with cybersecurity per se, but rather because it has something important to tell us about politics in a wider sense.
And in order to tell this story, I shall have to go back a few years, to 2008.
It was in that year that, rather unexpectedly, I found myself employed to write a report for the United Nations on the subject of ‘countering the use of the Internet for terrorist purposes’. I was just beginning a PhD, and although I was very flattered to be approached for the job, I hardly felt qualified – particularly for such a potentially large and ambiguous remit. Realising that I knew very little myself, I set myself to talking to anyone who might have something to say on the subject. In retrospect of course this is called ‘research’.
Probably the best single decision I made that year was to attend the 2008 ICANN meeting in Paris. If you Google me, you can see that I still have a caricature on the ICANNwiki to prove it. ICANN is an interesting organisation. It’s a non-profit corporation which has the job of looking after the relationships between ‘numbers’ (that is, the numerical ‘IP addresses’ which theoretically tell every computer on the Internet where every other computer is), and ‘names’ like http://www.brightgreenscotland.org/ which humans use to find out where the stuff they are looking for is. This is, in essence, the system we call the ‘Domain Name System’, and it underpins the Internet as we know it. So, in so far as anyone does, ICANN runs the Internet. But the thing that really makes ICANN interesting is not so much what it does, as its anomalous situation.
Cutting a very long story short, here is a potted (and outrageously simplified) history of Internet governance. Once upon time, it was suggested to the US defence advanced research projects agency (DARPA), that a decentralised, ‘packet switched’ digital communications network would be much more robust than conventional phone network that existed at the time. In order to turn this idea into a reality, a bunch of brilliant nerds – many of them MIT alumni who had learned about the intricacies of switching technology through that university’s legendary model railway club – were hired. Given relatively free range with the most advanced computer equipment that then existed on the planet, these nerds did what all right thinking employees do. They pissed around. They invented the electronic bulletin board in order to talk about Star Trek. They (well, to give credit where it’s due, Ray Tomlinson) invented email pretty much just for the hell of it. Along the way, they also built ARPAnet – the US military network which became the main tributary of the various early computer networks that flowed together to make the Internet. Indeed, as Wolfgang Kleinwaechter of the University of Aarhus tells us: ‘The domain name system (DNS) was also developed bottom up. It was coordinated by its father, Jon Postel, with one assistant in his California office in Marina del Rey until the early 1990s. He managed the zone files of a database and was not interested in being pulled into policy’.
This basically left a situation in which the US government ‘owned’ the Internet, without really understanding exactly what it owned. Meanwhile, people like Jon Postel simply got on with running it. But while they weren’t interested in being ‘pulled into policy’, that’s just not how politics works. Because, of course, even if you aren’t interested in politics, it is interested in you. And it sure as hell is interested in you if you essentially hold the keys to the most sophisticated communications network ever devised. In practice what happened was that, as the Internet developed in importance, the US military began to take a progressively more proactive interest in the running of the project they had funded. In particular, this meant commercialisation as companies like Network Solutions were given contracts to sell domain names for money. One day in 1998, this all this became too much for Postel, who quietly took over the entire Internet, by writing to eight of its twelve ‘name servers’, asking them to route queries to his own computer at the University of Southern California, making it in effect the ‘root’ for the entire net. As Goldsmith and Wu claim in their brilliant description of this Internet revolt, the people running the servers, who were all colleagues of Postel knew what they were letting themselves in for. One even arranged to have his children looked after, fearing his imminent arrest. But they did as they were asked. In what followed, the conversation between Postel and Clinton policy advisor Ira Magaziner asking the computer genius calmly to ‘put things back as they were’ is priceless.
ICANN was in essence the compromise deal that came out of this power battle. On the one hand, ICANN is, to the chagrin of many, not formally a part of the international system of UN affiliate organisations – although national representatives attend its meetings. Technically indeed, it remains under contract to the US Department of Commerce, although it chafes against this. It is a ‘corporation’, but – as I mentioned – it does not work for profit. The only reason this odd chimera is able to function at all (and, by and large, it actually functions reasonably well) is that it focuses as far as possible on technical matters. When I went there, it had all the trappings of a jet setting international meeting but for one thing. Every now and then amidst all the suits you would come across a bearded guy in a pair of sandals, and the sense was that these people were still running the show – just.
It was into this organisation that I walked, very much suited, utterly ignorant of the workings of the Internet, and with a job that had both the words ‘terrorism’ and ‘United Nations’ in the title. Perhaps surprisingly, some people were still nice enough to actually talk to me. So I started, naively, to ask my questions. My big question was basically this: why, since cybersecurity threats are clearly a global issue, is there no global level institution capable of responding to them? The first answer I got was ‘trust’. The handful of people who actually, when it comes down to it, know how to run the Internet simply will not trust anyone simply because of where they come from. They have to know you personally. They have to know what you can do. And that led on to the second issue: competence. People who know how to run the Internet simply don’t care who you are. They care about what you can do.
Now, that may sound like an absurdly romanticised idea of how the Internet is run. For starters, it glosses over the fact that most of these Internet insiders still tend to be white men from rich countries (and it was, after all, the poorer countries that were least pleased about the UN being shut out of running the Internet). But it still makes quite a lot of sense when one considers what happens when things go wrong. For example, when Estonia’s electronic banks were shut down by a flood of malicious Internet traffic in 2007, they didn’t call Interpol. What happened was this: the head of Estonia’s ‘Cyber Emergency Response Team’ had dinner with a guy called Kurtis Lindqvist, who called in a couple of his mates, who in turn called up the places the traffic was coming from and asked them – one computer geek to another – to kick the rogue computers off the network. Something roughly similar happened a couple of years ago when the evil genius of the conficker worm struck computers around the world. Microsoft and a few other big companies provided the money, but in the end the organisational structure was the same: a handful of people who actually knew what they were talking about (including Rodney Joffe, who very nicely had agreed to talk to me a few months earlier back in Paris) put their heads together, called in favours from friends, and tried their best to fix things.
The point is to all this is that there is something about how the Internet in general works, and Internet security in particular, that just doesn’t institutionalise well. Broad notions like ‘cybersecurity’ which pour forth from the mouths of policymakers tend to crash against the specifics of what these things actually mean. Indeed, I suspect that the tendency of policymakers to talk about ‘cyberspace’ as a ‘space’ that can be ‘defended’ may have a lot to do with just how poor security sometimes seems to be in some big institutions. Our own Gary MacKinnon reportedly got into the Pentagon by scanning for administrators who just hadn’t bothered to put a password on their accounts. Perhaps they had the notion that somewhere out in ‘cyberspace’ they had an invincible cybershield that would protect them, like some Star Trek cloaking device. The problem is that computer hacking and computer security, thus conceived, are simply too different to mutually engage: one is all about innovating, for its own sake if for nothing else. The latter seems all to often to be about building institutions and processes without figuring out what’s going to go in inside them.
But this isn’t really where I’m going with all this. Rather, I think that the moral to this story is something different.
The history of the Internet is sometimes seen as a battle between a kind of rather American spirit of rugged individualism running rings around bureaucratic bean counters, and then an ongoing struggle to protect the spirit of the ‘Internet frontier’ from encroachments of institutional power. Efforts to control the Internet – to regulate encryption, to legislate ‘cybersecurity experts’ out of thin air tend to be sneered and feared in equal measure. But the reality is more complex than that. The Internet grew out of the generosity of governmental institutions which were prepared to pay bright people to do something and then let them get on with it. It grew out of educational institutions which left people the spare time to mess around. None of these governmental decisions were capable of creating the Internet – nowhere near. Nor are they capable of directing its future – except perhaps in a negative sense. But they are capable of providing the conditions in which it can make its own future.
This is a moral that goes well beyond the Internet. Today we often seem to be faced with two equally unpalatable principles: one which would micromanage everything, and another that would monetize everything. By being against both of them one is apt to be seen as naive. And yet neither really explains how much of what works in the world actually does work. The first principle would have us believe, for example, that teachers will only teach children to read if we make them fill out forms explaining how they propose to do so. The second would suppose that teachers will only teach children to read if they stand to lose their jobs if they don’t. The reality is that teachers, in whatever kind of school, will teach children to read if they see themselves as teachers. The same goes for computer security, where professionals can only be as good as they are allowed to be playful. Forget Britain and America. It is the special relationship between a human and the outcomes of her or his own work that really matters.
(Speaking of one’s own work, I’d like to mention that I borrowed some ideas in this piece. Special thanks go to Alasdair Macintyre, Lawrence Lessig, Jack Goldsmith and Tim Wu).