Security, Safety, Stability & Resilience
Security, Safety, Stability and Resilience (SSSR) of the Internet stands for a vision: a single, global interoperable Internet ecosystem that is open and accessible for the global community, is used predominantly peacefully, does not directly or indirectly endanger human beings, and can withstand or optimally deal with disruptive events and other malicious behaviour.
- 1 The Situation
- 2 Concepts
- 3 Disciplinary Views
- 4 Relationship to Internet Governance
- 5 Current Status & Options
- 6 Workshops at IGF2019
- 7 External Links
Visions are declarations of mid- and long-term goals that lie in the future. With a vision comes the need to understand the current situation in relation to that future goal. Once we have such situational awareness, we can start thinking about the steps that should be taken and the resources that are needed to reach that desired stage.
There used to be a lot of optimism with regard to the liberating and democratising effects of the Internet. However, a variety of political developments that are linked to the use and misuse of technology have dampened this enthusiasm considerably in the last few years.
The frequency and sophistication of disruptive events are increasing. Powerful actors are showing that they have developed the political will and the capabilities to use cyberspace for strategic and military aims or to surveil and oppress parts of their population. Cyberspace has been upgraded to a strategic domain whose development is no longer left to non-state actors. At the same time, the market opportunities for security and insecurity providers have skyrocketed, leading to the development and use of new tools and services that have a direct, negative impact on human security and human rights.
One of the core issues preventing the vision from becoming a reality is that a) the vision of a secure, safe, stable, and resilient Internet is not shared by everyone, most importantly not by powerful actors in the system who are prioritizing other interests; b) even among those who share the vision, there is a fundamental disagreement as to what type of Security, Safety, Stability & Resilience should be the goal; and c) there is a fundamental difference between aiming for SSSR in cyberspace and aiming for SSSR through cyberspace.
That said, many different state and non-state actors are working towards this vision tirelessly, for example by trying to establish norms of responsible behavior in cyberspace.
Security, Safety, Stability & Resilience are very difficult concepts to define in simple ways because they are highly context dependent, with substantive bodies of literature dealing with the various facets of them. In addition, definitions are also seldom objective or neutral: they come with certain decisions about what to include and what to exclude and always represent the interests of particular groups of actors.
Security is particularly prone to definitional disagreements, which is also why it has been called an essentially contested concept (i.e., a term on which no amount of debate will bring full scholarly consensus, Gallie 1956). In a basic form, security is the state of being free from danger or threat. However, defining what kind of threats should be taken seriously, what objects or values or people these threats endanger, what means or instruments should be used to counter the threats, and who should be in charge of this is a highly political and often contested undertaking (which is at the heart of the current problem of fulfilling the vision outlined above).
Security is also considered one of the prerogatives and core duties of the state. In this form, it is linked to the so-called “monopoly on violence” or the “monopoly of the legitimate use of physical force”, an idea having its roots in Western political philosophy. It posits the state as any organization that has been legitimized by its citizens to hold the exclusive right to use, threaten, or authorize physical force against residents of its territory. Because it has such a monopoly, the state has a duty to use all its available instruments of power (diplomatic, informational, military, economic) to safeguard the security of the nation state. This type of security is often called national security. National security is often said to be more important than other political issues, which means that invoking national security concerns carries particular weight.
This conceptualization is problematic if the governing authority is not legitimized, is not willing or able to perform its duty, or might deliberately favor one group over another, which often means that the security of one group in society might result in the insecurity of another. In this context, the UN developed and championed the concept of human security. It is a human-centred concept that posits that the referent for security should be at the human rather than the national level. In other words: unless individuals are safe and secure, no security is achieved. In short, it is security relevant to people.
We will look at information security and cyber security further below because they encompass a lot of the other dimensions addressed in what follows.
Not all languages make a clear distinction between “safety” and “security”. In general, the concept of safety is less contested than the concept of security, mainly because it emerged from the technical field and is much more limited in its aspirations. In that understanding, safety refers to the protection from accidents or hazards and was developed in the context of the health and well-being of people at work, often in so-called high-risk industries. Safety as a concept is more limited than security also because it refers to individuals and not collectives.
Following this understanding, Internet safety is related to an individual user's personal safety when using the Internet. The threat is criminal (not political) and includes things such as Internet scams, cyberstalking, cyberbullying, online predation and sextortion.
Stability in general is a positive concept that signifies a state of being that is without disruptions or a performance that is enduring. Similar concepts are constancy, robustness, and resilience (see below), which are all found in both the natural and the social sciences.
There is one body that has most prominently addressed Internet stability, the Global Commission on the Stability of Cyberspace. In their mission statement, they make it clear that the stability of the Internet is linked to political stability. The more strategic stability declines, the more likely it is that cyber-activities “play a leading role in this newly volatile environment, thereby increasing the risk of undermining the peaceful use of cyberspace to facilitate the economic growth and the expansion of individual freedoms.” The way forward, according to this Commission, is the development of “norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.”
The concept of resilience adds an interesting facet to the other three concepts. Within various policy fields, resilience is discussed as the answer to a world of rapid change, complexity and unexpected events. The basic assumption is that the (in)security of an object is not only dependent on the character and severity of the threat it is exposed to (its vulnerability), but also on the object itself – namely, its resilience to detrimental events. The concept thus aspires to describe mechanisms for maintaining stability, survival and safety – mechanisms that seem equally applicable to the individual, society, nature and technical systems.
While protective measures aim to prevent disruptions from happening, resilience accepts that a whole variety of potentially severe incidents (terror acts, natural disasters, power outages, etc.) cannot be prevented. If resilience is a core concept, security does not refer to the absence of danger but rather the ability of a system to exist and persist in a system where potentially catastrophic events (mainly inside one’s own country) are an ever-present possibility. Applied to the Internet, resilience is the ability of a system or network or the entire Internet to continuously deliver the intended outcome despite adverse events.
Security, Safety, Stability and Resilience (SSSR)
Together, these four concepts cover a very wide range of actors and issues, all having to do with the functionality of the Internet. However, there remains the question whether the effects of SSSR refer mainly to the technical environment (SSSR in cyberspace) or whether we wish the Internet to be a means to achieve SSSR beyond this technical environment (SSSR through cyberspace). Whereas the first, narrow understanding has a lot to do with technical means and standards, the second is a much broader, much more difficult goal to achieve. Also, many stakeholders can agree on SSSR in cyberspace since interests converge to a large degree - whereas the interests diverge hugely when it comes to SSSR through cyberspace. The main reason is that there is no agreement on what kind of security should be achieved - and who the main beneficiary of this security should be.
In the technical sphere, SSSR (under the heading of cybersecurity) is linked to the so-called CIA Triad, the protection of confidentiality, integrity and availability (CIA) of information (see ISO/IEC 27032:2012). A comprehensive definition along these lines is given by the ITU, the United Nations specialized agency for information and communication technologies:
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability; Integrity, which may include authenticity and non-repudiation; Confidentiality.
Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Data encryption is a common method of ensuring confidentiality, as are user IDs and passwords as standard procedure.
Integrity means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. Data integrity covers data in storage, during processing, and while in transit. Typical measures include file permissions and user access controls.
Availability means ensuring timely and reliable access to and use of information. It is ensured by hardware maintenance, regular and timely system upgrades, but also disaster recovery plans.
Political science is getting more and more interested in SSSR. In general, the discipline is focusing on two main factors: first, the use and misuse of digital technologies by human actors in economic, social, and political contexts; and second, enduring and often highly conflictual negotiation processes in formal and informal settings between the state and its bureaucracies, society, and the private sector, geared towards defining roles, responsibilities, legal boundaries and acceptable rules of behavior.
The first dimension is tied to the use of a set of distinct digital technologies and how these technologies are linked to broader conceptions of socio-economic changes. The most pertinent questions are what their characteristics are, what actions they make possible and which ones they restrain, but also who develops them in what ways and why and who has the power to shape their use and misuse.
The second dimension is tied to the role of states and their engagement with other actors nationally and internationally. Importantly, the state has different roles in cybersecurity, ranging from security guarantor, legislator and regulator, to threat actor and danger to society and other states. Hence, cyber security politics are defined by national and international negotiation processes about the boundaries of the responsibilities of state, economic, and societal actors and the agreement or disagreement over the means these actors use. This second dimension includes the projection of power by certain actors, like the control over populations and information flows, and the push-back against it as well.
Relationship to Internet Governance
Not so long ago, states were believed to be powerless or at least disinterested entities with regard to many aspects of Internet Governance. The supposed novelty of the domain was thought to render traditional forms of state intervention and strategies useless. We now understand that this is not the case: as states have come to reveal themselves as capable and determined actors, willing to use and shape the digital realm as part of their strategic and military toolsets, unease about the escalatory potential of offensive cyber-operations has risen. The uncertainty about the intentions of other states leads to heightened feelings of insecurity and, in a classical security-dilemma fashion, to high incentives to build up (offensive) capabilities and cyber-command units, often at the intersection between the military and intelligence.
The framing of cybersecurity as national security places the issue in power-political contexts, which introduces largely divergent values and interests into the debate and is often used to crowd out “non security” actors from deliberation processes. The assertion of state power is linked to the notion of territorial borders in cyberspace. According to this view held by many government actors, the process of asserting state sovereignty and re-establishing state control in cyberspace is inevitable, because security is the most fundamental need of human beings, which means that security – and the sovereign obligation to provide it - triumphs over other, lesser, inferior needs (such as privacy, which is framed as a “nice to have”). Furthermore, the more cybersecurity is presented as a traditional national security or public safety issue, the more natural it seems that the keeper of the peace in cyberspace should be governments and their military, aided by the intelligence community.
Totalitarian governments are embracing a growing “cyber-sovereignty” movement to further consolidate their power. Government cybersecurity practices such as online censorship, curtailing of encryption, surveillance, deep packet inspection (DPI) and government hacking have become prevalent across certain regions. These practices principally affect basic human rights and fundamental freedoms set out in the “Universal Declaration of Human Rights” and the “International Covenant on Civil and Political Rights”, including freedom of expression, freedom of speech, the right to privacy, freedom of opinion, and freedom of association.
With these challenges, working towards the vision of a secure, safe, stable and resilient Internet is going to be at the heart of any future Internet Governance discussion.
Current Status & Options
Because cyberspace is a realm used by different actors for highly diverse activities, the security-seeking actions by states often directly clash with other uses and conceptions of cyberspace. This causes considerable resistance to the actions of governments, with high costs for all sides. In particular, there are problems associated with the empowerment of intelligence and military establishments in matters of cybersecurity. The military accumulation of cybercapabilities may be outpacing civilian comprehension and control. Similar problems hold true for intelligence agencies: While they may have the budget and technological resources that are best suited to respond to cyberthreats, their role also elicits great public unease.
However, without technical security that respects confidentiality, integrity and availability of information, there can be neither SSSR in nor SSSR through the Internet. The one is a prerequisite for the other. Security practices such as intelligence agencies’ exploitation of vulnerabilities in computer systems and their weakening of encryption standards have the potential not only to create new vulnerabilities but also to further undermine trust and confidence in the Internet and in the very institutions involved. There is no guarantee that these entities have full control over the technologies and vulnerabilities involved. Nor is there any guarantee that they can maintain their secrecy – in other words, the vulnerabilities could be identified and exploited by criminal hackers or even “terrorists”. Here, state practices not only become a threat for human security and rights: paradoxically, they also become a threat to the states themselves. Therefore, there is only one way forward: to strengthen the overall security of the information technological infrastructures through rights-respecting policy and technology by design.
Workshops at IGF2019
Tuesday, Nov 26
Wednesday, Nov 27
Thursday, Nov 28
Friday, Nov 29
- Egloff, F. J. (2019). Contested public attributions of cyber incidents and the role of academia. Contemporary Security Policy, 1-27.