Cybersecurity Governance

My latest article, “Cybersecurity Governance: A Prehistory and its Implications,” is now out in Digital Policy, Regulation and Governance. Message me for a preprint if you don’t have access. Here is the introduction:

This paper provides an analysis of early internet history, so as to better understand the challenges faced in contemporary cybersecurity governance and its relationship to internet governance. Its focus is on the design and management of the Arpanet, as well as the early phase of the internet’s development, when the internet was centered on its Arpanet backbone (c. 1979-1985). It argues that, during the 1970s, the US Department of Defense separated major elements of the design and management of networks from the design and management of network security. This separation of network from network security was a consequence of the Department of Defense’s need to build and secure military networks: not only did the networks require the security necessary to carry classified traffic, but many of the technologies they used to provide this security were also classified. It impacted the design and management of the internet in part because, through the mid-1980s, the infrastructure and management of the civilian internet was a component of a larger military internet, the Defense Data Network.

The split of networks from network security was extremely influential on the development of the civilian internet. There are two major consequences of this split. The first impact can be traced to the research and development strategy used by the Information Processing Techniques Office (IPTO) of the Advanced Research Projects Agency (ARPA; now DARPA). IPTO was the computing office within DARPA, the US defense agency tasked with creating revolutionary technological advances for the military. This strategy involved testing prospective computing technologies for the Department of Defense in the unclassified, civilian world. If the technologies proved successful, they could be transferred to the military or intelligence community for (usually classified) use. In the case of computer networking, this meant unclassified networking testbeds such as Arpanet, the general-purpose computer network funded by DARPA that went online as an experiment in 1969. Through its funding of the Arpanet, DARPA created a civilian networking community in the USA that designed, built and managed unsecure networks. To put these networking technologies to use for the military, DARPA funded research and development projects to add security technologies in a modular fashion, modifying the existing networks for military use. Thus, the modular structure of the security technologies that developed in this arrangement mirrored the modular structure of the classified and unclassified research worlds. The absence of network security on the early internet was not an oversight (Timberg, 2015), but a byproduct of its institutional and political context. By the mid-1980s, the protocols that structured the internet architecture were unsecure by design. The internet technology, management and governance organizations of the early to mid-1980s had little experience developing security technologies and even less in governing their use. Computers attached to the internet could contain their own security software, but the networking protocols themselves did not provide the security technologies that we increasingly take for granted today. For example, while a mainframe or personal computer might be protected against unauthorized entry, the design of the internet did not provide for encrypted traffic, secure routing or a secure namespace.

The second consequence lies in the historical origins, and present moment, of internet governance. By the mid-1980s, the lack of network security, noted above, was accompanied by emerging (civilian) internet governance practices that evolved around managing networking – and not security – technologies. This history is significant because the technologies and management structures of the Arpanet and early civilian internet ultimately became the global internet, as the internet absorbed competing systems and as others fell to the wayside.

This paper addresses only a limited portion of the breadth of technologies and organizations that fall under the label of cybersecurity. Today, cybersecurity is a broad topic that extends beyond what might come to be managed by internet governance organizations like the Internet Corporation for Assigned Names and Numbers (ICANN). The early history of security addressed in this paper is that of network security, which refers to security technologies deployed as part of network architecture. (Today, technologies like BGPsec and DNSSEC fall under this category; the firewall on a personal computer would not.) This paper is an effort to understand the technologies of network security and the path dependency that they created for the portions of cybersecurity that deal with technologies integral to networks. This focus is necessarily limited, as there were fewer security technologies in existence decades ago, and not all of the security technologies in existence were deployed on networks or in network-facing machines.

A similar caveat is necessary for the distinction between the history of computer networking and the historical trajectory of the internet. The history of computer networks is far broader than the history of the internet, and includes many more networks and technologies than identified here. Some of these networks and technologies – such as those identified below – were influential in the design of the internet. However, the present-day technologies and governance model of the global internet emerged, in large part, in a subsection of the history of computer networking. To only address the history of the internet is not to say that the larger, global history of networking is any less important. Rather, this paper’s focus on the history of the internet is more limited, meant only to better understand specific characteristics of the technologies and governance models with which we live today. Finally, the analysis that follows is agnostic regarding the quality, utility or any other evaluative criteria that may be applied to the organizations and technologies of networks and network security. In computer science communities, discussion of the history or politics of a technology can be laudatory or critical; this work is neither.

This paper proceeds as follows. In the section that follows, I will provide a brief overview of literature on networks, cybersecurity and internet governance. Next, I will analyze the history of the Arpanet’s research and management ecosystem, discussing the initial separation between networks and network security, as outlined above. Following this, I will explain the emergence of the civilian internet as a component of the military internet, the Defense Data Network, and its consequences for security technologies and internet management. Finally, I will conclude with questions and observations regarding the future of cybersecurity governance.