Cyber reliability and confidentiality: lessons from the 19th century?
By Sam Klein and Greg Gardner
In light of the significant hack of the Office of Personnel Management (OPM) and the recent revelations by the Washington Post about the insecurity of the internet, it is now time to revisit a proven method for ensuring the viability and privacy of international communications: establishing a truly international, multi-stakeholder organization that places an emphasis on reliability and privacy, oversees policy and standards, and facilitates/coordinates the actual transmission of communications. Globalized, multistakeholder organizations effectively govern other types of communication networks; the same approach would work just as well with the Internet.
In 1875, European governments agreed to ensure confidentiality of telegraph messages under Article 2 of the International Telegraph Convention (ITC). In 1878, the Universal Postal Union (UPU) unified the world’s commercial and private mail networks and promoted robust principles of reliability and confidentiality. And in 1906, European governments extended similar protections to radio communications with the International Radiotelegraph Convention. Of course, there are exceptions, but today, almost 200 countries abide by these conventions.
Unfortunately, as the Washington Post articles demonstrate, this historic respect for assured communications, confidentiality, and privacy does not exist for users of the Internet.
An emphasis on reliability and privacy by international, multi-stakeholder organizations pushed states to respect the structure and contents of mail, telegraph, and radio networks. However, such motivations do not currently exist in the same way for users of computer networks. The Internet emphasizes speed and ease of use to govern messages transiting cyberspace. Once countries open their borders to Internet traffic, the Border Gateway Protocol (BGP) automatically routes information packets, regardless of whether the information will remain private while en route.
Under this design, speed and convenience trump security, tossing reliability and privacy concerns out the window. Unlike users of mail, telegraph, or radio networks regulated by the UPU and its sister organizations, those who send information via the Internet cannot choose between ease of use and privacy due to the automatic routing of messages. The paradox of the InfoSec Triad acknowledges this trade-off between ease of use and security – a trade-off that causes friction between users and those responsible for maintaining security and protecting privacy.
Consider the case of Egypt (a member of the UPU since 1875) near the end of the Mubarak regime. On January 27, 2011, in large measure because it could not control the flow of Internet communications, the Egyptian government severed the country’s connections to the Internet, shutting it down. Over 93 percent of Internet connections were severed; only government institutions remained online. With the Egyptian economy losing tens of millions of dollars per day and in the face of increasing domestic unrest and international condemnation, the shutdown did not last long; by 1 February 2011, Internet Service Providers (ISPs) were reestablishing all of their services. This event demonstrates, however, how easy it is for a government uncertain about unregulated Internet traffic to operate independently and assert control over digital information flows quickly and decisively despite the presence of a modern, multidimensional, and privatized information sector.
Similarly, the multifaceted approach of government regulation, censorship, monitoring, self-regulation, and protectionism in China (a UPU member since 1914) has been highly effective in restricting the access and digital privacy of China-based Internet users.
The international, multistakeholder governance models that underpin the UPU and the ITC (now known as the International Telecommunication Union) are widely accepted and have much to offer. As Shawn Roberts and Michael Jablonski point out, the origins of those organizations and the historical conditions prompting their charters offer important precedents. For example, the UPU not only standardized postal policies and costs across international borders, but more importantly it fostered norms favoring the availability and confidentiality of correspondence. These policies, standards, and norms were considered crucial to maintaining the world’s first coordinated system of global communication. We would do well to look to them again.
It is time now to establish a similar set of transparent rules governing the assurance and security of global Internet traffic. It is simply unacceptable for the majority of Internet communications to be subject to the whims of either government entities or private service providers and, because they are managed by an automated protocol, to be generally unsecure and unprotected. Security and assured performance must truly co-exist with functionality and ease of use. We need a Universal Internet Union representing the interests of countries, corporations, and private citizens alike that takes back control of the Internet and brings assured governance to the digital communications that have come to dominate our world.
And we need it now.
Samuel Klein earned his B.A. from The George Washington University where he studied international affairs, cyber-security, and Mandarin Chinese. His honors thesis investigated China’s information warfare strategy and objectives to assess the possibility of a Chinese cyber-attack targeting US critical physical infrastructure.
Greg Gardner, PhD, is a Senior Fellow with the GW Center for Cyber and Homeland Security.