Securitizing the Internet [Kozlovski]

A very passionate Nimrod Kozlovski came to us today to speak of the Internet and security.  An OII-SDP alumni from 2003, his abstract states the session will:

explore the regulatory and technological framework of the new security model and will offer critical analysis of its effect on the distribution of power in the information environment.

And that it did.

Nimrod began by explaining that the Internet was a security network in the beginning - not meant for the general public, rather the military network - therefore as a system that is TCP/IP-based, the security foundations are not adjustable to the e-commerce and mass-communication of civilian usage.  In fact, the Internet (as originally designed and used today) has no security solution for:

1. Integrity of messages/information
2. Confidentiality (quite the opposite – the Internet was built to ensure information was as accessible as possible – contained in many nodes – see point 3.)
3. Availability (information availability vs. node/server availability

So, how can we securitise the Internet when it is not already built into it? Nimrod tells us how with three strategies for increasing security: technology; social/bsuiness changes; or legal changes.

In the first instance we can change in underlying technological make-up of the Internet, though Nimrod doesn’t see this as a viable option.  Instead, he suggests we build more layers into the technology in order to accommodate security threats, though still would, and I quote, 'gain so-so security’.

Secondly, we can look at social or business changes.  That is, changes in the social practices in Internet consumption (e.g. more trust; exclusion before inclusion; more ‘zone-gate’ communities; usage based on certainty of who you’re interacting with.)

Lastly, we look to three stages of Cybercrime Law for a possible legal framwork to securitise the Internet.  With Cybercrime 1.0, we saw  changing definitions of criminal legislation, e.g. including the stealing of information to cover things that happen in the virtual world.  With Cybercrime 2.0, the law realized that we have procedural and evidentiary issues that are problematic in enforcing cybercrimes: jurisdiction issues due to the global reach of the Internet, i.e. what if something happens online? Which country does it get tried at? What about cross-jurisdiction evidence collection e.g. territories, boundaries?  How do we treat virtual documents in physical prosecution?  Also, anonymous surfing and identities allows detachment from the cyber-crime, thus Nimrod told us the 'true cybercriminals' never see court.  Lastly, Cybercrime 3.0 is the current battlefield that is negotiating security theory and policy choices for a communication medium such as the Internet.