
Tragedy of the Cyberspace Commons

by Jane Ginn

In the 1970s, as a student of environmental science, I read the seminal Science essay Tragedy of the Commons by Garrett Hardin (1968). Among other things, the essay used the example of a common area for grazing cattle in a small New England town to illustrate how overuse of a resource could lead to erosion. His key point was that by everyone maximizing their own interests, conditions would arise that would irreversibly destroy the “common land” resource. The tragedy is a dilemma arising from the situation in which multiple individuals, acting independently (pursuing their own self-interest), will ultimately deplete a shared limited resource, even when it is clear that it is not in anyone’s long-term interest for the resource to be depleted.

Now, in the 21st century, decades after significant progress in the methods and applications of rational resource management, a new abuse of a “commons” area is rearing its ugly head. This more recent commons is one that is entirely man-made: cyberspace. Like physical resources, cyberspace has elements that have been commoditized, elements that may be characterized as “private”, and elements that could be referred to as “common” resources. A commoditized product might be a microchip for the hardware industry. A private element would refer to personally identifiable information (PII), which is protected by several legal constructs in the E.U., the US, and elsewhere. A commons element might refer to the Internet backbone of ultra-high-speed, high-volume fiber optic cables used by the telecommunications companies to route traffic around the world.

Defining Cyberspace

The term “cyberspace” requires some definition in this context. I draw my roadmap from a detailed exposition given in Networks and States: The Global Politics of Internet Governance (Mueller, 2010). Mueller’s book presents a conceptual framework that helps to define the issue dimensions of the cyberspace policy framework (see Figure 1).


Figure 1 – The Policy Dimensions of Cyberspace

Mueller’s basic argument can be summarized along the two dimensions of the figure. He deals here with what is considered a legitimate polity for the governance of the critical resources of the Internet. He juxtaposes the ideology of the governance of Internet resources by only nation-state actors (characterized as Hierarchy), with the ideology of “loose but bounded and consciously constructed organization based mainly on the benefits of reciprocity” (characterized as Networks). This contrast is pictured on Figure 1 as the vertical axis.

On the horizontal axis he contrasts the ideology of National governance (i.e., traditional geographically-based territorial rights that accrue to cyberspace, and the control of access and content within that territory), with the ideology that has emerged as part of Transnational governance of the Internet through the Internet Corporation for Assigned Names and Numbers (ICANN) (especially the Internet Governance Forum (IGF)) and the Internet Engineering Task Force (IETF).

Within each of the quadrants of the figure Mueller expounds upon distinct constituencies each advocating their own brand of Internet governance. The reader is encouraged to explore his definitions in the original book for an in-depth discussion of the model. For our purposes here, the model is illustrative of the new policy space that gives rise to fundamental questions regarding individuals’ rights on the Internet.

But can we use the word “Internet” and cyberspace interchangeably? I think not. Cyberspace refers, not only to the Internet, but also to the entire complex of interdependent information technology networks that includes the public Internet and private intranets both fixed line and wireless. This broader definition is what is at risk in the modern era. Nonetheless, it is from Mueller’s basic framework that I hope to reflect upon the origin of the concept of “commons” within this new domain. But, before I do that, let’s explore the dimensions of the current battles that are being fought over who controls what on the Internet.

Global Governance: Three Battles

There are currently three key battles being waged over the future of Internet governance, the outcomes of which will dictate how the future unfolds for millions of individual users. The battle lines are drawn around the following issues:

  1. Intellectual property protection (IPP) versus Internet Protocol (IP) freedom;
  2. Content filtering and control versus total access to non-blocked, non-filtered content;
  3. Nation state-only governance of key standards institutions versus the current model of multistakeholder (i.e., public and private) governance.

Each combatant in these battles believes his or her position is justified on the basis of history or law or tradition. Each combatant is, however, contributing to the potential for “resource depletion” to use an analogy that stems from Hardin’s paper. I use this term resource depletion in this essay to refer to the encroachment of command and control tools by anarchists, nation-state actors, business/corporatist actors and entrepreneurs seeking to cash in on the current technical, institutional, sociological and political chaos in cyberspace.

Each of these battle grounds will be summarized below. In the final section of this essay I will cover the cyberproperty (or private vs. commons) implications of the total global debate over cyberspace.

IPP vs. IP

During the 1990s, with the growth of the Internet, the US Congress began to get pressure from interest groups whose primary objectives were to protect the copyrights, trademarks and patents of their members. In October, 1998 the Digital Millennium Copyright Act (DMCA) was passed. Three key provisions of DMCA gave the copyright advocates some relief:

  • Extensions of copyright protection for decades beyond previous limits;
  • Prohibitions on the sale of technological devices or measures for the circumvention of intellectual property rights;
  • Exemption for Internet service providers (ISPs) from strict liability for the actions of their customers.

This legal framework did little to reduce the widespread copyright and patent infringements that were occurring globally; however, it temporarily allayed the concerns of the US interest groups that supported DMCA. Since then, the major US interest groups have regrouped and are now pushing for additional legal and regulatory weapons to protect their business strategies. The key feature of this constituency is that IPP, based on proprietary access to content, forms the basis of their strategic business models[i].

This era also gave rise to IP-based peer-to-peer network sharing which aggrandized copyright infringements in the guise of open networks and net neutrality. The net neutrality movement, based on an “end-to-end” principle for networks, converged with the open source movement in the field of software engineering. Both ideologies were being promulgated both formally and informally through the Internet’s abundant resources: newsgroups, forums, chat rooms, email and web-based comment threads. Interestingly, many new business models have sprung up to take advantage of these new associative clusters that are not based on IPP but rather on some other form of revenue generation[ii].

IPP is perceived to be antithetical to the credo of the net neutrality/open source advocates. This latter polity converged around the idea of information sharing in a borderless context through the use of the widely accepted TCP/IP or Transmission Control Protocol/Internet Protocol[iii]. They have mounted various forms of protests to promote their point, most interestingly through the use of a loose-knit conglomeration of “hacktivists” that call themselves “Anonymous” as a way to symbolize their merged leaderless collective.

Their access to and use of the Internet-based command and control servers for various botnets have allowed them to launch distributed denial of service (DDoS) attacks against “targets” that they perceive to be fighting[iv]. On March 1st one of their proponents posted a Declaration of the Independence of CyberSpace at the AnonNew site. A provocatively worded proclamation, it characterizes the collective as a group that is creating a “civilization of the Mind” where “egalitarianism reigns true.”

Both the IPP and the IP combatants are adding to the current surge of activity within the US legislative context. Recent US Congressional battles surrounding the Stop Online Piracy Act (H.R.3261) and the Protect Intellectual Property Act (S.968) and the overwhelming response by the amorphous Internet community against these bills attest to the broad interest in the outcome of this battle. It is my observation that much of the activity, on both sides of the field, leads to economic and social predation. The only losers in this battle will be everyone that uses the Internet.

 

Content Filtering vs. Total Access

The current version of the Internet had its origins in technological innovations that originated in the US and Europe. As such, the philosophical imprint was based on the notion of network neutrality, an idea consistent with the sociological liberalism of these developed societies. But ongoing efforts by nation-states to filter content for religious, political or sociological reasons attest to the lack of agreement around the issue of appropriateness of some content for general consumption. With the rapid diffusion of the technologies of the Internet, including sophisticated consumer electronics that have made access more affordable, a form of market policy has been the norm. I use this term “market policy” as defined by Peter Cowhey and Jonathan Aronson in their recent book Transforming Global Information and Communication Markets (2009). They argue that the convergence of traditional broadcast media with the deregulated telecommunications market and rapidly evolving information services community has led to a highly competitive, globally-liberalized framework that includes both market and non-market actors.

The multistakeholder governance model of ICANN, the IETF and the World Wide Web Consortium (W3C) has allowed powerful corporate entities to sit at the table with nation-state representatives as policy and standards are hashed out. This new model of governance was the subject of a series of high-level United Nations (UN) meetings that took place between 2002 and 2005 known as the World Summit on the Information Society (WSIS). At these meetings more authoritarian states (e.g., Russia and China) were pushing for hierarchical control (read: government-only) of the Internet governance structure, in part to ensure that they could maintain strict control over content piped through their fiber[v].

ICANN’s pivotal role in the maintenance of the Domain Name System (DNS) root and address system allows it to wield significant global power in the administration of the Internet. ICANN’s unilateral control has given rise to pushback from China. China exerts significant control over content on the Internet by requiring that all ISPs be licensed and that Internet traffic is routed through at least 1 of 4 government organizations that monitor content. Self-censorship is actively encouraged through the use of high-profile arrests and public humiliation[vi]. The human rights practices within China came to a head during the WSIS when a non-governmental organization (NGO) that focused on human rights abuses in China was not granted accreditation, due, it was believed, to political pressure from China. Content filtering is so extensive in China that it is characterized by many writers as the Great Firewall of China (Mueller, 2012).

As it stands now, the existing governance structure, characterized by the multistakeholder model, has only tentatively avoided widespread use of content filtering as a matter of public policy. The filtering which does occur is applied on a nation-state by nation-state basis, based on the governance objectives of each country. For example, China systematically blocks references to separatist movements such as the Free Tibet or Independent Taiwan separatist movements.

As other examples, the US, in accordance with the Children’s Online Protection Act (47 USC §254), conducts ‘sting’ operations to arrest and prosecute child pornographers. And, since 2006, the US also prohibits online gambling in accordance with the Unlawful Internet Gambling Enforcement Act.

Increasingly, ISPs operating within a country’s jurisdiction are being asked to use techniques such as deep packet inspection to filter content and identify cyber criminal and terrorist activities[vii]. Political pressures are mounting to institute more aggressive content filtering due to the use of the Internet for both criminal and terrorist activities.

This movement towards content filtering, although laudable for subjects like child pornography, is still troubling in light of the electronic freedom frontier. Those that argue for total access are becoming increasingly sophisticated in mobilizing netizens to support their cause, while those that feel justified in implementing filtering on moral or ethical grounds are working to support stricter legislation for enforcement of filtering regimes.

 

Nation-State vs. Multistakeholder

I have already discussed how nation-state actors in the Internet governance arena are seeking to further assert their authority over ICANN and the IANA contract. The cyber nationalism of China is the clearest example of a nation-state that seeks to wrest control of governance from ICANN and transfer it to the ITU. China pressed for greater ITU control during the WSIS negotiations, but failed. By 2009 it acquiesced to the creation of the Internet Governance Forum (IGF) as a surrogate for ITU control, even though IGF is also a multistakeholder body. However, by 2010, with the support of the BRICs[viii], China had succeeded in bringing the IGF more under the control of the UN, thereby challenging the unilateralism of the US through direct control of ICANN (Mueller, 2012). Also importantly, it created a new technical root based on the Chinese character set as a challenge to the ICANN-defined DNS root.

Further conflicts emerged in November of 2010 when China Telecom advertised erroneous network traffic routes as part of the Border Gateway Protocol (BGP), thereby rerouting massive volumes of global Internet traffic through Chinese servers. This was characterized as a ‘hijacking’ by the US-China Economic and Security Review Commission (ibid, pg. 187). Unfortunately for the US, China, and the rest of the world, relations have deteriorated at the Internet diplomatic level and cyber espionage is moving to the forefront[ix].

The ongoing debates in the US Congress on the Cybersecurity Act of 2012 (S.2105) and Secure IT Act (S.2151) elevate the importance of this issue in the geopolitical context. Both of these bills seek to provide additional enforcement and implementation authority for the protection of the US infrastructure, although they would provide that authority to different agencies[x]. Much of the cyberwar rhetoric that is animating the dialogue about US domestic policy targets China and Iran due to recent evidence from what have been presumed to be government-sponsored attacks. However, as long as the IP addressing regime is able to function through anonymity and through proxies, the spoofing of IP addresses will continue. There are some in the technical community that would regulate away this right to anonymity in the interest of national security.

With this evolution in US domestic policy, the international implications of saber rattling within the Internet governance debate will likely shift away from the unilateral regime towards a more hierarchical/authoritarian regime, as pictured in Figure 1. How this debate unfolds will have profound consequences for the modern world and the future of the Internet.

Cyber Property Rights

In Garrett Hardin’s original essay he dealt not only with overgrazing of the commons area as a way to “take something out” of the environment, but also with pollution as a way to “put something in”[to] the environment. My perception of the problems outlined here today is that multiple individual actors, each operating from the basis of their own ideological framework, feel that they have the right to put something into the Internet. It might be malware, it might be control of content, or it might be an offering for a cut-rate version of a pirated DVD. The notion of stewardship, so important in the environmental movement, has not emerged with respect to cyberspace.

At this point the actors include a wide range of participants. On the one hand there are hacktivists, black hat hackers, code kiddies, common thieves and criminals from organized crime syndicates seeking limited governance, total access without content filtering, and freedom to share on peer-to-peer networks. These actors are accompanied in this agenda by individuals who are concerned about the potential for abuse by governments of individual rights and civil liberties and by those who believe that, for philosophical reasons, the sharing of source material among and between parties enhances the whole (i.e., the open source movement and access to knowledge [A2K] movement).

On the other side of the battlefield are those that are seeking more control over the present anarchistic environment through increased regulation, monitoring, and legal enforcement of intellectual property infringements. Both sides of this battle are making incursions into the commons of cyberspace. But as I have made clear above, this is not a battle taking place in a single domestic nation-state. The battlefield is global. The stakes are high. The outcome is not assured for any set of cyberactors.

When Garrett Hardin ended his original essay he focused on the importance of population control as a way to decrease pressure on the commons of natural resources. Is that one radical solution that some nation-states will try? Limited access to the Internet resource? Or is Balkanization of the Internet through the imposition of different naming and numbering of the root in our future?

The alternative is to recognize the fragile nature of the freedoms of the Internet and the uncertainty of the future for all who use it as a resource. Perhaps what we need is non-anonymous engagement. What do you think?

 

 


[i] The entertainment industry, represented by the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) and the pharmaceutical industry represented by Pharma.org among others.

[ii] Peter Cowhey and Jonathan Aronson cover some of these alternative models in their discussion of modularity in Transforming Global Information and Communication Markets: The Political Economy of Innovation (2009) MIT Press.

[iii] The current IPv4, when combined with the Transmission Control Protocol (TCP), is often specified as: TCP/IPv4. A revised version of the IP standard, version 6, is being integrated into the network for expanding the size of the domain name space and to enhance security.

[iv] The website of the US Chamber of Commerce was subjected to a DDoS attack in the build-up to the Stop Online Piracy Act (SOPA) in the House of Representatives and the Protect Intellectual Property Act (PIPA) in the Senate.

[v] Ongoing administration of WSIS’s consultation process is administered by the International Telecommunications Union (ITU), the UN agency for ICT. Mueller gives a detailed account of the history and politics of this series of meetings, and the institutional outcome (2010). For our purposes, I will note that the ongoing contractual arrangement between the US Department of Commerce and ICANN, particularly with respect to the Internet Assigned Numbers Authority (IANA), is a point of contention between several UN members, notably, China and Russia.

[vi] In 2008 Wang Xiaoning a teacher in the Sichuan province who had taken pictures of collapsed schools after the 5.12 earthquake on May 12, 2008.

[vii] https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation

[viii] Brazil, Russia, and India.

[ix] http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[x] S.2105 would assign the authority to the Department of Homeland Security, while S.2151 would assign that authority to the Department of Defense.

 

Bibliography

 

Cowhey, P., & Aronson, J. (2009). Transforming global information and communication markets: The political economy of innovation. Cambridge, MA: MIT Press.

Hardin, G. (1968). The tragedy of the commons. Science, 162, pp. 1243-1248.

Mueller, M. (2012). China and Global Internet Governance. In R. P. Deibert, Access contested: Security, identity, and resistance in Asian cyberspace. (pp. 177-194). Cambridge, MA: MIT Press.

Mueller, M. (2010). Networks and states: The global politics of Internet governance. Cambridge, MA: MIT Press.