Norms on the Net: Governing the Internet and the perils of failure

Odd as it might seem in a world of ubiquitous computing and hand held email devices, the first ever web browsing software made its debut in 1991. Not until the mid 1990s did the Internet begin to make any commercial impact, and only since 2000 has it become a mainstream social and political medium. Human society is still in the first stages of adapting to the Internet and discovering new beneficial uses. Yet already, risks are beginning to mount. Over the next few years, humanity will have to consider how it will govern and protect the Internet as a new global commons. Otherwise, it is possible that ‘iWar’, a form of conflict waged over the Internet, will upset the beneficial development of the Internet across the globe.

The threat of cyberwar and catastrophic hacking have been much hyped for decades – most recently in the action film Die Hard 4. Yet as events in Estonia throughout April and May 2007 demonstrated, a cruder, less cinematic mundane threat has begun to gather online. iWar, using relatively unsophisticated attacks to disrupt services delivered over the Internet, enables almost anybody to inflict damage from any point on the globe at a target anywhere on the globe at virtually no cost. Estonia, where 96% of banking transactions are conducted online and where citizens can cast electoral votes online, was laid low by an iWar campaign of “distributed denial of service” (DDOS) attacks. The attacks hit the websites of the president, parliament, ministries, political parties, and major news outlets. Estonia’s two dominant banks, also struck down in the attacks, were unable to interact with customers.

The denial of service (DOS) attack has existed in various forms since at least as early as the “Morris Worm” in 1988. DOS attacks attempt to overwhelm a computer or networking system by bombarding it with many specious information requests. If successful, the attack renders the targeted system unable to respond to legitimate requests, which could include providing access to a particular website. A DDOS attack operates on the same principle, but multiplies its impact by directing a “botnet” of networked computers that have been remotely hijacked to bombard the target system with many requests at the same time.

This iWar form of conflict is different to what militaries refer to as “cyberwar”. The attacks on Estonia targeted the consumer rather than military or critical infrastructures such as water, power or air traffic control systems. Moreover, the attacks were undertaken by individual “hacktivists” united by their shared umbrage at a specific political event. iWar can be waged by nations, corporations, communities, or by any reasonably tech-savvy individual. Indeed, a botnet capable of disrupting a website of national importance can be operated by a single person. In the Estonian attacks, “dummies’ guides” to DDOS attacks were distributed through Internet forums enabled anyone with an internet connection to participate in the iWar. More alarmingly still, the dearth of arrests or formal accusations by the Estonian Government illustrate that iWar can be waged anonymously and is difficult to punish. This is a fundamental shift in the balance of offensive capability, empowering individuals with the power to threaten the activities of governments and large corporations. Hence the “i” in iWar. Perhaps not since the introduction of the first simple musket weapons, which removed the need to train longbow troops for decades, has the franchise of offensive been extended so broadly.

Yet as a corollary, almost anybody can be harmed as a result of iWar attack. For example, this could include migratory workers who use online services to remit money to their families in poverty stricken regions. It could also include transnational corporations that migrate their daily operations to virtualised internet services reliant on data centres.

What makes iWar particularly worrying is that it has the potential to conflagrate. The trend of increasing vulnerability, coupled with the convenience and deniability of attacks, is likely to result in a outbreak of iWars between individuals, communities, corporations, nations and alliances.

Unilateral initiatives will not be effective against iWar because iWar, like maritime piracy before it, is a global phenomenon. This should not be seen as a technical problem for IT security experts alone, but as a broad challenge of the commons. The crucial question is not how a particular type of DDOS attack can be averted on a particular network, but how humanity will choose to govern the Internet. Successive technological developments, from animal husbandry, which enabled the use of common grazing lands, to maritime navigation, which opened new trade and communications routes on the high seas, have forced human society to consider how it governs shared common resources. The Internet, like the high seas before it, transcends national boundaries and comes under the jurisdiction of no particular state.

While the idea of an internet first occurred to an MIT researcher in 1962, it is important to remember just how recently this new commons has been in existence. Few Internet users were connected before 1995. Humanity needs to consider how it will deal with the new commons and weigh the prospect of a failure. The UN Internet Governance Forum, first convened in late 2006, may be a useful step in this direction. However, thus far the issue of Internet governance has not received the attention worthy of an urgent global crisis. Few heads of government have publicly spoken on the issue. Unless a consensus toward Internet governance is placed at the highest level on the international agenda, the prospect of an anarchic, unworkable Internet is very real.

Much hangs in the balance in the coming months and years. Having proven its potency, governments will be tempted to use iWar as a new form of “gun boat diplomacy” on the Internet to apply pressure on weaker actors. Indeed, it is reasonable to expect that iWar might, mistakenly, be considered a legitimate tool in the arsenal of nation states. Yet the ease and deniability of waging iWar also enables weaker non-state actors to threaten powerful nation states with little fear of reprisal. By enabling all actors across the spectrum to attack each other, iWar could create anarchy on the Internet, ruining the global engine of prosperity and innovation.

To avert anarchy and allow all to benefit from the Internet, common access must be protected. Two examples of approaches to global commons should provide faint solace, salted with caution. The example of the Law of the Sea might illuminate the path ahead for policymakers. Here is an example of an international body of law, established on the foundations of informal customary laws, which evolved to protect universal access to the high seas. Yet our painful progress on climate change should give pause for thought. If governments are only now reaching a fragile consensus on this, the most visible challenge of the commons, the development of robust new international norms of behaviour on the Internet could be decades away. Humanity faces the risk of ruining the Internet even before it becomes a mature technology, before its benefit as a global commons can be fully realised.