The Difficulties of Defining and Discussing Security: A Perspective from the IGF 2009

The 4th annual Internet Governance Forum is ended today in Sharm el Sheikh Egypt. Over 1500 delegates from around the world representing various industry sectors, governments, NGOs, and civil society are gathered to discuss important issues that affect the Internet. This might seem broad and irrelevant to a technology company like Intel, but if you think about the breadth of Intel’s technology around the world, you soon realize that our technology enables the functioning of the Internet globally and thus these global conversations are of relevance to our policies and technologies.

The IGF has five main tracks, one of which is entitled Security, Privacy and Openness. In addition to a main session on this topic, a wealth of other discussions, in the form of Workshops, Open Forums and Best Practices Forums, occur throughout the four day meeting of the IGF. That has indeed been the case at this IGF however despite the fact that “security” is in the title of most of many of these sessions, the discussions tend to actually center around privacy and the protection of data. It seems as though we are confused, or at least struggling to understand what security means and what – in the context of this global forum – can be discussed. Are we talking about crime? Data protection? Laws? Policies? Technology?

I tend to think that most people understand intuitively what the word “privacy” means to them as individuals or their society as a whole. When applied to the online environment, I suspect most computer users understand that information about them – information they might consider private – may be exposed to a variety of actors, some malicious, some not. Some people care, some don’t, or at least don’t seem to. For those that care, we spend a lot of time discussing how to address that problem – who is responsible and what legal mechanisms are needed to protect that data.

So, what does this have to do with security? It seems to me that cybersecurity can best be described as processes, technologies and people that protect the online environment from the threats to that very environment (our data or technology assets). The difference with privacy is that privacy issues come into play when data has failed to be secured (here we’re back to security) – regardless of where it is held. And, security is about more than just cybercrime. Sure, a lot of the activities might end up being illegal in various jurisdictions but not in others. Nonetheless, not all security issues are criminal issues. Much of security is about prevention which is about solving the problem before it becomes a problem – this requires foresight and creative thinking about the future.

Given all this, it seems that because “security, or cybersecurity” as a problem is so broad and processes, technology and people as solutions are equally or more broad, we struggle to bound and define security – and therefore have productive conversations – about security. This conversation is further muddied by terms like cyberterrorism and cyberwar which are wholly undefined and are largely the responsibility of governments.

One approach for the future would be to define a few problem sets and then take some very specific case studies of solutions or approaches for addressing that issue. For example, often the solution to a vulnerability in one technology product affects another – or series of other – products. How do we address this so as not to make those affected more vulnerable? One solution is the Industry Consortium for Advanced Security on the Internet (ICASI) which works on multi vendor responses to product security issues. Another problem set could be how to determine interdependencies between infrastructures like energy and transport that rely on ICTs for their functioning.

Whatever is determined for next year’s IGF in Lithuania, I hope we can break down the topic of security into consumable parts that all participants can discuss and address. And I hope this can be related to the issues of privacy but not consumed by privacy as security implies more than just privacy. This is an important topic that is about much more than where data is stored and who has access to it (that would be privacy); it is about policies and technologies that help ensure we don’t get to the point that data or assets are compromised or that when they are, effective response and recovery are possible.

Comments are closed.