« Power to the People | Main | Personal Responsibility »

April 16, 2008

It’s the Network, Stupid

There is a natural tendency for people, when looking for security solutions, to appeal to some higher authority. In many cultures, we’re accustomed to abdicating the bulk of the responsibility for our collective security to a number of organizations, such as the government, the military (often one in the same), local police forces, our parents, even corporate policy.

Considering how fundamental security is to the well-being of our selves and our loved ones, it’s surprising how willing we are to give up control of it. Perhaps that’s why in our latest deep dive in Berlin, a new concept of security began to emerge, one that builds on some ideas that first bubbled up in Moscow.

In Russia, we called it a more “distributed” approach to security, one in which individuals, with proper incentive, take on an increasing share of responsibility. In Berlin, we called it “sustainable” security. Regardless of what you call it, it’s an idea that has legs. William Heath is the founder of an IT consultancy called Kable, and the brain behind the Ideal Government blog. He participated in our Berlin dive, and described sustainable security, as opposed to what he calls top-down “control-oriented” approaches, thusly:

The idea behind this is quite simple but very powerful. It is the concept of leveraging the power of a network. Just like with information technology, networks are pools of resources that, when connected, are much greater than the sum of their parts. Many people in the security game complain of the “multiplier effect,” the notion that bad guys take advantage of networks to cause damage disproportionate to their resources; viruses that are passed from computer to computer, terrorist cells that splinter and grow.

But a few people in the Berlin dive asked why the good guys have been so slow to leverage the same network effect. Why are we complaining about a lack of security resources when there are countless more good guys in the world than bad guys? Activate all those good guys on security’s behalf and, voila, resource problem solved.

“To fight a network, you need a network,” said Katharina von Knop, an adjunct professor of Terrorism and Security Studies at the George C. Marshall European Center for Security Studies

It is true that as the many complex networks that make up our modern world continue to grow – think about commercial networks, technology networks, social networks – there will be more opportunity to exploit and attack them. One participant urged us to think about the deluge of new IP addresses that will be added to the Internet over the coming years, everything from your automobile tires to your refrigerator, and how each of those is open to attack.

But by the same token, those new nodes on the network have an ability to report back useful information on possible attacks, sensing threats earlier and taking steps to combat those threats. For example, one participant noted the immense security potential that wireless networks and devices afford us: localized, personalized security alerts; or using picture phones and text messaging as virtual sensors, picking up and reporting back data on potential threats to law enforcement.

Of course, all of this requires a certain level of autonomy at the edges of the network, be that a human being or a refrigerator. Personal responsibility, and collective responsibility, are concepts that will need to gain ground if this “sustainable” security is to work. You could argue, cynically, that humans are already the weakest link of the security chain (one participant said that the greatest point of vulnerability in Internet security lies between the seat and the keyboard.) But humans are also the key to security’s greatest potential. Technology and machines that provide security are amoral, and inherently open to both good and evil intent. But human beings, presumably, know the difference between right and wrong.

There is already some sharing of distributed and centralized security in most areas of life. Individuals buy and maintain anti-virus software (or at least some of us do), but also expect a certain level of security from our Internet service providers. Families lock their doors and install alarms in their homes, but also depend on local police forces and government to provide generally safe living conditions.

But the ratio of distributed vs. centralized security may have to change to really make a dent in this issue. And considering how security is a shared concern at all levels (personal, corporate, national, global), and our interests are pretty well aligned (we all want to live in secure environments safe from threats), my guess is that with some well-placed incentives, a lot of ground could be made up. For example, one participant suggested some kind of Cyber-Driver’s License, which would require netizens to pass a basic test before they could surf the web. Just like with real driver’s licenses, if you are reckless on the Web and put yourself and others in harm’s way, there are consequences (maybe your ISP charges more, or you get your license revoked.)

Whatever the incentives, the safer each of us is individually, the more secure the network is as a whole. That goes for thwarting Internet threats, detecting terrorist activity, or catching a petty thief. It’s the neighborhood watch approach, applied globally.

April 16, 2008 in Security and Society | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference It’s the Network, Stupid:


Great; we've got this conversation cooking now. I was worried we'd ducked the "sustainable security" angle but delightd to see this. And check out the comment thread at

Posted by: Wiliam | Apr 20, 2008 3:49:29 PM

> bad guys take advantage of networks to cause damage disproportionate to their resources

> To fight a network, you need a network, says Katharina.

I think we're starting to move here from the mindset of the prebrief. But why fight a network we're part of? Surely the point is we're all part of the SAME network. We share the same ecosystem, Internet, global mnestrone of human cultures. Drug dealers put family pics on flickr. Islamic fundamentalists want to go to the US and be dentists. The fictional Borat wants to marry Pamela Anderson.

Yes, we're deeply uncomfortable with some behaviours which damage the network and damage us. But at the same time we're irretrievably linked to each other in a wholly interconnected world.

I think it's a helpful and difficult exercise to discuss the evidence and possible courses of action without the language of violence. Let's try it!

Posted by: William | Apr 21, 2008 1:52:48 AM

Well said, William. I agree that the language of conflict is a default for most when speaking of security. As you said, it's the "us vs. them" mentality. But I must admit that I'm struggling to embrace the alternative, would that I knew what it was. How do you mitigate or eliminate damaging, hurtful, or dangerous behavior, be it in the physical or digital world, without approaching it as "bad" behavior that needs to be corrected? I like the way you're approaching the topic, I just need to be shown the vision that you have for it.

Posted by: Dan Briody | Apr 21, 2008 6:19:44 AM

Dan - I'm not an expert on this. I have no direct experience in this sort of conflict resolution and I struggle with the ideas also.

I think the problem is when all the focus is on what one does in the "impossible" situation, far too late in the day when there is no "correct" or "good" course of action left - or no effective non-violent course of action. (We can all think of the hypothetical examples. They usually involve bombs, violence to female close family members or Nazism in 1939.)

The alternate question to focus on is: what is it that we're doing NOW that adds to the latent tensions which lead to violence. Where are we conniving in or reinforcing inequality and injustice? That's where we're sowing the seeds for future conflict.

This is highly pertinent for a firm like IBM to reflect upon. Do your systems designers, and do the CIOs implementing IBM systems understand human rights? My experience is that a minority do. We dont need to think about it long to see that every single one of them needs to.

How can we look forward to a peaceful future unless we deliberately and consciously design respect and justice into these systems - especially in public services?

This applies especially to: welfare systems, border controls, ID management, customer relations managagement....any system which gives people access to services to which they're legally entitled, or which is essential for human dignity.

It's fair enough to take pride in the speed of technological progress. But his change is generally happening too fast for us to build in the values we need as we go along.

Let's ask Oxford Research Group to help us elaborate.

Posted by: William | Apr 22, 2008 2:36:10 PM

The comments to this entry are closed.