The Internet has acquired the status of an indispensable infrastructure for a tremendous range of communication and transactions around the globe.
The applications are interwoven in daily activities to such an extent that modern societies would be hamstrung without their ICT systems and the Internet up and running.
With ever more social activities based on the Internet, the stakes are increasing for potential losses of Internet functionalities, as they would result in a substantial reduction of productivity, and harm our ability to communicate and share information efficiently. The vulnerabilities of networked computers are exposed in manifold Internet security problems such as spam, viruses, phishing, identity theft, botnets, civilian and state-sponsored denial of service attacks, and unauthorised intrusion into private networks.
The scale of these problems is the subject of widespread discussion and debate. The very same security problems are at the core of five distinct, but interlinked discourses on cybercrime, cyberterror, cyberespionage, cyberwarfare, and critical infrastructure protection. While estimates about potential risks and real damages vary widely, it is safe to say that damages caused by cybercrime alone amount to billions of US Dollars or Euros and thus provide strong incentives for mitigating activities (van Eeten & Bauer, 2008a; Anderson et al., 2012).
Given the scale of the problem and its distributed, border-crossing nature, the question arises as to which governance and security production approaches are best suited to deal with these Internet security problems. The Internet offers new opportunities for ‘creative destruction,’ thus endangering venerable entrenched interests and institutions. The transformational force of ICT and the Internet has substantially diminished the role of some traditional intermediaries, altered entire economic sectors, and given birth to entirely new businesses, new economic players and thereby new political actors. Advertisement; distribution of informational goods such as software, music, and film; retail in general; libraries; storage and retrieval of written text, maps, images, or whatever kind of information; travel agencies; dating; journalism; public relations; interhuman communication; payment and banking — the list could well be extended by dozens of additional examples.
The Internet has also left its mark in the political domain, altering political revolutionising, mass upheavals, intelligence, political campaigning, and the martial domain of “politics by other means” (Clausewitz). And yet, the impact and possibilities of the potentially transformative organisational changes on polity and politics are far from clear. Enter peer production, the term that describes the particular features of a form of production that has been showcased in the creation of open source software like Linux or in collaborative content production projects like Wikipedia. Despite massive onslaughts by entrenched interests, defamatory attacks, and attempts to undermine the legal basis of open source projects, open source production still provides substantial products and services. Recently though, the ideas of openness and free information exchange have come under pressure on various fronts.
The hyperbolical idea of a ‘Twitter revolution’ has waned with the reactionary counters to the Arab Spring. Microsoft’s desktop monopoly is on the verge of being succeeded by the new personal computing duopoly of Apple’s even more closed and integrated products and Google’s pseudo-open Android. These developments might ring in a roll-back, reducing open production to an interim phenomenon, or they could be mere temporary setbacks.
The underlying questions which have driven this research project encompass the general limits of peer production and its applicability to domains other than software or encyclopaedia production. Security production, which usually comes with more or less secrecy, appears to be the most unlikely case to apply the pure form of peer production with all the openness it entails. Open collaboration contradicts secrecy, but the production of Internet security requires distributed collaboration. This thesis looks into the interplay of secrecy, openness, Internet security, and peer production.
The nature of Internet security is such that it requires governance and operational mechanisms that cross organisational and jurisdictional lines. Attacking machines, resources, and personnel are geographically distributed, exploiting vulnerabilities of resources belonging to different organisations in different countries with different laws.
These characteristics of Internet security problems raise the question about the best ways to organise the production of Internet security. The governance of security does not only have a substantial effect on whether security is effectively and sufficiently taken care of. Given their often-clandestine modes of operating, traditional security institutions come with a price tag for democratic principles such as transparency and accountability. The governance of security can therefore have a significant impact on shared societal values.
Modes of security governance can differ in a variety of ways, spanning from the degree of state involvement in policy formulation, policy implementation or security operations, the role of coercion, distribution of authority, internal hierarchies, to the role of private actors in the security architecture, the fora, techniques and depth of sharing information, and from the kind of threats to Internet security addressed to the kind of objects of Internet security dealt with by the governance form. The political response to Internet-based threats, risks, and vulnerabilities has been a mixture of increasing public awareness, fostering private self-regulation or public-private cooperation. Other responses included creating Internet security groups within traditional state-based security organisations, supporting international incident-response exercises, setting up secretive monitoring programmes, and increasing military cyber-units. Consequently, the current organisational landscape of Internet security governance is characterised by a variety of governance forms.
They range from international conventions (Council of Europe), initiatives launched by international organisations (ITU), regional directives (EU), unilateral hegemony (NSA-led monitoring system), to national and regional public-private partnerships — to name only a few. Emerging Internet security institutions have been organised along national lines, but also in terms of their subject matter. Different security problems like viruses, denial-of-service attacks, botnets, spam, and phishing appear to be dealt with in different, yet occasionally overlapping organisational and institutional settings; one might call these “problem-specific governance islands”. Finally, different sectors in the economy follow individual approaches to deal with Internet security problems.