Internet security and the security of information systems are no longer narrow technological subjects, but are at the top of policy agendas worldwide. The rise of the Internet has brought new security risks. At the same time, it allows for new forms of collaboration among globally distributed teams, jointly producing intangible goods that require little to no initial capital investment and production costs.
Existing research and theories on open source and peer production have focused on describing the enabling factors of this mode of decentralised, distributed, and nonhierarchical form of collaboration. Yet, the limits of this form of production have yet to be explored, or inquiry made into possible organisational hybrids.
This study aims to contribute to the literature on open source, peer, and social production by analysing its limitations and feasibility in the domain of Internet security governance, and responses to large-scale Internet security incidents. In a way, this study places peer production and Internet security in a room together for the first time, and sees how well they get along.
The first research question guiding this study is: Can the handling of a particular Internet security incident be classified as peer production? A second set of questions addresses a) the role and importance of secrecy and the antagonists in incident responses and b) factors supporting either the absence or presence of elements of peer production in response activities.
2. Theoretical Foundations
To address these questions, this study employs theories, models, and concepts like open source and peer production, Internet governance, security governance, trust and secrecy.
The idea of peer production describes collaborative arrangements for the development of free/open source software and Wikipedia. According to Benkler, this “new modality of organizing production” is facilitated by cheap-Internet based communication, distributed ownership of cheap ICT systems, and thereby reduced costs of distributed collaboration.
The study proposes a taxonomy to clearly label varieties of social production. Social production is the umbrella term, describing new non-market and non-hierarchical forms of production. Peer production requires that social production is based on an egalitarian distribution of authority among the contributors. Commons-based peer production labels that subset of social production in which no central controlling governance unit or appropriation of produced goods exists.
The defining characteristics of these variants of social production are distributiveness, openness and socialness. Distributiveness refers to the network topology of the contributing agents, the absence of central or decentralised hubs, the prevalence of peer governance and ad-hoc hierarchies. Openness describes the accessibility of the production platform, its transparency, a shared sentiment, and the accessibility and modifiability of produced goods.
Socialness refers to the social transaction framework, i.e., contributors participate not based on monetary incentives or hierarchical pressure, but on intrinsic incentives. Untangling the relations between secrecy, security, and social production, this study provides an analytical model to explain the presence and absence of elements of social production in incident response. Some degree of secrecy is compatible with peer production, but it alters the underlying economics of the peer production model and decreases the viability and ideational ambition of the production model.
3. Research Design
This research employs the study of cases of Internet security incidents. This allows for a detailed description of actors involved in the responses, the organisation of their activities, their access to relevant information, and their interactions and collaboration.
As criteria for the selection of the cases, the incidents need to be significant and limited in time and scope. In addition, data on the incidents and the response measures are available and accessible. Eventually, the Estonian cyberattacks and the Conficker botnet were chosen.
Identifying the application of peer production in incident response requires three steps. The first task is to identify the goods and services produced in response activities, requiring a descriptive narrative thereof. Second, the activities within this response are categorised, using the specified criteria of peer production — distributiveness, openness, and socialness. The third task is to decide whether the response can be classified as peer production or not.
In order to analyse why elements of peer production were or were not applied in the responses, a model of the feasibility of peer production was developed. It describes factors that have been identified as likely prerequisites for the feasibility of peer production for the creation of a particular good.
The main source of empirical data is a series of qualitative expert interviews, supplemented by desk research and some direct observation. Interviews have been transcribed and coded.
4. Endangering the Internet
The ground for subsequent analyses was prepared with a historiographic depiction of the two incidents.
For three weeks from April 27 until May 18, 2007, components of the Estonian Internet infrastructure were overwhelmed by Distributed Denial of Service (DDoS) attacks, website defacements, DNS server attacks, mass e-mail and comment spam. The attacks constituted a watershed in the history of Internet security because of two aspects.
Firstly, the attacks made it plausible to a wider public that cyberattacks could be used as a tool in international or bilateral conflicts. Secondly, the Estonian cyberattacks are a rare case where a “national security situation” was straightened out by a community of technical experts.
In late 2008, a piece of malware exploited a critical vulnerability in the Microsoft Windows operating system and installed itself rapidly and silently on millions of PCs. Infected computers became part of a huge botnet, created by the use of a stunning range of innovative attack techniques. Despite its unusual size, the botnet has only been used in minor cybercrime cases, making its underlying purpose mysterious to this day.
The Conficker case raised awareness of the problem of botnets among a wider global audience. It also featured an impressive global collaboration among technical experts and shed light on the Internet’s commonly hidden security institutions.
5. Producing Internet Security
How is the Internet secured and defended in times of a crisis, and which products and services are provided by the responding actors to eventually re-establish the status quo ante?
The Estonian attack was mitigated by the Estonian community of technical experts, supported by their international peers. CERT-EE evolved as the central hub for information exchange and coordinated some of the defensive measures. Security production consisted of a successful mitigation of different attack techniques, DDoS mitigation first among them. Situational awareness was established by monitoring technical and social networks. Collaboration among domestic actors was eased by familiarity among the country’s security professionals. With global security communities, ad-hoc collaboration had to be established in a rather improvised manner.
Initially, the response to the Conficker botnet consisted only of a small ad-hoc group of security professionals. The technical nature of the attacks, the Internet subsystems involved, and the response strategy chosen required a large response community. Its creation was enabled by half a decade of prior conferencing and networking. The primary response activities included malware and botnet analyses, defensive DNS, and sinkholing. Reverse engineering of the malware’s binary code was indispensable to understand the botnet and design its mitigation.
Through the implementation of defensive DNS, bots were prevented from contacting the botnet’s command servers. Sinkholes, databases containing information about bots’ traffic, were created to learn about the bots’ activities and distribution.
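The defensive DNS and sinkhole mechanism described above, as an added illustration that is not part of the original study and not the tooling of any actual response team: a toy resolver that answers queries for a blocklist of rendezvous domains with a sinkhole address and records the querying clients, then summarises the inferred bot distribution by network prefix. The domain names, addresses (RFC 5737 documentation ranges) and query log are constructed placeholders, not Conficker's; the `UPSTREAM` table stands in for normal resolution.

```python
"""Added example: a toy 'defensive DNS' resolver with a sinkhole record.

Blocked names are answered with the sinkhole address and logged; the
log is then aggregated to estimate where infected hosts are.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Constructed placeholder blocklist (hypothetical rendezvous domains, not Conficker's).
BLOCKED_DOMAINS = {"rendezvous-a.example", "rendezvous-b.example"}
SINKHOLE_IP = "192.0.2.53"  # RFC 5737 documentation address standing in for a sinkhole host
UPSTREAM = {"www.example.org": "198.51.100.10"}  # constructed stand-in for normal resolution


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.EXAMPLE.' matches 'foo.example'."""
    return name.strip().rstrip(".").lower()


def is_blocked(name: str) -> bool:
    """True if the name is a blocked domain or a subdomain of one (suffix match on a label boundary)."""
    n = normalise(name)
    return any(n == d or n.endswith("." + d) for d in BLOCKED_DOMAINS)


@dataclass
class Sinkhole:
    """The 'database of bot traffic': who asked for which blocked name, and when."""
    hits: List[Tuple[int, str, str]] = field(default_factory=list)

    def record(self, client_ip: str, qname: str, ts: int) -> None:
        self.hits.append((ts, client_ip, normalise(qname)))

    def infected_hosts(self) -> set:
        """Distinct clients that tried to reach a blocked name."""
        return {ip for _, ip, _ in self.hits}

    def distribution_by_prefix(self, prefixlen: int = 24) -> dict:
        """Count infected hosts per network prefix to see where the bots are."""
        counts: Counter = Counter()
        for ip in self.infected_hosts():
            counts[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
        return dict(counts)


def resolve(qname: str, client_ip: str, ts: int, sinkhole: Sinkhole) -> Optional[str]:
    """Defensive resolver: blocked names get the sinkhole address and are logged;
    anything else is looked up in the stand-in upstream table (None plays NXDOMAIN)."""
    if is_blocked(qname):
        sinkhole.record(client_ip, qname, ts)
        return SINKHOLE_IP
    return UPSTREAM.get(normalise(qname))


# Constructed sample query log: (timestamp, client address, queried name).
SAMPLE_QUERIES = [
    (1, "10.0.1.5", "rendezvous-a.example."),
    (2, "10.0.1.9", "RENDEZVOUS-A.example"),
    (3, "10.0.2.7", "cdn.rendezvous-b.example"),
    (4, "10.0.1.5", "rendezvous-b.example"),
    (5, "10.0.3.1", "www.example.org"),
    (6, "10.0.3.2", "notrendezvous-a.example"),  # shares a suffix but is not a subdomain: must pass
]


def run_sample(queries=SAMPLE_QUERIES):
    """Feed the sample log through the resolver; return the answers and the populated sinkhole."""
    sink = Sinkhole()
    answers = [resolve(name, ip, ts, sink) for ts, ip, name in queries]
    return answers, sink


if __name__ == "__main__":
    answers, sink = run_sample()
    for (ts, ip, name), answer in zip(SAMPLE_QUERIES, answers):
        print(f"{ts} {ip} {name} -> {answer}")
    print("infected hosts:", sorted(sink.infected_hosts()))
    print("per /24:", sink.distribution_by_prefix())
```

The suffix check is deliberately anchored on a label boundary: a name that merely ends with the same characters as a blocked domain is not a subdomain and must resolve normally, otherwise the sinkhole log would count uninfected hosts among the bots.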
Both responses depended on contributions from Internet security communities. Their values, norms, and internal practices influence how Internet security is produced after such large-scale incidents.
6. Social Dimensions of Internet Security
The empirical analysis identifies the role of peer production in Internet security incident response by puzzling out whether the responses to the Estonian 2007 and the Conficker incidents have been distributed, open, and social. In both cases, incident response did not conform to all aspects of the peer production model. In terms of distributiveness, both responses blend elements of decentrality and distributiveness.
Both CERT-EE and the Conficker Cabal had a central role in coordinating the responses. Activities like situational monitoring, DDoS mitigation, and malware analysis were mostly distributed, while defensive DNS or traffic filtering were conducted in a decentralised manner. Individual authority was not evenly distributed within response communities. Equipotentiality among actors largely existed in both responses, though some internal hierarchies emerged. Response networks were able to enforce norms among their members.
The responses in both cases have not been open in the way that open source production is. At best, the activities happened in an environment that could be described as gated openness or barcamps within walls. Access to security communities is usually restricted, requires vetting and vouching of potential members and is based upon interpersonal trust. The response networks, however, also comprised unvetted actors. Within the boundaries of the security communities, many informational resources were shared. While some of these communities had flirted with an ideology of openness in the past, the guiding principles by now are responsible disclosure and responsibility towards victims.
The responses came closest to peer production in the dimension of socialness. The motivations of contributors resembled those common in open source projects, including the aim to foster idealistic values or to follow personal interests. Bringing down the ‘bad guys’ and ‘playing with secrets’ may be motivations unique for security communities, but still fit into the open source motivation framework.
The same holds true for the shared interest in gaining from indirect appropriation. Furthermore, contributors have substantial commitments towards their communities and their loyalty to communities can trump that of their employers.
7. Limits of Openness
The open source access-for-all policy and the swift-trust model are replaced by a system of limited access, vetting of potential contributors and sharing on a need-to-know basis. This outcome — no pure peer production, but significant application of elements of peer production — raises the question of why certain elements of peer production can be found in the response endeavour, while others have not been applied.
Analysing the hindrances of openness based on a model of factors supporting open or secretive approaches, the study identifies the communities’ antagonist, the “bad guys”, as a main driver towards secrecy and the communities’ preference for a walled organisational approach. The flavour of social production used in the response endeavours resembles an institutional design that tries to incorporate some major advantages of the ideal-type peer or open source production model, while at the same time factoring in the need for secrecy.
The application of deep-trust as a prerequisite for community membership can therefore be interpreted as a hedge against the risk of defections. The observed hybrid flavour of social production reduces the risks of intrusion by malevolent bad guys, who seek to nullify the communities’ defence efforts. Community-based vetting and a certain degree of permeability towards new contributors keep the costs of secrecy relatively low.
While secrecy thwarts one source of peer production effectiveness — the unplanned, unrestricted use of resources by high numbers of agents with diverse talents and skills — security communities can still leverage relatively low-cost permeability to new contributors to take advantage of external information gains.
The production of Internet security looked different in the cases analysed than in a usual circumstance in which public security is affected. With transnational cooperation among police, law enforcement, or military forces lacking or inappropriate, distributed bottom-up collaboration in ad-hoc teams or permanent security communities has played a decisive role. Unlike in open source and rigid peer production, access to production platforms, input resources, and to intermediary informational goods is restricted, and no culture of unconditional openness and transparency exists.
Naturally, this study has a number of limitations. It only offers a glimpse into the relationship between peer production and Internet security. The observations allow no clear conclusions about optimal organisational designs of response endeavours. This holds even more as the response organisations had an element of historic contingency. In addition, the findings on employee-employer relationships are not based on intra-organisational data.
A number of research gaps have been observed in the course of this study. Internet security communities deserve further analyses from different theoretical angles and levels of analysis — be it Ostrom’s common-pool communities, epistemic communities, or International Relations theories. More encompassing theories of trust-based collaboration, social production, and distributed, networked, and egalitarian communities would be valuable. Finally, deeper theoretical and design studies on open security systems are recommended.
The study concludes with discussions on the state of Internet security governance and ideas on how to ‘open’ it. More recent trends in Internet security governance have nurtured the impression of a relative decline in Internet security communities. On the other hand, centralising effects and the hierarchification of the community could be avoided by a range of measures.