Friday Secretary Napolitano delivered a speech on cybersecurity to a forum sponsored by The Atlantic and Government Executive. About mid-way through the remarks there was something that sounded new to me:
Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it’s the market or the war. Those are the two analogies that you hear.
Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe. So let me just say that again. In my judgment, both the market and the battlefield analogies are the wrong ones for us to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe.
So we’re proud to be a part of that global effort. We believe in the importance of an open Internet, but we cannot have an Internet that is open, but not secure, nor an Internet that is secure but not open. And I think just by saying that, that lays down the challenge that we confront.
So… like a watershed, or a fishery, or deep sea oil deposits, or the radio spectrum, or other “common pool resources,” there is a shared public-private responsibility. If that’s the model, Elinor Ostrom would appreciate the emphasis on “fundamentally a civilian space.”
Dr. Ostrom’s research and that of her myriad disciples — including yours truly — suggests that when the emphasis starts and stays on user management then resilient systems are more likely to emerge. Effective norms are developed by users — who know and depend on the resources most — and are adopted not just as rules but as fundamental expectations across the system.
When government is a facilitator, trusted source of information, and a last resort of enforcement against norm-breaking users, public-private partnerships usually thrive. Government insisting on taking an aggressive lead is an early symptom of collapse in many a commons.
Perhaps I am reading too much between too few lines. The Secretary did not say much. Maybe she was just sending a turf-claiming signal to DOD. There was no footnote pointing us to Elinor Ostrom. Imposing a Nobel Laureate’s meaning on the Secretary’s remarks may be a stretch. But I like the stretch.
Earlier in the speech the Secretary had a paragraph that did not sound new (at least to me), but when read in combination with what is excerpted above takes on new meaning (at least for me):
Finally, I want to stress that cybersecurity isn’t about control. It’s not about government control. It is about partnerships. But partnership needs to have some effectiveness. There needs to be meat on the bone when we say partnership. And there needs to be widespread distributed action toward that goal, so that we view this much more as creating, if I may, layered security involving partnerships, as opposed to top-down or government-down. So we are working more closely than ever to identify the private sector partners who we need, and work with them, and also across the federal family.