Hardly a day goes by that the media do not confront us with headlines on the latest breaches, hacks, and attacks, whether political, criminal, or both, which affect all areas of society. Many of these attacks are not even new; some are years old and have only recently been discovered and reported. It is therefore reasonable to assume that there are many security breaches that we don’t know about and perhaps, for various reasons, never will. At least with regard to what we do know, the cost of cybercrime and cyber attacks has been estimated in the hundreds of billions of dollars, quite apart from the other damaging effects, for example, loss of trust in the effectiveness of our law enforcement and security institutions. It has become apparent that traditional law enforcement and security measures do not work when it comes to preventing or combatting cyber-warfare, cyber-crime, and cyber-terrorism. For example, it is often difficult to find the scene of the crime or the weapons or tools used in the crime, to assess the damage done, or to determine who is responsible. And even if it is possible to find out who did it, this information is mostly useless. One is left with the impression that despite enormous efforts by law enforcement and security institutions, cybercriminals and hackers move through our networks with impunity.
Of course, there are many reasons for this, including our own negligence. We ourselves, whether infrastructure and software providers or users, are often a major part of the problem. The state of simple and normal “digital hygiene,” such as updates, anti-virus software, strong passwords, and so on, is so deplorable that it makes you WANNACRY.
What can we do? Whereas new technologies of trust by design and new networked organizational models are slowly becoming focuses of interest for cyber security solutions, legal and ethical proposals seem not to have moved beyond positions developed in the bygone industrial era. The digital transformation seems not to have changed much in our conceptions of what security means and how freedom, autonomy, and human dignity are to be preserved in the information age. Although ethics and discussions of values and norms may appear of only incidental significance when standing on the front in the struggle against cyber-crime, cyber-warfare, and cyber-terrorism, they play a very important role in the foundational regulative frameworks that condition law enforcement and security strategies. For this reason, it is perhaps time to take a critical look at ethics with regard to cyber security.
If values and norms do not come from God or his representatives on Earth – including pure reason – and if they are not hardwired into our DNA, then it is at least plausible that they emerge from the interactions of social actors. What has become apparent in the digital era is that technologies, artifacts, and non-humans must also be considered to be social actors. Non-humans have become our partners in constructing social order. This means that the “affordances” of information and communication technologies (ICTs) contribute to our norms and values. It is the network as a whole that is the actor and the actor is always a network. Let us therefore ask: What do networks want? What are the norms inherent in the affordances of ICTs?
Here is a short list of what could be called “network norms,” that is, the most important affordances of ICTs that are guiding how social order in a global network society is constructed, maintained, and transformed.
- The network tends to connect everything to everything. This is exactly the opposite of what closed systems want. Where closed systems are characterized by hierarchy, limitation, exclusion, and reduction, networks are non-hierarchical, inclusive, connected, complex, and public.
- Connectivity is not a weakness, but a strength. Let us recall that Paul Baran’s original concept of a distributed network – which became the basis of the Internet – was designed in order to withstand a nuclear attack. The distributed network was a security strategy.
- The larger the network, that is, the more connections it has, the more resilient it is.
- Finally, the more connected a network is, the more effort it takes to divert the trajectory or subvert the purposes of the network, since there are many more nodes and links that have to be moved.
- Networks want information to flow freely through all the nodes.
- Flow means that information, as well as everything else, such as people, money, goods, etc., are always uncontrollably and unpredictably moving through the network. We will always be surprised by new and unforeseen information.
- Every attempt to control flows weakens the network or invites work-arounds and extensions into other networks – the darknet is a case in point.
- Participation means that all nodes in the network are not mere passageways through which information – or anything else – moves, but every node also has the ability, and even the duty, to change, improve, transform, and repurpose information.
- Every node in the network is an actor, a source of information, a contributor to the whole and not a mere function or a black-box.
- Participation makes not only the flows, but also the content of information unpredictable and uncontrollable.
- Transparency means that the sources, reliability, and uses of information are known by all. Nothing is hidden; this is the famous “glass human being”. Publicy, not privacy, is the default condition today.
- Transparency is symmetrical. The network does not condone or facilitate asymmetrical transparency. If anything, this is what all the leaks and whistleblowing teach us. That is to say, everyone ought to be equally transparent.
- Transparency is the opposite of anonymity. Those actors who depend upon anonymity, such as the hacker group Anonymous, or the NSA, CIA, GCHQ, and all the rest who are based on secrecy and disguise, are contributing to the general insecurity of the network and not to making the world safer.
- Authenticity is related to transparency, but is addressed to the trolls, vandals, and liars and represents the network affordance of truth. It is a commonplace that networks function on the basis of trust. Mistrust is dysfunctional in networked organizations.
- In the Machiavellian world of bureaucratic hierarchies and informational scarcity, mistrust is normal and perhaps even necessary for survival. In connected, participatory, and transparent networks this is no longer the case.
- Who you are on Facebook is pretty much who you are, and if this is not the case, you’re going to get into trouble sooner or later.
What do the network norms briefly described above imply for organizational and technical cyber security strategies? It could be that current attempts to reinstate traditional norms and values into a global network society run counter to the network norms actually guiding the construction of social order today and that this is one reason why many cyber security strategies don’t seem to be effective. If our commitments to normative principles derived from the industrial age are hampering efforts to deal adequately with present-day threats, then we are caught in an ethical conflict as well as a conflict with cyber-criminals. Maybe we should talk about just what good and bad mean, before we try to go after the bad guys.