Establish a global cyber “neighborhood
watch” enabling users to take defensive
action to protect their operations.
BY stePhen J. LUKasiK
CYBer prOteCtiOn has long been a concern; recall
the Morris worm in 1988, widespread use of the
commons with the introduction of commercial email
and Web browsers in the early 1990s, and the U.S.
Presidential Commission on Critical Infrastructure
Protection (PCCIP) in 1996.11 A Google search
yields more than 43 million articles dealing with
computers and networks. This much attention,
without dependable security for users, leads one
to wonder why the problem persists. Are computer
vulnerabilities growing faster than measures to reduce
them? Perhaps the problem is not purely a technical
matter, but more to do with users. Carelessness in
protecting oneself, tolerance of bug-filled software,
vendors selling inadequately tested products, or
the unappreciated complexity of network connectivity
have led today’s abuse of the commons.
However, among potential rem-edies, current U.S. government-led approaches appear to be going at them
piecemeal, fixing those that demand
immediate attention. Since this approach is not keeping up, it may be
useful to rethink it, seeing if there are
strategic directions more likely to deliver benefits.
Protecting users of the cyber commons, nationally or globally, has both
top-down and bottom-up aspects.
Calls for government action to “protect
cyberspace” relate to top-down processes that, while identifying drivers
of policy, wash out lower-level detail.
That is the way governments think and
what people have come to expect from
them. Protecting a national commons
would appear little different from other aspects of national security, which is
clearly a government responsibility. In
the U.S., under the recently organized
Defense Department Cyber Command,
the National Security Agency has been
designated as the U.S. cyber force,
4 including both the 24th “Air Force” and
the 10th “Fleet,” in quotes because neither is a conventional flying nor floating combat unit, consisting instead of
people at computers, the newest element of net-centric warfare.
Bottom-up processes are equally important; they are what “really happens,”
the way processes work, rich in detail,
but leave some major drivers of events
invisible. The difference between the
two perspectives—top-down and bot-
top-down processes (such as regulation,
national strategies, federal funding, and
international agreements) protecting
users of the cyber commons operate
far more slowly than offensive and
Bottom-up processes (such as the affinity
groups that characterize social nets)
take advantage of the character of public
networks, offering additional defensive
options to protect them from abuse.
these processes mimic how the
aRPanet was created, contribute
to network evolution, and share the
concept behind the ietf and other
volunteer network mechanisms.