vate actions. Governments also play
an implementation role in proposing
legislation, enforcing mandates, and
protecting users of the commons too
small or weak to function effectively on
their own behalf.
While the U.S. government relies on
public-private partnerships to achieve
many of its goals, the degree to which
network security is worsening suggests
the need for new mechanisms. Since
commercial organizations see computer security as a cost and do not value the
corresponding benefit, private efforts
have to date been insufficient. Both
sides of the partnership are failing to
stem the tide of abuse of the commons.
Efforts by President Barack Obama
and his Administration suggest this
posture may be changing. In 2009 remarks, Melissa Hathaway, then acting
senior director for cyberspace at the National Security Council, representing
the National Security and Homeland
Security Councils, said, “The Federal
government cannot entirely delegate
or abrogate its role in securing the nation from a cyber incident or accident.
The Federal government has the responsibility to protect and defend the
country, and all levels of government
have the responsibility to ensure the
safety and well-being of citizens.”
Though government leadership is
necessary for protecting the nation
from cyber abuse, it is indirect, with
much distance between government-strategy documents and demonstrable security.
International mechanisms. Cyber
abusers and their victims can be in different sovereign jurisdictions. Actions
against violators are supported by common standards of unacceptable behavior. Rationalizing laws globally makes
sense but is time-consuming and eventually limited by the speed at which each country adapts to new technical, economic,
and political circumstances.
For international agreement to be
effective, implementing mechanisms
are needed for accommodating changes suggested by evolving needs: monitoring compliance by the signatories
to maintain their trust and confidence;
enforcing the agreement should signatories depart from agreed-upon norms;
resolving disputes among the signatories; addressing technical issues of
definitions, standards, and forensic
collection; and rendering assistance
to signatories to respond to technical
challenges expeditiously. However,
this process is also slow, as diverse signatories must be convinced they need
to take action.
While many protective steps can
be taken without formal agreement,
if global changes in security are to be
achieved, a larger international framework will be necessary for facilitating
cooperation among signatories; drawing from common international contexts, Sofaer and Goodman [13] discussed
elements of such a framework.
As with the previous three dimensions of a framework for cybersecurity,
international organizations have a role
to play but, like regulation and government strategy, find it difficult to respond to the needs posed by a dynamic
technology environment and aggressive and quick learners among those
who would abuse the commons.