In late September, deep in bucolic Oxfordshire, an eclectic group of spooks, soldiers, civil servants, academics and geeks gathered in surroundings eerily reminiscent of Downton Abbey. They took tea on the veranda, looked out onto a herd of docile cows and obediently trooped in to dinner when an austere-looking butler banged the gong.
Their focus, however, could hardly have been further from the subtle class divisions that began to rend the fabric of British society in the early twentieth century. They were mulling over how governments should respond to the growing threats facing networked computer systems.
Most of those in attendance were well accustomed to the task of trying to stop bad stuff from overwhelming the Internet, but the tone of the discussions was somber. “You must work on the assumption that all your primary systems are compromised to some degree,” was a typical contribution. “Whatever you might think, they are inside your networks.”
One of the main purposes of the meeting at Ditchley Park was to work out how to protect what is known as the Critical National Infrastructure, or CNI. But just figuring out exactly what constitutes the CNI and who should be protecting it, under whose authority, has proved disarmingly tough. At Ditchley, participants soon established that defining the CNI is nigh on impossible: in this interconnected age, the CNI is everything. Disruption of something like the telecommunications infrastructure could lead to chaos in a very short time because so many other utilities depend on it.
Furthermore, so much of the CNI is in private hands that coordinating its defense with government is a tricky business, fraught with the potential for missteps and conflicts of interest. In the United States, the Department of Homeland Security is in theory responsible for protecting the CNI, but if the American securocrats and military officers at Ditchley were anything to go by, they do not possess anything like the capacity to deal with a major cyberattack. Like other agencies, DHS is too often in thrall to major security companies that have invested heavily in expensive cyberdefense technology.
Moreover, protecting the CNI without infringing on civil liberties requires striking a delicate balance. Those responsible for “bad stuff” in cyberspace are tough to pin down. Who “they” are is open to discussion because “they” might be infiltrating your computer for a variety of reasons. There is a danger that if the scale of the threat is exaggerated, it will prompt moves to step up the regulation and monitoring of the Internet and people’s private communications. In fact, this is already happening.
Bad Stuff Is Out There
The very genius of the web—its interconnectedness—means that the “securitization” of cyberspace has an impact well beyond its stated goals of protecting against the menace of the three main pillars of malfeasance: cybercrime, cyberindustrial espionage and cyberwar.