February 3, 2010

The New Tragedy of the Commons

Recent revelations about cyber attacks emanating from China and other nations, combined with the hydra-headed activities of al Qaeda, suggest that the Internet has brought us a 21st Century equivalent of the Tragedy of the Commons.

The towns of colonial America, like their European counterparts, made a commons area available in which townsfolk could graze their livestock. The problem arose when the users of such common “infrastructure” abused the asset and everyone suffered. Open access encouraged villagers to get “just one more” cow or sheep, which resulted in over-grazing the commons. A grassy field of value to all became a muddy quagmire of value to none.

Today’s commons is the Internet. For a cost shared by all, a common infrastructure provides benefits to all. Monthly ISP payments support this shared resource much like the townsfolk’s shared responsibility for the commons. This time, however, digital connectivity spreads the new commons beyond national borders and wireless networks put access into the hands of billions of people.

The Web is the global village’s commons. Like the commons of history, however, such a shared resource invites abuse.

Allegedly, China came to the new commons for the purpose of spying on others in the space.

On July 4th, computers, reportedly from North Korea, attacked U.S. and South Korean net-based activities.

Last year, the electronic infrastructure of the nation of Georgia was attacked, as was Estonia in 2007, reportedly from computers in Russia.

Al Qaeda uses the commons to recruit and communicate.

The old Tragedy of the Commons was that irresponsible use threatened the value of a shared resource. The new tragedy is not dissimilar, just more dispersed.

In the first Tragedy of the Commons, rules quickly evolved. Those who benefitted from the commons took steps to assure that usurpers did not destroy the shared benefits. Limits were placed on how many animals a town member could graze, and fences were erected against commercial herds. Identifying similar antidotes to protect the 21st Century’s shared space will be more difficult, however, because the new commons is not a defined place.

The grass commons could be fenced off and controlled. The cyber commons has no such singular location; its operations are so amorphous that we call it a “cloud” and illustrate it with a fluffy drawing. Yet, ultimately it is the nature of the asset that must define the solution.

For 50 years we dealt with the previous national threat in a manner similar to solving the original commons Tragedy. The Cold War threat came from an identifiable “place,” the Soviet Union. We responded by fencing off the threat with both offensive and defensive efforts. This was possible because our Cold War adversary still had the characteristics of “place” – a reality dictated by the nature of the networks that connected it. Because the communications networks of the time hauled activity to a central switch, other activities symbiotically grew around that point. We could identify such points and target them for both offensive and defensive efforts.

The new cloud commons rules out a similar strategy. Once again our adversaries take on the characteristics of the networks that connect them; this time it allows them to hide in a distributed network architecture.

If the distributed commons allows activity to be everywhere in an undefined cloud, then the response to protecting that commons must take the same form. Digital fencing – firewalls – has its application, but we are no longer in a world where we can fence off places; the Net-based attacks come from the cloud to attack an asset that lives in the cloud rather than a defined place. Distributed network technology that is both everyplace and no place brought us to this point, and distributed network technology must be the solution. Such technology would provide dispersed awareness as to what’s happening and distributed visibility into where and how it is occurring.

During the Cold War, Western democracies confronted the security threat in two ways: (1) by banding together, and (2) by exploiting their technological wherewithal to win an arms race. The new battle is with zeroes and ones instead of tanks and missiles, but the defense strategy of coordinated action and technological superiority remains the same. Solutions must look like the network that delivers the threat, and there is no substitute for continual upgrades in technology to provide the needed awareness and visibility.

The new commons began in the United States. Its early applications exploited that home field advantage to gain a global leadership position in Internet technology. As the threat to the new commons exploits the distributed characteristics of the commons itself, our security rests on an equally dispersed response of ever-advancing technological innovation.