One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Choose the right metaphor

Thursday, April 30, 2020 - 09:34

I've been reading a fascinating paper by Julia Slupska – "War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance" – that looks at how the metaphors we choose for Internet (in)security limit the kinds of solutions we are likely to come up with. I was reminded of a talk I prepared maybe fifteen years ago where I worried that none of the then-current metaphors for the Internet seemed to lead to desirable outcomes: "Information Superhighway" (seven deaths a day acceptable), "Wild West" (get a bigger gun), and so on. But Slupska – who, unlike me, knows the theoretical background – has her eye on things of greater significance: whose role it is to address the problem and what a "successful" outcome looks like.

The most common metaphor seems to be "cyber-war", either explicitly or implicitly through terms like "battlefield", "enemy" or even "Geneva Convention". These constrain us to thinking of "solutions" that take place between nation states, and involve the "defeat" of some enemy. Any de-escalation must be mutual. At the opposite extreme "cyber-hygiene" places the burden almost entirely on individual behaviour, which seems to be taking things too far in the opposite direction. Intermediate metaphors seem more fruitful: "cyber-ecosystem (environment)" and "cyber-public health". Both assign roles to nation states, the private sector and individuals, and seek to mitigate, though perhaps not to eliminate, a global threat. Both seek to create mutually-reinforcing incentives though without being entirely dependent on concerted action.

Both seem useful, but I detect a slight preference for the environmental metaphor, partly because global discussions have been going on longer so the framework may be more developed. In particular there's a fascinating observation that environmental discussions can cope with disagreement, or some parties stepping outside the system entirely. Within an environmental metaphor unilateral action can make sense, even be beneficial: adopting stricter standards for your own industries may give them an economic advantage when others are finally forced to catch up. Here the parallel is explicit with vulnerability disclosure: a "warfare" metaphor makes you much more likely to hoard vulnerabilities in the "enemy's" systems, an "environmental" one lets you consider whether the (direct or indirect) benefit in fixing your own systems might actually be greater. Maybe we should be talking about a "digital Paris Agreement", rather than a "Geneva Convention".

Now go and read the paper...