At the Internet Governance Forum in Baku, I made an intervention on behalf of NL IGF, reporting on the recommendations given by the participants of Workshop 87. Participants coming from positions representing most actors on and around the Internet. As one of circa ten recommendations, I concluded that more regulatory and law enforcement bodies need to become part of the IGF discussions, as they are an integral part of governing the Internet from a safety and security perspective. Mr. Cerf responded with a one-liner: “I can’t help observing, if we keep the regulatories confused, maybe they will leave us alone”. There seems to be a misunderstanding between us that I would like to clear up.

Workshop 87

This workshop took on one of the most difficult topics concerning Internet governance, cross border cooperation between (public and private) entities. The specific topic was incidents concerning critical (Internet) infrastructure, but could have been on cyber crime, fraud, spam, botnet mitigation, etc. The discussion would hardly have been different.

The participants came from governments, an international governmental organisation, the CERT community, private companies, an Internet resource organisation, in this specific case a ccTLD, national centres for botnet mitigation (to be) and a regulatory body. In short all but traditional law enforcement, who, NL IGF found, could not be enticed to participate in a discussion on cross border cooperation. There was an interesting discussion between the different panellists, showing, among other things, that public—private cooperation is a normal phenomenon for most participants, but not always easy to achieve, nor always institutionalised. They all shared recommendations, which will be published soon on the website of NL IGF. Let’s go into specifics relevant to this blog post.

Regulatory bodies

Traditionally a regulatory body has a task to regulate a market. The Internet so far has managed to stay away from regulation. Mainly because the Internet is a market that works and does not need regulation.

This has shifted somewhat in the past four years, as the Internet has become substantially less safe to use and governments worry about safety and security of the state, its citizens and institutions. This is normal as it is one of the main tasks of the state. The discussions are mostly about how the Internet can become safer, looking at the public functions some private organisations perform, like distributing domain names and IP addresses. It is not in this context that the term ‘regulatory bodies’ was used by me at the IGF.

Enforcement bodies

Several regulatory bodies have been given enforcement tasks on spam, malware, online fraud, identity theft. They come from a telephony, consumer and privacy regulatory background. Some function very successfully like the U.S’. FTC, the Australian ACMA and the Dutch OPTA, in other countries enforcement tasks were given to regulatory bodies also, but they are less or unsuccessful, e.g. because they do not give enough or any priority to enforcement tasks. For known and unknown reasons. The bodies who are successful, need to be engaged in Internet governance. Especially now that initiatives are sprouting in several countries on cyber security strategies and botnet mitigation centres. An international comparative study shows that cooperation does not come natural to most national centres and regulatory bodies. (Click here for the study.)

If countries can become more aware of the possibilities they have at “regulating” around the Internet, this would make the Internet environment safer for everyone, without impeding in any way on private initiatives that have made the Internet to what it is today. Better, if public and private parties know what they can expect from each other, a lot of efficiency can be reached at saving energy and cost. Like the Cyber Crime Working Party initiative at RIPE NCC has shown and is working on, through managing expectations and standardizing information streams. And best is when through coordination a national body is able to chose which entity is best equipped to deal with an incident. Private? CERT? Regulatory? LEA? All together? This can only happen when all are equipped in the right way and connected at the national level. Preferably through a national strategy.

The participant from a regulatory body in the NL IGF panel in Baku e.g. also runs the national CERT and the national botnet mitigation program. In other words, from his perspective there is a clear need for more cooperation. Especially with countries that have not given the kind of priority his country has to security and safety tasks. Because on the one hand Finnish government and companies are threatened from abroad and there is no one at the other end to stop these threats, while at the same time he has information on threats going to these countries, with no one to mitigate them on the other side. Cyber security cooperation works both ways, if there is a level playing field.

Foreseeable results

By engaging these regulatory bodies, including traditional law enforcement, into discussions of Internet governance, several results can be achieved. Governments are made aware of the need to speed of action at the enforcement and security level and learn first hand what works, copy and help shape best practices and are made to understand that doing nothing is no longer an option. Regulatory bodies get to know counterparts at major companies, organisations and governments that they need to engage with in order to be more successful. The Internet industry gets to know their counterparts within law enforcement and builds a trusted relationship. Only by supplying information governments and law enforcement can be made to understand where true priorities lie. This way both sides can manage expectations and efficiency is reached in their mutual contacts.

Self regulation

I, for one, am convinced that the Internet and ICT industry can go a long way making the Internet a safer environment for all end users through self-regulation. Not that this is common practice at this moment, as in the past years the technical community has focussed on enabling the ease of use of the Internet and ICT products, while others have focussed on making money.

It is only if industry fails at self-regulation that regulation becomes an option. Several recent initiatives show that diverse Internet industry bodies are working on self-regulatory initiatives that can make a major difference in the future. Governments are supporting these initiatives like AbuseIX in The Netherlands, the German, Swiss and Finnish botnet centres and the EU funds 50 % of the ACDC project.

However, this is not enough. If law enforcement does not become involved or is made to understand where cyber crime meets cyber security and (is made to) prioritize accordingly, all present and future initiatives are mopping activities only, as the criminals remain in control of the tap. They need to get arrested or if this is impossible, frustrated in such a way that they employ themselves elsewhere. Only a public—private partnership can achieve this.

Communication and cooperation

Mr. Cerf’s own company, Google, in the panel stated that they cooperate in a standardized as well as in an ad hoc way to mitigate security incidents. With public and private institutions. I.e., most likely including, government bodies that (also) have regulatory and enforcement tasks beyond market regulation. And this is a good thing as communication, understanding, trust and cooperation lead to a safer Internet.

If the world manages to establish these lines of communication and cooperation, crime on the Internet will be pushed back to more acceptable levels. If this does not happen, it is the Internet and the Internet industry and companies that will get hurt in the process.

Every day life is not safe, but we are all under the impression that it is and function as such. The same situation needs to be created for the Internet. This can only be achieved if government and private sector cooperate, just like in the offline world and that includes regulatory bodies. That is why Vint Cerf is wrong and with his comment runs a risk of frustrating developments that the world actually needs rapidly in order to keep the Internet as it is. A great open tool for all (well almost all if we bar criminals), to use at ease, in work and play. Something no one with a right mind wants to lose. (This last comment is not aimed at Mr. Cerf, but at the ongoing WCIT discussion.)

For the transcript of my intervention and Mr. Cerf’s response click here and scroll to the near bottom.