[CII] welcome to the public CII

Andrea Glorioso andrea at digitalpolicy.it
Tue Dec 8 17:33:39 UTC 2009


Dear Angela, dear all,

>>>>> "angela" == Angela Cataldo <angela.cataldo at gmail.com> writes:

    > Gadi, Andrea, before making policy-makers completely aware of
    > deep dependence on (and criticities of) internet
    > infrastructure, can we think of a way of double controlling CII?
    > I mean: we cannot have an ideal opinion of policy-makers as
    > people employed for the benefit of community.  As a citizen, I
    > would like to have (or third party to have) a way to control
    > their operations, and have knowledge enough to understand what
    > happens and what will happen in near and far future, if
    > possible.  As a technician, I would be sure not to be completely
    > dependent only on policy-makers, which might be non honest
    > persons.  In this context, CII is not made only of software and
    > hardware, but of persons able to control them in some way, too.

I find this approach to CII, as well as network and information
security (and, I should add, anything related to society..) absolutely
necessary.

I do not have an immediate practical answer for your concerns, except
by noting that the main way in which citizens of democratic societies
control the activities of their public bodies is by "doing politics".

Having said that, let me offer a couple of reflections, which I hope
are useful as a starting point of discussion.

I would question the characterisation of `policy makers' as
potentially non-honest - not because I believe all of them are honest,
rather because I think the issue of honesty is completely orthogonal
to the function one performs in society (even if s/he works in the
private sector..).  But in any case, I do believe that independent
control is indeed fundamental for a democratic approach to security
and critical infrastructure protection.

When it comes to the Internet, I think we have the advantage of a
system that - unlike other ICT sectors, or other unrelated fields -
has grown substantially `bottom up' and can count on real-world
examples of working dynamics relying on `distributed control'.

Incidentally, the action plan for Critical Infrastructure Protection,
which I drafted together with colleagues, contains a paragraph which
may seem obvious to Internet folks but, let me assure you, was not for
European policy makers:

  "A thorough understanding of the environment and constraints is
  necessary. For example, the distributed nature of the Internet,
  where edge nodes can be used as vectors of attack, e.g. botnets, is
  a concern. However, this distributed nature is a key component of
  stability and resilience and can help a faster recovery than would
  normally be the case with over-formalised, top-down procedures. This
  calls for a cautious, case-by-case analysis of public policies and
  operational procedures to put in place." [1]

This is but one example of the fact that even in the shady rooms of
Bruxelles, there is a certain sensitivity to the undesirability of
centralising all responsibilities for Internet resilience and
stability.

On the other hand, one has to keep in mind that when something goes
*really* wrong, citizens will (understandably and rightly so!) turn to
their public authorities, which will be forced to "do something".

This is why I have been pushing for a long time - and will continue to
do so - for technologists and policy makers to talk with each other.
The old mantra that public authorities should stay clear of the
Internet may have been sustainable in the '80s and the '90s, but
nowadays it is simply a dangerous attitude if one wants to avoid such
public authorities (at whatever level: national, European,
international) intervening like elephants in a glass shop.  There is
nothing that arouses the curiosity (and the worrying) of politicians
and bureaucrats more than the often-heard statement in certain circles
that "there is nothing for you to see or do here - go away".

I do strongly believe that the main task of the "operational
community" out there is to help policy makers understand what they
should, but especially what they should *not* do, with the Internet.
Possibly by presenting (in a manner understandable to policy makers)
why the Internet has been doing very well in many respects, but
also by being honest about what does not work that well.

Ciao,

Andrea

[1] COM(2009) 149 Communication from the Commission to the European
    Parliament, the Council, the European Economic and Social
    Committee and the Committee of the Regions on Critical Information
    Infrastructure Protection - "Protecting Europe from large scale
    cyber-attacks and disruptions: enhancing preparedness, security
    and resilience", 30 March 2009, available at
    http://foxyurl.com/MCn.


--
      Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/
          M: +32-488-409-055         F: +39-051-930-31-133
  * Le opinioni espresse in questa mail sono del tutto personali *
      * The opinions expressed here are absolutely personal *

	"Constitutions represent the deliberate judgment of the
     people as to the provisions and restraints which [...] will
	secure to each citizen the greatest liberty and utmost
	       protection. They are rules proscribed by 
	         Philip sober to control Philip drunk."
			   David J. Brewer (1893)
       An Independent Judiciary as the Salvation of the Nation