The extended DDoS attacks over the past few days that triggered widespread outages and Internet congestion are more than a mere annoyance. Rather, these instances have proven to be increasingly sophisticated efforts to strike at core networking protocols—the infrastructure that makes the Internet operate—to render large portions of the network inoperable or inaccessible. Perhaps the greatest irony of these complex attacks has been the fact that they have been conducted on the backs of some of the dumbest devices out there—the so-called "smart" devices that make up the Internet of Things (IoT).
It has become impossible to slow the explosion of these connected devices. The combination of the Internet’s open architecture, easy-to-use open source software libraries, access to location-agnostic data storage and processing services, continual improvement in wireless technologies, and the wide availability of cheap, reliable chipsets, cameras, and radios that use very little power and can fit into the smallest of spaces, has given manufacturers every incentive to build new connected devices or retrofit their existing products to become IoT nodes themselves. Yet this ease of entry yields its own problems for the Internet ecosystem: manufacturers are able to build connected devices quickly and cheaply, with little apparent incentive to incur the costs associated with properly securing or maintaining those devices.
The openness of the Internet is both its strength and its weakness. A decentralized and loosely coupled model allows for the work of bad actors within the system. From the Internet’s earliest days, as its population of citizens grew, we began to see manifestations of this problem in Internet worms and viruses, spam, and computer hacking, and the open workings of the networks gave us the ability to generally combat these problems. But as the Internet has become an increasingly vital part of our global infrastructure—Gibson’s "eversion of cyberspace"—solving the problem of bad actors has become quite difficult. Zero-day vulnerabilities have become weaponized. The failure or inability to update old software can bring down entire Internet ecosystems. The transmission of data in the clear invites snooping or misuse, while masking your information using encryption raises government suspicions.
The introduction of security vulnerabilities, as well as the failure to fix or mitigate these vulnerabilities in a timely fashion, creates an overall systemic risk to the Internet ecosystem, and can be described as a negative externality associated with technological growth in cyberspace. Modern economic theory recognizes the inefficiencies likely to occur when individuals selfishly maximize against these externalities. These market inefficiencies become especially troubling when such circumstances lead to the inequitable creation of winners and losers within a system, where some agents—end-users of these technologies—have little or no say over the actions of others within this economy.
A well-known game-theoretic scenario used to model and explore versions of such problems is the unscrupulous diner’s dilemma. The game is often described thus: A number of friends gather at a restaurant to enjoy a meal with one another. This group has met with the unspoken agreement that they will divide the check evenly when the meal is finished. Each individual diner is left to make her own decision as to what to order, from the least expensive chicken salad to the much pricier lobster tail and filet mignon. If everyone orders the same meal, the effect would be no different than if they had each paid their own tab for their individual dinners. If, however, nearly every member of the party orders the least expensive item, one diner could then order the most expensive meal on the menu and get it at a bargain price, since it will be subsidized by his fellow diners under their unspoken agreement (fellow diners who may now feel less well disposed toward their free-riding companion).
To mitigate this existential risk of "cybersecurity free riders" to the continued health and growth of the Internet, I believe it is necessary to develop a theory of Internet Stewardship—a distributed, decentralized, cooperative model that incorporates a shared duty to establish, maintain, and follow basic cybersecurity standards. This model is based upon established social contract principles, organized around the concept of the Internet as a global public good, and places an emphasis on the endogenous formation of institutions in order to minimize free rider incentives, while maintaining a system of measured, mutual restraint. My current work in this area is an attempt to develop such a theory by applying the foundational work of Locke, Hegel, Kant, and Rawls to our contemporary world of ubiquitous computing. I will be posting updates on my research here from time to time, and welcome any comments or observations you have on the topic.