Cyber Governance: How Is the Cyber System Structured and Disciplined?

This segment of the ECIR scientific research consists of distinct investigations, each generating specific results about the nature of cyber governance. We summarize here three research activities based on different methods and analytical tools.

Mapping Authority and Governance for the Cyber Domain

The increased density of decision entities worldwide creates challenges for governance in the physical as well as cyber arenas. Results include:

  • Mapping the new global parameters created by: (i) the state system as a latecomer to matters of cyber governance; (ii) intersections with private sector entities; (iii) the role of non-state actors; (iv) emergent contentions between established institutions (such as ITU) and the cyber-centered ones (such as ICANN); and (v) consolidated political contentions with potential for strong cleavages worldwide (Choucri, Clark)
  • Generating empirical evidence of the growth of actors managing cyberspace and the contentions created by the increasing density of decision entities (Choucri)
  • Mapping the governance “ecosystems” of cyberspace provides an overarching perspective on how the virtual domain is managed, i.e., who does what, how, and why. The figure below shows a stylized view of the results we have obtained. Note the core functions of each of the three individual ecosystems, and the linkages among them. (Chueng, Bradner, Choucri)
Governance of the cyber domain.
Source: Cho (2015).

Norms for Cyberspace

The role of norms is a critical element in the development of international cooperation. This issue was explored in three different contexts:

  • Framing and exploring two different hypotheses: cyberspace lacks operational norms vs. norms are already in place;
  • Differentiating between norms for management of the Internet vs. norms for interaction and conduct in cyberspace; and
  • Identifying the specific formal and informal norms among Internet technical operators (Hurwitz, Sowell).

Power of Private Authority

The management of the Internet is currently done by a wide range of private sector actors, including close-knit organizational entities with their own “models”. These informal systems are under pressure from the more established entities, in both the cyber and the traditional domains. Based on diverse methods, results showed:

  • The structure of hidden vs. formal operational governance of the Internet at the local levels, based on detailed cases and interview methods (Sowell)
  • The self-damaging tendencies in business responses to cyber intrusion or damages demonstrated via the use of system dynamics modelling and simulation (Goldsmith and Siegel)
  • The action-reaction chain across cyber and physical domains as governments seek to resist pressure or prevent revolution (Rady)
  • The use of anonymous proxy networks to support pressures on governments, with applications to revolutionary movements, case studies of Egypt and Iran.
Overview of the TOR mechanism.
Source: Rady (2015).

Resilient Mechanism Design

Mechanism design is about framing a negotiation context that will enable good outcomes, under conditions of incomplete but crucial information held by the players, and to do so with realistic assumptions. Establishing the rules under which negotiations will take place is an essential prerequisite to the process itself. The assumptions are that (a) the players only approximately know what they want; (b) they do not want to tell the overarching arbiter or decision maker; and (c) they will collude if this may make them better off. The results consist of:

  • Improved framing of such mechanisms – often seen as a mixture of game theory, secure protocols, and algorithms – to facilitate policy-relevant application (Micali).
  • Initial application to evolving negotiations on cyber management in the context of international organizations (Micali, Chen, Choucri)

Institutions for Cyber Security

In response to increasing threats to cyber security, the international community established formal mechanisms to identify, monitor, and mitigate the damages. ECIR empirical and comparative investigations show that:

  • While the institutional landscape is becoming increasingly dense, coordination, integration, and shared response mechanisms lag far behind.
  • Despite the expansion of these institutions, we have found that there are major inconsistencies among them in conceptual orientation and data-making capability (Ferwerda, Choucri, Madnick)
  • Built-in limitations are created initially by their “bottom-up” institutional design and then reinforced by business as usual (Ferwerda, Madnick)