I’ve been reading a fascinating paper by Julia Slupska – “War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance” – that looks at how the metaphors we choose for Internet (in)security limit the kinds of solutions we are likely to come up with. I was reminded of a talk I prepared maybe fifteen years ago where I worried that none of the then-current metaphors for the Internet seemed to lead to desirable outcomes: “Information Superhighway” (seven deaths a day acceptable), “Wild West” (get a bigger gun), and so on. But Slupska – who, unlike me, knows the theoretical background – has her eye on things of greater significance: whose role it is to address the problem and what a “successful” outcome looks like.
The most common metaphor seems to be “cyber-war”, either explicitly or implicitly through terms like “battlefield”, “enemy” or even “Geneva Convention”. These constrain us to thinking of “solutions” that take place between nation states, and involve the “defeat” of some enemy. Any de-escalation must be mutual. At the opposite extreme “cyber-hygiene” places the burden almost entirely on individual behaviour, which seems to be taking things too far in the opposite direction. Intermediate metaphors seem more fruitful: “cyber-ecosystem (environment)” and “cyber-public health”. Both assign roles to nation states, the private sector and individuals, and seek to mitigate, though perhaps not to eliminate, a global threat. Both seek to create mutually-reinforcing incentives though without being entirely dependent on concerted action.
Both seem useful, but I detect a slight preference for the environmental metaphor, partly because global discussions have been going on longer so the framework may be more developed. In particular there’s a fascinating observation that environmental discussions can cope with disagreement, or some parties stepping outside the system entirely. Within an environmental metaphor unilateral action can make sense, even be beneficial: adopting stricter standards for your own industries may give them an economic advantage when others are finally forced to catch up. Here the parallel is explicit with vulnerability disclosure: a “warfare” metaphor makes you much more likely to hoard vulnerabilities in the “enemy’s” systems, an “environmental” one lets you consider whether the (direct or indirect) benefit in fixing your own systems might actually be greater. Maybe we should be talking about a “digital Paris Agreement”, rather than a “Geneva Convention”.
Now go and read the paper…