Today, botnets and the Distributed Denial of Service (DDoS) attacks that can accompany them are considered among “the most severe cybersecurity threats.” Botnets have caused extensive economic harm to businesses, banks, hospitals, and government agencies around the world. Furthermore, botnets are used to spread political propaganda aimed at distorting democratic elections. In fact, U.S. government officials concluded that the Russian propaganda campaign has not stopped since the 2016 election and the magnitude of the issue is expected to grow. Yet, a time-tested framework for addressing the problem already exists. Governing complex internet-based problems is best accomplished by a network of stakeholders, similar to the way the internet is currently governed.
In her Nobel Lecture, Elinor Ostrom emphasized the necessity of studying human economic behavior in any complex system. She added that no “one size fits all” policy solution would work for a highly complex socio-economic issue, but approaches created by a dispersed, spontaneously self-organized group are far more innovative. This is the essence of polycentric order as defined by Elinor and Vincent Ostrom. A polycentric order has multiple overlapping decision-making centers composed of individuals equipped with the knowledge and expertise necessary to create better outcomes for issues of high complexity.
In the case of cybersecurity, where dynamic response is critical, distributed network actors are best suited to govern complex cyber problems. While policymakers are one such group in this governance network, the efforts of other stakeholders are critical to maintaining flexibility and adaptability to emerging threats. The role of policymakers is to facilitate the emergence of multiple decision-making centers, which is key for resolving botnet issues.
In his book Networks and States, Milton Mueller offers a comprehensive analysis of network actors outside of the nation-state system as well as their effectiveness in addressing cybersecurity issues. Mueller outlines distinct challenges of cybercrime such as its globalized scope, boundless scale, and its decentralized and distributed nature. He argues that efficient institutions and new organizational forms are in a continuous process of emerging out of the interactions between public and private actors.
Mueller asserts that meaningful solutions to cybersecurity issues are only possible at the trans-national level. Large international organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the World Intellectual Property Organization (WIPO), and the Internet Governance Forum (IGF), among others, provide internet governance at the international level. Mueller highlights that an effective global internet security policy will recognize the interdependence of markets, nation-state specific property rights protections, and shared information and communication resources. He proposes that a “denationalized liberal approach” would be effective in resolving this dilemma. Moreover, he concludes that a true denationalized liberal governance will emerge out of the interactions of globally networked communities. His conclusions regarding internet security governance are, therefore, aligned with the Ostromian approach.
There have been some promising developments in collaboration between the private and public sectors. In 2018, USTelecom and ITI announced the creation of the Council to Secure the Digital Economy. The Council brings together leaders from the Information and Communication Technology sector to create a more resilient digital ecosystem. For example, they produced the botnet guide, a compilation of best practices by large-scale enterprises that can be implemented in a variety of industries to mitigate the threat of distributed denial of service attacks. Additionally, the Federal Trade Commission has been facilitating meetings between stakeholders.
Past and future administrations can learn from the Clinton Administration’s Framework for Global Electronic Commerce, which made space for stakeholders to be involved in governing the internet and maximized cooperation between public and private initiatives for cybersecurity. Indeed, the Obama administration’s cybersecurity plan included a call for technology companies to fight botnets collectively. The Trump administration declared its commitment to giving federal agencies legal authority to combat botnets.
Government should not be the only source of governance in addressing cybersecurity problems. Botnets are best combated by a multistakeholder effort between public and private entities. The tenets of “polycentricity” and “decentralized liberalism” capture the wisdom of a more distributed governance approach.