Internet Infrastructure Security: A Casualty of Laissez-Faire and Multistakeholderism?

It is time to reckon with the security implications of the laissez-faire approach that has dominated Internet regulation. Since the late 1980s, this US-led, hands-off approach has facilitated unprecedented technical innovation. Competition and technological progress have driven down the price of resources like hosting and domains. While cheaper prices do benefit everyday users, near-general availability and low prices have the unintended consequence of enabling the inevitable elements of the human condition that are often kept in check by law and regulations. In short, laissez-faire governance was reasonable for infrastructures used by a small group of expert users but now comes at the cost of real harm and threats to individuals, organizations, and society at large.

In this talk, we focus on the multi-stakeholder approach to governance of Internet domain names and addresses that in part results from this laissez-faire approach. While technically open to all, meaningful participation in multi-stakeholder fora like ICANN and standard-setting bodies has always required time and money. Naturally, large vested interests like corporations will be heavily involved in, and often try to steer, governance and policymaking concerning the processes on which their operating environment and profit margins depend. Less profit-driven stakeholders, including academics and independent researchers, consumer protection agencies and advocacy organizations, as well as civil society in general, have fewer resources and are thus less able to have their interests represented and thus have an equivalent impact on policy. Recently, tensions among key actors have risen, along with familiar but escalating criticism by both insiders and outsiders regarding the imbalanced representation of stakeholders, volunteer burnout, slow progress, high cost, and unscalable results of policy development.

Due to the technically open but heavily stratified nature of internet governance, goals like public security and safety have often been neglected, and their proponents struggle to tackle these issues through existing policy avenues. Furthermore, independent researchers or public interest bodies have difficulties when trying to comprehensively study end-user security, or the relationships between policy, organizational arrangements, pricing, costs, and abuse.

In the short term, we must recognize that the current lack of data and access undermines our understanding of the status quo, and thus inhibits possible preparations for a more secure "cyberfuture." In the medium term, we argue that these fora will have to be reorganized to provide a stronger voice to consumer protection interests, and the independent experts and researchers that support them. In the long term, we need the regulatory function—or at least some form of oversight—to be (financially) independent from the industry it regulates.