Chapter 19

The “Borderless” International Internet

Cyberspace is a domain without distinct borders where action at a distance is the new reality. In effect, almost every computer in America is a potential border entry point. This reality makes international engagement on cybersecurity essential.

Even more notably, the sheer scale of the network demands a global approach. The Internet is as large a human enterprise as has ever been created. More than 2 billion users send more than 88 quadrillion e-mails annually, and they register a new domain name with the Internet Corporation for Assigned Names and Numbers (ICANN) every second of every day. The scope of the Internet is as broad as the globe, and that makes the scope of the Internet governance question equally broad—who sets the rules for the Internet and what rules they set is a question that can only be answered on an international basis.

This, then, is a fundamental question—perhaps THE fundamental question—of cyber conflict today: How does a fractured international community respond to the phenomenon of the Internet? One has the clear sense that 40 years ago, when the Internet was born, the various sovereign nations of the world didn't think much of the innovation. By and large, they systematically ignored it and let it grow on its own with its own relatively unstructured set of governing authorities. And then sometime in the last 10 years, the nations of the world looked up and suddenly recognized that the Internet had become this immense entity—possibly the largest human enterprise in existence—and that it had a vast influence and power. The Internet could be used to change governments and spread culture; it could run nuclear power plants and fight a war. With that realization, sovereign nations became quickly and intensely interested in the Internet. The result is a trend toward the re-sovereignization of cyberspace or what Chris Demchak and Peter Dombrowski of the Naval War College call the “Rise of a Cybered Westphalian Age,”1 that is, an age in which sovereign nations control the Internet.2

And so, the question is: Who will run the Internet? Will it be separate sovereign countries? Will it be the UN? Or a set of nongovernmental organizations like ICANN and the Internet Engineering Task Force? For America this question poses a problem. Some think it is critical that our engagement occur in a manner that is protective of American interests and maintains American freedom of action. By contrast, some (including the Obama Administration) advocate a general approach that favors the development of multilateral norms to preserve the openness of the Internet, while relying on supra-national organizations to manage cybersecurity problems. The choice is of truly profound significance—perhaps more so than any other question addressed in this book.

THE RISE OF SOVEREIGNS

Nobody owns the Internet. We've seen throughout this book how sovereign nations around the globe have allowed the Internet to grow without significant control or regulation. Rather, technical standards are set by the IETF and limited substantive regulation of the Internet (e.g., the creation of new top-level domain names and the like) is done by ICANN. ICANN was, originally, a quasi-American corporation chartered by the Department of Commerce, but it has been spun off as a nonprofit international organization.

On a nation-state level, this is slowly changing. Some countries have responded to this reality by attempting to cut themselves off from the Internet or censor traffic arriving at their cyber borders. The most notorious example is China's attempt to construct a Great Firewall to keep Internet traffic out of the country.3 China conducts an active effort to suppress adverse news on the Internet, with more than 300,000 Internet monitors engaged in the process.4 As a result, the recent unrest in the Middle East seems to be unable to find traction in China. The instinct to regulate is not, however, limited to authoritarian regimes. Even liberal Western countries like Australia have proposed restrictions on Internet traffic, albeit for reasons that are, on the surface, more legitimate, such as limiting the spread of child pornography.5

Or, consider another example from a relatively small nation, Belarus. According to the Library of Congress6 on December 21, 2011, the Republic of Belarus published Law No. 317–3. The law imposes restrictions on visiting and/or using foreign websites by Belarusian citizens and residents. It also requires that all companies and individuals who are registered as entrepreneurs in Belarus use only domestic Internet domains for providing online services, conducting sales, or exchanging e-mail messages. In addition, the owners and administrators of Internet cafes or other places that offer access to the Internet might be found guilty of violating this law and fined and their businesses might be closed if the users of Internet services provided by these places are found visiting websites located outside of Belarus and if such behavior of the clients was not properly identified, recorded, and reported to the authorities. Talk about a Westphalian response to the borderless Internet!

The impetus for greater control has also led a number of nations to call for a UN organization (the International Telecommunications Union [ITU]) to exert greater control over the operation of the Internet. Likewise, some nations have urged greater international control over the content of the Internet. Indeed, Russia and China have begun advocating for the adoption of an international treaty to govern conflict in cyberspace—a Cyberspace Geneva Convention, if you will. Critical to their draft proposals is the adoption of cyber conflict norms about targeting (about which more in the following text), married to an international standard that allows each nation to manage its domestic Internet however it pleases (in effect, giving international law approval to domestic Internet censorship).

Indeed, according to Demchak and Dombrowski, this development is inevitable:

A new “cybered Westphalian age” is slowly emerging as state leaders organize to protect their citizens and economies individually and unwittingly initiate the path to borders in cyberspace. Not only are the major powers of China and the United States already demonstrating key elements of emerging cybered territorial sovereignty, other nations are quickly beginning to show similar trends. From India to Sweden, nations are demanding control over what happens electronically in their territory, even if it is to or from the computers of their citizens.

This process may be meandering, but…it was inevitable, given the international system of states and consistent with the history of state formation and consolidation. As cyberspace is profoundly man-made, no impossible barriers hinder the growth of national borders in cyberspace. They are possible technologically, comfortable psychologically, and manageable systemically and politically.7

That prospect certainly reflects the reality of the issue from the perspective of nations, but it may not reflect the intent of the broader Internet community. We can be sure of resistance to this trend.

INTERNET ACCESS AS A HUMAN RIGHT

One way to think of that resistance is to ask: do human beings have a fundamental right to have access to the Internet? How you view the question may very well drive your assessment of the right structures for the international governance of the Internet. Indeed, if you think access is a fundamental right, you will be unalterably opposed to the new cybered Westphalia.

Vinton G. Cerf thinks the answer is clearly “no,”8 and he ought to know. After all, Cerf is one of the fathers of the Internet and currently serves as the Chief Internet Evangelist for Google—he is one of the grand old men of the network (if any endeavor that is barely 40 years old can be said to have a grand old man). According to Cerf, the right way to think about technology is as an enabler of rights—not as the right itself. Human rights “must be among the things we as humans need in order to lead healthy, meaningful lives, like freedom from torture or freedom of conscience. It is a mistake to place any particular technology in this exalted category, since over time we will end up valuing the wrong things.” After all, 150 years ago having a horse might have been an essential enabler; 50 years ago, a car. The Internet, like any technology, is a means to an end—not the end itself.

Others disagree. For example, the United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression is of the view that a complete denial of access to the Internet is a violation of international law: “[C]utting off users from Internet access, regardless of the justification provided, [is] disproportionate and thus a violation of article 19, paragraph 3, of the International Covenant on Civil and Political Rights.”9 The Rapporteur views the denial of Internet access as an unacceptable means of controlling freedom of expression and limiting dissent. Set against the backdrop of the Arab Spring, there is a certain force to his concerns.

In the end, the disagreement may not matter. Most would admit that the Internet is an exceedingly powerful enabler of freedom. Those who design the Internet, and those who manage it, ought to do so cognizant of the great force they have unleashed—and that it can be used for good or ill. One way to think about the Internet-as-human-right issue is to simply ask whether those designing the Internet's architecture (like the IETF) might not owe a duty of care to the general world population to take greater steps to make the Internet impervious to malware and viruses.

DATA SOVEREIGNTY

The Westphalian image is one of conflict, rather than cooperation. Already, we can see how it will play out in cyberspace. Consider just one issue: In a wide, interconnected world, data and applications run on servers. Those servers, though connected to a borderless web, all reside somewhere physically. Who controls them and the data they contain?

The real estate sales mantra (“location, location, location”) is equally relevant to critical aspects of distributed computing services. While the location of a data storage center may be irrelevant to many operations and applications, the physical location of a piece of data or information is often critical in determining which sovereign nation controls that data. Indeed, if information is power, then the location of information may determine who exercises power in cyberspace. The trend toward cloud systems—and the lack of any consensus on the rules that govern them—is a paradigmatic example of the breakdown in international governance.

International and national institutions need to come to grips with these challenges (often the issue is spoken of as one of data sovereignty, that is, which sovereign controls the data). The question of control is not a new one—issues of data sovereignty have been around since the first bits and bytes of data were transferred to a cheaper offshore data storage facility. But, the transition to a broader Internet-based model has greatly exacerbated the problem. When a customer uses cloud data storage, for example, it outsources data storage requirements to a third party via the Internet. The service provider owns the equipment and is responsible for housing, running, and maintaining it. Those servers can be anywhere—in the United States, in Europe, in Russia, or in a smaller third-world country.

When the customer is a private sector company, the transition to cloud storage and processing services creates difficult jurisdictional issues. Whose law is to be applied? The law of the country where the customer created the data? The law of the country (or several countries) where the server(s) are maintained? Or, the law of the home country where the data storage provider is headquartered? At a minimum, customers need to exercise caution and get concrete legal advice before transferring data offshore.10

There is, today, no international standard that governs the question of data sovereignty. Nor is any institution (say, the United Nations) likely to sponsor an agreement of this nature in the near future. Rather, disputes about the control of data are resolved on a case-by-case basis often turning on geography and/or economic factors. The fundamental factor that is likely to determine the resolution of a dispute is the physical location of the server. For example, when the United States recently began seeking banking data from Swiss banks for tax collection purposes, the critical factor was that the Swiss banks had to have a physical presence in the United States in order to be effective in the international financial marketplace.

For government data on overseas servers, the issues are made even more difficult to assess by the addition of national security concerns. Even if one could gain legal assurance (perhaps through contractual arrangements or international agreements) as to the integrity of data maintained in cloud servers offshore, that legal protection would not prevent or protect against intrusions and exploitations by foreign espionage agencies.

To be sure, the potential for intrusion and exploitation exists wherever the cloud data servers are located. If we have learned anything from recent intrusions like Operation Shady RAT, Byzantine Hades, and the penetration of RSA, it is that American-based servers are not immune from attack. But, the vulnerability to intrusion is increased significantly when the data repository is offshore. The potential for the exploitation of an insider threat increases whenever non-American staff has access to American data. Local cybersecurity capabilities of the cloud server's host country and its ISPs may be weaker than they are domestically. Nondomestic cloud servers will be outside of the protective umbrella we are attempting to create through public–private partnerships here in the United States. Perhaps most worrying, we can never know what the potential is for foreign espionage overseas nor discount the potential that peer-competitor nations like Russia and China will be more successful in targeting offshore cloud data servers.

The lesson here is that the Internet has a real world physical presence with its fiber optic transmission lines and server farms. Every data storage facility is located somewhere. And, when that “somewhere” is not in the United States, American companies and the American government run the risk that the data stored overseas will be subject to the sovereign control of the country where the data is located. That's probably tolerable and manageable for a private company. It is less tolerable and manageable for federal, state, and local governments. If, as some say, geography is destiny, principles of good governance and caution require U.S. governments to control their own destiny.

AN INTERNATIONAL STRATEGY

Given the limitations of a Westphalian-based policy, it is not surprising that the Obama Administration has pursued a multilateral approach to international cyber issues. The recently released International Strategy for Cyberspace11 points toward the creation of an “open, interoperable, secure, and reliable” communications and information architecture (surely, a positive goal) through building and sustaining norms of international behavior. The strategy goes further in articulating the norms it seeks to foster (freedom, privacy, respect for property, protection from crime, and the right of self-defense), but one may be forgiven in thinking that these norms are articulated at too high a level of generality and are unlikely to find great acceptance in many nations that value neither privacy nor freedom.

The limits of this sort of strategy are best exemplified by how the strategy addresses the problem of cyber crime. We saw, in chapter 7, how limited the effectiveness of the Cybercrime Convention has been. And yet, the principal goal of the new strategy for addressing cyber crime is to harmonize criminal law internationally by expanding accession to the Convention. If there were a realistic prospect that criminal havens, like Russia and China, would both join the convention and also implement it aggressively, this policy would likely be effective. But, in the absence of that prospect, the promise of a multilateral policy seems a bit empty.

CYBER WARFARE CONVENTION

Consider how the multilateral impulse has begun to drive negotiations over a cyber warfare convention. For years, the United States resisted Russian blandishments to begin negotiations over a cyber warfare convention, akin to the chemical warfare convention. The Russian model would outlaw certain types of cyber attacks (say, on civilian targets, like electric grids) as out of bounds. At its core, this seems a reasonable objective.

The principal American objection has been that a cyber treaty, unlike a ballistic missile treaty, is inherently unverifiable. In other words, in a world where weapons cannot be identified and counted and where attribution is difficult, if not impossible, how could any country be assured that others were abiding by the terms of the agreement?

Beyond verifiability, there is a question of enforceability. Those who are skeptics of a cyber warfare convention point, for example, to the provisions of the 1899 Hague Convention, which prohibited the bombardment of civilian targets.12 Needless to say, the commitment to withhold bombing of civilian targets did not survive the World War II Blitz of London and the firebombing of Dresden (not to mention the nuclear targeting of Hiroshima and Nagasaki). There is, it is argued, therefore good reason to doubt that a prohibition on targeting, say, electric grids, would be sustainable in a truly significant conflict.13 Notwithstanding these concerns, in 2009, the United States abandoned its position and agreed to discussions with Russia.14

As Jack Goldsmith of Harvard points out, in addition to the inherent inability to verify or enforce any cyber-disarmament treaty, the treaty would greatly limit America's freedom to act offensively in support of its own sovereign interests.15 To be sure, we would be bound to restrain the NSA's operations in a host of ways to abide by the treaty's requirements. In addition, we would have to clean up our own house. In a 2010 survey by McAfee, the computer security company, more information technology experts around the world expressed concern about the United States as a source of computer network attacks than about any other country.16 And so, we would likely be obliged to take steps to monitor the domestic Internet (and rein in our own hacker community) in compliance with our treaty obligations, steps that would be a civil libertarian nightmare.

More significantly, the proposed treaty comes with some baggage. Non-Western states view the cyber domain less as a means of communication and more as a means of control—a viewpoint they want to import into any global treaty. Consider the International Information Security agreement among the Shanghai Cooperation Organization nations (China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan). Under the agreement, state security and state control over information technologies and threats are permitted. In the view of the SCO nations, the major threats to their own sovereignty are the dominant position in the information space of Western nations and the “dissemination of information harmful to the socio-political systems, spiritual, moral, and cultural environment of the States.”17

INTERNET FREEDOM

And that leads to another consideration—America's interest in Internet freedom. We are often conflicted in that view, since freedom to use the Internet for political purposes often comes at the cost of decreased security on the network. But by and large we have come to see freedom of expression on the Internet as a fundamental good. That's why Secretary of State Hillary Clinton emphasized that “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government, and our civil society.”18

Indeed, as a symbol of our view that freedom of expression is critical, the United States is leading efforts to develop the technology for a shadow Internet—one that can be deployed independent of the main backbone of the network. If successful this new technology would, in effect, create an Internet in a suitcase and would enable dissidents to avoid the censorship of repressive authoritarian countries. To quote Secretary of State Hillary Rodham Clinton again: “We see more and more people around the globe using the Internet, mobile phones and other technologies to make their voices heard as they protest against injustice and seek to realize their aspirations…. There is a historic opportunity to effect positive change, change America supports…. So we're focused on helping them do that, on helping them talk to each other, to their communities, to their governments and to the world.”19

In short, one aspect of the new multilateral policy calls for the development of norms that are squarely at odds with those espoused by repressive governments. In that context, finding an international consensus is likely to prove very difficult.

THE INTERNATIONAL TELECOMMUNICATIONS UNION

So, if the Westphalian model leads to conflict and if the multilateral model involves disagreements that can't be squared, why not go the whole hog and create an international institution to run the Internet? Alas, that option, too, is problematic.

For years, the architecture of the Internet has been defined by two nongovernmental organizations—IETF and ICANN. Both are nonpartisan and professional and their policy-making is highly influenced by nations that are technologically reliant on the Internet and have contributed the most to its development and growth. As a consequence, America has an influential role in those organizations.

Many in the world see this as problematic. The International Telecommunications Union (the ITU dates back to 1865 but is now a part of the UN) has been proposed as a better model for Internet governance. Transferring authority to the ITU (or a similar organization) is seen as a means of opening up the control of the Internet into a more conventional international process that dismantles what some see as the current position of global dominance of U.S. national interests. In the ITU, like most UN institutions, a one nation/one vote rule applies—a prospect that would certainly diminish Western influence on Internet governance.

Indeed, some argue that giving the ITU a role in Internet governance is no different from the role that the World Customs Organization has in setting shipping standards, or the International Civil Aviation Organization has in setting aviation traffic rules. To some degree that may be true. The IETF is an inefficient means of setting binding international technical standards.

On the other hand, aviation communications frequency requirements and standard shipping container sizes are not fraught with political significance in the same way that the Internet has become. Rather those institutions succeed precisely because they manage the mundane, technical aspects of a highly specialized industry. They would be ill-suited to provide broadly applicable content regulation for a world-girding communications system. Thus, some fear that a transition to the ITU would run the risk of politicizing an already contentious domain even further.

At bottom, however, the preference for ICANN over the ITU is not just about national interests. It is also, more fundamentally, about the contrast between ICANN's general adherence to a deregulated market-driven approach and the turgid, ineffective process of the international public regulatory sector. Recall the Ford policy sedan issue that we earlier addressed with respect to the American policy-making apparatus. The problem will, if anything, be exacerbated in the international sphere. Given the scale of the problem, it is likely that the mechanisms for multinational cooperation are too cumbersome, hierarchical, and slow to be of much use in the development of international standards. Acceptable behavior on the Internet mutates across multiple dimensions at a pace that far outstrips the speed of the policy-making apparatus within the U.S. government already—and the international system is immeasurably slower. Indeed, some are reasonably concerned that there is no surer way to kill the economic value of the Internet than to let the UN run it.

Thus, though there is a real intellectual appeal to the idea of an international governance system to manage an international entity like the Internet, the prognosis of a cybered Westphalian age is almost certainly more realistic. We are likely to see the United States make common cause with trustworthy allies and friends around the globe to establish cooperative mechanisms that yield strong standards of conduct while forgoing engagement with multilateral organizations and authoritarian sovereigns.