Safeguarding Cyberspace

CAMBRIDGE – Brazil recently hosted NETmundial, the first global conference on Internet governance, attended by 800 representatives of governments, corporations, civil-society organizations, and technologists. Based on the notion of “multi-stakeholderism,” the meeting produced a 12-page “outcomes” document.

Nonetheless, at the end of the conference, there was still no consensus on global cyber governance. Many governments continued to advocate traditional United Nations voting procedures for making global decisions, and defend their right to control domestic cyber activities.

In a sense, this is not surprising. After all, though the Internet is a complex, fast-evolving, and all-encompassing global resource, it has not been around for very long. While the World Wide Web was conceived in 1989, it was only in the last 15 years that the number of Web sites burgeoned, and Internet technology began to transform global supply chains. Since 1992, the number of Internet users has exploded from one million to nearly three billion. Just like that, the Internet became a substrate of economic, social, and political life.

In its early days, the Internet was often characterized as the ultimate egalitarian conduit of free-flowing information – a harbinger of the end of government controls. But the reality is that governments and geographical jurisdictions have always played a central role in regulating the Internet – or at least have tried. Ultimately, however, the Internet poses a major governance challenge, exemplified in ongoing efforts to understand the implications of ubiquitous mobility and the collection and storage of “big data.”

The governance challenge stems from the fact that cyberspace is a combination of virtual properties, which defy geographical boundaries, and physical infrastructure, which fall under sovereign jurisdictions. Control of the physical layer can have both territorial and extraterritorial effects on the virtual layers. At the same time, attacks can be launched from the low-cost virtual realm against the physical domain, where resources are scarce and expensive.

The Internet began as a small village of known users, where an authentication layer of code was unnecessary and the development of norms was simple. But then it grew, and everything changed. Though cyberspace offered the advantages of access to information and easy communication to a growing number of people, it became a breeding ground for crime, hacker attacks, and threats to governments.

Efforts to limit the risks incurred in this volatile environment have focused on creating private networks and “walled gardens” (closed platforms) – cyber equivalents to the seventeenth-century enclosures that were used to solve that era’s “tragedy of the commons.” But this raises the risk of fragmentation, which, if allowed to go far enough, could curtail the Internet’s economic benefits.

Given that security is a traditional function of the state, some observers believe that growing insecurity will lead to a greater role for governments in cyberspace. Indeed, accounts of cyber war may be exaggerated, but cyber espionage is rampant, and more than 30 governments are reputed to have developed offensive capabilities and doctrines for the use of cyber weapons. Ever since the Stuxnet virus was used to disrupt Iran’s nuclear program in 2009-2010, governments have taken the threat posed by cyber weapons very seriously.

Governments also want to protect their societies from what comes through the Internet. For example, China’s government has not only created a “Great Firewall” of software filters; it also requires that companies take responsibility for censoring their public content. And, if China is attacked, it has the capacity to reduce its Internet connections.

But China’s government – and others that practice Internet censorship – still want to reap the economic benefits of connectivity. That tension leads to imperfect compromises.

A similar tension exists in the effort to create international Internet-governance norms. While authoritarian countries like China and Russia seek “information security,” including the kind of overt censorship that would be prohibited in countries like the United States, Western democracies pursue “cyber security.”

This divergence was starkly apparent in 2012, at a conference convened in Dubai by the UN’s International Telecommunications Union (ITU). Though the meeting was ostensibly about updating telephony regulations, the underlying issue was the ITU’s role in Internet governance.

Authoritarian regimes and many developing countries believe that their approach to sovereignty, security, and development would benefit from the multilateral processes that the ITU employs. But democratic governments fear that these processes are too cumbersome, and would undercut the flexibility of the “multi-stakeholder” approach, which stresses the involvement of the private and non-profit sectors, as well as governments. The vote in Dubai was 89 to 55 against the “democratic” governments.

This outcome raised concerns about a crisis in Internet governance – concerns that the recent conference in Brazil alleviated, but only slightly. Stayed tuned. There are many more conferences scheduled on cyber governance – and a lot more work to be done.