This article is part of the monthly CSI5x5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the CSI5x5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].
The internet has been a pivotal force behind the growth of the global digital economy and altered the relationship among states, their citizens, and the private sector. These changes have disrupted the geopolitical balance of power and ushered in a new generation of globally-powerful multinational companies. However, new dynamics of conflict are threatening the internet as we know it.
Our Cyber Statecraft Initiative experts go CSI5x5 to take a look at how the changing internet is shaping the conduct of statecraft.
#1 Since its development in the late 1980s, what has been the most consequential governance miscalculation made in the adoption of the internet?
Trey Herr, director, Cyber Statecraft Initiative: “Failure to agree on, and widely adopt, an authentication scheme for email. Be it spamming, spoofing, or phishing—email has been rife with malicious abuse since its inception yet serves as the lingua franca of the internet. The cost has been decades of fraud, regular security compromises, and galactic quantities of spam.”
Jeff Moss, nonresident senior fellow, Cyber Statecraft Initiative; founder, Black Hat and DEF CON security conferences: “When the International Telecommunication Union allowed data lines to be treated differently than voice circuits in regards to fees that countries could charge for landing, termination, etc. This had the positive effect of allowing data lines to flourish all over the world and cheap internet to be the norm. This is also why the internet cost structure is not the same as the (legacy) voice structure.”
Justin Sherman, nonresident fellow, Cyber Statecraft Initiative; fellow, Duke Center on Law & Technology at Duke University School of Law: “The assumption that the internet would somehow operate independently from existing political, economic, and social dynamics and power structures—whether that’s social media platforms underpreparing for the volume of hate speech that would spread on their platforms, or citizens thinking corporations wouldn’t grow to have an outsized influence on the global web, or liberal democratic governments assuming the advent of the internet in authoritarian countries would inherently bring with it information openness and democratization.”
Sara-Jayne Terp, nonresident senior fellow and senior advisor, GeoTech Center, Atlantic Council; lecturer, Western Washington University: “Nobody who dealt with large-scale governance models expected the internet to become this important. And by the time it did, there was a powerful second human world, with all the issues of the physical world, but no real equivalents to Diplomacy, Information, Military, and Economic (DIME) models, and all the added complexities of the 3+1Vs (volume, velocity, variety, veracity). We metamorphosed from friendly hippies to Eternal September to online hybrid conflict whilst losing the humanities majors who could have helped us with that (yes, back in the 1980s, we had computer scientists with humanities degrees).”
Josephine Wolff, assistant professor of cybersecurity policy, Tufts University Fletcher School of Law and Diplomacy: “From my perspective working on cybersecurity and liability, I think the most consequential miscalculation has probably been not clarifying the expectations for different stakeholders when it comes to security responsibilities—what kinds of security measures we expect from internet service providers versus web hosts versus Domain Name System (DNS) operators versus payment processors versus software manufacturers, etc. Those expectations are hard to crystallize because the threats evolve over time, of course, but even so, we could have done a much better job earlier on of trying to define what particular capabilities each of these stakeholders has to identify and crack down on certain types of online misbehavior. We could have also thought much more carefully and rigorously about what kinds of responsibilities that should translate into across the larger internet ecosystem.”
#2 How have authoritarian regimes’ increased control over the internet within their borders—such as through censorship and surveillance—impacted US national security?
Herr: “The contrarian answer—it may be on the way to improving US national security. Why? Much of this authoritarian information control—if not outright surveillance—is carried out or facilitated by some large US-based technology companies. This has raised concerns in the United States, provoking conversation between the public and private sector about the responsibilities of these global technology firms. The product of these conversations is not always progress but the dialogue itself builds relationships and helps bridge a cultural gap. These relationships will pay dividends down the road and better they are formed now than in a moment of crisis.”
Moss: “The goal for many is to control content and suppress dissent through real name policies—“internet drivers licenses”—and other measures to identify who is saying what. This is coupled with traffic inspection technology, mostly made in the West unfortunately, and backed up by local laws. This impacts US national security because there is less free flow of ideas, is harder for people in the US interact with others, and the fragmentation of the internet into different pieces hurts global economic competitiveness.”
Sherman: “Censorship and surveillance can have negative impacts on human rights, democracy, and internet freedom and openness—all of which are reason for concern—but there are also potential national security implications. Increased online control can enable authoritarian regimes to consolidate power, many of whom may not align with US national security interests. Increased online control may also lead certain actors to perceive themselves as more insulated from foreign hacking and other risks and thus increase their outward-facing malicious activity as a result.”
Terp: “Security of the state, or security of the people? And which people? Countries like China’s use of the internet and connected technologies to stalk Americans related to it could definitely be viewed as a mass personal security problem, leading to a question of just how widespread does an security problem have to be before it’s national security? The abuse of the online and internet-enabled commercial surveillance that we’ve all become used to as the price of being online (or of our friends and neighbors being online—see under Ring doorbells) by other nation-states coupled with the surprising amount of information shared by government here (really? I can just look up everyone’s address and birthdate here?) has made micro-targeting and fine-tuned disinformation easier, and old-school tradecraft to gather information abroad harder. All the parts of the DIME model have been changed by this change in information availability.”
Wolff: “Particularly in the case of China, it seems to have forced the United States to think more carefully about supply chain security and the national security implications of relying on overseas suppliers to provide equipment for internet infrastructure and devices—as well as the national security implications of its allies’ suppliers given the global nature of the internet.”
More from the Cyber Statecraft Initiative:
#3 Finish this sentence. If the internet were to be redesigned, core values of that redesign should be…
Herr: “Distributed trust, equitable control, and open architecture.”
Moss: “Decentralization and communications privacy with no reliance on any centralized components, such as the DNS system today. Privacy to reduce surveillance capitalism, decentralization (at the expense of raw performance) to increase resiliency.”
Sherman: “Security: robust, by-default security of transmitted internet data, for instance, which can better protect consumer privacy and safeguard journalists, political dissidents, and citizens against surveillance; robust, by-default security of internet protocols, which can prevent governments or criminal groups from hijacking and redirecting large volumes of internet traffic; and so on.”
Terp: “…to build spaces that continue to work for everyone: small and large businesses alike; people regardless of gender, color, language, access, and reduce the fears that harassment and abuse create.”
Wolff: “This is probably an unpopular opinion, but I think I’d actually choose a lot of the same values that were initially baked into the internet, beginning with the flexibility of the end-to-end principle and the resilience of its decentralization. Because I spend so much time looking at security incidents, I’d be tempted to include security as a core value but it’s hard for me to say exactly what that would mean in practice—that it’s harder to spoof information about where packets originate from? I think there would be some benefits to embedding that principle in the design of a new internet but it’s also difficult for me to predict what all the unintended consequences would be of designing an internet that way since one of the great lessons of the internet we have today is that it’s very hard to make those predictions ahead of time!”
#4 Is a free, fair, open, and secure internet possible?
Herr: “It was easier before the internet’s widespread commercialization but that inflection point is long past. An internet with these principles is possible but policymakers and users’ goal should be to evolve the current architecture forward to this state rather than trying to revert to a previous incarnation of the network.”
Moss: “No, technology has costs, and trying to keep everything free brought us persistent advertising and profiling. For example, I can’t pay Facebook to not show me ads. The economic model is advertising to create the appearance of free, but it is actually at odds with an open and secure internet.”
Sherman: “Yes, although not perhaps quite as free, fair, open, and secure as once imagined. The current internet has many flaws and imperfections in its technical design, and other problems like weak or nonexistent data privacy regulations in many countries allow for infringements on ideals of fairness. But there is hope for the future, should governments, corporations, citizens, human rights activists, and civil society work together in different ways on the various issues facing and created by the modern internet.”
Terp: “Mostly. It is not an absolute, and it is not an end state: we have to keep working every day to keep the internet healthy.”
Wolff: “Sure, I think the larger question is, is it possible for us to reach any consensus about what it means for the internet to be free, fair, open, and secure? If we could answer that question in any consistent way, I have great faith we could make it happen, technologically.”
The Cyber Statecraft Newsletter
#5 In the next ten years, who will be the most influential force on the shape of the internet—states, companies, or individuals? Why?
Herr: “Companies. Major technology firms appear to be winning more battles over the design and deployment of technology than individuals, and even where states wish to influence the internet, they generally have to act through companies to do so. The concentration of cloud computing into a handful of hyperscale vendors has centralized an enormous amount of influence over the internet and how it used. For better and worse, these companies will have a major role to play.”
Moss: “States, they will determine the extent of fragmentation through national laws and regulations. Data localization laws already distort who can afford to enter a market. Should countries fight over the internet then the network operators will respond and try to protect their investments and users, changing how the network operates. Companies and users may change their behaviors, but it is under the framework of laws that countries impose.”
Sherman: “States, though certainly including through engagement with companies and individuals. More countries around the world are exerting increased sovereignty over the web within their borders, from Beijing’s content controls and Moscow’s domestic internet law, to the EU’s General Data Protection Regulation and New Delhi’s draft Personal Data Protection Bill. They will have a strong influence on the shape of the web in the next decade.”
Terp: “Companies. States have the power to bound the internet around their territories; to limit the mobile bandwidth available in countries where that is the main access to the internet, to control traffic to and from servers. Individuals—some individuals, often with help—have ways around that (hello steganography) and can form communities to push back against some of the stronger constraints (communities should also be on that list). But the group that ultimately stands to make most difference is companies—from companies launching small satellites and other ways to get internet coverage into previously-dark areas, to companies working with research organizations to change the ways we interact with each other, as individuals, communities, nations etc., online.”
Wolff: “My guess would be that states will be the most influential force, but they will exert that force largely through companies. Or, put another way, states will make many high-level rules about how they want the internet to be run, but the actually nitty-gritty implementation of those rules will be delegated to companies who will have significant discretion in many cases to decide, operationally, what those rules will look like in practice.”
Simon Handler is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.