On Monday, June 17, 2013, the Atlantic Council’s Cyber Statecraft Initiative, of the Brent Scowcroft Center on International Security, held a discussion on Capitol Hill about the future of Internet governance with Dr. Greg Rattray, CEO and founder of Delta Risk, and Dr. Paul Twomey, former president of ICANN and founder of Argo [email protected] The discussion, moderated by the Atlantic Council’s Mr. Jason Healey, director of the Cyber Statecraft Initiative, was coordinated with the office of Congressman Jim Langevin (D-RI), who also delivered closing remarks in which he emphasized the importance of an open Internet for both American prosperity and the promoting freedom worldwide.

Dr. Twomey and Dr. Rattray explained the current status of Internet governance and the multi-stakeholder model, in which both state and corporate actors have a voice. The multi-stakeholder model emphasizes Internet openness. An alternative state-sovereignty model, proposed by countries including China and Russia, would accentuate security at the cost of openness. While Western nations continue to support a multi-stakeholder model, a significant number of countries favor the state-sovereignty model. Debate remains lively.

Dr. Twomey argued that the US lacks a consistent narrative on how it views the Internet. Perceived inconsistencies in US policies confuse the international community. The US pushes Internet freedom as part of its democratic values. However, the US is widely perceived to be responsible for the Stuxnet attack against Iran in 2010 and the US is the only nation to have a military command focused on cyberspace. The recent NSA leaks revealing PRISM and other surveillance programs further alienate nations that fear a US-dominated Internet.

Dr. Twomey noted that Africa may be the key in deciding Internet governance. Between western and eastern competing perspectives on Internet governance are “swing states,” many of which are in Africa, that have not decided which governance model to support. While states want the economic growth which comes with a multi-stakeholder model, Dr. Twomey pointed out that the content control of the state-sovereignty model appeals to nations’ telecommunications professionals, many of whom are former intelligence officers trained by Cuba or the Soviet Union. What these states decide will heavily influence the future of Internet governance.

Dr. Rattray added that America’s internal debate on government responsibility in cyberspace is also impacting Internet governance. Declaring cyberspace a military domain and developing and expanding USCYBERCOM have prompted other nations, including Russia and China, to expand their own military capabilities in cyberspace.

On the subject of attribution for cyber attacks, Mr. Healey explained that larger, more severe, cyber attacks do not occur at random but are part of a broader geopolitical context. The cyber attacks against Estonia and Georgia were both part of a deterioration of relations with Russia. The DDoS attack against US banks occurred within the context of Iran and American relations, and may have been retaliation for the Stuxnet attack. While attribution is important and likely more difficult for both smaller-scale attacks and larger cybercrimes, this is not an insurmountable problem. Recognizing cyber attacks within their broader geo-political context provides significant clues to attribution. The Mandiant Report on Chinese espionage illustrates that technical attribution capabilities are continuing to improve.

The discussion further illustrated that there remains significant debate on how Internet governance can deal with cyber attacks. Issues such as thresholds for armed conflict, private companies “hacking back” against malicious actors on their own, and the potential for international security standards remain hotly debated.

Related Experts: Jason Healey and Gregory Rattray