The internet, Google CEO Eric Schmidt once said, is the only thing that man has created that it does not understand. A lack of understanding has never been an impediment to regulating something, but when it comes to the internet, the stakes are particularly high.
In the past month, in the wake of the WannaCry and NotPetya outbreaks—which left tens of thousands of PCs forcefully encrypted and their data held hostage by unknown cybercriminals—there has been a steady drip of calls for national governments to “do something about cybersecurity.” While the urgency surrounding cybersecurity measures is undoubtedly warranted, the temptation to award greater responsibility for regulating cyberspace to national governments must be resisted.
Some of these appeals seem reasonable and at least worthy of discussion: At a G20 meeting on June 10, German Chancellor Angela Merkel said that the internet requires some sort of digital rules, analogous to those rules that govern the financial system. Microsoft’s President Brad Smith went even further, restating his proposal for a Geneva Convention for cyberspace, with an attendant international consortium tasked with attributing cyber-attacks.
But recent public commentary on cybersecurity has tacked in a slightly but meaningfully different direction as well: British Prime Minister Theresa May announced after the London Bridge terror attack that she wanted to introduce plans to “regulate cyberspace to prevent the spread of extremist and terrorism planning.” She refused to rule out Chinese-style internet censorship as part of that strategy, suggesting that she might look to shut down or ban companies that didn't comply with her controversial proposals to actively censor internet content and assist in spying on all communications. May even announced that she wanted to make the country once known as the mother of all democracies a “global leader in the regulation of the use of personal data.”
No wonder Russian President Vladimir Putin has been relatively quiet on the subject recently. Russia has been calling to regulate the internet (and in particular internet content) for nearly two decades. The current discussion emerging amongst Western democracies may greatly advance this goal.
Russia and its allies have been a clearly recognizable political bloc with a common goal: bringing the global internet, and in particular internet content, under some sort of intergovernmental control. Diplomatically, these nations have pursued this agenda on two tracks. First, they have tried to shift the responsibility of managing the Domain Name Service, the telephone book of the internet, from a U.S.-incorporated but international NGO to some kind of intergovernmental body, preferably an agency of the United Nations. Second, they have sought to push international security concerns, like how to manage state conflict in cyberspace or how to fight terrorism and crime, under the purview of one or more new international treaties. Russia and its allies, especially China, have advanced drafts of a code of conduct for cyberspace that would especially encourage cooperation on the “three evils” of “radicalism, separatism and terrorism.” Much of this cooperation is simply about securing agreements to block access to content that those regimes don’t like—from Islamist websites and dissident social media groups to translated copies of The New York Times. These governments have also cleverly exploited the anxieties of Western nations about a clear escalation of state-led conflict in cyberspace, a strategic shift in international affairs sometimes treated like the early introduction of nuclear weapons. Russia and its fellow travelers have resisted calls to accept the complete application of current international law to cyber operations, and at the end of June helped sink attempts in a United Nations negotiating group of 25 countries to reach an agreement to this end. Instead of a political agreement between states on what the rules of the road for state conflict in cyberspace entail, the authoritarian nations continue their drive toward a new international legal treaty.
Most Western diplomats fear that these nations would have no interest in abiding by such a treaty, which would also be impossible to verify.
At the same time, such a governmental treaty could serve as a body blow to the current non-state-led model of how the core of the internet is actually run. The global internet is managed by stakeholders from civil society, the private sector, and, to a lesser degree, governments. The strategy of reinforcing the non-state-led nature of the internet was always considered in the West to be the only bulwark against a potentially catastrophic Orwellian misuse of the internet by governments. We already have an idea of what this could look like: China is considering a “social credit score” scheme that would reward and punish its citizens for their behavior online. There should be no doubt that this is the kind of internet some nations would like to see: a perfectly controlled information bubble that entrenches their regimes’ hold on power.
While this darkening of the internet has not yet come to pass, the embryonic discourse among Western societies is worrying and amounts to a slippery slope. Simplistic notions of government-only solutions to cybersecurity support the quintessentially Russian narrative that, in effect, amounts to considering all information, all speech, as a potential weapon—if governments say it is. Truly frightening is the degree to which specific cyber incidents like the NotPetya outbreak are able to subtly advance the agenda of countries like Russia in the Western media. This may not be by chance: the origin and actual purpose of these cyber-attacks are unclear; wanton destruction, rather than profit, may well be their goal. If that is the case, we need to consider that one intent of the creators may simply be to help advance the discussion of government solutions on cyber threats—to execute an information warfare attack rather than just a cyber-attack. What is certainly true is that, combined with a relentless stream of incidents around the use of social media for both information warfare and also Islamist terrorist recruitment purposes, some Western governments may be feeling that the Russian and Chinese approach to regulating the internet is not as bad as it once seemed. As Theresa May showed, there is a strong temptation to cast aside fundamental democratic values in order to find simplistic solutions to a perceived cybersecurity threat.
This trend must be resisted if we are going to keep the internet as it is: a unique expansion of personal freedoms and productivity. National governments have much to contribute to conversations about stronger cybersecurity measures. Conceptually, Chancellor Merkel’s comparison of the internet with the financial system has merit, and has indicated what new paths could be explored in the future. But as President Obama said in 2015, there is no single sheriff that can bring order to this digital Wild West. The internet that has brought us such obvious benefits in recent decades is a messy place, and the non-state-led system for managing it is messy as well. But although it may not be pretty, it’s a lot better-looking than the model the authoritarian forces want. All those wishing for an easy fix for security issues should be careful what they wish for—otherwise, when aiming to fight cyber threats, we may end up hitting democracy instead.