Governing the Internet: The Latest Addition to the Global Governance Monitor

Coauthored with Naomi Egel, research associate in the International Institutions and Global Governance program at the Council on Foreign Relations.

The Internet has facilitated countless improvements in lives around the globe, from reducing costs of business transactions to connecting distant expatriate communities. But it has also brought challenges, from new privacy concerns to cyberattacks.

The latest addition to the Global Governance Monitor, produced jointly with our colleagues in CFR’s Digital and Cyber Policy program, assesses efforts to govern cyberspace. Unlike most other issue areas explored by the Global Governance Monitor, the regime for Internet governance is—at best—fledgling. There is no cornerstone treaty, as for nuclear weapons (the Treaty on the Nonproliferation of Nuclear Weapons) or crime (the UN Convention against Transnational Crime) undergirding the regime. Further treaty-making is additionally complicated by the speed with which the Internet is evolving: by the time negotiations are finished, a treaty might be irrelevant. Still, despite serious challenges to robust Internet governance, there have been some positive steps toward improving international cooperation in cyberspace.

Major Governance Challenges

Disagreements among major powers: The United States, European Union, Russia, and China disagree on how the Internet should be managed. The United States and Europe support a continuation of the decentralized, multistakeholder process that involves governments as well as civil society, businesses, technical experts, and other private citizens. This is the model on which ICANN (the Internet Corporation for Assigned Names and Numbers), which manages the allocation of IP addresses and the domain name system (DNS), among other functions, is based. In contrast, Russia, China, and other authoritarian countries see the multistakeholder model as favoring U.S. economic and security interests and want Internet policy issues to be decided through purely intergovernmental forums, like the International Telecommunications Union (ITU). Many developing countries, which often lack independent civil-society actors or businesses capable of participating in multistakeholder governance, also prefer venues like the United Nations (UN) where governments are the primary actors.

Tensions between privacy and security: Particularly after the Snowden revelations, privacy on the Internet has become a core concern for people around the world. In light of these concerns the European Court of Justice (ECJ) recently struck down the Safe Harbor agreement on the grounds that it failed to provide adequate protections to data on EU citizens in the United States. This agreement had sought to set standards to protect privacy: under it, American companies that operate in Europe are required to self-certify that they disclose to customers when personal data is being collected, how it is being used, and who has access to it. The ECJ’s decision made clear that existing privacy protections no longer provide the assurance they previously did.

Ongoing Cooperation Efforts

Incorporating Internet governance into existing institutions: As the Internet increasingly changes nearly every aspect of our lives, a growing number of international institutions are taking the Internet into account in their respective domains. In 2013, the Organization for Economic Cooperation and Development (OECD) updated its 1980s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The UN Human Rights Council passed a resolution in 2012 affirming that “the same rights that people have offline must also be protected online.” Meanwhile, the UN Office on Drugs and Crime (UNODC) has taken up the issue of cybercrime by initiating a draft study to examine countries’ ability to tackle it.

Developing norms for cybersecurity: As cybersecurity risks and attacks become increasingly public, governments are struggling to prevent, mitigate, and respond to them. These challenges are compounded by difficulties of attributing malicious cyber activity to a specific actor and discerning the intentions of malevolent actors. The United States and others have attempted to promote norms of responsible behavior in cyberspace, but countries have different ideas of what “responsible behavior” involves: for example, the United States and many NATO countries consider that the laws of armed conflict apply in cyberspace, while Russia and China have actively promoted the concept of “cyber sovereignty.” Countries are also unable even to agree on a definition for “cybersecurity.” Moreover, private sector companies, rather than governments, provide most cybersecurity assistance, making it difficult for the ITU or other established intergovernmental venues to coordinate global efforts.

Potential Policy Options

Improve data collection on cybersecurity

All states need better data to assess cybersecurity threats and vulnerabilities and whether existing efforts are working. Currently, however, such data is collected primarily by companies selling cybersecurity products and thus inherently biased. To create a more neutral process, the OECD is attempting to streamline cybersecurity data collection and reporting requirements among its member states. Over time, this process will also enable states to compare practices across jurisdictions and to set common international standards. The United States should both contribute to this effort and seek to involve non-OECD countries as well.

Give the ITU the authority to discuss but not decide Internet issues

The ITU has historically been one of the more effective UN bodies, and today, many developing countries ask the ITU’s advice for Internet issues from cybersecurity to broadband development. Still, the ITU’s involvement in Internet issues is politically charged, as many efforts to expand its influence have sought to centralize authority over the Internet and directly challenge the role and operations of ICANN and other decentralized, multistakeholder venues. The promising middle ground here is to encourage the ITU to act as a facilitator, but not a deliberative body or service provider, to help countries solve Internet-related challenges. The ITU can link experts on Internet policy issues from government, the private sector, and civil society to help expand Internet access in a secure and reliable manner.

Create a digital due process system

One of the biggest obstacles to improving online privacy is the lack of a digital due process system to standardize how operators of Internet platforms respond to requests from users to correct online information. Governments and the private sector should fill this gap by agreeing on a streamlined approach to the processing of such requests for the removal of content. Any such system should also include a consistent approach for handling law enforcement requests for data from platform operators like Google, Facebook, and Twitter. The United States is in a special position to lead and shape the creation of a digital due process system, since so many of these companies are U.S.-based.

These comprise only a sampling of the issues explored in the Global Governance Monitor: The Internet. For more, visit the monitor itself.