Cyber Sovereignty and Online Borders Do Not Improve International Security

Hugo Zylberberg is a Fellow for Technology and Policy at Columbia University's School of International and Public Affairs. Nikolas Ott is a Mercator Fellow at the Mercator Program Center for International Affairs (Stiftung Mercator). This op-ed is based on a publication that was presented at the 2017 CyFy Conference in New Delhi, India.

In 2100 BCE, the ancient city-states of Lagash and Umma in Mesopotamia concluded the first recorded agreement to solve a border dispute. Little did they realize they were setting in motion a chain of events that would forever alter the course of history. Nearly 4000 years later, physical borders are still very much at the center of international relations and increasingly creeping onto the online world. Today, internet fragmentation—the process of erecting digital borders on a seemingly borderless space—is threatening to splinter the internet into loose internet-states.

One of the main arguments for creating borders in the digital realm is the same one used to create physical borders: security. The peace of Westphalia in 1648 established the notion that countries are sovereign and have dominion over everything within their borders. In Westphalia much like between Lagash and Umma, borders were supposed to increase domestic security by keeping out foreign meddling in a country’s internal affairs. One of the first attempts at establishing online borders occurred in the late 1990s, when a French court found that an auction of Nazi memorabilia on Yahoo.com violated French law. By protecting French citizens from Nazi material, French authorities exercised sovereign control over their territory, and contributed to internet fragmentation.

If keeping people and goods out of a country’s territory might improve security from physical threats, it hardly translates online. The belief that fragmenting the internet along physical borders could lead to better security is flawed for three main reasons. First, cross-border incursions online are easy, much easier than they are offline. It is almost trivial for an attacker in one country to surreptitiously infiltrate a network in another. Second, actors who threaten the security of a state will use circumvention tools (e.g. virtual private networks, Tor, end-to-end encryption, etc.) to achieve their aims. Third, the digital world is a conduit for security threats, not their source. Cyberattacks are still organized, conducted and managed by people in the physical world where borders are far from perfect.

Security has historically been one of the drivers for erecting physical and digital borders, but there are many other compelling reasons for a state to erect borders, some are economic (protectionism is one form, but also economic security and local growth); some are cultural (language is still one of the non-physical borders that is hardest to cross); others are simply legal (countries do not always agree on what is acceptable online and what is not). The world is already fragmented, and this will continue offline and online.

However, domestic policies aimed at providing more security online are starting to have an impact on the stability of cyberspace. As cyber threats become more prominent, countries undertake military and intelligence operations to protect themselves, which can be interpreted as hostile and in turn further increases the risk of conflict. As this security-based fragmentation becomes more consequential, policymakers need to develop tools to better manage it and avoid a catastrophic scenario where a complete splintering of the internet deprives the world of its many benefits.

In order to have a nuanced conversation about internet fragmentation, we propose the creation of Fragmentation Impact Assessments (FIAs) for domestic cyber policies. These impact assessments would examine how a particular domestic cyber policy:

• affects how the internet works (e.g. the nuts and bolts that keep the network running);
• constrains domestic and foreign private actors in their operations; and
• constrains foreign state actors in their operations.

Academics and policymakers need to better understand the consequences of fragmentation. Having a robust database of FIAs on a wide set of policies would achieve a number of different objectives. First, it would enable a more rational debate about the consequences of internet fragmentation. If the belief that internet is and should remain a borderless space is undeniably naive and factually incorrect, so is the belief that everyone would be better off with one internet per country. Second, it would help countries work together to develop interoperable policy frameworks. Such efforts are already happening in some regions—the European Union and Association of Southeast Asian Nations are venues where countries can work together to enable cross-border data flows and more integration between their economies. These efforts need to be scaled and replicated. Third, it would help to look at fragmentation from many angles, not one. Fragmentation is not only about digital rights; fragmentation is not only about Westphalian sovereignty; fragmentation is not only about cultural differences—it is about all these things and more.

Lagash and Umma might have invented the modern notion of physical borders but the new digital ones have vastly different consequences than their brick-and-mortar counterparts, and we are far from grasping how far-reaching these consequences are. Fragmentation Impact Assessments are a first step forward to understand the implications of borders on the internet.