The Future of Internet Governance: 90 Places to Start

The open, global Internet, which has created untold wealth and empowered billions of individuals, is in jeopardy. Around the world, “nations are reasserting sovereignty and territorializing cyberspace” to better control the political, economic, social activities of their citizens, and the content they can access. These top-down efforts undermine the Internet’s existing decentralized, multi-stakeholder system of governance and threaten its fragmentation into multiple national intranets. To preserve an open system that reflects its interests and values while remaining both secure and resilient, the United States must unite a coalition of like-minded states committed to free expression and free markets and prepared to embrace new strategies to combat cyber crime and rules to govern cyber warfare.

These are the core messages of the just-released CFR report, Defending an Open, Global, Resilient, and Secure Internet. The product of a high-level task force, chaired by former Director of National Intelligence John D. Negroponte and former IBM Chairman Samuel J. Palmisano, the report opens by describing the epochal transformation the Internet has wrought on societies and economies worldwide—particularly in the developing world.

Facilitating this unprecedented connectivity has been a framework based not on governmental (or intergovernmental) fiat but on “self-regulation, private sector leadership, and a bottom-up policy process.” By leaving regulation in the hands of technical experts, private sector actors, civil society groups, and end-users, the pioneers of the early Internet ensured that it would “reflect a broad range of perspectives and keep pace with rapidly changing technology.” They also ensured that rights of free expression and privacy would emerge as dominant norms.

Those halcyon days are over, alas, as more states assert sovereignty in cyberspace, as cybercrime spikes to unprecedented levels, and as nations develop new weapons of cyber warfare. Already, dozens of governments place restrictions on transmitting data and knowledge over the internet. These include not only authoritarian regimes but some democracies in Europe and the developing world (like India and Brazil). At the multilateral level, meanwhile, a majority of states at December’s World Conference on International Telecommunications (WCIT) in Dubai voted to transfer authority for regulating critical aspects of the Internet from ICANN (perceived as U.S.-dominated) to the International Telecommunications Union (ITU), a UN agency. Although some participants were motivated by equity concerns, others—notably Russia, China, and Saudi Arabia—saw the intergovernmental route as a means to assert sovereignty in cyberspace, including a license to crack down on dissent under the guise of fighting cyber crime. The forces arrayed in Dubai will clash again in 2014, at the ITU’s plenipotentiary meeting, intended to revise the body’s constitution.

Meanwhile, cyberspace is increasingly anarchic, as cyber-criminals use sophisticated attacks to steal vast quantities of funds, intellectual property, and trade secrets. Of even greater concern are government-backed cyberattacks. Some forty governments are believed to have developed offensive cyber weapons. The absence of clear rules of cyber warfare, as well as the general problem of attribution, creates a situation of strategic instability, rife with risks of miscalculation and escalation. Still, as the task force notes, the danger is less of a “cyber Pearl Harbor” (as former Secretary of Defense Leon Panetta warned) than a growing loss of confidence by both governments and the private sector in the security and integrity of the Internet.

Given current trends, can the United States possibly preserve the open global internet? Yes, but the first step is getting its own house in order. Distressingly, the U.S. government lacks a coherent strategic vision, an adequate policy coordination framework, and the requisite legislative authorities to develop and implement a national cyberspace policy, undercutting its global leadership.

Beyond this general guidance, the CFR task force offers some ninety (!) recommendations for U.S. policymakers. Let’s group the most important in clusters:

• Create a cyber alliance: The United States should sponsor “a coalition of like-minded actors,” including both foreign governments and private corporations that are committed to common “Internet practices and principles.” To nurture this coalition, the U.S. government should expand military-to-military contacts, intelligence and homeland security cooperation, and extend mutual legal assistance with friendly governments. Finally, it should sponsor the creation of an International Cyber Crime Center “that addresses the problem of sanctuary states—territories unwilling or unable to rein in cyber crime.”

• Foster transparency and new legal norms: To increase strategic stability, the task force recommends, the United States should clarify the U.S. right to conduct offensive operations in cyberspace. At the same time, it should work with other “cyber powers” to hammer out consensus on the applicability of the laws of war in cyber operations. At a regional level, the United States can promote confidence building in groupings like the OAS, OSCE, and ASEAN Regional Forum.

• Promote limits on cyber espionage: The estimated cost of commercial cyber espionage to the United States may be as high as half of a percent of GDP. Given its relatively clean reputation, the United States is in a strong position to work with the EU, Japan and other like-minded countries to combat espionage incorporating prohibitions against these practices in bilateral and “plurilateral” trade pacts. A successful counter-espionage program must include close collaboration with the private sector.

• Clarify what sort of “active defense” is permissible: As victims of cyber-crime, private corporations are increasingly taking matters into their own hands—“hacking back” against assailants. Given the risks involved, the U.S. government needs to clarify what sorts of tactics are legally permissible, as companies seek to protect their property.

• Create a cadre of cyber-public servants: The U.S. ability to compete in cyberspace will require not only a dynamic private sector but a public sector staffed with cyber-savvy employees. The task force calls on the United States to “expand the pipeline of people in cybersecurity” and to develop a special “Cyber Service,” analogous to the Foreign Service, to which talented young professionals may aspire.

• Pass needed cyber legislation and improve domestic coordination : The United States urgently needs a new legal framework for cybersecurity that balances the protection of individual privacy against the need to secure critical infrastructure. It also needs to promote  greater information sharing between the private and public sectors while reducing the liability of corporations involved in such programs. Beyond calling for such legislative changes in Congress, the task force recommends executive branch reforms, notably augmenting the coordinating authority of the National Cybersecurity and Communications Integration Center (NCCIC), creating a new Cyber bureau at the State Department, and establishing posts of cyber attachés in U.S. embassies abroad.

• Insist on the free flow of information in all trade agreements: the United States should require all trade partners to adopt common principles, among these nondiscrimination in digital trade and information flows, limited liability for internet intermediaries, protection of intellectual property, and the security of personal data and free expression. Such principles should be embedded in the Trans-Pacific Partnership (TPP) and future trade agreements.

• Adapt to the rise of emerging Internet powers: Rising powers like Brazil, India, and especially China are testing the U.S. vision of an open Internet, both commercially and politically. In league with likeminded countries, the United States should use positive and negative incentives—including sanctions—to discourage discriminatory economic practices and intellectual property theft. At the same time, the United States should be prepared to engage rising powers on issues of internet governance—including within ICANN, the ITU, and, perhaps more significantly, in “mini-lateral” forums modeled on the Major Economies Forum for climate change. The objectives of U.S. efforts should be to broaden global support for an open Internet built on the existing multi-stakeholder governance mechanisms.