Justin Sherman (@jshermcyber) is a Cybersecurity Policy Fellow at New America.
Chinese internet policy has consumed mainstream headlines over the last few weeks, and not just because of the United States’ campaign to convince other countries to ban Huawei from 5G networks. Apple removed an app from its App Store used by Hong Kong protesters to track police, raising questions about Beijing’s influence on U.S. companies. Meanwhile, Chinese internet giant Tencent has suspended its streaming of National Basketball Association games in China after the Houston Rockets’ general manager tweeted in support of the Hong Kong protesters.
During its annual state-run World Internet Conference in October, the Chinese government continued to push its narrative that countries need to exert sovereignty over the internet within their borders. In a letter to the conference, President Xi Jinping wrote of the responsibility of all nations to “develop, use and govern” the internet responsibly.
These recent events underscore a debate that has been ongoing for years: just how much ‘cyber sovereignty’ is too much cyber sovereignty? While many countries have long resisted the notion of cyber sovereignty, Beijing and other actors could be influencing the discussion.
Authoritarian countries like China and Russia have long used phrases like ‘cyber sovereignty’ as a way to justify practices deemed unacceptable in many democracies, such as tight control of internet gateways or the censorship of political content online. Specifically, in China, ‘cyber sovereignty’ manifests in the Great Firewall and data localization policies. In Russia, it has encompassed everything from the country’s push for a domestic internet to laws mandating local storage of certain data.
These practices have long been rebuked by many democratic countries that espouse maintaining an internet that is both global and open—where the state exerts minimal control over the traffic passing through its borders. Defense of net neutrality and aversion to government control of internet traffic are just some examples of this internet policy view. However, democratic countries appear to be starting to embrace cyber sovereignty.
The United Kingdom, for instance, has begun to advocate for democratic governments doing more to confront cybersecurity threats, without violating the rights of citizens and businesses. India, Japan, the European Union, and the United States are all considering how to effectively govern data flows—designing limits on free data flows, despite previously condemning this practice. Meanwhile, democracies continue to modify and enforce regulations on the creation and dissemination of child pornography and terrorist propaganda. Recent court cases in the European Union involving content moderation, including a ruling on global content takedowns, reflect growing debate about the government’s role in platform moderation. While not nearly equivalent to something like the Great Firewall, they underscore the fact that even democracies exert some degree of sovereignty over cyberspace within their borders.
The question, then, becomes how much cyber sovereignty is too much?
For many countries, the Russian and Chinese approach is compelling in light of global disinformation campaigns and cyberattacks, like the WannaCry attack that caused billions in damage to the global economy, or the Mirai botnet that shut down parts of the U.S. internet. Exerting more control over the internet could both be a way to better manage cybersecurity risks and censor content on the web under the guise of protecting citizens. This authoritarian form of cyber sovereignty has been gaining traction around the world.
Over the past year, more governments have sided with Chinese and Russian cyber sovereignty proposals in the United Nations and internet shutdowns have become a more common practice for responding to protests. Vietnam, Kazakhstan, Indonesia, and many other nations have increased government control over internet content and the ability of citizens to circumvent censorship by using VPNs and other measures. Russia and Iran continue their pushes for a domestic internet.
Even Western companies seem to have grown to accept some forms of cyber sovereignty. From their perspective, compliance with app takedown requests or data localization policies by the Chinese government, despite possible political motives, are viewed as a necessary transaction cost of breaking into the Chinese market.
As liberal democracies shift their views on the notion of cyber sovereignty, Beijing’s efforts to make its extreme form of cyber sovereignty acceptable to the global community continue. As articulated in Sovereignty in Cyberspace, a new paper jointly released by three Chinese think tanks, “Advocating and practicing sovereignty in cyberspace does not mean isolation or breaking cyberspace into segments, but means facilitating a just and equitable international cyberspace order on the basis of national sovereignty and building a community with a shared future in cyberspace.” The World Internet Conference and recent events are just a preview of what to expect in the future—a growing emphasis on the need for internet regulation and a global debate over when ‘cyber sovereignty’ crosses a line.