The Internet Is Fragmented. What Should the United States Do Now?
At the end of June, Delhi police arrested Mohammed Zubair, an Indian journalist and prominent critic of Prime Minister Narendra Modi, for allegedly violating federal laws on social media. According to a police spokesperson, Zubair's Twitter posts were "demeaning to one community." An anonymous account had complained to Twitter that one of his tweets was an insult to Hindus, but press activists and other civil rights groups see Zubair's arrest as part of a long campaign against free speech. The same week, the Indian government reportedly forced Twitter to take down posts from Freedom House on how internet freedom has declined in India.
Unfortunately, India is not an outlier on these trends, and a new CFR Independent Task Force on U.S. foreign policy for cyberspace confronts the reality of an increasingly controlled and fragmented internet head-on (you can read the full report here, and my introduction to the report here). As the report bluntly puts it, "the era of the global internet is over."
U.S. officials and technologists often presented the internet as a take-it-or-leave-it proposition: governments would either plug in, allow the free flow of data, and enjoy the growth and prosperity of the digital age, or opt out and disadvantage themselves economically and politically. Yet from the beginning, many governments—including Washington’s closest allies—rejected this vision. They had different ideas about how data should be regulated, how privacy should be protected, and how dependent on American technology and social media they wanted to be. European countries, for example, have long banned Nazi material from social media, and in 2016 the European Union adopted the General Data Protection Regulation, which enhanced individual control over private data. Some European leaders have also argued for greater technological autonomy from Chinese hardware and U.S. software and infrastructure. Europe, for example, is working to promote alternatives to Amazon, Google, Meta, and Microsoft through projects such as Gaia-X, a shared cloud infrastructure.
The efforts of China and Russia to create sovereign internets are even starker. The Chinese government developed the technical and regulatory capabilities to actively censor the internet traffic that enters and leaves the country, rapidly take down information and block collective action, and tightly surveil, harass, and, when necessary, detain users. After street protests in Moscow in 2012, the Russian government began more actively blacklisting, censoring, and blocking content. In 2019, Russia adopted the Sovereign Internet Law, which seeks to shield the domestic internet, Runet, from foreign attacks and mandates annual tests of telecommunications ability to disconnect the domestic internet from global cyberspace.
The U.S. has failed to hold back these moves to fragment the internet. In an effort to turn this tide, in April 2022 the Biden administration, along with sixty-one countries, issued a Declaration for the Future of the Internet. The signatories committed themselves to supporting “a future for the Internet that is an open, free, global, interoperable, reliable, and secure” system, and reaffirmed a positive vision of a “single interconnected communications system for all of humanity.” The declaration, however, has no binding commitments or new policy initiatives. Moreover, many important potential partners appear reluctant to join. Most of the signers are in Europe; significant holdouts include Brazil, India, Indonesia, and South Africa.
So if the global internet is not a realistic goal, what should U.S. policy aim for? Washington should make digital trade, rather than the promotion of an unachievable aspiration, central to a cyber coalition. The grouping would build on shared data privacy values while recognizing the differences in domestic approaches to protecting data privacy. Coalition members would be required to develop and implement internet regulations guided by the rule of law, transparency, and accountability. Partners would agree to work cooperatively to address malicious cyber activity. As former Japanese Prime Minister Shinzo Abe put it, the goal should be to establish “data flows with trust.”
There are some models to build on, including the United States-Mexico-Canada Agreement (USMCA), the United States-Korea Free Trade Agreement (KORUS), and a digital agreement among Chile, New Zealand, and Singapore. These agreements broadly cover both the removal of tariffs on digital goods and the elimination of nontariff barriers to digital trade, and they share several attributes: ensuring the free flow of data across borders; prohibiting localization requirements for computing facilities, cloud services, or data analysis motivated by protectionist purposes; and banning requirements to turn over source code, algorithms, or related intellectual property rights. New provisions should address concerns of workers and consumers, including those that promote digital inclusiveness, strengthen consumer confidence and trust, and protect personal information.
This coalition of trusted states should also build an international cybercrime center, support cyber capacity development in developing economies, and cooperate on technological innovation in sectors critical to offensive and defensive cyber operations. These actions are mutually reinforcing, building trust among and providing concrete benefits for the partners. The international cybercrime center would, for example, be a permanent mechanism through which to coordinate botnet takedowns.
A modified U.S. cyber strategy will be more limited, more realistic, and more likely to succeed in achieving critical but finite goals. It would not seek to have other countries embrace an American definition of democracy or free speech, but would rather secure a commitment to build the domestic capacities to ensure the trusted flow of data.