If you think the United Nations (UN) is about to subordinate Internet freedoms to governments, consider this. Compare the ineffectual and bureaucratic UN, which lacks any real operational leverage over the Internet, to the Washington, DC-based Center for Strategic and International Studies (CSIS). Now, there’s a real threat to bring the states back in.
James Lewis, the CSIS point man for Internet policy and instigator of the Commission on Cybersecurity for the 44th Presidency, is part of an entrenched Washington community devoted to identifying, analyzing, playing up and selling solutions to the US government for threats in foreign policy and military/national security. With the Cold War over and the war on terrorism no longer able to command the same budgetary stimulus, they have turned to cyberspace for fresh blood. They are busily re-framing the Internet’s known civil vulnerabilities into major national security threats. Lewis in particular is on a crusade to convince Washington that what he denigrates as the “90′s approach” to Internet governance was all wrong.
Lewis was at a recent CSIS-sponsored Global Security Forum that explored “the top challenges facing U.S. and global security.” The Forum concluded with a session on Fighting a Cyber War. The basic premise of all the panelists was that the vulnerabilities of military, civilian, and commercial networks to cyber attack should force the US to revise its approach to cyberspace.
As is all too typical of these affairs, the dialogue avoided any analysis or discussion of the actual types of attacks on Internet infrastructure that might constitute a true military threat. The threats were simply assumed to be there and to conform to the Cold War-honed, state-vs.-state mindset that the national security community knows and loves. Panelists from the U.S. Defense Department acknowledged that we have a clear legal process for dealing with cyber-crimes (citing some of the FBI’s recent successes), but claimed that we will need rules for military response when “immediate action” is required. (Sort of like an Internet kill switch, but you can’t really say that anymore.) This prompted Lewis to rant about the Internet’s existing governance institutions:
back in ye olden days of the Clinton administration, when we did the, you know, commercialize-the-Internet things, we had two working groups. We had the commercial working group; that was Ira Magaziner. We had the security working group; that was John Deutch. And …we never talked. And so we have a whole governance structure that grew out of that process that’s incredibly feeble. And you can just make up letters and put them together: WSIS, IGF, whatever you want, ICANN. We have a feeble governance structure that makes it really hard for us to agree on rules for cooperation and security. And that’s what we’re probably going to need to revisit.
As any regular reader of IGP Blog knows, we will be the first to criticize existing Internet institutions for their failings. But to blame them for not facilitating a rapid U.S. military response to hypothetical cyber attacks seems dangerously wrong-headed. And yet, the attack is constant and relentless. It is part of a broader agenda.
One gets the impression that Lewis is dismissing, with a wisecrack about acronyms, the trillions of dollars worth of jobs, innovation, economic growth and trade that has come from those “commercialize-the-Internet things.” Indeed, it is the very success of those institutions in fostering – or at least not getting in the way of – the emergence of a global networked economy and public sphere that has made cyberspace so pervasive. Prior to that, security concerns were minor or hypothetical. Of course as the economic stakes rise, so do security concerns.
But Lewis seems to be suggesting that global Internet governance institutions should have been designed to optimize U.S. military response capabilities in the first place. The problem with that perspective is that military and national power competition is largely a zero sum game among states. Such an approach could only trigger a chain reaction undermining the acceptance of Internet governance institutions and the interoperability of computer systems.
Lewis is certainly correct that we need to pay attention to transnational institutions and their capacity. But he’s short on creative thinking and viable alternatives. When he criticizes existing institutions as “feeble” what exactly does he want? A traditional, treaty-based intergovernmental body? Probably not: the US has made clear it does not wish to cede Internet governance to the ITU or UN. Is he proposing a new US-led club of states, such as NATO or OECD? While a US-friendly, US-dominated body like NATO might be palatable inside the DC beltway, its not clear that forming “alliances” in cyberspace does anything to counter cyber-threats. The Internet and its problems are distributed and global, and many threats are likely to come from territories that are not in the club.
So insofar as CSIS and its ilk actually know where they are leading us, we can only infer where it is. We suggest that we are being led into the following two paths.
1) A more aggressive U.S. unilateral globalism. The reviled SOPA and PIPA laws, in which the U.S. asserted extraterritorial jurisdiction over domains and addresses, is an example of what happens when U.S. politicians respond to demands for “strong action on the Internet” of the type Lewis is promoting. These kinds of laws seize upon US economic dominance of certain aspects of the Internet economy and try to leverage them to global regulatory effect. The Cyber Intelligence Sharing and Protection Act (CISPA) is a similar effort. It tries to facilitate sharing of information about cyber-attacks by allowing private companies to hand over massive amounts of personal information to the U.S. government with no judicial oversight, regardless of where they are located and what law they live under. Those proposed laws were not and are not feeble. But are they any good for us, the people, the denizens of cyberspace? SOPA threatened both the technical security of the global Internet (by undermining secure domain name resolution), and broadcast a powerful message to the rest of the world to avoid U.S. based domain name registries, registrars and hosting services. CISPA threatens users’ personal security and privacy. Both do little or nothing to advance the kind of global cooperation needed to address pressing problems regarding botnets and DDos attacks.
2) Seize control of existing transnational institutions. Try to bend ICANN, ARIN, and perhaps even IETF so that they are more responsive to the security concerns of the US and its allies. But this will mean undermining, if not destroying, the civilian, private sector-based multi-stakeholder features of these institutions. Instead of being bottom up and open, they will have to take policy dictation from the U.S. and perhaps from a strengthened Governmental Advisory Committee (GAC). Instead of relying on networks of cooperative relationships, they will become more hierarchical, top-down and regulatory.
The Internet’s lightweight governance institutions have and continue to serve as points of coordination. But private actors own and operate the Internet’s infrastructure and it is they who must repeatedly deal with the security challenges thrown at it. This is as it should be. Large-scale manmade Denial-of-Service attacks on the DNS root servers are an actual risk identified by the USG, but have been found to be of low likelihood because of the distributed and global nature of the DNS. These structural features allow a myriad of actors to respond to problems as necessary within the boundaries of the law. In many respects, the centralization and militarization sought by the security mavens will make us less secure. We agree with Rebecca MacKinnon that in institutional design it is the consent of the networked that matters most, not the security interests of states.
And yet, as all this goes on there are still people encouraging us to gird our loins against a UN/ITU threat that barely exists and has been repeatedly rebuffed and diminished. It’s time to stop projecting threats to Internet freedom onto symbolic bogeymen like the UN. There are more serious threats right here at home.