Last week we began a review of the Council on Foreign Relations’ recent report on “Defending an Open, Global, Secure and Resilient Internet.” Judging from our web statistics, neither the CFR report nor our review of it is setting the world on fire. But we doggedly adhere to our plan to review the rest of the report in some detail. Whatever one’s opinion of its content or significance, the CFR report and similar activities show that Internet governance is moving inexorably into the mainstream of foreign policy discourse in the U.S. and Europe. Yet the world of foreign policy, international relations and political science is still not well integrated with the world of Internet policy, governance and technology. Also, as we suggested last week, US policy is ripe for a comprehensive overview.
The first blog reviewed the CFR report’s recommendations regarding trade and governance institutions. This week, with some overlap, we focus on Alliances and Cybersecurity.
The CFR report calls for the United States to “articulate and advocate a vision of Internet governance that includes emerging Internet powers and expands and strengthens the multi-stakeholder process.” This is an important recommendation. It recognizes the need to move beyond the traditional OECD countries in advancing Internet Governance institutions. If governance is to be stable and global it must include the BRICS and other emerging societies and have full legitimacy among them.
Calls for US leadership, however, must take into account the fallout from the NSA surveillance revelations, the continuing irritant of US control of the IANA contract, and the broader perception among some countries that multistakeholderism is merely a cover for U.S. dominance of the whole domain. The US cannot form a more inclusive alliance by “strengthening the GAC” or any other strategy designed to lure states into the status quo institutions with promises of more power. That only reinforces and rewards the tendency to see a stronger role for states as the way forward; long term it undermines the very fabric of multistakeholder cooperation.
A new alliance can best be formed by strengthening institutions for effective collective governance that are truly de-nationalized and rooted in civil society and the private sector. It is not the Internet users and businesses in the emerging economies who are seeking to control the internet and who use the ITU to assert more power over it; it is their governments. The US – or rather, advocates of Internet openness and freedom – needs to go over the heads of repressive states and appeal directly to the local and transnational Internet communities – user groups, businesses, civil society, Internet techies and the like. The ministers and politicians are hopeless, as their very position in society predisposes them to look out for the authority and power of the state rather than the freedom and capabilities of the Internet. Moreover, they are more likely to change their mind due to political pressure from their own burgeoning internet communities than from any US government efforts.
The CFR report suggests, somewhat vaguely, that the US can wean developing countries away from intergovernmentalism by creating another forum. It suggests that the State and Commerce Departments “should encourage a forum at which developing countries and users can address cybersecurity and other technical concerns without having to turn to the ITU” (p. 61). This could be a good idea, if the Forum is indeed multi-stakeholder and not just a collection of states, and if the US makes a serious commitment to it. But there are already many cybersecurity-related forums, including expert communities organized around CERTs and CSIRTs, such as the Forum of Incident Response and Security Teams. These forums are dominated by non-state actors; it is better to bring emerging economy actors into that environment than to create yet another intergovernmental effort. There are also transgovernmental networks such as the London Action Plan, which could be expanded to include developing countries. And there are now dozens of regional and local Internet Governance Forums. (E.g., EuroDIG is on right now.)
Anyway, the US’s credibility around new forums is a bit frayed at the moment. The last time the US supported creating a new forum in the Internet governance world – namely, the UN Internet Governance Forum – both the US government and the Internet technical community undermined it by discouraging it from dealing with serious, controversial issues and by actively preventing it from developing recommendations. Developing world governments started to defect after about four years, viewing the IGF, not unfairly, as a placebo for the status quo. Recently, the ITU has overtly started picking up the slack. With its “policy opinions” and its WTPF, the ITU has offered countries in the second and third tiers of the global Internet economy a place to discuss and make resolutions on global internet policy issues, where they feel more comfortable and empowered. That water is now under the bridge; there is no way to go back and undo the mistakes that were made in the early phases of the IGF. The point, however, is that the US and the Internet community should not view developing world governments as their constituency; they should view the internet users and businesses in those areas of the world as their true constituency.
The CFR Task Force report’s discussion of cybersecurity strives to come up with interesting new ideas, but stays closely bound to conventional wisdom. A grab bag of recommendations can be found in the report, ranging from organizational change among US government agencies to an international cyber crime center to CISPA-like legislation. But the group did produce a very useful discussion and critique of the way US government responsibility for cybersecurity is organized (pp. 33-37, 45-49).
Its analysis of the nature of the threat seems to be a bit inconsistent. On the one hand, the report avoids scare-mongering, and seems to promote a civil-oriented approach to cybersecurity. It dismisses the notion of a “cyber Pearl Harbor” and contends that “the most pressing current threat is not likely to be a single, sudden attack that cripples the United States [but] a proliferation of attacks that steal strategically important or valuable data and destroy confidence in the safety and trustworthiness of the Internet.”
On the other hand, the report succumbs to misplaced military-style thinking and advocates a model of “deterrence,” claiming that offensive capabilities are required to deter attacks or to impose costs on the attackers. The idea that cyber attacks can be “deterred” through offensive cyber capabilities is a wrongheaded holdover from nuclear thinking. All too often these discussions conflate military attacks – i.e., attacks by other governments and/or terrorists with the intent to take over, cripple or destroy our entire society or system of government – with data theft or mundane cybercrime. Worries about the former are largely misplaced. A true cyber war is not a strategically viable possibility at the moment; one cannot take over or rule a society solely or even primarily via cyber means. But even if it were possible, deterrence against such an attack need not rely on cyber weapons. If it is truly war we are trying to deter, the possibility of a response from traditional kinetic weapons will do just fine. Terrorist organizations, obviously, will not be deterred in either case.
If a state-based attack is not an attempt to destroy the US but a more limited attempt at espionage or probing, the value of offensive capabilities as a deterrent is highly questionable. If the other side thinks it can get away with stealing valuable information from its adversaries via cyber-means, it will do it. If the information is really valuable, punishing them after they have it is unlikely to deter the espionage (assuming we can even know that it has been taken in a timely fashion). Likewise, if our military thinks it can gain valuable information about adversaries from cyber exploits it will do so. Better defense – or even international agreements to limit such activities – is really the only way to go. Being able to catch and prosecute the perpetrators of cyber-espionage is more likely to prevent such efforts than “offensive capabilities,” just as catching and prosecuting the perps is the best way to deter attacks by garden variety cybercriminals. The CFR should abandon its recommendation that “the Obama administration should clearly state that the United States has the right to conduct offensive [cyber] operations.” That aspect of the report does not mesh with its call for a broader and more inclusive alliance around governance.
Out-of-place military-style thinking also shows up in the Task Force’s call for a “Cyber Reserve program.” They want DHS cyber alumni and other talented cybersecurity experts outside of government to be ready, known and available to DHS in times of need, just like the National Guard. The recommendation is not harmful so much as pointless. To begin with, a great deal of cybersecurity operations already is organized around informal networks of expert actors in the private and nonprofit sectors. Scholarly research on these communities shows that in order to be effective, they must be in constant contact and have well-established trust relations among each other, as well as carefully vetted entry restrictions. Trying to call such a network into being by government fiat won’t work. One cannot effectively replace the intrinsic motivation and organic development of trust and vetting of operational expertise with formal bureaucracy, procedures and money. At best, it would simply result in a useless list of names and a tax-consuming bureaucracy. At worst, it could undermine existing networks by tying them to nationalistic and military agendas when current networks are transnational.
The report’s call for an international cyber crime center is something that already seems to be happening. Another recommendation is that the U.S. Congress pass legislation that sounds very similar to CISPA, with some tweaks (p. 46). It wants the new law to authorize the development of mechanisms for real-time sharing of information (including classified intelligence) between government and the private sector and among private-sector actors, allegedly with some privacy protections and oversight. It includes “limited liability provisions for companies voluntarily involved in the information-sharing program.”
We need to be very careful when we talk about “information sharing” – not only because of the threat of untrammeled surveillance raised by the recent NSA revelations, but also because effective sharing of information is a lot more difficult to achieve in practice than it is to authorize generically. Too many people in Washington seem to think that the phrase “information sharing” is a magic wand that can be waved over security problems to produce instant solutions. But it is no simple matter to get the right information to the right person at the right time while at the same time not giving government agencies indiscriminate access to any and all private data; it requires clearly defined procedures, oversight and well-implemented organizational mechanisms.
In essence, this report proposes to keep doing what we are already doing in ICANN and IGF, only “better;” to tweak CISPA; to rearrange org charts in the State and Homeland Security Departments; to make Interpol bigger. It seems to support a Cold War-era concept of deterrence and offensive capability while at the same time trying to sweet-talk developing world governments into accepting “the multistakeholder process” – but its attempts to appease states might just compromise both multistakeholderism and Internet freedom. It is, in short, a compendium of the Washington mainstream consensus, a policy approach that has already lost more momentum than Apple Computer’s stock price – and suffers from the same disappointment of an anticipated innovation that never seems to come.