At the beginning of the New Year, Robert Knake, who was once the Obama administration’s Director for Cybersecurity Policy at the National Security Council and is now a fellow at the Council on Foreign Relations, predicted in a blog that “at some point in the next decade, the Chinese government, with the support of Russia and other authoritarian regimes, will move forward with plans to establish a separate [DNS] root system for their share of the internet.”
I respect the fact that Knake didn’t play it safe by just expressing another “China is bad and a threat to the global internet” opinion. No, he made a prediction that something specific will happen. Predictions advance knowledge because they can be proven right or wrong. One can also quantify their probability by placing bets on them.
I am willing to take a bet with Mr. Knake on this one. I am personally offering to write him a $500 check if his prediction comes true. And I ask that he reciprocate by sending me $500 if it doesn’t.
What does it mean?
Pinning down the meaning of this prediction is an interesting exercise in and of itself. What exactly does it mean to “establish a separate DNS root system for their share of the internet”? Knake needs to be warned that the party on the other side of this bet has been contemplating the economic, political and technical aspects of alternate/competing DNS root systems for the past 25 years. I published paper on the topic in a refereed journal back in 2001. I recently published a book on Internet “fragmentation” which devotes most of a chapter to an assessment of the likelihood of a split DNS root based on geopolitical conflict. My colleagues at IGP and I have blogged and analyzed the issue several times over the past decade, including in connection with China. So below I explain a bit about the root of the domain name system, the institutions and operations underlying it, and what an alternate root means.
For Knake to be correct, here’s what has to happen
Let’s break down Knake’s prediction into its component parts and develop a list of all the things that must happen for it to be true. We can summarize the conditions in these five bullet points:
- The content of China’s DNS Root Zone file must deviate from the root zone file of the Internet Assigned Numbers Authority (IANA)
- China must require its domestic name servers to point to its alternate root exclusively
- China must offer this deviant root zone file to the world and openly solicit Internet operators from other countries to make it their authoritative root
- China must do so with support from Russia and other authoritarian regimes
- All this must happen before January 1, 2030
If Knake understands and agrees to these conditions, the bet is on. Let’s explain the reasoning behind them.
1. Deviant root zone file
The first condition is the most important one. The defining characteristic of a “separate root system” is that the contents of the root zone file deviate from the authoritative root zone file promulgated by IANA. The root zone file contains the information that consistently maps IP addresses to top level domains. So a separate root would contain information different from the IANA root. That is, for any given TLD – let’s say Taiwan’s country code .TW – it either wouldn’t exist as an entry in the China root, or the IP address would point to a name server in mainland China instead of to TWNIC as it does now.
If there is no difference in the contents of the root zone file, then his prediction is utterly meaningless. Anyone can run their own DNS name server and call it a “root server.” Anyone can – and lots of people do – create mirrors of existing root servers, using anycast or other techniques. None of these count as alternate roots, much less as a “break from the global Internet,” because the contents of the root zone file are the same as IANA’s. So if Knake’s prediction is to be true, China must operate a DNS root server system which disseminates a root zone file the contents of which do not match the IANA root zone file.
2. Requirement to use it
China must also force its domestic internet users to use this deviant root – to the exclusion of the IANA root. If this condition is not met, it is not a “separate root” or a “break with the global internet.” It is merely a parallel root that does not involve a break. And since pointing to a truly deviant root would risk incompatibility with many domains in the world, no Chinese ISP, user or browser manufacturer is going to voluntarily migrate to a deviant DNS root as authoritative. Most internet users get their DNS root selected for them by their Internet service provider. China can force domestic ISPs to use its own root. But the browser can also be critical. As DNS over HTTPS is implemented, any user of Chrome, Firefox, Safari or Edge is going to have the IANA root hardwired into their DNS. China certainly has the power to force Chinese browser manufacturers to use an alternate root, but will it? Knake thinks it will. I think it won’t.
3. Offer it to the world
Once China’s own DNS has seceded from the global Internet’s DNS, then it must take another strong step to make Knake’s scenario come true. It must openly and publicly make this deviant root available to the world and actively solicit other countries, telecom operators and internet service providers to point to it as their authoritative root zone file. Obviously it can’t force other nations or service providers outside of its jurisdiction to do so. So it would have to publicly hang out a shingle advertising “alternate root – sign up here!”
4. Authoritarian regime coalition
Related to point 3, Knake’s prediction also asserts that China will be joined by a coalition of authoritarian states. China will, he states, do this with “the support of Russia and other authoritarian regimes.” That’s a very specific prediction. China will execute, Russia will support. I’ll be satisfied his prediction is correct if China gets Russia, never mind all the other authoritarian states. Am I not generous?
And of course, this all must happen “at some point in the next decade.” So the clock is running. Knake “only” has 9 years and 9 months for his alternate Internet to gestate and be born. China’s actions can prove him right at any time in that period. I on the other hand have to wait until 2030, and I am an old, old man to prove him wrong. But the $500 will make a nice contribution to my retirement.
Why is this prediction likely to be wrong?
Why am I so confident that Knake is wrong? Let’s begin by saying that life is uncertain and that’s why we make bets. He could turn out to be right. But the issue of competing roots has been in my radar for more than two decades, and I’ve been tracking and analyzing China’s growth and its internet policies for some time. I simply do not see any way this happens. As I explain below, this kind of prediction is rooted in a bad case of Washington-insideritis, not based on a careful assessment of the situation.
To begin with, the global compatibility fostered by convergence on a single DNS root is extremely valuable to China as well as the US. There are literally millions of international interactions that depend in one way or another on a consistent DNS. The costs of a break would be immediate and high. What would be the benefits? Knake’s assumption that China needs to fragment the DNS in order to protect itself from unwanted information flows is not well thought out. China can block a lot of the unwanted material from the internet without sacrificing global DNS compatibility. It already does block many domains and web sites. The potential losses from an incompatible DNS are high compared to the potential gains.
There is also reason to question whether Russia and other authoritarian states would trust a root run by China. Russia’s blundering attempts to create a “national DNS” are emanating from nationalistic legislators in the Duma. Their premise is national autonomy, not a preference for Chinese dependency relative to the U.S.
Why does this difference of opinion matter?
It is also quite interesting to reflect on why Knake made this prediction, why CFR published it, and why I am responding. For my part, there’s something intensely irritating about Washington insiders fretting about Chinese threats to the global unity of the internet.
In the past year or two the U.S. has cut off capital flows from China in the tech sector, broadened the scope of CFIUS reviews in a way intended to target China, imposed sanctions on Chinese equipment manufacturers that are causing operating systems to fork and the chip market to de-globalize, and waged a global campaign to portray the world’s leading telecommunications equipment manufacturer a national security threat simply because its origin is in China. A State Department official has said that the purchase or use of any equipment or internet-based service from China is the same as importing Chinese authoritarianism. Without a trace of irony, they have claimed that TikTok is a national security threat. We have torpedoed a badly needed international cable project simply because one of the partners of two American firms was a Chinese firm. What we see here is a systematic long term attack on the globalization of the tech sector.
In the midst of all this, one would think someone would have to be blind to speak of China as the country pushing to fragment the internet. But this narrative plays well in Washington. It allows Republicans and Obama-era Democrats to reassure themselves that yes, the U.S. still believes in a global, free and open internet and digital free trade and China is the one who threatens it.
All that aside, the issue now is, will Robert Knake stand up for his prediction? I am looking forward to this being the 21st century version of the Julian Simon – Paul Ehrlich wager. Stay tuned.