This is the text of the keynote speech delivered by Milton Mueller at the 2020 conference of the Hague Program for Cyber Norms of Leiden University. Special thanks to Prof. Dennis Broeders for the invitation. A recording of the talk, which will include many good follow up questions, will become available soon.
States are competing for sovereignty in cyberspace, but there is no sovereignty to be had there. That competition for the impossible pushes states in one of two directions: toward national digital islands, or towards a single, global sovereign, a sovereign that will disempower other states and most users and suppliers. Meanwhile, this competition for sovereignty is doing severe damage to the internet. Of course there is no such thing as “the internet.” Take that term as shorthand for something much bigger: the human capability to communicate at will with anyone in the world. This includes the personal freedom to associate online and to access and use vast stores of information, as well as the economic freedom to choose a diverse, interoperable and affordable set of information technology devices, applications and services. By competing for sovereignty in cyberspace, states are threatening these benefits, but, as I said before, there is no sovereignty to be had there. This living contradiction explains a lot of what is happening in internet governance and cyber diplomacy today.
Now let’s back up a bit. Four years ago I wrote a book that asked “Will the Internet Fragment?” Since then there have been three critically important developments relevant to its theme:
- Renewed data governance conflicts between the U.S. and Europe
- A technical, economic and political rupture between the US and China
- A backlash against social media based on concerns about disinformation
Let me first summarize the argument I made in 2017. Then I will try to fit these current events into its framework, and see how they fit.
Recap of WITF
It was of course the Snowden revelations that triggered the contemporary debate about internet fragmentation. Many in the international arena saw the revelations as an open admission that U.S. dominance of the internet and its infrastructure was being used for military and intelligence advantage. The whole idea of a free and open internet took a serious hit. Some responded with calls for data localization policies, others with vague calls for tehc sovereignty or a “national internet.” The response from defenders of “the internet” – again that term – was that what they were proposing would fragment or balkanize the internet.
We then started to have a very interesting debate about what the heck a “fragmented internet” is. Some people said it was about blocking content, others talked about incompatible applications, geo-blocking, or alternate DNS roots. Some people even said language differences and the digital divide were forms of internet fragmentation.
My book broke out of this dead end by developing a technically grounded definition of what it would mean to fragment the internet. That was hard to do, in fact, because as a decentralized system of tens of thousands of independently managed networks, one could easily say that the internet was already fragmented.
I argued that it was layer 3 compatibility that made the internet not-fragmented. That is, the basic IP protocol was the lingua franca, the glue that held the network of networks together. IP resides at what we call the network layer, which maps onto layer 3 in the OSI reference model. And layer 3 compatibility has proven to be a very powerful and durable thing.
Following this line of analysis, the only thing that would qualify as a “fragmented internet,” would be an “internet” that no longer had a globally unified layer 3. It would have to split the world between two or more different, incompatible layer 3 protocols.
It was clear then that that was not happening. Quite the opposite. Not only was IP still the world’s dominant data communication protocol, it was expanding to all kinds of new devices and services. We are so stuck in the original internet protocol that we can barely manage to upgrade it to a newer version with a larger address space. Universal Layer 3 connectivity is intact.
So does that mean all is well? No, it does not. Something is happening, and it is not good. Frustrated by the interdependence of cyberspace, States are trying to assert some of their authority over it – or what they think is their little piece of it.
Alignment, not fragmentation, is the correct term for that. By alignment that I mean the attempt to make authority over internetworking match up with authority over legal jurisdictions at the national level.
States don’t really know how to do this. They get some leverage by using their power over organizations located in their jurisdiction. They can, to some extent, regulate ISPs and social media platforms. But despite all these efforts, the open nature of the protocols and the global standards that make things interoperable allow for relatively limited control over what happens when those users and suppliers are connected.
Against sovereignty in cyberspace
Since publishing that book I explored the concepts of sovereignty and cyberspace more deeply. I published a new paper developing an argument about the relationship between the two in International Studies Review last year. Sovereignty is a concept that needs to be rescued from international law, which works with a dead and mummified version of it. Most of what that discipline says about its application to the cyber domain is legally correct but totally useless for solving today’s governance problems. And most of them have no idea how to apply the concept to cyberspace other than to point out, endlessly, that physical layer devices can be assigned to a territory.
It is much more helpful to look at sovereignty historically and dynamically. In European history, we can best describe sovereignty as the consolidation of power on a larger geographic scale, and the separation of religious authority, which was not territorial, from political authority, which was. Sovereignty achieved economies of scale in governance; instead of many small princes in small territories with unclear relations with each other, it established a single, hierarchical authority over a wider territory, which was more reflective of the geographic scope of transportation, communication and commerce. Its emergence in practice was aided by the Reformation, which undermined the monopoly of the Catholic Church. For these new relations to form there had to be a supportive ideology for sovereignty, The people, the church, other princes all had to understand and come to accept the new conception of power. which started to emerge with Bodin.
Initially, sovereignty was an entirely authoritarian and absolutist concept. It was used to rationalize the supremacy and exclusivity of a monarch’s government. With the liberal-democratic revolutions, the holder of sovereignty was radically changed. It was no longer an individual, designated king, but “the people.” This magical transformation was performed by that moment in the founding of a republic, wherein the popular will takes the form of a constitution. Democracy delegated supreme authority to the people through a constitution that defines the rules for self-governance. But the people at that time lived in a circumscribed territory. Even then, the mismatch between those geographic boundaries and the linguistic, cultural and religious differences within them created constant turmoil. So did imperialism and colonialism. A dynamic, historical perspective on sovereignty makes it clear how plastic and evolving the notion is.
A historical perspective also makes it clear that several domains, notably the high seas, have been exempted from territorial sovereignty for most of human history. More recently, outer space has been exempted from sovereignty claims by treaty.
Now if sovereignty means clear territorial boundaries around monopolies on the use of force, it is clear that cyberspace sunders those two things, territory and power. The virtual territory of cyberspace does not map onto geographic territory. Its physical layer of computers and networks cannot completely avoid territorial authority, but when the physical layer devices are interconnected and interoperating they are participating continuously in a global virtual space that is not under any state’s complete control. It is a global commons.
A number of things had to combine to create this unique situation, a global virtual space. One of the most critical is that the internet protocols are open source software, appropriable by anyone, and so are its other basic standards documents. Additionally, its unique identifiers, such as names and addresses, are administered by transnational, nongovernmental institutions that try to do bottom-up, multistakeholder governance. The liberalization of telecommunications service and equipment, which created a transnational market, was also a factor. So while physical devices can be assigned to a territory, their interactions across networks in a software-defined virtual space cannot be so easily.
And this creates all kinds of problems for territorial sovereignty as an institution. The idea of the world divided into distinct, clearly bounded political units just doesn’t work. Alignment is a paradox, a contradiction. Efforts to achieve it are both inevitable and impossible.
It is inevitable because states will be states. They are the biggest, most powerful actors in the global political economy, and they are not going to cede power to alternative institutions without a fight.
But alignment is also unattainable. Territorial sovereignty is simply not compatible with the open, nonproprietary standards, nonterritorial virtual space and default global interoperability created by the internet.
Currently, cyberspace is formed by a huge number of independent actors, all connecting, sharing facilities and collaborating or refusing to collaborate on a voluntary basis. They are held together by common protocols and standards, developed independently of states. It is predominantly nonhierarchical networked governance that holds it together.
If you want to achieve sovereignty in cyberspace, you cannot leave that system in place. You must either sever all digital connections with the outside world and be the supreme ruler of a digital island, or fight with other states to be the one sovereign over global cyberspace.
Sovereignty means supreme and exclusive authority. Only a single unitary global entity could establish such authority over cyberspace. Only a world state could ever have enough control over all the actors and processes and resources underpinning the global internet to possess what political scientists mean by sovereignty. And that means there is room for only one sovereign in cyberspace. Everyone else will be excluded. Not such an attractive option.
Alternatively, one could pursue sovereignty as a digital island. That would make multiple sovereigns possible, but sacrifices global compatibility and trade in information services. It means an exclusively national, autarchic cyberspace. No one really wants this, not even China and Russia. No major industrial or post-industrial economy can survive under those conditions, unless it aspires to be North Korea. Connectivity is too valuable for any major economy to give up willingly.
So any attempt by states to establish sovereignty over cyberspace is doomed to fail.
This is what I call the jurisdictional paradox. You can have sovereignty or you can have a globally connected internet but not both. But states really want both, and there are strong political and economic forces pushing them simultaneously in both directions. This problem exists for democratic as well as authoritarian countries, for the East and the West, for the so-called global North and Global South. The whole quest for sovereign control of communications and information is a goal which is impossible to achieve in a way that will make any sovereign satisfied.
Most of the big events in IG that have happened since 2016 can be seen as ways in which these contradictions are playing out. Let’s begin with Europe and data protection
Europe and data governance
Superficially, the European attempt to impose stronger data protection law on internet businesses might look like alignment. It can be seen as an assertion of jurisdiction, even of digital sovereignty. But it isn’t. Its actual effect has been, for the most part, greater globalization. Article 3(2) of the GDPR binds data controllers and processors regardless of their geographic location or statutory seat. The abandonment of territory is pretty explicit in court decisions. The European Court of Justice describes the ‘territory’ of the member states as “not necessarily territorial in the spatial or geographic sense” but the “area of exercise of the competences of the Union.” Those competences when applied to the data economy are transnational.
A few businesses in the U.S. have chosen to detect and disallow traffic with Europe to avoid compliance, but it is not common. Transatlantic interactions and data flows are so pervasive that most multinational US companies chose to become compliant with GDPR as a matter of course. Furthermore, laws harmonized with GDPR were passed in non-EU countries such as Norway, Switzerland and Iceland. Imitation of GDPR-like protections in California, Brazil, Africa, SE Asia. The Annual Privacy Governance Report for 2019 claimed that “the regulation has had such a massive impact on data management practices globally that it has become the de facto global standard for privacy.”
Globalization was reinforced when ICANN, the nongovernmental institution that regulates the supply of domain names, had to completely reform its handling of domain name registration data to comply with GDPR. ICANN’s reforms greatly upset economic nationalists and intellectual property interests in the US. Some are lobbying for legislation to impose US standards and laws on domains registered or managed in the US jurisdiction. If successful, this move would destroy ICANN as a global governance entity for domain names, creating a jurisdictionally partitioned DNS. But it is unlikely to happen precisely because most people want DNS to be governed globally, so as to maintain compatibility and lower transaction costs.
The adjustment to GDPR provides a good example of the jurisdictional paradox. Efforts to assert sovereignty either lead to severing connections to a country, or to the globalization of a legal jurisdiction. Whether by design or not, Europe took advantage of a situation that allowed it to achieve global rule. It worked this time, but there are still risks of splintering. Extreme applications of GDPR could make it into a rigid data localization law. If that happens, and it may be happening due to the Schrems decisions, then the supply of many information services will be crippled. In particular, services that connect people in different jurisdictions may be literally unable to function, because it will be impossible to comply with some of the more extreme forms of data localization. That could still push things into digital island mode. Long term, if GDPR becomes too much of a constraint on the capabilities of the digital economy it will undermine rather than strengthen compliance. Privacy protection needs to focus on protecting individuals’ confidentiality in the context of a global info economy, but this goal must not morph into a process of micromanaging where data resides and where it can move.
The US-China Digital War
Now on to China. It is surprising how rapidly and thoroughly the US has, under Trump, abandoned its prior role as the leader and chief defender of global cyberspace and a liberal trading order. Initially, Trump’s attack on the trading system was unilateralist and almost indiscriminate in its targeting. Canada, Europe, China, Mexico, whoever. According to Trump, we had a lousy trade deal with all of them, and he was going to fix it.
Eventually Trump’s protectionist economic policies were channeled and focused into a more comprehensive attack on China. This united several constituencies: Republican Party nationalists, trade protectionists of both parties, the cultural right, and the Defense Department, which has had China’s growing strength under its eye for some time.
The U.S. national security establishment began to use the Committee on Foreign Investment in the US, known by its acronym CFIUS, to block capital investments by Chinese firms in high-tech areas. Mainly because of ICT issues, the law describing the methods and mandate of CFIUS was broadened and strengthened in 2018. But this raising of barriers turned into a thoroughgoing decoupling. Almost all aspects of ICT were securitized. Chinese equipment vendors Huawei and ZTE were banned from North American markets. Leading US diplomats openly encouraged other countries to do the same. Sometimes allies were threatened as well as encouraged to cooperate with this effort. Aside from bans on market access, Huawei was prosecuted by the U.S. Justice Department for violating the Iranian sanctions. The daughter of Huawei’s CEO was arrested and jailed. It was also sued for intellectual property theft.
As the attack on Huawei intensified, it became clear that it was a foreign policy issue, not a cybersecurity or trade issue. Not just Huawei, but virtually all Chinese information services and ICT firms were now portrayed as agents of the Chinese state. Their purpose in selling equipment and services was not to make money, we were told, but to help the Chinese Communist Party take over the world. The decoupling was very thorough in the ICT sector. FCC licenses allowing Chinese telecommunication firms to operate in the U.S. were withdrawn. A new international cable was denied landing rights, because the third partner was a Hong Kong firm with Chinese capital.
The Clean Networks initiative openly tried to exclude Chinese products and services from the internet pathways. The attempt to ban WeChat and Tiktok from the U.S. was yet another leap in the direction of alignment. In their efforts to block the Chinese, the US was starting to look a lot like the Chinese. Charges of a Great Firewall of America were not unfounded. We initiated industrial policy efforts similar to the Chinese ones we felt threatened by.
But there is more. With its anti-China export control regime on integrated circuit technology, the US is taking alignment beyond the internet per se and deeper into the ICT ecosystem. We are talking about a market in the hundreds of billions of dollars that sits at the core of the information sector. The chip industry is highly globalized. But much of it hinges on the IPR and designs of US-based firms.
The chip war is not a cybersecurity initiative. It is an attempt to cripple Chinese manufacturers of ICT products, and indirectly retard Chinese military capabilities. It is comparable to the ban on oil and gas exports to the Japanese in 1941: an economic blockade of the sort that usually follows, or leads to, military hostilities.
The dominance of US companies in chip supply gives the US government great leverage. But overly aggressive attempts to exploit a dependency can backfire. With chip sanctions, the US may be pissing away one of its most important economic and technological advantages in the global economy, an advantage that has served as the foundation for economic growth for the past 50 years. All in an attempt to achieve some kind of short term and highly speculative military advantage over China. The Chinese response has been predictable: instead of opening their markets they are moving to become more self-sufficient, with their own mobile OS, and their own chip technology.
Did the Chinese state deserve this reaction? It’s clear that China, with its Great Firewall, its market access limitations and its one-party political monopoly, has been a leader in devising methods of alignment for the past 20 years. But it was also very interested in engagement with the global economy. It sheltered its huge national market, but encouraged incoming foreign capital and technology transfer. American companies such as Apple an MSFT were let in. As its digital economy matured it looked forward to the global expansion of domestic companies such as Huawei and Ali Baba. The accusation of information age mercantilism has more than a grain of truth. But a rational response to this problem would have been to handle it as a trade issue, not a national security issue.
The crackdown on Hong Kong is something that cannot be ignored. The National Security Law was an assertion of sovereignty, and a deliberate and systematic attempt to stamp out the protests, political expression and the remnants of democratic representation in HK. It eviscerated the one country two system international agreement guaranteeing a separate system of governance. What is interesting about that sorry event is the extreme extra-territoriality of the national security law. Article 38 states that the NSL not only covers anyone in Hong Kong, regardless of nationality or residency status, it also applies to offenses “from outside the Region by a person who is not a permanent resident…” I know from personal experience that discussion groups of the HK diaspora on WhatApp and other non-Chinese platforms, which had been actively debating the HK protests, suddenly fell silent because of the intimidation. Just as the US tried to leverage chips to achieve global leverage, China understands that controlling speech, asserting sovereignty over how people communicate on the internet, requires global reach.
China’s treatment of HK has increased Europe’s reluctance to work with Chinese enterprises and of course is easily used as a justification for the American blockade. China’s starts to face the harsh reality of a sovereigntist internet: insofar as it succeeds in creating one, its own barriers will be matched by other countries.
Here we have the opposite of what happened with Europe and GDPR. Instead of a de facto harmonization and convergence on principles, norms and rules we see a fracturing. The world’s two biggest economies and military powers have discovered that sovereignty in cyberspace is mutually exclusive. They are competing for sovereignty in cyberspace. There can only be one. Neither seems likely to back down.
And yet, the future of a globally compatible and interconnected internet depends heavily upon US-China relations. If China and the US cannot maintain an integrated digital economy, who can? We may very well evolve into a truly fragmented world information and communications environment. This will not happen because of the so-called “New IP” initiative of Huawei – which has been exposed as vaporware. But longer term, the US-China digital conflict could very well lead in that direction. Going down this road could undo the great revolution in global interoperability that occurred in the 1990s with the victory of internet protocol.
Four years ago I did not foresee the degree to which content on social media platforms would be militarized by nation-state directed influence operations. It does, however, fit neatly into the alignment thesis. It also exhibits the jurisdictional paradox.
The idea of info warfare and disinformation have created a linkage between content and cybersecurity. This is new, and problematic. Prior to 2015, the U.S. and other liberal democracies supported understandings of cybersecurity that focused on the confidentiality, integrity and availability of information systems. There was an understanding that definitions of information security that included the meaning and content of messages could be used to justify censorship, and could clash with Article 19 of the UDHR. Only authoritarian countries defined “security” in a way that involved shielding their territory from external messages.
That liberal approach was evident in the West’s reactions to the Shanghai Cooperation Organization’s Code of Conduct for State Behavior in Information Security. The SCO is a Eurasian political, economic, and security alliance led by China and Russia. Its original 2011 draft of the info security code included a commitment to “…cooperate in curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.”
When the SCO code of conduct was placed before the United Nations in 2012, the US State Department issued a statement claiming that the draft code “would legitimize the view that the right to freedom of expression can be limited by national laws and cultural proclivities, thereby undermining that right as described in the Universal Declaration on Human Rights.”
But the US view has changed dramatically. Trump’s 2016 election fueled a form of partisan politics that exaggerated the impact of Russian influence operations on American society. As a result, ironically, every policy and doctrinal move the US has made since 2016 basically affirms the principles and norms in the SCO’s approach to information security:
The President’s 2017 National Security Strategy (NSS) and the 2018 National Defense Strategy contain multiple references to “political and information subversion” and “foreign propaganda that threatens our cultural and political values,” just as in the SCO Code of Conduct.
I see here a major shift in cyber norms. There is not only a nostalgia for territorialized media and its gatekeepers, but a loss of confidence in liberal democracy – that is, in the ability of people to separate truth from fiction in an open and free information environment. That loss of confidence is fueled by the left as much as the right. Pushed by various interest groups, including old media, the liberal state evinces a defensiveness, a feeling of vulnerability, to the dramatically scaled-up, global capabilities for information exchange created by the platforms.
The U.S. government’s reaction to TikTok’s success took these politicized fears to new and absurd heights. A frivolous app was declared a national emergency and demonized as a form of espionage, propaganda and censorship. The USG seemed either entirely unaware of, or unembarrassed by, their imitation of China’s methods of blocking apps.
While authoritarians look to the state to try to border their information space, the more liberal societies, increasingly, look to the platform operators to govern content – even as they claim that the platforms are too big, have too much power, are addictive, politically biased, or whatever. And so we get shifty forms of public-private power which will, in my view, cement the dominance of established platforms and subordinate their content decisions to geopolitical competition.
In the U.S., the private platforms’ detections of “coordinated inauthentic activity,” seem to mirror their own nation-state’s geopolitical adversaries: Iran, Russia and China. That becomes problematic when the platform is global and reaches into the populations of other states. A number of initiatives are globalizing content moderation, such as the Christchurch Call, the Global Internet Forum to Counter Terrorism, and an OECD initiative to standardize the reporting of terrorist content. Both the EU and the CC Call seem to be pushing for mandatory upload filters, an algorithm-driven prior restraint on speech that will be riddled with false positives. Even as antitrust authorities target the platforms, the same governments leverage and reinforce their dominance to advance their content regulation objectives.
There is a tension between global cyberspace and territorial sovereignty, and that tension is a major driver of problems in internet governance. The factors driving this struggle are structural; although Trump inflamed these problems they are not caused by him, they did not start with him, nor will they go away with his absence.
Cyberspace is a global commons that requires loose, cooperative and decentralized forms of governance to maintain its key benefits. We need to nurture and preserve this resource, not destroy it. Calls for digital sovereignty or any other form of sovereignty over it will in fact destroy it.
To securitize ICT is to plunge the global info economy into an anarchic war of all states against all others, it takes us down a rabbit hole that can only lead to hierarchical dominance, whether dominance over a digital island or the dominance of a global sovereign.
The future of liberal democracy may very well depend upon how we handle the internet governance problems, and that in turn relies on finding effective governance institutions that are global, multistakeholder and supersede the sovereign state.
 ECJ Case C-347/10 2011, ECLI:EU:C:2011:562, para. 56