As norms and governance for cyberspace have grown more problematic, the forums at which they are discussed have multiplied. Besides their recurrent discussion among the United Nations Government Group of Experts (GGE) on Information and Telecommunications, and at the Internet Governance Forum (IGF), these matters are now subjects for meetings both on international security and regulation of international communications. Recent venues have included the Organization for Security and Co-operation in Europe (OSCE), the Asian Regional Forum (ARF), the Munich Security Conference, the UN Institute for Disarmament Research (UNIDIR), the East West Institute’s Cyber security Summit and the World Conference on International Telecommunications (WCIT). These meetings have highlighted significant differences among states, with regard to the (a) the role of states in Internet governance; (b) tradeoffs between unfettered flows of communications, i.e., Internet Freedom, and national security; and (c) military operations, especially offensive actions, in cyberspace. The differences have prevented liberal, democratic states, on one side, and more authoritarian states, e.g., Russia and China, on the other side, from reaching agreements on the appropriate norms and model of governance for cyberspace. The meetings will nevertheless continue because (a) growing instability in cyberspace can undermine its contributions to global economic and social development; (b) the contributions are too vital for states to ignore this threat and (c) states consider these meetings opportunities to publicize, defend, gain support and bargain for their respective positions.
The Budapest cyberspace conference, October, 2012, provides a case of how these various concerns and contentions combined in a concrete event. It was the second intergovernmental conference stemming from UK Foreign Minister William Hague’s proposal at the Munich Security conference in 2011, for an international meeting to discuss “rules of the road” in cyberspace. However the first one in London, November, 2011, focused heavily on Internet Freedom issues, in response to the proposal for international cyber norms, which Russia and China had tabled two months earlier at the UN. That proposal, the “Code of Conduct,” calls for greater state centric governance of the Internet and states’ regulation of cyberspace within their territories, based on the principle of national sovereignty.
The Budapest conference’s agenda was broader and closer to Hague’s original vision. In addition to norms for cyber behavior, governance and Internet freedom, the discussions covered building capacity for cyber security, the respective roles of state and private sector in providing cyber security, the roles for regional organizations, and international cooperation in cyber crime investigations and prosecution. The attendance at this by-invitation-only event was in line with the liberal democracies’ multi-stakeholder model of governance for the Internet. The delegations represented about sixty nation states, including liberal democracies, authoritarian states and traditionally non-aligned ones; twenty intergovernmental organizations (IGOs), e.g., OSCE, European Commission, NATO; ICT vendors and carriers, e.g., Microsoft, Google, BT, AT&T, KDDI; human rights and other concerned civil society organizations, e.g., International Red Cross; Internet administrators, e.g., ICANN, the Internet Society; and academic institutions. However many Internet users were underrepresented, as some speakers noted by expressing the hope that more Asians and Africans would attend the next meeting, scheduled for Seoul in late 2013. The Chinese delegates seized upon the same point to dispel any claims of legitimacy the meeting might have and reminded other conferees at every opportunity that “China has more Internet users than any other country.”
President Toomas Ilves, the highest ranked official at the conference, outlined the positions of the Western democracies most forcibly. While calling for “the correct balance between Internet freedom and Internet security,” he declared that for Estonia, and presumably other liberal states, “no security, cyber security included, can be achieved at the expense of people’s fundamental freedoms.” Noting that cyber security must include protection of critical civil infrastructure from attacks by state and non-state actors alike, Ilves called for the private sector to take a role in such protection, but also for the state to act in case of markets failing to provide it. He cautioned that the impending WCIT could have implications for Internet freedom, especially if it supported a larger role for states in regulating cyberspace. He therefore rejected in advance any proposals at WCIT that would have the effect of reducing freedom of expression. Sweden’s Foreign Minister Carl Bildt, EU Representative for Foreign Affairs and Security Policy Catherine Ashton; and Amy Adams, New Zealand’s Minister of Communications iterated these positions, which were somewhat selective and limited in viewing the threats to cyberspace. For example, Minister Adams did not acknowledge New Zealand’s violations of its own laws against spying on its residents, in the matter of Kim Dotcom and Megaupload, and no Western speaker noted that offensive cyber weapons, such as Stuxnet, could have negative implications cyberspace and critical infrastructures.
China’s positions, as presented to the conference by Huang Huikang, the Legal Adviser to China’s Foreign Minister, can be summed up as the “three dislikes and the five principles.” China dislikes (a) other states’ meddling in a country’s internal affairs by supporting dissidents to its regime, under the pretext of Internet Freedom; (b) the militarization of cyberspace by the US; and (c) the United States’ and other western countries’ dominating the governance of cyberspace, while neglecting the need of developing countries for fairer allocations of cyber resources. Governance and norms for cyberspace should be based, instead, on (a) the right of states to determine policies for their respective national cyberspaces; (b) the need to balance the claims for free flow of information against their potential threats to national security and social order; (c) the peaceful use of networks and restrictions on cyber weapons; (d) the equal right of all states to the participate in the management of internet resources; and (e) international cooperation in dealing with network based threats to a state’s security.
The Russian speakers shared shares these principles, but were more defensive in articulating them. Vladislav Sherstyuk, Deputy Secretary of the Russia’s Security Council and an influence on Russian cyber policy, acknowledged that people should have freedom of speech and access to information online, but he emphasized the need for discipline in exercising those freedoms. He called for international cooperation in fighting cybercrime and for extension of existing UN provisions on transnational crime, but rejected the Budapest convention on cybercrime as potentially interfering with a state’s sovereignty. A Russian Foreign Ministry spokesperson tried to downplay the importance of the Code of Conduct by characterizing it as just a “start,” intended to move along the discussion of international cyber security, and all its provisions were open to revision. She added that the words used in discussions of cyber security do not matter and that states could use whatever words that wanted, as long as there was agreement on the desired outcomes. This apparent conciliatory remark, which Russians have also made at other venues, was regarded by Western diplomats as obfuscation. Chris Painter, the head of the American delegation, responded that “words do matter,” and that for Russians and Chinese the term “information security,” which appears in the Code of Conduct, has traditionally included suppression of objectionable content as much as preventing disruption or damage to information flows and resources.
India, the most important non-aligned state at the meeting, did not present its position on the state’s role in Internet governance to the conference, although it had previously proposed that a UN agency be created to supervise ICANN’s administration of the Internet. The delegation head Sachin Pilot, instead, focused on India’s efforts to build its cyber security capacity, by having the state work to create a pool of a half million cyber security specialists within the frameworks of public-private partnerships. However, shortly after the Budapest conference, India dropped its proposal in favor of continuing the present mechanisms of governance, provided that “third world countries” were better represented on the various ICANN advisory committees. At the subsequent WCIT, India was among the fifty-five states, which refused to sign the new International Telecommunications Regulations (ITRs), because they give the state-centric International Telecommunications Union (ITU) a role in supervising the Internet.
While governance and norms for the Internet are matters of considerable importance for transnational ICT vendors, most have refrained from taking having profile positions, since they often operate under the jurisdictions of states which differ on these matters. Microsoft was an exception to this pattern at the Budapest conference. It distributed a white paper which implicitly criticizes proposals tantamount to creating borders in cyberspace by noting that national boundaries often limit the effectiveness of public-private partnerships for cyber security in which it and other vendors the participate.
For example, different laws in different countries regarding rights of surveillance and access to infected computers have encumbered Microsoft’s responses to computer viruses at the global level. The whitepaper therefore proposes the creation of international public-private partnerships, observing that these can help ensure resiliency of infrastructures and agile responses by relevant organizations to complex cyber security events. Microsoft also endorsed the London, Budapest and Seoul conferences for providing a multilateral forum and inclusive process for discussion of cyber norms, and it is likely this view is privately shared by other vendors. As one TNC executive quipped, “my company is comfortable discussing these issues with various governments, but we would like to get a vote.”
As this review of the Budapest conference and the turbulence at WCIT suggest, the institutions of governance for the Internet will be hotly contested among states and bound tightly to questions of freedom in cyberspace. In summing up the conference, its official host Hungarian Foreign Minister Janos Martonyi framed the challenges for governance as finding the right balances, first for the claims for online expression and association against the need to protect people online from hate, terrorism and crime, and second for the openness, creativity and absence of borders in cyberspace against the legitimate claims of national sovereignty. Yet this summation ignores that democratic and authoritarian states’ respective visions for cyberspace might be so fundamentally different as to preclude compromises or bargaining. It also ignores the extent to which these issues have blocked progress among states and other stakeholders in dealing with other aspects of cyber security, especially the use of cyberspace for military operations and espionage.
About Roger Hurwitz
Roger Hurwitz is a Research Scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), a senior Fellow at the Canada Centre for Global Security Studies at the University of Toronto, and a founder of Explorations in Cyber International Relations (ECIR), a Minerva Research Initiative program at Harvard and MIT. A Ph.D. in computational social sciences, with application to international relations and communication studies, his research and writing include modeling conflict escalation and de-escalation, Middle East politics, measuring information flows, content analysis and hermeneutics. He has taught at MIT, Northeastern and the Hebrew University, and co-developed (with John Mallery) the White House Electronics Publication System, used by the Clinton administrations, and the Open Meeting platform for wide-area online collaboration. In addition to developing a research agenda for cyber norms, his current work includes the development of a computational system for cyber events data and ontologies, and modeling the complexities of cyber incidents.