22 February 2019

How to Regulate the Internet Without Becoming a Dictator

BY JUSTIN SHERMAN

On Nov. 16, 2018, U.S. President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act into law, which transformed the National Protection and Programs Directorate at the Department of Homeland Security into the Cybersecurity and Infrastructure Security Agency (CISA).

The change aims to bolster the United States’ defenses against physical and digital threats to critical infrastructure. The reasons for CISA’s creation are no mystery: Democracies are increasingly realizing that they cannot rely entirely on the unregulated market to protect citizens or even businesses from cyberharms. Now, the question for CISA is how to meet current threats while maintaining a free and open internet for Americans.

Democracies are grappling with the differences between the internet as idealized in their policy documents—with principles such as freedom and openness—and the internet in reality—an insecure, increasingly centralized, and increasingly restricted network. Democratic internet strategies face tensions that need to be resolved, including the need to find a balance between total network openness (which dangerously allows anything through) and total network control (an authoritarian model for the internet).


In 2016, election interference plagued the U.S. presidential election and other contests across Europe, and the devastating NotPetya ransomware wreaked global havoc. Cyberinsecurity is driving many countries toward a more authoritarian approach to the internet.
Cyberinsecurity is driving many countries toward a more authoritarian approach to the internet. In a November 2018 resolution on cybercrime backed by Russia and adopted by the U.N. General Assembly, three of the biggest democracies in the world—India, Brazil, and Nigeria—voted with Russia and China, clashing with more traditionally open countries including Australia, Canada, Estonia, France, Greece, Israel, the United States, and Britain.

Individual countries have also participated in this trend toward increased surveillance. In the last six months alone, many strict, sweeping laws have been passed or proposed in the name of mitigating vulnerability and combating cybercrime, including in Vietnam, Thailand, Tanzania, the United Arab Emirates, and Egypt. Even India, the world’s largest democracy, has recently adopted some troubling tech policies.

New options are necessary, lest the authoritarian model for the internet—one in which the government exerts tight control over the internet in its borders—become a more appealing means of addressing cybersecurity threats than a relatively hands-off approach. One approach some cybersecurity experts have begun to advocate is the British example.

The United Kingdom has taken the view that its citizens and small businesses should not be expected to address cybersecurity threats on their own. As such, Britain’s approach offers an interesting philosophical take on the roles and responsibilities of governments for cybersecurity within their borders.

Governments can exert some influence over the internet within their borders without being authoritarian

Governments can exert some influence over the internet within their borders without being authoritarian—if they act in a way that protects citizens from cybersecurity threats, such as identity theft or computer hacking—provided those actions are also backed by democratic laws and procedures that prevent the abuse of power (e.g., using cyberinsecurity as an excuse for censorship). This is a critical idea at a time when countries around the world seem to be shifting toward an authoritarian model of internet regulation under the pretense of maintaining internet security.

The U.K. National Cyber Security Centre is adopting a suite of new cyberdefense measures: For example, it recently implemented a government email security protocol, alongside new mechanisms of domain name system filtering, to stop attacks before they even approach end users. At its core, the goal is to block malicious domains and internet protocol addresses—from which 1s and 0s are sent across the web—before their data can reach U.K. citizens. By automating the detection and mitigation of smaller threats on public networks, more resources can be focused on greater risks (such as advanced persistent threats).

The British government also strengthened the Border Gateway Protocol (which routes internet traffic worldwide) and SS7 (the international telecoms signal protocol) to make malicious traffic rerouting more difficult. Such a step, historically taken by China, Russia, and other authoritarian nations, moves one country’s internet traffic through another’s borders, potentially allowing easier access to sensitive information.

These policies are part of Britain’s greater cyberdefense across public U.K. networks—specifically, “minimising the most common forms of phishing attacks, filtering known bad IP addresses, and actively blocking malicious online activity,” according to the country’s 2016-2021 National Cyber Security Strategy.

National-level threat filtering seems to work: According to Britain’s 2018 update on the strategy, the government reduced the median time that phishing sites and compromised sites are physically hosted in the U.K. before they’re taken down. The global volume of phishing has increased by nearly 50 percent from mid-2016 to present, yet the share hosted in the U.K. has decreased by almost that same amount.

The global volume of phishing has increased by nearly 50 percent from mid-2016 to present, yet the share hosted in the U.K. has decreased by almost that same amount. Cyberharms impacting citizens are being reduced.

Philip Reitinger, the head of the Global Cyber Alliance and former director of the U.S. National Cybersecurity Center, noted last year that “we have to stop trying to teach people to farm in cybersecurity. We have to give them food.” In other words, governments need to lessen the burden placed on the individual to stay cybersecure.

For the 50 countries around the world that have yet to take decisive stances on their internet models—what my colleagues and I term the “Digital Deciders”—it may be unclear what the difference is between government defense from cyberharms in the U.K. and internet control in countries such as China. To understand why the U.K. model offers a way to protect citizens without exerting authoritarian influence over the internet, it’s imperative to break down this distinction.

Britain is a clear supporter of a global and open internet, which depends on principles including free speech, open access to information, and the expansion of global commerce. It clearly differentiates its stance from the sovereign and controlled internet model favored by countries like China, Russia, and Iran, which is characterized by such practices as the suppression of online dissent and the blocking of foreign news sites.

These countries have long filtered the internet traffic entering their borders—and heavily regulated, among other things, where data is geographically stored and who can post what—all under the justification of internet insecurity. Because the global network is only enabling the spread of harms, the logic goes, governments must exert tight control of the internet within their borders to limit the overall flow of traffic.

The U.K. strategy calls for the filtering of data rather than content, which is a crucial point of differentiation. Data in this case refers to 1s and 0s (“machine-readable” code), while information refers to what the data means to humans. In control of the former, the United Kingdom takes down phishing websites that are perpetrating malicious data—code that intends to damage digital systems or gain unauthorized access to information. In control of the latter, China impedes access to foreign news sites that are perpetrating what it deems to be malicious information—content that runs contrary to the objectives of the government. The technical end results are quite different; Britain’s strategy is aimed at reducing cyberharms, such as identity theft and computer hacking, as opposed to censoring and isolating a country’s internet.

Britain’s strategy is aimed at reducing cyberharms, such as identity theft and computer hacking, as opposed to censoring and isolating a country’s internet.

Even when democratic countries do filter for content, such practices are distinct from content filtering by authoritarians. China censors content that runs counter to its leaders’ goals, and Russia uses the domestic surveillance system SORM-3 to screen for political dissent. Democracies typically use content filtering for protecting child welfare and intellectual property, including, for example, the United States’ Children’s Internet Protection Act or Australia’s amended Copyright Act. These are not the same: The latter is meant to protect citizens and businesses from cyberharms that could result from the likes of IP theft or a child’s exposure to pornography.

By carrying out new strategies in cyberdefense, democracies like the United Kingdom set important standards for how other countries should operate while promoting a global and open internet. France’s recent international cybernorms proposal received relatively wide support for its agreement to promote a more secure cyberspace, as have similar proposals in the U.N. General Assembly that have, in recent years, received similar backing. The policies and messaging of these global and open internet supporters have important influence on the 50 Digital Deciders that are grappling with their approach to internet governance, including Singapore, Indonesia, Brazil, Mexico, and South Africa.

Of course, the feasibility of applying the British approach around the world is an open question. Implementation, after all, would differ by country depending on such factors as the centralization of a nation’s internet infrastructure, its governmental cybersecurity bureaucracy, and its existing laws. If wider implementation does not succeed, countries like China may capitalize on the internet defenses employed by the U.K. to point out that they were “right all along” and further twist future internet governance dialogues in their favor.

For instance, the United States has far more unique IP addresses within its borders than the U.K., which means the IP space is far less consolidated. This would likely make it more difficult to implement Britain’s assorted data-filtering mechanisms, since there is a wider range of web addresses the government would have to filter for malicious traffic. The United States also has the First Amendment, which the Supreme Court ruled in the 1990s in Bernstein v. Department of Justice could be interpreted to protect computer code as speech.

This is perhaps the central question at the heart of U.S. efforts to mimic the U.K. strategy. As Jane Bambauer argues, “Data is not automatically speech in every context,” but “any time the state regulates information precisely because it informs people, the regulation rouses the First Amendment.” It’s possible that filtering 1s and 0s to look for cybersecurity threats could be interpreted as infringement on this protection.

If the United Kingdom is correct that the best way to protect businesses and citizens from cyberthreats is to engage adversaries online, other democracies ought to explore this path. The authoritarian argument of controlling the internet in the face of cyberinsecurity is compelling—which is why the authoritarian internet model is spreading around the world.

In order to defend a global and open internet, and to better protect governments, economies, and citizens against cyberharms, other countries should emulate the United Kingdom’s approach. The central challenge for democracies is to figure out how they might interpret and adopt this strategy and to find an appropriate balance between total network openness and total network control that protects citizens and still preserves the benefits of a global and free internet.

No comments: