Here in Sydney, Australia, where I’m attending a conference of CFR’s Council of Councils—a global network of prominent think tanks—a dialogue about the future of Internet governance has highlighted brewing controversy about the management of cyberspace. The conversation has convinced me that the Obama administration has a closing window of opportunity to safeguard international support for an open global Internet. It must immediately quicken dialogue with allies and partners to ensure that outrage over the NSA spying program does not result in the irreparable fragmentation of cyberspace.
By the end of this year, two major international meetings may crystallize international support for greater sovereign control over cyberspace if the administration does not rally like-minded allies in opposition to statist regulation of the Internet. Revelations of the NSA’s massive PRISM program have angered critical U.S. allies and partners and eroded trust in the United States as the leading champion of liberal world order. The loss of Western solidarity has come at a critical juncture, emboldening authoritarian governments seeking greater control over cyberspace. As a result of these self-inflicted wounds, the United States will find itself on the defensive this year at two critical cyberspace summits: in São Paulo, Brazil, in April, and in Busan, South Korea, in October-November. At stake is nothing less than the integrity of the global open Internet we have so long taken for granted.
This debate came to a head at the twelfth World Conference on International Telecommunications (WCIT) in Dubai in December 2012, where a majority of International Telecommunication Union (ITU) members—eighty-nine countries—supported an initiative backed by Russia and China to transfer to sovereign states greater control over the Internet. The United States and other Western governments opposed these moves as a blatant effort by governments to control citizen access to information and, in principle, crush dissent. The Dubai summit ended in stalemate, but momentum was clearly with the majority. (Even ICANN, in its Montevideo communique from October 2013, conceded that the future would include a greater state role in Internet governance.)
Since the dawn of the digital age, the United States had consistently supported an open, decentralized, and secure cyber domain that remains largely in private hands. Even before the Snowden disclosures, that vision was under threat, thanks to disagreements among governments on three fundamental issues.
- First, some world leaders are questioning whether the ITU ought to play a more active role in regulating cyberspace. To the degree that the Internet is “governed,” the primary regulatory body remains ICANN (the Internet Corporation for Assigned Names and Numbers), an independent, nonprofit corporation based in Los Angeles. The outsized role of ICANN—and the widespread perception of U.S. (and broader Western) control over the Internet—has long been a sore point for authoritarian states, as well as many developing countries, which would prefer to move cyber governance to the intergovernmental ITU.
- A second threat to the open Internet has been a surge in cyber crime—and disagreement over how to hold sovereign jurisdictions accountable for criminality emanating from their territories. Estimates of the magnitude of cyber crime range from large to astronomical. In 2012, NSA director General Keith Alexander put the annual global cost at $1 trillion. Most cyber crime is undertaken by nonstate actors against private sector targets for motives of financial gain. But national authorities have also been involved in economic espionage, both directly and through proxies. The most infamous case involves a unit of China’s People’s Liberation Army, which allegedly has been at the forefront of Chinese hacking efforts to steal industrial secrets and technology from leading U.S. companies.
- Third, the growing specter of cyberconflict—even cyber war—among nations threatens a secure and open Internet. Worldwide, dozens of governments are developing doctrines and capabilities to conduct “information operations.” This includes, of course, the United States, which has established a robust Cyber Command within the Department of Defense. Meanwhile, there is no international consensus on what constitutes a “cyberattack,” what responses to these incursions are permissible, and whether and how existing laws of war might be applied to cyberconflict.
The total absence of global norms governing surveillance and data protection in cyberspace only exacerbates these disagreements. The details of NSA spying have elicited outrage among many U.S. allies and partners, from Germany to Brazil. There is, to be sure, a whiff of hypocrisy in these complaints, not least in European countries that possess extensive cyber snooping programs of their own and have long cooperated with NSA efforts by supplying data on their own citizens. Like Claude Rains in Casablanca, they profess themselves “shocked, shocked” to learn that such things might occur. And yet the domestic outrage and resulting diplomatic headaches are real.
The Snowden revelations have called into question existing transatlantic arrangements for data sharing, including exchange of information on airline passengers, financial transactions, and banking deposits for anti-terrorism purposes. In response, the European Commission also threatened to suspend the “Safe Harbor” rule, which allows U.S. companies with European operations to transfer data on EU citizens outside the EU, though it ultimately abandoned the proposal. The European Parliament, meanwhile, drafted rules to make U.S. social media providers subject to “EU law rather than secret American court orders,” and impose massive fines for noncompliance. While these rules stalled in October, the Parliament is set to vote on March 12 on proposals to halt trade talks with the United States if the country does not increase protection for the private data of EU citizens.
All this has set off alarm bells within U.S. technology companies, which fear being shut out of an EU market of 500 million customers. On December 8, Apple, Google, Microsoft, Facebook, Yahoo, LinkedIn, Twitter, and AOL—eight companies with a total value of $1.4 trillion—published an open letter to President Obama and Congress supporting radical reforms to preserve global public “trust in the Internet.” The companies clearly worry that separate national rules of data protection will reduce their bottom lines. And President Obama’s January speech about reforming NSA phone surveillance did little to assuage concerns.
Specifically, Brad Smith, general counsel to Microsoft, called for a new “international legal framework—an international convention—to create surveillance and data access rules across borders.” The idea is to supplement the cumbersome network of bilateral Mutual Legal Assistance treaties with new, streamlined processes for authorizing real-time data sharing between governments. Such an arrangement would replace unilateral, unauthorized data mining with a cooperative framework among nations that better safeguards individual liberties.
Given the difficulties of negotiating a universal UN convention on the matter, Microsoft’s Smith proposes beginning with a negotiated agreement among like-minded governments—and gradually extending membership to others willing to embrace these norms. Such a coalition approach to multilateral cooperation has intriguing precedents. Two potential models include the Financial Action Task Force (FATF), created to combat money laundering, and the U.S.-led Proliferation Security Initiative (PSI), designed to interdict illegal transfers of weapons of mass destruction and related technologies.
It would be naïve, of course, to imagine that the United States and other countries will cease spying on one another, even—at times—on their closest friends. Still, some more common, explicit guidelines may reduce head-on diplomatic collisions in the era of Big Data mining.
Whatever the model, the time for the United States to act is now. In April, Brazilian president Dilma Rousseff, who has blasted PRISM as an affront to international law and national sovereignty, will host a major international summit to consider new global rules for privacy in the digital age. In late October, the International Telecommunication Union will convene in South Korea for its thirteenth summit. Atop the agenda will be expanding the ITU’s role—and that of member states—in governing the Internet. In both forums, the United States will be on the defensive. To avoid a debacle that irreparably fragments cyberspace, the Obama administration needs to shift to a “war room” footing, anticipate the raft of unproductive initiatives it might confront, and work behind the scenes to cobble together an international coalition committed to preserving the foundations of an open Internet.