Table of Contents
Framework Background
In order to better understand and classify the idealized version of the internet and the real internet, as well as current activities and proposals, we suggest a two-tier analytical framework.
In this section, we provide the framework along with a description of its tiers and elements. In the following section, we then use the framework to construct a baseline idealized version of the internet and map todays internet reality, to capture the departure from the ideal. Once this baseline is established and the contrast is evident, future work can use the framework to systematically analyze individual nation-state policies and practices around cybersecurity and governance of the internet.
To be clear, this is not a model for the global internet itself; rather, we introduce an analytical framework for understanding the global internet, specifically geared towards helping policymakers with non-technical backgrounds understand the internet reality. The five aforementioned principles—freedom, openness, interoperability, security, and resiliency—are merely a lens, and as such, our perspective in creating the framework remains that of policymakers in liberal-democratic nation-states. In the larger context, highlighting the gaps between the ideal and the reality allows us to guide liberal-democratic thinking on internet governance and cybersecurity policy. For instance: What tensions exist within country X’s vision of the global internet? Are their current policies challenging or undermining this goal? What are nation-states like Iran doing under this lens? What are their thresholds for upholding or violating these principles—that is, what gaps do they tolerate between the liberal-democratic ideal and their reality? And so on.
In the larger context, highlighting the gaps between the ideal and the reality allows us to guide liberal-democratic thinking on internet governance and cybersecurity policy.
Our framework integrates softer governance issues such as politics, economics, national security, and international norms with harder architecture issues such as system resilience, protocol interoperability, and network security—factors often isolated from one another in existing internet analysis.1 Nation-states like China and Russia have set up bureaucratic structures to integrate these ideas,2 and liberal-democratic nation-states should as well. Further, we believe this integration—that is, a comprehensive and intersectional view of the global internet—will guide the most effective policy creation.
Governance Tier
The first tier (the Governance Tier) breaks out influencers of the internet into four categories: laws and regulations, social norms, standards, and markets. This tier largely examines legal, societal, and economic code rather than technical code.
The Governance Tier is an adaptation of Lawrence Lessig’s regulators of behavior in cyberspace3—which he identifies as laws, standards/social norms, and markets. His approach is theoretically effective for strategic and policy analysis, but Lessig groups together standards and social norms, two factors which have developed increasingly different roles over time. Standards, developed and maintained by such organizations as the ITU, the Institute of Electrical and Electronics Engineers (IEEE), and the Internet Engineering Task Force (IETF), are formal protocols for device and network activity. They are increasingly necessary to access the global internet; those who do not comply with IP address rules, for instance, will not be able to access Netflix.
The Governance Tier largely examines legal, societal, and economic code rather than technical code.
Social norms, in contrast, differ from standards in both design and enforcement. Norms face the challenge of soliciting and encouraging nation-state agreement—going through mechanisms of the United Nations, for instance, rather than simply saying “comply and connect, or do not comply and stay offline.” Incentivizing agreement with norms often is not as black-and-white as it often is with global internet standards.4 Further, internet norms are typically far less technical than internet standards. For example, IEEE 802.11, the set of standards for wireless local area networks (WLANs),5 has extreme technical specificity in contrast with a norm such as not interfering in the “internal affairs” of other nations through the internet.6 Thus, separation between standards and social norms is necessary but nonexistent in Lessig’s model.
We therefore have our Governance Tier of laws and regulations, social norms, standards, and markets.
Governance Tier
| Dimension |
|---|
| Laws and Regulations |
| Social norms |
| Standards |
| Markets |
Architecture Tier
The second tier (the Architecture Tier) describes different layers of internet architecture, using an adaptation of the well-known OSI (Open Systems Interconnection) model.7
The OSI model is composed of seven layers:
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
The OSI model is a popular tool for understanding the processes behind the global internet itself, such as IP routing and packet transmission. However, OSI has a problematic omission: content.8 Although content (information) is not necessarily distinct from presentation (code becoming readable characters, aka data) on a technical level, it must be separated in policy and cultural contexts. Different countries have fundamentally different understandings of terms like “information security,” because their fundamental understandings of online information are different—regardless of any technical similarities between systems.9 Britain, for instance, may use the phrase “information security” in reference to data and network security, whereas Russia may use the term in reference to controlling the flow of information and general public discourse itself.10 Thus, the particular importance of online information merits a comprehensive analysis of content as its own element.
We refer to these components as elements rather than layers to make clear the interplay between each component. The network cannot route traffic without the support of data link and transport protocols just as there is nothing to send without applications and content. “Layer” seems to denote physical separation between components, and we aim to show differently. We also combine OSI’s Application and Presentation layers into a single Application and Presentation element, as the distinction is not necessary for our purposes. Minimal policy decisions occur around character code translation (OSI’s Presentation layer) but many do occur around applications (e.g., encrypted messaging apps like Telegram and Signal).
We therefore have our Architecture Tier of Content, Application and Presentation, Session, Transport, Network, Data Link, and Physical elements.
Architecture Tier
| Element |
|---|
| Content |
| Application and Presentation |
| Session |
| Transport |
| Network |
| Data Link |
| Physical |
The Whole Picture
Of course, governance and architecture, while sometimes distinct, can and often do overlap. For example, laws or regulations about the legality of some content (Governance Tier) will necessarily implicate the internet’s content element (Architecture Tier) as well as its network element (Architecture Tier). Likewise, markets (Governance Tier)—especially local language information markets—also implicate the content element (Architecture Tier). The separation of tiers, and the separation of dimensions and elements within those tiers, does not mean that each component operates in isolation. Rather, their separation allows for a useful analytical framework for understanding the forces shaping the internet we see today.
Citations
- For more on the exclusion of politics, economics, and other types of influence from digital and internet analysis, see: Laura DeNardis, “The Global War for Internet Governance,” 2014, 8; Jacques Bughin, Tanguy Catlin, Martin Hirt, and Paul Willmott, “Why Digital Strategies Fail,” January 2018, source; Dan Schiller, “Geopolitical-Economic Conflict and Network Infrastructures,” 2011, source;, 90-107; and Dwayne Winseck, “The Geopolitical Economy of the Global Internet Infrastructure,” 2017, source.
- For instance, see: Jack Margolin, “Russia, China, and the Push for ‘Digital Sovereignty,’” December 2 2016, source for discussion on Russian and Chinese views of the internet playing into national sovereignty and regime stability.
- Lawrence Lessig, “The Laws of Cyberspace,” 1998, source, 2-3.
- This is not to say that internet norms are impossible to achieve or necessarily ineffective, as such assertions would be incorrect; rather, we believe this difference simply merits a distinction between standards and social norms that Lessig’s approach does not provide. For more discussion on international norms in cyberspace, see: Martha Finnemore, “Cybersecurity and the Concept of Norms,” November 30 2017, source; Tim Maurer and Kathlyn Taylor, “Outlook on International Cyber Norms: Three Avenues for Future Progress,” March 2 2018, source; and Tim Maurer, Ariel Levite, and George Perkovich, “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” March 27 2017, source.
- See technical specifications at: IEEE, “IEEE 802.11, The Working Group Setting the Standards for Wireless LANs,” n.d., source.
- See: United Nations General Assembly, “International Code of Conduct for Information Security,” January 9 2015, source, 5.
- This dimensional separation between “softer” elements of governance and architectural “code” conforms with Lessig’s notion of code as a separate regulator of cyberspace behavior. [See: Lawrence Lessig, “The Laws of Cyberspace,” 1998, source, 3-4.] Our framework, though, goes into detail of what that “code” actually means.
- The presence of a “content layer” is based on Jonathan Zittrain’s idea of a conceptualized internet layer that contains “actual information exchanged among the network’s users.” See: Jonathan Zittrain, “The Future of the Internet — And How to Stop It,” 2008, source, 67.
- Because information—both network data and the idea itself—plays such a critical role in nation-state crafting of international cyber policies, particularly in Russia and China, it is essential to leverage content as a mechanism for comparing different models of internet governance. For more information on the semantic differences surrounding such words as “cyber,” see: Julien Nocetti, “Contest and Conquest: Russia and Global Internet Governance,” 2015, source; Rogier Creemers, Graham Webster, Paul Triolo, Katharin Tai, Lorand Laskai, and Abigail Coplin, “Lexicon: 网络强国 Wǎngluò Qiángguó,” May 31 2018, source; and Keir Giles and William Hagestad II, “Divided by a Common Language: Cyber Definitions in Chinese, Russian and English,” 2013, source.
- And in this way, Russia’s government doesn’t just use “information security” in the context of cyberspace or the internet, but it also attaches deeply political and philosophical meanings to the phrase as well, in ways that relate to newspapers, radio, and television. For more on this, see: Julien Nocetti, “Contest and Conquest: Russia and Global Internet Governance,” 2015, source, 126; and Keir Giles and William Hagestad II, “Divided by a Common Language: Cyber Definitions in Chinese, Russian and English,” 2013, source, 3-4.