In a recent expert survey, we examined the effect of Stuxnet on the Internet governance debate. One of the most common responses was that Stuxnet as well as the Snowden disclosures have contributed to a convergence of policy areas, policy communities, and policy agendas. (James Lewis writes about the role of agendas in another blog post for the Cyber Dialogue 2014.) This convergence will pose a growing challenge for anybody involved in Internet policy processes. Each area and community has its own dynamics, values, and political objectives. As they continue to merge, the politics of each risks getting in the way of policy for all.
A first result of this convergence has been the proliferation of conferences and events relating to Internet governance, cybersecurity, and Internet Freedom. Not a week goes by without a conversation with people trying to figure out what event to prioritize or to consider “useful.” This imposes a direct cost on people’s scarce resources, both travel budgets and time.
An even greater challenge is that different communities use the same terms with different meanings. “Cyber war,” “cyber attack,” or “cyber weapon” are among the usual suspects. Until recently, the communities were fairly distinct, each using vocabularies and shared understandings that developed over time within that specific group. As these communities are now increasingly converging—on panels, when consuming each other’s writings, and in diplomatic negotiations—they will need to invest additional resources in making sure they understand each other in the first place before they can try to come to an agreement. This will increase the overall cost of policy discussions and the cost for finding agreements.
An illustrative example is export controls and the term “cyber weapon.” On the one hand, some human rights advocates are using the term “cyber weapon” to refer to censorship and surveillance technology and calling for updated export controls. On the other hand, some security professionals are using the term “cyber weapon” to refer to malware such as Stuxnet. As both communities use the same term, important nuances get lost such as the difference between data exfiltration and data manipulation or the difference between physical and virtual effects. Those nuances matter to develop useful policy.
When the Wassenaar Arrangement, a multilateral export control regime for dual-use technologies among others, announced new export controls relating to “intrusion software” in December 2013, the Financial Times viewed it through a security lens, calling it “Cyber war technology to be controlled in same way as arms.” Privacy International wrote about the same development through the human rights lens, referring to an “International agreement reached controlling export of mass and intrusive surveillance technology.” (The Open Technology Institute is part of a joint surveillance project with Privacy International and Digitale Gesellschaft focusing on export controls.)
There is currently no multilateral export control regime with a specific human rights focus. The Wassenaar regime itself is about “regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.” The government of the United Kingdom, and the source of this new language on intrusion software, thought of “Advanced Persistent Threat software and related equipment (offensive cyber tools)” when it shared its ideas with the other 40 member states of the Wassenaar Arrangement. At the same time, the UK government has been under a lot of pressure from human rights groups to control the export of FinFisher. The new controls conveniently happen to address both.
These are only a few examples of the linguistic challenges which will make future policy discussions more complicated and harder to understand and reaching agreements more difficult. People will need to invest more time to listen to and understand each other to develop cross-community shared understandings and vernacular. There will continue to be very different opinions and positions, some irreconcilable, but at least people will not be talking past each other and will begin speaking the same language in the first place. More technically informed language, and a more technical approach to many of these debates in general could help mitigate some of these risks. Otherwise, the politics of language will get in the way of finding policy solutions.