Analysis: Tensions

One of the primary values of this framework is its ability to highlight tensions inherent in the idealized internet. These inherent tensions partly explain some of the incoherence in liberal-democratic nation-state approaches to cyberspace policy. The absolutes of the five principles—freedom, openness, interoperability, security, and resiliency—may not be compatible with one another. For instance, a network cannot be completely open and completely secure.¹ However, the absolutes of these principles are not implemented in practice; in other words, they are not the reality, which in fact lies somewhere on a spectrum. Thus, there are tensions between these five principles which must be explored to determine the right balance. Some are starting to realize this fact, as demonstrated by a report from the U.S. National Security Telecommunications Advisory Committee, which in 2017 noted that “as networks become more open and interconnected, [the current] trust model can no longer be the sole foundation for Internet security.”² Others have begun to point to inherent tensions and problems with this approach as well.³ However, most liberal-democratic policymakers are still reluctant to consider the tensions at play. Here, we identify some such tensions and identify key considerations and challenges for liberal-democratic policymakers as they devise future cyberspace policies.

There is certainly some tension between internet security and internet openness, as we just referenced. Firewalls, email filters, and other components of a network defense are in fact designed to restrict the open flow of information for purposes of security. These technical interventions on the network’s architecture explicitly make infrastructure aware (or otherwise the opposite of oblivious) of the traffic traversing it. Even at the internet’s content level, allowing anything to be transmitted anywhere, by any user, empowers the spread of propaganda and disinformation in addition to child pornography and other illegal or undesirable information. This raises a key question for liberal-democratic policymakers: how closed are they willing to make the internet in the name of security? Some democracies, notably the United Kingdom, are beginning to realize the value in nationally-coordinated cyber defenses, in this case through national filtering of low-level threats like phishing emails.⁴ While authoritarian approaches to internet openness, like China’s Golden Shield and Great Firewall, similarly manipulate the openness of architecture to filter out malicious traffic, the operative difference is in the definition of malicious traffic—or essentially the instructions for the national firewall. This is a prime example of how liberal-democratic policymakers must examine the tensions between internet security and internet openness in order to find their ideal balance in policies and processes.

The resilience of data may similarly be in tension with security. Ensuring the persistence of all packets sent across a network enables a version of all worms, viruses, and other malware to indefinitely reside on the global internet. On the other hand, ensuring resilience of internet routers can prevent botnets like Mirai⁵ from disabling large components of a nation’s internet. Resilience harms security in the former case but supports security in the latter, indicating that different elements of the Architecture Tier may therefore expose different tensions or compatibilities between resilience and security. Again, no network is going to be entirely resilient or entirely secure. The objective, instead, should be striking an optimal balance between the two.

Interoperability can arguably help and harm security at once. Having interoperable communications (e.g., network protocols) can enable stronger security between devices and thus across entire networks and systems (e.g., through standardized encryption). Within single government or corporate systems, interoperability of devices and programs enables integrated security defenses such as packet filtering and secure data management. Conversely, wireless interoperability that enables device and network communication permits hackers to easily hop from one to device to the next, essentially using a single entry point to seamlessly cascade down a string of networks and devices. As smartphones and the internet of things (IoT) increase interconnectivity, for example, the risk of remote and/or data-based attacks that exploit interoperability also grows. This is by definition a tension as both realities exist in tandem. The interoperability of the global network is also what allows nation-states to attack one another from within their own countries.

Interoperability supports openness insofar as it enables the flow of data through neutral systems, and it supports resilience insofar as it allows devices, systems, and networks to rely on each other for resource protection and thus maintain constant availability. But to what extent does interoperability allow content restriction through centralized surveillance, thus harming the principle of internet freedom?

Freedom and openness are intertwined. Laws and regulations that restrict freedom of access to or expression of information will often be implemented via architectural interventions that limit openness. In other words, nation-states often approach the same organizations to censor content (restricting freedom) as they allow to violate net neutrality (restricting openness): ISPs and IXPs. Further, once an organization begins filtering content for purposes of censorship, it’s not a far step to scan the content for purposes of speed throttling or price discrimination (e.g., violating net neutrality). There is a clear distinction between the two in nation-states like Iran, which slow connections to foreign sites rather than censoring them entirely,⁶ but the challenges to freedom and openness are again closely related. This perhaps explains the frequent grouping of a free and open internet in liberal-democratic policy documents.⁷