The Decade that Shook the Open Web

If you’re old enough to remember the start of 2009, you might recall the optimism surrounding the open internet. How’s that going?

Well, it depends on who you ask.

Certainly, some of the positive predictions about the web have come true. The global internet has accelerated economic growth in many countries, and online-offline movements like #BlackLivesMatter, the Umbrella Movement, #MeToo, and #MarchForOurLives underscore social media’s potential to affect real change in the world. But a series of events since 2010, from large-scale cyberattacks to disinformation campaigns to revelations about global surveillance, have prompted many governments to question whether the benefits of a global and open internet are worth the potential costs.

Here’s a look at some of the events that shook the global internet over the last decade—and a preview of what might come in the next.

• Arab Spring (2010): Pro-democracy protests and revolts in Tunisia, Egypt, and many other Arab nations were aided in part by online organization through microblogs and social media like Twitter. While many democracies cheered the potential for social media to fuel democracy, Vladimir Putin and other dictators were less enthused: The Spring only deepened their convictions that the global and open web is a security threat.
• Snowden leaks (2013): National Security Agency contractor Edward Snowden leaked classified documents about U.S. global surveillance and hacking operations to journalists. Once published, European governments reacted with proposals to establish “technological sovereignty,” American civil liberties advocates decried the U.S. government’s surveillance programs, and Russia and China used the revelations as affirmation of their distrust of the open web.
• Ukraine grid shutdown (2015): On December 23, a power grid in Western Ukraine was hit with a cyberattack that temporarily shut down all operations, cutting power to thousands in the area. Ukranian and U.S. officials have since blamed Russia. The incident accelerated fears about the vulnerability of connected critical infrastructure, and what happens when a cyber-capable actor turns its guns against a smaller state.
• Mirai botnet (2016): Mirai, a self-propagating computer worm, infected hundreds of thousands of Internet of Things devices—from smart fridges to webcams—in the second half of 2016 and used them to launch massive Distributed Denial of Service (DDoS) attacks against internet website hosts. Many websites in the United States and elsewhere were rendered temporarily unavailable during these attacks, spurring fears about IoT device insecurity and the vulnerability of parts of the internet to temporary failure.
• U.S. election (2016): The Russian government interfered in the 2016 U.S. presidential election through hacking-and-dumping operations and information operations on social media. In the former case, documents were stolen and leaked from the Democratic National Committee and the Clinton campaign, and GOP lawmakers and organizations were also hacked (although no documents were leaked). In the latter case, the Russians used misinformation, disinformation, and the artificial amplification of real news to stoke division and spread falsehoods on Facebook, Twitter, and other social media platforms. On top of all that, Cambridge Analytica, the (sketchy) political consulting firm hired by the Trump campaign to target online ads, illicitly obtained Facebook user data to target social media ads—driving more attention to social media companies’ role in modern discourse.
• WannaCry (2017): A global ransomware attack perpetrated by North Korea, WannaCry, infected hundreds of thousands of computers in 150 countries, encrypting data and demanding a ransom to decrypt it. Global companies and consumer devices were hit hard, and over a dozen hospitals in the UK were shut down, resulting in billions of dollars in damage. But the ransomware attack wasn’t just financially devastating and threatening to human life—it also made use of computer exploits allegedly developed by the U.S. National Security Agency that were stolen and sold on the dark web. It became clear that no hacking tools were completely safe from theft and reuse.
• NotPetya (2017): Ransomware dubbed NotPetya—a modification of the earlier Petya malware—infected computers around the world. The large-scale cyberattack, since attributed to the Russian government, was concentrated heavily in Ukraine but also impacted other regions, as well as global companies like Maersk and Merck. It underscored at once the power of a single actor to halt many systems linked to the global web and the vulnerabilities of high digital interconnection. NotPetya also used (alleged) NSA exploits stolen in the aforementioned case.
• GDPR (2018): In May of 2018, the European Union’s General Data Protection Regulation went into effect. The regulation instituted a number of privacy and security requirements for processing personal data of individuals in the EU. This marked a major moment for the open web, as a coalition of democracies instituted major data privacy legislation and a range of companies—from small internet service providers to tech giants like Facebook and Google—were forced to comply.
• Huawei 5G (2018): The U.S. commenced a sustained diplomatic campaign to convince allies, partners, and other countries to ban Chinese telecommunications company Huawei from supplying their 5G telecommunications equipment. While met with resistance from other countries—and even contested within the United States—Washington’s push to ban Huawei 5G slots into a greater trend of countries scrutinizing their digital communications infrastructure supply chain, with an eye toward preventing espionage. It also represents how cybersecurity concerns can be weaponized for other geopolitical ends—in this case, as political leverage in a trade war.

Many other notable cybersecurity events took place during this period, from the United States’ agreement with Beijing on reducing intellectual property theft to the discovery of Heartbleed, a vulnerability in the widely used OpenSSL software library. However, the above events all underscore, in one way or another, the many risks of the open web—to privacy, to security, to truth, and even to democracy itself.

New America’s research has documented global rises in so-called internet sovereignty—countries exerting more technical and legal control of the web within their borders. While there are numerous factors at play in this gradual global shift, the aforementioned (and other) events from 2010 to 2019 undoubtedly influenced perceptions in many democracies—and elsewhere—that the global and open internet presents too many threats to remain untouched by governments. Liberal democracies’ mixed and sometimes contradictory responses to these incidents likely didn’t help.

As we look toward the next decade, it is more imperative than ever that democracies work to reconcile tensions in how they govern and reaffirm trust in the global and open internet. It’s worth considering, for instance, whether democracies can do a better job of balancing internet openness with internet security, rather than being too hands-off the web. Can they protect and uphold civil liberties online while also protecting citizens and businesses from cybersecurity threats?

Without substantive, democratic policy changes that do just that, the decade ahead may produce even greater suspicion toward cyberspace than the one now coming to a close.