July 26, 2018
Listen to the ongoing conversations on net neutrality, and you’ll notice that the United States, like other liberal-democratic countries, believes that, in the lexicon of policymakers, a free, open, interoperable, secure, and resilient internet can be a torchbearer for an open society—and democracy more broadly. But listen to China and Russia, and you’ll notice that they march to the beat of a different drum.
Rather than being a place to freely share ideas or to be secure in our interactions, the internet, as China and Russia largely tell it, is vulnerable to security threats and an inherent threat to state security. This is their justification for internet censorship, pervasive surveillance of communications, and tight control of information, all of which seek to manage the devastating effects online interactions can, and too often do, produce. Think of it this way: For Russia, China, and many others, it’s all about an internet that maintains sovereign state control.
What emerges is an interesting juxtaposition, a tale of two internets: one based on the principles of freedom, openness, interoperability, security, and resilience, and the other tightly attached to authoritarian strings. In this broader push for cyber governance, the United States, and countries like it, ought to pay attention to what’s happening. In particular, the state-controlled model of the internet seems to be increasing in popularity, shaping how the internet operates across the planet. If liberal-democratic countries don’t do more to challenge this trend, the reigning view of the internet may soon become one that’s deeply at odds with their vision of cyberspace.
While authoritarian models of internet control are unattractive to some countries, that doesn’t mean that China and Russia make incorrect assumptions about the nature of the worldwide network. The planet has increasingly been rocked by misinformation, disinformation, phishing attacks, ransomware, child pornography, and other harms—all fueled by the global internet. In this light, China and Russia’s pro-security approaches can seem more desirable than liberal-democratic countries’ approaches, particularly to countries still trying to create their internet policies.
But the challenges for the liberal-democratic method don’t end there. Part of the problem with using these five principles as the basis for foreign policy is that liberal-democratic countries don’t always uphold them. Put more bluntly, they often operate in ways that appear inconsistent with their foreign policy messaging. Take, for instance, the internet principle of openness, which in the United States has become synonymous with net neutrality—the notion that internet service providers shouldn’t throttle internet content. While authoritarians slow down foreign internet traffic and block VPNs, consistent with their state-controlled internet model, the United States repeals its net neutrality protection, violating its own principle of an open internet.
But an open internet—one whose infrastructure, regardless of who controls it, doesn’t discriminate or throttle traffic—is, in significant ways, contrary to modern internet security needs. Firewalls, for one thing, prevent dangerous communications from entering a network and are designed to restrict the open flow of information. We face an enormous security risk if malicious actors can get onto our home Wi-Fi or our company’s intranet. Conversely, blocking all traffic in the name of security would mean a completely closed internet, through which nobody can communicate at all—another unrealistic (and undesirable) extreme.
As liberal-democratic countries have begun to observe the security implications of the internet, in terms of both cybersecurity and the internet vis-à-vis broader security, policymakers have started to realize that not each of these five principles works in perfect tandem with the others. In other words, liberal-democratic policymakers may have to depart from absolutes of some principles—openness, interoperability, and freedom, for example—if the internet is to become more secure.
The United Kingdom is one case of a liberal-democratic country that’s acknowledged these tradeoffs. It’s begun filtering out security threats “at the border,” where something akin to a national firewall blocks out spam and malware from reaching citizens. While the global volume of phishing attacks has about doubled since the start of this policy, the United Kingdom’s share has been cut almost by half. Recognizing the importance of both internet openness and internet security, the United Kingdom has started to find a way to balance the two.
Contrarily, authoritarian countries have long recognized the implicit tension between things like openness and security, and have built their internet accordingly. For example, the Chinese government authorized the Golden Shield Project in 1998, when internet penetration there was less than 0.2 percent. The project later spawned the so-called Great Firewall, which serves to block internet traffic for the alleged purpose of security. As similar as this may sound to the United Kingdom’s filtering, the distinction between the two is significant.
The United Kingdom is filtering for data. Its focus remains on items like phishing URLs—i.e., when someone fakes a website address—and email spoofing—i.e., when someone impersonates a sender—while still allowing free discourse and access to foreign websites. To paraphrase Ian Levy, director of the National Cyber Security Centre, it’s all about harm reduction.
China, however, is filtering for content. It takes aim at things like protest speech that supposedly challenges its national interest and foreign news sites it says threaten the political objectives of the Communist Party, rather than preventing data breaches or minimizing device hacking. In short, China views “internet content as a potential threat to [its] political stability that demands tight controls,” and policy mechanisms emphasize controlling discourse over protecting citizens.
This difference raises very difficult technical questions about whether you can have internet architecture that recognizes and filters malicious data without fundamentally altering the content presented to internet users. (Hint: It’s unlikely that you can). Given the relationship between internet data and internet content, the question for liberal-democratic policymakers is one of degrees: How much are they willing to compromise openness in the name of security?
Of course, the tension between openness and security isn’t the only one. Also consider the principles of interoperability and security. If devices have an easier time exchanging information, that aids interoperability. But increasing the ease of device communication also means attackers can more easily hop from one device to another—and in turn harm security.
And yet, for all that friction, what also becomes clear on closer examination are some interesting interrelations. We see, for example, that freedom and openness are intertwined. Laws that restrict freedom can prompt restrictions of openness. Still, it’s possible to find some middle ground between the two: Nations like Iran throttle undesirable internet traffic rather than outright limit freedom through censorship. Indeed, it’s much more complicated than it appears.According to the Russian newspaper Kommersant, the Russian government is planning to introduce rules to the United Nations about how countries use the internet—a “cybercode for states.” This follows a history of Chinese and Russian norm-pushing on the international stage, frequently coupled with foreign investments, to ramp up influence in nations in which the internet is still a relatively underdeveloped phenomenon. This is an underappreciated battleground of cyberspace. So, as liberal-democratic countries pay more attention to the tensions inherent in their approach to the internet and grapple with the role of the state in securing it, the task becomes clear: ensuring that they don’t cede too much ground in the fight for the future of cyberspace.
For more information on internet realities, read the new report by New America’s Cybersecurity Initiative: “The Idealized Internet vs. Internet Realities (Version 1.0).”