IT Blog

Public Policy Quick Tips

Norms for the international management of cyberspace

The foundations of the internet are based in a small US military-funded research project called ARPANET in 1969. With the development of other complementary technologies since then, especially that of the internet protocol suite in the mid-seventies and the World Wide Web in 1989, ARPANET gradually morphed into what we know and use today as the internet. In the near half-century since ARPANET, 30 years since the world wide web and just over a decade since the iPhone, the internet has become ubiquitous. It has grown from simply a means of sharing information to permeating nearly every aspect of our daily lives. Today, the internet drives commerce, dating, communication, delivers education, facilitates transportation, enables essential citizen services and has become a means to store and share information by private individuals, corporations and nations across the world. The extent to which we now depend on the internet means that any disruptions to it can have far-reaching consequences in the lives of citizens, the economy and the security of nations. Despite the potential for such major disruptions, there is little coherence on policy at the national level and cooperation at the international level. Given how rapidly the technology has evolved and permeated societies across all nations, policymakers globally have had little opportunity to fully grasp the technology’s impact and formulate regulation, form comprehensive cooperative agreements and effective domestic and international bodies with the mandate and authority to facilitate and enforce such regulation and agreements. Much like land, sea and air spaces, cyberspace comprising of the internet and other interconnected communication technologies is also now a realm in which citizens’ identities live, nations’ economies thrive, and critical infrastructure runs. And much like the other spaces, governments must take an active role in securing and regulating cyberspace. However, unlike the other physical spaces, cyberspace has very little in the way of defined national boundaries and hence presents unique challenges for formulating regulatory policy.

A well-developed cyberspace is in every nation’s interest

Cyber technologies are near universal across nearly every nation in the world. By facilitating real-time communication across national and international borders, the internet has accelerated the globalization of workforce, services, and manufacturing. It allows rapid innovation through the sharing of information, and aids in reducing cost and speeding up production by leveraging specialized workforce from across the globe and distributing manufacturing, transportation and assembly. In today’s internet-driven interconnected world it is hard to imagine an economic domain that hasn’t had significant influence from cyber technologies. With an easy access to an immense range of consumable goods from the palm of one’s hands, ease of payment for such goods through digital payments such as credit cards, wallets and online banking and facilitating real-time communication between suppliers, manufacturers and sellers of goods, the impact of internet on commerce in the last decade has allowed economies to develop at an unprecedented scale and speed. Thanks to the internet and mobile computing devices, today one can shop, order a cab, have food delivered, learn new skills and demand better governance without ever leaving the comfort of their homes.


In many developing nations, including India, a widely available cyberspace has helped bring efficiencies in governance. Increasingly, governments are relying on these technologies to deliver citizen services such as issuing birth and death certificates, applying for licenses and sending government payments directly into constituents’ bank accounts. Cyberspace has also brought citizens closer to a truly democratic self-governance. Citizens now have almost real-time access to information. Before the internet, dissemination of information was controlled by large powerful institutions and the nature of the medium of dissemination meant inevitable delays before it could reach the people. Today, through many internet news feeds, online forums and active solicitation by governments on mediums such as Facebook and Twitter, citizens can access information, discuss issues and give feedback to policymakers in real-time. Individuals with access to the internet now each have a pulpit and a forum to connect. This has fostered participatory democracy in democratic nations and gave rise to the many colour revolutions in various oppressive nations.


For centuries, technological innovations in agriculture, manufacturing, communications, extraction of resources and transportation have fuelled market growth and have been instrumental in driving the dominance of nations. Those that were able to stay at the forefront of these technological advancements managed to emerge at various times as the world’s superpowers. Dubbed as the fourth industrial revolution, today we stand on the brink of a fundamental leap in technology through AI and 5G that will seemingly alter the way we work, live and interact. As we march ahead into this great unknown, the need for technological prowess in securing our nation’s future is now ever more acute.

Evolving cyber threats and the need for regulation and diplomacy

Information is only as good as it is trustworthy, but the pervasiveness of fake news, doctored images and videos is making it harder for people to trust the internet. Over the last two decades, the internet allowed information from being solely within the control of large powerful corporations and governments to being equitably available to all individuals with access to cyberspace. Lately, however, we are starting to see a gradual reversing of this trend. Large corporations and authoritarian nations are now positioned to consolidate and control the nature and content of what we see. As in many other domains, the internet started as a government initiative, but the commercial sector helped foster its rapid development. Over the last decade, these corporations have consolidated and the market for data and information is starting to look more like an oligopoly. They have little regulation other than their own terms of use and this puts them in the role of arbiters of content and speech. One must note however that these corporations are less interested in the politics or ethics of information as much as they are interested in making money. Given how deeply critical a well-functioning cyberspace is in the economic and political security of our nation, the question for regulators is if these corporations must be treated as utilities and in need of regulation or would we be better off with continuing to allow corporations to self-regulate in the interest of furthering innovation.


Nations around the world have recognized that they have an unshakeable reliance now on cyber technology for their national defence, economic growth and well-functioning of their critical infrastructure. This opens the door for cyberspace to be very much within the purview of adversarial conflict and therefore a need for nations to protect their cyber infrastructure. Several nations have now made cyber weapons for use in information gathering, vandalism, disruption or influence an integral component of their tactical toolkit. Cyber warfare on a nation’s critical infrastructure, such as disabling the electrical grid has the potential to cross into armed conflict. This alarming reality demands a diplomatic strategy, one that keeps the realities of competition and espionage between nations in consideration. As militaries continue to build up their cyber offenses, we need agreements to exercise restraint in their use particularly during peacetime. We also need formal and informal channels for dialogue and reduce the risk of miscalculation and errors in attribution in the event of a serious cyberattack that appears to come from an adversarial nation.

As cyberspace continues to permeate into nearly every type of commerce, banking and payments, it has created opportunities for financial crimes and illicit trade. Regulating the cyber world is difficult because it is neither owned by the government nor can a geographical boundary be placed on it. Unlike the open road where the government owns it and can decide where to put traffic lights, for a government to put traffic lights in cyberspace it must work with several other stakeholders – other governments, equipment makers, data companies, service providers and civil societies. Particularly with respect to security, while we place an expectation on the government to enforce security in other domains, for cyberspace security we must rely on public-private partnerships. Some nations believe that defence alone is not enough and to combat the threat of cybersecurity nations must adopt an offensive strategy. One notable example of such an offensive strategy is the US doctrine on persistent engagement which envisions relentlessly tracking bad actors and taking offensive action against them regardless of geographical boundaries.

Norms for managing cyberspace

Nations have always engaged in spying on other nations and attempting to curtail the economic and security infrastructure of their adversaries. Cyberspace is one more medium for them to continue to engage in such activities. Against this reality, it is important that as nations continue to build up their cyber arsenal, they must operate their offense in such a way that it does not violate other nations’ sovereignty or damage critical infrastructure. They need to formulate norms of behaviour as an attempt to get runaway competition under some management. Soft tools are not enough to influence state behaviour and effective deterrence must both overtly and covertly act against malicious behaviour by attribution in naming and shaming, and then when necessary, going further with punitive actions. A recent example of where such a tactic was employed effectively was when after the attack on OPCW by Russian agents, European nations came together with a sanctions regime to condemn and punish the bad behaviour.


In 2016 several countries came together to form the Global Commission on the Stability of Cyberspace. At the end of their 3-year mandate, the commission published a report that listed several recommended international norms for the stability of cyberspace. Their recommendations were based on 4 key principles – everyone has a responsibility to ensure the stability of cyberspace, all state and non-state actors must exhibit restraint and refrain from actions that would impair such stability, everyone is required to act together when stability is threatened and measures to act must respect human rights. Based on these principles, the Commission recommended eight norms. These norms deal with ensuring the stability and integrity of the core of the internet, refraining from interfering with political systems such as elections, referenda or plebiscites, preventing tampering of products and services that are key to the stability of cyberspace, refraining from commandeering of general public’s computing resources for the purpose of deploying botnets, creating systems to ensure transparent disclosure of vulnerabilities in computing devices, placing responsibility on makers of computing devices to ensure that their systems are free of vulnerabilities and taking timely and transparent action to mitigate vulnerabilities upon discovery, placing the onus on state actors to put in place adequate laws and regulations for the purpose of cyber hygiene, and ensuring that state actors act against non-state actors when such laws are violated. These recommended norms highlight two important realities – firstly, that the stability of cyberspace is not just a state subject, but rather a multi-stakeholder endeavour and secondly, simply defining norms is insufficient and there must also be adequate laws and regulations to enforce these norms and mechanisms to punish violators.


Nations have historically had legitimate contentions between themselves and it would be unrealistic to expect that they would not engage in cyber espionage. Despite this reality, there are many areas of cooperation in cyberspace. Illicit cross-border trade, human trafficking, child pornography and terrorism are some examples of evil that persist and thrive in the cyber world and areas where countries must work together to curb such activities.

Conclusion

At its advent, the internet started with the idealistic goal of democratizing access to information from around the world. Today, fake news pervades our social feeds, disrupts elections, screen addiction worries parents, and cyberattacks pose growing concerns about economic and national security. Like all other technologies in our history cyberspace too can be used for both good and evil. The last 30 years has been one of rapid, remarkable, organic and at times undesirable change. With AI firmly here to stay and 5G enabled hyper-connectivity right around the corner, the next 30 years will make the last decade look like child’s play. The question for policymakers around the world is can we ensure that this next tsunami is something that we can better prepare for than we have had in the past. A failure to establish effective regulation, mutually agreed-upon norms and international and domestic legal structures to enforce such norms carries with it a real risk of destabilizing the relative peace that we have enjoyed as a world in the last several decades.