Challenges for inter-governmental and multilevel governance of Cyberspace
Governing and securing cyber space is complex. It is not something one can do unilaterally, nor can it be solved through workshops. The solution requires a deep understanding of the issues and a degree of finesse.
INTRODUCTION
The very nature of cyberspace makes it difficult for a single organization to confront on its own. The circumstance of disruptive technology, globalization, multi-level Internet governance and polycentrism[1] break traditional domains-of-control, and entangle private, public, domestic and international levels-of-authority.
For centuries, territory has been by marked by borders, governed by sovereign states and the rule-of-law. Yet, cyberspace is global, and borderless. It is owned and operated by the private sector and defined by its digital natives.
“In North America, the Internet is, to a large extent, an unregulated phenomenon, but supported by a regulated infrastructure.”[2] Meanwhile, Cyberspace has undergone dramatic global disruptive changes in the past few years, particularly in highly-contested areas of the network. The “Internet and digital technologies [have] change[d] deeply the economics of regulation and more generally the economics of institutional frameworks.”[3]
A quarter trillion dollars in electronic funds transverse the networks in Canada every day. “Some estimates put the economic contribution of the Internet as high as $4.2 trillion in 2016. The Internet of Things (IoT) could result in upwards of $11.1 trillion in economic growth and efficiency gains by 2025. Upwards of one billion new users and 20 billion devices are forecast to be online within five years. To realize its full potential, the Internet of the future will need to be open, secure, trustworthy and accessible to all. The worst-case scenario is one in which the Internet breaks on our watch.”[4]
There are a couple of characteristics of cyberspace that many of us take for granted, but need to think through critically. First, is that cyberspace is a synthetic domain, but with a very real physical and human (social) presence. There is nothing that exists in cyberspace that does not leave a trace, which is quantifiable, capturable, and ultimately, subject to analysis. Second, that data resides, transits, or is created by physical devices that have, both a temporal, and a geographic component. Those three things can be correlated and together create a bordered, territorial Internet, even without the imposition or the changes in the governance environment to make it so. The border between human and machine ambient intelligence is eroding. Hence, the Internet-of-Everything.
“The Internet is the first thing that humanity has built that humanity doesn’t understand.”[5]
Intergovernmental, multilevel, polycentric governance dimensions of cyberspace
Cyber is a domain where the interests, values, norms and strategy of the Western liberal democratic vision of open networks and Internet freedom, is countered by alternative models posed by states seeking to restrict and control the Internet along nationalistic boundaries. These “multipolar politics and the prevailing status quo of strategic ambiguity hinder international cyber regulation.”[6]
There has also been a growing divide between national regulators, international standards bodies, the International Telecommunication Union (ITU) and the owner-operators of cyberspace. Discussions of Internet governance at the ITU have been attentive “to the question of domain names and complex power relationships in a decentralised network structure”[7] as a technical means to regain sovereignty. We now need to consider emergence of models such as polycentrism that “promote self-organization and networking regulations at multiple levels. This bottom-up form of governance is in contrast to the increasingly state-centric approach to both Internet governance and cybersecurity prevailing in forums like the ITU.”[8]
This, decentralization “guarantees its reliability, its efficiency and its ability to develop. [The Internet enables] worldwide connectivity that overwhelms existing regulations based on territorial jurisdiction and Government’s legitimacy. Digital networks allow bypassing nation-state based regulatory frameworks.”[9] This means that “any legislation can be [circumvented] through the Internet because no governmental agency would be able to efficiently supervise the exchanges of information among Internet users under their jurisdiction and between them and foreign third parties to guarantee the enforcement of existing laws.”[10] “The principle of State regulation … is no longer relevant because the problems they addressed change with the new technologies [that being] intellectual property rights… and convergence.”[11] Technological converge in the Internet-of-Everything collapses multiple regulatory silos.
The very definition of cyberspace is evolving faster than out ability to govern it.
Open media, big-data, ubiquitous mobile communications and the IoT are at the centre of national identity and governance. Yet, in many countries around the world, open access to the Internet is Balkanized, blocked, censored, shaped, controlled and denied.
Cyber Power
The centre-of-authority for cyberspace has migrated. It is less about imperial power and more about multinational corporations, non-government organizations, philanthropy, and social agency. “This trend toward Internet sovereignty is complicating efforts at enhancing cybersecurity and clarifying governance.”[12] However, telecoms regulation at home remains a blunt instrument; far more concerned with tariffs and Canadian media content rather than security, while ignoring complex global issues.
[In the absence of] concrete actions from actors across the ecosystem, we could end up in a world where states assert their sovereign control over the network, where private platforms control who benefits from the Internet, or where online criminals dominate the scene. - Global Commission on Internet Governance 2016
Governments are not the only actor, or even the most significant players in cyberspace. “Analyzing the debate between Internet sovereignty and Internet freedom through the lens of polycentric regulation, provides new insights about how to reconceptualize both cybersecurity and the future of Internet governance.”[13]
Western societies rely on infrastructure that is privately owned. Western governments therefore have no choice but to call on the infrastructure's management to perform actions necessary for national goals. Multinational companies will face conflicting demands from governments, likely made more severe by governments' increasing efforts at extra-territorial reach.[14]
The Realpolitik of cyber power is not just about regulatory governance framework. In the evolution of state and civilian cyber power the “oscillation in the balance of power may be peaking, but never before could a dozen people in their pyjamas meaningfully annul the monopoly on the use of force.”[15] There are cyber capabilities now wielded by the private sector for which there is no analog by nations. “The evolving cyber threat to the private sector, coupled with a lagging regulatory environment, has made the uptake of best practices haphazard. [Furthermore,] governance gaps hamper efforts to collaboratively manage cyber-attacks.”[16]
“States increasingly define cyber-territory by where their subjects go, whether by destination control in the Chinese style or by data control in the EU style.” [17]
Cyber Defence
In defence of cyber power, governments, would be expected to be responsible for protecting public and private assets on the territory of the state from external aggression, but in practice are not unilaterally capable of providing the required protection to citizens.
The tensions over information sovereignty have begun to challenge foundational tenets of policy. Nations and corporations are now playing in the same global competitive business markets and a shared risk environment.
The dynamics that shape challenges and relationships between states, and among non-state actors, is not merely evolving but mutating. Public policy needs to consider the complexities that cyber introduces into the equation. “Vying national approaches to enhancing cybersecurity can impede multilateral cooperation to secure critical infrastructure”[18]
A cornerstone of the global economy, cyberspace is an incubator “for new forms of entrepreneurship, advances in technology, the spread of free speech, and new social networks”[19] that drive economies and express principles. Securing critical cyber-infrastructure is pivotal.[20] Cyber creates a frictionless slope from competition to conflict.
Thus, the national cyber defence is challenged by the essentially borderless nature of the Internet. Governments have been hard-pressed to be at the forefront of this aspect of national defence by putting in place systems of mutual defence across all sectors of the economy. [21] Attempts at regulation in a complex system like cyberspace, is as challenging as regulating the weather.
CONCLUSION
The Internet-of-Everything (IoE) breaks the current siloed regulatory and legal frameworks. Best-practices, policy, programming, regulation, diplomacy and law are simply not ready for this.
That being said, “today's increasingly networked legislators, regulators, diplomats, business and civil society entities need a common mental framework, in terms of shared essentials of governance, and a vision of constitutionalisation, including normative principles, to safeguard both competition and public policy objectives, at a scale congruent to Cyberspace.”[22]
Operating complex systems require knowing what levers to pull, in what order and measure. “Governments should live up to the challenges of the information society and global networks, but focus on bottlenecks and exercise regulatory self-restraint.”[23]
When it comes to Cyber security, we have been admiring the problem for quite some time. The next-evolution of cyberspace is not without its risks, opportunities and moral hazards but the solution requires a genuine public private partnership.
Endnotes
[1] Polycentrism is the principle of organization of a region around several political, social, financial centres or cyber domains.
[2] Ibid. Conflict and good Governance in cyberspace Klaus W. Grewlich
[3] Multilevel Governance of the Digital Space. - Eric Brousseau, University of Paris X, Institut Universitaire de France, EconomiX, 27/07/05
[4] Global Commission on Internet Governance 2016
[5] Google Chairman Eric Schmidt
[6] Rex B. Hughes, NATO and Cyber Defence: Mission Accomplished? https://www.atlcom.nl/site/english/nieuws/wp-content/Hughes.pdf
[7] Conflict and good Governance in Cyberspace Multi-level and Multi-actor Constitutionalisation, Klaus W. Grewlich
[8] Toward Cyber Peace: Managing Cyber Attacks Through Polycentric Governance, American University Law Review, Scott Shackelford, August 20, 2012
[9] Ibid. Multilevel Governance of the Digital Space. - Eric Brousseau
[10] Ibid. Eric Brousseau
[11] Ibid. Multilevel Governance of the Digital Space. - Eric Brousseau
[12] Robert K. Knake, Council on Foreign Relations, Internet Governance in an Age of Cyber Insecurity 3 (2010)
[13] – Ibid. Toward Cyber Peace. Scott Shackelford
[14] CSIS 2018 Security Outlook, Chapter 5 – State power and cyber power
[15] Chapter 5 – State power and cyber power, 2018 Security Outlook Potential Risks and Threats – Canadian Security Intelligence Service
[16] Foundations of Polycentric Governance in Cyberspace, Cyber Attacks in International Law, Business, and Relations: In search of cyber peace. Scott J. Shackelford, Cambridge University Press
[17] Ibid. State Power
[18] Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A.F. L. Rev. 121, 141 (2009)
[19] Department of Defense Strategy for Operating in Cyberspace, supra, p. 1.
[20] Ibid.
[21] “Don’t Call Us” Governments, Cyber Security, and Implications for the Private Sector Tom Quiggin, Centre for International and Defence Policy, Queens University, 2015, ISBN 978-1-55339-356-6
[22] Ibid. Conflict and good Governance in cyberspace Klaus W. Grewlich
[23] Ibid. Conflict and good Governance in cyberspace Klaus W. Grewlich