How to Regulate the Internet Without Becoming a Dictator

A member of staff poses for a photograph at a workspace in the National Cyber Security Centre on Feb. 14, 2017 in London, England. (Carl Court/Getty Images)

A member of staff poses for a photograph at a workspace in the National Cyber Security Centre on Feb. 14, 2017 in London, England. (Carl Court/Getty Images)

On Nov. 16, 2018, U.S. President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act into law, which transformed the National Protection and Programs Directorate at the Department of Homeland Security into the Cybersecurity and Infrastructure Security Agency (CISA).

The change aims to bolster the United States’ defenses against physical and digital threats to critical infrastructure. The reasons for CISA’s creation are no mystery: Democracies are increasingly realizing that they cannot rely entirely on the unregulated market to protect citizens or even businesses from cyberharms. Now, the question for CISA is how to meet current threats while maintaining a free and open internet for Americans.

Democracies are grappling with the differences between the internet as idealized in their policy documents—with principles such as freedom and openness—and the internet in reality—an insecure, increasingly centralized, and increasingly restricted network. Democratic internet strategies face tensions that need to be resolved, including the need to find a balance between total network openness (which dangerously allows anything through) and total network control (an authoritarian model for the internet).

In 2016, election interference plagued the U.S. presidential election and other contests across Europe, and the devastating NotPetya ransomware wreaked global havoc. Cyberinsecurity is driving many countries toward a more authoritarian approach to the internet.

Cyberinsecurity is driving many countries toward a more authoritarian approach to the internet.

In a November 2018 resolution on cybercrime backed by Russia and adopted by the U.N. General Assembly, three of the biggest democracies in the world—India, Brazil, and Nigeria—voted with Russia and China, clashing with more traditionally open countries including Australia, Canada, Estonia, France, Greece, Israel, the United States, and Britain.

Individual countries have also participated in this trend toward increased surveillance. In the last six months alone, many strict, sweeping laws have been passed or proposed in the name of mitigating vulnerability and combating cybercrime, including in Vietnam, Thailand, Tanzania, the United Arab Emirates, and Egypt. Even India, the world’s largest democracy, has recently adopted some troubling tech policies.

New options are necessary, lest the authoritarian model for the internet—one in which the government exerts tight control over the internet in its borders—become a more appealing means of addressing cybersecurity threats than a relatively hands-off approach. One approach some cybersecurity experts have begun to advocate is the British example.

The United Kingdom has taken the view that its citizens and small businesses should not be expected to address cybersecurity threats on their own. As such, Britain’s approach offers an interesting philosophical take on the roles and responsibilities of governments for cybersecurity within their borders.

Governments can exert some influence over the internet within their borders without being authoritarian

Governments can exert some influence over the internet within their borders without being authoritarian

—if they act in a way that protects citizens from cybersecurity threats, such as identity theft or computer hacking—provided those actions are also backed by democratic laws and procedures that prevent the abuse of power (e.g., using cyberinsecurity as an excuse for censorship). This is a critical idea at a time when countries around the world seem to be shifting toward an authoritarian model of internet regulation under the pretense of maintaining internet security.

The U.K. National Cyber Security Centre is adopting a suite of new cyberdefense measures: For example, it recently implemented a government email security protocol, alongside new mechanisms of domain name system filtering, to stop attacks before they even approach end users. At its core, the goal is to block malicious domains and internet protocol addresses—from which 1s and 0s are sent across the web—before their data can reach U.K. citizens. By automating the detection and mitigation of smaller threats on public networks, more resources can be focused on greater risks (such as advanced persistent threats).

The British government also strengthened the Border Gateway Protocol (which routes internet traffic worldwide) and SS7 (the international telecoms signal protocol) to make malicious traffic rerouting more difficult. Such a step, historically taken by China, Russia, and other authoritarian nations, moves one country’s internet traffic through another’s borders, potentially allowing easier access to sensitive information.

These policies are part of Britain’s greater cyberdefense across public U.K. networks—specifically, “minimising the most common forms of phishing attacks, filtering known bad IP addresses, and actively blocking malicious online activity,” according to the country’s 2016-2021 National Cyber Security Strategy.

 

[“source=foreignpolicy”]