An internationally recognized expert on cybersecurity, James Lewis is a senior vice-president and program director at the Center of Strategic and International Studies (CSIS) of the US. He has served as a member of the Commerce Department’s Spectrum Management Advisory Committee and the State Department’s Advisory Committee on International Communications and Information Policy, and a member and chair of the Advisory Committee on Commercial Remote Sensing. Lewis is the US lead for a long-running Track II Dialogue on cybersecurity with the China Institutes of Contemporary International Relations. His current research examines international security and governance in cyberspace, the relationship between innovation and technology, the future of warfare, and the effect of the Internet on politics.
Cyberspace sovereignty is defined as the authority, ability and duty of a government to manage Internet entities operating within its borders and cooperate with other network entities often in the form of law enforcement. The new National Security Law of China was passed on July 1, 2015 and for the first time, China explicitly made network sovereignty a national priority. On Dec. 16 of the same year, the Cyberspace Administration of China convened the second World Internet Conference in Wuzhen, Zhejiang Province. In his keynote speech at the opening ceremony, Chinese President Xi Jinping called on all nations to respect the cyberspace sovereignty of others.
A CSST reporter recently sat down with cybersecurity expert James Lewis to explore issues related to Internet governance and sovereignty.
CSST: Why did the US government agree that the concept of sovereignty is applicable to cyberspace?
Lewis: You cannot say states are responsible for their behavior in cyberspace if you do not accept sovereign control. A US diplomatic goal is to develop norms for responsible state behavior in cyberspace. Recognizing the concept of sovereignty places the discussion of international cybersecurity within the existing framework of commitments among states. We agree that responsible state behavior is the best way to obtain stability. That is why the US has twice agreed to the application of sovereignty in the UN Group of Government Experts in their 2013 and 2015 reports.
Along with this, there was also recognition that what we call cyberspace, or the Internet, is based on physical infrastructure located in sovereign territory. No one would argue that a nation cannot apply its own laws to things located in its sovereign territory. The new construct is that national sovereignty applies to the Internet and cyberspace, subject to a country’s international commitments.
Nations should not make laws for other countries. It is national governments that must make the rules for their own citizens. Some in China would say that the United States, as the “hegemon,” is always trying to impose its laws on other countries, but this fundamentally misinterprets American foreign policy. After 1945, the United States and its allies created rules and institutions designed to avoid another global war. Internet governance reflects not only a millennial ideology but this long-standing US policy on fundamental freedoms and the rule of law.
CSST: But those of a libertarian tendency are reluctant to agree with the government’s stance.
Lewis: There are things that we do not want governments to do—the idea of any country dictating Internet technology for state purposes is frightening. There are other things—overseeing a legitimate, accountable and representative governance system—where states are the best actors. Early thinking about the Internet underestimated the importance of the state in making the Internet secure and stable.
The commercialization of the Internet in the mid-1990s was accompanied by a powerful ideology—not a state ideology but one developed by thinkers on America’s West Coast. This ideology was shaped by millennial expectations that international relations would change to make borders and government less important, a strong “libertarian” streak among many Internet pioneers from Northern California, and by the influence of telecom deregulation efforts of the preceding decade, which saw many countries end government telecommunications monopolies and replace them with market-oriented policies.
This millennial ideology included a belief that the state would wither away and that private and non-governmental entities could exercise governance functions better than states. This was some of the thinking behind the creation of the Internet Corporation for Assigned Names and Numbers (ICANN), and the current governance model, which assigns responsibility to an amorphous “global Internet community.”
The model for Internet governance created in the 1990s was an experiment to see if a global community using informal processes could substitute for state representatives in making decisions and rules. The limitations of this experimental approach derive from a more complex argument on legitimacy. Legitimate governance requires the assent of the governed. Assent is expressed through elections open to all citizens. Nation-states are more likely to represent all their citizens than self-selecting private groups, and nation states are more likely to demand accountability from international institutions. Some would argue that there are states that do not legitimately represent their citizens, and that this makes non-state actors preferable as representatives. This is true, but on the whole, most national governments are more representative and more accountable to their citizens than non-state entities.
There is also a fear that recognizing national control will somehow fragment the Internet. Sometimes this is called Balkanization. This is unlikely because most countries recognize the damage to innovation and economic growth that comes from not allowing citizens to have access to the Internet is very great, and will try to avoid it. That said, there is a strong temptation in Europe and in China to use Internet governance as a way to gain national commercial advantage, leading to inefficient policies that could impoverish everyone. Data gains value when it flows across borders. We do not have an adequate system to govern these flows, but restricting them will harm growth and innovation.
CSST: How should the concepts of sovereignty and extraterritoriality be interpreted in the context of Internet governance?
Lewis: Sovereignty is not absolute, especially in cyberspace, given its “transborder” nature as an entity composed of interconnected high-speed networks. International agreements constrain sovereignty. In particular, the UN Charter, the Universal Declaration of Human Rights and the agreements establishing the World Trade Organization are all examples of where nations, including China, have voluntarily surrendered some of their sovereign authority.
A nation may wish to restrict certain online activity, and it is within its rights to do so subject to two caveats. First, it can control its own networks but not the networks of other states. If those other states choose to allow a website to show content someone else finds objectionable, it is their right to do so. A state can take action to block content on its national networks, but not to try for the extraterritorial application of national laws. Your citizens are subject to your laws, but citizens of other nations are not. Second, when a state has voluntarily surrendered sovereign authority in an international agreement, it cannot legitimately impose laws contrary to those international commitments. This explains the opposition to the proposed “Code of Conduct for Information Security” since most Western observers believe it is an effort to rewrite international agreements in ways that strengthen sovereign authority at the expense of existing international commitments.
The greatest danger is not Internet Balkanization but incompatibility as nations impose different and often conflicting requirements on global services. There is a risk that these will interfere with cross-border data flows and obstruct efficient communication in a range of business processes. Policymakers are tempted to create barriers to digital flows, including localization requirements, divergent data-protection rules and varying degrees of censorship. These initiatives, often intended to address legitimate policy concerns for law enforcement, privacy and security, create risks for economic growth by damaging the opportunities and efficiency a seamless global network can provide.
CSST: Is it possible for China and the United States to cooperate with each other in the realm of Internet governance?
Lewis: Global expectations about China have changed. China has more global responsibility than it had 10 years ago, which requires its policies to keep up. This can make partnership difficult. Many people also believe the United States follows a grand strategy to preserve hegemony, and this belief is a source of tension. Countries can have good relations without agreeing on everything, but it requires a degree of trust on both sides that is currently in some sense lacking from the bilateral relationship. Nevertheless, there is a strong pragmatic streak in both countries, which gives us a reason to keep an open mind about the future.
CSST: What are your expectations for the global application of Internet sovereignty?
Lewis: The Internet is a form of global infrastructure. Data networks create a new resource, driving growth in digital products and services—a fast-growing part of the global economy. The growth of the digital economy presents unique challenges. Policy and regulatory frameworks for localization, privacy, intellectual property and data protection are evolving rapidly, but taking disparate national approaches that undervalue connectivity will create incompatible islands. Economic growth will be hampered by a lack of coordination, inconsistent standards and differing principles. If we can find ways to apply sovereign controls in an even-handed reciprocal way—if we set greater economic growth from digital trade as the goal—we can find ways to apply sovereignty without strangling growth. This will require rules, institutions and common standards, just as what we have for global financial flows, including institutions like the IMF and the Basel Committee. But right now we have neither the mechanism nor the trust nor the shared values to achieve this. Therefore, finding ways to apply sovereignty to cyberspace will be an issue for years to come.