Looking at the ongoing militarization of the Internet, one could rephrase Rousseau’s famous incipit to The Social Contract: “Internet was born free and everywhere it is in chains”. In fact, the Internet is increasingly militarizing, and cyberspace has become the domain of choice for destabilising campaigns and hostile activities that would be unsustainable in the conventional domain.
Given the absence of a superordinate authority, the Internet has often been portrayed as anarchical in nature. Supporting this idea is the fact that cyberspace offers an unprecedented platform for humankind to interact globally with complete disregard for political borders and power politics. Moreover, the Internet allows public opinion a much greater control of governments’ doings, new forms of social protests, and empowers communities outside of the mainstream media. As such, one cannot but sympathize with Barlow’s ode to a cyberspace outside of states’ control, in his 1996 Declaration of the Independence of Cyberspace: “Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.”
In reality, however, Rousseau’s quixotic “State of Nature” is fictional just as much as Barlow’s alleged “statelessness” of the Internet. Whoever remembers the movie “War Games” from 1983 will know how, since the very beginning, the cyber domain was understood to be intrinsically insecure and yet increasingly critical in supporting even the most sensible tasks. Before the term “cyberspace” even existed, it was clear that its security was going to be crucial in military operations and that the distinction between what is “cyber” and what is “real” was going to be increasingly difficult to grasp. States had therefore an interest in Internet’s security from the outset, and their involvement only grew over time: the more the confidentiality, integrity and availability of data prove essential for national security, the more urgent it becomes for states to enhance their national cyber power, intended as the ability to achieve desired results in and through cyberspace while denying strategic, tactical and operational advantages to the adversaries. Hence the ongoing “militarization” of the Internet, by which we refer both to the struggle of sovereign states to assert their prominence in cyberspace vis-à-vis all non-state actors that populate cyberspace, and to the increasing relevance of military considerations in shaping national approaches to the stability of cyberspace.
This ongoing militarization, regrettably, is proving how much Barlow was wrong, and it is not making cyberspace any safer. In fact, quite the opposite: the more cyber power becomes an essential enabler of sovereignty, the more cyberspace develops as a contested domain where each player’s quest for greater security translates, at the systemic level, into a more unpredictable and volatile security environment. Cyberspace is ubiquitous: it is the nervous system that connects and increasingly enables the political, strategic, military, informative, economic, financial, industrial and infrastructural dimensions on a personal, local, national, transnational and international level. This entanglement and the growing complexity of these interdependencies multiply the risk of cross-domain escalations: a cyber-attack on critical civilian infrastructures or military command and control centres, or a major cyber-enabled information warfare campaign, could (in an admittedly unlikely but not impossible scenario) escalate into a concrete threat to strategic nuclear stability.
Efforts to develop globally recognized norms of responsible state behaviour in cyberspace have so far had little success, and optimists about their prospects should probably think twice, as the nature of cyberspace poses significant stumbling blocks to the development of an agreed-upon international framework. This has immediate consequences both on the stability of cyberspace and on the actual privacy and freedoms that Internet users may enjoy. Just like the emergence of international law did not put an end to wars, the development of international law applicable to cyberspace would certainly not end states’ active engagement in cyberspace – but it would certainly contribute to identifying the perimeter of states’ legitimate activities in cyberspace. The first obstacle to this advance is probably cultural: although cyberspace is more than 30 years old, we still approach it as a “new” domain. This is somehow understandable, as the digital revolution is unfolding at a pace that we all struggle to keep up with. Developing doctrines, policies, procedures, human skills and norms of behaviour takes time, and major developments in international relations have historically been associated with painful wars, for which (luckily!) we still have no cyber equivalent, yet. Moreover, the cyber domain is global, instantaneous, asymmetrical: attackers may strike at the speed of light from every network’s entry-point, taking advantage of virtually any vulnerability in hardware, software and operating procedures. Also, attacking in cyberspace costs much less than defending, because (and this a major stumbling block) threats typically strike under the threshold of the use of force and attribution is cumbersome: the Internet might be militarizing, but militaries alone can hardly retaliate, which in many ways complicates the picture. Another obstacle lies in the intrinsic difficulty in regulating among sovereign peers a domain which is populated by a multitude of non-state actors (OTTs and the ICT industry, hacktivists, criminals) whose operational capabilities may easily exceed those of many sovereign states. States try to assert their prominence in cyberspace through military or intelligence operations, the promotion of international normative approaches, national regulations or technological solutions, but the struggle is continuous and the relationship very complex. For instance: criminals are enemies, but may sometimes provide useful capabilities and plausible deniability to governments’ doings. The private sector is not only a competitor to states’ prominence in cyberspace: it is also where innovation happens and technological superiority materialises, and it is essential for states in order to mobilize cyber power. Therefore, in order to enhance cyber security at the national level, a comprehensive “whole of society” approach must be established, which in turn brings us back to our first point: cultural change takes time.
If the picture already looks gloomy, there’s a more fundamental question hampering the development of global norms, and therefore making a persistent fight among states in cyberspace unavoidable. As we explained in ISPI’s first Report of the Center on Cybersecurity, Confronting an ‘Axis’ of Cyber?, while the West sees the Internet as a “neutral” infrastructure where content cannot be constrained because “centuries-old battles over human rights and fundamental freedoms are now playing out online”, autocratic regimes view the Internet as a threat to their grip on power, and social media servers located outside of the government’s control as an intrinsic risk to their survival. This fundamental cleavage emerged more than twenty years ago at the United Nations, when, in 1998, the Russian Federation presented to the UN General Assembly a proposal for a resolution titled “Developments in the field of information and telecommunications in the context of international security”. The Russians wanted to discuss both cyber security and the limitations to destabilizing online content (revealingly gathered together by Moscow under the label of “threats to the information space”). The West refused to have that discussion, on the grounds, essentially, of its self-proclaimed moral superiority: if we want to safeguard an open Internet and freedom of expression, the West argued, it is not possible to negotiate information’s content. Ironically, more than twenty years later, the West is accusing Moscow of manipulating online content in order to destabilize the social order and democratic processes. Since then, five successive rounds of negotiations unrolled at the UN within the Group of Intergovernmental Experts on Developments in the Field of Information and Telecommunications. Some successes were achieved in developing a voluntary code of conduct for states in cyberspace – we will see what the ongoing sixth Group will be able to accomplish - but the cleavage between the West and autocratic regimes regarding the freedom of Internet content seems irreconcilable.
The Internet is therefore one of the privileged platforms of the ongoing Great Power competition. The immediate result is the diffusion at the global level of the principle of digital sovereignty, intended as the application of technological and normative solutions to uphold the ultimate responsibility of the state over national cyber infrastructures and data. This is not only a development we observe in China or Russia, that are both busy implementing technical solutions to allow the segregation of their Internet traffic from the rest of the world’s. The ongoing decoupling of the ICT supply chain can also be understood in this context, and this is certainly a process impacting heavily even in the West, as shown by the harsh debate about Chinese hardware and 5G connectivity. But there is more: in this ISPI Dossier we consider cleavages that are widening even amongst like-minded and allied countries, such as those resulting from the global normative patchwork created by different national legislations in cyber security, or the restrictions to the free flow of data because of privacy and national security concerns, or, even, the discovery of long-term computer network operations against own allies’ most sensible targets.
Since, in cyberspace, the weakest link is the most likely next target, every state has an international obligation to “do its part” by strengthening its domestic cyber resilience, and a national duty to build its relative cyber power. But cybersecurity is a team sport, and individual efforts will not suffice in order to safeguard a secure and free “cyber global common” for mankind. We might never see a cyber domain such as the one dreamt of by Barlow or even vaguely resembling Rousseau’s ideal “State of Nature”, but we need to avoid drifting in cyberspace towards a Hobbesian homo homini lupus that would justify Leviathans which areincompatible both with cyberspace stability and with the values the West needs to preserve.