Cyberspace in geopolitics – International cybersecurity agreements
24 September, 2022, 7:00 pm
We continuously bemoan the fact that Big Tech has become larger than most countries and wield global power that would be incomprehensible in the past decades.
China has recognised this as a threat to their authoritarian regime and has reined back their wild cowboys of entrepreneurship and capitalism like Jack Ma of Alibaba and other Chinese billionaires from the technology revolution of the past two decades.
Earlier this year, Bruce Schneier and Wheeler in an article for The Cipher Brief articulated some of the conflicts between corporate financial interests and international cybersecurity agreements. Some of their salient points are summarised below.
The Paris Call for Trust and Stability in Cyberspace was an initiative launched by French President Emmanuel Macron during the 2018 UNESCO’s Internet Governance Forum. It’s an attempt by the world’s governments to come together and create a set of international norms and standards for a reliable, trustworthy, safe, and secure Internet.
It’s not an international treaty, but it does impose obligations on the signatories. It’s a major milestone for global Internet security and safety. Corporate interests were all over this initiative, sponsoring and managing different parts of the process.
As part of the Call, the French company Cigref and the Russian company Kaspersky chaired a working group on cybersecurity processes, along with French research centre GEODE. Another working group on international norms was chaired by US company Microsoft and Finnish company FSecure, along with a University of Florence research centre.
A third working group’s participant list includes more corporations than any other group. As a result, this process has become very different than previous international negotiations. Instead of governments coming together to create standards, it is being driven by the very corporations that the new international regulatory climate is supposed to govern.
This is wrong. The companies making the tools and equipment being regulated shouldn’t be the ones negotiating the international regulatory climate, and their executives shouldn’t be named to key negotiation roles without appointment and confirmation.
It’s an abdication of responsibility by the US and other mainly Western governments for something that is too important to be treated this cavalierly. On the one hand, this is no surprise. The notions of trust and stability in cyberspace are about much more than international safety and security.
They’re about market share and corporate profits. And corporations have long led policymakers in the fast-moving and highly technological battleground that is cyberspace.
The global Internet has always relied on what is known as a multistakeholder model, where those who show up and do the work can be more influential than those in charge of governments.
The Internet Engineering Task Force (IETF), the group that agrees on the technical protocols that make the Internet work, is largely run by volunteer individuals.
This worked best during the Internet’s era of benign neglect, where no one but the technologists cared. Today, it’s different. Corporate and government interests dominate, even if the individuals involved use the polite fiction of their own names and personal identities.
However, we are a far cry from decades past, where the Internet was something that governments didn’t understand and largely ignored.
Today, the Internet is an essential infrastructure that underpins much of society, and its governance structure is something that nations care about deeply.
Having for-profit tech companies run the Paris Call process on regulating tech is analogous to putting the defence contractors Northrop Grumman or Boeing in charge of the 1970s SALT nuclear agreements between the US and the Soviet Union.
This also isn’t the first time that US corporations have led what should be an international relations process regarding the Internet. Since he first gave a speech on the topic in 2017, Microsoft president Brad Smith has become almost synonymous with the term “Digital Geneva Convention”.
It’s not just that corporations in the US and elsewhere are taking a lead on international diplomacy; they’re framing the debate down to the words and the concepts. Why is this happening? Different countries have their own problems, but we can point to a few that currently plague governments.
First and foremost, “cyber” still isn’t taken seriously by most governments. It’s not real to the older military veterans, or to the even older politicians who confuse Facebook with TikTok and use the same password for everything.
It’s not even a topic area for negotiations for trade representatives. Nuclear or weapons of mass destruction disarmament, terrorism, climate change, illicit drugs or people trafficking is “real geopolitics,” while the Internet and cyberspace is still, even now, seen as vaguely magical, and something that can be “fixed” by having the nerds yank power cords out of a wall or blocking/filtering Facebook, or whatever App or even Internet access itself! There are degrees of control even.
In the US for instance, there seems to be a continuous power struggle at the heart of the US government involving cyber issues, between the White House, the Department of Homeland Security (represented by CISA), and the military (represented by US Cyber Command)
. Trying to create another cyber center of power within the State Department threatens those existing powers.
It’s easier to leave it in the hands of private industry, which does not affect those government organisations’ budgets or turf. Easier to blame when things go awry which is often the case until swept under the carpet and glossed over with investigations filed away after all the fuss has died down. After all it is rare to be front page news for more than a few days.
We don’t want to go back to the era when only governments set technological standards.
The governance model from the days of the telephone is another lesson in how not to do things.
The International Telecommunications Union (ITU) is an agency run out of the United Nations.
It is moribund and ponderous precisely because it is run by national governments, with civil society and corporations largely alienated from the decision-making processes.
Today, the Internet is fundamental to global society. It’s part of everything.
It affects national security and is already an intrinsic part of war as seen in Ukraine today. How individuals, corporations, and governments act in cyberspace is critical to our future. The Internet is critical infrastructure. It provides and controls access to healthcare, the military, water, energy, education, and nuclear weaponry.
How it is regulated isn’t just something that will affect the future. It is the future. Since the Paris Call was finalised in 2018, it has been signed by 81 countries – including the US in 2021 – 36 local governments and public authorities, 706 companies and private organisations, and 390 civil society groups.
The Paris Call isn’t the first international agreement that puts companies on an equal signatory footing as governments. The Global Internet Forum to Combat Terrorism and the Christchurch Call to eliminate extremist content online do the same thing. But the Paris Call is different. It’s bigger.
It’s more important. It’s something that should be the purview of governments and not a vehicle for corporate power and profit.
When something as important as the Paris Call comes along again, perhaps in UN negotiations for a cybercrime treaty, we call for actual government officials with technical expertise to be sitting at the table with the interests of their country at stake … not people with equity shares to protect. We can only hope that common sense will prevail.
As social and economic theorist Jeremy Rifkin observed on the political impact of the Internet today: “We have come to discover what we suspect is a new political mind-set emerging among a younger generation of political leaders socialised on Internet communications.
Their politics are less about right versus left and more about centralised and authoritarian versus distributed and collaborative.” God bless and stay safe in both digital and physical worlds.
• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on firstname.lastname@example.org