As the world’s largest economies, western liberal-democratic countries have a critical strategic interest in sustaining cyberspace as an open and secure commons of information constituted around freedom of speech and access to information. They also stand to lose the most should it spiral into a hotly contested zone of crime, espionage, and warfare. What should be done?

This article originally appeared in The 2011 G8 Deauville Summit: New World, New Ideas published by the G20 Research Group.

In its short lifespan, the Internet has evolved from a laboratory experiment, to an entertainment medium, to a global immersive environment — called cyberspace — that encompasses all of society, economics and politics. It is the communications environment in which we are now embedded. Its constituent parts are widely conceived of as critical national infrastructure.

But alongside its rapid growth and penetration, cyberspace is now entering into a period of intense geopolitical contestation as a multitude of actors strive for competitive advantage over and through this new domain. Part of this contestation is being driven by a major demographic shift occurring in cyberspace as the center of gravity of cyberspace users moves from the North and West to the South and the East. Although cyberspace was born in the United States and other western countries, Internet users in places like China, India, Latin America, and Southeast Asia will soon dwarf these early adopting constituencies. Presently, the Asian region comprises 42 percent of the world’s Internet population (the most by region), but it ranks only sixth in terms of penetration rates at 21.4 percent.

With these new digital natives will come new ways of using cyberspace, and different strategic priorities, some of which will invariably clash with the status quo. To understand how cyberspace will look in years to come, we need to explore beyond DC and Silicon Valley, and into the streets of Shanghai, Nairobi and Tehran. For many of these new digital natives, cyberspace is perceived less as a digital agora than an opportunity to route around structural economic and political barriers and pursue individual and collective advancement.

The political jurisdictions in which these digital natives reside are entering into cyberspace at a difficult historical juncture than the early adopters. For the latter, cyberspace was governed according to a laissez-faire policy: a domain to be primarily “left alone.” The states of the developing world (many of them semi-authoritarian or authoritarian) have a much stronger tradition of state intervention into political and economic affairs, and see cyberspace as something to be shaped to preserve collective identity and shore up regime security.

While conventional wisdom has long assumed authoritarian regimes would wither in the face of the Internet (and some in the Middle East and North Africa appear to have done just that) many show resilience and capacities that belie the conventional wisdom. Tunisia and Egypt may have succumbed to Facebook-enabled protestors, but China, Vietnam, Iran, Belarus and others have successfully employed control techniques to penetrate and immobilize opposition, cultivating a climate of fear and self censorship. They are also asserting themselves more forcefully in international venues, like ICANN, the ITU, and the Internet Governance Forum, and using regional security forums, like the Shanghai Cooperation Organization, to coordinate their policies and seek international legitimation for their territorialized vision of cyberspace.

It may be tempting to portray the contest over cyberspace as a struggle between forces of liberation and control, pitting democratic versus authoritarian regimes. The reality is much more complex. For example, the tradecraft of cyberspace controls comes predominantly from Western firms servicing the exploding cyber security market, now estimated to be anywhere between $US80 and $US150 billion dollars annually. Products that provide advanced deep packet inspection, content filtering, social network mining, cell phone tracking, and even computer network attack capabilities are being developed by U.S., Canadian, and European firms, and marketed worldwide to regimes seeking to limit democratic participation, isolate and identify opposition, and infiltrate meddlesome adversaries abroad.

Like Eisenhower’s military industrial complex before it, this massive cyber-industrial complex is intimately connected to militarization processes in the west, and in particular the United States. The establishment of U.S. Cyber Command in 2010 helped trigger a major industrial shift in the defense industry and a fundamental force restructuring among allies that is still unfolding.

It also had ripple effects around the world among the United States’ adversaries. Unable to compete on the same level, these regimes seek comparative advantage by exploiting criminals and patriotic hackers to do their bidding instead. Major incidents of computer network attacks and espionage have been traced back to the Chinese and Russian criminal underworld. Both Indian and Iranian officials have gone on public record condoning hackers who work in the state’s interest. Not surprisingly, and in the absence of restraints to prevent it, the ecosystem of cyber crime is exploding, providing opportunities for enrichment for the new digital natives and blurring the worlds of crime, espionage and warfare. We are now witnessing a classic arms race in cyberspace that threatens to subvert the domain entirely.

As the world’s largest economies, western liberal-democratic countries have a critical strategic interest in sustaining cyberspace as an open and secure commons of information constituted around freedom of speech and access to information. They also stand to lose the most should it spiral into a hotly contested zone of crime, espionage, and warfare. What should be done?

First, a comprehensive strategy to protect the cyber commons should begin by linking the international consequences of domestic policies. If liberal democratic countries pass legislation that permits access to data for state security services without judicial oversight and protections for civil liberties, mandate their armed forces to mount clandestine cyber attacks, use extrajudicial means to disable websites, and put Internet “kill switch” powers in the hands of central authorities, then there is no moral basis for condemning those actions when they occur abroad.

Second, they should work to build a broad community of like minded-states for support around “rules of the road” in the cyber domain. Such rules should include the promotion of norms of mutual restraint, protocols for effective and efficient law enforcement sharing across borders, and vigorous opposition to the tolerance of cyber crime activities within territorial jurisdictions. Governments should not be able to hide behind the excuse of attribution challenges when malicious activities originate within their borders.

Third, such domestic responsibilities should include setting standards for the private sector around mandatory disclosures of security breaches, strong privacy protections built by design, and restrictions on the sale of technologies that assist regimes in the violation of human rights. If self governance mechanisms like the Global Network Initiative are insufficient then regulatory measures should be introduced instead.

Finally, liberal democratic states should be at the forefront of the promotion of non-state, decentralized and distributed security mechanisms, while actively resisting proposals that seek to alter the constitution of cyberspace through top-down, centralized government controls. Such nascent mechanisms already exist among transnational peer groups of networked computer security professionals and engineers, and academic based monitoring and research projects. But they need nurturing, financial support, and civic empowerment. Federated and decentralized security mechanisms suit not only the constitutive components of cyberspace that should be preserved, but the tradition of classic republican security thinking that underpins the liberal democratic project.

No longer will it suffice to approach cyberspace in a laissez-faire manner, assuming that leaving it alone will somehow produce benign outcomes. Cyberspace is a human-made domain, and subject to change and manipulation. Liberal democratic governments need a common domestic and foreign policy strategy that creates structural conditions to protect and preserve cyberspace as a secure, decentralized, and open commons. Otherwise, future historians will look back at the period of the late 20th/early 21st century as a brief window when such a commons materialized, but then withered in the face of militarization and short-sighted policies.

Ronald J. Deibert
Director, the Canada Centre for Global Security Studies and the Citizen Lab,
Munk School of Global Affairs, University of Toronto

This article originally appeared in The 2011 G8 Deauville Summit: New World, New Ideas published by the G20 Research Group.