October 2018 The Digital Deciders
How a group of often overlooked countries could hold the keys to the future of the global internet
Robert Morgus, Jocelyn Woolbright, & Justin Sherman
Last edited on October 22, 2018 at 9:24 a.m. EDT Acknowledgments
We would like to thank Jason Healey, Trey Herr, Pavlina Ittleson, Adam Segal, and Ian Wallace for their thoughtful comments on earlier drafts, as well as all those who participated in our research survey. In addition, we owe a special debt of gratitude to Loren Risenfeld, Ellie Budzinski, and Maria Elkin, without whom’s help the data we collected would be far less useful. Finally, Tim Maurer, now of Carnegie Endowment for International Peace, was instrumental in the formulation of the ideas behind this report.
This paper was produced as part of the Florida International University - New America Cybersecurity Capacity Building Partnership (C2B Partnership).
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 2 About the Author(s) and local level, within the U.S. government and industry, and internationally. Robert Morgus is a senior policy analyst with New America’s Cybersecurity Initiative and International Security program and the deputy director of the FIU- New America C2B Partnership.
Jocelyn Woolbright was an intern with New America’s Cybersecurity Initiative and is a recent graduate of Florida International University.
Justin Sherman was an intern with New America’s Cybersecurity Initiative and a student at Duke University.
About New America
We are dedicated to renewing America by continuing the quest to realize our nation’s highest ideals, honestly confronting the challenges caused by rapid technological and social change, and seizing the opportunities those changes create.
About Cybersecurity Initiative
The goal of New America’s Cybersecurity Initiative is to bring the key attributes of New America’s ethos to the cybersecurity policy conversation. In doing so, the Initiative provides a look at issues from fresh perspectives, an emphasis on cross-disciplinary collaboration, a commitment to quality research and events, and dedication to diversity in all its guises. The Initiative seeks to address issues others can’t or don’t and create impact at scale.
About FIU-New America C2B Partnership
The Cybersecurity Capacity Building (C2B) Partnership is a partnership between Florida International University and New America designed to develop knowledge and policies aimed at building the cybersecurity capacity in the workforce, at the state
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 3 Contents
Introduction 5
Internet Governance and Today’s Context 8
Two Poles and Three Clusters 11
Sovereign and Controlled 13
Global and Open (albeit without consensus on how) 16
The Digital Deciders 18
Understanding the Clusters Through Data 20
Analyzing the Clusters 22
Sovereign and Controlled 13
Global and Open 24
The Digital Deciders 18
Conclusion 39
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 4 Introduction
Which futures [for the internet] seem to be more likely today? ... [C]ountless experts made gloomy projections for the next five years. Cyber risks will continue to rise significantly in the near future. Technological and process innovation might help some organizations, but overall there is little on the immediate horizon that suggests that cyberattacks will become less common. With the massive profusion of recent tension between major military powers, the trend is perhaps more towards a Clockwork Orange or Leviathan Internet.1
- Jason Healey and Barry Hughes
In 2015, Jason Healey and Barry Hughes created a model to project the impact that different versions of a future internet would have, principally focused on the economy. In their paper analyzing the model, Healey and Hughes describe a number of alternate futures. Among them were the Base Case—which continued general trends of the time resulting in an internet that is mostly global and open— and the Clockwork Orange and Leviathan internets—whose main features were fragmentation and national borders.2
Today, this global and open model is under pressure, and we risk drifting towards an internet that we do not want—a Clockwork Orange or Leviathan. Amidst a massive global dialogue about cyber norms—who should not attack what and how—we are losing sight of the forest in favor of individual trees. Though important, the grand prize here is not an agreement about not attacking hospitals or financial institutions. Rather, the prize is the norm that the internet should be a place that is global and open to the free flow of content, not narrowly sovereign and closed.
The ultimate trajectory of this process will depend just as much, if not more, on domestic developments around the world as sweeping debates at international forums. Put simply, what countries do nationally will have an international impact, while we often focus on the international governance, the internet as it affects people is the internet in countries. In parallel to domestic developments, countries will continue to do what they have done for decades and seek legitimacy and cover via international agreement and norms.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 5 The prize is the norm that the internet should be a place that is global and open to the free flow of content, not narrowly sovereign and closed.
In the debate over internet governance, three clusters of states have emerged. On one end of the spectrum sit a number of countries—spearheaded by the likes of Russia and China—that advocate for greater sovereign control over as series of interconnected but nationally distinct internets. On the other end of the spectrum sits a cluster of states that advocate for an open, global internet. Traditionally, both sides have argued for a global norm that fits their own national interest and that which they view to be in the interest of the rest of the world. The third cluster of states is what we refer to as the Digital Deciders—a group of states undecided or unconcerned about the best trajectory for the internet.
If we want to build our version of the internet—one where the internet is free, open, and global and sovereign internets are an anomaly—we will need to do a better job of building our coalition more broadly. The fear that a country will not be able to manage the looming LikeWars3 is one of the factors most likely to push individual states away from an open and global internet. As we alluded to in The Idealized Internet vs. Internet Realities, one of the biggest challenges for proponents of a global and open internet will be developing a model to manage security—both likewars and cybersecurity—while maintaining openness.4
This paper and the accompanying data tools are a means for diplomats to analyze these Digital Deciders in the pursuit of a better international strategy for cyberspace. The different rankings and data sets in this paper can shed light on things like who to prioritize for engagement and how to engage different countries. At the end of the day, the purest and openest model may not be the one to offer for emulation. As Healey and Hughes note:
Deciding how to steer between alternate futures to guide policy often results in a very basic problem of political philosophy worthy of Hobbes, Locke, and Rousseau: Is it better to avoid the worst cyber futures or to aim for the best? Of course, we want the best cyberspace for ourselves and our children, but when humanity has aimed for heaven, then missed, we have often wound up in hell.5
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 6 Being able to clamp down on hate speech, for example, may be in the best interest of a country and its people. It may be necessary, even desirable, to compromise some absolute freedoms in order to maintain security.
This paper proceeds as follows. In the next section, we provide a background and context for this broad debate. In the third section, we describe the three clusters of states that have emerged. In the following section, we provide a data tool to explore those clusters and the states in them in greater detail. We finish by providing our own light analysis of the data and what it means for policymakers.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 7 Internet Governance and Today’s Context
Internet governance is the simplest, most direct, and inclusive label for the ongoing set of disputes and deliberations over how the Internet is coordinated, managed, and shaped to reflect policies.6
- Milton Mueller
In April 2014, New America conducted a study on swing states in internet governance.7 Using the informal vote at the World Conference on International Telecommunications as a barometer, we identified two camps—one in favor of a multistakeholder governance model and the other favoring state control over the internet and the baggage that comes with it. In between these two camps was a group of potential swing states. Using a series of qualitative and quantitative metrics, we identified what we believed to be the top 30 most influential swing states in internet governance.
At the time of that publication, the world was still trying to make sense of new internet realities. But a lot has changed since early 2014.
Specifically, three trends have come to the forefront, each of which have impacted the state of internet governance around the globe:
1. Shifts in the broader political context and an uptick in the emphasis on sovereignty, on the internet and other aspects of international politics;
2. An increase in awareness of online disinformation, the awareness being something of a novelty in Western Europe and the Americas;
3. The IANA transition, which transferred administrative oversight of core internet functions out of the U.S. government.
These trends are driven in large part by a series of watershed events between 2014 and 2017. The 2013 leaks of classified material by Edward Snowden resulted in political leaders around the globe gradually comprehending and pushing back against the perception of pervasive surveillance. In 2014, this manifested in calls from many traditionally pro-global internet countries for greater sovereign control over their local internets and the way their data is stored and transmitted. 8 In March of the following year, the United States Federal Communications Commission issued the Open Internet Order, a bastion of hope for proponents of maintaining an open, global internet.9 To many in liberal democratic societies, an open and free internet would be instrumental in promoting democratic
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 8 interests around the world, but the very concept appeared to be under assault domestically.
In mid-2016, yet another watershed moment occurred. The seemingly around- the-clock work of Russian intelligence officers and “patriotic hackers” to distort reality in American politics opened the eyes of policymakers worldwide to the potential harms a fully open and free internet could pose to democracy itself.10 The parallel rise of populism in the United States and elsewhere, coupled with concerns about the collapse of liberal international order, saw many of the traditional open internet sword-bearers retreat into their shells. The U.S. and others began considering methods for blocking disinformation, mirroring the techniques of more closed states for stopping the free flow of information, and populism pushed back against free trade causing agreements that would bolster the free flow of information and data to suffer.11 States like Australia, the United Kingdom, and others have attempted to step in to fill the resultant political leadership vacuum, but only with mixed success.
An open and free internet would be instrumental in promoting democratic interests around the world, but the very concept appeared to be under assault domestically.
Then, in September 2016, as Russian trolls used the internet to sway an American election, the U.S. Department of Commerce completed its nearly two-decade long process of transitioning oversight over the Internet Assigned Names and Numbers Authority (IANA) to the Internet Corporation for Assigned Names and Numbers (ICANN).12 The transition, which was lauded as a victory for multistakeholder internet governance, did transition oversight to a more multistakeholder body than the U.S. government, but it also weakened the U.S. government’s ability to reliably advocate for a multistakeholder model at ICANN.
In the wake of these experiences, even the staunchest proponents of a free, open, interoperable, secure, and resilient internet began to construct domestic governance that emphasizes two concepts—security and resilience—at times to the detriment of freedom, openness, and interoperability. The U.K., for example, is in the process of building their own version of a national firewall capable of sifting out malicious traffic at national borders.13 Rumors persist about others
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 9 following suit. This is not necessarily a bad thing, but it does carry immense international implications with it.
Domestic and international governance efforts have always run in parallel, regardless of the politics at play. Authoritarians have long sought to use the international system and its institutions as means to legitimize or provide cover for domestic actions. Internet politics are no different from any other politics in this regard. In our 2014 Swing States report, we wrote about two primary “visions for Internet governance”—one a bottom-up, multi-stakeholder model, and the other a top-down model driven primarily by governments. At the time, the battle lines were relatively stark and certainly international. The burning question then revolved around the form “global internet governance” would take. In retrospect, it is the national or domestic governance that truly matters.
The two visions we described in 2014 still represent the prevailing ideologies for internet governance. What is perhaps different from 2014 is the unit of analysis. Where the focal point of the debate in 2014 was around the “right” way to model and govern the internet globally, the battle today is over how states should model their internets domestically. Rather than resolving, this debate has mutated. Today, some states have built governance structures and internets that increasingly gravitate towards one of two poles—Global and Open, or Sovereign and Controlled—often in alignment with other political interests.14 However, a far larger group of countries—the Digital Deciders—have yet to gravitate towards either end of the spectrum, some undecided and others seeking a third path.
Although corporate and civil society actors influence the trajectory of the global internet, the focus of this report is states. Despite early technoutopianism and technolibertarianism, the sovereignty of states remains reality. Companies and individual developers are not sovereign. States are increasingly setting the context within which these private actors operate. The opportunity for the clusters described in the next section lies in how they use that reality.
The Digital Deciders have yet to gravitate towards either end of the spectrum, some undecided and others seeking a third path.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 10 Two Poles and Three Clusters
It is tempting to romanticize Internet architecture and governance as innately embodying democratic values of equality, participatory openness, and multistakeholder oversight but there are several problems with this narrative. In a significant portion of the world, Internet governance control structures do not embody democratic values but involve systems of repression, media censorship, and totalitarian surveillance of citizens.15
- Laura DeNardis
Norms at the international level are likely to reflect actions at the national level around the globe. To that end, internet governance, as described by DeNardis above, is not one thing. It is a suite of issues including technical design standards, data retention and localization policies, and many things in between. Some of these issues should appropriately involve or even be driven by private stakeholders—civil society or industry. Others, though, still need to be driven by the state.
DeNardis’ words ring just as true today as they did in 2014. Two loose models for the internet and its governance exist. On the one hand, a predominantly free and open internet driven by a multistakeholder governance model; on the other, a sovereign and controlled version of the internet, where the state exerts authority over the architecture, often in the name of some form of security, usually resulting in a censored or unfree space. These two models represent poles of attraction. In reality, national-level internet regimes exist on a spectrum between these two camps with few—if any—fully embodying the extremes of either camp.
In order to depict this phenomenon, we use a simple plot consisting of two spectrums as the axes: one measuring internet openness and the other capturing the character of internet governance.
Openness means different things to different people. For the early internet pioneers, “open” referred to the principle that internet architecture should be agnostic to the traffic on it. What this would mean, in practice, is that architecture would not discriminate—block or throttle—different packets based on what was contained in them. However, openness in the political context has increasingly come to describe the content environment of a country’s internet. A fully open internet in this context refers to an internet absent of any censorship, throttling, or blocking—whether of content or any other type of internet traffic. As authoritarian countries push to legitimize censorship and democrats laud the power of the internet for spreading democracy, it is this second version of openness that has been placed at the center of the internet governance debate. It
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 11 is also this version of openness—content openness—that we map on our x-axis. On the far right, we have a completely open internet. On the far left, we have an internet whose content is completely moderated.
The character of governance is the extent to which the state has—or should have —a monopoly over internet governance in its country and is mapped along the y- axis. Full monopoly—where the government is a solitary decision maker on internet governance—is the bottom of the spectrum, whereas pure multistakeholderism—where each relevant stakeholder has a voice in governance decisions—is the top of the spectrum. A country where the state has a monopoly over all internet policy decisions, can dictate architectural changes and configurations, and sets standards would fall on the bottom of the spectrum. A country where control is partially distributed would fall near the middle of the spectrum. A country where control is equitably distributed would sit at the top of the spectrum.
The poles of attraction—sovereign and controlled and open and global—are the bottom left and top right of the graph, respectively.
To view the interactive, visit newamerica.org/cybersecurity-initiative/reports/digital-deciders
The exercise of plotting countries on these spectrums reveals a clear differentiation between two clusters of countries, with a few countries sprinkled throughout the middle. In the lower left-hand corner is a cluster of states that
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 12 take a heavy-handed approach to governing the internet and tightly control the content on that internet. The opposing cluster is slightly less well defined. Looking at the far right end of the plot we see a series of countries that generally favor an open internet, but their governance model is less starkly defined. In addition, the 2014 and present day comparison reveals that this second cluster of countries (on the far right end of the spectrum) have begun to creep closer and closer to the middle—a visual depiction of the challenges to the multistakeholder and open models we previously described.
No longer do the camps only represent models for global internet governance. Instead, these two camps represent distinct—but seemingly compatible—models for the internet itself.
This plot depicts the steady consolidation of states into two clusters, one in the Sovereign and Controlled quadrant of the graph and the other in the Global and Open quadrant, over the last four years. With this consolidation comes greater clarity of the impact of these models on the functioning of the internet. No longer do the camps only represent models for global internet governance. Instead, these two camps represent distinct—but seemingly compatible—models for the internet itself: one placing freedom and opportunity for individual users front and center, the other emphasizing sovereign control and managing threats to political stability. Yet, so long as interconnection continues to work—that is, filtering and blocking happens at the borders of national networks—these models may not break one another.
That these two clusters exist is not groundbreaking. What matters is where these clusters plot—the general trend down and to the left in our scatterplot—and where countries that do not yet fit into either of these clusters reside in relation to each cluster. To better understand these dynamics, let us first explore the principles and practices of each cluster.
Sovereign and Controlled
Whoever masters the Internet holds the initiative of the era, and whoever does not take the Internet seriously will be cast aside by the times.16
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 13 - Zhuang Rongwen, Chief of the Cyberspace Administration of China
In September 2018, newly appointed chief of the Cyberspace Administration of China (CAC), Zhuang Rongwen, published an essay outlining the Communist Party of China’s plan to “exert full control over the information flowing over China’s portion of the Internet,” according to a translation by DigiChina.17 For Zhuang, “Whoever masters the Internet holds the initiative of the era, and whoever does not take the Internet seriously will be cast aside by the times.”18 While some of the means proposed by Zhuang in his essay were novel, the end was not. This notion, that the state must master the internet to stay relevant, has been present in parts of the world for the better part of two decades.
This approach was embodied at the international level first in 2011 when a group of countries, including China, Russia, and several Central Asian Republics submitted a letter to the United Nations General Assembly (UNGA). The letter, which was resubmitted in 2014 with minor changes, opined on “the need to prevent the potential use of information and communication technologies for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the integrity of the infrastructure within States, to the detriment of their security” and sought to reaffirm “that policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues.”19 In short, as early as 2011, governments in Russia, China, and a group of allies sought to legitimize a consolidation of sovereign control over the internet through international institutions.
So what does this approach look like in practice? For the better part of five decades, the creators and stewards of the internet have expounded on the benefits of its statelessness—describing a solitary internet as challenging territorial borders, needing its own law and legal institutions.20 The Sovereign and Controlled approach challenges these notions, placing “more authority in the hands of the state,” and viewing “cyber activity as occurring within the jurisdiction of these states, rather than within a stateless data environment.”21 As Jack Margolin notes, for Russia at least, the sovereign approach to the digital space mirrors “the Kremlin’s conception of ‘sovereign democracy,’ a term used to justify Russia’s right to eschew certain democratic principles in the name of ‘stability’ and sovereignty in its own affairs.” Cyber-sovereignty challenges an “internationalist approach to norms of digital governance.”22 For China, arguably the leader of this pack, “Cybersecurity and informatization are a single body with two wings, the two wheels of a single drive, and require unified planning, unified deployment, unified promotion, and unified implementation.”23 While there is some variation between Sovereign and Controlled approaches, the model manifests with a number of generalizable traits with regard to governance process and character, as well as—particularly—internet openness.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 14 As early as 2011, governments in Russia, China, and a group of allies sought to legitimize a consolidation of sovereign control over the internet through international institutions.
First, with regard to governance process and character the cluster of states that have gravitated towards the Sovereign and Controlled end of the spectrum tend towards a statist approach to internet governance. In contrast to the popular multistakeholder governance movement from the mid-2010s, this statist approach to internet governance grants the state outsized—if not complete— decision-making power over governance. Crucially, internet governance impacts the internet’s architecture as well as the policies guiding corporations, developers, and users. Decision-making power may come via state-owned and operated corporations, public infrastructure, laws and regulations that legitimize state direction of private corporations, quiet agreements, or simple intimidation.
Second, these countries tend to favor a more closed version of the internet. Through legal and technical means as well as social norms and intimidation, the market for information on the internet is strictly controlled by the state. In China, this means the continued iteration on the Golden Shield project, which uses technical and human means to manipulate the Chinese internet’s architecture to filter out content deemed malicious by the state.24 Similarly, the Iranian state is able to control the few physical points of ingress for the internet in Iran effectively enough to block information at the borders.25
In part because of the nature of its internet architecture, the Russian model for information control departs from these technical means of censorship and, in a sense, the flow of online information is freer. Rather than employing heavy- handed filtering of traffic, the Russian government deploys a system called the System for Operative Investigative Activities (SORM), which allows the government to intercept and view all traffic on their networks.26 The presence of this pervasive surveillance coupled with strict laws regarding legal and illegal information and communications achieves a similar censoring effect to that of the Chinese “Great Firewall” or the Iranian “Halal Net”.
In his book, The Darkening Web, Alex Klimburg aptly outlines the Sovereign and Controlled model and provides an assessment of some of its pitfalls. To Klimburg, the “core notion of cyber sovereignty is on its surface beguilingly
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 15 simple: a state should be totally sovereign within its borders,” rendering it free from foreign influence or interference. According to Klimburg, this implicates both internet content in the country and the “logical and physical infrastructure on the local Internet segment,” what we refer to as the internet’s architecture. Sovereignty in this space, to its champions, is meant to help states “better protect not only its citizens from bad content but also the critical infrastructure and government systems from hostile outside forces.” For this to work, contends Klimburg, the sovereignty of states must be ”immutable and absolute,” and this is simply not the case.27 Compounding these fallacies is the notion that sovereign control over domestic internets could lead to breakdowns in the interconnection of the global network, impacting the way the internet acts and presents outside of those sovereign borders—a somewhat paradoxical reality. If your sovereign internet inevitably interferes with the functioning of mine, are you respecting my sovereignty?
The Sovereign and Controlled cluster of states plot at the extreme ends of both of our described spectrums and appear clustered in the bottom left corner of Figure 1.
Global and Open (albeit without consensus on how)
Americans sometimes took for granted that the supremacy of the United States in the cyber domain would remain unchallenged, and that America’s vision for an open, interoperable, reliable, and secure Internet would inevitably become a reality. Americans believed the growth of the Internet would carry the universal aspirations for free expression and individual liberty around the world. Americans assumed the opportunities to expand communication, commerce, and free exchange of ideas would be self- evident.
- National Cyber Strategy of the United States of America, September 2018
On the opposite end of the spectrum of content control sits a cluster of countries that gravitate towards the global and open end of the content spectrum, but have been volatile with regard to governance structures. This is the cluster of states we wrote about in our Internet Ideals vs. Internet Realities report and consists of a group of like-minded states that favor a global internet that embodies principles of openness, freedom, interoperability, security, and resilience. As the 2018 U.S. National Cyber Strategy observes, many Americans—and many of America’s allies—”took for granted that the supremacy of the United States in the cyber domain would remain unchallenged, and that America’s vision for an open, interoperable, reliable, and secure Internet would inevitably become a reality.”28
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 16 Likewise, this Global and Open cluster, spearheaded by U.S leadership, “believed the growth of the Internet would carry the universal aspirations for free expression and individual liberty around the world.”29
Within this cluster, there is a general consensus that a global internet is not only in the best interest of individual states, but in the best interest of the entire globe. Likewise, there is consensus that openness—though there is some contention over what that term means—is in the national and global best interest. However, less consensus exists in how, exactly, to design both domestic and international governance structures—laws, regulations, standards, and norms—to achieve this reality.
Within this cluster, there is a general consensus that a global internet is not only in the best interest of individual states, but in the best interest of the entire globe.
The American model for the internet was indeed embraced by many of the U.S.’ friends and allies. In 2017, the French strategy sought an internet driven by principles of “ouverture” (openness), “neutralite des reseaux” (network neutrality), and “liberte d’acces garantie par une architecture decentralisee” (freedom of access guaranteed by a decentralized architecture).30 The U.K. similarly calls for a “free, open, peaceful and secure cyberspace.”31 Thus, as with the Sovereign and Controlled cluster, the Global and Open share some generalizable characteristics.
Most notably, these countries favor internets that enable the free flow of internet content, freedom of speech, and global e-commerce. In the past, many of these countries sought—at least in principle—to construct systems of internet governance that allotted governance power equitably to stakeholders, including government stakeholders, but also industry, academia, and civil society. At the same time, these countries sought to build internets that embodied the early internet principle of openness. What this meant in practice was that internet infrastructure would be designed and governed to treat all internet traffic equally, thereby not throttling or filtering any of the packets flowing through it.
However, in recent years, both the practicality of a pure multistakeholder system of internet governance and the desirability of the free flow of all data over global networks, have come into question. The governments of the U.K. and Israel are
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 17 exploring ways to filter out certain malicious traffic at their borders. Data localization and other laws restricting internet content are becoming more commonplace.32 In addition, governments are increasingly intervening on their internet’s architecture in order to bolster national cybersecurity. These interventions have the often unintended and unstated consequence of consolidating control and influence over the internet’s architecture in the hands of states, leaving Milton Mueller to ask: “Is cybersecurity eating internet governance?”33 Yet, today this Global and Open cluster is still—according to both doctrine and action—in favor of a more open version of the internet, though the shape of this vision, the meaning of open, and the best governance structure to achieve it are all in flux.34 Indeed, as portrayed by the movement of this cluster towards a more statist and closed approach to the internet—down and to the left in Figure 1—the sovereign and controlled pole has some attraction.
The Global and Open cluster of states plots at the extreme end of the openness spectrum, but tends to be scattered between the middle and the equitable end of the governance spectrum. A sampling of Global and Open states plots in the top right quadrant of Figure 1, especially in the present day.
The Digital Deciders
I think the most likely scenario now is not a splintering, but rather a bifurcation into a Chinese-led internet and a non-Chinese internet led by America.35
- Eric Schmidt
Despite the attraction of these poles, not every state around the world possesses either the capacity or interest to pursue or commit to either model. Indeed, many states have not yet codified one model or the other, and some might even argue that, quietly, a third model—one that cedes control over the internet to corporate actors—has emerged and is thriving in parts of the world. The "Digital Deciders" are those states that remain largely undecided and possess the capacity to influence the global conversation.
In part to avoid confusion in an era where election cybersecurity is a hot topic, we do not refer to this group as swing states, as we did in 2014. Nonetheless, in a one-state-one-vote context, as would be the format for the negotiation of a treaty at the UN, these states act much like swing states and we use similar criteria to isolate the Digital Deciders. According to Richard Fontaine, swing states in the American political context “are those whose mixed political orientation gives them a greater impact than their population or economic output might warrant.” 36 In 2014, we defined a swing state in foreign policy as “a state whose mixed
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 18 political orientation gives it a greater impact than its population or economic output might warrant and that has the resources that enable it to decisively influence the trajectory of an international process.”37 This reality means that states can take on new responsibilities, complicate solutions to significant challenges, or free-ride on established countries’ positions if they find alignment. In the context of internet governance and the internet’s architecture, it is these Digital Deciders that will determine the prescience of Schmidt’s projection.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 19 Understanding the Clusters Through Data
To view the interactive, visit newamerica.org/cybersecurity-initiative/reports/digital-deciders
This tool is intended to provide policymakers and researchers with a means to analyze the profiles of states around the world in an effort to better understand how and why they may be attracted to either the Sovereign and Controlled or Open and Global poles.
This data tool is meant as a means for diplomats to analyze these Digital Deciders in the pursuit of a better international strategy for cyberspace. The different rankings and data sets in this paper can shed light on things like which countries to prioritize for engagement and how to engage them.
A high overall score indicates that a country is both influential and more likely to favor a Global and Open approach to the internet. This does not mean that countries that score poorly are not worthy of engagement, particularly countries that score poorly on the two values scores and the reliance score. In some ways it does not matter where countries stand on the list, but where the Digital Deciders sit on the scatterplot in relation to the major clusters. Sometimes it is those on the far fringe most worth engaging.
Our overall scoring system is based on five factors:
• Internet Values Score: A score that rates states on the values that drive their internet. A score approaching 1 embodies more liberal and democratic tendencies, like freedom and openness. A score demonstrates 0 embodies more authoritarian tendencies. Those who score highly will have values for governing the internet and information most similar to the Global and Open cluster.
• Political Values Score: A score that rates states on their overarching political values. A score approaching 1 embodies more liberal and democratic
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 20 tendencies, like freedom and openness. A score demonstrates 0 embodies more authoritarian tendencies. Those who score highly will have political values most similar to the Global and Open cluster.
• International Internet Policy Participation Score: A score that rates states on their involvement in international internet policy processes and debates, to date. A score approaching 1 signals a high level of participation. A score approaching 0 signals a low level of participation.
• International Influence Score: A score that rates states based on how influential they are internationally and regionally on all political and policy issues. A score approaching 1 signals a high degree of influence. A score approaching 0 signals a low level of influence.
• Internet Reliance Score: A score that rates states based on how reliant they are on the internet for commerce, governance, and broader societal interaction. A score approaching 1 indicates a high degree of reliance. A score approaching 0 indicates a low level of reliance.
The default setting for the map and ranking places equal weight on each of these five factors and presents just the Digital Deciders. However, the tool is designed to allow users to both isolate different groupings and place greater or lesser importance on the different factors. Increasing the slider for a factor to 10 does not mean the values in that particular factor are higher, rather that the factor is given greater weight in calculating the ranking.
For a detailed description of the metrics collected, their methodologies, and our methodology for our scoring system, see Appendix I: Methodology and Description of Indicators.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 21 Analyzing the Clusters
Figure 2: How Different Camps Score on Average (out of 1)
Liberal Liberal International Number Internet Political Internet Policy International Internet of Values Values Participation In�uence Reliance Countries Average Average Average Average Average
Global 193 .53 .45 .60 .44 .52
Global minus LDCs and 114 .67 .54 .74 .51 .61 small countries
Sovereign and 27 .34 .26 .56 .45 .52 Controlled
Global and Open 37 .88 .78 .80 .69 .80 Average
The Digital 50 .69 .51 .69 .53 .51 Deciders
Sovereign and Controlled
Our Sovereign and Controlled camp consists of countries that scored as “Not Free” on the Freedom House Freedom in the World Index and “Authoritarian” in the Economist Intelligence Unit’s Democracy in the World Index. Their internets largely mirror their political systems. For example, every member of the coalition to submit the proposal for a regressive Code of Conduct for Information Security to the United Nations General Assembly sits in the Sovereign and Controlled group.39
In terms of values, both the internet values and the political values largely fall below global averages and the average of the Global and Open group. This does not, however, prevent this group of states from wielding influence on internet issues and more broadly in international settings. Particularly influential actors
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 22 falling into the Sovereign and Controlled camp include the logical candidates, China and Russia, but also countries like Turkey, Belarus, and Egypt.40
Their model for the internet differs in subtle and not-so-subtle ways from the version idealized by liberal democrats, and this difference appears to have yielded different results regarding the extent to which these countries, on average, are reliant on the internet. Our data suggests that some countries in this group, like the United Arab Emirates, Qatar, Bahrain, Russia, and a few others, are as reliant on the internet for the functioning of their governments, economies, and social systems as the rest of the world. However, on average it appears that the Sovereign and Controlled group has built less reliance on the internet. This could be construed as a positive—lower dependence means less of a shock should the internet become less reliable—but to many the benefits of the internet likely outweigh this prospective risk. Indeed, in purely economic terms, business usage of the internet—which can unlock new efficiencies and markets— is staggeringly low in comparison to the Global and Open cluster.
Figure 3: Sovereign and Controlled
Country Aggregate Score
Qatar 0.654
Turkey 0.614
United Arab Emirates 0.581
Belarus 0.574
Russia 0.563
China 0.536
Kazakhstan 0.502
Oman 0.491
Bahrain 0.490
Azerbaijan 0.488
Vietnam 0.466
Saudi Arabia 0.455
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 23 Country Aggregate Score
Egypt 0.451
Zimbabwe 0.447
Venezuela 0.440
Swaziland 0.434
Cuba 0.419
Iran 0.411
Algeria 0.404
Libya 0.362
Angola 0.362
Uzbekistan 0.343
Cameroon 0.328
Turkmenistan 0.291
Tajikistan 0.222
Syrian Arab Republic 0.151
Democratic People's Republic of Korea 0.028
Global and Open
Our Global and Open camp consists of countries that largely embody the principles of freedom and openness online. This is perhaps explained by the importance of the internet for the functioning of these countries’ economies, political, and social systems. Nearly every country in this group scores highly on our Internet Reliance score. Nineteen of the top 20 scorers on Internet Reliance come from the Global and Open cluster (see Figure 4). Only 15 of the Digital Deciders or Sovereign and Controlled states scoring higher than Romania, the lowest from the Global and Open group (see Figure 5).
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 24 Figure 4: Top 20 Internet Reliant
Country Internet Reliance Digital Decider Global and Open
Sweden 0.92 x
Norway 0.91 x
Finland 0.91 x
United States 0.91 x
Netherlands 0.90 x
Denmark 0.90 x
Singapore 0.89 x
Switzerland 0.89 x
Japan 0.88 x
United Kingdom 0.88 x
Republic of Korea (South Korea) 0.87 x
Germany 0.87 x
New Zealand 0.87 x
Luxembourg 0.86 x
Australia 0.86 x
Canada 0.86 x
Belgium 0.85 x
Estonia 0.84 x
Austria 0.84 x
France 0.84 x
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 25 Figure 5: Romania and Internet Reliance
Country Internet Reliance Digital Decider Sovereign & Controlled
Singapore 0.89 x
United Arab Emirates 0.84 x
Qatar 0.81 x
Bahrain 0.80 x
Saudi Arabia 0.70 x
Kuwait 0.70 x
Russia 0.70 x
South Africa 0.70 x
Belarus 0.69 x
Oman 0.67 x
Uruguay 0.67 x
Serbia 0.67 x
Turkey 0.66 x
Azerbaijan 0.65 x
Republic of Moldova 0.65 x
Romania 0.64
Most states gravitating to the Global and Open of the spectrum appear to share a set of liberal values for the internet. Indeed, 20 of the 30 members of the Freedom Online Coalition, a group of states “committed to work together to support Internet freedom and protect fundamental human rights—free expression, association, assembly, and privacy online—worldwide,” fall in the
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 26 Global and Open camp.41 Of the remaining 10, nine are in the Digital Deciders and one was disqualified from our analysis due to its small population. Analysis of the majority of these countries’ publicly available international internet strategy documents reinforces the notion of shared internet ideals. In addition, all but two are signatories of the Council of Europe’s Budapest Convention on Cybercrime, further suggesting a shared set of principles for defining and enforcing cybercrime. These internet values are likely derived from a shared set of liberal political values, as each Global and Open country scored higher on our liberal political score than every Sovereign and Controlled state.
Interestingly, while the average score between the Global and Open and Sovereign and Controlled camps is extremely close on two cybersecurity indicators42 intended to depict how well a country is doing on cybersecurity broadly, the Global and Open camp actually scores slightly lower on aggregate. This data point could be interpreted in one of three ways: (1) The Sovereign and Controlled approach does produce better cybersecurity as measured by these metrics, (2) cybersecurity concerns should not be viewed as a legitimate reason for closing one’s internet, as the two camps appear to have very similar cybersecurity scores and the discrepancy could be explained away by confounding variables, or (3) it is not empirical cybersecurity outcomes that drive the desire for more internet closedness, but ill-defined perceptions of cyber insecurity. Each of these interpretations merit greater exploration to elucidate the relationship between different governance and architectural models and national cybersecurity performance.
Figure 6: Global and Open Cluster
Country Aggregate Score
United Kingdom 0.97
Canada 0.94
Australia 0.94
Germany 0.93
Japan 0.93
Sweden 0.92
Netherlands 0.90
United States 0.90
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 27 Country Aggregate Score
Norway 0.88
France 0.87
Finland 0.87
Switzerland 0.86
Estonia 0.86
Spain 0.83
Poland 0.82
New Zealand 0.81
Republic of Korea (South Korea) 0.79
Austria 0.77
Ireland 0.77
Czech Republic 0.77
Portugal 0.76
Denmark 0.75
Italy 0.75
Latvia 0.75
Lithuania 0.75
Luxembourg 0.75
Belgium 0.72
Slovenia 0.72
Greece 0.71
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 28 Country Aggregate Score
Chile 0.71
Cyprus 0.68
Slovak Republic 0.68
Israel 0.66
Croatia 0.66
Bulgaria 0.66
Hungary 0.63
Romania 0.57
The Digital Deciders
The ultimate trajectory of the future internet will depend just as much, if not more, on domestic developments in the Digital Deciders as international negotiations and developments. If we want to bolster our version of the internet —one where the internet is free, open, and global and sovereign internets are an anomaly—we will need to do a better job of building a broad coalition.
In our 2014 report, we sought to identify a top 30 set of swing states, ranked in order of importance. Today, such a ranking—even one backed by empirics— would be highly subjective. Instead, we decided to focus on identifying the Digital Deciders and evaluate these states based on: (1) how well a country’s values align with a given camp, (2) how much influence a country has globally, regionally, and within global cyber policy circles, and (3) the importance of the internet to the country for things like governance, the economy, and society more broadly. Our data tool has default settings, which give equal weight to five different factors and produce a ranking based on that setting, but the tool is designed to allow users to alter these weights. The subjective importance of different members of the Digital Deciders will vary depending on how much weight one puts on each of these categories. Readers can use our tool to assign their own weights to value, influence, and importance categories.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 29 The full list of Digital Deciders is below, along with their evenly weighted aggregate score. The higher the score, the more our data suggests a state is influential and more closely aligned with the Global and Open approach.
Figure 7: 50 Digital Deciders (alphabetical order)
Country Aggregate Score
Albania 0.69
Argentina 0.75
Armenia 0.60
Bolivia 0.43
Bosnia and Herzegovina 0.52
Botswana 0.69
Brazil 0.73
Colombia 0.65
Congo (Republic of) 0.34
Costa Rica 0.74
Cote d'Ivoire 0.54
Dominican Republic 0.59
Ecuador 0.55
El Salvador 0.61
Georgia 0.69
Ghana 0.64
Guatemala 0.57
Honduras 0.49
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 30 Country Aggregate Score
India 0.63
Indonesia 0.66
Iraq 0.41
Jamaica 0.62
Jordan 0.59
Kenya 0.60
Kuwait 0.51
Kyrgyz Republic 0.52
Lebanon 0.60
Macedonia 0.51
Malaysia 0.57
Mexico 0.73
Mongolia 0.68
Morocco 0.46
Namibia 0.62
Nicaragua 0.33
Nigeria 0.52
Pakistan 0.35
Panama 0.64
Papua New Guinea 0.51
Paraguay 0.65
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 31 Country Aggregate Score
Peru 0.61
Philippines 0.59
Republic of Moldova 0.65
Serbia 0.69
Singapore 0.74
South Africa 0.68
Sri Lanka 0.57
Thailand 0.46
Tunisia 0.64
Ukraine 0.53
Uruguay 0.71
In�uence
Figure 8: The Top 20 Digital Deciders Ranked by Influence
Country Aggregate In�uence Score
Brazil 0.91
Indonesia 0.90
Mexico 0.89
India 0.86
Singapore 0.84
Botswana 0.81
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 32 Country Aggregate In�uence Score
Albania 0.78
Paraguay 0.77
Serbia 0.77
Jordan 0.76
Argentina 0.75
Colombia 0.75
Armenia 0.69
Lebanon 0.69
Uruguay 0.67
South Africa 0.66
Costa Rica 0.65
Mongolia 0.63
El Salvador 0.62
Malaysia 0.62
The Influence Score combines the international internet policy participation score and the international political influence score and is meant to provide insight into which countries may have an outsized impact or influence over international internet policy. As a reference point, .52 is the global average Influence Score and .61 is the average Influence Score for the Digital Deciders. To that end, our data points to several expected regional leaders as potentially crucial—Brazil, India, Indonesia, Mexico, and Singapore. Notably, Botswana and South Africa both score well in Africa, while Serbia and Albania score highly in Europe, each of their scores driven up by their consistent participation in global internet policy processes. The scores of these countries suggest that engaging
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 33 them on internet governance issues has potential to scale as geographical and cultural neighbors are likely to look to these influential countries for leadership.
Notably, of the Digital Deciders, Nicaragua and Bolivia are the only two countries to score 0 on Internet Policy Participation, having not participated in the WCIT vote or any of the UNGGEs and lacking ICANN GAC membership. This reality sees them score at the bottom with regard to influence in this debate.
Whereas the Influence Score provides insight into which countries may be particularly important to engage, the other scores, Value Scores and Internet Reliance Score, provide insight into how to engage Digital Deciders countries.
Value Alignment
Figure 9: The Top 20 Digital Deciders Ranked by Value Alignment
Country Aggregate Values Score
Costa Rica 0.89
Georgia 0.82
Ghana 0.82
Argentina 0.81
Mongolia 0.78
Uruguay 0.77
Tunisia 0.75
Republic of Moldova 0.73
Botswana 0.72
Kenya 0.71
Jamaica 0.70
Namibia 0.70
South Africa 0.70
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 34 Country Aggregate Values Score
Mexico 0.68
Panama 0.68
Peru 0.66
Philippines 0.65
Albania 0.64
El Salvador 0.63
Serbia 0.63
The Value Score captures the extent to which a country rates highly on both liberal internet values and liberal political values. The global average Value Score is .49, while the Digital Deciders average Value Score is .60, the Global and Open average is .83, and the Sovereign and Closed average is .30. Of the Digital Deciders, 41 score above the global average on our Value Score, but only one (Costa Rica) scores above the average of the Global and Open group.
What this means is that a values-based approach to engagement with this set of countries on the issue of internet governance and control is likely to bear fruit. In particular, the nine Digital Deciders members of the Freedom Online Coalition (see Figure 7) are highly likely to be receptive to an approach that emphasizes the benefits of a free and open internet, with two possible exceptions of Tunisia and Mexico, both of whom score worse than the rest on current measurements of internet openness and freedom. Of the Digital Deciders that rank highly on the Value Score, Costa Rica, Ghana, and Tunisia have particularly strong civil society presence, which may represent a similar opportunity to work with stakeholders outside of the government.
Figure 10: The Nine Freedom Online Coalition Members of the Digital Deciders
Country Aggregate Values Score
Costa Rica 0.89
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 35 Country Aggregate Values Score
Georgia 0.82
Ghana 0.82
Argentina 0.81
Mongolia 0.78
Tunisia 0.75
Republic of Moldova 0.73
Kenya 0.71
Mexico 0.68
Internet Reliance
Figure 11: The Top 20 Digital Deciders Ranked by Internet Reliance
Country Internet Reliance Score
Singapore 0.89
Kuwait 0.70
South Africa 0.70
Uruguay 0.67
Serbia 0.67
Republic of Moldova 0.65
Argentina 0.64
Brazil 0.63
Costa Rica 0.63
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 36 Country Internet Reliance Score
Georgia 0.63
Malaysia 0.63
Panama 0.62
Thailand 0.61
Mongolia 0.59
Albania 0.58
Ukraine 0.57
Armenia 0.57
Colombia 0.57
Bosnia and Herzegovina 0.57
Lebanon 0.56
The Internet Reliance Score provides an indication of the extent to which a country relies on the internet to function. To measure this, we aggregate six different sub indicators that measure internet penetration,43 social media use,44 the robustness of local internet infrastructure and content,45 the extent to which local businesses use and rely on the internet,46 the use of the internet for the delivery of public services,47 and the country’s international internet bandwidth. 48 Like the Value Score, the Internet Reliance Score can indicate not only who to engage in evangelizing the benefits of a more open and equitable internet, but how to engage certain countries.
The starkest point that emerges from an exploration of our data is that Singapore is far ahead of all other Digital Deciders in terms of internet reliance. Indeed, Singapore scores the highest in the Digital Deciders on each of our sub indicators and nearly 20 points higher on the aggregated score than the second highest scoring country, Kuwait.
Of the Digital Deciders, Singapore, Malaysia, Indonesia, and South Africa are the only countries to score higher than the global average on business usage,
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 37 suggesting that an appeal to industry and the current benefits of the global internet may be inefficient with the majority of the Digital Deciders. However, an appeal to untapped potential as they look around the world and see far more connected businesses among peers and competitors may prove productive. A study empirically drawing the correlation between increased business usage of the internet and economic growth would aid such an endeavor.
While the Digital Deciders appear to lag behind the rest of the world with regard to business usage of the internet, their populations’ reliance on social media and virtual social networks appears to be roughly on par with the rest of the world.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 38 Conclusion
This report is meant to provide a framework for empirically analyzing the state of internet governance around the globe. The metrics—and therefore the analysis— will require periodic updates as new information becomes available. However, the timing of this particular iteration is no coincidence.
It is impossible to ignore the context at the time of publication in late October 2018. ICANN is currently hosting ICANN63, its annual meeting, where it will draft its next Five-Year Strategic Plan.49 In mere days, the ITU’s Plenipotentiary kicks off in Dubai, where government officials will likely once again argue about whether the internet falls under the ITU’s mandate.50 In early November, the Internet Governance Forum will host its annual meeting in Paris, where some governments, industry, and civil society will seek to rekindle interest in a multistakeholder “Internet of Trust”.51 All the while, in the background, rumors swirl of an impending proposal for a treaty codifying greater internet governance authority in the hands of states from Russia and possibly others.52
The conflict described in this paper will continue to play out in these engagements, but all of this comes at a time when the internet is changing as rapidly as it is growing. The next generation of telecommunications equipment (5G), artificial intelligence, the cloud computing revolution, advances in computing power, and the prospect of quantum computing just over the horizon usher in an era of vast change and growth potential. But they also usher in an era of intense competition for ideas, market access, information, and innovation.
Proponents of a global and open internet will need to provide the tools, confidence, and pathway to allow those in the Digital Deciders to drift towards the global and open end of the spectrum and resist the anchor pull of the sovereign and controlled approach.
Those countries that have not reached a path dependent state with regard to the character and governance of their internets—what we refer to in this paper as the Digital Deciders—are in a moment of immense importance. Their actions now
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 39 and into the future are influenced by one another, by great powers, and—in many cases—by corporate or civil society stakeholders.
Amidst the turbulence, are some constants. How the internet functions and is controlled implicates the future of democracy and freedom of individuals. It enables or constricts the ability of liberal democrats to message to the public— both their own and that of the globe. It dictates the opportunity for companies around the world and the security with which we conduct commerce and communication over the internet.
As Eric Schmidt observed, "I think the most likely scenario now is not a splintering, but rather a bifurcation into a Chinese-led internet and a non- Chinese internet led by America.”53 Fragmentation, to the extent that we’ve witnessed it thus far, has taken place mostly at the “Governance Tier” of the internet or has consisted of alterations on rather than of the architecture itself.54 This is positive for those who wish to—depending on your perspective—protect, retain, or regain the global Internet. These forms of fragmentation are reversible. However, while the underlying architecture of networked computing has not been altered at a national level, the possibility that it will be cannot be ruled out. The Russian government’s commitment to build its own Domain Name System comes closest to doing so to date.
In 2015, Jason Healey and Barry Hughes used the International Futures forecasting system to project the potential impact of different internet futures. In their models, the Leviathan Internet—the scenario in which a series of national or regional networks are dominated by national governments—has a “modest” impact on the economy. In parallel, ICT inequality would increase, as smaller nations with fewer resources would “struggle to build enough sovereign infrastructure,” while larger nations have “enough scale to succeed.”55
The global and open model is under pressure. One of the biggest challenges for states going forward, regardless of which cluster they fit into, will be managing security—both in relation to LikeWars and cybersecurity—while maintaining openness. Proponents of a global and open internet will need to provide the tools, confidence, and pathway to allow those in the Digital Deciders to drift towards the global and open end of the spectrum and resist the anchor pull of the sovereign and controlled approach. Furthermore, these proponents must prove and present the merits of their approach. Every day they do not, Schmidt’s splintering and Healey and Hughes’ Leviathan inch closer and closer to reality.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 40 Notes 8 Tim Maurer, Robert Morgus, Isabel Skierka, and Mirko Hohmann, Technological Sovereignty: Missing 1 Jason Healey and Barry Hughes, Risk Nexus: the Point? (Berlin, Germany: Transatlantic Digital Overcome by cyber risks? Economic bene�ts and Debates on Security and Freedom in the Digital Age), costs of alternate cyber futures (Washington, DC: https://s3.amazonaws.com/www.newamerica.org/ Atlantic Council, 2015), 24, http:// downloads/Technological_Sovereignty_Report.pdf. publications.atlanticcouncil.org/cyberrisks/risk-nexus- september-2015-overcome-by-cyber-risks.pdf. 9 Robert McMillan, “The FCC’s Vote To Protect Net Neutrality Is A Huge Win For The Internet,” WIRED, 2 Jason Healey and Barry Hughes, Risk Nexus: January 26, 2015, https://www.wired.com/2015/02/ Overcome by cyber risks? Economic bene�ts and fcc-votes-yes-net-neutrality/. And The US Federal costs of alternate cyber futures (Washington, DC: Communications Commission, Open Internet Order, Atlantic Council, 2015), 12-20, http:// Adopted: February 26, 2015, https://www.fcc.gov/ publications.atlanticcouncil.org/cyberrisks/risk-nexus- document/fcc-releases-open-internet-order. september-2015-overcome-by-cyber-risks.pdf. 10 Robert Morgus, “Russia Gains an Upper Hand in 3 Peter Singer and Emerson Brooking, LikeWar: The the Cyber Norms Debate,” NetPolitics, December 5, Weaponization of Social Media (Boston, MA: 2016, https://www.cfr.org/blog/russia-gains-upper- Houghton Mi�in Harcourt, 2018). hand-cyber-norms-debate.
4 Robert Morgus and Justin Sherman, “Analysis: 11 Credit for these points goes to Adam Segal of the Tensions,” The Idealized Internet vs. Internet Realities Council on Foreign Relations. (Version 1.0) (Washington, DC: New America, 2018), https://www.newamerica.org/cybersecurity-initiative/ 12 David G. Post and Danielle Kehl, Controlling reports/idealized-internet-vs-internet-realities/ Internet Infrastructure: The “IANA Transition” and Why analysis-tensions/. It Matters for the Future of the Internet, Part I, (Washington, DC: New America), https:// 5 Jason Healey and Barry Hughes, Risk Nexus: static.newamerica.org/attachments/2964-controlling- Overcome by cyber risks? Economic bene�ts and internet-infrastructure/ costs of alternate cyber futures (Washington, DC: IANA_Paper_No_1_Final.32d31198a3da4e0d859f9893 Atlantic Council, 2015), 24, http:// 06f6d480.pdf. And National Telecommunications and publications.atlanticcouncil.org/cyberrisks/risk-nexus- Information Administration, “Fact Sheet: The IANA september-2015-overcome-by-cyber-risks.pdf. Stewardship Transition Explained.” September 14, 2016, https://www.ntia.doc.gov/other- 6 Milton Mueller, Networks and States: The Global publication/2016/fact-sheet-iana-stewardship- Politics of Internet Governance (Cambridge, MA: MIT transition-explained. Press, 2010), 9. 13 David Bond, “‘Great British �rewall’ helps block 7 Tim Maurer and Robert Morgus, Tipping the Scale: 54m cyber attacks,” Financial Times, February 4, 2018, An Analysis of Global Swing States in the Internet https://www.ft.com/content/ Governance Debate (Waterloo, Canada: The Centre ece41146-081c-11e8-9650-9c0ad2d7c5b5. for International Governance Innovation and the Royal Institute for International A�airs, 2014), https:// 14 Speci�cally, we assert that 37 countries have www.cigionline.org/sites/default/�les/ governance structures that favor a free and open gcig_paper_no2.pdf. internet and 27 have governance structures that emphasize sovereign control and political stability.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 41 15 Laura DeNardis, The Global War for Internet 24 Pingp, The Great Firewall of China: Background, Governance, (New Haven, CT: Yale University Press, (Palo Alto, CA: Stanford University, 2011) https:// 2014), 16. cs.stanford.edu/people/eroberts/cs181/ projects/2010-11/FreedomOfInformationChina/the- 16 Rogier Creemers, Paul Triolo, and Graham great-�rewall-of-china-background/index.html. Webster, “Translation: China’s new top Internet o�cial lays out agenda for Party control online,” DigiChina - 25 Collin Anderson, “How Iran is Building its New America, Sepbember 24, 2018, https:// Censorship-Friendly Domestic Internet,” WIRED, www.newamerica.org/cybersecurity-initiative/ September 23, 2016, https://www.wired.com/2016/09/ digichina/blog/translation-chinas-new-top-internet- how-iran-is-building-its-censorship-friendly-domestic- o�cial-lays-out-agenda-for-party-control-online/. internet/. And Collin Anderson and Karim Sadjadpour, Iran’s Cyber Threat (Washington, DC: Carnegie 17 ibid. Endowment for International Peace, 2018), 39-48, https://carnegieendowment.org/�les/ 18 ibid. Iran_Cyber_Final_Full_v2.pdf.
19 United Nations General Assembly, Letter Dated 9 26 Andrei Soldatov and Irina Borogan, Inside the Red January 2015 from the Permanent Representatives of Web: The Struggle Between Russia’s Digital Dictators China, Kazakhstan, Kyrgyzstan, the Russian and the New Online Revolutionaries (New York, NY: Federation, Tajikistan and Uzbekistan to the United PublicA�airs, 2015). See and excerpt from the book Nations addressed to the Secretary-General, 69th here: https://www.theguardian.com/world/2015/ Session, Agenda item 91, January 13, 2015, Available sep/08/red-web-book-russia-internet. at: https://opene�ect.ca/code-conduct/ 27 Alexander Klimburg, The Darkening Web: The War 20 See, for example: David Johnson and David Post, for Cyberspace (New York, NY: Penguin Press, 2017) “Law And Borders-The Rise of Law in Cyberspace,” Sta 110. nford Law Review 48 (1996): 1367-1390.For a discussion on the fallacies of borderlessness, see: Jack Goldsmith 28 The White House, National Cyber Strategy of the and Tim Wu, Who Controls the Internet? Illusions of a United States of America, September 2018, https:// Borderless World, (Oxford, UK: Oxford University www.whitehouse.gov/wp-content/uploads/2018/09/ Press, Inc., 2006). National-Cyber-Strategy.pdf.
21 Jack Margolin. “Russia, China, and the Push for 29 ibid. Digital Sovereignty,” Global Observatory, December 6, 2016, https://theglobalobservatory.org/2016/12/russia- 30 Government of France, Stratégie Internationale de china-digital-sovereignty-shanghai-cooperation- la France pour le Numérique (French International organization/. Digital Strategy), December 2017, 14, https:// www.diplomatie.gouv.fr/fr/politique-etrangere-de-la- 22 ibid. france/diplomatie-numerique/strategie-internationale- de-la-france-pour-le-numerique/. 23 Elsa Kania, Samm Sacks, Paul Triolo, and Graham Webster, “China’s Strategic Thinking on Building 31 Government of the United Kingdom, National Power in Cyberspace, DigiChina - New America, Cyber Security Strategy 2016-2021, November 2016, September 25, 2017, https://www.newamerica.org/ 63, https://www.gov.uk/government/publications/ cybersecurity-initiative/blog/chinas-strategic-thinking- national-cyber-security-strategy-2016-to-2021. building-power-cyberspace/.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 42 32 William Alan Reinsch, “A Data Localization Free- 39 United Nations General Assembly, Letter Dated 9 for-All?” Center for Strategic & International Studies, January 2015 from the Permanent Representatives of March 9, 2018, https://www.csis.org/blogs/future- China, Kazakhstan, Kyrgyzstan, the Russian digital-trade-policy-and-role-us-and-uk/data- Federation, Tajikistan and Uzbekistan to the United localization-free-all. Nations addressed to the Secretary-General, 69th Session, Agenda item 91, January 13, 2015, Available 33 Milton Mueller, “Is cybersecurity eating internet at: https://opene�ect.ca/code-conduct/ governance? Causes and consequences of alternative framings,” Digital Policy, Regulation and Governance 40 It’s worth noting that Qatar also scores well in the 19, no. 6 (2017): 415-428, https:// in�uence categories, but this is likely no longer the www.emeraldinsight.com/doi/pdfplus/10.1108/ case today due to tensions in the Persian Gulf. DPRG-05-2017-0025. 41 Freedom Online Coalition, ”About Us,” Freedom 34 This trend is illustrated by the movement towards Online Coalition, https://freedomonlinecoalition.com/ the center of every Open Internet country in Figure about-us/about/. Figure 1 from 2014 to present day. 42 The ITU’s Global Cyber Index and Cyber Green’s 35 Lora Kolodny, “Former Google CEO predicts the Risk Exposure Score. See:The International internet will split in two—and one part will be led by Telecommunications Union, Global Cybersecurity China,” CNBC, September 20, 2018, https:// Index (GCI) 2017, (Geneva, CH: The International www.cnbc.com/2018/09/20/eric-schmidt-ex-google- Telecommunications Union, 2017) https://www.itu.int/ ceo-predicts-internet-split-china.html dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf. And CyberGreen, “DDOS,” CyberGreen, https:// 36 Richard Fontaine and Daniel M. Kliman, stats.cybergreen.net/risk/ddos. “International Order and Global Swing States,” Washin gton Quarterly 36, no. 1 (2013): 93, https://csis- 43 internet live stats, “Internet Users by Country prod.s3.amazonaws.com/s3fs-public/legacy_�les/ (2016),” internet live stats, July 2, 2016, http:// �les/publication/TWQ_13Winter_FontaineKliman.pdf. www.internetlivestats.com/internet-users-by- country/. 37 Tim Maurer and Robert Morgus, Tipping the Scale: An Analysis of Global Swing States in the Internet 44 World Economic Forum, “Indicator 6.07: Use of Governance Debate (Waterloo, Canada: The Centre Virtual Social Networks,” Networked Readiness Index for International Governance Innovation and the Royal 2016 (2016), http://reports.weforum.org/global- Institute for International A�airs, 2014), https:// information-technology-report-2016/networked- www.cigionline.org/sites/default/�les/ readiness-index/? gcig_paper_no2.pdf. doing_wp_cron=1538600332.66361188888549804687 50. 38 See: Robert Morgus, Jocelyn Woolbright, and Justin Sherman, “Appendix: Methodology and 45 World Economic Forum, “3rd Pillar - Infrastructure Description of Indicators,” The Digital Deciders: How a and Digital Content,” Networked Readiness Index 2016 group of often overlooked countries could hold the (2016), http://reports.weforum.org/global-information- keys to the future of the global internet (Washington, technology-report-2016/networked-readiness-index/? DC: New America, 2018), [insert link to methodology doing_wp_cron=1538600332.66361188888549804687 annex] 50.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 43 46 World Economic Forum, “7th Pillar - Business 54 Robert Morgus and Justin Sherman, “Governance Usage,” Networked Readiness Index 2016 (2016), Tier,” The Idealized Internet vs. Internet Realities http://reports.weforum.org/global-information- (Version 1.0) (Washington, DC: New America, 2018), technology-report-2016/networked-readiness-index/? https://www.newamerica.org/cybersecurity-initiative/ doing_wp_cron=1538600332.66361188888549804687 reports/idealized-internet-vs-internet-realities/ 50. framework-background/#governance-tier.
47 United Nations, “E-Government Development 55 Jason Healey and Barry Hughes, Risk Nexus: Index,” United Nations Department of Economic and Overcome by cyber risks? Economic bene�ts and Social A�airs, https://publicadministration.un.org/ costs of alternate cyber futures (Washington, DC: egovkb/Data-Center. Atlantic Council, 2015), 20, http:// publications.atlanticcouncil.org/cyberrisks/risk-nexus- 48 World Bank, “Int’l Internet bandwidth, kb/s per september-2015-overcome-by-cyber-risks.pdf. user,” World Bank, https://tcdata360.worldbank.org/ indicators/entrp.inet.bandwidth? indicator=3405&viz=line_chart&years=2012,2016.
49 ICANN, “Update on ICANN’s Strategic Planning Process,” The Internet Corporation for Assigned Names and Numbers, August 8, 2018, https:// www.icann.org/news/blog/update-on-icann-s- strategic-planning-process.
50 Dominique Lazanski, “What to Expect at the 2018 Plenipotentiary Meeting,” Net Politics, October 1, 2018, https://www.cfr.org/blog/what-expect-2018-itu- plenipotentiary-meeting.
51 Internet Governance Forum, “IGF 2018: Internet of Trust,” Internet Governance Forum, 2016, https:// www.intgovforum.org/multilingual/.
52 David Ignatius, “Russia is pushing to control cyberspace. We should all be worried.” Washington Post, October 24, 2017, https:// www.washingtonpost.com/opinions/global-opinions/ russia-is-pushing-to-control-cyberspace-we-should- all-be-worried/2017/10/24/7014bcc6-b8f1-11e7-be94- fabb0f1e9�b_story.html? noredirect=on&utm_term=.70be63bd5a02.
53 Lora Kolodny, “Former Google CEO predicts the internet will split in two—and one part will be led by China,” CNBC, September 20, 2018, https:// www.cnbc.com/2018/09/20/eric-schmidt-ex-google- ceo-predicts-internet-split-china.html.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 44 This report carries a Creative Commons Attribution 4.0 International license, which permits re-use of New America content when proper attribution is provided. This means you are free to share and adapt New America’s work, or include our content in derivative works, under the following conditions:
• Attribution. You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
For the full legal code of this Creative Commons license, please visit creativecommons.org.
If you have any questions about citing or reusing New America content, please visit www.newamerica.org.
All photos in this report are supplied by, and licensed to, shutterstock.com unless otherwise stated. Photos from federal government sources are used under section 105 of the Copyright Act.
newamerica.org/cybersecurity-initiative/reports/digital-deciders/ 45