A Rules-Based Order to Keep the Internet Open and Secure

When J. P. Barlow presented his 1996 "Declaration of the Independence of Cyberspace" in Davos, cyberspace was idealized as a separate universe, detached from the "real" world, with no government controls and no national boundaries.¹ Twenty-two years later, this libertarian dream of the open Internet has been buried with J. P. Barlow. The Internet has increasingly become an essential element to furthering people's development and freedom, as well as a foundation for economic growth and international trade. The stakes for nation-states to exercise control over its functioning have thus become higher, and the global Internet has now become a platform for political, economic, and military power. Additionally, private companies have become powerful global actors in the online environment.

The European Union and the United States have historically been the guardians and advocates of a rules-based system, and should be best positioned to develop global rules for the open Internet, based on the rule of law. However, there is a wide gap to be bridged between promise and practice. Both American and European leaders have had moments of promoting an open, free, and secure Internet as part of foreign policy. In 2010, US Secretary of State Hillary Clinton launched her Internet Freedom Strategy that promoted the freedom to connect, centered on "the idea that governments should not prevent people from connecting to the Internet, to websites, or to each other."² She urged media companies to "take a proactive role in challenging foreign governments' demands for censorship and surveillance."³ The EU followed suit and promoted its No Disconnect strategy in the wake of the Arab Spring, which aimed to ensure that "information and communication technology can remain a driver of political freedom, democratic development and economic growth."⁴ The High Representative of the European Union for Foreign Affairs and Security Policy, Catherine Ashton, stated that "the EU is determined to resist any unjustified restrictions on the Internet and other new media."⁵

However, the legacy of these much-touted "21st century statecraft"⁶ policies is minimal. The EU has quietly abandoned its No Disconnect strategy,⁷ and after the Snowden revelations, the US lost its credibility when it came to promoting online freedom. Similarly, in the wake of a number of terrorist attacks on European soil, the EU has proposed measures that have eroded the high standards on Internet freedom Europe had earlier promised to uphold.⁸ In general, Europe focuses now almost exclusively on the potential threats that were associated with the rise of the Internet and new technologies, as opposed to focusing predominantly on its liberating effect. Both European and American companies continue at the same speed to export highly sophisticated surveillance systems to dictatorships.⁹ Both actors have lost precious time to seek effective leadership toward a rules-based system to preserve the open Internet globally.

An alternative model to a global, rules-based online order is gaining ground in the meantime. China is a staunch defender of the idea that states should be permitted to manage and contain their "own Internet." A recent implementation of the concept of this "cyber sovereignty" is China's cybersecurity law, which requires foreign firms to store data on Chinese territory. These data can be transferred abroad only after "security assessments" that severely disrupt the free flow of information.¹⁰ Other articles of the law disproportionately interfere with the right to privacy and the freedom of speech.¹¹ China actively seeks to shape global norms based on what it considers to be responsible state behavior online.¹² This model certainly does not put the rule of law, or the rights and freedoms of users, first. It also has a profoundly protectionist impact.

Governments exercising national control over the Internet also hurt cybersecurity. Nation-states are increasingly exploiting weak elements in the security architecture of the Internet to attack others. Intelligence services are stockpiling vulnerabilities in software, with the aim of weaponizing them or using them for covert access to devices and systems.¹³ Almost two hundred state-sponsored attacks by sixteen countries have been registered since 2005, including twenty...