How does the concept of sovereignty work in the digital world? What can states do, what should they do and what must they not do? Such questions permeated the discussions at the Global Conference on Cyberspace (GCCS), hosted by the Kingdom of the Netherlands in The Hague on 16 and 17 April.
Since the Peace of Westphalia (1648) gave rise to co-existing nation states and the principle of non-interference in the domestic affairs of these states, the concept of sovereignty has underpinned the international system In the digital domain, however, the concept of ‘cyber sovereignty’—the idea that State sovereignty extends into the domain of cyberspace—is hotly contested.
Whereas the ambit of state sovereignty could previously be delineated on the basis of physical boundaries, the rapid expansion of information communications technologies (ICTs) and the Internet over the past few decades raises new questions about jurisdiction over Net-based activity. Currently, the management of the web is based on a multi-stakeholder approach, involving the technical community, the private sector, governments and civil society. However, revelations by American whistleblower Edward Snowden in 2013 on cyber espionage and global surveillance programs cast doubt over the security of private data, both nationally and internationally, sparking debates about the implications of the cyber policies of individual nations for cyberspace as a whole . This has led some States to consider data localization (Brazil, Germany, and India for example), and others to place restrictions on freedom of the Internet within their borders.
The strengthening by China, for example, of its Internet firewall, can be seen by the blocking of virtual private networks (VPNs). In a statement to the UN General Assembly in 2013, the Chinese delegation on Information and Cyber Security elaborated on the idea of cyber sovereignty, stating that “countries should enjoy state sovereignty in information space. The governments are entitled to managing its network-related activities and have jurisdiction over its information infrastructures within its territory.” They also put forward that other states should not use ICTs “to interfere in other countries’ internal affairs and undermine other countries’ political, economic, and social stability as well as cultural environment”. This multilateral governance model views each State as responsible for regulating the Internet within its borders, and determining what online content is acceptable or beneficial to the economic, political, and social development of the nation.
The idea of cyber sovereignty was put forward by (members of the Shanghai Cooperation Organisation) China, Russia, Tajikistan and Uzbekistan in 2011 in a letter addressed to the UN Secretary-General to be circulated among the Member States. The four countries proposed an ‘International code of conduct for information security’, calling for deliberations on international norms and rules guiding the behavior of States in the information space. The idea of cyber sovereignty is raised in the preamble as “reaffirming that policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues”. It further refers to the UN Charter and “respect for the sovereignty, territorial integrity and political independence of all States” while promoting international cooperation among States and capacity-building measures to close the digital divide.
The United States, among others, rejected the code. In a statement, the US reaffirmed the multi-stakeholder approach “where all users have a voice” and stated the approaches put forward in the code would legitimize repressive state practices as well as “the view that the right to freedom of expression can be limited by national laws and cultural proclivities”. This resistance to any perceived intention to change to the multi-stakeholder approach was later echoed by the refusal of Western nations (e.g. US, France, UK, and Germany) to sign a revised treaty for International Telecommunications Regulations, overseen by the UN’s International Telecommunications Union. The inclusion of “all governments should have an equal role and responsibility for international Internet governance…” was seen by the US as incompatible with multi-stakeholder governance.
In January 2015, China, Russia, Tajikistan, Uzbekistan, now joined by Kazakhstan and Kyrgyzstan, proposed an updated version of the International code of conduct for information security “taking into full consideration the comments and suggestions from all parties.” However, the new code of conduct is only marginally different from its predecessor, and in most cases only makes cosmetic changes, including the removal of the term “information weapon” and addition of the willingness to “cooperate fully with other parties”. Conceptually, the document remains much the same.
The updated code takes into account the developments since 2011 in the area of information security and refers directly to the 2013 report of the Group of Governmental Experts (the third installment of a 15-member expert panel established by UN General Assembly Resolution). Despite the criticism Western nations have levelled at the information security code, the expert report does appear to provide some support for it. While ‘cyber sovereignty’ is not mentioned explicitly in the UN’s recent cyber governance policies, the expert report does address this issue in the context of the applicability of international law (particularly the UN Charter) in cyberspace. It states that “State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory” and encourages exchange of best practices on a voluntary basis.
Whether or not the proposed ‘international code’ gains any traction in the international community remains to be seen. However, ideological differences and concerns about restrictions on access to information, freedom of expression and related rights could stymie other goals of the code – such as ensuring an information environment that is peaceful, secure, open and founded on cooperation – by fuelling fears that the information security approach, which emphasizes the privileges of sovereignty, is merely a smokescreen for restrictive governments to control flows of information within their borders.
Sovereignty, according to the contemporary understanding of the concept, is more than a mere prerogative, but also a set of duties and responsibilities. While the proposed ‘international code’ might not be the solution, the idea of a code has merit, and could inform the elaboration of a global set of principles to guide state behavior in cyberspace. The 2015 Global Conference on Cyberspace has the challenging task of attempting to articulate such principles.
At face value, it seems a far reach that there could be a centralized authority in such a decentralized domain, or that such an idea could gain traction with only six like-minded countries behind the code and a proposal based on information sharing on a voluntary basis. Rather than dismissing the code out of hand, however, countries could view it as a point of departure for a broader discussion at the GCCS that could result in greater consensus on how to regulate cyberspace.