EPISODE V – Competing Systems: Nation-State vs. The Internet
08 JUL 2016
Welcome to Episode V! To those in Canada and the United States, I trust you all had a very Happy Canada Day and a Happy Independence Day! It is these two days that actually served as the basis for this Episode, namely: the birth of nations.
Unlike previous Episodes, this one will simply offer an open-ended question (if you can answer the question, all the power to you, because I certainly cannot).
The question is: How do we balance the interests of the nation-state versus the openness of the Internet?
It’s an easy question, right?
The Basics
There are two very fundamental requirements for law: jurisdiction and enforcement. Without either, you cannot reasonably have law. Last I checked, most of us live in a world where laws apply (how well they are applied is not up for discussion in this Episode).
Therefore, whenever you think you may have an answer to the question at hand, ask yourself this as well: do you have the jurisdiction to do that and are you capable to enforce that? If you don’t, you haven’t reasonably answered the question.
Another basic concept – which is one likely to cause a debate – is the definition of “universal.” In an ideal world, I too would like to believe we have universal concepts that we all would/will adhere to. Sadly, my view is that reality dictates otherwise.
To illustrate the point through the lens of the cyber domain, I like to refer to the Budapest Convention (also known at the Convention on Cybercrime). Article 23 “General principles relating to international co-operation” is a particular favorite of mine, which states:
“The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”
I’ve always been fascinated by the phrase “to the widest extent possible.” What does this mean?
If I may be so bold: it means whatever you want it to mean. And in this context I will be even bolder, even if unfashionable, to say “to the widest extent possible” means: I will play along so long as my own affairs or interests are not infringed upon. Or another way: do not mess with my sovereignty, regardless of who you are.
This mindset is anything but universal. Yet, the non-universal mindset is also the prevailing one if you take a more realpolitik view of the world.
Why? I believe in large part it is because of the socio-cultural norm that we have accepted and adhered to for the last 368 years: The Peace of Westphalia and the concept of the nation-state.
Where the Cyber Security Battle Began
I will be candid and say I have received flak for this, but I’m still sticking to my posture on this one: the cyber security battle began in 1648. But, unlike what began in 1618 (that entire throwing people out of a window and unleashing a bloody 30-year continental battle royale), I believe the cyber security battle will be resolved quite differently…I just don’t know how that will play out.
The reason why I continue to believe the cyber security battle began some 300 years before the invention of ENIAC is because the Peace of Westphalia has shaped our worldview of what a “boundary” is in terms of international affairs: the nation-state. A main pillar of the Westphalian worldview is to set limitations.
(I will not go down the road of some universal global order or model of governance as a tenable and achievable solution for the near-term; in case you haven’t noticed what’s going on in the world, we have a few other problems we must resolve before we even entertain the thought of universal global governance, jurisdiction, and enforcement.)
In contrast to “the boundary” and limitations, ask yourself: what is the purpose of the Internet? What spawned its creation? The answer is relatively simple: effective, fast, sharing of information.
These two domains had births that are in total contradiction of each other. One was made to set limits; the other was made to set free. They are the antithesis to each other.
Thus, the challenge becomes a squabble between siblings: the older – 368 years old and counting – which is still going strong despite attempts to disrupt it, versus the considerably younger – say one that is about 50 years old if we pick ARPANET as the starting point – which is immensely powerful in its own right. Can the two co-exist?
The truth is that whether they “can” or not is somewhat irrelevant in 2016; reality dictates that they must co-exist. Here is some proof: a great depiction of 40 maps that helps explain the interconnectivity between nation-states and the Internet.
Yet even if we wanted to create some sort of hard boundary, like a “Cyber Westphalia” (Chris Demchak and Peter Dombrowski have done a lot of work on the issue, for example here and here), the answer still is not that clear cut; I like this one analysis by Luke Allnutt which explains why it is not that easy.
Do I believe that we have the technical capabilities to set up some sort of “international checkpoints” for the Internet? Yes and these already do exist (in some countries, it is called censorship).
But, can we rip away the existing infrastructure as a means to better enforce these cyber borders? No. Look at the telecommunication backbones between Canada and the United States and you’ll soon realize that this is a near impossible solution. I only say “near” impossible because of the insane cost to re-route, re-build, and re-establish the infrastructure. I won’t even gander a guess, but I think maybe some tens of billions is a good starting point (which is probably a low estimate anyways, meaning hundreds of billions is more likely).
This of course presumes we have the money to do it, something I would suggest to you we don’t. At last check, the only countries/territories in the world living debt free (some figures dated) are: Macau, the British Virgin Islands, Brunei, Liechtenstein, and Palau, none of which, respectfully, have ever been known for their telecommunications backbone infrastructure.
What all of this leads to is something I have been harping about on my status updates recently (and in my work for a long time): the cyber security challenge – or more broadly, the cyber domain challenge – is one of a human nature and NOT a technical nature (though one, where the technical plays an incredibly vital role).
There is no scientific method behind the Magna Carta, Habeas Corpus, constitutions, systems of belief, religious texts, and so on. Depending on your worldview (which I am not judging), these all have roots in human interpretations, expressions, and understandings. Even something that we try to quantify, such as risk, is influenced by our human perception and experiences. There is no pure science behind trying to answer this cyber domain question, something I somewhat touched on in a post that is not part of this serial.
Broadly speaking, this is not a question of how do we get a space vehicle to Jupiter (that was a pretty cool human achievement by the way); the cyber security challenge is not so scientific, though there are those who continue to believe so. I respectfully continue to agree to disagree with that posture.
The human element will always challenge the proponents of purely (or primarily) technical solutions. You cannot win if you are not addressing the human factor head on, regardless of whether you are participating in statecraft, creating a business plan, or are trying to protect intellectual property of a private firm.
That’s all for this Episode. We’re going to need to find a way to get these two systems of thoughts, worldviews, domains, siblings, whatever you want to call them, to co-exist. If any of you have an answer on how to do that, I’d be delighted to hear it!
See you in the next Episode and as always, THANK YOU to all those helping to spread the word about cyber security!