The Worldwide Struggle to Claim Cyber Sovereignty

The year was 1648. Europe had just negotiated the Peace of Westphalia, ending the 30 years of war that had ensnared the continent. The series of peace treaties that came out of the negotiations established the concept of sovereignty, a political order of co-existing states, establishing a norm against interference in the domestic affairs of others. As European influence spread, so did the concept of sovereignty, soon becoming a central tenet of international law and the prevailing world order – the modern nation-state was established.

But much like economic globalization and interdependence has slowly eroded the traditional concept of sovereignty, so has the expansion of the global internet. The physical infrastructure of cyberspace – the undersea fiber optic cables – is likely to continue connecting nations for trade and economic inclusion in global markets. But governments across the political spectrum – from Russia and China to Western liberal democracies – are now seeking to impose their sovereign authority on the content and data that transverse their borders across those very cables.

Rediscovering Sovereignty

“The internet is ultimately useful to achieve at least three things: collaboration, competition, and conflict. In the case of collaboration, it is generally more useful if we don’t describe boundaries and if we don’t withhold information from certain parties. Collaboration is best done without preconditions,” says Chris Inglis, former Deputy Director of the NSA. “But if you bias your views towards the internet towards competition or conflict – where knowledge is power – then you want to exercise some degree of control over that information. Balkanization aids and abets their control over that information.”

While some fear complete balkanization, or a nation’s physical isolation from the World Wide Web, it is rather gradual measures that will increasingly fragment online experiences, providing some semblance of sovereignty to nations, for better or for worse. These could include data localization laws, national encryption standards, and other protectionist policies that benefit domestic software and hardware companies at the expense of foreign multinational companies.

“No country, except perhaps China, outright says it is extending sovereign control over the internet, and this lack of explicit pronouncements helps preserve the illusion that the internet is free and open,” says James Lewis, a Senior Vice President and Program Director at the Center for Strategic and International Studies (CSIS). “Instead, countries impose regulation for data protection and localization, to restrain hate speech or intellectual property theft, creating a piecemeal extension of sovereignty.”

China’s new Cybersecurity Law, which went into effect in June, is an example of aggressive efforts to establish sovereign authority over the internet. The law essentially requires tech companies operating in China to retain consumer data within their borders, provide the state access, and filter content deemed illegal. Much like in other countries, China says it wishes to use data to secure the state against terrorist threats and the cyber breaches that plague all modern institutions. But unlike efforts by other countries, the law allows the Chinese regime to further its practices of domestic surveillance, censorship, and market protectionism.

On one hand, governments worry that data of citizens being stored abroad allows cyber criminals and foreign intelligence services to access it more easily – perhaps due to the FISA 702 revelations made by former NSA contractor Edward Snowden in 2013. This has led to data localization laws demanding that foreign companies store all data on Chinese users within Chinese borders.

But on the other hand, requiring data related to Chinese citizens or business operations to be stored on servers within the country gives the Chinese government unrestricted access to the internet data of all Chinese citizens, particularly with provisions in the law requiring companies operating in China to lend technical support to security agencies, commonly in the form of weakening encryption through the creation of backdoors.

The new law also creates practical burdens on foreign internet companies to protect China’s market. The data localization measures put a burden on companies who do not already have Chinese data centers, and the law also has the requirement that companies provide their source code so that the government may ensure that it is “secure and controllable” – which risks the theft of intellectual property and source code that could be turned over to Chinese competitors.

This is not a trend relegated to autocratic regimes like China and Russia. The UK’s Investigatory Powers Act authorizes government access to bulk datasets such as travel logs, financial transactions, biometrics, the interception of digital communications data, the hacking of devices, and requires the retention of browsing history by internet service providers. The government can also serve companies a “technical capability notice,” whereby companies could be required to remove electronic protections applied to any communications or data – such as encryption – to help address the phenomenon of criminals and terrorists “going dark.”

Other measures in the West, such as the new changes in the United States to Rule 41 of the Federal Rules of Criminal Procedure, seek to address the transnational nature of cybercrime – giving legal jurisdiction beyond merely where there is physical territorial control.

“The wild west days of an unregulated internet, where anyone could post what they wish, are ending,” says Lewis. “Governments extend sovereignty to protect the public good, and governments will eventually agree on how to cooperate in doing this. The story of the last century has been states agreeing to give up sovereign rights to formal, multilateral organizations.”

Legal Responses to Infringements on Sovereignty

While half of the concept of digital sovereignty is about governing activity that is taking place on the internet within a country, the other is about reacting to external infringements through cyberspace from other states. Much like Westphalian sovereignty was the foundation of much of international law, established international law – such as the law of armed conflict and international humanitarian law – can also give insight into a country’s right to defend their digital sovereignty.

In 2013, the UN Group of Governmental Experts (GGE) agreed that that “international law, in particular, the UN Charter, is applicable to the cyber-sphere.” A year later, the GGE declared that state sovereignty applies to conduct and jurisdiction within a state’s borders.

But once members delved into the details of international law, particularly issues of self-defense under Article 51 of the UN Charter and the law of countermeasures in response to actions below the threshold of the use of force, countries such as Russia and China began to back away from consensus, arguing the West, particularly the United States was militarizing cyberspace. But without establishing the lawful options states have to respond to malicious cyber activity, states not only fail to deter others from nefarious activity, but also fail to declare that responses to such malicious cyber activity are constrained by requirements of necessity, distinction, and proportionality.

Furthermore, the challenges of public attribution and the plausible deniability enabled by the use of proxies continue to undermine efforts to normalize countermeasures against incursions on a state’s sovereignty. If attribution is wrong, the responding state will be in breach of international law and susceptible to countermeasures themselves. Should cyber attacks be launched from a third party, such as North Korea attacking U.S. systems from China, then the country being used as a launch-pad has a due diligence obligation – to the extent that is feasible – to halt serious attacks emanating from its territory. Should it not adequately fulfill this obligation, the third party – in this case China – could open itself up to countermeasures, giving states another reason to back away from declaring that international law applies to cyber operations.

By asserting that international law as is does not apply to cyberspace, states are merely pursing their own national interests. Cyber capabilities provide an asymmetric advantage for smaller, less connected countries without the same risks of escalation from kinetic operations. While China and Russia might push the sovereignty angle to control information domestically, they are unwilling to acknowledge that international law applies to the digital domain, specifically regarding sovereignty leading to the right to self-defense used to deter adversaries in cyberspace.

While this legal gray zone is intentionally operated in by states, the U.S. should be wary of raising the standard of sovereignty in cyber operations, as doing so could restrict many U.S. actions in cyberspace. Espionage is not directly covered under international law, but remotely conducted computer network exploitation, which is the mainstay of intelligence organizations like NSA, could result in other nations turning to their own countermeasures should it reach a certain scale. What’s more, framing information campaigns taken through cyberspace – such as Russian interference in the 2016 U.S. elections – as an infringement on the country’s sovereignty could enable others to claim the same of U.S. messaging abroad.

“There are a number of contradictions that are inherent to how countries very often construe their interests in cyberspace,” Alexander Klimburg, the Director of Cyber Policy and Resilience Program at the Hague Center for Strategic Studies, told The Cipher Brief. “All governments, including Western governments, are often harming their own self-interests by how they pursue their interests in cyberspace.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.