|
In 2022, the Internet world was shaken by big contradictions. On the one hand, efforts to constitute a stable and secure framework for a safe cyberspace made substantial progress. The UN got a new Tech Envoy. The UN-based Internet Governance Forum (IGF) got a “Leadership Panel.” The UN negotiations on cybersecurity and cybercrime produced constructive interim results. The G20 adopted the “Digital Bali Package” to stimulate further digital development and bridging the digital divide. The ITU Plenipotentiary Conference ended without any controversies. In the shadow of the pandemic, virtual trade reached new heights, and connectivity was growing in underserved regions. More efforts were undertaken to protect human rights, such as privacy and freedom of expression online. Smart regulation channelled digitalization in a more rules-based direction to enhance cyber stability.
On the other hand, the digital sphere has become a dangerous space. The Ukrainian war pulled cyber into real military fighting. Cybercrime exploded. Fake news, hate speech and disinformation campaigns polluted virtual communication channels. Censorship and surveillance undermined individual human rights. Big Internet corporations, once a driver of innovation, became monopolists and a barrier to fair competition. On the horizon, a digital trade war was appearing. And the big US vs. China, cyber superpower controversy reached a new level with mutual sanctions and building digital alliances against each other.
Looking into the crystal ball, it seems this schizophrenic development will continue. In 2023 we will probably have more of both. We will, hopefully, have more constructive digital cooperation. But we will, unfortunately, have also more destructive cyber confrontations. Will “Digital Coop-Frontation” become the “New Normal” in cyberspace?
Let’s start with the good news. Regardless of all the disasters of 2022—wars, pandemic, climate change, energy and food crises, underdevelopment etc., the Internet works. The day-to-day operations of the global network are functioning. During the pandemic, the Internet helped to continue working, learning, shopping, and entertaining. Nearly five billion people worldwide are now connected. New services and applications are emerging. And the numbers are rising.
75 years ago, when a group of diplomats drafted language for a “Universal Declaration on Human Rights,” the idea, that everyone can “seek, receive and impart information and ideas through any media and regardless of frontiers” was like a utopian dream. Today, borderless communications are as natural as air for the younger generation.
Digitalization is, like never before, a driver for economic growth, both in developed and developing countries, pulling millions of people out of poverty. The fact that the G20 Summit Meeting in Bali (November 2022), in a time, where deep political conflicts undermine the stability in the whole system of international relations, could agree on the so-called “Digital Bali Package” is a remarkable signal. In Bali, the G20 leaders, including the presidents of the US, China, EU, Russia, India, Brazil and others, promised the world that they would work “together for a more inclusive, empowering, and sustainable digital transformation.” They called, by consensus, the 30 pages long document, elaborated by the G20 Digital Working Group, “an essential milestone to pave the way toward global recovery through cooperation among the G20 members in achieving a resilient recovery”. The package includes a long “to-do list” with many very practical and constructive recommendations to enhance connectivity, post-COVID-19 recovery, digital skills and digital literacy, as well as trusted and cross-border free data flow.
That the G20 leaders could find compromise language in November 2022 that overaome the deadlock of their digital ministers, who left Bali two months earlier without a signed document, is a strong message. It signals that if diplomatic skills—as demonstrated by the president of Indonesia—are matched with political will of brave governments come, even adversaries can move forward, regardless of deep geo-strategic and ideological differences. They agreed to disagree in areas where agreement was impossible. And they agreed to agree in areas where they have common interests.
Could this “Bali Model” become a blueprint for the forthcoming complicated decisions within the global Internet Governance Ecosystem? Why not! Let’s take the cybersecurity negotiations in New York, Geneva and Vienna. In 2022, skilful chairpersons of UN working groups (OEWG and AHC) were able to produce reports, which kept the door open for further outcome-oriented negotiations in difficult times. The fact that in December 2022, the 77th UN General Assembly could adopt—by majority voting—three cybersecurity-related resolutions is another signal that even in wartimes, there are windows for cooperation.
The good news is also that in 2022 the UN Secretary General’s “Roadmap on Digital Cooperation” from June 2020 saw substantial progress. Antonio Guterres appointed Ambassador Amandeep Gil Singh, an experienced diplomat from India, as his “Envoy for Technology.” And Guterres nominated a high-level “IGF Leadership Panel,” co-chaired by the father of the Internet, Vint Cerf, and the Nobel Peace Prize winner, Maria Ressa. Both—the UN Tech Envoy and the IGF Leadership Panel—will be engaged now to support the process towards the drafting of a “Global Digital Compact” (GDC).
Another constructive milestone in 2022 was the defusing of the ITU-ICANN conflict. For more than 20 years, the intergovernmental International Telecommunication Union (ITU) and the multistakeholder Internet Corporation for Assigned Names and Numbers (ICANN) had a dispute about the management of critical Internet resources. Former ITU Secretary Generals Yoshio Utsumi and Hammadou Touré, supported by the Russian government, Saudi Arabia and members of the Shanghai Cooperation Organisation (SCO), claimed that the governments in the ITU should have primary responsibility and control over the global Domain Name and IP Address System, managed by ICANN and the Regional Internet Registries (RIRs). In ICANN, governments do not have voting rights. The advice of ICANN’s “Governmental Advisory Committee” (GAC) is not legally binding for the ICANN Board.
But at the recent ITU Plenipotentiary Conference (Bucharest, October 2022), the ICANN vs. ITU controversy didn’t play a big role. In the final proceedings of the Bucharest meeting, there are still references to the ITU Council Resolution 1306 and ICANN itself is only mentioned in a footnote in ITU-Resolution 102, but these are leftovers from the past. The newly elected ITU Secretary-General, Doreen Bogdan Martin from the US, and ICANN’s CEO & President, Göran Marby, exchanged friendly letters. And one can expect that Marby’s successor (he stepped down in December 2022) will work hand in hand with ITU’s new leadership to concentrate on non-controversial issues, such as digital development and the enhancement of connectivity, to bring the next billion Internet users online.
The bad news started with the unneeded aggression of Russia against the Ukraine in February 2022. The war in Ukraine has tremendously negative consequences for cyberspace. As we know today, the war was prepared by numerous individual targeted cyberattacks, among other things, against civilian infrastructure. Everybody remembers NotPetya from 2017, which produced digital disruptions in Ukraine and elsewhere, with a loss of $10 billion around the globe.
After February 2022, the war moved into a hybrid war, where conventional fighting was complemented by defensive and offensive cyberoperations. It triggered new processes with very negative side effects for the global Internet Governance Ecosystem. One is the emergence of private “IT-armies”. The Ukraine did see it as justified to call to arms all the country’s computer specialist to defend their nation. Individuals started to hack Russian websites. The website of Russian president Wladimir Putin, www.kremlin.ru, could not be reached for days. It was blocked by DDoS attacks. Messages with protests against the Russian war were included in private communication channels on Russian social networks such as VKontakt. If somebody in Vladivostok was searching for a restaurant, she or he might see pictures of Ukrainian buildings destroyed by the Russian army. On the Russian side, “patriotic hackers” copied the practices of the private Ukrainian IT army and hacked back. This “tit-for-tat” has raised complicated legal questions about attribution, accountability and state responsibility which will further complicate the UN cybersecurity discussion.
The call of the Ukrainian minister of communication, to delete the zone files of Russian top-level domains such as .ru, .rf (in Cyrillic) and .su in the Internet’s root server system and to stop the allocation of IP addresses to Internet users in Russia has challenged the “One World, One Internet” philosophy on which our virtual world is based. Both ICANN and the RIRs declared their solidarity with the Ukraine but also made clear that the removal of TLDs from the Internet root server system is a bad idea. It would open a Pandora’s Box, which would lead to the end of the Internet as we know it. ICANN is the neutral steward of a public resource, which can be seen as something like the common heritage of mankind. Those resources are indeed like “air.” And as in our natural environment, where we do not have “Chinese air” or “American air”, but “polluted air” or “clean air,” there are no “Russian IP addresses” or “Ukrainian IP addresses.” The world and its more than five billion users need “clean air” in the virtual environment. And it is up to the multistakeholder community, including governments, to guarantee the neutral functioning of the public core of the Internet.
And there is another sad side effect of the war. Internet-based drones are now becoming a key element in the military fighting on both sides. For years, UN Secretary-General Antonio Guterres has been calling for a prohibition of autonomous weapon systems (AWS). A Group of Governmental Experts has been negotiating since 2014 on a legal instrument for Lethal Autonomous Weapon Systems (GGE LAWS). Those calls and negotiations are now collapsing under the pressure of the real war. Who could expect now that countries like the US, Russia, China, Turkey, Israel, Iran, China and others, which develop, produce and sell drones, would be ready to accept a legally binding instrument to restrict or prohibit AWS? On the contrary, the war will stimulate their development. To build autonomous weapons, it needs, first of all, data. Data collected in peace times from military exercises have only a limited value. But now, data can be collected during real military operations. It sounds cynical, but a longer war means more data and a higher quality of the next generation of autonomous weapons.
It is too early to make any final conclusion. But one understanding has already emerged since February 24, 2022. There is no such distinction between a “conventional war” and a “cyberwar”. Many academic papers argued in the past that a conventional war with death, destruction and territorial claims is a thing of the 20th century. Wars in the 21st century, so many authors, would be different. Attacks in non-territorial and borderless cyberspace would aim to create chaos and confusion in the territory of the enemy. What we see now is that a war in the 21st century has everything: death and destruction as well as chaos and confusion. And the crazy ghosts of yesterday, that controlling a real territory means power is not back in the bottle.
We learned in the early 2000 years, that there is no “old economy” and “new economy” but only “one economy,” which is becoming more and more digitalized. Now we learn, that there is no “old war” and “new war.” A war is a war is a war. And this new cyber complexity, where we do not have a distinction between the “real” and the “virtual” world, has the potential, to turn a digital disaster into a human catastrophe.
But the confrontation doesn’t stop in the military theater. If the economy is a digital economy, the battle around markets and profits for new services and products will become much tougher than in the last decade. Digital trade and global supply chains are now an intergovernmental battlefield.
The digital economy did open windows for a never known division of labour around the globe, where everybody was a winner. Globalization was based on mutual benefits and mutual trust. But against the background of geo-strategic reconsiderations, win-win mechanisms have now been turned back into zero-sum games. Trust is gone. China mistrusts Alphabet and Meta for it believes they will use their services to support dissidents. The US suspects that Huawei and TikTok may represent a threat to their national security. Nationalism and protectionism are back in the world economy.
Everybody knows that today’s smartphones include around 30 raw materials from about 20 countries. Even big countries with many resources will be unable to become truly self-sufficient. The reality is that digital interdependence will not go away. Already minor efforts to substitute existing supply chains by bringing outsourced production back home will drive prices up and reduce the quality of services. And there will be unintended side effects. At the end of the day, it could be the poorest developing countries that have to pay the bill. They could become the real victims of a collapsing global digital economy and the priority shift toward military considerations. During the US-Africa Summit in Washington in December 2022, US president Joe Biden announced an aid package for Africa of about $55 billion. The cheque for the Ukrainian war has reached meanwhile $60 billion.
The UN High-Level Panel for Digital Cooperation (HLP) titled its 2019 final report “The Age of Cyber-Interdependence.” The group of very experienced individual experts realized that John Perry Barlow’s call for “Cyber-Independence” from 1996 was rather unrealistic. In the complex world of the 21st century with borderless challenges such as climate change and pandemics, the “independence” of individual countries would be like moving back to the Middle Ages, where alone in Germany, more than one hundred “Kleinstaaten” with their own kings wanted to manage their destiny “independently.” This cannot be a strategy for the second quarter of the 21st century. Narrow-minded governments could try it, but moving back to the Middle Ages will be not only difficult but also very costly. It is worth remembering the wisdom of the late nestor of US political science, Karl Deutsch. He once argued that politicians could do anything, but every action comes with a price tag for the people. Sometimes one has to pay immediately; sometimes, the bill arrives years later. But there is nothing for free.
Bad news also comes from the human rights front. 2022 was another year of decline in Internet freedom. In its annual “Freedom of the Net” report, Freedom House recognized: “The internet is becoming less free. At home and around the world, governments are breaking apart the global internet to create more controllable online spaces. Global internet freedom declined for the 12th consecutive year in 2022, and governments are on a campaign to divide the open internet into a patchwork of repressive enclaves”.
And as censorship is growing and limits the human right to freedom of expression, massive surveillance is undermining the human right to privacy. New technologies such as the spyware Pegasus is enabling governments, but also private corporations and even our neighbours, to look into our private life. With the smartphone, the spy is now in everybody’s pocket. And with the metaverse on the horizon, the spy could move even closer to our bodies—via ear clips, finger rings and bracelets—or go directly under our skin via implanted chips. Will this open new doors for the next generation of sophisticated criminal hackers? And will governments build an Orwellian society? Already years ago, Harvard’s Shoshana Zuboff warned against “Surveillance Capitalism.” But “Surveillance Socialism,” as envisaged by the November 2022 congress of the Chinese Communist Party (CCP), isn’t any less intrusive. Vint Cerf says that the “Digital Dark Ages” are coming. It’s about time to ring the alarm bells.
Will the Internet become a Splinternet? This was one of the main questions during the recent IGF in Ethiopia. After seven workshops and one plenary session in Addis Ababa’s Convention Center, the short answer is: It depends. Different people understand different things under Internet fragmentation. One could simplify the problem by arguing that nothing is new. The Internet was, from the very early days, “fragmented.” It was (and is) a “network of networks.”
When the ARPANET was connected to the Aloha-Net (across the Pacific) and the Sat-Net (across the Atlantic) in the early 1970s, it was a network of three networks. More networks were interconnected in the following years, and the whole thing became an “Inter-Net”. The benefit for all members of all networks was that everybody could communicate with everybody, using the same transport protocol since 1974, the TCP/IP. This opportunity for universal “end-to-end communication” created the feeling of the Internet as one single network. Being online was like leaving a “bordered place” and entering a “borderless space.” And indeed, the “One World, One Internet” philosophy is primarily based on the fact that today’s five billion users are using the same technical protocols: TCP/IP, DNS, BGP, IPv4/v6 etc.
Those protocols are not “legally binding.” They were not negotiated among governments but emerged in an open, bottom-up process by members of the community within mechanisms like the Internet Engineering Task Force (IETF) or the World Wide Web Consortium (W3C). Jon Postel delegated the management of Top-Level Domains (TLDs) by a handshake.
Efforts to substitute this self-organized system with an intergovernmental mechanism started at the end of the 1990s. It was first stopped during the negotiations at the UN World Summit on the Information Society (WSIS) in 2005, where the governments of the 193 UN member states finally recognized “that the existing arrangements for Internet governance have worked effectively to make the Internet the highly robust, dynamic and geographically diverse medium that it is today, with the private sector taking the lead in day-to-day operations, and with innovation and value creation at the edges.”
Metcalfe’s law, which states that the value of a network is proportional to the square of the number of connected users of the system, did beat all efforts so far to produce an alternative. The “alternate root” in the 1990s failed because it could not attract enough users. In the 2000s, the French government had the idea to launch a parallel “Object Naming System” (ONS) for the Internet of Things (IoT). Long discussions, inter alia during the 6th IGF in Nairobi in 2011, helped to understand better that IOT is not a “new Internet”, but a service on top of the DNS. Also, Bob Kahn’s idea of a new “Digital Object Architecture” (DOA) did have only limited success. Its DONA-Foundation never became a big player. When in 2017, China tried to rock the boat—via an ITU Focus Group—with a “New IP” proposal, referring to security and latency weaknesses of TCP/IP, the community discussed but rejected the idea. Now, blockchain is seen as another challenge. Ethernnum, with its “.eth-domain” already has one million registration. But “.eth” is not a TLD under the ICANN root. It is confusingly similar, but there is no direct connection between the five billion users of ICANNs DNS and the one million .eth registrants.
Efforts to innovate and introduce technical improvements are very natural. An engineer would not be an engineer if she or he would not try to test out what could be done better. Possibly, “polymorphic networks” with a “new IP” could work in special areas where zero latency and 100 percent security is needed, such as in autonomous driving or remote medical operation. But such a network would be a “single network” for a special purpose and build on top of the existing networks, using the established Internet protocols.
In other words, all discussions around Internet fragmentation end with the simple truth: regardless of wishful political thinking, the existing transport layer for Internet-based services and applications work, it is unfragmented and not splintered.
This looks different on the application layer. Already twenty years ago, during the WSIS negotiations, the interlinkage between the technical transport layer and the more political application layer was the subject of controversial discussions. The outcome was reflected in the so-called “Internet Governance definition” of the Tunis Agenda, which differentiated between the “development” and the “use” of the Internet. This distinction—Governance OF the Internet and Governance ON the Internet—allowed stakeholders to have a broader approach to Internet Governance and gave them enough flexibility for interpretations. There is no one size fits all if it comes to the governance ON the Internet. And on the application layer, we do have “One World, 193 Jurisdictions”.
In the early days, some Internet pioneers such as John Perry Barlow or the authors of the “Cluetrain Manifesto” expected that the philosophy for the transport layer would spill over to the practices on the application layer. But this remained an illusion in a world, where national sovereignty is and will remain a recognized fundamental jus cogens principle of international law, enshrined in the Charter of the United Nations. In the Tunis Agenda, governments reserved their rights to have primary responsibility with regard to “international public policy issues pertaining to the Internet.” However, the Tunis Agenda also recognized “the need for the development of public policy by governments in consultation with all stakeholders.”. But how such “consultations with stakeholders” should be organized remains in the hand of national governments. 193 governments, 193 different options.
This reality can certainly be described as Internet fragmentation. And it would make sense to reduce—and not enhance—the frictions among different national regulatory frameworks. It would certainly be useful to have a “political protocol” similar to the technical TCP/IP protocol to enable better collaboration among governments in cyberspace. The “Internet & Jurisdiction Project” has worked for years to bring stakeholders closer together and to discuss solutions. But it is a thick board.
There is no need for every country to reinvent the wheel when it comes to national internet legislation. Lawmakers can copy and paste from their neighbours. This is one reason why the “Parliamentarian IGF Track,” established during the 14th IGF in Berlin (November 2019), offers a good opportunity to enhance communication among members of national parliaments, to learn from each other and to discuss “best practices.” An “Informal Parliamentarian IGF Group” (IPIG) could make a good contribution to reducing legal differences in national regulatory frameworks with regard to digitalization and cybersecurity.
And there is the European Union. The EU sees itself as a “regulatory cyber superpower.” As the president of the EU Commission, Ursula von der Leyen, repeats permanently, Europe wants to be a “norm-maker” and not a “norm-taker.” The EU wants to write the “digital rule book.” And indeed, there is something like the “Brussels Effect” in global Internet regulation. Many countries copy language from EU directives and adjust it to their national circumstances. It started with the EU directive on data protection (GDPR). And it continued in 2022 with the Digital Service Act (DAS), the Digital Market Act (DMA), the new Cybersecurity Directive (NIS 2), the Cyber Resilience Act, the Data Act, the Chips Act, and the Cyber Freedom Act. And the Regulatory Package on Artificial Intelligence and many more are in the making.
It has to be seen how far this will go in 2023. The first question is whether the EU is strong enough to convince the US to follow it. A transatlantic consensus would have a tremendous impact on future global Internet regulation. The newly established “Transatlantic Trade and Technology Council” (TTC) is a timely designed body that could do the homework. However, it is not so easy to find a common language, even among friends who share the same values. The US has already published its “AI Bill of Rights,” which reads a little bit different from the proposed AI Regulatory Package, the EU is drafting. And there is the endless story of making data protection compatible between the EU and the US: “Safe Harbor” failed, and “Privacy Shield” failed. And it was remarkable that the new CyberCzar in the US State Department, Nathaniel Fick, referred in his statement at the IGF in Addis Ababa in December 2022 not to the European GDPR but to the APEC Cross-Border Privacy Rules (CBPR) when he addressed privacy protection on the global level.
Another view is that the introduction of censorship mechanisms, filtering and blocking is seen as “Internet Fragmentation”. And indeed, such unfriendly efforts, very often in violation of international human rights obligations, are linked to deep cuts into the Internet space and make it inaccessible for users in a special jurisdiction. But this is not a fragmentation of the Internet infrastructure; it is an isolation of special user groups, a fragmentation of the audience and a pollution of the application layer. There is a risk, that this pollution will have effects also on the transport layer. In the old days, idealists did hope that the universality of the transport layer would lead to a universality of the application layer. Realists today fear that the splintering of the application layer will threaten the universality of the transport layer.
Unfortunately, this arm-twisting is also part of the bigger geopolitical battle. After the Alaska meeting between the American and Chinese foreign ministers in 2021, the US-Chinese relationship in cyberspace did not recover but went deeper into controversies. This is now a conflict between a democratic and an autocratic view of the Internet. Many US experts have doubts about whether one could find a common language with China in the cyber domain. For them, “the era of the global Internet is over.” They prefer to unite democratic nations and strengthen the values of the founding fathers of the Internet. The “Declaration on the Future of the Internet” (DFI), signed by more than 60 governments in April 2022 in Washington, reflects this approach. The declaration reaffirms the principles of an “open, free, global, interoperable, trustworthy and secure Internet.” It supports the multistakeholder model for Internet governance and rejects Internet fragmentation.
On the other side, China is exporting its idea of cyber sovereignty as the key principle for the governance of the Internet. For China, it is the state, which has to manage the Internet. The Chinese white paper “Jointly Build a Community with a Shared Future in Cyberspace” from November 7, 2022, also invites non-state actors from business, academia, technical community and civil society to make contributions. And the paper supports a non-fragmented Internet. But the oversight remains in the hand of the Communist Party and the “Cyberspace Administration of China” (CAC). It was the CAC that launched the World Internet Conference (WIC) in Wuzhen in 2014 with the aim of finding supporters for an Internet Governance model in Chinese colours and partners for the “Digital Silkroad.” And indeed, autocratic regimes in Africa or Asia are interested in how China manages the great firewall and executes mass surveillance. Insofar it was not a surprise, that as a reaction to the DFI, in July 2022, Chinese President Xi Jinping supported the idea of institutionalizing the WIC and building an alternative bloc. Another form of “tit for tat.” And new sanctions and blockades emerged: No Google and Facebook in China, no Huawei and TikTok in the USA.
How far will this go? We have now, on the one side, SCO and BRICS. Both have Internet Governance on their agenda with annual meetings of digital ministers. And they are reaching out to new members. On the other side, we have G7 and OECD. The G7 has institutionalized annual meetings of its digital ministers. And just recently, the OECD did have in Gran Canaria (December 2022) another big ministerial meeting, which adopted a “Declaration on a Trusted, Sustainable and Inclusive Digital Future”. The OECD document supports an “open, free, global, interoperable, reliable, accessible, affordable, secure and resilient Internet,” adding to the six DFI principles references to access, reliability, affordability and resilience.
Do we see in 2023 a deepening of “Internet Bifurcation” with G7/OECD/DFI on the one side and BRICS/SCO/WIC.org on the other side? Will this political split lead to similar consequences as in the 1950s, when NATO and Warsaw Pact did divide the world into two parts and leaders in the third world, like India’s Prime Minister Nehru, formed a non-aligned movement? As in 1950, there are many countries—from Singapore to Indonesia, from Kenia to Ghana—which do not have an interest in being pulled into a cyber battle between China and the US.
However, today’s Prime Minister Modi from India has no appetite to start a new digital non-aligned movement. In 2022 he went to Elmau for the G7 meeting and to Samarkand for the SCO meeting. Modi made clear it is “India first,” which guides the cyber policy of his country with 1.3 billion people. India, like many other “swing states,” has no interest in fueling the political tensions among big powers. They do not have an interest in new battles. They are interested in finding solutions for their daily problems.
It is interesting to note, that neither DFI nor WIC.org moved into the centre of the global Internet Governance debate. No progress was reported until December 2022. Tim Wu, the man behind the DFI, left the White House in January 2023. And no further plans were announced on how to build WIC.org. There are big gaps and differences between the cyber superpowers. But one can also hear, “The Internet is dead and fragmented; long live the unfragmented Internet.”
The United Nations once feared as a potential intergovernmental controller and censor of a free Internet, redefined its role and now offers its authority and legitimacy to facilitate a multistakeholder dialogue to identify the digital problems of the 21st century and to find balanced solutions to keep the cyberspace free, open, affordable, safe, innovative and unfragmented.
In 2023, cybersecurity will remain for digital diplomacy the number one issue. In today’s world, there is no national security without cybersecurity. The two main negotiating bodies are the OEWG for cybersecurity and the AHC for cybercrime. As it was stated in the outcome document of the Parliamentary Track of the IGF in Addis Ababa, “cybersecurity and cybercrime are related but distinct issues, “cybersecurity” being something that needs to be improved and “cybercrime” being something to be prevented.”
The Open-Ended Working Group (OEWG) operates under the 1st Committee of the UN General Assembly (UNGA). Its work is based on the eleven principles of responsible state behaviour in cyberspace, agreed upon by a “Group of Governmental Experts” (GGE) in 2015 and reaffirmed by a number of UN Resolutions. It constitutes today’s “Political Cybersecurity Framework.” It is not legally binding, but the agreed language is helpful in identifying the “responsible” or “irresponsible” behaviour of governments in cyberspace. The mandate of the OEWG goes until 2025. On its negotiations list are the application of international law in cyberspace, new norms, confidence and capacity-building measures and forming of sustainable institutional frameworks. A majority of governments want to launch a separate “Program of Action” (POA), which would give implementation of already existing norms first priority.
The OEWG-Chair, ambassador Burhan Gafoor from Singapore, understands very well, that cybersecurity is primarily a governmental issue. But it cannot be reached by excluding other stakeholders in their respective roles. The UN Resolution, which defined the OEWG mandate, recognized the valuable contributions of non-state actors and supported interaction with business, academia, civil society and technical experts, as “appropriate”. The problem is that some governments have their special ideas about what “appropriate” is. In 2022, unfortunately, the issue was pulled into the geo-political conflicts. Ukraine blocked four Russian NGOs, the Russian government excluded 29 non-governmental institutions, including the World Economic Forum Davos, the Digital Peace Institute in Geneva, the Global Forum on Cyber expertise in The Hague and the German Association of Foreign Policy from participating in OEWG meetings. For 2023 there are two regular OEWG sessions on the agenda and a number of intercessional meetings.
The Ad Hoc Committee (AHC) operates under the 3rd Committee of the UNGA. It aims to draft a legally binding global treaty to fight cybercrime. The AHC has a tough timetable. The plan is to have the first final draft in August 2023. The hurry is very justified. The explosion of criminal ransomware attacks in recent years has extended the pressure to do something. The financial loss through cybercrime in 2022 is calculated at $220 billion. Only recently, thanks to Interpol, 1000 criminals were arrested and $130 million confiscated as part of the global “HAECHI III Operation.” For the first AHC session in 2023, the UNDOG secretariat tabled a consolidated negotiating document (CND) with 55 draft articles in November 2022. A second part will follow on the eve of the next meeting, scheduled for April 2023 in Vienna. The final meeting is scheduled for August 2023 in New York. A very sportive plan.
The now-tabled draft is very broad. It triggered already a lot of criticism among non-governmental stakeholders. In a letter to the AHC chair, one of the accredited NGOs, the Electronic Frontier Foundation (EEF), raised grave concerns that the draft text “risks running afoul of international human rights law. The CND is overbroad in its scope and not restricted to core cybercrimes. The CND also includes provisions that are not sufficiently clear and precise and would criminalize activity in a manner that is not fully aligned and consistent with States’ human rights obligations… Further, the CND’s criminal procedural and law enforcement chapter lacks robust human rights safeguards, while its substantive provisions expand the scope of criminal intent and conduct, threatening to criminalize legitimate activities of journalists, whistle-blowers, security researchers, and others”.
In the field of digital development, it is primarily the 2nd UNGA Committee that adopts an annual resolution on “ICT for Sustainable Development.” The 2nd Committee oversees the implementation of the WSIS outcomes, including the Tunis Agenda. The new resolution 77/150 (December 20, 2022) recognizes progress but also identifies gaps. When WSIS started, the world did have 500 million Internet users. Now there are five billion online. This can be seen as a success story. However, three billion people are still offline. Too many to be satisfied. And it is not only the numbers that count. It is the quality of the connections and the ability of the people to make reasonable use of those virtual resources to improve their lives and society. Digital skills and digital education are moving more and more into the center of the discussion around digital development. UNESCO’s and ITU’s Broadband Commission for Sustainable Development did a lot to turn political resolutions into practical results. New working groups on “AI Capacity Building” and “Data for Learning” are helpful initiatives. But there is a lot to do until 2030 when the UN Sustainable Development Goals (SDGs) will be reviewed.
For years the international digital economy discussion circled around digital taxation and a new treaty on digital trade. For digital taxation, the joint G20/OECD working group reached a final solution, adopted in principle by the G20 summit meeting in Rome in November 2021. But the implementation needs time. At the G20 summit meeting in Bali, the heads of state reaffirmed their commitment “to the swift implementation of the OECD/G20 two-pillar international tax package. ... We call on the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting (BEPS) to finalize Pillar One, including remaining issues and by signing the Multilateral Convention in the first half of 2023, and to complete the negotiations of the Subject to Tax Rule (STTR) under Pillar Two that would allow the development of a Multilateral Instrument for its implementation.”
Progress on a digital trade treaty is similarly slow. The G20 leaders in Bali said, “We remain committed to further enable data free flow with trust and promote cross-border data flows.” But progress at the negotiations table is made in baby steps. In June 2022, the World Trade Organisation (WTO) extended the mandate of the moratorium on customs duties on electronic transmissions from 1998 until the next Ministerial WTO Conference. This could be in 2023; this could also be in 2024. The plan is to substitute the 20+ years old moratorium with a new treaty. Some articles of a new agreement are already formulated, but there is still a long list of unsettled problems. Ambassador Hung Seng Tan of Singapore, co-chair of the negotiation group, said in December 2022: “As we approach the end of the year, I think it’s time for us to start thinking ahead and reflect on how we can accelerate the pace of negotiations next year with the aim of reaching substantial conclusions.” The latest cluster of meetings continued to seek convergence on topics such as privacy, telecommunications services, electronic invoicing and cryptography.
The institutional framework for the protection of human rights online is, first of all, the 3rd UNGA Committee and the Geneva-based UN Human Rights Council (HRC). The HRC has appointed over the years special rapporteurs for freedom of expression and freedom of association online, as well as for privacy in the digital age. The rapporteurs are important watchdogs and have produced on a regular basis reasonable reports with dozens of recommendations. It is now up to the member states to consider the outcome of the reports and make a decision. But the geopolitical conflicts, where human rights issues are at the centre of controversies, make it very difficult to find consensus.
Insofar as it is very natural that more effective discussions take place within non-governmental organizations. It is good to see that the three HRC Rapporteurs are permanent participants in the annual “RightsCon” conference, which is now one of the main global platforms for discussing the protection of human rights in the online world. RightsCon 2023, which is again organized by Access Now as a face-to-face meeting, is scheduled for June 2023 in Costa Rica with 400+ sessions across 15+ program tracks,
Other UN bodies also made a valuable contribution to the human rights discussion: UNESCO has adopted a recommendation on “Ethics and Artificial Intelligence.” The International Labour Organisation (ILO) convened a “Global Commission on the Future of Work,” which produced a great report with good recommendations for “decent work” in the information age. The ITU has its “Connect the World” plan, which aims to link national digitalization strategies closer to the UN SDGs.
And there is much more on the 2023 Internet Governance Calendar. On the intergovernmental level, there are the annual summit meetings, where digital and cyber issues have been on the agenda for a couple of years: The G20 presidency has moved from Indonesia to India and the G7 presidency from Germany to Japan. South Africa will host the BRICS summit. And Bishkek in Kirgizstan is the place for the SCO Summit. The ITU Council Working Groups (CWGs), which also includes the CWG-Internet and the CWG-WSIS&SDGs, will meet in November in Geneva. UNESCO will have its 42nd General Conference in November in Paris. And the Council of Europe plans to table a new “COE Convention on Artificial Intelligence” until the end of 2023.
On the multistakeholder level, the 18th IGF takes place in October 2023 in Kyodo, Japan. More than 100 national and regional IGFs will take place over the year, including EURODIG, the European IGF, in Tampere/Finland, in June 2023. Summer Schools on Internet Governance (SIGs) offer digital and cyber capacity-building courses around the year. The first SIG, which was established in Meissen/Germany in 2007, will have its 17th edition in July 2023. ICANN meetings are scheduled for Cancun/Mexico (March), Washington/USA (June) and Hamburg/Germany (October). IETF meetings will take place in Yokohama/Japan (March), San Francisco/USA (July) and Prague/Czech Republic (November).
But the main attention will get the process around the global Digital Compact (GDC). With the GDC, UN Secretary General’s “Roadmap on Digital Cooperation” now has a concrete project and a landing place. It has already triggered a broad discussion and the formation of a “process.” The GDC process is primarily a multistakeholder process, even if it will be the governments, which has to adopt the final text. All stakeholders are invited to comment and make proposals until March 31, 2023. A Ministerial Meeting in New York will look into the first drafts in September 2023. The 18th IGF in Kyodo in October 2023 will further stimulate a multistakeholder discussion before the final draft goes to the “UN Summit on the Future”, scheduled for September 2024 in New York.
This process has a lot of potentials to mobilize the global Internet Governance discussion. But it will not be easy. The way from A to B is a minefiled, and it does need both skilful diplomats, brave governments and an engaged multistakeholder community: Such a crew of like-minded sailors could maneuver the “Global Internet Governance Ship” (GIGS) through stormy waters into the next safe harbour. This would be New York in September 2024 with the “Summit on the Future.” But there will not be much time left to enjoy Manhattan. The next journeys (and harbours) are waiting: WSIS +20 in 2025 and the review of the UN Sustainable Development Goals (SDG) in 2030. Stay tuned.
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byRadix
Sponsored byVerisign
Sponsored byWhoisXML API
As usual, Wolfgang is strikingly comprehensive and articulate he summarizes the “best of times, worst of times” picture of the Internet as we enter 2023. I am sharing this post with the IGF/Leadership Panel as level-setting reading, informing potential work agenda items to be pursued by the IGF/LP leading up to IGF 2023 in Kyoto. Thank you, Wolfgang, for your persistent and substantive contributions over the years. (Vint Cerf)
One of the best articles I have read on Internet governance. Comprehensive and objective. Thank you, Wolfgang.