Crisis of Command
America’s Broken Civil-Military Relationship Imperils National Security
The early days of the Internet inspired a lofty dream: authoritarian states, faced with the prospect of either connecting to a new system of global communication or being left out of it, would choose to connect. According to this line of utopian thinking, once those countries connected, the flow of new information and ideas from the outside world would inexorably pull them toward economic openness and political liberalization. In reality, something quite different has happened. Instead of spreading democratic values and liberal ideals, the Internet has become the backbone of authoritarian surveillance states all over the world. Regimes in China, Russia, and elsewhere have used the Internet’s infrastructure to build their own national networks. At the same time, they have installed technical and legal barriers to prevent their citizens from reaching the wider Internet and to limit Western companies from entering their digital markets.
But despite handwringing in Washington and Brussels about authoritarian schemes to split the Internet, the last thing Beijing and Moscow want is to find themselves relegated to their own networks and cut off from the global Internet. After all, they need access to the Internet to steal intellectual property, spread propaganda, interfere with elections in other countries, and threaten critical infrastructure in rival countries. China and Russia would ideally like to re-create the Internet in their own images and force the world to play by their repressive rules. But they haven’t been able to do that—so instead they have ramped up their efforts to tightly control outside access to their markets, limit their citizens’ ability to reach the wider Internet, and exploit the vulnerability that comes with the digital freedom and openness enjoyed in the West.
The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet. Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals. Under such a system, countries that buy into the vision of a truly free and reliable Internet would maintain and extend the benefits of being connected, and countries opposed to that vision would be prevented from spoiling or corrupting it. The goal should be a digital version of the Schengen Agreement, which has protected the free movement of people, goods, and services in Europe. The 26 countries in the Schengen area adhere to a set of rules and enforcement mechanisms; countries that do not are shut out.
China and Russia would ideally like to re-create the Internet in their own repressive images.
That kind of arrangement is what’s needed to save the free and open Internet. Washington ought to form a coalition that would unite Internet users, companies, and countries around democratic values, respect for the rule of law, and fair digital trade: the Internet Freedom League. Instead of allowing states that do not share those values unfettered access to the Internet and to Western digital markets and technologies, a U.S.-led coalition should set the terms and conditions under which nonmembers can remain connected and erect barriers that limit the value they gain and the harm they can do. The league would not raise a digital Iron Curtain; at least initially, most Internet traffic would still flow between members and nonmembers, and the league would primarily block companies and organizations that aid and abet cybercrime, rather than entire countries. Governments that fundamentally accept the idea of an open, tolerant, and democratic Internet but that struggle to live up to such a vision would have an incentive to improve their enforcement efforts in order join the league and secure connectivity for their companies and citizens. Of course, authoritarian regimes in China, Russia, and elsewhere will probably continue to reject that vision. Instead of begging and pleading with such governments to play nice, from now on, the United States and its allies should lay down the law: follow the rules, or get cut off.
When the Obama administration released its International Strategy for Cyberspace, in 2011, it envisioned a global Internet that would be “open, interoperable, secure, and reliable.” At the time, China and Russia were pressing to enforce their own rules on the Internet. Beijing, for example, wanted any criticism of the Chinese government that would be illegal inside China to also be prohibited on U.S. websites. Moscow, for its part, disingenuously sought the equivalent of arms control treaties in cyberspace while simultaneously ramping up its own offensive cyberattacks. In the long term, China and Russia would still like to exert influence on the global Internet. But they see more value in building their closed networks and exploiting the West’s openness for their own gain.
The Obama strategy warned that “the alternative to global openness and interoperability is a fragmented Internet, where large swaths of the world’s population would be denied access to sophisticated applications and rich content because of a few nations’ political interests.” Despite Washington’s efforts to prevent that outcome, that is precisely where things stand today. And the Trump administration has done very little to alter U.S. strategy. President Donald Trump’s National Cyber Strategy, released in September 2018, called for an “open, interoperable, reliable, and secure Internet”—repeating the mantra of President Barack Obama’s strategy and merely swapping the order of the words “secure” and “reliable.”
The Trump strategy expounds on the need to extend Internet freedom, which it defines as “the online exercise of human rights and fundamental freedoms—such as the freedoms of expression, association, peaceful assembly, religion or belief, and privacy rights online.” Although that is a worthy goal, it ignores the reality that in many countries where citizens do not enjoy those rights offline, much less online, the Internet is less a safe haven than a tool of repression. Regimes in China and elsewhere employ artificial intelligence to help them better surveil their people and have learned to connect security cameras, financial records, and transport systems to build massive databases of information about the activities of individual citizens. China’s two-million-strong army of Internet censors is being trained to collect data to feed into a planned “social credit” scoring system that will rank every resident of China and dole out rewards and punishments for actions committed both online and offline. The so-called Great Firewall of China, which prohibits people in the country from accessing material online that the Chinese Communist Party deems unacceptable, has become a model for other authoritarian regimes. According to Freedom House, Chinese officials have held training sessions on how to develop Chinese-style Internet surveillance systems with counterparts in 36 countries. In 18 countries, China has helped build such networks.
How can the United States and its allies limit the damage that authoritarian regimes can cause to the Internet and also prevent those regimes from using the Internet’s power to crush dissent? Some have suggested tasking the World Trade Organization or the UN with the establishment of clear rules to allow for the free flow of information and data. But any such plan would be dead on arrival, since in order to gain approval, it would have to win support from some of the very countries whose malicious activity it would target. Only by creating a bloc of countries within which data can flow—and denying access to noncompliant states—can Western countries gain any leverage to change the behavior of the Internet’s bad actors.
Europe’s Schengen area offers a real-life model, in which people and goods travel freely without going through customs and immigration controls. Once a person enters the zone through one country’s border-security apparatus, he or she can access any other country without going through another customs or immigration check. (Some exceptions exist, and a number of countries introduced limited border checks in the wake of the 2015 migrant crisis.) The agreement that created the zone became part of EU law in 1999; the non-EU states of Iceland, Liechtenstein, Norway, and Switzerland eventually joined, as well. The agreement left out Ireland and the United Kingdom at their request.
Joining the Schengen area comes with three requirements that can serve as a model for a digital accord. First, member states must issue uniform visas and demonstrate strong security on their external borders. Second, they must show that they have the capacity to coordinate with law enforcement in other member countries. And third, they must use a common system for tracking entries and exits into the area. The agreement sets rules governing cross-border surveillance and the conditions under which authorities may chase suspects in “hot pursuit” across borders. It also allows for the speedy extradition of criminal suspects between member states.
China and Russia can either follow the rules, or they can get cut off.
The agreement creates clear incentives for cooperation and openness. Any European country that wants its citizens to have the right to travel, work, or live anywhere in the EU must bring its border controls up to the Schengen standards. Four EU members—Bulgaria, Croatia, Cyprus, and Romania—have not been allowed to join the Schengen area partly because they have failed to meet those standards. Bulgaria and Romania, however, are in the process of improving their border controls so that they can join. In other words, the incentives are working.
But these kinds of incentives have been lacking in every attempt to bring the international community together to address cybercrime, economic espionage, and other ills of the digital age. The most successful of these efforts, the Council of Europe’s Convention on Cybercrime (also known as the Budapest Convention), sets out all the reasonable actions that states should undertake to combat cybercrime. It provides model laws, improved coordination mechanisms, and streamlined extradition procedures. Sixty-one countries have ratified the treaty. Yet it is hard to find defenders of the Budapest Convention, because it hasn’t worked: it doesn’t offer any real benefits to joining or any real consequences for failing to live up to the obligations it creates.
For the Internet Freedom League to work, it would have to avoid that pitfall. The most effective way to pull countries into line would be to threaten to deny them the products and services of companies such as Amazon, Facebook, Google, and Microsoft and to cut off their businesses’ access to the wallets of hundreds of millions of consumers in the United States and Europe. The league would not block all traffic from nonmembers—just as the Schengen area does not shut out all goods and services from nonmembers. For one thing, the ability to meaningfully filter out all malicious traffic on a national level is beyond the capability of technology today. Moreover, doing so would require that governments have the ability to decrypt traffic, which would do more to harm security than to help it and would infringe on privacy and civil liberties. But the league would prohibit products and services from companies and organizations known to facilitate cybercrime in nonmember countries, as well as block traffic from rule-breaking Internet service providers in nonmember states.
For example, imagine if Ukraine, a well-known safe haven for cybercriminals, were threatened with being shut out from access to the kinds of services on which its citizens, companies, and government have come to rely—and on which its future growth as a center for legitimate technological development depends. The Ukrainian government would face a strong incentive to finally get tough on the cyber-underworld that has developed inside the country’s borders. Such threats would not lend the U.S.-led coalition leverage over China and Russia: after all, the Chinese Communist Party and the Kremlin have already gone to some lengths to cut their citizens off from the global Internet. The point of the Internet Freedom League, however, would be not to change the behavior of such committed bad actors but to reduce the harm they do and to encourage countries such as Ukraine—along with Brazil, India, and other places with less-than-stellar records when it comes to fighting cybercrime—to do better or risk being left out.
A foundational principle of the league would be upholding freedom of expression on the Internet. Members, however, would be allowed to make exceptions on a case-by-case basis. For instance, although the United States would not be forced to accept EU restrictions on free speech, U.S. companies would need to make reasonable efforts not to sell or display banned content to Internet users in Europe. This approach would, in many ways, enshrine the status quo. But it would also commit Western countries more formally to the task of preventing states such as China from pursuing an Orwellian vision of “information security” by insisting that certain forms of expression pose a national security threat to them. Beijing, for example, routinely submits requests to other governments to take down content hosted on servers on their territory that is critical of the Chinese regime or that discusses groups that the regime has banned in China, such as Falun Gong. The United States denies such requests, but others might be tempted to give in—especially since China has retaliated against U.S. denials by launching brazen cyberattacks on the sources of the offending material. An Internet Freedom League would give other countries an incentive to deny such Chinese demands: doing so would be against the rules, and the other member states would help protect them from any retaliation.
Countries such as Ukraine would finally have to get tough on the cyber-underworlds inside their borders.
The league would need a mechanism for monitoring its members’ adherence to its rules. Maintaining and publicizing metrics on each member’s performance would serve a powerful naming-and-shaming function. But a model for a more rigorous form of evaluation can be found in the Financial Action Task Force, an anti-money-laundering organization created by the G-7 and the European Commission in 1989 and funded by its members. The FATF’s 37 member countries account for most of the world’s financial transactions. Members agree to adopt dozens of policies, including ones that criminalize money laundering and terrorist financing and require banks to conduct due diligence on their customers. Instead of heavy-handed centralized monitoring, the FATF employs a system by which each member reviews the efforts of another on a rotating basis and makes recommendations. Countries that fail to meet required policies are placed on the FATF’s so-called gray list, triggering closer scrutiny. Repeat offenders can be put on its “blacklist,” obliging banks to start detailed examinations that can slow down or even stop many transactions.
How would the Internet Freedom League prevent malicious activity within its member states? Once again, an existing arrangement provides a model: the international public health system. The league would establish and fund an institution akin to the World Health Organization that would identify vulnerable online systems, notify the owners of those systems, and work to strengthen them (the equivalent of the WHO’s worldwide vaccination campaigns); detect and respond to emerging malware and botnets before they could cause widespread harm (the equivalent of monitoring disease outbreaks); and take charge of the response when prevention failed (the equivalent of the WHO’s response to pandemics). The league’s members would also agree to refrain from launching offensive cyberattacks against one another during peacetime; such a pledge would not, of course, prevent the United States or its allies from launching cyberattacks against rivals that would almost certainly remain outside the league, such as Iran.
Establishing an Internet Freedom League would require a dramatic shift in thinking. It remains part of the gospel of Internet freedom that connectivity will eventually transform authoritarian regimes. But it hasn’t—and it won’t. An unwillingness to accept that reality is the single biggest barrier to an alternative approach. Over time, however, it will become clear that the technological utopianism of an earlier era is misplaced in today’s world.
Western technology companies would likely resist the creation of an Internet Freedom League, since they have worked to appease China and gain access to the Chinese market, and because their supply chains depend on Chinese manufacturers. However, the costs to such firms would be partly offset by the fact that by cutting off China, the league would effectively protect them from Chinese competition.
An Internet Freedom League modeled on the Schengen area is the only way to secure Internet freedom from the threats posed by authoritarian states and other bad actors. Such a system would admittedly be less global than today’s more freewheeling Internet. But only by raising the costs of malicious behavior can the United States and its friends hope to reduce the scourge of cybercrime and limit the damage that regimes such as those in Beijing and Moscow can do to the Internet.