On the anniversary of the armistice ending the First World War, more than 40 countries stood together for security online by signing the Paris Call for Trust and Security in Cyberspace. The call, which sets out a list of challenges the world needs to tackle, seems to be promising on paper. From hacking to harming the public core – all of this needs to be addressed. And it needs to be addressed urgently.
Others signed the call too. The Internet Society signed because we believe it is a continuation of calls we have made before. It maintains that solutions to Internet issues must be developed together with other Internet stakeholders – each performing its role, and all working collaboratively.
This approach is what allows the Internet to thrive and is key to the ultimate success of this call. Open, decentralized, and distributed. It’s not the traditional multilateral way of doing things, but it is the Internet way – the only one that can work.
There are real and pressing Internet security concerns. It’s critical that signatories to the call do not imagine they can address the concerns alone. The Internet depends, as a technical fact, on cooperative voluntary action, so unilateral action puts the Internet at risk. Countries, organizations, and individuals have a choice to make. We can pursue national or parochial interests, and eat away at the easy connectivity that makes the Internet an engine for growth and development. Alternatively, we can set aside those interests to take actions together to improve the security of the Internet, recognizing that our collective will and creativity, in the service of all humans, can defeat the attackers and continue to build the Internet for everyone.
Lately, we’ve heard a siren song of greater online regulation to make us safe, targeting everything from cyber attacks and election interference to intellectual property theft and barriers to Internet access. The story is appealing: the Internet, once a force for good, is being subverted by evildoers who must be stopped. Governments have a responsibility to protect the people in their society and have always done so. To protect people from online threats, the story goes, governments must act to protect their citizens.
It is, of course, true that governments should protect their citizens, and that they are the only ones in a position to offer such protections. It does not follow that every protective measure a government tries is one that will work. Some of them may even do harm.
The Internet connects people because of its open, distributed, and interoperable design. Each network that connects to the Internet then also becomes part of the Internet. Together these networks are richer, more reliable, and more valuable than any would be alone. And of necessity, they gain that value without the requirement for pre-existing contract or careful geography-based controls on connection. Attempts to impose such controls are, in effect, attempts to break the Internet.
Similarly, the Internet works at multiple layers. The layers that provide connectivity, for instance, work without attending to the content they are carrying. This kind of separation of responsibility is a hallmark of modern network design, and the Internet relies on it. Policies that do not respect these technical distinctions – policies that might mix issues of content and network neutrality, for instance – are damaging to the Internet. We are more likely to avoid such mistakes when we involve all stakeholders.
This all means that working together isn’t just effective. It’s necessary. Since all control on the Internet is distributed as a feature of the technical design, no actor or single group on the Internet – not industry, not governments – can solve the challenges alone. Distributed operation is what makes the Internet robust. That feature presents security challenges that are different than what’s found in other kinds of technology. Therefore, the only way to stay on top of evolving challenges around cybersecurity is by using the collaborative and distributed approach to decision-making – what allowed the Internet to thrive in the first place.
None of this, of course, means that every regulation that could possibly touch something connected to the Internet is automatically wrong. Many services that we use on the Internet (virtually every social media service, for instance) are closed systems that really operate on top of the Internet. It is possible that effective social responses to some of the challenges arising from those systems can be addressed in part through appropriate regulatory frameworks. But hasty action, unilateral movement, and attempts to legislate values along national lines are as likely to break the Internet as they are to address social issues arising from Internet use.
Those attacking through the Internet alter their approaches to work around obstacles, and most regulatory responses are likely merely to look like obstacles. The attacks evolve. Internet security needs to do the same. Operators must learn new security approaches that do not depend on secure perimeters. Services must be designed to depend on minimal, compartmentalized user information. Governments must learn how to defend their societies in the face of asymmetric and adaptive attacks and must give up on the illusion of central control. Systems developers and standardizers must treat the urgent security challenges as an opportunity for new technical inventiveness, and vendors must bring those new inventions to market. Platform operators need to give users – humans – the necessary tools to defend themselves against manipulators, scammers, and attackers. This is hard work, but work that can only be accomplished by everyone who is interested in a healthy Internet working together.
The open Internet is not some utopian political promise, but a technical fact that gave us a reliable system built from unreliable parts. It did this precisely because of the diversity of the constituent networks. Unless we want to give up the Internet, we need our cybersecurity strategies to depend on the same diversity. We believe we can best tackle these issues in a new approach to the Internet Governance Forum that empowers its participants to create informed and tangible solutions that benefit everyone.
So, we support the values in the Paris Call in as much as they are open, bottom up, inclusive and collaborative. We hope those who signed on will hold those values as dear as we do. We’re here to help. We are ready to work with all of those who believe in the Internet – the true Internet – an open, globally-connected, trusted, and secure network of networks that connects all of us.
Together we can protect the core principles and infrastructure of the Internet. By taking a collaborative approach to security, we can address problems at the source and make sure solutions do not have negative impacts on the architecture of the Internet. We must not try to save the Internet by breaking it, thereby denying humanity this tool that can benefit us all.