ONCE upon a time, two superpowers, the United States and the Soviet Union, held summits to reduce the danger of a nuclear war. Today, the summitry is between the US and China, much of it to reduce confrontation in cyberspace.
How the world responds to cyber attacks will determine the extent to which future generations will benefit from the digital era. There is the the risk of conflict, but governments may overreact, erecting barriers to information that undermine the internet.
We are already in low-level conflict in cyberspace. China is not alone in engaging in massive cyber operations against other countries’ political and economic structures. We are in the midst of an historic shift: offensive technologies are cheaper and more powerful than defensive ones.
There is a need for rules of the road in cyberspace, and perhaps cyber-power summitry — the US is the internet technology leader, while China has the largest numbers of users — is the first step. But the danger is not only confrontation between states.
Fear of loss of control within states is driving new data-localisation requirements and barriers that could fracture and balkanise the internet.
The Kremlin has its own reasons for stipulating — despite the economic cost — that all data generated within the country be stored on Russian-based servers. But equally worrying are policies in the European Union.
In the name of defending citizens’ privacy, barriers are being erected to the free flow of data. In some European countries, not least Germany, there is a conviction that citizens’ data will be safe only if it is stored on European soil, out of reach of, say, evil American spies.
This simplistic philosophy underpinned the European Court of Justice’s recent decision invalidating the so-called Safe Harbor agreement, which facilitates the free flow of information across the Atlantic. As a result, the legal framework for these data transfers has been thrown into disarray.
Ensuring the protection and integrity of data is vital. But this has little to do with where data are stored. Attackers based in China recently broke into the US Office of Personnel Management and stole 22m files that had sensitive information on federal employees.
Chinese and Russian hackers routinely penetrate secure industrial and government networks in the US and Europe. Several countries are tapping underwater cables that carry the world’s communications. So what problem does data localisation solve?
The solution to privacy concerns lies not in data localisation, but in the development of secure systems and the proper use of encryption. Data storage means the continuous transfer of data between users, with no regard for Westphalian borders. Security in the digital world is based on technology, not geography.
With the rapid development of global value chains, our economies are becoming increasingly dependent on the free flow of data across political borders. With the advent of new, global technologies, such as block-chains — continuously-growing transaction databases used, for example, to sustain virtual currencies — data localisation becomes even more misguided.
The OECD has just issued a report highlighting how data-driven innovation will dictate the economies of the future. It stresses “the need to promote ‘openness’ in the global-data ecosystem and thus the free flow of data across nations, sectors, and organisations.”
These principles are enshrined in the just-concluded Trans-Pacific Partnership, which will govern trade and investment among 12 Pacific Rim countries, including the US. The rest of the world should follow suit.
Indeed, a huge global agenda of digital governance — the new domain of diplomacy — lies before us. It includes the establishment of formal and informal norms for state behavior, better legal mechanisms for addressing cross-border cybercrime, transparent national legislation for law enforcement, and endorsement of the need for encryption to protect the integrity of data.
But efforts to deal with cybercrime and terrorism must not undermine the principles on which the internet is built.
China will face a choice. Today, it talks about its so-called ‘One Belt, One Road’ initiative to link its economy with those of Central Asia and Europe. But China’s global future will be as dependent as everyone else’s on ‘One Net’ — an open, free, dynamic, and secure internet.
The EU must not allow a muddled understanding of digital realities to give rise to profoundly damaging protectionism. It must overcome the institutional barriers that make it difficult to forge a common position on external cyber policy.
And it needs to take the foreign-policy implications of its actions seriously: When EU countries talk about data localisation, others do, too. The US must adapt as well. It must accept that it is no longer the only global cyberpower, and that its behaviour must comply with globally accepted norms.
The internet is the world’s most important infrastructure. Soon, it will be the infrastructure of all other infrastructures. Policies born of confusion, chaos, and confrontation have no place in this new world of opportunities.