The international governance framework for cybersecurity.

Author: Rosenzweig, Paul
Position: 35th Annual Henry T. King Conference: The US-Canadian Border Action Plan

Cyberspace is a domain without distinct borders where action at a distance is a new reality. In effect, almost every computer in America is a potential border entry point. This reality makes international engagement on cybersecurity essential.

Even more notably, the sheer scale of the network demands a global approach. The Internet is as large a human enterprise as has ever been created. More than 2 billion users (1) send more than 88 quadrillion emails annually, and they register a new domain name with the Internet Corporation for Assigning Names and Numbers ("ICANN") every second of every day. (2) The scope of the Internet is as broad as the globe and that makes the scope of the Internet governance question equally as broad--who sets the rules for the Internet and what rules they set is a fundamental question that can only be answered on an international basis.

This, then, is a fundamental question--perhaps the fundamental question--of cyber conflict today: How does a fractured international community respond to the phenomenon of the Internet?

One has the clear sense that, forty years ago, when the Internet was born, (3) the various sovereign nations of the world did not think much about the innovation. By and large, they systematically ignored it and let it grow on its own with a relatively unstructured set of governing authorities. And then sometime in the last ten years, the nations of the world looked up and suddenly recognized that the Internet had become this immense entity and that it had a vast influence and power. The Internet could be used to change governments and spread culture; it could run nuclear power plants and fight a war. With that realization, sovereign nations became quickly and intensely interested in the Internet. The result is a trend toward the "re-sovereignization" (4) of cyberspace or what Chris Demchak and Peter Dombrowski of the Naval War College call the "Rise of a Cybered Westphalian Age" (5)--that is, an age in which sovereign nations control the Internet. (6)

And so, the questions are: Who will run the Internet? Will it be separate sovereign countries? Will it be the UN? Or a set of non-governmental organizations like ICANN and the Internet Engineering Task Force ("IETF")? Or, perhaps a series of bi-national or multilateral groups? For America this question poses a problem. Some think it is critical that our engagement occur in a manner that is protective of American interests and maintains American freedom of action. (7) By contrast, some (including the Obama Administration) advocate a general approach that favors the development of multilateral norms to preserve the openness of the Internet, (8) while relying on supra-national organizations to manage cybersecurity problems. (9) The choice is of truly profound significance--perhaps more so than any other policy question to be addressed in the cyber domain.

This brief article begins by describing the existing Internet governance and describing the dynamic that is leading to change. After assessing some of the barriers to effective international Internet governance, it closes with a brief discussion of United States-Canada cybersecurity cooperation.


    In this first section, I want to briefly describe the existing Internet governance structures using the security of the domain name system as a prism through which to examine their operation. I then want to examine how nation states are responding to that governance structure and close with concerns expressed by human rights activists.

    1. ICANN and the IETF

      Domain names are familiar to everyone who uses the Internet. In any web address (for example, it is the portion of the address after http://www. Domain names are familiar ways to identify the web page you are seeking to access or the email address you are trying to reach. We know them and recognize them takes you to Bill Gates' company (10) and takes you to the front page of Her Majesty's Government in London. (11)

      Of course, computers do not use names like "Microsoft" or "Her Majesty's Government" to route traffic. They use numbers. The Domain Name System ("DNS") is, in effect, a translation system--it takes a domain name and translates it to an Internet Protocol address ("IP address"). (12) The IP address is a binary number inside the computer (that is, just a string of 1s and 0s), but it is usually written in a traditional format when put down for humans to read (for example (13) The IP address tells the Internet routing system where a particular server is on the Internet, and then the Internet Protocol tells the system how to get the message from "here" to "there," wherever "there" may be. (14)

      So the DNS link works in a three-stage process. An individual (Paul Rosenzweig) registers a domain name ( which is hosted on a server somewhere and that server is identified by an IP address. When a potential client wants to access the Red Branch web site by typing in that domain name, the DNS programming helps to route the request to the right server and return the web page.

      The addressing function of the DNS is absolutely critical. If the DNS system were corrupted, hijacked or broken, then communications across the Internet would break down. And it also means that keeping a good registry of which domain names are in use is just as vital. If "" is taken by Microsoft, the computer software giant, it cannot be used by Microsoft, a (hypothetical) manufacturer of small soft washcloths. Somebody needs to be in charge of keeping the books and making sure they are all straight.

      That somebody is the Internet Corporation for Assigning Names and Numbers ("ICANN"). (15) ICANN is a non-profit organization that sets the rules for creating and distributing domain names. (16) When the Internet was first turned on, the function for assigning names was actually done by a single man, Jon Postel, (17) who helped create the first Internet as a project for the Advanced Research Projects Administration ("ARPA"). (18) Since ARPA was a Federal government funded agency, this, in effect, meant that the U.S. government handled the naming function. (19)

      In the long run, of course, as the Internet grew to span the globe, a U.S.-run and -managed naming convention was considered too insular and unilateral. (20) ICANN was chartered in 1998 as a means of transitioning control over Internet naming from the U.S. government to a non-profit private sector organization. (21) Today, ICANN operates from California but has a global constituency, registering new domain names every day. (22)

      In theory, the DNS system should be completely transparent--knowing a domain name (the "cyber-persona" of a person or company) you should be able to find out who the real person behind the domain name is. Unfortunately, the system does not work as effectively as it should. In December 2011, ICANN completed a comprehensive review of the WHOIS functions. (23) The conclusion of the report is both chilling and accurate. The report "concisely present[s] in a balanced and fair manner the very real truth that the current [WHOIS] system is broken and needs to be repaired." (24) Because domain registry companies (like GoDaddy (25)) accept identification that appears to be lawful and because they make no real attempt to verify the information they receive, the WHOIS registry is littered with errors, both accidental and deliberate. (26)

      Just as ICANN is the international organization that runs the program for assigning domain names, another non-governmental organization, the Internet Engineering Task Force ("IETF"), is responsible (in an indirect way) for developing the technical aspects of the computer code and protocols that drive the Internet. (27) Nobody actually owns or operates the Internet itself. While private sector and government actors own pieces of the cyber domain (various routers and nodes, for example) the actual rules for how the cyber domain works are set by the IETF which is an "open international community of network designers, operators, vendors and researchers concerned with the evolution of the Internet architectures and the smooth operation of the Internet." (28) This community operates by the promulgation of technical standards, which, in the end, become de facto operating requirements for any activity in cyberspace. (29) Thus, some questions about cybersecurity necessarily require engagement with an engineering community that is both internationalist and consensus-oriented, characteristics that may be inconsistent with effective U.S. government action.

      Put another way, the IETF's self-described mission is to "make the Internet work better" (30) but it quickly notes that it is an "engineering" group so what it means by "better" is "more technically effective," not better in some metaphysical sense. (31)

      The IETF is a self-organized group of engineers who consider technical specifications for the Internet. (32) Anyone may join and the group's proposals (or decision not to make a proposal) are the product of a rough consensus. (33) The IETF has no enforcement function at all--anyone is free to disregard the technical standards it sets, but they do so at their own peril. (34) Because of the openness, inclusiveness, and non-partisan nature of its endeavors, IETF standards have become the "gold standard" for Internet engineering. (35) In addition to the standard setting function, IETF also identifies lesser standards, known as "best current practices," that are more in the nature of good advice than of operative requirements. (36) Given the near-universality of IETF standards and practices, anyone who chooses not to follow the standards set forth risks ineffective connections to the broader network. And so, even without a single means of forcing people to follow its dictates...
