Internet Governance

On Friday, March 24 I gave a talk on internet governance at the Information Technology Conference at UMass Amherst. Directed mostly at undergraduates, this talk incorporates many of the issues I have already discussed in this blog space. But if you were interested, I thought I would share it nonetheless. I look forward to comments.

You are young, vibrant, and more than once already I am sure you have had elders at your church, teachers at your college or other classmates say that you are the generation that will inherit responsibility for your community, this society, this country, this planet, for better or for worse. 

And no matter what the technological advances -- artificial intelligence being the latest craze, but almost now 60 I can tell you that I have already lived through many: semi-conductor maximization, digitization, computers, network systems -- all promising to change your life, you will face some age-old challenges. 

There is enough food to feed the world. And yet every day millions of people starve and/or are chronically malnourished. There is enough medical science to address essential health needs across the globe, and yet we don’t do it. There is more than enough wealth in the world to provide for basic shelter, sanitary conditions, and utilities -- safe water and food -- why aren’t wealth and basic resources distributed with some sense of commonality, decency and magnanimousness? 

Do we lack the will? The way? Are there forces we must overcome to make the world a more fair and equitable place? If so, what are those forces and why or how to they impede best intentions and honest efforts? 

Allow me to add more thoughts about what needs your attention as you go forward in life:

• How to work toward environmental sustainability on a comprehensive scale, including prevention of global warming and of the extinction of many species.
• How to inculcate an understanding of local or national culture, history, and traditions sufficiently to encourage tolerance for diverse religions, manners, and mores.
• How to understand the human condition through the study of cross-cultural and trans-historical art, literature, languages, and humanities.
• How to live the ethics of scientific research, whether it be the exploration of the outer spaces of our universe or the inner spaces of particle and nuclear physics, or genomics and the creation of species for which we do not yet know the intended, or unintended, consequences.

And finally, the one for which you are here to discuss at this conference:

• How to deploy all layers (physical, logical, and applications) of the Internet while also developing international governing bodies and policy principles for information and communications technologies, including search engines, algorithms, and the repositories of information and knowledge that includes international jurisdiction and substantive law to settle legal disputes.

Before the election of 2016, these questions and the one regarding the internet especially, might have seemed theoretical, or, at least, the kind of questions reserved for specialists. Now we recognize these questions are germane to the integrity of our political process, or, for that matter, any sovereign nation’s autonomy from subversive external influences. Had I delivered this talk before Monday I might have had to go into more detail to be sure that the audience understood the context. National news as a Monday of this week speaks for itself. The heads of both the FBI and NSA testified that there is an ongoing investigation of Russian interference in that election. That investigation comports with the finding of the joint intelligence report that came out in January. And news reports in reputable journals such as The Washington Post, New York Times, The Guardian of the U.K. and Die Welt of Germany, among others, have similar accounts of Russian interference with elections in an array of European countries, not only those formerly under Soviet influence, but including those thought to be independent and robust, such as the Federal Republic of Germany. 

From a technical perspective, cyber insecurity is the tactic by which this interference took place. This played out through “phishing” for credentials that allow criminals unauthorized access to accounts. The release of Jon Podesta’s emails, the chairman of candidate Clinton’s campaign, probably caused the most public relations damage. Compounded by the contretemps of Secretary Clinton’s private email server while working for the government – which by the way, was neither illegal nor against policy at that time – and the FBI announcement that the emails of her friend and confident were under review in a completely unrelated case, became fodder along with the Podesta release to innuendo that there was something nefarious about Clinton herself. As we now know, Candidate Trump proved particularly effective at using these issues to create doubt in swing voters in key states. 

U.S. intelligence reports identified four actors in the Podesta email release, all of whom are outside the United States and connected with Russia, two of whom are highly placed in the Russian intelligence service. Together, these individuals are alleged to have executed the phish, accessed Mr. Podesta’s email account fraudulently, removed its contents, and then either directly, or in an underground electronic forum, made a connection with the website WikiLeaks which agreed to release the contents. 

Now let me ask you, is there anything illegal about this activity? Inured to identity theft and reports of phishes and cyber insecurity attacks, many of you assume not. Cyber insecurity seems to occur with abandon, all around us, how could it possibly be illegal if there is so much of it?  But the basic facts are that acquiring an individual’s credentials perpetrated on a fraud – this one involved a fake google email account – and then using those credentials to access the email account and remove its contents are all violations of the Computer Fraud and Abuse Act of 1986.

That is the same law that copyright reform advocate Aaron Swartz is alleged to have violated when he hacked into the MIT network. It is the same law that Edward Snowden is alleged to have violated because he removed classified content from protected computers and systems and released it to journalists.  For those of you steeped in the history of the internet, it is the same law that the young graduate student Robert Morris Jr. at Cornell University broke and resulted in parole, a fine, and dismissal from Cornell. (He now is a professor of computer science at MIT, so maybe that was not such a bad fate … but be that as it may …) my point is this: there is a law and it has a well-worn history already of famous cases. 

If there is a law, how did these actors get away with it, and why wasn’t there more attention to the violation? The contents of Podesta’s emails, while politically sensitive because of the challenge that Bernie Sanders brought to the Clinton campaign, did not reveal anything illegal or immoral about him, Clinton, or the campaign.  I grant you, politics vastly overdetermined the context of this hack, but I can’t help but go back and ask why, in the moment, didn’t more people say, “Hang on a minute … how did WikiLeaks get those emails, and isn’t there something wrong with that process? Why should any candidate ask me to trust information procured in violation of federal law? Shouldn’t we be focused on enforcing our laws and prosecuting people who break them? Why would we encourage hackers by supporting candidates that would use what is in effect ‘stolen property?’ Is there a law to protect against that?”

This line of inquiry gets to the heart of my thesis: all countries and people of good will, one’s interested in commerce, communication, political discourse, the dissemination of culture and knowledge – including higher education that uniquely lauds learning and knowledge for its own sake – will be persistently at a disadvantage to use the internet for these purposes so long as we lack sound and robust global internet governance. Could you imagine trying to control the crime of theft in physical space with technology alone? You have a lock on your door for which the thief gets a crow bar that breaks the lock, so then you get a security system to sound an alarm, for which the thief figures out a way to trip it, and so on.  Technology alone will never address the root problem of criminal behavior and intent.  For that aspect, law is a prerequisite. Does the existence of law eliminate crime? No, of course not. But can you imagine addressing crime in a stable social order without it? I can’t. 

In the Podesta case, not only do we lack international law to cover these events, we have actors outside the United States and in countries with no extradition treaty to send them here for trial. Should we create extradition treaties with countries such as Russia, China, and Nigeria to prosecute these crimes?  Sure, but that is the problem. The United States lacks the diplomatic apparatus and/or relationships with these countries sufficient to the meet the task. No amount of military buildup or show of might, and certainly no “deals” – no matter how “artistic” – are going to change that landscape.  When President Xi of the People’s Republic of China visited the United States, he and President Obama shook hands on an agreement to tone down the nation-state attacks between our two countries.  In and of itself, that was a good thing, but upon a handshake is not how to manage a diplomatic matter as significant as trust in the internet. Under this administration and its “America First” doctrine, no one can expect the quality of collaboration among nation-states required to lay the foundation for this kind of cooperation and consent. No administration to date has thought through the implications of how the internet changes the nature of international law well enough to offer so much as a template. 

The United States carries neither the authority nor the influence to create that template.  History complicates this state of affairs. Domination in its own hemisphere up to the 20th century, and then one compounded by global politics throughout the twentieth unto today, is why the United States is not uniformly trusted around the globe to set the rules unilaterally for internet governance. The specific history of the internet underscores these circumstances. For the most part, it was the United States Department of Defense, working with U.S. research universities and some corporate actors, developed the TCP/IP protocol into a network system (and their routers and switches, cables, wires, fiber and wireless access points, etc.) that form the physical and technical foundation of the internet.  As a result, the United States, now under its Department of Commerce, controls what are known as the root domain servers, those devices translate names into the numbers and direct internet traffic. Without that function, the internet would grind down to a halt and/or function as a bunch of unconnected subnets throughout the world, undermining the very extraordinary functions it serves as a global, interactive communication network. 

That control is at this stage of development both a blessing and a curse for the United States. The reason why no administration, Democratic or Republican, has corrected cybersecurity from the perspective of internet governance is primarily because it has technical control and wants to maintain that control. Concomitantly, the U.S. engages in state sponsored cyber security attacks. Suxnet is the most notable example. This was malware sent out by computer/intelligence operatives of the United States and Israel that destabilized Iranian nuclear reactors. This destabilization is thought to have brought Iran to the bargaining table. But now, when cybersecurity is exacted against us, we find that behavior abhorrent. The hack into Podesta’s emails are a case in point.  Very few would have made the argument that cyber insecurity should be fixed before the election for the sake of the integrity of American democracy. Now it seems we should be thinking about nothing else. 

I am not advocating that the United States relinquish control over those root domain servers.  What I am advocating for is the beginning of serious discussion on how to build a framework of multi-stakeholder internet governance. Without it, the internet will continue to be a compromised communication platform. It will never live up to its economic, social, political, intellectual, or cultural promise. What we would not tolerate in physical space – thieves routinely gaining entry to our houses without the state acting to protect us – we should not tolerate in cyberspace – hackers who use fraud or any other method to penetrate private communications or correspondence. This observation applies to hackers who steal personally identifiable information for garden-variety financial fraud as well as those who do so for purpose of influencing international politics.

I propose that we renounce the practice of cyber insecurity practiced by or against the United States government, its institutions, and its people. Furthermore, since nation-states have engaged in the practices of cybersecurity, they cannot be relied upon to create that framework. And since corporate entities, from telecoms to application developers, have their own interests at stake, neither can they be trusted to serve a greater purpose than profit.  So I have an idea that goes along with my proposal: Let higher education do it.

Higher education is the only institution that can lay claim to a mission that strives for the sake of knowledge itself. It is, notwithstanding its inevitable political dimensions relevant to time and space, dedicated to both a principle and a process that is larger than a nation-state governments or multi-national corporations. It has a custom and practice of international connections and relationships. A framework created out of multi-stakeholder discourse would act as a starting point, a draft, a position paper, a straw man. Higher education can facilitate a discussion about how international internet governance might operate. Only then can we address cyber insecurity as its core weakness: the lack of governance. The rule of law must prevail over commerce, communications and content on the internet. 

I began this talk with an overview of the some of the significant challenges that your generation faces. Depending on your academic and personal interests, you may choose to pursue any number of these challenges such as environmental sustainability, global health, a more equitable distribution of the world’s resources or how to achieve understanding among people of different religious practices and faiths.

But some of you out there must have a penchant for law, for negotiation. Some of you must be peacemakers who know how to bring people together to converse about complicated and challenging topics as to advance a common good. It is to you I speak and to the University of Massachusetts Amherst campus.

Global internet governance is among some of the most important issues that your generation must address. Working collaboratively with other higher educational institutions as well as centers for internet governance that already exist, colleges and universities can bring diverse, international, stakeholders together to think deeply about this challenge. Would we allow criminals, thieves and thugs to run our cities? Of course not. There is no reason why we should allow them to have as much control as they now exercise over the internet. The integrity of our political process – the heart of a democratic republic – is also at stake. It is time to get serious about global internet governance, and I see no reason why such an effort shouldn’t start right here, among us.