Cyberspace is comprised of computer networks, computer resources, and all the fixed and mobile devices connected to the global internet. A nation’s cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless, unlike the physical world-land, sea, river waters, and air-that is limited by geographical boundaries.
Is it a ‘Global Commons’ like sea, air, and space? Since all the networks and devices connected to them belong to people and/or organizations in specific countries, do these constitute private property, and hence a national asset? If it is a global commons, what international laws should apply to cyberspace? How can countries defend their part of the global cyberspace? If cyber attacked, do they have recourse to existing laws like law of armed conflict? If it is a national asset, how can it be defended since the attacks can come from afar, with the challenge that attackers may be hard to identify.
More so, because there are no barriers to cyberspace entry, since attack vectors-freely available at low cost-enable non-state actors to challenge large organizations and countries by attacking them for financial frauds, terrorist, or ideological reasons. Even worse scenario is a nation-state using non-state actors against its adversaries for cyber espionage, and disruption of critical infrastructures with outcomes similar to kinetic attacks.
Whether cyberspace belongs to the global commons, can be better appreciated, by examining how the governance of global commons for access and stability has evolved internationally, and what kind of rules of road have been created for them by the international community. In this paper, we briefly review the experience of creating rules of behavior in the global commons of sea, air, and space, followed by a brief discussion on cyberspace-both as a commons and a national asset.
Sea, air, and space have long been accepted as global commons by the international community. “The global commons are not under the control of a particular state, but are open for use by states, organizations, and individuals worldwide” (Tara Murphy). They bring economic benefits to nations; facilitate the passage of goods, and people on which every nation depends. Sea is the oldest of the global commons. Over 90% of global trade is carried through the seas.
It was viewed ‘as a great highway, or a wide common, over which men may pass in all directions’ as far back as 1890 by Alfred Thayer Mahan in his study entitled ‘The Influence of Sea Power upon History 16601783’. History shows that dominating seaborne commerce, and controlling sea routes enabled a country project its power capabilities. A state could become a military power through the control of routes. This led European thinkers to recognize the potential for international conflicts in the commons, and hence, the need for international agreements to broad rules and regulations.
It took several years of engagement with the international community on the part of United Nations to evolve acceptable governance regime for the sea in the form of UN Convention on the Law of the Sea (UNCLOS) in December 1970. According to this agreement, a state maintains sovereign control of coastal waters out to 12 miles beyond its beach, and exclusive rights to extract resources from the sea up to 200 miles from the shores.
While the area from 12 to 200 miles is part of the Exclusive Economic Zone (EEZ) of a state, it remains an international waterway through which even warships may pass as per the UNCLOS. Thus, UNCLOS defines states’ territorial boundaries, rights to resources in waters, and regulates behavior on the seas-in short rules of the road for states in the sea global commons.
Air as Global Commons
It presents a good example of broad agreements that have enabled the civil air-traffic movement through transport agreements registered with the International Civil Aviation Organization (ICAO), while the International Air Transport Association (IATA) provides operational level rules for airlines. Similar to 200 miles off the shores in case of seas, 60,000 ft above its geographic boundaries, and 12 miles from its shores, a state has sovereign rights over the airspace. This has provided for organized, safe and efficient passenger and cargo movement, while supporting freedom of skies.
Space as Global Commons
It was considered the newest, till, of course cyberspace arrived on the scene about a decade ago. Space was recognized as global commons only after the launch of Soviet Satellite-Sputnik-in 1957. It has comparatively less mature governance regime, though international agreements for its peaceful uses have been hammered out. The Outer Space Treaty of 1967 provides a regulatory structure for access and use of space as global commons.
Global commons are used for economic, commercial, and military purposes. Militaries and nations view it as a means to protect national territory and strategic interests, since navigating safely through the global commons is deemed to be part of national defense. The Quadrennial Defense Review Report 2010 of the US department of defense states, “Global security and prosperity are contingent on the free flow of goods shipped by air or sea, as well as information transmitted under the ocean or through space.” Thus, access to the global commons, and its stability are seen to be integral to the US homeland security and its vital national interests.
Cyberspace as Global Commons
Where does cyberspace fit in? It spans the entire globe almost seamlessly. Does it have any national borders? Yes, there are national gateways where countries can install filters to enforce censorship-as is done by some of them-even though these are porous and it’s not possible to block content with complete certainty. This is because the standardized protocols that enable the accessing of information and services easily from anywhere, are used by servers and underlying networks anywhere in the world, even though they pass through national gateways. To become only a national network, a country will need to snap connection of its gateways from the landing stations; in which case it’ll be a national asset, operating as an intranet in the country without being able to connect to the outside world.
It is clear that national assets have to be part of the cyberspace, the global commons, to derive benefits of connectivity-global e-commerce, email, funds transfer, stock trading, and other relations for business and trade; social networking that is spawning global communities, and changing the way people keep in touch with their families and friends.
Cyberspace is indeed a global commons, albeit of a new kind, since it is man-made. It facilitates the transfer of data and information rather than people, vessels, and goods; it is largely owned by the private sector. But it’s a national asset too, since it enables a host of business and government services to citizens; critical infrastructure depends on it for its efficient operations. In fact, economies of advanced nations almost entirely depend upon it. That’s why President Obama has identified the cyberspace commons as a ‘strategic national asset’ and has stated that protecting this infrastructure will be a national priority.
However issues of ownership complicate governance and require high level of public-private sector cooperation. On the other hand, critical infrastructure dependence on cyberspace such as telecom, banking, transportation, energy, defense, and governance continues to increase. Entire infrastructure of cyberspace, in these critical areas, belongs to individual nations and is part of their national ICT assets. But the attacks on these systems can come from anywhere in the world, because cyberspace is borderless. That’s what makes cyberspace a unique global commons, with every piece belonging to some company, organization, or individual as part of a national ICT asset. We need global rules for cyberspace as global commons to protect our national ICT assets from attackers in other countries. Clearly, national security depends on safe cyberspace commons.
Challenges to Cyberspace as Global Commons
International regimes and agreements that enhance openness, strengthen governance, and stability of cyberspace commons are essential, because it is the international legal frameworks and norms that put pressure on states to act. The international community, therefore, has to take steps to counter challenges to global commons.
Collaboration between private and public sectors, and among global state and non-state actors, is essential to ensure that threats to global commons are adequately addressed. The approaches to other global issues such as pollution, global climate change, and resource scarcity that are shaping the 21st century may hold some learnings to address the cyberspace challenge, especially as to how individuals and communities behave in a global commons.
Cyberspace has evolved from a totally unregulated techies’ domain, where innovation, new technologies, new services were the only drivers. Indeed it’s the innovations in cyberspace that have led to economic growth and globalization. But, unfortunately it has now reached a stage where it is sought to be highly regulated, because of the threats cyberspace poses to security of nations, and its emergence as a global economic and military battle arena, where inter-state cyber conflicts are likely.
Recent cyber attacks by organized criminals, non-state actors, and even nation-states have underlined the threat scenario. Sensitive country information including defense secrets, embassies’ correspondence; intellectual property comprising R&D of several companies based on years of efforts worth billions of dollars; penetration of critical infrastructures; use of cyberspace by terrorists, by nation-states through non-state actors have raised the specter of a silent net-centric war-in what is known as cyber warfare. Cyberspace has emerged as the new domain-beyond land, sea, air and space-that has to be factored by nations in their national defense strategies and plans. Cyberspace commons, therefore must have rules of the road.
Cyberspace is anarchic today since there is no formal governance regime. Market based governance that includes people, groups, and governments around the world has produced a flexible and effective global network of networks. But its regulation is complicated by several features.
Cyberspace is asymmetric, and offense dominant, provides anonymity because of difficulties in attribution-with implications for bringing criminals to justice and for deterrence and reprisal in the battle space. Silent, undetected attacks by non-state actors-criminals and terrorists-and by nationstates for cyber espionage, and disruption of critical infrastructures to cripple economies and spread disorder-are a reality.
Governments do not know how to protect cyberspace because infrastructure is owned by the private sector. It may be part of cyber commons, but every piece of hardware and services is privately owned. Existing international agreement, the Council of Europe (COE) convention on cyber crime, is limited in scope and even more limited on enforcement. It’s the owners of infrastructure, and individual users who shoulder the burden of responsibility to provide cyber security.
It is certainly time for international agreements, though not necessarily for treaties. This is because the dynamics of cyberspace is probably not understood well enough for international regimes. Moreover, countries do not seem to be favorably disposed towards evolving such a regime or treaty. One of the reasons is the level playing field that cyberspace provides to new economic powers that are emerging, giving rise to a multi-polar world with new centers of power. Cyberspace global commons presents a unique opportunity to small states and non-state actors to develop cyber weapons at almost no cost, and challenge the supremacy of bigger nations directly or through proxy war by supporting individuals or mercenaries anywhere.
Recognizing the anarchic development of the internet-with its bottoms-up techies’ approach which has created such a global platform based on innovations from different parts of the world-that has nearly disrupted the way the world exchanges information-in fact, the very definition of information and how data is used in all walks of life-has dramatically changed. It is not just facilitation, but the crimes that the cyberspace has spawned, the threats it poses to governments, as also to the international community, that the world has suddenly woken up to is resulting in governments’ attempts to impose new rules and regulations.
They do not want the control to stay either in the hands of technical people or in the institutions promoted or seen to be controlled by the US-Internet Corporation of Assigned Names and Numbers (ICANN), Internet Engineering Task Force (IETF), and similar organizations. Some of the countries are trying to wrest control of internet governance through the United Nations.
A Working Group on Internet Governance (WGIG) as a multi-stakeholder group was set up after the 2003 World Summit on Information Society (WSIS). Some of the vocal countries in this group are those that have introduced censorship in ‘their part’ of cyberspace commons. Doubts have been raised on whether these are countries requiring ‘equal’ say in internet governance for actually wanting to conduct censorship or to monitor citizens? Will increased ‘governance’ bring more regulation, and make access more expensive? Moreover, governmentfocused ‘top-down’ philosophy, is inherently incompatible with the current ‘bottomup’ evolution and structure of the internet.
Military Challenge to Cyberspace as Global Commons
It has to be recognized that nations are concerned about the military uses of cyberspace, and hence they’re wary of getting into treaties without understanding the full implications of cyber warfare. This is posing an impediment to the development of rules of behavior. There are trust issues because of fears of net-centric war, and attacks on critical infrastructures to immobilize nations. In fact, these have already been tested by some adversaries on Estonia, Georgia, and Iran. Cyber espionage, at low cost, is yielding huge economic benefits to nations, in the form of designs of bombers, secret military information, important economic data, and state secrets.
The US government has already announced that cyberspace is a battle arena much like land, sea, air, and space. It has reiterated that its national defense is highly dependent upon the ability to navigate safely through the global commons, including through the cyberspace. The Russians had earlier stated their doctrine that cyber attacks on their assets could invite reprisals, including even nuclear attacks on adversaries.
The US defense has identified the following attributes of cyber:
#1 Dependence on computer networks and cyber is essential to the conduct of military operations.
#2 Cyber is an asymmetric technology-low cost of attack weapons-that can pose a significant threat to military capabilities. Adversaries do not have to invest in expensive weapon systems.
#3 Some 120 military intelligence agencies are believed to be developing offensive cyber capabilities.
#4 It is hard to identify the origin of an attack. Forensics necessary to identify an attacker can take a long time; irrefutable proof required to justify a counter attack may not be adequate. Established models of deterrence, therefore, do not apply. Worse, if the attacker is identified to be a non-state attacker such as a terrorist group, it is not clear who and where to counter attack.
#5 Cyberspace is asymmetric-offense dominant, where defenders have to defend all the time at a heavy cost, while the offender, ie, adversary needs only a single failure to exploit.
#6 Supply chain is at great risk. The equipment delivered to the military, can contain remotely operated ‘kill-switches’ and hidden trapdoors in the computer chips used in military hardware, before it arrives. The systems are manufactured globally-these threats are real.
#7 Cyber threats transcend the battleground. Civilian infrastructure like power grids, telecommunications, transportation systems or financial systems may be disrupted leading to physical damage and economic disruption on a large scale.
#8 Intellectual property maybe stolen. Defense industry, academic institutions, and others involved in such design and development of weapon systems may be targeted.
The defense department believes that the next war is going to be network-centric; in fact, cyberspace allows unseen non-stop cyber war to go on all the time, with outcomes which maybe kinetic. It is, therefore, deploying defenses that can respond to cyber attacks at network speed. It is also protecting critical civilian infrastructure, especially that which is used by defense industrial base.
As part of its strategy, the US recognizes that information sharing on threats and vulnerabilities with allies is necessary, because cyberspace is global and advance information on new attack vectors and signatures, can act as early watch and warning system, for building appropriate defenses. It is also leveraging its technological base-it was the US that created the internet, it still is the most dominant player in developing advanced technologies.
Likewise, NATO has underlined the role of cyberspace as glue or interconnective tissue that enables nations to connect and prosper. But, it recognizes that cyberspace enables threats, and defies jurisdictional categorization in many ways. Adversaries are likely to make decisions to deny, disrupt, and/or deter access to the global commons. It underscores the 2 big challenges in a cyber attack, namely, anonymity and asymmetry, which have implications for deterrence, retaliation, and prosecution of attackers. NATO believes that in military battle, attribution will become more a political decision since technical and physical attribution is not feasible in short time.
Different nations have different norms, standards, and capabilities-agreeing to a common definition is difficult. But every state should collaborate by protecting its portion of the commons and avoid offenses which originate from its territory. Internationally recognized rules for use of the commons must be developed and ratified even though political and military changes are determining approaches to cyberspace. In any case, cyber security requires 2 layers of preparedness-national security level (countries’ responsibility), and cyber warfare (UN’s responsibility).
UN is unable to formulate a policy due to disagreements on concepts such as sovereignty and freedom, as also on defining what will constitute an act of war. Since the same attack vectors can cause financial frauds, cyber espionage or disrupt critical infrastructure; it is difficult to decide when an attack would be deemed to be war. Will the outcomes decide a cyber war? The malware can lie undetected for a long time, even though damage to a nation may be happening. It is not possible to declare when a cyber war started. Will the Law of Armed Conflict (LOAC) apply to cyber war? There are some who believe that it does.
Need for Global Cooperation
Cyberspace is both, a global commons and a national asset, as is clear from the above discussion. In so far as the infrastructure is concerned, the parts that pass through the other global commons, such as undersea optic fibers and satellite links in space-even though privately owned by companies-should be deemed as cyberspace commons. Global clouds-servers and networks-providing services to all countries have to be deemed as cyberspace commons. Likewise, root servers that resolve IP addresses, should be treated as a part of cyberspace commons.
This has implications, for example, for protecting the global commons, as also for users and the Law-Enforcement Agencies (LEAs) in countries. Non-state actors damaging the underground optic fiber cables, or attacking root servers should be punished by states wherever they are. Global clouds, irrespective of where they’re located, should be treated as an extension of the country to whose organizations and individuals they’re providing services, thereby making them liable to comply with the laws of that land without taking recourse to the laws of countries where such cloud companies are incorporated.
Criminals are creating cyber weapons, exploiting vulnerabilities in various platforms-hosting them globally and making available to all for a fee or just free. This is certainly happening from and within cyber commons-not just espionage and attack on critical information infrastructure-but as cyber warfare that is slow and bleeding all the time. National ICT assets are attacked from cyberspace commons without the fear of being identified. Even though all the assets are owned privately, individual countries are finding it difficult to handle the criminals, since the origin of cyber attack can be camouflaged-attribution is difficult. Global cooperation is clearly required.