Should cybersecurity see the global Internet as an open network, or as sovereign walled gardens? Robert Potter writes that thanks to countries like Russia and China, today’s cyber landscape is more complex than either model.
Our thinking about the place of cybersecurity within politics is being revolutionised.
Traditionally, Australia and other like-minded states have thought of the Internet as a politically open platform supported by segregated corporate networks. We believed that over time the Internet would lead to more information sharing, more openness and greater political freedom. Cybersecurity practitioners would work to harden their corporate networks which would facilitate greater openness of the broader Internet.
This may still be true, but it is surely being tested.
States are challenging the contemporary consensus on the nature of cyberspace: China is becoming more powerful and assertive. And recent Russian election interference shows that Russia also does not have benign intentions. Current cybersecurity practitioners think of the Internet as an open network where malicious actors traverse common space to access a firewall-protected segregated network.
However, only the most optimistic view would see cyberspace in countries like China and Russia as a common, open network. This understanding fails to grasp the full set scope of potential operations through which states are pursuing their objectives in cyberspace.
As the traditional narrative has been tested, the view is shifting to one of a ‘sovereign’ network as an extension of how we think about corporate networks. Understood in this way, nations exist as networks of their own and states make claims around the acceptable behavior within those spaces. However, this view also does not correlate well to the facts on the ground. Rather, states such as Russia, China, Iran and a range of other states, act increasingly as if cyberspace sits within areas which are controlled, influenced and not-influenced by their state power.
Previous analyses of decision-making by activist states saw their actions as fracturing the Internet. China built the ‘great firewall’ to separate itself from the rest of the Internet. However, this term is likely a Western invention and reinforces perceptions of network segmentation which sit at the core of contemporary cybersecurity.
China sees its efforts as centred on a mission to control and surveil the Internet and increase its influence over the platform. China’s behavior is not like the sort of perimeter defence traditionally devised by cybersecurity, where access is authenticated and tightly controlled. Rather, China’s Internet remains largely connected to the wider network but is subject to significant national influence efforts.
This is a rejection of the ‘walled garden’ in favor of zones of influence. It allows us to reconcile that states are increasing their capacity to gain access to the wider network while enacting significant controls on access to the Internet, even in extreme cases such as North Korea.
Pyongyang has no intention of allowing a free and open Internet. Its behaviour towards companies such as Sony show its claims to authority is not geographically limited. North Korea clearly sees utility in engaging with the Internet, even going so far as to reduce geopolitical dependence on access through China by deploying additional cabling through Russia.
For its part, Russia has interests in using the Internet to further its strategic aims. Moscow’s activity has progressed to the point where ‘information operations’ is now a unique but broadly studied vector for cyber-attack.
Traditional network-centric views (such as the cyber kill-chain) do not engage with attacks that manipulate the legitimate functions of a platform to further their aims – for instance, harnessing Facebook during the US presidential election. Nor does the kill-chain approach reconcile easily with the interdependent nature of many networks, which traverse public space and are governed by external entities.
The perception of the Internet as an open platform, devoid of national boundaries, where exploitation requires unauthorised access of some kind, is irreconcilable with the behaviour of some countries. However, many concepts used to understand cyber-attacks do not encapsulate current realities. For example, while Russia might believe in a sovereign Internet for Russia, it clearly has no intention of accepting the Internet of another country as similarly sovereign. China too, has a clear interest in the broad uptake of services it governs, such as WeChat, which is surveilled by China even when users are within Australia.
From a regulatory point of view, social media applications are treated as carriers and not subject to the same sort of rigorous scrutiny that traditional media is, particularly with regards to foreign ownership. Australia has gone to great lengths to limit foreign ownership of traditional media platforms, but faces a new reality where a significant portion of online media ownership is completely unregulated.
Australia maintains the traditional view of a common Internet. While this norm remains highly praiseworthy, it does not capture the reality of contemporary influence operations.
While defining the limits to state control over cyberspace is becoming more difficult, the need to identify intent and effect is becoming more urgent. This makes it harder for traditional mechanisms to identify malicious activity, but it does allow states such as Australia to maintain the norm of an open Internet by pathologising behaviours which cut against that norm.
Attempting to influence another state’s election has been identified as cyberwar by other means – the ‘means’ is the network itself. The open nature of the Internet’s protocols carries an assumption: that the trade-off for openness is that malicious activity often comes in the form of interactions that were assumed to always be good. This assumption must be challenged.
Self-managed networks have entrenched the perception that it’s possible to define their boundaries. While these perceptual boundaries are useful in some contexts, we must move past them if we are to effectively identify and respond to malicious activity. In the contemporary threat landscape, if behaviour is defined through existing legal terms of act and intent, regulators and analysts will have a more reliable method of categorising actions as malicious.
We could then have further significant debates: Who has the power to categorise and police this behaviour? What level of media ownership by other states is acceptable? These debates will eventually distil into effective, international norms. But until malicious activity can be reliably identified without undercutting them, those norms are unlikely to progress.