How to counter authoritarian regimes online
Disconnecting? A woman in a Beijing Internet cafe, July 2011
Im Chi Yin/The New York Times/Redux
Hmmm, still have to preface with a "translator's note." The discovered text seemed to me curious and debatable. The only edits in the text are "bolds". I allowed myself to express my personal attitude in tags.
The age of the Internet was full of lofty hopes. Authoritarian regimes faced with the choice of becoming part of the new system of global communications or being left out will choose to join it. Arguing with rose-colored glasses further: the flow of new information and ideas from the "outside world" will inexorably push development towards economic openness and political liberalization. In fact, something quite the opposite happened. Instead of spreading democratic values and liberal ideals, the Internet has become the basis for espionage by authoritarian states around the world. Regimes in China, Russia, etc. used the infrastructures of the Internet to build their own national networks. At the same time, they erected technical and legal barriers to be able to restrict their citizens' access to certain resources and to make it difficult for Western companies to access their digital markets.
But while plans to split the Internet are lamenting in Washington and Brussels, the last thing Beijing and Moscow want is to be on their own networks and cut off from the global Internet. After all, they need access to the Internet to steal intellectual property, spread propaganda, interfere in elections in other countries, and be able to threaten critical infrastructure in rival countries. China and Russia ideally would like to re-create the Internet in their own way and force the world to play by their repressive rules. But they have failed to do so – instead, they have stepped up their efforts to tightly control outside access to their markets, limit their citizens’ ability to access the Internet, and exploit the vulnerabilities that inevitably come with digital freedom and Western openness.
The United States and its allies and partners must stop worrying about the risk of Internet division by authoritarian regimes. Instead, they should split it on my ownby creating a digital bloc within which information, services and products can move freely, excluding countries that do not respect freedom of expression or privacy rights, engage in subversive activities or provide safe havens for cybercriminals. In such a system, countries that embrace the concept of a truly free and reliable Internet will maintain and expand the benefits of connectivity, and countries that oppose the concept will not be able to harm it. The goal should be digital version of the Schengen agreement, which protects the free movement of people, goods and services in Europe. 26 countries of the Schengen area adhere to such a set of rules and enforcement mechanisms; non-isolated countries.
Such arrangements are necessary to maintain a free and open Internet. Washington must form a coalition that unites Internet users, companies and countries around democratic values, respect for the rule of law and fair digital trade: Free Internet League. Rather than allowing states that do not share these values unhindered access to the Internet and Western digital markets and technologies, the US-led coalition should establish conditions under which non-members can stay connected and put up barriers to limit the valuable data they may receive and the harm they may cause. The league will not raise a digital iron curtain; at least initially, most Internet traffic will continue to flow between its members and "out", and the league will primarily block companies and organizations that promote and facilitate cybercrime, not entire countries. Governments that basically embrace the ideas of an open, tolerant, and democratic Internet will have an incentive to improve their enforcement efforts to join the league and provide reliable communications for their companies and citizens. Of course, authoritarian regimes in China, Russia, and elsewhere are likely to continue to reject this vision. Rather than begging and begging such governments to behave well, the United States and its allies must now lay down the law: follow the rules or be cut off.
An end to the dreams of an internet without borders
When the Obama administration released its International Cyberspace Strategy in 2011, it envisioned a global Internet that would be "open, interoperable, secure, and reliable." At the same time, China and Russia insisted on applying their own rules on the Internet. Beijing, for example, wanted any criticism of the Chinese government that would be illegal inside China to also be banned from US websites. Moscow, for its part, has been dodgy looking for the equivalent of arms control treaties in cyberspace while ramping up its own offensive cyberattacks. In the long term, China and Russia would still like to influence the global Internet. But they see great value in building their own closed networks and using the openness of the West to their own advantage.
Obama's strategy warned that "the alternative to global openness and interoperability is a fragmented Internet, where a significant portion of the world's population will be denied access to complex applications and valuable content due to the political interests of several countries." Despite Washington's efforts to prevent this outcome, this is exactly what we have arrived at now. And the Trump administration has done very little to change US strategy. President Donald Trump's National Cyber Strategy, released in September 2018, calls for an "open, interoperable, trusted, and secure Internet," echoing the mantra of President Barack Obama's strategy, interchanging the words "secure" and "reliable" from time to time.
Trump's strategy is based on the need to expand Internet freedom, which she defines as "the exercise of human rights and fundamental freedoms on the Internet, such as freedom of expression, association, peaceful assembly, religion or belief, and the right to privacy on the Internet." While this is a worthy goal, it ignores the reality that in many countries where citizens do not enjoy these rights offline, much less online, the Internet is no longer a safe haven, but rather a tool of repression. Regimes in China and elsewhere are using artificial intelligence to help them better monitor their people and have learned how to wire up security cameras, financial transactions and transportation systems to create vast databases of information about the activities of individual citizens. China's army of XNUMX million Internet censors is being trained to collect data for inclusion in planned scoring system "social loans", which will allow each resident of China to be assessed and assign rewards and punishments for actions taken both online and offline. China's so-called Great Firewall, which prevents people in the country from accessing content on the Internet that the Chinese Communist Party considers inappropriate, has become a model for other authoritarian regimes. According to Freedom House, Chinese officials have held training sessions on developing Internet surveillance systems with counterparts in 36 countries. In 18 countries, China has helped build such networks.
Near the Beijing office of Google the day after the announcement of the company's plans to leave the Chinese market, January 2010
Gilles Sabrie / The New York Times / Redux
Using "numbers" as leverage
How can the United States and its allies limit the damage that authoritarian regimes can do to the Internet and prevent those regimes from using the power of the Internet to suppress dissent? There have been proposals to instruct the World Trade Organization or the UN to establish clear rules to ensure the free flow of information and data. But any such plan would be stillborn, for in order to gain approval it would have to enlist the support of the very countries whose malicious activities it targeted. Only by creating a block of countries within which data can be transmitted and banning access from other states can Western countries get any leverage to change the behavior of the "bad guys" of the Internet.
Europe's Schengen area offers a real model where people and goods move freely without going through customs and immigration. Once a person enters the zone through one country's border post, he or she can access any other country without going through other customs or immigration checks. (There are some exceptions, and a number of countries introduced limited border checks after the 2015 migrant crisis.) The zone agreement became part of EU law in 1999; the non-EU states of Iceland, Liechtenstein, Norway and Switzerland eventually joined as well. The agreement excluded Ireland and the UK at their request.
Joining the Schengen area is associated with three requirements that can serve as a model for a digital agreement. First, member states must issue uniform visas and ensure reliable security at their external borders. Second, they must show that they are capable of coordinating with law enforcement agencies in other member states. And third, they must use a common system to track entries and exits to the zone. The agreement sets out rules governing cross-border surveillance and the conditions under which authorities can pursue suspects in hot pursuit across borders. It also allows for the extradition of criminal suspects between Member States.
The agreement creates clear incentives for cooperation and openness. Any European country that wants its citizens to have the right to travel, work or live anywhere in the EU must bring its border controls into line with Schengen standards. Four EU members - Bulgaria, Croatia, Cyprus and Romania - were excluded from the Schengen area in part because they did not meet those standards. Bulgaria and Romania, however, are in the process of improving their border controls so they can join. In other words, incentives work.
But that kind of incentive is missing in all attempts to bring the international community together to fight cybercrime, economic espionage and other digital age issues. The most successful of these efforts, the Council of Europe Cybercrime Convention (also known as the Budapest Convention), defines all reasonable actions that states should take to combat cybercrime. It provides model laws, improved coordination mechanisms and simplified extradition procedures. Sixty-one countries have ratified the treaty. However, it's hard to find defenders of the Budapest Convention because it didn't work: it doesn't provide any real benefits for accession, or any real consequences for the non-compliance it creates.
For the Free Internet League to work, this trap must be avoided. The most effective way to bring countries into league compliance is to threaten them with refusal of products and services companies such as Amazon, Facebook, Google and Microsoft, and cut off their companies' access to the wallets of hundreds of millions of consumers in the US and Europe. The league will not block all traffic from non-members - just like the Schengen area does not close all goods and services from non-members. On the one hand, the ability to meaningfully filter out all malicious traffic at the national level is not available to technology today. What's more, it would require governments to be able to decrypt traffic, which would do more harm to security than help it, and violate privacy and civil liberties. But the league will ban products and services from companies and organizations known to facilitate cybercrime in non-member countries, as well as block traffic from rule-breaking ISPs in non-member states.
For example, imagine if Ukraine, a well-known safe haven for cybercriminals, were threatened with shutting down access to services to which its citizens, businesses, and government are already accustomed, and on which its technological development may largely depend. The Ukrainian government will face a strong incentive to finally take a tough stand against the cybercriminal world that has developed inside the country's borders. Such measures are useless against China and Russia: after all, the Chinese Communist Party and the Kremlin have already done their best to cut off their citizens from the global internet. However, the goal of the Free Internet League is not to change the behavior of such “ideological” attackers, but to reduce the harm they cause and encourage countries such as Ukraine, Brazil, India to achieve success in the fight against cybercrime.
Keeping the Internet Free
The founding principle of the league will be to uphold free speech on the Internet. Members, however, will be allowed to make exceptions on a case-by-case basis. For example, while the US will not be forced to accept EU restrictions on free speech, US companies will need to make reasonable efforts not to sell or display prohibited content to Internet users in Europe. This approach will largely consolidate the status quo. But it would also oblige Western countries to take on the more formal task of restricting states like China from pursuing the Orwellian vision of "information security" by insisting that certain forms of expression pose a national security threat to them. For example, Beijing regularly sends requests to other governments to remove content hosted on servers in their territory that is critical of the Chinese regime or that discusses groups banned by the regime in China, such as Falun Gong. The United States has rejected such requests, but others may be tempted to give in, especially after China retaliated against the US refusal by launching cyberattacks on the sources of the material. The Internet Freedom League will give an incentive to other countries to deny such Chinese demands: it will be against the rules, and other member countries will help protect them from any retribution.
The league will need a mechanism to monitor compliance by its members with its rules. Maintaining and publishing the performance indicators of each participant can be an effective tool for this. But the model for a more rigorous form of assessment can be found in the Financial Action Task Force, an anti-money laundering organization set up by the G-7 and the European Commission in 1989 and funded by its members. The 37 member countries of the FATF account for the majority of financial transactions in the world. Members agree to adopt dozens of policies, including those criminalizing money laundering and terrorist financing, and require banks to conduct due diligence on their customers. Instead of rigid centralized monitoring, the FATF uses a system whereby each member in turn analyzes the efforts of the other and makes recommendations. Countries that do not comply with the required policy are placed on the FATF's so-called "grey list", which requires more scrutiny. Criminals can be blacklisted, requiring banks to launch detailed checks that can slow down or even stop many transactions.
How can the Free Internet League prevent malicious activity in its member states? Again, there is a model for an international public health system. The League will create and fund an institution similar to the World Health Organization that will identify vulnerable online systems, notify the owners of these systems, and work to strengthen them (similar to WHO's worldwide vaccination campaigns); detect and respond to emerging malware and botnets before they can cause extensive damage (the equivalent of disease outbreak monitoring); and take responsibility for the response if prevention fails (the equivalent of the WHO response to pandemics). League members would also agree to refrain from conducting offensive cyberattacks against each other in times of peace. Such a promise, of course, will not prevent the United States or its allies from launching cyberattacks against rivals that will almost certainly remain out of the league, such as Iran.
Building barriers
Creating a Free Internet League would require a fundamental change of mindset. The idea that Internet connectivity will ultimately transform authoritarian regimes is a wishful thinking. But it's not, it won't happen. The unwillingness to accept this reality is the biggest obstacle to an alternative approach. However, over time it will become clear that the technological utopianism of the era of the emergence of the Internet is inappropriate in the modern world.
Western tech companies are likely to oppose the creation of the Free Internet League as they work to appease China and gain access to the Chinese market because their supply chains are heavily dependent on Chinese manufacturers. However, the costs of such firms will be partly offset by the fact that by cutting off China, the league will effectively protect them from Chinese competition.
A Free Internet League, modeled on the Schengen area, is the only way to secure the Internet from the threats posed by authoritarian states and other bad guys. Such a system would obviously be less global than today's free Internet. But only by raising the cost of malicious behavior can the United States and its friends hope to reduce the danger of cybercrime and limit the damage that regimes like in Beijing and Moscow can do to the Internet.
Authors:
RICHARD A. CLARKE is Chairman and CEO of Good Harbor Security Risk Management. He has served in the US government as Special Adviser to the President for Cyber Security, Special Assistant to the President for Global Affairs, and National Coordinator for Security and Counterterrorism.
ROB KNAKE is Senior Fellow at the Council on Foreign Relations and Senior Fellow at the Global Sustainability Institute at Northeastern University. He was director of cyber policy at the National Security Council from 2011 to 2015.
Source: habr.com