Introduction for Cyber Sovereignty
Introduction
Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.1
These are the opening lines of “A Declaration of the Independence of Cyberspace,” a manifesto formulated at the 1996 World Economic Forum in Davos, Switzerland, by John Perry Barlow, a poet, political activist, cyberlibertarian, and founding member of the Electronic Frontier Foundation, an institution defending online civil liberties. Back then, cyberspace was at its onset, and a group of the first cyberspace theorists believed that cyberspace should be free from state interference and thus also immune from state sovereignty. Barlow was the loudest proponent of this paradigm, which claimed that a new community with its own norms and internal regulations was being constructed in cyberspace and that governments’ presence was neither necessary nor welcome. Despite these hopes and wishes, it soon became clear that states would not follow Barlow’s demands and would try to impose their sovereignty on cyberspace.
State sovereignty is a fundamental concept of the modern international order whose origins can be found in the Peace of Westphalia of 1648. It is not a specific style of governance or type of constitution. State sovereignty is rather a legal and political groundwork on which different styles of governance can be executed and different types of state constitution can be built. It is a remarkably long-lasting and ever-changing concept that has continually evolved and transformed with time to accommodate particular historical periods. Despite all these transformations, state sovereignty has always preserved its fundamental idea. It is the supreme authority exercised within a distinct territorial jurisdiction that is free from foreign interference but asserts its place in the international system. Sovereignty is the ultimate precondition of modern law and politics.
Sovereignty has faced serious challenges and undergone occasional existential crises. The most recent challenge for states and their sovereignty materialized in the form of cyberspace, whose wild and fast spread worldwide was, at one point, predicted to erode the concept. Cyberspace is complex, requiring more than a simple description of hardware and software. I interpret it through four distinct layers that, together, create the cyber domain. These are its physical infrastructure, its code, its regulations, and the data and information it contains.2 The main concern has been the supposedly borderless nature of the cyber domain, where data can be exchanged from one corner of the planet to another in the blink of an eye, diminishing the relevance of physical territory.
Governments became conscious of the capacity of cyberspace in its early stages, as indicated by their actual practice, and wanted to extend their sovereign position into it. Increasingly, states seek greater sovereignty over the cyber domain, previously seemingly ungoverned. In the broader context of cyberspace as a domain, this behavior appears logical. The concept of state sovereignty in cyberspace is crucial to any debate about regulation of the domain. Achieving a cyber order broadly accepted by the international community requires, first, a consensus on basic regulations. These basic regulations, then, are inherently based on the application of state sovereignty in this new domain. If states cannot apply and rely on their sovereignty in the cyber domain, they will not accept even the weakest attempt to establish order in cyberspace. Hedley Bull’s The Anarchical Society proclaims that states try to preserve the international order because it is in their own interest.3 From this logic, international order in cyberspace cannot exist without a solid basis of sovereignty, hence states’ activity in this regard.
The puzzling situation this creates is the subject of this book. I argue that we find ourselves in an exploratory phase; governments try new options for extending their sovereignty into cyberspace. States globally stretch their muscles and probe the limits to their sovereignty in the cyber domain. Nevertheless, a state is still a territorial entity, and imposing sovereignty in a seemingly nonterritorial man-made cyber domain is very different from imposing it in the physical domains of sea, land, air, and space in which sovereignty was previously developed. I examine how our understanding of state sovereignty has been transformed by state practice under the pressure of new cyber challenges. This is a crucial question because the debate on sovereignty in cyberspace is being framed at the moment, and its outcome will offer a framework for addressing further cyber-related topics.
I aim to answer three related questions. The principal question asks How does state practice of sovereignty in cyberspace change the traditional understanding of the concept? Two working questions delve into sovereignty in cyberspace and feed into the answer to the principal question. The first working question asks What kinds of tools do states employ to exercise their sovereignty in cyberspace? The second working question asks In what way is the exercise of authority and control by states in cyberspace different from traditional domains?
I argue that the unique environment of cyberspace requires states that desire to retain their sovereignty therein to adjust their behavior to fit the characteristics of the cyber domain. State sovereignty exists in cyberspace, and states are not willing to cede it to other cyber actors. However, because cyberspace does not have the same characteristics as the traditional domains of air, sea, land, and space, states need to adapt their practice of sovereignty in cyberspace accordingly. Consequently, state behavior influences our approach toward the concept of sovereignty, which must be more adaptive and accept a modification of its classical understanding. Distribution of authority and control in cyberspace likely differs substantially from noncyber environments, and the tools used by states to enforce sovereignty in cyberspace are more miscellaneous, closely interconnecting modern technologies and legal frameworks. Ultimately, I argue that sovereignty as applied to cyberspace is the latest stage of its evolution, and so sovereignty once again transforms itself to keep up with the latest developments in modern politics and law: cyber governance.
Although state sovereignty in cyberspace has been studied before my examination, I show in chapter 1 that the research has focused solely on narrow and specific segments of the issue so far, such as territoriality or framing the concept within one particular state activity. It has not taken the crucial further step of exploring in depth and in a more complex manner how the cyber domain transforms our understanding of state sovereignty with respect to democratic rule. This book addresses this gap and moves the debate forward by exploring how democracies in the transatlantic area enforce their sovereignty in cyberspace.
To do this, I use Stephen Krasner’s typology of sovereignty, which constitutes the most suitable theoretical framework for this book. The typology is simultaneously complex, covering the whole range of states’ activities, and flexible enough that it can also be applicable in different conditions and environments. According to Krasner, states exercise sovereignty in four ways: Westphalian sovereignty, international legal sovereignty, domestic sovereignty, and interdependence sovereignty. Westphalian sovereignty centers on the exclusion of external actors from authority structures, and international legal sovereignty deals with a state’s behavior as a juridical equal in international law and relations. Domestic sovereignty focuses on the organization of political authority and the ability to exercise effective control, and interdependence sovereignty concerns the regulation of transborder movement.4 Embedded in these four sovereignty types are a fundamental distinction between authority and control. Authority Krasner defines as a mutually acknowledged right for actors to become involved in specific activities, and control as attainable through the simple use of brute force without a need for mutually recognized authority.5 I do not always neatly apply all the aspects of the typology as originally defined, because the nature of cyberspace simply does not allow it (for example, it is impossible to use brute force in relation to control), but I am positive that it is the most suitable analytic foundation, which will become self-evident during the course of the book.
I transfer Krasner’s typology of sovereignty into the cyber domain and match each sovereignty type with a case study. To do so, I first identify four long-term trends in states’ approaches to cyberspace: efforts to preserve the confidentiality, integrity, and accessibility of governmental data in the digital era; international negotiations on norms of behavior in cyberspace; the push toward state control of the internet; and protection of national infrastructure. With minor exceptions, almost every state worldwide with at least a minimal interest in cyberspace has faced all four topics and come to a decision about how to approach them. Using purposive sampling, I then identify the most suitable case study per sovereignty type, those whom I perceive to be democratic pioneers in the transatlantic region that stretch the limits of state sovereignty in cyberspace the most. To operationalize the cases, authority and control are the variables. Authority in cyberspace is assessed through respective state legislation, and control is measured through the cyber capabilities that are necessary for the state’s exercise of the respective type of sovereignty.
I limit the territorial definition to democracies, because they are guided by the general will of the people and do not tend toward extreme solutions. I also narrow it to the transatlantic region, because those states have similar perceptions of cyberspace matters. I intentionally avoid the study of authoritarian regimes for two reasons: first, previous research on state sovereignty has already substantially explored the approach of authoritarian governments to state sovereignty in cyberspace; second, the source of legitimacy of authoritarian regimes is not the will of the people to whom they would be answerable. Their source of sovereignty is different, and hence their sovereignty limits can be set differently too. Ultimately, these different limits could distort the results of this book.
Westphalian sovereignty is represented in chapter 3 by Estonia and its decision to build a network of data embassies. These are data centers under the full control of the Estonian government but located outside Estonian territory. The data embassies can serve as backup providers in times of emergency in Estonia, thereby ensuring the digital continuity of Estonian e-government. This progressive and innovative idea clearly secures the exclusion of external actors from the authority structures of a state within its territory as defined by Westphalian sovereignty. The subsequent adoption of the same far-reaching practice by other states and institutions confirms Estonia’s leadership in this sovereignty type.
The engagement of the Dutch leadership in international negotiations in chapter 4 on responsible state behavior in cyberspace embodies the most advanced case of international legal sovereignty. The Netherlands has been a keen and progressive proponent of establishing international forums for discussion about norms in cyberspace while also playing an active role in already-established negotiations. This leadership resides in the Netherlands’ efforts to include in these negotiations the broadest range of stakeholders possible while working on both bottom-up and top-down approaches. Their proactive steps and eagerness have paid off in a recognition by other stakeholders of their initiatives, including significant successes in clarifying norms of responsible state behavior in cyberspace.
Turkey and its approach to internet restrictions in chapter 5 represents the most advanced case of domestic sovereignty. I intentionally limit this case to the time frame of 2007 to 2016 because that is when Turkey could still be considered a democratic or partially democratic state. In 2007, the first internet governance law in Turkey created its main legal framework. Since then, the law has gradually evolved into a tool of the state that facilitates its reaction to political events unfavorable to governmental policy, culminating in the military coup of 2016. Because this is when Turkey began transforming into a semiauthoritarian regime both inside and outside cyberspace, I believe it is a good example of the delicate moment when the extension of sovereignty by a government violates democratic values and so serves as a warning for other democracies.
Finally, the United States’ approach in chapter 6 toward the Chinese telecommunications company Huawei Technologies and its attempts to enter the US market is the most advanced case of interdependence sovereignty. Governments globally have discussed the threats and risks from Chinese information technology (IT) companies to their critical infrastructures for several years. The United States, however, has most strongly advocated excluding Chinese companies from their markets because investigations indicate the companies might pose a significant threat to US national security. The US leadership went one step further when it launched a global campaign to persuade US allies to adopt the same approach.
In chapter 7, I draw conclusions on the theoretical implications of state sovereignty’s application to cyberspace. The distribution of authority and control in cyberspace compared with noncyber domains is diametrically different. In fact, the very nature of cyberspace requires that the distribution be much more nuanced, such that one variable might be needed to exercise a particular type of sovereignty but does not play the decisive role. This contrasts with Krasner’s view of authority and control being either present or absent in the exercise of a sovereignty type. Authority and control are also closely linked to the methods and tools that states employ to exercise their sovereignty in cyberspace. I come to the conclusion that governments must carefully balance legal frameworks and cyber capabilities, because sole reliance on one is not sufficient. Depending on the type of state sovereignty that states want to enforce, they need to work with domestic legislation or international law and international relations on both multilateral and bilateral levels. Interestingly, the word “innovation” is often associated purely with technologies in cyberspace. I show, however, that that is a mistake, because cyberspace requires us to innovate and think outside the box with respect to authority and law too. In terms of cyber capabilities and capacities, I conclude that the technical tools used by governments are more miscellaneous than the legal ones. Technology constantly evolves and so must governments and their willingness to use them. Governments can no longer rely on only their own cyber capabilities but must create strong, reliable, and safe partnerships with the private sector and other stakeholders. Nonstate actors are often owners of cyber capabilities that states must have to exercise a particular type of sovereignty.
This ultimately leads me to the answer of how the state practice of sovereignty in cyberspace changes the traditional understanding of the concept. I see two major changes compared with noncyber domains. First, authority and control are much more interconnected and strongly interdependent, and they often influence each other in cyberspace. This is why governments, when considering a particular type of sovereignty in cyberspace, must employ a more comprehensive approach to cover both of these factors and their potential interactions and dependencies. Second, governments and the cyber community need to be more open-minded, flexible, and creative in their thinking about sovereignty in cyberspace than in their thinking about other traditional tangible domains. Cyberspace is a man-made domain that is far from static, which is most visible in terms of cyber capabilities. Similarly, governments must use lateral and out-of-the-box thinking in relation to legal frameworks and negotiation platforms. If states wish to retain their sovereignty in cyberspace, they must keep up with the rapid pace of development and react swiftly with the tools at hand.
In addition to the theoretical implications of my research, I also discuss practice-oriented conclusions. These brief findings and observations might have particular relevance for decision-makers and policy-oriented practitioners in general. I lay out several findings for each of the case studies in the conclusion, and I mention just few here.
Estonia is a showcase country, having built up and continuing to develop its novel e-government under the watchful observation of the international community. Its government is open and transparent about most of its efforts, including the feasibility analysis of the solutions for how to secure its digital continuity. This transparency is a valuable resource for other countries trying to achieve the same goal, but even more importantly, it greatly enhances the Estonian reputation globally and raises its profile and credibility in the eyes of the cyber community.
The example of the Netherlands teaches us that the territorial size and population of a country do not really matter in cyberspace. What is far more important is for a nation to have a good strategy and the dedication to achieve its goal. The Dutch have aptly demonstrated this with their approach to norms building and shaping. They are aware that, for a norm to be successfully accepted by the international community, it is crucial to bring to the negotiation table states and nonstate actors from the broadest spectrum of interests and opinions. Consequently, to keep them interested in the negotiation process, it is a smart strategy to start with less controversial, more basic topics to reach a consensus that serves as a foundation to build on.
The Turkish case shows the perils of a state-centric approach to regulation of the internet. Compared with a multistakeholder approach, a state-centric one is based on a hierarchical system of mutually interconnected entities that is ultimately controlled by the government. That can lead to the dangerous situation of the government misusing its powers and hiding its misuse behind national security concerns or some other similar justification. Thus, the multistakeholder approach is, in my opinion, a safer option because it incorporates checks and balances of power.
The most crucial observation of the United States’ case is the importance of cooperation between a government and the private sector. The time when governments were fully able to sustain and secure their infrastructures using solely domestic sources is long gone, and so they need to create a supply chain of trustworthy and reliable international partners. At the same time, however, it is necessary to sufficiently diversify providers and not to rely on just one supplier or one other country. That can create the dangerous situation where the potential interruption of production can have far-reaching implications, as happened in the early 2020s with the supply of semiconductors.
States desire to retain their sovereignty in cyberspace and are willing to adjust their behavior accordingly to fit the particular nature of the domain. This book explores the most advanced cases of states exploring and stretching their sovereignty’s boundaries in cyberspace while holding on to their democratic values (with one precautionary exception). After all, we are still in the exploratory stage, where states are testing new methods and tools, establishing important precedents for the future. I analyze this behavior to offer a new understanding of the concept of state sovereignty in cyberspace. Ultimately, state sovereignty is one of the foundational building blocks of the modern international order, and thus it is important to fully explore and comprehend how it functions when it is exercised in the new domain of cyberspace.
Notes
1. John Perry Barlow, “A Declaration of the Independence of Cyberspace,” Electronic Frontier Foundation, February 8, 1996, https://www.eff.org/cyberspace-independence.
2. Ronald J. Deibert, Rafal Rohozinski, and Masashi Crete-Nishihata, “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia-Georgia War,” Security Dialogue 43, no. 3 (2012): 5–6.
3. Hedley Bull, The Anarchical Society (New York: Palgrave, 1977).
4. Stephen Krasner, Sovereignty: Organized Hypocrisy (Princeton, NJ: Princeton University Press, 1999), 3–4.
5. Krasner, Sovereignty, 10.