A heated debate is underway about the appropriate role of nation-states in Internet governance and enhancing global cybersecurity, as was illustrated most recently during the 2012 World Conference on International Telecommunications (WCIT-12). Meanwhile, national governments are increasingly seeking to secure their critical infrastructure through regulation that may have global impacts. In an effort to compare and contrast these policies so as to begin to identify best practices that could give rise to norms and eventually be codified in international law, this Article analyzes proposed and implemented critical infrastructure regulations in China, the European Union, India, the United Kingdom, and the United States. Ultimately, the Article demonstrates that there exists a continuum of governmental interest in and approaches to regulating cyberspace, blurring the "digital divide" that was exposed at WCIT-12 and noting the value of finding common ground between stakeholders. Only then will the international community be able to reach agreement on the future of Internet governance and promote cyber peace.
INTRODUCTION I. FROM DARPA TO WCIT : A BRIEF INTRODUCTION TO THE INTERNET GOVERNANCE DEBATE A. Phase One: Early Internet Governance (1969-1998) 1. The ITU's Early Exclusion: How TCP/IP Won 2. Regulating Domain Names: The Internet Assigned Numbers Authority 3. Managing Communications: The Internet Engineering Task Force B. Phase Two: The Emergence of "Global" Internet Governance (1998-2006) 1. Commercialization and Challenging the Status Quo: ICANN 2. Beyond U.S. Control: The Birth of the IGF C. Phase Three: WCIT and the Future of Internet Governance (2006 Present) 1. A New Internet Governance Order: Enter the State 2. Rise of the ITU: WCIT and a New "Digital Divide" Summary II. BEYOND WCIT: COMPARATIVE STUDIES IN NATIONAL AND REGIONAL INTERNET REGULATIONS A. Rationale for Regulating Critical National Infrastructure B. United States C. United Kingdom D. European Union 1. Evolution of EU Cybersecurity Policymaking 2. 2013 EU Cybersecurity Strategy E. China 1. Evolution of Chinese Information Security Policymaking 2. Challenges Facing Chinese Information Security Efforts F. India Summary III. BRIDGING THE DIGITAL DIVIDE: SECURING CRITICAL INFRASTRUCTURE IN AN AGE OF CYBER INSECURITY A. Analysis of National and Regional Regulatory Trends B. Impact on International Policymaking and Governance C. Bridging the New "Digital Divide" CONCLUSION INTRODUCTION
As the 2012 World Conference on International Telecommunication (WCIT-12) ended, a crisis of "Internet governance" deepened. (1) How the Internet should be governed has been a contentious issue since the late 1990s, but in recent years, increasingly sophisticated cyber attacks, global geopolitical shifts, and social media-empowered political movements have exacerbated ideological disagreements and amplified the stakes for invested national governments. Over time, at least two coalitions have emerged: "cyber paternalists," which advocate for enhanced national Internet sovereignty, and "Internet freedom" advocates, which believe that the private sector should largely be left to regulate a borderless cyberspace. (2) In December 2012, 193 Member States of the International Telecommunication Union (ITU) failed to compromise on updates to the 1988 International Telecommunication Regulations (ITRs). (3) As such, WCIT-12 seemed to solidify the positions of so-called cyber paternalists and Internet freedom advocates, entrenching a problematic "digital divide." (4) Ultimately, this tension is causing Internet governance to fragment, which could create obstacles to interconnectivity and disrupt the Internet itself as well as the way that much of the world interacts with it. (5) In addition, in the wake of revelations from Edward Snowden, further fragmenting may be occurring among "Internet freedom" advocates, as is illustrated by calls from Brazil and core Internet institutions for a new international regime to manage the Internet. (6)
Amidst this perceived global division over Internet governance, many national governments are facing internal cybersecurity crises. They are seeking to secure their critical infrastructure, deter criminal behavior, control content, foster economic growth, and protect citizens' interest in privacy. Indeed, some States, notably the cyber powers--including China, Israel, Russia, the United States, and the United Kingdom--are introducing national policies aimed at managing or regulating aspects of the Internet. (7) Protecting critical national infrastructure (CNI) is of particular interest to regulators (8) because of the widespread risk associated with vulnerabilities within it. (9) While the most substantial consequences of such government actions are limited to the prescribed national (or regional, in the case of the European Union) jurisdictions, network effects spill across borders. (10) Moreover, many private sector CNI companies operate across jurisdictions, and some infrastructure--such as the finance sector--is by its nature international, further complicating the international legal environment. (11)
This Article argues that while some Internet governance issues may be too contentious to address directly, efforts to regulate CNI present an opportunity to engage national governments facing similar cyber policy issues. In doing so, it recognizes the challenges inherent in using national regulation to address global issues; divergent State laws can pose some of the same interconnectivity risks as codifying divergent multilateral approaches to Internet governance. However, this Article argues that national laws have an important role to play in advancing cybersecurity standards and identifying common ground wherein States may act as norm entrepreneurs. (12) As such, this Article analyzes proposed and implemented critical infrastructure regulations in China, the European Union, India, the United Kingdom, and the United States, comparing and contrasting these policies in an attempt to begin the process of identifying best practices that could give rise to norms and eventually form part of customary international law. Ultimately, the Article demonstrates that there exists a continuum of governmental interest in and approaches to regulating cyberspace, blurring the "digital divide" and noting the value of focusing on common ground between nations. Only once this is achieved will the international community be able to reach agreement on the future of Internet governance and promote cyber peace. (13)
This Article has three parts. Part I explores the evolution of Internet governance by describing its progression through three eras, grounding current challenges in a history of institutional change and economic as well as political developments. Part II discusses national and regional case studies, focusing on. CNI regulations in China, the European Union, India, the United Kingdom, and the United States. (14) Finally, Part III identifies similar challenges and goals in regulating CNI and considers opportunities for collaboration between States, moving us beyond the new digital divide and toward building a common vision for cyberspace that meets twenty-first century expectations.
FROM DARPA TO WCIT: A BRIEF INTRODUCTION TO THE INTERNET GOVERNANCE DEBATE
Despite vast technological and socioeconomic changes, the current approach to Internet governance is rooted in a network that connected four computers in 1969. (15) The growing financial importance and global presence of the Internet first sparked governance controversies in the late 1990s, but no widely accepted alternative to the prevailing status quo was forthcoming. (16) More recently, security concerns and multipolar politics have heightened governance controversies. (17) Effective dialogue is needed to recognize common interests and to build consensus around a form of governance that can accommodate diverse interests and functions. (18)
This Part of the Article divides the evolution of Internet governance into three phases. Phase One was defined by influential network engineers and the organizations that they developed, such as the Internet Engineering Task Force. Phase Two coincided with the commercial success of the Internet and the rise of the Internet Corporation for Assigned Names and Numbers and other multi-stakeholder organizations, like the Internet Governance Forum. Finally, as the events of WCIT-12 demonstrate, Phase Three has been defined by the extent to which States have begun to assert a role in regulating the internet. The goal of this Part is to contextualize the significance of the growing role of States in Internet governance and the new digital divide, framing Parts II and III.
Phase One: Early Internet Governance (1969-1998)
Phase One of Internet governance has been the longest stage to date. It began in the 1970s, as today's Internet and other networks were being created, and lasted until the mid to late 1990s, when today's Internet emerged as the clear net work winner and its economic potential began to be appreciated. This phase was characterized by network competition and the growth of ad hoc governance structures. But, as will be shown, the somewhat haphazard manner in which these governance structures developed has had relatively little impact on their staying power. Rather, operating on an as-needed basis has helped to ensure these organizations' utility, which has strengthened their continued claim to a governing role even in the face of challenges regarding their representative legitimacy.
The ITU's Early Exclusion: How TCP/IP Won
As the United Nations' specialized agency for global information and communication technologies, the ITU has long had a hand in managing and distributing resources related to radios, satellites, telephones, and more. (19) It also develops and publishes technical standards for these technologies to ensure that they are...