Governing Cyberspace: State Control vs. The Multistakeholder Model

A Note to Readers:

The U.S. and China do not and will not agree on key issues in the international arena.  In the opaque and volatile domain of cyberspace, however, we should keep lines of communication open to constructively disagree and proactively find areas where we have shared interests.  There will never be complete trust between the U.S. and China: the nations’ values and systems of government differ too starkly.  But by searching for areas of mutual interest, we bolster the likelihood of greater strategic stability in cyberspace. 

The divide between nations that support governance models based on cyber sovereignty, primarily China and Russia, and those that believe in the multi-stakeholder model, including most liberal democracies, is one of the most prominent ideological conflicts dividing cyberspace. Enhancing understanding on both sides of these philosophies is an important step toward preventing further fragmentation of cyberspace and necessary for avoiding conflict.  

Identifying areas of mutual interest is a key part of our Track II Dialogue with the China International Institute for Strategic Studies. We would like to thank Rtd. Maj General Hao Yeli for presenting, explaining and discussing her own theory of cyber sovereignty with us over the past year. We appreciate her efforts to bridge differences in opinions with regard to cyberspace governance and are looking forward to further discussions.

As part of our effort to illuminate Chinese perspectives on Internet governance, we are pleased to share an abridged and translated version of Rtd. Major General Hao Yeli’s theory along with an essay outlining our initial response. This is part of an ongoing discussion with our Chinese partners and we look forward to sharing future findings with you.

—Eric Rosenbach, Co-Director Belfer Center

—Julia Voo, Research Director China Cyber Policy initiative

A Three-Perspective Theory of Cyber Sovereignty

by Rtd. Major General Hao Yeli
December 2017

I am indebted to the Chinese and foreign friends and colleagues that I have met with during previous China-US, China-Russia and China-Europe Track II Dialogues. My friends and colleagues have inspired me with their diverse perspectives. There is an old Chinese saying, “the greatest truths are the simplest” (大道至简). I believe that any complicated problems can be clarified if we return to the simple but correct path. It is this sentiment that has driven me to design a theoretical framework and dialectical approach to understanding and resolving the contradictions described below.

—Hao Yeli

(Gen. Hao’s “A Three-Perspective Theory of Cyber Sovereignty” is an edited version of a piece published Dec. 21, 2017 in PRISM, a publication of National Defense University.)

Executive Summary

1. Today cybercrime and cyber terrorism are the most visible symptoms of a pervasive cyber security problem. The question of how to establish a fair and just governance regime in cyberspace and establish international rules is also controversial. 
2. This controversy reflects the competing interests and demands of three distinct actors in cyberspace: the state, the citizen, and the international community. The establishment of order in cyberspace requires consideration of the perspectives of all three actors.
3. The “three-perspectives” theory outlines the three actors as “three points” which can be visualized as a triangle. The boundaries of the triangle are the core interests of the three actors and the triangular common zone are the areas that can be negotiated between the three. 
4. Cyberspace can be characterized into three layers; the infrastructure, the application, and the core. At different levels, cyberspace shall be treated distinctively and shall require different understandings between each actor which differs at each level. As a methodology, three-perspectives could be applied to understand the flexible and non-flexible state sovereignty issues to reach a common understanding.

Three Disputes Over Cyber Sovereignty

Cybersecurity is a global challenge and a tier one security threat for many sovereign states. Heated debate rages among countries concerning the rules of cyberspace, and the systemic and revolutionary challenges to global governance. Cyber sovereignty has inevitably become the focus of great controversy. Although a certain degree of consensus was achieved in 2013, at the 6^th UN General Assembly by the Information Security Group of Governmental Experts (A/68/98), deep divergence and doubts continue to divide the international community, particularly on the following three issues:

1. The contradiction between cyber sovereignty and the spirit of the Internet: the exclusivity of classical state sovereignty is contrary to the spirit of the Internet which rests on the concept of unrestricted interconnectivity. If the emphasis is placed on cyber sovereignty, this may result in each country creating a separate cyberspace of their own, thus resulting in the fragmentation of the Internet.
2. The contradiction between cyber sovereignty and human rights: there is a tension between the Internet principle of freedom of speech, and state intervention in the name of cyber sovereignty which restricts the free flow of information. Such criticisms mostly target China’s firewall.
3. The contradiction between cyber sovereignty and the involvement of multiple stakeholders in governance, which rests on the assumption that sovereign government-led, multilateral cyber governance will challenge the existing pattern of multi-stakeholder governance.

Cyber sovereignty is the critical issue at the heart of establishing the international rules of cyberspace. Only when we clarify and resolve the differences on the issue of cyber sovereignty and reach consensus can we achieve international cooperation. 

The question is how can we resolve this issue? How can we adapt the traditional concept of sovereignty to the globalized world in the cyberspace era? Is there a framework that can be applied to enhance understanding of this issue?

I believe we can find common ground. In-depth analysis of the three major contradictions highlighted above demonstrates the tension between the interests of the nation state, the citizen, and the international community. Focusing only on one’s own interests and ignoring others does not lead to compromise.These are the actors we should focus on when we examine each contradiction:

1. Cyber sovereignty and the spirit of the Internet: state, international community
2. Cyber sovereignty and human rights: state, citizen
3. Cyber sovereignty and multi-stakeholder governance: state, the citizen and the international community

The actors behind the contradiction of cyber sovereignty and the spirit of the Internet are the state and the international community. Behind the contradiction of cyber sovereignty and human rights are the state and the citizen. The contradiction of cyber sovereignty and multi-stakeholder governance involves the state, the citizen, and the international community.

Zero-sum games based on binary opposition usually lead to deadlock or the less than satisfactory outcome where one succeeds, but all sacrifice. To better understand the concept of the three actors and three perspectives in cyberspace envision a dark space with three lamps: lighting a single lamp enables us to see a point; two lamps reveal a flat, two-dimensional surface; three lamps enable us to see the three-dimensional whole. 

With three-perspective thinking, we can have a better understanding of each actors’ interests in cyberspace, where the roles and demands of each actor, as well as their internal relations and impacts, converge to form diverse and contradictory opposites.

Theoretical Framework

The significance of the “three perspective” framework is that we can set three boundary conditions for each of the three actors, which is more inclusive, facilitating dialogue.

Traditional understandings of national sovereignty imply natural exclusivity. It emphasizes the supreme authority internally, and stresses the inviolable independence, of the sovereign state externally. Because of the openness and global nature of cyberspace, however, the voices of two other actors must be heard. When speaking of national sovereignty, it is necessary to expand on the perspectives of the international community and the citizen.

The citizen (or netizen in this case) pursues personal freedom. This year, the total number of netizens has reached 4 billion globally; in China alone, the figure reaches 830 million. To some extent, we can equate netizens to citizens. It is in the nature of netizenship to pursue individual net freedom. However, under a disorderly environment, the fact is that individual self-governance based on self-discipline will not work, and freedom sought will have no guarantor. To preserve the real freedom of every netizen, it is necessary to balance with order so it means cyberspace cannot be outside the law. To establish and form order requires external forces. Therefore, national or governmental entities should administer cyberspace and protect the legitimate rights and interests of netizens. Technology itself does not provide order or security; so, it needs sovereignty to provide appropriate legal protection.

A state must ensure its safety while seeking development, and likewise must manage cyberspace while making use of it. At this point, the relationship between state and citizen is actually not antagonistic, but interdependent. President Xi Jinping said, “Cyberspace is people-centered. We should make the Internet better benefit the people. When people get online it means public opinion is online.”  President Donald Trump is especially well-known with his unique “twitter governance strategy,” so it is no exaggeration to say that the regime is built online now. The freedom and vigor of the Internet also contributes to national prosperity and development.

The Internet represents the mainstream of technological development and the profound innovation of civilization. The international community must seek openness and inclusiveness, because in addition to competition between the major powers and a collision of Eastern and Western cultures there is also a need to share digital benefits between developed and developing countries.

The exclusivity of national sovereignty and the openness of the international community while seemingly in conflict can be reconciled. On the one hand, the state must assume responsibility for emancipating minds, changing concepts, and promoting an objective and balanced understanding of the relationship between security and development. A state integrates into the international system by transferring some portion of its national sovereignty, while international connectivity and interoperability will deliver greater developmental opportunities, promote cultural exchanges, economic cooperation, and collaborative security efforts. Therefore, the relationship between the state and the international community is one of interdependence, which contributes to the unity of opposites.

On the other hand, from the perspective of the international community, Internet technology offers the promise of global interconnectivity. But as long as states exist, we cannot ignore national boundaries and national sovereignty. We ought to avoid the excessive pursuit of unregulated openness, in order to not cross a tipping point beyond which global cultural diversity is subordinated to a single dominant culture. Those states with great cyberspace capacity should take the initiative to bridge the digital gap and actively transfer and share cyberspace resources and management experience, restraining their impulse to use asymmetric means in pursuit of narrower and short-term, national interests. 

We would all benefit from more conjunction points of interest through one global network to help all the countries achieve economic growth, cultural prosperity, and security. This “interconnection and shared governance” is consistent with the spiritual essence of the Internet, as highlighted at the first Wuzhen Internet Conference in 2014. 

In conclusion, the relationship between development and security, freedom and order, openness and inclusivity are all sets of a static and dynamic balance. The competing demands of these three actors are not in absolute conflict, nor are they absolutely contradictory, though through a narrower lens they will show a certain degree of antagonism. Through the exchange of ideas and the evolution of perspectives, we can resolve many disputes.

Cyber Sovereignty

Although traditional sovereignty is naturally exclusive it must accept or at least consider a reasonable transfer of control in the era of globalization. Each state should carefully determine what elements of sovereignty it must retain and what can be transferred, and to what degree. 

The debate on cyber sovereignty is often over whether or not sovereignty in cyberspace should be an extension of traditional sovereignty.

As highlighted in President Obama’s speech, cyberspace is the fifth domain of conflict after land, sea, air, and space. In fact, both the United States and NATO have defined cyberspace as the fifth domain and as such have created cyber combat troops. Although there are different formulations of cyber sovereignty, countries still regulate their own cyberspace to protect against external interference and damage without exception at a practical level. Differences are not over whether or not we practice cyber sovereignty, but over which sectors cyber sovereignty will cover. States have different cyber sovereignty “pain points”, and the international community must respect and understand the different “pain points” of states.

One method is to examine the divisibility of cyber sovereignty using a layered approach, and identify which elements of sovereignty must remain exclusive, and which are transferable.

Diagram of the Three Perspectives Theory (Hao, 2016)

In the figure above, the bottom layer contains physical and technical infrastructures. The key at this layer is the pursuit of standardization to ensure interconnectivity. At this layer states should be willing to collectively transfer authority to the international community in the interest of standardization and interconnectivity. States with well-developed cyber capacity must take the initiative to extend standardization and connectivity to the less capable states; developed countries must share their expertise with developing countries to bridge the digital divide.

The middle layer represents various applications including the many Internet platforms in the real world that have integrated technology, culture, economy, trade, and other aspects of daily life. At this level, the degree of cyber sovereignty should be adapted to local conditions, with the aim to achieve dynamic equilibrium, multilateral, and multi-stakeholder joint administration, as well as balance between freedom and order.

The top which is the core level comprises regime, law, political security, and ideology, which needs evidence and includes the governing foundations (执政根基) and embodies the core interests of the country. Legitimate differences do exist between states as a result of unique national conditions, religious, and cultural backgrounds. Diversity is the norm of human existence and cannot be formatted according to any single culture and should be respected. 

At the middle and bottom layers of the triangle, cyber sovereignty can be transferred to a certain degree, allowing a greater number of stakeholders to participate in governance, leading to a multi-stakeholder governance model.  At the top layer however, cyber sovereignty remains the remit of the government. According to the consensus affirmed by the United Nations Group of Governmental Experts “the right to make public policy on the Internet is part of a country’s sovereign role, and each country naturally has judicial power over the information conveyed by the domestic information infrastructure.” A basic premise for international cooperation is to respect countries’ choice of cyberspace developmental path and management model.

Comprehension of these three layers enables deeper understanding of the differences between multilateral and multi-stakeholder governance models. The two models do not conflict; they have different applicability in different areas and layers of cyberspace. With respect to ideology, policy, law, institutional and governmental security issues, national governments should maintain cyber sovereignty in multilateral governance, while foregoing certain elements of cyber sovereignty and accepting multi-stakeholder governance in other layers.

Resolving the Contradictions

Earlier we noted the apparent contradiction between cyber sovereignty and the unrestricted spirit of the Internet. There is no doubt that we live in one world with one cyberspace. Exerting limited cyber sovereignty is consistent with the spirit of the Internet; indeed cyber sovereignty is the necessary tool to help states participate equally in the global governance of the Internet, contributing not only to interconnectivity, but also shared responsibility.

We also noted the tensions between cyber sovereignty and cyberspace freedom. For example, developing countries who have erected firewalls as a result of facing the deteriorating security situation in cyberspace as a result of “color revolutions”. We would not expect any country facing the everyday threat of terrorist attacks to dissolve its armed forces. Likewise, we oppose any cyberspace power taking advantage of their national capability to traverse the firewalls put in place by other countries. As the cyberspace security situation improves, and with the deepening of mutual trust, maturity of democracy, and the development of technology, China will continue to improve its accuracy in blocking harmful information and will scale down the firewall. As we can see, the top level of the three perspectives theory covers the smallest area, and excessive expansion of or preoccupation with the top level is not conducive to achieving consensus on cyber sovereignty among other parties, which remains our ultimate objective.

With respect to the tension between multilateral and multi-stakeholder governance in cyberspace, advocating cyber sovereignty does not imply rejection of the multi-party or multi-stakeholder governance model. Governments are also among the multiple stakeholders: they should play appropriate roles in multi-party governance, but also respect and encourage other entities to participate in governance, including enterprises, non-governmental organizations, experts, and think tanks. Collectively we should prevent any stakeholder from excluding the participation of governments or denying governments’ appropriate role in key issues. At the core and application levels, the leading role of state governments must be ensured. When dealing with ideological, political, legal, institutional, and security issues the state role must be respected. The government must act fast before it is too late. It is obligatory for the government to assume the responsibility and decide when to let go or to control.

In the cyber era, cyber sovereignty can be characterized into layers. The core layer is inviolable, while the infrastructure and the application layers are characterized by shared transferability. The “color revolution” and public opinion chaos which are now more easily instigated through the Internet threaten a state’s core interests. State versus state abuse of Internet connectivity should be prohibited. The proportion of sovereign transferability to exclusivity is flexible and ever changing in response to the development of international rules.

Conclusion

1. Based on the principles of international law, cyber sovereignty should reflect national rights and responsibilities. A state should not reject or obstruct any other countries’ reasonable demands concerning sovereignty and global co-governance. Respect for cyber sovereignty is a prerequisite for international cooperation in this domain, and the basis for the construction of a beneficial cyberspace order. 
2. To understand cyber sovereignty in the context of globalization we need to break through the limitations of physical space and avoid binary oppositions. Instead, we should upgrade our vision to stand at the position of common destiny, and see the bigger picture, so we can scientifically reconcile the tensions between exclusivity and transferability to reach a unity of opposites. 
3. In the new time of cyber, the law of the jungle should give way to solidarity and shared responsibilities. Intolerance should be replaced by understanding. Unilateral values should yield to respect for differences while recognizing the importance of diversity.
4. Appropriate multi-stakeholder governance should not be opposed but we must not deny government’s proper role and responsibilities regarding major issues. The multilateral and multi-stakeholder models are complementary rather than exclusive. Governments and multi-stakeholders can play different leading roles at the different levels of cyberspace.

Belfer Center’s Response

by Eric Rosenbach and Shu Min Chong
August 2019

Executive Summary

The Three Perspectives Theory is a theoretical justification of the Chinese government’s perspective on the importance of national “cyber-sovereignty.” Overall, it outlines a more nuanced conception of cyber-sovereignty in China’s International Strategy of Cooperation on Cyberspace published in 2017. For example, the Theory acknowledges that netizens and the international community have a role in Internet governance. The Theory attempts to provide high-level clarity on how state power should be limited in cyberspace; however, the argument is weakened by abstract definitions and a lack of concrete examples.

We strongly doubt the proposed “layered approach to cyber-sovereignty”, which calls on states to exercise self-restraint, could prevent excessive state interference. The lack of recognition of the role of the private sector is also a gap in the Theory.

Fundamentally, state-centric multilateral Internet governance seems impractical, given that much of the technical expertise lies with the private sector and the technical community. Most importantly, no model of Internet governance can provide cover for governments to deny an individual’s privacy and human rights.

Reframing Criticisms as Contradictions

The Theory seeks to address three key criticisms levelled against cyber-sovereignty. To do so, it reframes each criticism as “contradictions”, driven by actors who seek to maximize their own interests. The term “contradiction” is understood in the Marxist sense, which essentially means “opposing forces”.

The Theory identifies three key actors in cyberspace: the nation, the netizen and the international community. Upon further clarification, we know that “the netizen” includes individuals, the civil society and private businesses. “International community” refers to international and regional intergovernmental and non-governmental organisations. These three actors each provide one of the three perspectives outlined in the theory.

In General Hao’s view, criticisms of cyber-sovereignty splintering the Internet represents a contradiction between the demands of “the nation” and “international community”. Worries that the cyber-sovereignty argument is being used as a thinly veiled excuse to restrict freedom of speech stems from the contradiction between the interests of “the nation” and “netizen”. Cyber-sovereignty is viewed as a threat to the multi-stakeholder model of Internet governance because the interests of “the nation” is in opposition of “the netizen” and “international community”.

The Theory argues that these contradictions can be easily resolved if one recognises that the “competing demands of each actor are not in absolute conflict”. This is referred to as the “unity of opposites”. Even when interests do conflict, each actor should not only focus on one’s own interests and ignore others. Instead, concessions have to be made to reach an optimal balance so that all three actors can exist peacefully in cyberspace.

It is true that the three actors have common interests. For example, the United Nations’ mission to make the Internet more open and inclusive is largely driven by individual states. Governments of the world have been at the helm of most initiatives to provide more universal access to the Internet. And while the assertion that “national or governmental entities should administer cyberspace and protect the legitimate rights and interests of netizens” remains contentious, it is difficult to deny growing calls on governments to address issues such as fake news and user privacy.

Resolved Contradictions, Unaddressed Criticisms

While the recognition of “unity of opposites” provides a theoretical resolution of the three contradictions, it does not substantively address criticisms of cyber-sovereignty. Cyber-sovereignty is viewed as a threat to the global Internet, freedom of speech and the multi-stakeholder governance model due to the fear of governments overstepping their authority. The very concept of cyber-sovereignty makes it extremely difficult for other actors to balance excessive state interference on the Internet.

We are very concerned that the Theory argues against individual freedom without state protection and unregulated Internet openness but omits the risks of unfettered governmental control. The Three Perspectives theory is fundamentally a national security argument, even while it calls for equal consideration of the interests of all parties.

It is undeniable that there are indeed security threats in cyberspace. However, as Broeders (2015) noted, it will be exceedingly difficult for states to exercise self-restraint if Internet governance is framed predominantly in terms of national security. Any model of Internet governance will need to at least include some limits on state intervention on the Internet.

Defining Sovereignty

General Hao did include a proposal to limit state influence, albeit a theoretical one. She proposed a “layered approach to cyber-sovereignty” which identifies “which elements of sovereignty must remain exclusive and which are transferable”.

It is necessary to first define ‘sovereignty’, which was not explicitly stated in the theory. Sovereignty is a contested concept in political science, although most scholars would agree that it broadly refers to a supreme authority within a territory. With sovereignty, states can claim and are mutually recognized as having exclusive political authority and control within a specified geographical boundary. State territorial boundaries are, by and large, fixed and static. Substantively, this means that the state, which in this context should be understood as a bureaucratic apparatus separate from society, is the only actor that can set and enforce rules within a territory. Sovereignty also implies that interference in the governing prerogatives of other states is illegitimate.

To understand General Hao’s three-layered cyberspace, it might be useful to consider Janice E. Thomson’s analysis of sovereignty¹:

“With sovereignty, states do not simply have ultimate authority over things political; they have the authority to relegate activities, issues, and practices to the economic, social, cultural, and scientific realms of authority or to the states’ own realm-the political. This is not to say that activities defined as apolitical are not intensely political but only that states will not treat them as political.”

“I want to suggest that, with sovereignty, states claim and are recognized as having the authority to define the political, the political being that which is subject to state coercion.”

Sovereignty accords states the power to define what activities will be controlled and how they will be controlled. In the following section, we will illustrate how this weakens the effectiveness of the “layered approach to cyber-sovereignty” proposed by General Hao.

Layered Cyberspace and Reasonable Transfer of Sovereignty

In the Theory, cyberspace is broken down into core, application and infrastructure layers. Ideally, states would only exercise unchallenged state authority on a narrow range of issues in the core layer. If states practice self-restraint in this manner, General Hao argues that there would not be a fragmentation of the Internet. A multi-stakeholder Internet model can therefore also co-exist with a multilateral model.

The core and application layer are both about activities and content on the Internet. Given that the Theory looks at Internet governance through a national security lens, the differentiating factor between ‘core layer’ and ‘application layer’ is the presence of a national security threat. Any activity or content that threatens national security would come under complete state control in the core layer.

These include information that undermines the integrity of state institutions or alternative ideologies that are politically destabilizing. General Hao believes that all social media platforms are necessarily politically destabilizing and should therefore be classified under the core layer. The Theory believes that regulation of the core layer should be free of foreign interference and international governance should be completely multilateral.

The application layer in the Theory is similar yet different from the application layer in the ‘7 Layer Internet Model’. While the 7 Layer Model treats all applications as neutral, General Hao classifies Internet applications and content based on the potential impact on national security. The application layer in the Theory therefore refers to applications and content that are relatively benign. An example would be e-commerce websites. Because these applications are not politically destabilizing, General Hao argues that sovereignty can be partially transferred. However, it is unclear whom sovereignty will be transferred to or what the framework for this would be. Would it be the transfer of regulatory power to a consortium of firms? Or setting up an international organisation to manage Internet content? In any case, the Theory suggests Internet governance at this layer to ideally be a mix of multilateral and multi-stakeholder agreements.

From our conversations with General Hao, we understand that the infrastructure layer essentially represents all seven layers of the ‘7 Layer Internet Model’. This includes all physical infrastructure and protocols that make the Internet run. Sovereignty can be largely transferred to the “international community” and “netizen” on technical issues on the Internet. Presumably, transferring sovereignty at this layer would allow existing multi-stakeholder arrangement to stay intact. However, two key questions are left unanswered in the Theory. Firstly, does the “international community” refer to organisations like ICANN or the International Telecommunications Union (ITU)? If it is the latter, even if states transfer sovereignty to a supranational organisation, multi-stakeholder Internet governance would still be threatened. Secondly, who represents the “netizen”, given that it includes three separate groups (private businesses, individuals and the civil society) with quite distinct interests? We do not think that data privacy is necessarily a shared core interest.

Fluid Layers and a Shaky ‘Balance’ of Power

Referring back to Thomson’s analysis of sovereignty, it is clear that the infrastructure and application layer refer to activities and issues that the state defines as apolitical. The core layer is deemed political and hence subject to state coercion.

So while this three-layered model of cyberspace could theoretically limit state control to a select range of issues, the definitional power on what constitutes ‘core’, ‘application’ and ‘infrastructure’ layer still lies with the state. Unless the international community (including both states and non-state actors) can come to a consensus on the definition of the three layers of cyberspace, the classification of Internet related activities can be dangerously fluid and uncertain. The Three Perspective theory as it is now, still allows a state to exercise control over anything on the Internet, as long as the country’s political leaders deem the activity or content a national security threat.

In our discussions, General Hao argued that all countries sort Internet content into ‘core’ and ‘application’ in the exact same way. In other words, she disagrees with Thomson and believes that the definition of what is political and apolitical is external to the state.

This claim seems implausible for two reasons. Firstly, definitions would necessarily differ from state to state. Something that is classified in the ‘core’ layer in one country can be completely benign for another. For example, the Wikipedia page for the 1989 Tiananmen incident is treated as any other webpage in Germany but is viewed as politically destabilizing in China. In addition, the definition of what constitutes a national security threat might not be the same. A protest can be seen as a security threat in some places and an individual right in others. Secondly, definitions change over time. General Hao raised Facebook as an example of an Internet application poses a national security threat in all countries. While some governments around the world are indeed paying more attention to Facebook (mostly when discussing misinformation, disinformation and individual privacy concerns), there was a time where governments did not view Facebook any differently from other Internet platforms.

Given that the characterization of Internet activity and content is circumstantial, ambiguous and largely determined by the state, we are unsure if General Hao’s “layered approach to cyber sovereignty” will truly be effective. The success of her theoretical proposal will be largely determined by the level of self-restraint exercised by states. However, we observe that majority of the proponents of cyber-sovereignty are often non-democratic states², which already have fewer institutional safeguards against abuse of state power. More elaboration on how “reasonable transfers of sovereignty” can limit state power will be helpful.

Missing Actor: Private Businesses

One suggestion to improve the Theory is to identify private businesses as a separate actor. A large majority of Internet infrastructure is built and operated by private firms³; our online lives are largely decided by Internet giants like Google and Alibaba. It is undeniable that private businesses are powerful actors in Internet governance. Although corporations are nominally subject to the laws of the state in which they are headquartered, contemporary capitalist structures mean that private businesses are able to proactively shape their relationships to states in ways that give them the greatest financial advantage and decision-making flexibility.⁴ Given that private businesses can, and often do, play an important role in balancing state authority, no convincing argument for cyber-sovereignty can be made without explicitly acknowledging the influence of private companies.

In the existing Three-Perspectives framework, private businesses are subsumed under “netizen”, along with individuals and NGOs. We argue that private businesses (and civil society for that matter) are distinctively different from “netizens”. The Theory identifies the pursuit of personal freedom as the core interest of the “netizen”. It is questionable if that is truly what private businesses care about.

Private companies are primarily driven by profits. While an open and free Internet helped many businesses minimize costs and scale their operations, the opposite can also hold true. For example, had China not had the Great Firewall, it is unlikely that Internet companies like Alibaba and Tencent would have been able to enjoy rapid growth free of competition. So while the interests of private firms are sometimes aligned with netizens, they should not be merged with individual Internet users.

The Internet is predominantly owned and run by the private sector. Private companies play a crucial role in all layers of the cyberspace. Given that the Internet is a distributed system, decisions at the infrastructure level such as who connects to whom and where networks are built have been business decisions made by private operators. They are motivated to ensure connectivity because this provides a better service and they profit. At the ‘application’ level, Internet content and services are created and provided by private companies. Even at the ‘core’ level, government networks in many countries are managed and protected by private cybersecurity companies operating on a commercial basis. Governments might also have to rely on the expertise of the private sector to regulate the Internet to minimize national security threats.

The Internet today (and likely in the future) is, to a large extent, the product of business decisions made independently by different companies. It is important to note that states have limited influence over business decisions. It is almost impossible for the state to mandate private companies to do something (especially if it is not profitable) without significant pushback from the firms themselves. The relation between private companies and states is a matter of power and counter-power, where the interests and agendas of corporations will sometimes align and sometimes conflict with national interest.

James Shires, a Belfer Fellow, has described the commercial perspective of private business and the national security perspective of states as two different practical worldviews where no one perspective is more foundational than the other.⁵ In this way, the inclusion of the private businesses as an actor would greatly improve the Three Perspectives theory. The influence of private businesses as a result of their commercial concerns can serve as an effective counterbalance to national security concerns and help guard against states overstepping their authority.

Private Firms and Cyber-sovereignty

This puts private companies in a unique position, especially in relation to the concept of cyber-sovereignty.

While firms have to abide by local regulations, major company-wide business operation decisions are hardly geography specific. For example, Microsoft’s new policy for storing customer communications (from self-declared country of residence to most frequent location) is applied worldwide and is in no way constrained by territorial boundaries.

In addition, it is also unclear which country’s national interests a private company would serve. Companies often occupy a very uneasy middle ground between their customers and various governments. They are expected to deal with their customers ethically and responsibly, but also to comply with the legal requirements and demands of the authorities. In international terms, that may sometimes be seen to mean that Google should work with the Chinese government but not with the US government, depending on the case and the nature of the request. ⁶

We are thus presented with a paradox. On one hand, including private firms in a theory of cyber-sovereignty helps address concerns of excessive state influence. On the other hand, private firms and their global influence on cyberspace challenges the territorial assumption inherent in cyber-sovereignty. Future iterations of the Three Perspectives Theory or any theory of cyber-sovereignty could further explore and address this paradox.

Final Thoughts

Overall, the Three Perspectives Theory outlines a more nuanced conception of cyber-sovereignty than that in China’s International Strategy of Cooperation on Cyberspace published in 2017⁷. Recognizing the need to consider the interests of Internet users and the international community, General Hao proposes a layered cyberspace that carves out opportunities for these actors to influence Internet policy. This reflects her firm belief in leveraging shared interests to find common ground among all actors in cyberspace.

In this response piece, we have identified two key gaps in General Hao’s theory: lack of effective safeguards against excessive state power and the omission of private businesses as a key actor. However, there is one more gap in the Theory that we have not discussed, and that is the protection of individuals’ right to free speech and privacy. General Hao argues that “to preserve the real freedom of every netizen, it is necessary to balance with order so it means the cyberspace cannot be a place outside of the laws.” We believe that while cyberspace should not be a lawless place, security cannot be an excuse for the lack of respect for individual rights. To achieve true “unity of opposites” between individual rights and security concerns in cyberspace, the Theory needs to explain how censorship is reasonable instead of claiming that it is inevitable in the face of security challenges.

General Hao mentioned that her aim is to use the Theory to change the current state of affairs. While the Theory could be furnished with more substantive examples and details, some of the ideas can already be used to spark a discussion for change. For example, the Theory calls for some transfer of sovereignty at the application level. Article 37 in China’s Cybersecurity Law⁸, which requires “critical information infrastructure operators” to store personal information and important business data in China, seems to conflict with this principle.

In addition, there is an internal paradox regarding the territorial assumption of cyber-sovereignty that has yet to be resolved. We are also doubtful if states need to argue for cyber-sovereignty, even in the face of growing security threats in cyberspace. The role of states in Internet governance is undeniable and if states need or want to play a larger role in Internet governance in the future, there is no lack of platforms and opportunities for states to shape policy. States-only multilateral Internet governance seems increasingly impractical, given that governments require the expertise of private firms and the technical community. Even the United Nations’ Group of Governmental Experts on Information Security, a multilateral platform, invites non-government organisations and private sector to attend meetings.

We look forward to receiving General Hao’s thoughts on our response.