International law has generally recognized that, “ sovereignty is perhaps the most fundamental [principle]. From [which] emerges, inter alia, notions of non-intervention; prescriptive, enforcement, and adjudicative jurisdiction; sovereign immunity; due diligence; and territorial integrity.” A sovereign state thus maintains the right “to conduct its affairs without outside interference. Between independent states , respect for territorial sovereignty is an essential foundation of international relations.” Extending this principal of independent sovereign control to the ephemeral territory of cyber space, Russia and China have actively advocated for cyber sovereignty—“the idea that states should be permitted to manage and contain their own Internet without external interference.” Advocates of cyber sovereignty seek to control cyberspace within their perceived territoriality because they too understand “information as a weapon . . . [thereby making] censorship . . . a legitimate matter of national security . . . [and] [d]igital information warfare . . . a legible threat.” However, this is much easier said than done—“[w]hereas sovereignty is an inherently territorial concept, cyberspace connects states in ways that seem to dilute territoriality,” making it difficult to draw boundaries on where one state’s control should end and where another’s begins.
The United States’ stance on sovereignty in international law has been traditionally weak— holding that sovereignty, rather than being a primary rule of international law, is a foundational principal upheld through other codified rules of international law, such as non-intervention or the prohibition on use of force. In a similar vein, it has refrained from applying sovereignty to cyberspace. Rather, as cyber territory has blurred borders, the United States has capitalized on its position as a technological superpower in order to export its political norms and maintain its position as a global hegemony. The United States’ refusal to impose international limits on cyberspace has been motivated in large part by what some have dubbed the proliferation of “‘data colonialism’ by Western companies and governments.” Furthermore, the United States and its global allies have taken a strong ideological stance against cyber sovereignty on the grounds that “[t]hese advances in authoritarian innovation should provoke concerns for democracies for reasons of security, human rights, and overall competitiveness.” However, this characterization of cyber sovereignty, or a lack thereof, makes it incredibly difficult to find a State guilty of violating another’s sovereignty through cyber activity because it requires an internationally wrongful act to occur in violation of a more stringent primary rules. Internationally wrongful acts are even more difficult to prove when respecting sovereignty is not deemed a primary rule in and of itself, as they consist of two elements: “[f]irst, there must be a breach of a State’s legal obligation through either commission or omission. Second, the act in question must be attributable to the State concerned pursuant to the law of State responsibility.” The cyber sphere complicates both the notion of obligation and attribution where the domain of the sovereign is unclear and the anonymization and complexity of cyber attacks allows attribution of actions to be obfuscated.
As the criticality of the cyber sphere to national infrastructure becomes more evident, however, the majority of U.N. Member States have moved away from the United States’ point of view “generally agree[ing] that cyberspace is subject to the principles of sovereignty and jurisdiction as well as prohibitions on intervention in the affairs of other States and the use of force.” China was the first to champion cyber sovereignty in 2010, releasing a White Paper explaining the need to control the information exchanged within its borders as “an issue that concerns national economic prosperity and development, state security and social harmony, state sovereignty and dignity, and the basic interests of the people.” In large part, this was a response to U.S. dominance in cyberspace. As home to many of the largest tech corporations and the leader in developing new information technology, the United States has long been the most dominant power, utilizing “international law to maintain [its] superior position and to prevent other states from engagingin what it perceives to be disruptive activities. . . . The [United States] has consistently [sought] to resist the creation of new legal constraints—such as those proposed by the Chinese and the Russians—that [might] limit American cyber capabilities.” The United States has staunchly opposed the Sino-Russian view of cyber sovereignty, arguing that it is merely, “away to justify practices deemed unacceptable in many democracies, such as tight control of [I]nternet gateways or the censorship of political content online .” The debate over cyber sovereignty thus ultimately evolved to represent “not merely an academic exercise in legal interpretation but also—if not primarily—about trying to reconcile colliding strategic interests and clashing ideological interests and clashing ideological worldview.”
Russia and China have reinforced this dichotomy, maintaining that the debate around cyber sovereignty is the result of “balancing the benefits of globalization and the digital revolution between the developed and developing countries.” Their fear is that without the acceptance of cyber sovereignty as an international legal norm, nations with “the most advanced and original technology,” such as the United States, are likely to, “intervene and control the cyber-territory of any other nation . . . [because they have] establish[ed] a more advanced electronic / cyber / virtual national sovereignty than . . . other, less-advanced nations.” As a result, “[t]he sovereignty debate has been most active in the realm of national security, where United Nations member states have for years debated norms governing cyber espionage and cyber warfare.” Recognition of cyber sovereignty, as proposed by Russia and China, would thus require states to “ refrain from using information and communication networks ‘to interfere in the internal affairs of other States’ . . . [to] ensure that other states cannot exploit a dominant position . . . [and] to undermine States’ right to
independent control of information and communications technology goods and services, or to threaten their political, economic and social security,” and recognize that it may be deemed necessary by any state under its own mandate of sovereignty “to make certain restrictions . . . for the protection of national security or of public order . . . or of public health or morals.”
The Sino-Russian approach to cyber sovereignty provides a flexible solution to states seeking to assert control; “they argue that countries should be exercising [cyber sovereignty] but do not present a specific plan for how to do so . . . allow[ing] countries to pick a repressive toolbox that suits them best—ranging from draconian censorship laws to network shutdowns.” “In places like Russia, China and in many states in the Middle East, [where] an open cyberspace is (rightly) considered a threat to existing governing structures,” such a broad based approach to cyber sovereignty is often characterized as an opportunity for abuse aimed at the political opposition, however, the sole motivation of the movement should not be equated with these repressive tendencies. Although cyber sovereignty does in fact pose concerns of human rights violations with regards to freedom of expression, it also provides nations with the ability to combat the chaos arising within their borders as a result of social media and new information technologies. India provides one of the most notorious examples, where rumors spread through services such as WhatsApp and Facebook led to public lynchings and acts of extreme violence.
To execute cyber sovereignty, China has put in place several laws restricting freedom of speech which are or may be subject to human rights offences and even notoriously blocking tech giants such as Facebook from accessing users in its territory. Where social media companies have sought to successfully enter the Chinese market, they have been forced to comply with the state’s standards of conduct. LinkedIn, for example, was only able to gain tacit approval from the government by demonstrating willingness to “play by Chinese rules on expression . . . [and] relinquishing 7 percent of its local operation to two well-connected Chinese venture capital firms.” In 2015, China’s National Security Law was adopted, “setting an expansive definition of national security that outlaw[ed] threats to China’s government, sovereignty and national unity as well as its economy, society and cyber and space interests.” Soon after, it adopted a controversial counterterrorism law restricting “the right of media to report on details of terror attacks, including a provision that media and social media cannot report on details of terror activities that might lead to imitation nor show scenes that are ‘cruel and inhuman.’” The law went so far as to impose additional proactive obligations “on telecommunications and Internet service operators . . . [requiring that] they . . . proactively monitor their networks for terrorism information and disclose such information to the authorities.” More recently, the Cyber Security Law adopted in 2017 expanded the institutions and legal tools at the government’s disposal “to monitor and control information disseminated online.” In essence, the Chinese government has sought to ensure its domestic sovereignty against foreign actors by restricting access and censoring information wherever it is deemed to pose a threat—“no website or social media account is allowed to provide news service on the internet without the Cyberspace Administration of China’s permission[and] internet users are blocked from foreign search engines, news websites, and social media platforms by the Great Firewall.”
Russia in turn has expanded formal Internet censorship in the past few years, requiring “Russian Internet service providers (ISPs) . . . to store six months of metadata and [imposing] laws forcing international companies to store Russian users data on Russian servers, so the government can have access to it if needed.” Some have gone so far as to say that, “Russia has actively mimicked China in its implementation of cyber sovereignty.” Similar to China, Russia has provided for an oversight body, Roskomnadzor, to actively monitor and block media content that it finds disruptive as well as that regarded as demonstrating“ ‘blatant disrespect’ for the state, the authorities, the public, the Russian flag or the constitution.” In 2019, Russia further formalized its desire for censorship by putting in place a “fake news” and “Internet insults” law that would “allow it to target individuals and websites for such nondescript crimes as spreading ‘fake news’ and ‘disrespecting’ state symbols or figures.” Later that year, the Kremlin put in place a Sovereign Internet law as well, “tightening state control over the global network . . . [and] aim[ing] to route Russian web traffic and data through points controlled by state authorities and to build a national Domain Name System to allow the Internet to continue working even if Russia [were to be] cut off from foreign infrastructure.” Most recently, the overbearing nature of Russia’s expanding cyber controls has been felt in Moscow as a result of the Coronavirus pandemic. In response to threats of an exponential epidemic, the Kremlin imposed a digital tracking system that requires all residents of Moscow, fourteen years and older, to “register on a government website, download an app on their smartphones . . . declare a route and a purpose [if they want to go anywhere] and then [wait for] a QR code, which authorities can track . . . the app has access to the user’s mobile information . . . includ[ing] calls, location, storage, camera, and network details.”
Developing nations, particularly those with authoritarian regimes, have largely followed in Russia and China’s footsteps, imposing their own cyber governance measures in an attempt to regain control from foreign private actors in this domain. Even smaller countries such as Kazakhstan have passed legislation as a part of their National Security laws that allow “the government to shut down internet access and mobile connection during mass riots or anti-terrorist operations held in the country.” Additionally, this legislation “force[s] Internet service providers and mobile operators to block their services when an official order is issued.” India, which leads the world in the number of Internet shutdowns, has done so in large part because disinformation and fake news has led to public hysteria resulting in violence or riots in the country. As a result, the government has “temporarily shut down mobile networks or blocked social media apps during riots and protests, claiming that the measures were necessary to halt the flow of disinformation and incitement to violence.” Sri Lanka similarly followed India’s lead in March 2018 when “online rumors that Muslims were trying to sterilize Sinhalese Buddhists, led a group of Buddhist men to beat a Muslim man and set fire to his shop.Extremists used Facebook to implore followers to ‘rape without leaving an iota behind’ and ‘kill all Muslims’ . . . .” The Sri Lankan “authorities reacted by blocking four social media platforms that they said were amplifying hate speech.” In Vietnam, the government’s new cybercrime legislation requires big tech “to store at least 36 months of local users’ data in the country [and] bans the use of social networks to organize anti-state activities, spread false information or create difficulties for authorities.” In Egypt, the government has sought to repress fake news by not only passing legislation that allows the shutdown of website “deemed to constitute a threat to national security or the economy,” but will also consider, “social media accounts and blogs with over 5,000 followers . . . [as] media companies [that are] subject to stricter censorship requirements,” and punish individuals found in violation of the law with jail time and monetary fines. Where the government does not itself possess the ability to impose censorship, it may enlist the help of tech giants by enacting domestic laws that require them to remove certain content as a matter of compliance. For example, Facebook released a transparency report that denotes the number of items it censors in a given country where required by law, notably restricting access to “items in the UAE, all reported by the Telecommunications Regulatory Authority, a federal UAE government entity responsible for information technology.” The restricted content was “reported for hate speech and was attacking members of the royal family, which is against local laws.” However, many countries feel either that these companies do not go far enough in censoring and policing for false information, or take issue with the outsourcing of regulation of speech to a foreign private actor. Thus, increasingly, countries such as Singapore are considering “legislation to ensure technology companies rein in online fake news and [hold] those responsible” criminally liable.
The need for cyber sovereignty as a means of national security and independence has even gained popularity in the West; “remarkably, technological sovereignty is also of great appeal to countries that fashion themselves as cosmopolitan and internationalist alternatives to Trump’s nationalist project [such as] France and Germany.” Faced with growing internal and external threats online, “Western democracies are, like their authoritarian peers, seeking more control . . . merely converging with China and Russia on common fears. This leads to a shared affinity for something like . . . [a] ‘paternalistic [I]nternet’ . . . [a]nd of course, paternalism appeals to everybody.” The sudden rise of populist parties and hate speech in Europe led, “the French defence minister [to announce that] she want[ed] to ‘lower [France’s] exposure to [U.S.] components’ . . .[and] and Member Of Parliament (MP) from President Macron’s centrist party [asked] the government if it would establish a commission on digital sovereignty.” In Germany, content regulations went into effect with the NetzDG Regulation, passed in 2017, requiring ISPs to implement notice-and-action complaint procedures such that “obviously illegal” content would be deleted within twenty-four hours of notification. Europe, as a whole, is now considering the passage of an EU-wide Digital Services Act that would force ISP providers to take on a more active role as intermediaries and assume some degree of liability and editorial responsibility to help minimize the spread of fake news. In India, where the Constitution guarantees its citizens freedom of speech, the government has struggled to strike a balance of preserving such rights and enacting regulations that
can preserve both the integrity of their elections and public order. At its core, “sovereignty conveys rights on two distinct planes or spheres . . . first in [the State’s] capacity as the entity entitled to exercise control over its territory and second in its capacity to act on the international plane, representing that territory and its people.” Although the Russian-Chinese push for cyber sovereignty likely originated in the states’ desire to convey its rights with regards to the former capacity, as the threat to the latter has become clear through misinformation campaigns and cyber espionage, their coalition to advance such goals on an international stage has grown tremendously. As cyber speech and activities continue to echo even more loudly in real world actions, we are likely to see this call for state regulation to grow. While private actors, such as social media companies, have begun to regulate speech and monitor for misinformation to address the current gap, such entities are neither proper nor prepared to take on such a momentous task. Those that previously advocated against cyber sovereignty did so on the basis of promoting “globalization and open trade. Today, however, there are no governments that can convincingly preach further liberalization of trade in data, software or hardware. All governments, thus, are forced to choose between two options: reasserting technological sovereignty—or doing nothing.” As it has become abundantly clear that, for the sake of public order, action will be taken by those states that feel their national security is threatened, states that choose to do nothing risk abdicating their cyber sovereignty. Those that fail to govern themselves, will thus likely fall prey to foreign powers or private actors that step in to dictate the rules of the cyber space in their absence.
In an increasingly technologically driven world, the war of global political influence has moved from the real world to online. Rather than having to invade a foreign nation in order to drastically alter its social or political landscape, such goals are now capable of being accomplished subtly through disinformation campaigns, cyber interference, and strategic investments. Over the course of the last decade, the proliferation of cyber legislation around the world has sought to enhance technological sovereignty and control, both by way of regulation and infrastructural capacity, in order to insulate States from the potential harms caused by both the internal and external threats. Although the United States still houses some of the world’s most influential tech giants, its brand of democracy has been threatened by the innovations that they have introduced to the world. Just as Freedom House documented a decline inglobal freedom online, Pew Research Polls found that across the majority of the twenty-seven countries they surveyed, dissatisfaction with democracy and democratic institutions was on the rise. Furthermore, the unavoidable realization that online speech unrestrained can easily result in real world harms has only furthered the cause of authoritarian regimes likeChina and Russia in leading “a cohort of countries [to move] toward digital authoritarianism by embracing . . . extensive censorship and automated surveillance systems.” While human rights groups have raised concerns that “efforts to control speech and information are accelerating, by both governments and private actors in the form of censorship, restrictions on access, and violent acts directed against those whose views or queries are seen as somehow dangerous or wrong,” few, if any, better alternatives have been proposed by democratic governments. The decline of freedom online has been acknowledged as a threat, yet the solutions proposed by democratic governments have thus far been relatively vague and ineffectual, such as that proposed by Sweden—“the solutions can only be found in discussions between all stakeholders— states, civil society and companies, as well as everyone who is dependent on the internet in their everyday lives and their work.” While such proposals may sound ideal, they are just that—idealistic, rather than pragmatic or capable of implementation. The emphasis in democracy on extensive deliberation and public input requires time and consideration, a luxury that the quick and dirty nature of the cyber sphere does not afford. Rather threats on the Internet require decisive action, speed, and flexibility in decision making—all attributes not characteristic of democratic society.
Without the expansive governmental powers of their authoritarian counterparts, democratic nations like the United States will not be able to maintain their position of global dominance much longer. Their attempts to compete thus far have threatened to erode the very foundations of their governing institutions—freedom of speech, a capitalist economy, and balance of powers. As democracy seeks to evolve in time with the digital revolution, it is beginning to turn on itself—“the irony is that more democracy—ushered in by social media and the Internet, where information flows more freely than ever before—is what has unmoored [democratic ] politics, and is leading us towards authoritarianism.” While some have described the erosion of trust in democratic institutions as a function of the rise of populism against elite institutions, others have deemed it a function of online manipulation and misconduct. Either way, the trend against democratic governance in the digital age is clear. Whether in response to domestic shortcomings or an inability to defend against foreign foes, democratic governments must either undergo serious change or bow out of the race for global hegemony, because without a strong cyber governance structure they will soon become obsolete in the digital age.