Presentations Session 1 – Cybersecurity Public Policies: Case studies from Italy, Estonia and South Africa
Digital (siege) State. The Digitization of Italian Public Administration and Cybersecurity
Giuseppe Borriello and Gaia Fristachi, University of Naples Federico II, Italy
As digital tools are increasingly adopted in the public sector, there is significant potential for policy improvement. Nonetheless, the digitization of public administration is not characterized solely by its advantages; it forces us to consider a whole range of security concerns. Specifically, cyberspace has never been a strategic priority as it is today, as witnessed by the pandemic crisis and the rise of recent international conflicts. Yet even today, there is no issue as poorly understood as cybersecurity. Most studies on this topic focus on purely technical issues or on the condition of the private sector, neglecting that in times of pandemic the government was the prime target of cyber-attacks. Given this, by using secondary quantitative data (2018-2022) and by adopting a diachronic-deductive approach, the present study provides insight into the extent and types of cyber-attacks against the Italian public administration. The results show that the digital infrastructure of the Italian public administration in 2022 is characterized by inherent technical fragilities, although slightly improved compared to 2018. The findings indicate differences between central and local administration in both vulnerability assessment and digital literacy, which point to an overall two-speed digital upgrade. Thus, this contribution provides an overview of the digital security challenges facing the Italian administration, underlining the need for practical measures based on clear policy responses. Therefore, on the one hand, this paper is concerned with the urgent pace of digital transformation of Italy’s public sector; on the other, it highlights the scope of defence and security challenges in cyberspace, making it necessary to take appropriate precautions to ensure the proper functioning of the State’s digital infrastructure.
Absorption Capacity and Policy Learning to Foster Cybersecurity Sustainability in the Public Sector
Giancarlo Vecchi and Jonathan Kamkhaji, Politecnico di Milano, Italy
The contribution considers cybersecurity in public organizations as a public policy, i.e. as a series of intentional attempts pursued by policy makers (at different levels and with different roles) to introduce, change or fine-tune cybersecurity processes within the structures and processes of a given public organization. Moreover, the idea is that cybersecurity policies can be considered in this period as innovation interventions that are designed, decided, and implemented while dealing with two types of challenges, deriving from the technological and the organizational sides. Following this focus, we will analyze the debate on technological innovations and how the public sector can fruitfully rely on them and adapt them for its purposes, in order to define the main variables that play a role in fostering the adoption and sustainability of cybersecurity policies; the literature offers many different research lines that underline four main challenges, i.e. expertise, learning, cooperation, and viability. The introduction of cybersecurity programs, their continuous adaptation to external pressures and crises (war, pandemic, technological changes, etc.), and changes to them require the development of absorption capacities, to translate the information provided by connections with the external environment into manageable practices; in addition, public organizations need to trigger learning processes to anticipate and/or react to emerging risks and/or policy failures.
Two other challenges focus on the intersection between intra- and inter-organizational policy making. From one point of view, we hypothesize that cybersecurity, as a technological and organizational change, is a contentious intervention, with winners and losers, and that the management of the process requires a choice among different strategies, for example hierarchy, coalition-building, network/platform arrangements, or an ad hoc task force. Moreover, cybersecurity programs should maintain a viability direction, in terms of the capacity to produce a general-interest orientation and results over time, avoiding short-term targets, opportunistic behaviors, and capture by interest groups.
This contribution will be mainly a literature review paper, with the aim to analyze the cybersecurity policy characteristics using the proposed framework.
The Evolution of Cybersecurity Policy in Italy: How Does Post-Crisis Learning Work?
Simone Busetti and Francesco Maria Scanni, University of Teramo, Italy
The extraordinary expansion of digitalisation has increased the vulnerability of public and private actors to cyber threats. Fraud, identity theft, terrorist attacks and cyber extortion are no longer sporadic phenomena but affect the daily lives of citizens and public institutions.
The multiplication of cybersecurity problems and the increasing reliance on data and information systems by governments, public administrations, businesses and individuals raises several questions about the appropriate administrative, organisational and policy tools to deal with such events.
The COVID-19 pandemic and the Russian-Ukrainian war have further accelerated this dynamic and increased the importance of the public policy of cybersecurity.
However, research on which instruments are most effective and under which political and institutional conditions they can work is still at an early stage. While the rise of cyber risks threatens our institutions, an evaluation of policy responses—their design, formulation and implementation—is critical to assess and improve effectiveness.
This article presents a desk review of the evolution and policy instruments of the Italian cybersecurity policy. In addition, it offers a first analysis of the incident-response strategy of public administrations within the National Cybersecurity Perimeter.
The selected case studies aim to investigate how incidents and cybersecurity crises trigger learning processes in the selected administrations and how such learning feeds into policy change.
Government Decision-Making in the Aftermath of Cybersecurity Crises Affecting e-Governance: Lessons from Estonia
Logan Carmichael, University of Tartu, Estonia
As governments across the world increasingly digitise their service provisions, considerations surrounding their cybersecurity should – and often do – follow. While, first and foremost, governments should set up security mechanisms in a manner that prevents the disruption or manipulation of their e-governance structures, how can governments best respond in the event of a cybersecurity crisis – a cyberattack or another type of cyber incident – in order to bolster cybersecurity in the future?
This paper examines responses to such events in Estonia, where e-governance practices including electronic identification (eID) and nationwide internet voting (i-voting) have been in place since the early 2000s, some of the earliest and most pervasive such examples globally. Although touted as a global leader in this space, Estonia has not been without cybersecurity crises, even those impacting its e-governance model. The focus of this paper is four key crisis points spanning across much of Estonia’s digital governance history: 2007 DDoS attacks impacting the websites of government, news media, and banks; the 2017 ‘eID’ crisis where a vulnerability in the eID cards was discovered; the COVID-19 pandemic; and the 2022 Russian full-scale invasion of Ukraine. Though the latter two events are not uniquely cybersecurity crises, they did come with new cybersecurity realities, and along with the former two events, meet the criteria set forth in crisis management literature to constitute a crisis.
Thus, this paper addresses the following research question: what are the key components of government decision-making in the aftermath of cybersecurity events that effectively address the future cybersecurity of their e-governance? This paper employs a constructivist and historical institutionalist theoretical approach, as a useful means to view governance and decision-making in the wake of cybersecurity incidents affecting the Estonian digital governance structure. Together, these approaches frame these topics in an Estonian context through a lens of ideation and experience, as well as institutional path dependencies over time and cybersecurity crises as critical junctures to study. Furthermore, this paper uses a qualitative research design, comprised of semi-structured expert interviews with individuals in decision-making positions at the time of these key junctures; interviews are triangulated with official government messaging, news media reportage, and political and public discourse.
Preliminary findings of this research indicate three key governmental approaches in the immediate aftermath of cybersecurity crises, which have evolved over time and contributed to an overall improvement in cybersecurity of e-governance: 1) what officials have called ‘radical transparency’ in their messaging to the public around the crisis; 2) an ‘all hands on deck’ approach to finding both immediate- and longer-term solutions to current pressing cybersecurity issues; and 3) expediting policy and resource mandates that may have been backlogged prior to the cybersecurity crisis.
Ultimately, this paper offers insight into how a government can undertake policy-driven change following cybersecurity crises, to ensure sufficient cybersecurity of their e-governance model, not only in the Estonian context, but elsewhere, should a state find itself in a crisis scenario, an ever-more likely occurrence, with cyber incidents increasing in both frequency and severity.
For Your Own Good: Securitisation and Digital Exclusion of People with Disabilities in South Africa
Lorenzo Dalvit, Rhodes University, South Africa
South Africa boasts one of the highest rates of Internet penetration in the world. The pursuit of universal broadband access is part of official government policy and considerable effort is put into supporting a Fourth Industrial Revolution in the country. At the same time, profound inequalities inherited from colonialism and apartheid are reproduced in the digital domain. As more and more services migrate online, large portions of marginalised sectors of the population are forced to adapt or fall behind. Alongside race, gender, socio-economic status, geographical area etc., (dis)ability presents a particularly interesting dimension to explore new forms of digital exclusion. Particularly in the Global South, digital inequalities are often understood in terms of deficit (e.g. of access, skills or ability to benefit). At the theoretical level, a growing body of scholarly literature explores how technological developments create new inequalities or exacerbate existing ones. A decolonial approach is proposed in order to contribute with a southern epistemological perspective. Current scholarship on (dis)ability emphasises its character as a socio-cultural construct and focuses on promoting awareness and removing barriers. In this paper, I focus on how cybersecurity features (e.g. time limits, OTPs, challenges etc.) represent (at times insurmountable) obstacles for people with disabilities. Following an intersectional approach, I explore how such challenges may be compounded by race, gender, language etc. The methodology consists of a cyber (auto)ethnography. When relevant, documents such as Government policies, user agreements, news articles etc. are analysed for context and background information. Expected findings include a taxonomy of disability-related issues complemented by anecdotal evidence. The goal is to contribute to challenging current dominant narratives of increased cybersecurity as not only desirable and indeed necessary, but also unconditionally positive.
Presentations Session 2 – Information Disorders as a Cybersecurity Issue
Theorizing Digital vs. Cyber Sovereignty Through the Lens of Disinformation Circulation Online
Asta Zelenkauskaite, Drexel University, USA
The focal point of this conceptual work is to contextualize disinformation as what scholars like DeNardis (2020) call a form of cyber-physical disruption. The first argument presented follows the premise that internet governance is the new battle space for political and economic power (DeNardis, 2016). While it has been used for public diplomacy, there are divergent visions between USA policy makers (see DeNardis, 2020) and Russia (e.g., the path to Runet) (see Zelenkauskaite, 2022), as well as the digital sovereignty visions (see Kokas, 2022) and information flooding (Roberts, 2018) in China.
The second argument aims at contextualizing national threats online from a relativist perspective, drawing from cybersecurity, where threats of foreign disinformation or critical infrastructure security are treated differently by countries’ national strategies and are not necessarily universal, thus creating some tensions and a lack of coherent agendas among the western democratic partners. Similarly, democratic and non-democratic countries have created divergent framings and visions of how internet space is viewed. DeNardis describes how the US started the idea of Internet Freedom, presented by Secretary of State Hillary Clinton. Internet freedom has become part of U.S. foreign policy (DeNardis, 2020). Yet the discussion was mostly viewed from the content perspective. In my work on disinformation and Russian trolling, I outlined three phases of the changes in the policy landscape and their trickle-down effects on content production from Russia’s governance perspective (Zelenkauskaite, 2022). In this case, Russia’s vision of online space contrasts radically with that of the U.S.: the territorialism and infrastructure of online spaces were treated as spaces of cybersecurity, the same as physical spaces would be.
Thus, following the notion that (cyber)threat is contextual (e.g., Henrie, 2013), one needs to decontextualize it by focusing on identifying what scholars like Vishwanath (2022) called “the weakest link.” In the context of the (inter)national strategy, two oppositional views are discussed: the critical infrastructure breach vs. the disinformation breach. Finally, the implications of online disinformation as a topic of debate are presented in the context of the western notion of digital sovereignty vs. the authoritarian vision of cyber sovereignty (e.g., Griffiths, 2021).
References
DeNardis, L. (2014). The global war for internet governance. Yale University Press.
DeNardis, L. (2020). The Internet in everything. Yale University Press.
Griffiths, J. (2021). The great firewall of China: How to build and control an alternative version of the internet. Bloomsbury Publishing.
Henrie, M. (2013). Cyber security risk management in the SCADA critical infrastructure environment. Engineering Management Journal, 25(2), 38-45.
Kokas, A. (2022). Trafficking Data: How China Is Winning the Battle for Digital Sovereignty. Oxford University Press.
Roberts, M. E. (2018). Censored: Distraction and Diversion Inside China’s Great Firewall. Princeton University Press.
Vishwanath, A. (2022). The Weakest Link: How to Diagnose, Detect, and Defend Users from Phishing. MIT Press.
Zelenkauskaite, A. (2022). Creating Chaos Online: Disinformation and subverted postpublics. University of Michigan Press.
EU Cybersecurity Policy as a Basis for Regulating Illegal Online Harm
Alison Harcourt, University of Exeter, United Kingdom
This paper examines how the EU’s policies on illegal online harm are rooted in cybersecurity policy. Following the adoption of the 1992 Maastricht Treaty and its creation of the Justice and Home Affairs (JHA) pillar II (renamed Police and Judicial Co-operation in Criminal Matters (PJCC) under the 1997 Amsterdam Treaty), the EU initiated several measures to fight crime. Pillar II provided the Council with an opportunity to address crime based upon intergovernmental cooperation. A 1998 Action Plan was drawn up to implement provisions of the Treaty of Amsterdam in the area of freedom, security, and justice. The Council proposed a Framework Decision in 2001 to combat illegal hate speech online, which eventually culminated in the 2008 Framework Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law. DG Home began work on the Framework Decision with the establishment of the Centre of Excellence at the Radicalisation Awareness Network in 2011. In 2015, the European Agenda on Security was launched. The European Commission simultaneously established the EU Internet Forum based upon the findings of its first high-level conference on the criminal justice response to radicalisation. The Forum set up regular meetings between home and justice ministers, high-level representatives of large internet corporations, Europol, European Parliament representatives and the EU Counter-Terrorism Co-ordinator. Also in 2015, the East StratCom Task Force was set up by the European External Action Service, which worked on countering disinformation originating from foreign sources. An EUvsDisinfo website was founded to raise awareness about disinformation, with a focus on Russian misinformation. Within two years of its establishment, the East StratCom Task Force had identified 4000 individual disinformation cases from Russia which were aimed at Europe. Two further task forces were subsequently established, the Task Force for the Western Balkans and the Task Force South for the Arab-speaking world.
Following the March 2016 suicide bombing attacks in Brussels, a Joint Statement was issued by the High-Level Group and an extraordinary JHA Council stating that ‘the Commission will intensify work with IT companies, notably in the EU Internet Forum, to counter terrorist propaganda and to develop by June 2016 a code of conduct against hate speech online’.
The first Code of Conduct on Countering Illegal Hate Speech Online was agreed in May 2016 between IT companies and the European Commission. Signatories to the 2016 Code included Facebook, Microsoft, Twitter, and YouTube. The 2016 Code was based not on police and judicial cooperation policy (pillar II) but on Article 16 of the 2000 Directive on electronic commerce, placing it firmly in the realm of the internal market and under the jurisdiction of the European Commission. Since then, the Commission has agreed the 2018 and 2022 Codes of Practice on disinformation and the 2022 Digital Services Act.
The paper tracks the progression of these initiatives in the context of cybersecurity policy as a legal basis.
What Drives State-led Internet Shutdowns? Utilizing a Machine Learning Approach for Prediction and Factor Exploration
Fabiola Schwarz, Technical University of Munich, Germany
With the often-cited rise of digital authoritarianism, more and more regimes make use of their domestic cyber-toolbox to repress citizens around the globe. The popularity of digital repression, such as surveillance through spyware as well as censorship through blocking websites, throttling bandwidth, and deep packet inspection, has skyrocketed. The most extreme form of censorship is the so-called Internet shutdown or kill-switch, observed in conjunction with human rights violations. During the last decade, the number of such Internet shutdowns and of countries deploying them has been steadily growing, especially on the African continent. Their far-reaching impact on civil society requires better understanding of and preparation for these domestic cybersecurity abuses. Although Internet shutdowns are a common phenomenon often observed to accompany intra-state conflicts, elections, and mass uprisings, we know comparatively little about the factors associated with the deployment of Internet shutdowns, let alone how to foresee this form of digital repression. Therefore, this paper asks two questions: How can the deployment of Internet shutdowns be predicted? And which factors are most important in doing so?
This is the first paper to forecast Internet shutdowns. To do so, I synthesize existing research into a conceptual framework to select predictors and apply a machine learning approach to predict the onset of Internet shutdowns in Africa.
Using a non-parametric approach, I train a random forest algorithm to evaluate prediction capacity and derive the most important factors for Internet shutdown forecasts. My theoretical framework comprises two levels, a structural and a dynamic model, derived from a thorough review of research in the field. Accordingly, I construct a country-week level dataset with over XX predictors, ranging from dynamic variables such as protest, elections, and violent conflict to structural factors like economic, political, and demographic aspects of a country. Data on Internet shutdowns comes from the #KeepItOn coalition, published by Access Now. First results show that purely event-based and purely structural models perform less well in predicting Internet shutdown onset than a joint model. It is a specific combination of event-based and structural variables that explains most of the model’s variance. Among those are Internet censorship practices, violent protests, elections, academic surveillance, and population size. In a future analysis, I expect the economic variable on Internet service provider ownership to play a key role in predicting Internet shutdowns. Such a finding would put Internet infrastructure and its ownership structures at the center of debates on how to ensure an open and resilient Internet and how to protect access to information as a fundamental right.
Thanks to the non-parametric, machine learning approach, the results can portray the complexity of domestic cybersecurity practices like Internet shutdowns. My findings also outline avenues for future research on causal links between single factors and the deployment of Internet shutdowns. This study thus contributes to further theory-building in the wide research area of cybersecurity and, more specifically, in the field of Internet shutdowns and censorship practices.
Presentations Session 3 – Cultures, Regimes and Norms of Cybersecurity
Global Cybersecurity Cultures
Francesco Amoretti, University of Salerno, Italy
On January 31st, 2003, the UN General Assembly adopted Resolution 57/239, noting that all operators and owners of internet technologies should be aware of relevant cybersecurity risks, with respect to their roles. The resolution was titled “Creation of a global culture of cybersecurity”, and called upon Member States and relevant international organizations to develop within their societies a culture of cybersecurity. Just a year earlier, the OECD Council, at its 1037th Session on 25 July 2002, adopted The Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, updating the Recommendation adopted in November 1992. This message has been echoed and repeated by several organizations. The report of the 2015 IGF Main Session on Cybersecurity underlined that “a culture of cybersecurity is needed on different levels”, from individual action to education. Cybersecurity cultures have been the subject of recent investigation, which is mostly focused on the organizational level. Studies on wider cultural differences or convergences at the global level are rarer.
Inspired by the work of Mary Kaldor’s Global Security Cultures (2018), and based on an extensive literature and policy review, the paper aims to identify the main patterns of cybersecurity culture that have emerged over the last 30 years at a global level. Echoing Kaldor’s definition, I define cybersecurity culture as “a specific pattern of behavior, or constellation of socially significant behaviors, or constellation of socially meaningful practices, that expresses or is the expression of norms and standards embodied in a particular interpretation of [cyber]security and that is deeply imbricated in a specific form of political authority or set of power relations”. A cybersecurity culture, in other words, comprises different and interconnected combinations of ideas, rules, people, tools, tactics and infrastructure, linked to different types of political authority and power relationships.
The paper is structured as follows. After a presentation of the rationale and a discussion of the theoretical perspective adopted, it will elaborate a typology of cybersecurity cultures made of four ideal-types: Multistakeholder, Geopolitics, Military, and Corporate. The models will be compared with each other in terms of operational and political logics, and their respective features will be analysed. The discussion will show how different cybersecurity cultures can coexist over time, although some may prevail in certain historical phases or in specific contexts.
European Cybersecurity Regulation – Standardization Without Control?
Federica Casarosa, Scuola Superiore Sant’Anna, Italy, and Jaroslaw Greser, Warsaw Institute of Technology, Poland
The EU has increased its attention to cybersecurity issues in recent years through several legislative acts. Not only did the recent adoption of Directive 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) update the legal framework applicable to cybersecurity breaches in light of the technological developments that have occurred since the previous NIS Directive in 2016; a recent set of legislative proposals has also tackled, first tentatively, in the Proposal for a Regulation on Artificial Intelligence (AI Act), and then with more attention, in the Proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), the safeguards that businesses should adopt for digital tools connected through internet infrastructure. However, in all these legal acts the definition of the standards for cybersecurity is mostly left to the businesses themselves. Apart from the cases where the international standardization bodies have already defined specific standards or the Commission has adopted common specifications, both the AI Act and the Cyber Resilience Act leave manufacturers the possibility of identifying the specific operational criteria that may be applied in order to comply with the general requirements provided, respectively, by Chapter 2 of the AI Act and Annex 1 of the Cyber Resilience Act.
From the perspective of the knowledge, expertise and timely definition of such standards, this option seems the most suitable one. It is obvious that the manufacturers producing Internet of Things devices will be the ones with better knowledge of the potential vulnerabilities of the hardware and software elements used in the production of the IoT device. However, given that the effects of cyber-attacks may propagate across the borders of the internal market within a matter of minutes, is such self-regulation not only sufficient but also effective in tackling the risks of cyber-attacks?
The issue is also linked to the approach adopted in the legislative acts as regards the type of conformity assessment required for compliance with the self-defined criteria. Both acts include the possibility that businesses and manufacturers are not only able to identify the criteria, but will also be able to show conformity through an internal control procedure, without any involvement of third-party control (e.g. certifiers or notified bodies).
The paper will describe the current regulatory framework, showing the approach adopted by the European Commission in the proposed legislative acts, and will try to identify alternative forms of standards definition and of compliance control, taking as an example the certification process defined in Regulation 2019/881 on ENISA and on information and communications technology cybersecurity certification (Cybersecurity Act).
Beyond Cyberspace Fragmentation: Conceptualizing Norms Dynamics as Practices of Territorialization
Giacomo Bruni, Peace Research Institute Oslo, Norway
The regulation of emerging technologies represents an area of international governance in which the normative dispute between great powers seems to reflect the increasing divergence between competing worldviews. The importance of norms as standards for state behaviour is widely recognized by academics and policymakers alike. In the last four decades, the IR literature flourished with numerous possible explanations for the emergence, evolution, and adoption of international norms, or, in other words, norm dynamics. Studies focusing on cyberspace often describe the domain as characterized by a contested system of governance due to the co-existence of different normative camps. This view sparked the idea of the so-called “islands of normativity”, envisioning the creation of separate technological ecosystems divided along political lines. Particularly, the IR literature focuses on the normative friction between the prevalent multistakeholder approach supported by the United States and the contrasting multilateral approach promoted by authoritarian states such as China and Russia.
These arguments are not without merit. States, particularly the US and China, are indeed engaging in severe normative competition in the digital domain. However, these analyses continue to rely on state-centric assumptions and do not account for the specific features of cyberspace.
Therefore, they fall short for four main reasons. Firstly, cybersecurity is not a monolithic issue: international norms governing cyberspace arise in multiple contexts and through different channels involving varied actors and technologies. Secondly, cyberspace is not a desolate land of normativity. Rather, it is a densely populated domain of operation in which different actors promote norms that often contrast and overlap.
Thirdly, cyberspace is dynamic over time and space. Assuming that agents statically promote either a multistakeholder or a multilateral model of governance does not account for the fact that actors’ normative stands are dynamic. Fourthly, technological progress significantly determines the dynamicity of actors’ stands over space and time. Therefore, the relationship between norms dynamics and technological advancements ought to be conceptualized as one of reciprocity.
The article suggests integrating the IR literature on norm dynamics with recent studies from critical geography, offering an alternative conceptualization of cyberspace that accounts for its distinctive features. Geography studies suggest that cyberspace should be conceptualized as composed of overlapping, non-exclusive, and intersecting territories in which social space and social action are inseparable. While these contributions shed light on the interplay between territory, technology, and social action, they dismiss the role of norms in the global governance structure, missing the crucial point that norms are themselves socially constructed through practice. The article argues that these research traditions are complementary and should be integrated. Adopting a territorial ontology, the article conceptualizes norm dynamics in cyberspace as practices of territorialization emerging from dynamics of power and competing interests between different agents over the normativity of non-exclusive and overlapping territories, constituted and renegotiated over time and space by the emergence of new technologies.
The Ambiguity of Digital Sovereignty Between Territory, Cyberspace, Digital Constitutionalism and Digital Authoritarianism
Nicola Palladino, Trinity College Dublin, Ireland
Digital sovereignty has become a popular concept in international relations and beyond.
An increasing number of countries started to vindicate greater control on data flows and digital infrastructures affecting their territories or citizens, especially with regard to security concerns.
Through in-depth quali-quantitative content analysis and impact assessment of selected policies of major geopolitical actors, such as the EU NIS directive, GDPR, Cybersecurity Act, the US Cloud Act, or the Chinese Personal Information Protection Law, the paper argues that the spread of sovereigntists’ claims is likely to increase geopolitical tensions and human rights concerns since actors employ a twofold and ambiguous notion of sovereignty applied to cyberspace.
On the one hand, we have a classical conception, based on the notions of territoriality, authority, and population, according to which states claim an exclusive faculty to control the digital infrastructure of their jurisdiction and the data of their citizens. On the other hand, the transborder nature of the Internet and its distributed architecture favoured the rise of a conception that disentangles the sovereign from the territory and shifts the focus from the “recognized authority on a territory” paradigm to concepts such as autonomy, power, and self-determination. This latter conception justifies the idea of a “sovereignty of cyberspace”, but paradoxically, it also constitutes the basis for States’ claims to extend their jurisdiction over processes taking place outside their boundaries, or in some non-physical space, if they impact their national interests or citizens’ rights.
Then the paper addresses the question of the ambiguous relationship between digital sovereignty, digital constitutionalism, and digital authoritarianism. It argues that while digital sovereignty is a necessary condition for the affirmation of effective digital rights, it is not sufficient, and could easily lead to a threat to constitutional guarantees and a digital authoritarian approach.
Control over digital infrastructures and data flow within a country is crucial for effectively safeguarding fundamental rights and ensuring the rule of law, but it can also lead to mass surveillance and censorship policies. Similarly, de-territorialized digital sovereignty claims may serve to promote forms of ‘personal digital sovereignty’, or extend the reach of fundamental rights protection norms at the transnational level, as seen in the case of GDPR.
However, it can also be used as a projection of states’ power using tech companies as a proxy to extend the scope of mass surveillance and censorship programs, or to conduct cyber warfare operations.
Resorting to concrete examples, the paper outlines how state actors strategically alternate between different conceptions of sovereignty to pursue their goals. The paper points out how these practices foster geopolitical conflicts and legal uncertainty, hamper cooperation to find solutions within an international law framework, and, ultimately, undermine global efforts to guarantee fundamental rights in the digital environment.
Discourses on Cybersecurity in the EU. Digital Politics in Times of International Turmoil
Adriano Cozzolino, University of Campania Luigi Vanvitelli, and Maria Francesca De Tullio, University of Napoli Federico II, Italy
In this work we lay the foundations of a research project aiming to observe the evolution of EU cybersecurity policies. In the last decades the evolution of technology, the role of Internet governance and digitalisation processes have greatly amplified the centrality of cybersecurity. Theoretically, the paper relies on a critical social-constructivist approach, in which social issues are the outcome of a process where specific actors (institutional, political, social and “economic”) try to foster specific meanings. In this respect, while technology constitutes the “materiality” and contextual condition for the rise of cybersecurity concerns, the concept and applications of cybersecurity are not natural or – worse – neutral, but depend on interests, ideas, meanings and identities that specific actors try to push forward. It is, in other words, the outcome of power relations within specific historical and institutional contexts.
The paper aims at two main accomplishments: the first is mapping/unveiling, through Critical Discourse Analysis, how cybersecurity is framed by EU institutions, particularly the Commission (the key actor in legislative initiatives and policy-making). Secondly, we aspire to understand whether cybersecurity discourse has changed over time. We develop a specific research hypothesis: discourses are profoundly embedded in society and its contradictions, and the same applies to cybersecurity as a social construction. In this respect, our hypothesis is that cybersecurity has gone through processes of change in the light of significant international transitions – signally, the beginning of the war in Ukraine and the pandemic. While the first phase of cybersecurity policy (e.g. JOIN(2013)0001) was mostly characterised by a certain “technocratic” approach typical of EU institutions, we can hypothesise that, over the last years, the approach is shifting towards a more explicitly political and conflict-based one, in which the EU takes a stance in terms of global power within a more threatening world order.
While the new cybersecurity strategy (JOIN(2020) 18 final) aims to address a “threat landscape […] compounded by geopolitical tensions over the global and open Internet and over control of technologies”, the question is which vision and imaginary of “global and open internet” underlies the Commissions’ initiatives and how it influences the implementation not only of the Cybersecurity Strategy itself, but also of the European Code of Electronic Communications (ECEC) and the Digital Services Act (DSA). In particular, we can expect that EU’s geopolitical position will increase public intervention on online market competition as regulated in ECEC; moreover, the concerns over the integrity of electoral processes (COM(2020) 790) will probably affect the field of digital political speech and propaganda.
Finally, the paper assesses the need to couple cybersecurity with an accent on “cybersafety” of digital spaces, making them free of threatening or discriminatory discourses and actions. Hence, what kind of address has the potential to re-orient the public-private governance of rights in the digital sphere in a war scenario?
Presentations Session 4 – Democracy and Rule of Law Issues with the Global Governance of Cybersecurity
Governing the Internet through South-Based Regional Private Regimes: Legitimacy at AFRINIC, APNIC, and LACNIC
Debora Irene Christine, Tifa Foundation, Indonesia, Hortense Jongen, Vrije Universiteit Amsterdam, The Netherlands & University of Gothenburg, Sweden, Nahema Nascimento Falleiros, Federal University of Rio de Janeiro, Brazil, Gloria Nzeka, University of Maryland, USA, and Jan Aart Scholte, Leiden University, The Netherlands & University of Duisburg-Essen, Germany
Most regulation of Internet infrastructure transpires through global organizations centered in the global north, such as ICANN, IEEE, IETF, W3C, etc. However, there is a striking exception: the Regional Internet Registries (RIRs), of which three are based in the global south: the African Network Information Centre (AFRINIC), the Asia-Pacific Network Information Centre (APNIC) and the Latin American and Caribbean Network Information Centre (LACNIC).
The RIRs perform a crucial role in Internet governance, by overseeing the distribution of Internet numbers (IP addresses) and handling associated sensitive questions about accessible technology, content control, surveillance and shutdowns, cybersecurity, and data protection.
In doing so, they can substantially affect the human rights of people in their respective regions.
The RIRs are especially interesting for taking a regional approach to governing several key technical functions of the Internet. They also make rules through multistakeholder collaboration among business, civil society, and technical experts, with no formal role for government. Moreover, in the cases of AFRINIC, APNIC and LACNIC, the regulatory process lies firmly in southern hands.
Given this distinctive south-led regional approach to multistakeholder governance of the Internet, it is surprising that AFRINIC, APNIC and LACNIC have attracted hardly any academic research. This paper addresses this gap through a comparative analysis of the three south-based RIRs.
More specifically, we examine to what extent these alternative (in the sense of being regional, private, south-based) constructions have succeeded to attract legitimacy in relation to diverse audiences. We understand legitimacy as the belief and perception that a governing power (in this case, AFRINIC, APNIC and LACNIC) has the right to rule and exercises that rule appropriately. Legitimacy (or its absence) can have major implications for governance capacity, affecting the ability to secure mandate, acquire resources, attract participation, develop policies, obtain compliance, reach goals, and solve problems. In addition, an authority with weak legitimacy might also be challenged by competing organizations.
Drawing upon extensive mixed-method interviews with the board, staff, member organizations and other stakeholders of AFRINIC, APNIC, and LACNIC, this paper pursues three goals:
1) to map out the distinctive ways in which the three south-based RIRs operate and have shaped internet governance at the regional level;
2) to determine how far the RIRs are regarded as legitimate;
3) to explore how legitimacy perceptions vary depending inter alia on participants’ stakeholder affiliation, regional background, language skills, gender, and age.
Geopolitics of access to digital evidence: Second Additional Protocol to the Budapest Convention and access to registrant’s data
Magdalena Krysiak, University of Łódź, Poland
The proposed paper covers geopolitical implications of Second Additional Protocol to the Budapest Convention on Cybercrime (II AP). It explores implications for the enforcement of contemporary bilateral and multilateral arrangements on access to data and evidence sharing.
The author seeks to answer questions on an equitable balance between cross-border access to personal data and the protection of victims’ rights. She does so by following the human rights theoretical framework within its reiterations. Thus far signed by 34 countries the II AP offers a unique, human rights-oriented approach to electronic evidence collection. It is to be compared with the parallel legislative process within the UN’s Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes.
To identify cybercrime perpetrators international cooperation is necessary, yet as a direct result of the contemporary jurisdictional puzzle and national sovereignty arrangements, electronic evidence is stored in multiple jurisdictions. This implies a need for effective cooperation between states and the private sector and legal certainty for service providers.
This challenge has been most recently addressed by II AP. As per its design, it is to significantly alter judiciary-international cooperation on digital matters. This is to be achieved by allowing law enforcement agencies access to digital data outside their territorial jurisdictions. Hosted by the Council of Europe, II AP reflects the European approach to prioritizing personal data protection and security. It, therefore, offers a unique geopolitical perspective on the effective protection of cybercrime victims.
From an Internet governance perspective, Article 6 II AP is of particular interest. It fills the void created by ICANN’s decision for its notorious WHOIS database to go black. The multistakeholder community has failed to find a solution to comply with the General Data Protection Regulation. This resulted in the disabling of a global database of registrants’ data, often used by LEAs. Article 6 II AP offers specific “procedures enhancing direct co-operation with providers and entities in other Parties” and sets a legal framework for a “request for domain name registration information”. Upon ratification, each state is to allow its authorities to issue a request to an entity providing domain name registration services in the territory of another state for information in its possession or control. Such a request must be issued for a specific criminal investigation and allow for identifying or contacting domain name registrants. States are also to permit entities within their territory to disclose such information, subject only to “reasonable conditions”.
Based on comparative legal methodologies, the author identifies challenges to the ratification and implementation of II AP, rooted in geopolitical and cultural approaches to security and human rights. She analyses likely scenarios for its application, contrasted with parallel dialogues on the same issue.
Expected findings include an evidence-based analysis of potential II AP implementation compared with ongoing UN processes. The paper will answer the question of whether II AP will become the universal standard for access to electronic evidence or whether other solutions should be sought.
The Global Digital Compact Consultations: Developing a Typology of Citizen Attitudes Toward Global Internet Governance
Dennis Redeker, University of Bremen, Germany
The United Nations consultation process for the creation of the Global Digital Compact (GDC) epitomizes the UN’s desire to be broadly inclusive when developing normative standards for the digital age. Who participates in the process and what public values are being put forward in the consultation phase likely contributes to shaping the global normative human rights-digital industries-national government nexus for the coming years.
This paper analyzes a new dataset on public opinion toward Internet governance in general and the GDC process specifically. The survey for the dataset has been primarily conducted in countries of the Global South and in Central and Eastern Europe, inter alia including twelve countries in Africa, thirteen countries in Latin America and the Caribbean, five countries in the MENA region. The underlying dataset of 15,568 respondents helps elucidate which topics citizens want to see addressed in the GDC and which stakeholder groups they hope the UN listens to. From these two questions, the paper develops a two dimensional typology loosely based on Mauro Santaniello’s typology of four Internet governance models, which unites the dimensions of inclusiveness and coercion.
The analytical dimensions included in the paper relate to bottom-up vs. top-down preferences regarding who should have influence in the GDC process (bottom-up vs. top-down dimension) on the one hand, and online speech concerns (speech regulation dimension) on the other hand. The bottom-up vs. top-down dimension is measured by asking respondents whom the UN “should listen to” as part of the GDC consultations.
Respondents were presented with a range of actors to choose from. Actors coded as bottom-up consist of “users” and “civil society organizations”, whereas actors coded as top-down consist of “nation states” and “corporations”. The speech regulation dimension is based on a question (to the same respondents) that asked them to rate their level of concern with a battery of issues related to Internet use. The coding of the value on this dimension includes ratings related to the items of “hate speech” and “censorship”.
The level of analysis for the current paper consists of country-level averages. Four types of public attitudes toward global Internet governance (with respect to the GDC consultation) are presented: a low-regulation and top-down type (neoliberal); a high-regulation top-down type (authoritarian); a low-regulation bottom-up type (anarchic); and a high-regulation bottom-up type (constitutionalist). The paper discusses similarities and differences between the types and possible explanatory variables for the grouping of countries within the typology. The paper also presents the new dataset (finalized in February 2023) and the novel recruitment method in some detail. It also addresses larger questions concerning Internet governance, such as whether – given that many of the respondents prefer that users be listened to better in the consultation – there is a need to make the current multistakeholder model more inclusive, or even to replace it with a more directly democratic process for Internet governance.
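The two-dimensional coding and the four-type classification described above, worked through on constructed sample responses. This is an added illustration, not the paper's analysis code or dataset; the actor coding and the four type names come from the abstract, while the score normalisation, the way the "hate speech" and "censorship" ratings are combined into one regulation score, and the median split used as the threshold are assumptions made here.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample responses (not the paper's dataset): one record per
# respondent, with the country, the actors they said the UN "should listen
# to" (multi-select) and 1-5 concern ratings for two Internet-use issues.
SAMPLE_RESPONSES = [
    {"country": "Alpha", "listen_to": {"nation states", "corporations"}, "hate_speech": 2, "censorship": 5},
    {"country": "Alpha", "listen_to": {"corporations"}, "hate_speech": 3, "censorship": 4},
    {"country": "Beta", "listen_to": {"nation states"}, "hate_speech": 5, "censorship": 1},
    {"country": "Beta", "listen_to": {"nation states", "corporations"}, "hate_speech": 4, "censorship": 2},
    {"country": "Gamma", "listen_to": {"users", "civil society organizations"}, "hate_speech": 1, "censorship": 5},
    {"country": "Gamma", "listen_to": {"users"}, "hate_speech": 2, "censorship": 5},
    {"country": "Delta", "listen_to": {"users"}, "hate_speech": 5, "censorship": 2},
    {"country": "Delta", "listen_to": {"users", "civil society organizations", "corporations"}, "hate_speech": 4, "censorship": 1},
]

# Actor coding as stated in the abstract.
BOTTOM_UP_ACTORS = {"users", "civil society organizations"}
TOP_DOWN_ACTORS = {"nation states", "corporations"}


def bottom_up_score(resp):
    """+1 = only bottom-up actors chosen, -1 = only top-down, 0 = balanced.
    The normalisation is an assumption; the abstract gives only the coding."""
    bu = len(resp["listen_to"] & BOTTOM_UP_ACTORS)
    td = len(resp["listen_to"] & TOP_DOWN_ACTORS)
    return (bu - td) / max(bu + td, 1)


def regulation_score(resp):
    """Assumed combination: concern about hate speech pushes toward speech
    regulation, concern about censorship pushes against it."""
    return resp["hate_speech"] - resp["censorship"]


def country_averages(responses):
    """Country-level means on both dimensions (the paper's level of analysis)."""
    bu, reg = defaultdict(list), defaultdict(list)
    for r in responses:
        bu[r["country"]].append(bottom_up_score(r))
        reg[r["country"]].append(regulation_score(r))
    return {c: (mean(bu[c]), mean(reg[c])) for c in bu}


def classify(averages):
    """Split each dimension at the cross-country median (assumed threshold)
    and assign the four types named in the abstract."""
    bu_cut = median(v[0] for v in averages.values())
    reg_cut = median(v[1] for v in averages.values())
    types = {}
    for country, (bu, reg) in averages.items():
        bottom_up = bu >= bu_cut
        high_reg = reg >= reg_cut
        if bottom_up and high_reg:
            types[country] = "constitutionalist"
        elif bottom_up:
            types[country] = "anarchic"
        elif high_reg:
            types[country] = "authoritarian"
        else:
            types[country] = "neoliberal"
    return types


if __name__ == "__main__":
    avgs = country_averages(SAMPLE_RESPONSES)
    for c, t in classify(avgs).items():
        print(f"{c}: bottom-up={avgs[c][0]:+.2f} regulation={avgs[c][1]:+.1f} -> {t}")
```

With a real dataset the threshold choice (median split, theoretical midpoint, or clustering) changes which countries land in which quadrant, so it should be reported alongside the typology.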
Presentations Session 5 – Data Security, Trust and People Safety
Imaginaries of Secure Messaging and their Links with Internet Fragmentation: the Case of Threema
Samuele Fratini, University of Padova, Italy
In the light of the turn to infrastructure in the Internet Governance, the power struggle among social forces has become visible in the sociomaterial construction of the digital infrastructures. Conversely, several historical turning points, exogeneous to the technical environment, e.g., the Snowden revelations, provoked shared discontent against the perceived corporate and governmental digital surveillance, producing a zeitgeist of technopessimism.
A significant result of these factors is the formation of a generation of digital companies aimed at ensuring some degree of data protection to users, pairing with the issuing of new attentive regulatory frameworks by policy-makers. In the realm of instant messaging, this led to the de facto standardization of the end-to-end encryption. Among others, the rise of Threema, a Swiss messaging application established in 2012 counting on 11 million users and 7000 corporate customers, represents a fruitful and overlooked case study. Its alterity can be understood under two main fields: technical features and shared imaginary.
On the one hand, Threema adopts an end-to-end encrypted protocol called Ibex, equips the user with a randomly generated unique ID key, thus not asking for the user’s phone number, and allows for message repudiability. On the other hand, Threema has adopted a communication style which is mainly based on its opposition to US hegemonic applications and on its self-presentation as a “genuinely Swiss company”: its two datacenters are located in the Zurich area, escaping any non-Swiss legislation and ensuring that “no work is outsourced”. As a matter of fact, its approach has received undisputed appreciation across all social strata: after the acquisition of WhatsApp by Facebook in 2014, more than 200,000 users, mainly from Germany, left the US app for the Swiss one. Besides, the Swiss Army banned WhatsApp, Signal and Telegram among its personnel, and strongly recommended the use of Threema. Even Olaf Scholz, Chancellor of Germany, declared himself a Threema user. Despite the apparently advanced degree of encryption characterizing those three foreign apps, this indicates that, especially after the issuing of the US CLOUD Act, inland datacenters are increasingly perceived as an advantage.
How are Internet fragmentation and global surveillance framed in its corporate discourse? Is the sociotechnical imaginary shared by Threema an instance of an unprecedented form of multilayered Digital Sovereignty enlarged to corporate actors? How is such an imaginary entangled in the German-speaking policy debate over cybersecurity? Does its partnership with the Swiss state suggest a new form of hybrid governance? The present work addresses the outlined issues by drawing on a document analysis of both materials produced by the company, e.g., advertising and whitepapers, and related news pieces, governmental documents and existing literature. The analysis aims to understand how Threema enacts and embodies a collective call for digital security and what consequences it may have for the future of cyberspace. Textual data will be analyzed through open coding in order to understand how Threema makes sense of cybersecurity and mass surveillance and how its conveyed imaginary may interrelate with the debate over Internet fragmentation.
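The "message repudiability" feature named above is a general property of secure-messaging protocols that authenticate messages with a symmetric key shared by both endpoints rather than with a signature. The following added example illustrates that property with a plain HMAC construction; it is written for this page and is not Threema's Ibex protocol or any of the company's code. The shared secret is a constructed constant (a real protocol would derive it from a key agreement between the two endpoints), and the party names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for a session secret agreed between two endpoints.
CONSTRUCTED_SHARED_SECRET = bytes.fromhex("7f3a9c0e5b1d4e6a8c2f0b9d3e7a1c5f")


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Both endpoints derive the same symmetric authentication key."""
    return hashlib.sha256(b"session-mac-key" + shared_secret).digest()


def authenticate(mac_key: bytes, claimed_sender: str, message: bytes) -> dict:
    """Produce a record whose tag binds the sender label and the content under
    the shared key. Anyone holding mac_key can run this, including the receiver."""
    tag = hmac.new(mac_key, claimed_sender.encode() + b"\x00" + message, hashlib.sha256).digest()
    return {"sender": claimed_sender, "message": message, "tag": tag}


def verify(mac_key: bytes, record: dict) -> bool:
    """Receiver-side integrity check; constant-time comparison of the tag."""
    expected = hmac.new(
        mac_key, record["sender"].encode() + b"\x00" + record["message"], hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, record["tag"])


def possible_authors(mac_key: bytes, record: dict, key_holders: set) -> set:
    """What a third party handed the transcript and the key can conclude: a
    valid tag only shows that *some* key holder produced it, so every holder
    is a possible author (the message is repudiable); an invalid tag shows
    nothing at all."""
    return set(key_holders) if verify(mac_key, record) else set()


if __name__ == "__main__":
    key = derive_mac_key(CONSTRUCTED_SHARED_SECRET)
    genuine = authenticate(key, "alice", b"meet at 9")
    print("bob accepts alice's message:", verify(key, genuine))
    # Bob holds the same key, so he can build a record that is indistinguishable
    # from one alice produced; the transcript therefore cannot prove authorship.
    fabricated = authenticate(key, "alice", b"meet at 10")
    print("fabricated record also verifies:", verify(key, fabricated))
    print("who could have written it:", possible_authors(key, fabricated, {"alice", "bob"}))
```

The contrast is with a digital signature under the sender's private key, which a third party could later verify as proof of authorship; a MAC under a shared key gives the receiver assurance in the moment without leaving that kind of evidence behind.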
Web PKI and Non-Governmental Governance of Trust on the Internet
Karl Grindal, University of New Hampshire, Milton Mueller and Vagisha Srivastava, Georgia Institute of Technology, USA
Over the past decade, inter-firm cooperation between Certificate Authorities (CAs) and the companies that develop browsers and operating systems has produced new standards and governance mechanisms to protect the security of websites. This cooperation is facilitated through the CA / Browser Forum (CA/B Forum), an unincorporated organization that serves as an industry-driven standards development organization for the web’s Public Key Infrastructure (PKI). Despite becoming a critical venue for Internet Governance, the CA/B Forum lacks significant social scientific study. Further, despite many papers on web PKI, academic computer scientists understand little of the dynamics shaping the industry’s self-governance.
This research explores how transnational, cooperative, private-sector governance through this Forum is overcoming the collective action problem to promote the adoption of security reforms. Over the past decade, significant initiatives facilitated through the Forum have included Network Security Requirements, evolving Baseline Requirements for Certificate Issuance, and, most recently, Certificate Transparency. The Forum has managed these reforms with a unique governance structure that gives certificate producers and consumers voting rights.
Using both qualitative and quantitative methods, we characterize the Forum’s actors, governance mechanisms, and voting behavior. Given these internal factors, we also present preliminary findings on external trends impacting the Forum, including CA market share, interoperability across Browser root stores, security incidents, and competing governance venues.
To analyze Forum participants, we web-scraped 369 CA/Browser Forum meeting minutes from 2013 to 2022. From these meeting minutes, we could section off attendance records that could be cleaned and structured. Additionally, we collected information on attendees’ organizational affiliation and nation of origin. Ultimately, this data provided attendance records for 553 unique participants from 123 organizations worldwide. Quantitative analysis also focused on the voting behavior of the Forum by analyzing the results of 192 ballots since February 2013.
Qualitative insights are also presented from a review of organizational minutes, ballot language, forum bylaws, and semi-structured interviews with CA/Browser Forum leaders and active participants. Our interviews identified consistent themes shared across participants on topics ranging from a preference for consensus-based decision-making, to the power dynamics between the Certificate Authorities and Browsers, and the challenges non-native English speakers faced.
To explore external factors shaping participants’ activity in the Forum, we created a measure of CA market share, participation across various Root store programs, and a list of major incidents. These quantitative measures validate qualitative findings by demonstrating that the most active participants come from more prominent CA Firms and that most private sector CAs face significant market pressure to comply with all major root store programs.
We synthesize these findings to characterize potential opportunities and risks to the Forum’s sustainability and conclude with policy recommendations.
Can Encryption Save Lives? Secure Messaging Tools as Loci of Convergence Between Cyber-Warfare and “Conventional” Warfare
Ksenia Ermoshina and Francesca Musiani, Centre Internet et Société (CIS), CNRS, France
The controversies surrounding the right to privacy of individuals in a hyperconnected world are long-standing debates. Particular emphasis is placed on encryption technologies, which encode information by converting its original representation into a form that cannot be deciphered without the corresponding key, thus ensuring the security of communications.
These technologies are at the heart of a public controversy, in which privacy advocates clash with claims that encryption is a threat to general security as an enabler of subversive action.
We have analyzed this controversy and others in (Ermoshina & Musiani, 2022). Recent developments in the armed conflict in Ukraine renew questions that our previous work had begun to open up: In times of war, what is the role of encryption and privacy technologies? How does armed conflict challenge existing threat models, and what are the new risks for civil society? Can encryption save lives? This contribution proposes to address these questions by showing that encrypted messaging is the subject of convergence between the informational and physical aspects, “in the field”, of war in the 21st century. The aim is to show how these messaging tools and the digital ecosystem that makes their deployment possible (interfaces, access providers, telecom operators) are now an integral part of a war and resistance infrastructure (see also Trauthig, 2022) where the border between cyber warfare and conventional warfare is becoming more and more blurred. However, we will also underline the limits of a tool-centered approach, and demonstrate how, in the case of the war in Ukraine, physical threats to civilians and infrastructure damage make it so that encrypted messaging is one among several innovative technical and social practices of holistic self-defense deployed by Ukrainians.
This article is based on field research carried out within two research projects funded by the European Commission and the French National Research Agency (further details removed for peer review). Several years of semi-structured interviews were conducted with developers and users of secure messaging in a variety of national contexts, including Ukraine and Russia, and different levels of risk. The article also benefits from an analysis of legal and regulatory documents, and technical documents related to the development of the tools (bug reports, release notes, pull requests, etc.)
The deployment of secure messaging as a strategic tool in times of war invites itself into broader debates concerning the regulation of digital technologies by States, one of the central issues of what Laura DeNardis has called the “war for Internet Governance” (DeNardis, 2014). Between the privatization of regulation and the need for digital and physical protection, the encryption of communications has not finished being a controversial issue – and shows how Internet governance is increasingly inviting itself into the conflicts of the 21st century.
References
DeNardis, L. (2014). The Global War for Internet Governance. New Haven, CT: Yale University Press.
Ermoshina, K. & Musiani, F. (2022). Concealing for Freedom. The Making of Encryption, Secure Messaging, and Digital Liberties. Manchester, UK: Mattering Press.
Trauthig, I. C. (2022). “Chat and Encrypted Messaging Apps Are the New Battlefields in the Propaganda War”, Lawfare, March 27. https://www.lawfareblog.com/chat-and-encryptedmessaging-apps-are-new-battlefields-propaganda-war