Earlier in October, I attended the 89th conference of the North American Network Operators' Group - NANOG. Always a worthwhile investment of time, NANOG is the post-1994 evolution of what used to be the NSFnet "Regional-Techs" meetings and serves as an educational and operational forum for the coordination and discussion of technical information related to networking technologies and operational practices.

The opening keynote talk for this meeting was given by John Curran, CEO of ARIN, on the topic of Internet Governance. John has graciously given permission for the quotes and images contained in this post.

Governance in this case differs from "Internet Coordination," which means operational items like domain names, IP addresses and protocols, and relevant organizations such as the IETF, ICANN and NANOG itself. Governance, though, is a larger concept consisting of policies, norms and (drumroll, please) regulations that guide societal usage of the Internet.

The Internet began life as a government-funded research project, transitioned into a commercial activity and is now much more integral to society and the daily lives of humans than when it began. Internet governance has evolved along with it – in 2005, the World Summit on the Information Society (WSIS) offered this definition:

The "respective role of government" in society broadly includes duties of the government such as:

  • Establishing the common norms of conduct or behavior within society.
  • Using force or threat of force to compel compliance with law and regulation.
  • Engaging in the management of public resources for the common good.

Governmental duties/obligations specifically applied to the Internet, per Curran:

  • National Defense: Protecting critical online infrastructure from cyber threats and espionage, and cyber incident response coordination.
  • Providing Public Services: Ensuring that the Internet is accessible & affordable to all citizens and supporting initiatives that reduce the digital divide.
  • Regulating the Economy: Overseeing e-commerce, digital taxation and competition among online businesses.
  • Maintaining a Healthy Society: Regulating online conduct to reduce the spread of misinformation and protect minors from inappropriate content.
  • Protecting Individual Rights: Safeguarding privacy and freedom of expression online and protecting against discrimination and harassment.
  • Ensuring Safety and Order: Implementing cybersecurity measures for Internet infrastructure, combating cybercrime and mandating cooperation for law enforcement.

Why governance? Why now?

Economic impact:

  • A 2016 Deloitte analysis of the potential impact of significant Internet disruption against economic GDP found that in a highly Internet-connected country, the per-day impact of a temporary shutdown would be on average $23.6 million per 10 million population. For medium and low Internet connectivity economies, the average estimated GDP impacts amount to $6.6 million and $0.6 million per 10 million population, respectively.

National security:

  • "Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump's inauguration, forcing major citywide reinstallation efforts. City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city." (WaPo)

Public services impact:

  • "In late April 2022, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. The Costa Rican government refused to pay the ransom and scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email or by hand on paper. The attack also affected the country's foreign trade. It disrupted its tax and customs systems, which led to import and export logistics collapse." (SecurityIntelligence)

Human impact:

  • Equifax, one of the three largest consumer credit reporting agencies in the United States, announced in September 2017 that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data breached included names, home addresses, phone numbers, dates of birth, social security numbers and driver's license numbers. The credit card numbers of approximately 209,000 consumers were also breached. (EPIC)
  • More than 200 victims of sex trafficking were rescued during a nationwide enforcement campaign including the identification or arrest of more than five dozen suspected human traffickers and 126 individuals accused of child sexual exploitation and trafficking offenses. The FBI-led "Operation Cross Country," also located 59 minor victims of child sex trafficking and sexual exploitation, and another 59 children who had been reported missing. (FBI)
  • "Hackers have stolen roughly $1.9 million (USD) from South Korean cryptocurrency platform KLAYswap after they pulled off a rare and clever BGP hijack against the server infrastructure of one of the platform's providers. The BGP hijack hit KakaoTalk, an instant messaging platform popular in South Korea. South Korean cybersecurity firm S2W said that the attackers used a BGP hijack as a way to serve a malicious version of KakaoTalk's JavaScript SDK file … modified to include additional code at the end of the file that, once loaded inside a user's browser, would wait for them to initiate a transaction on the KLAYswap website, such as an asset deposit, swap or withdrawal. KLAYswap said that during a period of two hours — from 11:30 to 1:30, on February 3 — the attacker stole the equivalent of 2.2 billion Korean won worth of various cryptocurrency assets." (TheRecord)

Internet coordination: We're from the government, and we're here to help!

Governments must fulfill their public policy obligations for a safer Internet, including measures such as filtering network traffic and DNS for content or security reasons, requiring user ID verification for website access, and supporting law enforcement requirements for access to stored data and/or packet inspection for cybersecurity and national defense reasons.

The Internet technical community invests significant resources explaining the "voluntary" nature of Internet standards and practices, but the reality is that they don't appear to be voluntary – at least not when viewed from the perspective of governments. Curran provides examples:

  • In order to interconnect successfully, one has to use the IETF's protocols (IP, DNS, routing, web).
  • To make use of the associated registries, one has to follow ICANN and RIR (Regional Internet Registries, e.g., ARIN, RIPE, LACNIC, etc.) policies for DNS and Internet number resources.

Internet governance, what's coming?

Governments seek to control the affairs of those within their territory as a furtherance of their public policy objectives, and this includes all manner of endeavors including the Internet.

It has to happen: Government inability to fulfill their perceived public policy goals – due to lack of a clear framework for cooperation with the Internet technical community – has not caused governments to desist.

It is going to happen: Lacking a clear route via Internet coordination to achieve their perceived public policy objectives for the Internet, governments will instead pursue such via more traditional national and intergovernmental (bilateral, regional, and global) initiatives.

It may not work the same as it does today: Such governmental efforts will not necessarily make use of multistakeholder processes, nor the current norms/standards from those organizations doing Internet coordination.

You may not like it if it grows in a 'done to you, not by you' manner, and then it's too late: The ability of service providers of all types (ISP, hosting, DNS, cloud, content, social media, etc.) to continue to successfully operate a richly connected Internet, once made subject to numerous disjointed regulatory measures and associated norms, is unknown and may be challenging if the current ad hoc Internet governance approach is followed to its logical conclusion.

It's already happening

Examples of Internet Governance efforts in the furtherance of government obligations:

Maintaining society (protection of minors)

  • US Children's Online Privacy Protection Act (COPPA), COPPA 2.0, KOSA.
  • US Digital Economy Act 2017.
  • Individual US States: Arkansas, California, Louisiana, Texas, Utah.

Protecting rights of individuals (data privacy)

  • European Union: General Data Protection Regulation (GDPR).
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA).
  • US States: California - CCPA, Virginia - CDPA, Colorado Privacy Act - CPA.

Ensuring safety and order (cybersecurity and electronic evidence)

  • US CLOUD Act.
  • EU E-Evidence Act.
  • California Bill C-26, ARCS.
  • United Nations "Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes."

Associating these efforts across a timeline, we can see an evolutionary pattern applying:

  • 1995: Research and Educational Internet - Multistakeholder Standards and Government Funding/Oversight.
    • Government-funded backbone transitions to commercial backbones (1995).
    • Identifier Administration passes from InterNIC to RIRs and ICANN (1997/1999).
    • Regional-Techs becomes NANOG (1994-2010).
    • IANA Stewardship Transition (2017).
  • 2017: Commercial Internet - Industry-led Multistakeholder Norms, Standards and Oversight.
    • Active Regulation: GDPR, EU e-Evidence, US CLOUD ACT.
    • Increasing concerns about safety and privacy.
    • Significant dependence upon the Internet: healthcare, finance, transportation, energy, emergency services.
  • SOON: Public Internet – the Internet as a regulated public utility, still with industry-led, Multistakeholder Norms and Standards and also, Governmental Oversight.

How policies and standards interact

Curran posited that technical requirements and standards both inform and are informed by public policy goals. Public policy goals direct laws and regulations, and those laws in turn reference future or revised technical requirements and standards.

Industry and government collaboration in their respective roles to advance safety and security is not new or difficult.

| Industry | Trade Association | Technical Standards Referenced by Law |
|---|---|---|
| Automotive | Society of Automotive Engineers (SAE) | Vehicle safety, emissions, fuel efficiency |
| Road Transportation | American Association of State Highway and Transportation Officials (AASHTO) | Highway design, construction, maintenance, safety |
| Air Transportation | International Air Transport Association (IATA) | Air transport safety, security, efficiency |
| Rail Transportation | Railway Association of Canada (RAC) | Rail transport safety, efficiency |
| Trucking/Engines | Truck and Engine Manufacturers Association (EMA) | Emissions, safety, fuel efficiency |
| Aerospace | Aerospace Industries Association (AIA) | Aircraft safety, quality, environmental compliance |

How to govern the public Internet?

Governments have an established role and responsibility in establishing Internet public policy on a global and multilateral basis, and this includes developing laws and regulations where appropriate for implementation. These governmental efforts should, where appropriate, reference the global technical standards, norms and practices developed by the Internet technical community via its open and transparent multistakeholder processes.

This means we'll all have to cooperate: governments, industry and trade organizations, civil society, and yes - the Internet technical community.

Why me? Why my organization? I don't have to do anything!

It's true, you don't. But if you abstain, you may find yourself in the not-too-distant future saying things like:

  • "I didn't know this was happening!"
  • "I didn't know you meant me!"
  • "I didn't have any way to persuade my org that this was important!"
  • "I thought we had more time!"

Curran said it very well: 

OK, what should I do?

If you're with a large org

Your organization may be aware of the increased governmental interest, and may have a plan for engagement. Find out who is running the engagement program on Internet public policy. Introduce yourself and ask to be kept informed. Bring relevant technical content to the discussion, and encourage your organization to support use of the multistakeholder model by intergovernmental organizations. Recognize that your org shares fate with others on the Internet, and that the spirit of technical coordination for the common benefit of all participants does not always come naturally to participants in legal/regulatory settings.

If you're with a small org

The same goal applies – help guide the technical evolution of the Internet in a cooperative manner.

  • Participate in Internet trade organizations to keep aware of developments and find others with whom you can coordinate action.
  • Understand that governments' public policy objectives are valid, and provide technical input to aid in their informed development.
  • Formulate the policy positions of your org and engage with others of similar inclination to advocate for solutions that will improve the Internet or at least not make it worse.

If you're an individual

The Internet is likely to evolve into a true public infrastructure within the next few decades. This evolution will require technical innovation and coordination to avoid fragmentation of regulation applicability.

We have norms and best practices that improve the Internet when widely deployed, such as the IETF BCP series and Mutually Agreed Norms for Routing Security (MANRS). Deploy these in your own network and encourage others to do likewise.

Work in/with Internet technical coordination groups on solutions to these and other technical challenges facing the Internet today.

Participate as a technical contributor when governmental consultation processes allow.

More information

Click here if you'd like to watch John's full talk.