Do We Need International Digital Laws?

German Chancellor Angela Merkel said a few weeks ago that the world needs international regulation of digital technology, much like we have international regulation for financial markets and banking.

She says that without some kind of regulations that isolated ‘islands’ of bad digital actors can emerge that are a threat to the rest of the world. I am sure her analogy is a reference to the handful of islands around the globe that play that same maverick role in the banking arena.

We now live in a world where a relatively small number of hackers can cause incredible harm. For instance, while never definitely proven, it seems that North Korea hackers pulled off the major hack of Sony a few years ago. There are accusations across western democracies that the Russians have been using hacking to interfere with elections.

Merkel certainly has a valid point. Small ‘islands’ of hackers are one of the major threats we face in the world today. They can cause incredible economic harm. They threaten basic infrastructure like electric grids. They make it risky for anybody to be in the Internet at a time when broadband access is becoming an integral part of the lives of billions.

There currently aren’t international laws that are aimed at fighting the nefarious practices of bad hackers or at punishing them for their crimes. Merkel wasn’t specific about the possible remedies. She said that the US and Germany have undertaken discussions on the topic but that it hasn’t gone very far. There are certainly a few things that would make sense at the international level:

  • Make certain kinds of hacking an international crime so that hacker criminals can more easily be pursued across borders.
  • Create a forum for governments to better coordinate monitoring hackers and devising solutions for blocking or stopping them.
  • Make laws to bring cryptocurrency under the same international auspices as other currencies.

But as somebody who follows US telecom regulation in this blog I wonder how fruitful such regulations might be? We now live in a world where hackers always seem to be one step ahead of the security industry that works to block them. The cat and mouse game between hackers and security professionals is a constantly changing one and I have to wonder how any set of rules might be nimble nimble enough to make any difference.

This does not mean that we shouldn’t have an international effort to fight against the bad actors – but I wonder if that cooperation might best be technical cooperation rather than the creation of regulations that might easily be out of date as they are signed into law.

Any attempt to create security regulations also has to wrestle with that fact that a lot of what we think of as hacking is probably really government sponsored cyberwarfare. How do we tell the difference between cyber-criminals and cyber-warriors? In a murky world where it’s always going to be hard to know who specifically wrote a given piece of code I wonder how we tell the criminal bad guys from the government bad guys?

I also see a dilemma in that any agreed-upon international laws must, by definition filter back into US laws. We now have an FCC that is trying to rid itself of having to regulate broadband. Assuming that Title II regulation will be reversed I have to wonder if the FCC would be able to try to require ISPs to comply with any international laws at a time when there might not even be many US laws that can be enforced on them.

It makes sense to me that there ought to be international cooperation in identifying and stopping criminal hackers and others that would harm the web. But I don’t know if there has even been an issue where the governments of the world engage in many of the same practices as the bad actors – and that makes me wonder if there can ever be any real cooperation between governments to police or control bad practices on the web.

How Vulnerable is Our Web?

The InternetWe all live under the assumption that the web is unbreakable. After all, it has thousands of different nodes and is so decentralized that there isn’t even as many as a handful of places that control the Internet. But does that mean that something couldn’t do enough harm to it to cripple it or bring it down?

Before I look at disaster scenarios, which certainly exist, there is one other thing to consider. The big global Internet as we think about it has probably already died. The Internet security firm Kaspersky reports that by the end of 2014 there were dozens of countries that had effectively walled themselves off from the global Internet. A few examples like China are well known, but numerous other countries, including some in Europe, have walled off their Internet to some degree in response to spying being done by the NSA and other governments.

So the question that is probably more germane to ask is whether or not there is anything that could bring down the US Internet for any substantial amount of time? In the US there are a handful of major hubs in places like Atlanta, Dallas, San Francisco, Northern Virginia, and Chicago. A large percentage of Internet traffic passes through these major portals. But there are also secondary hubs in almost every major city that act as regional Internet switching hubs, and so even if a major hub is disrupted somehow, these regional hubs can pick up a lot of the slack. Additionally, there is a lot of direct peering between Internet companies, and companies like Google and Netflix have direct connections to numerous ISPs using routes that often don’t go through major hubs.

But still, it certainly could be disastrous for our economy if more than one of the major hubs went down at the same time. Many people do not appreciate the extent that we have moved a large chunk of our economy to the Internet as part of the migration to the cloud. A large portion of the daily work of most companies would come to a screeching halt without the Internet and many employees would be unable to function during an outage.

There have been numerous security and networking experts who have looked at threats to the Internet and they have identified a few:

  • Electromagnetic Pulse. A large EMP could knock out Internet hubs in ways that make them difficult to restart immediately. While it’s probably unlikely that we have to be too worried about nuclear war (and if we do, the Internet is one of my smaller worries), there is always the possibility of a huge and prolonged solar flare. We have been tracking solar flares for less than a century and we don’t really know that the sun doesn’t occasionally pump out flares much larger than the ones that we expect.
  • Introducing Noise. It is possible for saboteurs to introduce noise into the Internet such that it would accumulate to make it hard to communicate. This could be done by putting black boxes into numerous remote fiber switching points that would inject enough noise into the system to garble the signals. If enough of these were initiated at the same time the Internet wouldn’t stop, but most of what is being sent would have enough errors to make it unusable.
  • Border Gateway Hijacking. The border gateway protocol is the system on the Internet that tells packets where to go. If the BGP routers at major Internet hubs could be infected or hacked at the same time the Internet could lose the ability to route traffic.
  • Denial of Service Attacks. DDoS attacks have become common and for the most part these are more of a nuisance than a threat. But network experts say that prolonged DDoS attacks from numerous locations directed against the Internet hubs might be able to largely halt other web traffic. Certainly nothing of that magnitude has ever been undertaken.
  • Cyberwarfare. Perhaps the biggest worry in coming years will be cyberattacks that are aimed at taking down the US Internet. Certainly we have enough enemies in the world who might try such a thing. While the US government has recently beefed up funding and emphasis on defending against cyberattacks, many experts don’t think this effort will make much improvement in our security.

Perhaps one of the biggest issues we have in protecting against these various kinds of attacks is that there is no ‘Internet’ infrastructure that is under the control of any one company or entity. There are numerous firms that own internet electronics and the fibers that feed the Internet; most of these companies don’t seem to be making cybersecurity a high priority. I’m not even sure that most of them know what they ought to do. How do you really defend against an all-out cyberattack when you can’t know ahead of time what it might look like?

This isn’t the kind of thing that should keep us up all night worrying, but the threats are there and there are people in the world who would love to see the US economy take a huge hit. It certainly will not be surprising to see a few such attempts over the coming decades – let’s just hope we are ready for it.