A few weeks ago, the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was re-introduced in the House of Representatives. Opponents immediately took up the fight against the bill, with internet freedom activists sending more than 300,000 signatures to Mike Rogers (R-Mich.), Chair of the House Intelligence Committee. The American Civil Liberties Union (ACLU) recently launched a public relations campaign urging citizens to pressure President Obama to veto CISPA. Internet freedom activists and consumer groups worry that CISPA, a bill that would permit private companies and government entities to share information about cyber security threats in the name of national security, would allow for unprecedented intrusion into the private digital lives on American citizens. Supporters of the bill — including major tech companies such as Facebook, Google, and IBM — argue that the legislation will provide a more established structure for sharing information on cyber security threats without infringing upon privacy rights and expectations of users.
The real issue for the United States right now, however, has more to do with the nature of the CISPA debate than with the content of the legislation itself. Although domestic government agencies, technology companies and internet activists all agree that privacy and expectations of the user must be protected, there is a disagreement among the three groups as to what level of transparency and accountability should be guaranteed in the wake of a cyber security threat. It is in this disagreement where the real long-term international cyber security threat lies. Unlike the threat of nuclear bombs – weapons internationally recognized as dangerous – the threat of cyber attacks on critical infrastructure is still an ambiguous and unexplored territory. Although nearly all nations understand the concept of Mutually Assured Destruction, it is for the most part unclear how nation-states would respond on the international stage in the face of a cyber attack. It is the uncertainty of the situation that makes a lack of international norms of internet governance all the more dangerous and the CISPA debate all the more critical — when the United States can't agree on the parameters regulating internet governance on the domestic front, all bets of coming to any consensus on international rules for war in the cyber sphere are off.
The debate over CISPA comes at a critical juncture in both domestic and international policymakers' assessment of cyber security threats. Recent cyber attacks on media conglomerates such as the New York Times and The Washington Post and private companies like Twitter and Google have elevated concerns in domestic circles, while the World Conference on International Telecommunications (WCIT) in December raised some alarming questions for sovereign nations on who, why, and what should govern the internet. Although ownership of the internet and who should govern it has been in contention for most of its existence, the current debate over international governance of the internet revolves mostly around a struggle between the U.S.-controlled ICANN and the United Nations-controlled International Telecommunications Union. At the WCIT this past December in Dubai, the United States refused to sign on to a treaty updating international telecoms standards over concerns that the treaty would give more control over the internet to the ITU, a UN agency. According to Terry Kramer, the U.S. ambassador to the ITU, handing over more control of the internet to the ITU would effectively allow countries with records of human rights violations to censor or manage the content on the internet, violating U.S. norms of liberty, transparency, and democracy. "There have been active recommendations that there be an invasive approach of governments in managing the internet, in managing the content that goes via the internet, what people are looking at, what they're saying. These fundamentally violate everything that we believe in terms of democracy and opportunities for individuals, and we're going to vigorously oppose any proposals of that nature," said Kramer.
The disagreement at the WITU embodies the tremendous dichotomy in internet value norms amongst various member nations. The United States is hesitant to sign on to a treaty on internet norms with China because of China's track record of censorship – but in not codifying some international framework on "rules of war" the United States is left in grey international law when deciding how to respond to Chinese cyber attacks.
To really address the national security cyber security threat, policymakers need to engage consumer groups, private companies, and national security agencies to craft a set of domestic norms that define appropriate parameters for what the internet is and how it should be regulated. Then, they need to follow these parameters and lead by example in the international community. For the U.S., CISPA is a step in the right direction in that it has started the discussion on domestic norms on cyber privacy, liberty, and security. But to be a real leader in this field internationally, the U.S. needs to make these discussions a priority. It is only when the U.S. has codified and implemented a set of domestic internet norms that a substantive discussion on international internet standards can begin – and real cyber diplomacy can commence.