Saturday, November 19, 2022

[Directions/EU Cyber Direct] Multi-stakeholder Governance of the Cyberspace -- Merely a Myth?

Blocking non-state stakeholders' participation in discussions about the information and communication technology environment may set a dangerous precedent for the future

By Anna-Maria Osula and Charles Mok 

Different approaches to governing the internet and engaging stakeholders in agreeing on what is responsible behaviour in cyberspace have been a source of disagreement since the beginning of the wider spread of information and communication technologies (ICTs). John Perry Barlow famously called for keeping governments (‘weary giants of flesh and steel’) away from controlling cyberspace. Yet, today, states have assumed a central role in governing the development, implementation and employment of ICTs worldwide.

While non-state stakeholders’ role in running the internet (such as providing infrastructure, storing data, designing apps and services) is largely uncontested, fierce discussions over the engagement of these stakeholders in governing ICTs, or cyberspace in general, are ongoing. In addition to heated debates over the rights and obligations of these stakeholders (see, e.g. measures aimed at curbing the increasing power of some stakeholders, such as Big Tech companies), there is much broader disagreement on the substantial engagement of stakeholders in multilateral discussions. Should deliberations on governing ICTs be narrowly state-to-state and closed to other interested parties, or should they follow a truly multi-stakeholder approach and be based on openness and diversity?

Revisiting past discussions

There are plenty of examples of international consultations adopting ‘multi-stakeholderism’ as the most appropriate way forward. Importantly, in 2005, as part of the World Summit on the Information Society, the Working Group on Internet Governance established the core role of the multi-stakeholder approach in governing the internet by defining internet governance as ‘development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the Internet’. This reflects a general agreement that the involvement of relevant stakeholders in collectively shaping the development and use of ICTs has multiple benefits. These stakeholders’ diverse views and expertise make discussions better informed. Taking into account the opinions of various interest groups also adds to the legitimacy and quality of agreements and enhances their implementation.

Ideally, a multi-stakeholder governance framework should consist of an open-ended and innovative infrastructure, a decentralised governance institution and open, inclusive and bottom-up processes involving all participants. Participants should represent the private and public sector; industry and government; technical, academic and civil society; and users. It is the antithesis of a top-down policymaking model dictated by governments and others in positions of authority.

However, trends are emerging suggesting that the multi-stakeholder approach to governing ICTs is weakening. Two recent examples related to internet governance and peace and security in cyberspace merit further analysis.

Internet governance

One of the principal commitments of the high-profile Declaration for the Future of the Internet adopted by the U.S. and more than 60 partners, including the European Commission, in April 2022 was ‘multistakeholder Internet Governance’. That means protecting and strengthening ‘the multistakeholder approach to governance that keeps the Internet running for the benefit of all’, including the management of the internet’s technical standards and protocols, and refraining from undermining its technical infrastructure.

Indeed, the internet has almost always been run and governed by a multi-stakeholder policymaking model. The most notable example is the Internet Corporation for Assigned Names and Numbers (ICANN), the global organisation responsible for coordinating and maintaining the names and numbering assignments and databases critical to the running of the single, unified internet. 

Other key internet organisations or processes formed and run under the multi-stakeholder model include the Internet Engineering Task Force (IETF), the internet’s main standards-setting body, and the Internet Governance Forum (IGF), a global platform to facilitate the discussion of internet public policies convened by the UN. These bodies face increasing pressure from nations and authorities trying to usurp their mandates or assert greater government control and influence. 

For instance, the Chinese government, working through Chinese companies such as Huawei, is seeking to establish an alternative to current multi-stakeholder standards-setting procedures by proposing its ‘New IP’ standards through the UN’s International Telecommunication Union (ITU) rather than the IETF. This approach also seeks to avoid criticism of the new standards’ flawed technical foundation, surveillance-by-design capabilities and incompatibility with the existing internet.

Even the UN’s own multi-stakeholder IGF recently appointed a 12-member ‘Leadership Panel’ in a process lacking transparency and provoking significant concern from civil society. Efforts by governments and intergovernmental organisations to embrace multi-stakeholderism are often held back by worries over inefficiency and the misplaced bureaucratic belief that categories of stakeholders can simply be represented by a few ‘leading figures’. Multi-stakeholderism is all about direct participation and not just a representative system. When such representations are chosen by authorities through an opaque process, the imitation pales further. 

But that is not all. In response to the U.S.-led Declaration for the Future of the Internet, China ‘transformed’ an annual event it has held since 2014, the World Internet Conference, into an ‘international organisation’ made up of an undisclosed list of ‘founding members including “institutions, organisations, businesses and individuals” from nearly 20 countries’. China has long used this forum to establish its vision for an alternative internet governance model, arguing for ‘respect for cyber sovereignty’ and that a new ‘international cyberspace governance’ should not be ‘unilateral’ or have ‘one party calling all the shots’. 

Stakeholders’ role in the discussions on norms of state behaviour in cyberspace

The UN Open-Ended Working Group (OEWG) was proposed as an inclusive setting for discussing international peace and security in cyberspace where ‘effective international cooperation would benefit from identifying mechanisms for the participation, as appropriate, of the private sector, academia and civil society organisations’. Yet, despite stakeholders being widely believed to enrich the discussion on international peace and security in a rapidly changing ICT environment, debates over how these stakeholders should participate in formal meetings have been fierce. At the first meetings, all eighteen stakeholders that applied for the OEWG 2019-2021 were vetoed from formally joining the discussions. Such a ‘broad and categorical denial of access’ was seen as a dangerous precedent and viewed as extremely rare in UN disarmament and arms control fora.

States have faced challenges in agreeing on the involvement of multi-stakeholders ever since, despite numerous calls during OEWG discussions to deepen multi-stakeholder engagement (e.g. High Representative for Disarmament Affairs Izumi Nakamitsu’s speech and the December 2021 letter to the Chair).

On one side are voices supporting the continuation of the previous OEWG practice allowing substantial input from stakeholders with official UN observer status or existing ECOSOC accreditation, as well as those invited to participate based on no-objection from other Member States. The issue was widely discussed during the UN OEWG first and second substantive sessions (for great overviews, see here and here). Some states believed that attending informal consultations held by the Chair and accessing the formal discussions via online broadcasting provided the stakeholders enough time and opportunity to express their views. Several countries argued that the OEWG sessions should retain the intergovernmental nature of the formal sessions, allowing all the UN Member States to interact, and that further engagement with stakeholders should not tilt this balance. Furthermore, some states expressed concern that spending too much time arguing about the modalities of stakeholder participation was distracting the OEWG from its mandate and blocking its work.

The opposing viewpoint argued for:

extended stakeholder participation which would also allow for non-accredited participation (with references to the long and cumbersome process for ECOSOC accreditation),
a transparent process for objections regarding stakeholder participation (especially for those already officially recognised by the UN in other contexts, and referring to other UN processes),
sufficient time to review documents and prepare input,
a hybrid format (allowing for more flexible use of resources by non-state stakeholders),
and ways for stakeholders who couldn’t formally join the discussions to express their views (see the letter here).

Stakeholders have expressed on several occasions that they want to be involved and heard in the process and are not arguing for the ability to vote during decision-making. Further, it was pointed out that the informal consultations implemented during the last OEWG are not a substitute for formal participation of stakeholders in the OEWG, which is crucial for the transparency, credibility and effectiveness of the process. Several countries supported giving stakeholders the opportunity to present views and contributions in the official meetings and substantive sessions, as well as during the intersession periods. 

After long discussions, and based on the Chair’s April 2022 proposal, countries finally managed to agree upon the modalities for non-state stakeholder engagement (involving a transparent non-objection mechanism) and to move on with formal discussions. However, despite the Chair’s encouragement that Member States ‘utilize the non-objection mechanism judiciously, bearing in mind the spirit of inclusivity’, over 30 non-state stakeholders were still vetoed from joining the OEWG formal discussions. They included the 150 technology companies represented by the Cybersecurity Tech Accord and the incident responders and security professionals represented by the Forum of Incident Response and Security Teams (FIRST).

The OEWG illustrates how an opportunity to benefit from the multi-layered expertise and experience of stakeholders interested in contributing to the discussions can be turned into a political contest between states. It could be argued that this contest was fuelled by geopolitical complexities including Russia’s aggression in Ukraine. However, it should be acknowledged that efforts to limit the participation of non-state stakeholders may affect these stakeholders’ future investment in the implementation of the agreements put forward by the OEWG. It is clear that the private sector, academia, and NGOs are crucial for following through with the agreements and their implementation on the national, regional and international levels. Extended disagreements on engaging these stakeholders will also contribute to the substance of the OEWG discussions, eventually decreasing the relevance of the discussions in the global arena.

Muddy future ahead

That is why this is both the best of times and the worst of times for multi-stakeholderism. The enhanced levels of support and attention it receives from national governments may allow for its further adoption in various aspects of ICTs, cybersecurity and technical standards processes and policymaking systems. Yet, in an increasingly polarised global political environment, what some governments label multi-stakeholderism may not be the genuine item at all, but something else that suits their own political agenda.

As can be seen from the OEWG example, compromises between states are often made at the expense of the non-state stakeholders. Even though the stakeholder engagement modalities included a step towards greater transparency by sharing which states objected to the participation of which stakeholders, such objections may still be employed as the basis for eliminating selected stakeholders based on political decisions. Yet, the efforts of some states to keep certain stakeholders from formally engaging with the OEWG have not decreased civil society’s appetite to partake in these discussions. On the contrary, despite their different views on some topics, their motivation to contribute has stayed strong and they stand unified in believing in the importance of diplomacy and of ensuring that member states benefit from relevant perspectives in their deliberations. Calls for robust civil society participation have also been made on other occasions, such as in the format of the UN Ad Hoc Committee on Cybercrime.

Multi-stakeholderism is not perfect and many aspects of its functioning need refinement. It can be inefficient, expensive and slow. In some countries, true multi-stakeholderism may not even be possible because autonomous stakeholders such as civil society may not be allowed to exist. But it is still by far the most open and participatory model that allows for accommodation and consensus building for the widest possible range of views and perspectives. It would be a mistake to criticise its shortcomings and then move in the opposite direction, towards less participation and more top-down power for the authorities. 

Therefore, avoiding the devaluation of the concept of multi-stakeholderism should be seen as a priority. Instead of it becoming an empty buzzword thrown around in official documents, states should find ways to meaningfully engage with stakeholders on international fora. In addition to increasing engagement in multilateral platforms, states should work on substantiating multi-stakeholderism on national and regional levels by encouraging discussions between domestic actors and drawing on their input in states’ official statements.

The civil society, research, technical and industry stakeholder groups must guard against political influence from state actors to revise or reject multi-stakeholderism. This would only lead to the splinternet, where the open, globally connected internet is divided into fragmented networks controlled by governments or, to a lesser extent, major corporations. If that happens, everyone will get less of what the internet has promised, and what each of us deserves.

Any views or opinions expressed in this blog are personal and do not represent those of institutions or organisations that the authors are associated with in their professional capacity.

Published: Directions, an initiative by the EU Cyber Direct project coordinated by the EU Institute for Security Studies, November 18, 2022

Thursday, November 10, 2022

[Diplomat] Why Elon Musk’s Twitter Purchase Is a National Security Concern

Elon Musk’s Twitter deal reveals loopholes in U.S. national security oversight.

Two days before Elon Musk closed the deal to acquire Twitter on the court-mandated deadline of October 28, he posted a short video clip of himself cheerfully carrying a sink into the company’s headquarters in San Francisco, saying, “let that sink in.” He certainly did not waste any time making sure his presence sank in to the company, its staff, its advertisers, and its users.

Besides quickly laying off roughly half of Twitter’s global staff within a week of the takeover, Musk also changed his Twitter bio twice in recent weeks, first declaring himself as the “Chief Twit,” then Twitter’s “Complaint Hotline Operator.” These are hardly just random playful titles he lavishes on himself. Musk dissolved the company’s board and named himself sole director of Twitter just before the acquisition was completed, as disclosed in a securities filing on October 31, and fired the company’s executive team, including its chief executive officer and chief financial officer. In effect, Musk is not only the Chief Twit, but the Only Twit. The company will also be delisted from the New York Stock Exchange on November 8, according to its filing with the U.S. Securities and Exchange Commission, leaving Musk with total control over the privately-held company afterward.

Regarding Twitter’s content moderation policies, Musk said in his tweets on takeover day that he had “not yet made any changes to Twitter’s content moderation policies.” He added that the company would be “forming a content moderation council with widely diverse viewpoints,” and “no major content decisions or account reinstatements will happen before that council convenes.” But with Musk as the sole director and only person in charge of Twitter, he might as well also be the sole “complaint hotline operator” cum content decision-maker, with or without advice from people he will select later. Musk already fired the company’s entire human rights team, the entire “ethical AI” team, and almost the entire communications team.

National Security Implications

Yet, such chaos at Twitter after the Musk takeover pales in comparison to the serious national security alarms that were sounded in the weeks prior to the closing of the deal. In a Financial Times interview published in early October, Musk disclosed that Chinese authorities made clear their disapproval of his Starlink rollout in Ukraine and sought assurances that he would not sell Starlink in China (read Taiwan).

Indeed, Musk has maintained a close relationship with senior Chinese government officials, having invited the Chinese ambassador to the U.S. to a test drive in an auto-piloted Tesla vehicle with him. Meanwhile, his Shanghai “Gigafactory” aims to churn out 1 million electric vehicles a year for Tesla, and last year already made up half of the company’s total global output. Moreover, China is already Tesla’s second largest market in the world, after the United States.

China can use its importance to Tesla to leverage influence on Musk’s other businesses, exemplified by the request made to Musk about Starlink, a system supported by SpaceX, another company with Musk as its chairman and CEO. The national security implications of SpaceX and its Starlink platform are obvious, direct, and significant, on top of its deployment in Ukraine and other countries such as Iran, in support of U.S. military or Internet freedom policy goals. But what about Twitter?

Although it is blocked by China’s Great Firewall and is not accessible inside the country, Twitter remains a major target for Beijing’s apparatus of online propaganda and coercion. As recently as December 2021, Twitter removed 2,048 accounts that were said to have “amplified Chinese Communist Party narratives related to the treatment of the Uyghur population.” Since the Musk takeover of Twitter and his decision to fire the company’s human rights team, users and civil society organizations have voiced many concerns, including over the possibility of Twitter turning over users’ personal details to China. Chinese authorities already have a track record of detaining people over things they tweeted, including while living overseas.

All these issues combined with a downsized workforce may result in weaker cybersecurity, much higher risk levels and potentially disastrous outcomes for Twitter and all its users.

And there is more to worry about than China. Also in early October, Ian Bremmer, head of political risk consultancy Eurasia Group, wrote to his clients that Musk informed him about a recent conversation he had with Russia’s president Vladimir Putin, just before Musk tweeted to urge Ukrainians to accept a negotiated solution with Russia by ceding Crimea to its enemy. Musk denied Bremmer’s allegation but Bremmer stood by his “honest” reporting.

Despite all these potentially explosive self-disclosures, and others’ allegations, over Musk’s connections and possible vulnerabilities to foreign powers, no action was taken by Washington to scrutinize any national security concerns associated with the Twitter deal. On the contrary, the White House actually came out to emphatically deny any security review. The silence was deafening.

Not Enough Tools for Timely Actions

After Musk completed his deal and released his list of equity co-investors, Senator Chris Murphy called on the government’s Committee on Foreign Investment in the U.S. (CFIUS) to conduct an investigation into the “national security implications” of the involvement of Saudi Arabian investors, who will become the second largest owner of Twitter behind Musk.

However, the scope of CFIUS is limited to foreign investments that may result in the control of U.S. businesses, with evidence that the transaction may threaten national security. Although its investigative power is not time-limited, in the case of Twitter, it may be limited only to the scrutiny of interests from countries such as Saudi Arabia and Qatar, rather than the more critical risks posed by Musk himself – his own possible conflicts stemming from his business empire, with potential vulnerabilities exposed to China and Russia.

If the Biden administration can be so resolute on U.S. technological competitiveness in areas such as semiconductors and artificial intelligence, to the extent of restricting sales and investments to China for not only U.S. firms but also those from allies such as South Korea, Japan, Taiwan, and Europe, the way it treats Musk’s growing technology empire is grossly inadequate and inconsistent. Consider this: one man, who openly admits his close ties to Chinese government officials, now owns the largest electric vehicle maker in the world, with huge leverage in technologies such as AI, autonomous driving, batteries, robotics, and advanced manufacturing, all areas where China strives to excel; the largest low Earth orbit satellite company in the world, with leading space and communications technologies for both military and civilian use; and one of the largest and most influential global social media platforms in the world. The national security implications here should be clear to see — standalone or combined.

Maybe too much effort has been spent and wasted in Washington on regulating social media and enforcing content moderation by mistakenly focusing on reforming provisions such as Section 230 of the Communications Decency Act. There are obvious loopholes in the U.S. regulatory regimes as far as technology and national security oversights are concerned. In this case, multiple companies in different sectors, with interlocking interests in a global market, are involved, yet there is simply no avenue to demand timely actions. As the Twitter deal demonstrates, national security matters must be looked at in a more holistic way. Changes are urgently needed.

Published: The Diplomat, November 9, 2022