U.S. Strategy for Global Internet Security Needs to Better Leverage the Private Sector

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.

Between the security of the election and the continually evolving saga over TikTok, the video-sharing platform owned by Chinese firm ByteDance, the private sector’s role in digital security remains highly visible—whether tracking, mitigating, or serving as vectors for information operations, cybersecurity threats, and other technological problems.

This extends to the global internet, where U.S. companies have an outsized influence on both the internet’s physical topology and its digital rules. This includes companies building cables and server farms in the former case and implementing protocols and routing data in the latter. These private sector actors—such as internet service providers, cloud services providers, and content delivery networks—have an enormous impact on global internet security via this architectural control. Even though it remains an understudied phenomenon, this presents the U.S. government the opportunity to better leverage the private sector to improve global internet security.

At its inception, the internet was a U.S. government-run project, but the private sector’s influence on the internet particularly accelerated in 1992 after the National Information Infrastructure plan. Governments obviously remain powerful players today: whether through norm-setting, regulation, or myriad other mechanisms of statecraft, they still influence the internet’s shape and its behavior. This is perhaps most evident in authoritarian countries, such as with Russia’s recent plan to criminalize the use of internet encryption protocols in its borders. But a continually vital government role is applicable to many democracies as well, whose reevaluation of internet regulation (or lack thereof) underscores the internet’s malleable nature.

Nonetheless, the private sector’s influence on the internet’s physical topology and digital behavior is enormous. Internet service providers like AT&T and Verizon build and maintain the hard architecture for users to connect to the internet. Cloud companies like Amazon and Google lay fiber-optic cables on land and along the ocean floor to route data and rent out memory and computing power to clients. Even companies like Facebook, which one could assume to be purely digital, build physical architecture in addition to running their virtual platforms. And many of these firms, by managing the many smaller networks on the internet which collectively form the (relatively) global network, are the ones implementing protocols to route internet data worldwide. In some ways, multistakeholder internet governance has become [PDF] “the privatization of governance.”

Take protocols as one example: the implementation of something like the Border Gateway Protocol (BGP), the internet’s “GPS” for routing traffic, or the Domain Name System (DNS), the internet’s “phone book” for addressing traffic, could seem geopolitically inconsequential. Yet these protocols were not built for security—with BGP essentially operating on blind trust, and DNS vulnerable—and unlike a flaw in a single database, problems with these protocols are magnified across the entire internet ecosystem when they go unaddressed by the private sector. Attacks on BGP earlier this year, for instance, affected numerous companies and government organizations around the world by sending their data to or through the wrong places.

Insecurity in the internet’s core architecture and protocols matters because internet security is a national security issue. It’s also a selling point for authoritarian countries looking to undermine trust in a free and open internet model and replace it with a “sovereign and controlled” alternative, marked by efforts like China’s promotion of new and closed internet standards. Insecurity here affects civilian and business communications and individual privacy and cybersecurity.

This reality of insecurity presents an opportunity and responsibility for the private sector to better leverage its influence on global internet architecture to improve internet security—and for the U.S. government to better shape incentives for security by using tools it already has available.

In some cases, firms have solutions available to address these internet security problems but aren’t maximally deploying them. This is where better understanding the incentives at play and working to address them is critical. Policymakers, for example, could require adherence to internet protocol security best practices in federal procurement rules—aiming far beyond the aforementioned issues with BGP and DNS. This would incentivize large network operators to implement security protections to qualify for federal contracts.

In other cases, there could not be solutions yet available, or there could be far more complicated incentive misalignments at play. This is where the U.S. government should use its public-private convening power to host discussions on today’s internet security challenges and also those of the future—looking ahead to deal with internet security issues that remain unaddressed and which private sector actors have the opportunity to fix, like with ensuring trust in an internet packet’s routing path.

The U.S. government should simultaneously invest more in cyber diplomacy to advocate for norms of non-interference with core internet protocols at the global level. This would supplement the kind of nonstate, nonprofit work already underway [PDF] by the Global Commission on the Stability of Cyberspace, protecting what they call the “public core” of the internet. This kind of government investment could help further raise the costs for the several authoritarian countries that continue exploiting security problems in internet protocols for their own gain.

These recommendations, and others laid out in my new report, are not a silver bullet. But what they recognize is the U.S. private sector’s enormous yet understudied influence on global internet architecture—and, therefore, security—and the need for the federal government to reassess its cooperation with and strategy towards the private sector on these issues.