The Regime Complex for Managing Global Cyber Activities

When we try to understand cyber governance, it is important to remember how new cyberspace is. "Cyberspace is an operational domain framed by use of electronics to...exploit information via interconnected systems and their associated infra structure" (Kuehl 2009). While the US Defense Department sponsored a modest connection of a few computers called ARPANET (Advanced Research Projects Agency Network) in 1969, and the World Wide Web was conceived in 1989, it has only been in the last decade and a half that the number of websites burgeoned, and businesses begin to use this new technology to shift production and procurement in complex global supply chains. In 1992, there were only a million users on the Internet (Starr 2009, 52); today, there are nearly three billion, and the Internet has become a substrate of modern economic, social and political life. And the volatility continues. Analysts are now trying to understand the implications of ubiquitous mobility, the "Internet of everything" and analysis of "big data." Over the past 15 years, the advances in technology have far outstripped the ability of institutions of governance to respond, as well as our thinking about governance.

Since the 1970s, political scientists have looked at the international governance processes of various global affairs issues through the perspective of regime theory (Keohane and Nye 1977; Ruggie 1982). This paper is a mapping exercise of cyber governance using regime theory. Regimes are the "principles, norms, rules and procedures that govern issue areas in international affairs," but these concepts have rarely been applied to the new cyber domain (Krasner 1983). In its early days, thinking about cyber governance was relatively primitive.

Ideological libertarians proclaimed that "information wants to be free," portraying the Internet as the end of government controls. In practice, however, governments and geographical jurisdictions have been playing a major role in cyber governance right from the start (see Goldsmith and Wu 2006).

Cyberspace is a unique combination of physical and virtual properties.^[1] The physical infrastructure layer largely follows the economic laws of rival resources and increasing marginal costs, and the political laws of sovereign governmental jurisdiction and control. The virtual or informational layers have economic network characteristics of increasing returns to scale, and political practices that make government jurisdictional control difficult.^[2]

Attacks from the informational realm, where costs are low, can be launched against the physical domain, where resources are scarce and expensive. Conversely, control of the physical layer can have both territorial and extraterritorial effects on the informational layers.

Governments and non-state actors cooperate and compete for power in this complex arena. Cyber power can be defined in terms of a set of resources that relate to the creation, control and communication of electronic and computer-based information — infrastructure, networks, software and human skills. This includes the Internet of networked computers, but also intranets, mesh nets, cellular technologies, cables and space-based communications. Cyber power can be used to produce preferred outcomes within cyberspace, or it can use cyber instruments to produce preferred outcomes in other domains outside cyberspace. The Internet, which is a network of thousands of independently owned networks, is only part of cyberspace. Cyber attacks can come through several vectors, such as humans and hardware supply chains, as well as malware delivered over the network. Internet governance is the application by governments, the private sector and civil society of principles, norms, rules, procedures and programs that shape the evolution and use of the Internet (Working Group on Internet Governance [WGIG] 2005). Naming and numbering is only a small part of Internet governance, and while Internet governance is at the heart of cyberspace, it is only a subset of cyber governance.

^[1] Martin Libicki (2009, 12) distinguishes three layers of cyberspace: physical, syntactic and semantic. However, with applications added upon applications, the Internet can be conceived in multiple layers. See Blumenthal and Clark (2009, 206ff) for a four-layer model. Nazli Choucri (2012) has also proposed multiple layers.

^[2] Jonathan Zittrain points out that may change as unowned apps, such as email, give way to proprietary apps, such as Facebook or Twitter direct messaging (pers. comm.).

^{This paper was originally published by the Centre for International Governance Innovation and the Royal Institute for International Affairs as Paper No. 1 in the Global Commission on Internet Governance series.}

For the full paper, download the PDF below: