background and purpose of the mapping - cyber.harvard.eduashar/internet_ecosystem_m…  · web...


‘Future of the Internet Initiative’ Opportunity Mapping

Scanning the Internet Ecosystem for WEF Engagement

An Analysis from the Berkman Center for Internet & Society

In-progress Draft: October 14, 2015

Executive Summary

I. Background and Purpose of the Mapping

At the 2015 World Economic Forum meeting in Davos, conversations relating to the Forum’s Future of the Internet Initiative demonstrated two competing desires on the part of the participants: (1) the need and desire for additional conversation; and (2) a strong desire for action. The challenge was in identifying and prioritizing those issues ripe for action and those in need of additional research, education, and conversation. The “opportunity map” summarized here and provided below is the Berkman Center for Internet & Society’s contribution toward addressing that challenge. That map informs our recommendations for how the Forum and the FII can best contribute to the development of better decision-making, both in the public and private spheres, on critical issues of Internet policy.

The map highlights key opportunities and challenges for concrete contributions in selected areas of interest that the Forum asked us to explore. These four areas are: (1) data localization; (2) national/regional digital strategies; (3) Internet deployment; and (4) cyber-crime. For each of these areas, we identified and cataloged key public-private partnerships. Within these parameters and working in a bottom-up fashion, the mapping draws from the raw data several observations of emerging thematic trends, and describes how these trends create both opportunities and challenges for concrete engagement. That analysis is presented in full in the report below, and the catalogue of partnerships can be found in the appendix.

As requested, the mapping analysis identifies key themes and opportunities for engagement within the four areas of interest. In this summary, however, we take two steps back to observe and describe some key themes across the mapping. Based on this cross-topical analysis, we offer a set of reflections on how the Forum’s Future of the Internet Initiative might best capitalize on these cross-topical opportunities over the coming months and years. The observations and recommendations are informed by the mapping exercise, but are also shaped by our professional background as researchers and academics. Simultaneously, our recommendations are but one perspective in a larger debate that spans both the public and private spheres, and we offer this as a contribution and input to that debate.

II. Cross-Topical Themes and Observations

Looking across the four areas explored within the mapping, we observe the following key themes: (A) the convergence of online and offline spheres; (B) the significance of interoperability; and (C) the tension between bottom-up growth and top-down governance. We address each cross-sectional theme briefly below.

Work in Progress1


A. Convergence of Online and Offline

Dating back to John Perry Barlow’s 1996 declaration that the Internet was a space beyond the reach of governments—something he knew to be poetic exaggeration1—there has existed a belief in Internet exceptionalism. In other words, there has been a view that the Internet represented something different and set aside from the “real world” – a space with unique problems that required unique solutions. In many ways, such exceptionalism shaped the past 20 years of Internet policymaking, with laws and regulations often developed specifically to govern behavior and action online.2

As technology evolves and coping mechanisms aimed at dealing with the “new” stabilize, such exceptionalism is harder to justify. The rise of the Internet of Things is an important next step in this evolution. Now that Internet connectivity can be a critical component of everything from thermostats and cars to airplanes and manufacturing processes, it is increasingly difficult to say where the online world ends and the offline world begins. In such an environment, do policymakers continue to treat the Internet as its own space with its own issues and solutions?

Our mapping suggests that (in the areas we surveyed) a shift may be under way, indicating a growing convergence between online and offline policymaking. This is particularly evident where economic or security interests intersect. For example, on the issue of data localization, we observe several countries’ policies regarding online behavior being driven by a desire to stimulate manufacturing and management jobs in the offline world through the construction and operation of data centers. Similarly, in the contexts of digital strategies and Internet deployment, we observe a variety of actors recognizing and working to maximize the impact that Internet access and utilization can have on education, employment, economic growth, and innovation. Lastly, in the context of cyber-crime, cybersecurity has quickly become a key part of many countries’ broader national security strategies. In total, we are observing a trend away from digital policies toward more holistic policies that consider and even harness the role of the Internet.

B. The Significance of Interoperability

Central to the convergence of online and offline technology and policy is the concept of interoperability (or “interop”). At its most fundamental level, interop is the ability to transfer and render useful data and other information across systems, applications, or components. This ability functions across four broad layers of complex systems: (1) technological – the hardware and code that allow one system to physically connect to another; (2) data – the ability of interconnected systems to understand each other; (3) human – the ability for humans to understand and act on the data that is exchanged; and (4) institutional – the ability of societal systems (e.g., legal systems) to engage effectively. Interop can enable innovation and has made possible the Internet of Things and mobile payment platforms, for example. At the same time, higher degrees of interop also pose a risk to security, privacy, and more.3

1 John Perry Barlow, “A Declaration of Independence of Cyberspace,” Feb. 8, 1996, https://projects.eff.org/~barlow/Declaration-Final.html.

2 Exceptionalism has cast doubt on what rights extend online. See, e.g., NETmundial Multistakeholder Statement, Apr. 24, 2014, § 1, http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf.

Our mapping identifies a continuing unease of policymakers in balancing the risks and benefits of highly interoperable systems. The national and regional digital strategies and the work to improve Internet deployment represent efforts at interconnecting more people and systems in order to boost innovation, competition, autonomy, access, and openness. At the same time, data localization policies represent attempts at reducing interconnectedness at the technological and data layers, often motivated by a desire to reduce potential security and privacy risks. Cyber-crime approaches are perhaps the most in tension, with policies that seek to reduce interop at the technological and data layers and policies that reorganize government to increase interop at the human and institutional layers.

Interoperability is not an end in itself. Highly interconnected systems can unlock greater levels of innovation but can also create new risks to privacy and security. The structure of the mapping, by proceeding topic-to-topic, creates the illusion that these decisions about balancing the risks and benefits of interop occur independently of one another. The challenge going forward, however, is to understand how choices made to optimize interop in one sector can impact or constrain the benefits of interop in other sectors. For example, some actors argue that reducing the availability of end-to-end encryption may have national security benefits, while others believe that may also suppress innovation in areas ranging from e-commerce to health records storage. Understanding and measuring those interrelations is a significant challenge for the future.

C. Tension Between Bottom-Up Growth and Top-Down Governance

Similar to the challenge of identifying the optimal level of interop, we observe throughout the mapping a tension between the bottom-up, organic growth of the Internet and top-down interventions made to directly shape its future development. In its short history, and after an initial phase of top-down decisions, the development of the Internet has largely been bottom-up as it has expanded and new services and technologies were layered on top of its relatively simple set of protocols. This piecemeal development has enabled incredibly generative technologies,4 but has also enabled privacy and security threats, among other challenges.

Despite the significant bottom-up orientation of the Internet and its development, our mapping reveals in all four of the topical areas a focus on top-down policies generated through either the public or private sectors (e.g., national laws that limit data exports, multilateral digital strategies, major infrastructure development projects, and government approaches to cyber-crime). This is not a feature of the ecosystem as a whole; instead, the topics that the Forum selected for this mapping generally lean toward top-down governance. The role that these top-down approaches have and will continue to play in shaping the future of the Internet cannot be overstated, and exploring them in greater depth will help shape and improve the future development of Internet policies. At the same time, we must not lose sight of the fact that some of the greatest revolutions and developments have emerged from the edges of the network, in the spaces least touched by top-down regulation.

3 See John Palfrey and Urs Gasser, Interop: The Promise and Perils of Highly Interconnected Systems (New York: Basic Books, 2012).

4 See Jonathan Zittrain, The Future of the Internet and How to Stop It (New Haven: Yale University Press, 2008).

III. Recommendations and Next Steps

At the 2015 Davos meeting on the Future of the Internet Initiative, there was consensus about the need for further work in three broad categories: (1) Knowledge, Communication, and Education; (2) Facilitation and Network Building; and (3) Norm Creation and Catalyzing Action. The FII’s current approach reflects that consensus and our mapping confirms the value of these categories of action. The mapping goes into greater detail with concrete suggestions for the opportunities that exist for the Forum to contribute within each category.

The three cross-cutting themes, however, suggest opportunities to expand beyond the current approach in both substance and process. From a substance perspective, the FII is largely oriented toward the center of the network (i.e., the large public and private entities that own, control, or regulate large swaths of the Internet). It is this orientation that tends to shade the focus areas toward top-down governance approaches. However, the FII should also emphasize the complementary perspective. Specifically, it seems important to highlight that (1) innovation and bottom-up governance can occur end-to-end on the edges of the network; and (2) that negative externalities as the byproducts of higher levels of interop are often most felt by those at the edges of the network. In order to add such a perspective to the FII, we suggest a foundational paper that could serve as a basis for future discussion and highlight for the FII and its members some of the largely unseen activity at the edges of the network.

From a process perspective, the cross-cutting themes suggest two useful changes to the FII’s current approach. We recommend (1) a greater emphasis on relationships between focus areas to better highlight, capture, and understand areas of convergence and interdependence. The divisions between focus areas are necessary to achieve deliverables. Policymakers and informed policymaking require understanding not only each focus area, but also how the topics (and the ones not yet covered in the FII) interrelate. Further, we recommend (2) additional opportunities to include perspectives from stakeholders not typically part of the Forum or the Steering Committees, possibly creating new modes and mechanisms for participation to solicit inputs from stakeholders across the Internet ecosystem, and to include viewpoints and potential solutions that otherwise may go unobserved or unnoticed.

The diversity and dynamism of the Internet ecosystem create challenges for any mapping exercise, but also for the FII as a whole. While it is necessary to focus on discrete challenges within the ecosystem, the selection of topics and issues should not constrain the potential solution space and our understanding of the interdependencies between issues and actors. As the Forum and FII consider their role in the ecosystem going forward, there is an opportunity to think creatively about new partnerships and new opportunities that transcend the existing set of focus areas. Indeed, one could go further and see the role that the FII could play in informing all of the nine other Global Challenges – considering the Internet as an exceptional thing apart from issues such as the environment and the financial system risks ignoring how the Internet shapes and is shaped by developments in every other space.

For questions or comments, please contact Ryan Budish ([email protected])


Table of Contents

I. Introduction
  A. Background and Purpose
  B. Methodology
  C. Scope

II. Mapping Selected Areas
  A. Key Characteristics of Data Localization
    1. Introduction to Data Localization
    2. Key Themes/Issues
    3. Conclusion and Core Observations
  B. Key Characteristics of National/Regional Digital Strategies
    1. Introduction to National/Regional Digital Strategies
    2. Key Themes/Issues
    3. Conclusion and Core Observations
  C. Key Characteristics of Improving Internet Deployment
    1. Introduction to Internet Deployment
    2. Key Themes/Issues
    3. Conclusion and Core Observations
  D. Key Characteristics of Cyber-crime
    1. Introduction to Cyber-crime
    2. Key Issues/Themes
    3. Conclusions and Core Observations

III. Opportunities for Engagement
  A. Data Localization
  B. National and Regional Digital Strategies
  C. Improving Internet Deployment
  D. Cyber-crime


I. Introduction

A. Background and Purpose

The Berkman Center for Internet & Society (“Berkman”) and the World Economic Forum (“the Forum”) have entered into a collaboration built upon a shared commitment to fostering an open, interoperable, and affordable Internet, serving the global public interest. In this collaboration, Berkman is a research partner whose research capacity and network of academic centers will help the Forum scope and plan its Future of the Internet Initiative (“FII”) with a focus on building knowledge and digital problem-solving capacity among decision-makers and leaders from both the private and public sector through the development of resources, educational programs, and training modules.

An initial contribution to both the scoping of the FII and building educational resources is the development of an “opportunity map” in order to create a shared foundational understanding of key opportunities and challenges in selected areas of key interest to the FII. In particular, this opportunity map identifies areas where the Forum and its collaborators could meaningfully contribute in the next year and beyond, leveraging the unique characteristics of the Forum’s platforms. At this stage, this document is intended as an internal “navigation aid”; a public-facing version of the document could be created after peer review and a consultation process.

Overall, the FII has identified five broad tracks of activity: (1) Governance on the Internet (focusing on policy and societal change through multistakeholder mechanisms, including issues of data localization, national and regional digital strategies, multistakeholder collaboration, code-based solutions, and the NETmundial initiative); (2) cyber-crime (focusing on combating cyber-crime, raising awareness and supporting resilience, and developing public-private partnerships to develop strategy and catalyze action); (3) Internet for all (focusing on developing best practices for Internet deployment and adoption that balance private and public investment in infrastructure); (4) improving information for decision-makers (focusing on providing better and more updated information to decision-makers on key issues relating to the future of the Internet); and (5) digital transformation of business models (focusing on the challenges and opportunities for businesses that the digital transformation creates).

Within this framework, the Forum asked Berkman to develop a map exploring four topical areas relating to the first three tracks: (1) data localization; (2) national/regional digital strategies; (3) Internet deployment; and (4) cyber-crime. Ultimately, within each of these areas of Internet policy, the Forum and the FII are seeking to understand how they can contribute to the development of better decision-making, both in the public and private spheres, on these critical issues.

B. Methodology

Our mapping explores concrete opportunities for engagement in four selected areas of interest that are part of the larger FII agenda: (1) data localization; (2) national and regional digital strategies; (3) improving Internet deployment; and (4) cyber-crime. We explore each of these areas in sequence below.

For each area of interest and associated section below, we used a mixed-method approach including desk research, literature review, and database searches to gather relevant information.5 For the section on national and regional digital strategies, we constrained our detailed analysis to only those strategies from the countries with the twenty largest economies by GDP.

From this research we began by cataloging key public-private partnerships, keeping track of several data points relevant for identifying opportunities and methods of engagement in the context of the FII. This catalogue of raw mapping data is available in full in the included appendices. Where relevant, the appendices include for each partnership the following:

Key issues/objectives: The central issue(s) that the respective partnership seeks to address and/or what the partnership intends to achieve.

Key participants: The entities that actively participate as leaders and stakeholders within the partnership.

Primary mechanisms of participation and decision-making: The primary ways in which the partnership involves stakeholders in information gathering, solution identification, and solution implementation.

Intended outputs: The tangible or measurable outputs of the partnership (e.g., reports, draft legislation).

Upcoming meetings: Significant milestone events relating to the objectives and outputs of the partnership scheduled for the next year.

Other key milestones: Additional upcoming deadlines or significant events.

Understanding that the purpose of this map is to identify opportunities for engagement, we operated in a bottom-up fashion, using raw mapping data as a foundation for a narrative analysis centered around on-the-ground opportunities for engagement. From this raw mapping data we made observations of emerging real-world trends, and supplemented those observations with analysis from other academics and industry observers, where applicable. The narrative analysis below describes these key thematic trends in each of the four areas, highlighting opportunities for concrete engagement and prototypical public-private partnerships and entities whose actions significantly shape the ecosystem. Identifying spaces for concrete engagement in a rapidly evolving policy sphere inherently introduces a challenge: the environment is likely to shift as soon as it is captured. Instead of focusing on the more granular and short-term aspects of these ongoing debates, we have instead focused on the bigger picture, in order to provide a more useful document that helps the reader understand some of the tectonic forces shaping the policy landscape. Rather than describing every such partnership within the narrative analysis, we highlight prototypical partnerships that are representative of opportunities for Forum and FII engagement, and we direct the reader to the appendices for additional information.

5 Initial data was primarily compiled through keyword-based searches using standard search engines, academic databases, and reviews of publication collections produced by expert agencies in the relevant fields. Our searches were conducted using core terms (e.g., “data localization,” “internet fragmentation,” “data residency”) alongside regionally-relevant search terms where appropriate (e.g., “Schengen Net”). Where possible, we also conducted searches in non-English languages (English, French, German, and Portuguese) to obtain a broader perspective on the policy landscape in certain regions.


C. Scope

The mapping of opportunities in the Internet governance6 space is challenging due to at least two factors. First, the Internet ecosystem is characterized by a diversity of actors. There is no point of central control; instead, “[i]t is a multi-layered system of administration and operational oversight that spans areas as diverse as standards setting, cybersecurity, and interconnection agreements.”7 And within this system, there is a diversity of actors pursuing independent, and often divergent or competing, agendas.8 Second, it is a highly dynamic ecosystem.9 It is dynamic because the constellation of actors addressing any one particular challenge will be different from those addressing a different challenge. And even within a single challenge, the constellation of actors may change over time.

This diversity and dynamism presents a challenge to a mapping exercise such as this one. The constellation of actors changes from issue to issue and over time. Moreover, new actors may be created (or old ones dissolved) as the needs of the groups change. We can see the effects of this diversity and dynamism in a number of short examples throughout this mapping.

The diversity and dynamism that we observe in the Internet ecosystem has two significant implications for the Forum and the FII as they identify opportunities for engagement in this sphere. First, because the constellation of actors addressing any one issue will shift in response to new circumstances and developments, any mapping represents a snapshot of a fixed and limited period of time. Second, the constant reconfiguration of participants means that a mapping cannot anticipate all of the new topics, issues, and entrants that will be important over the coming weeks and months. Taken together, these implications represent an opportunity: new entrants and partnerships have as much of a chance of influencing the debate as existing ones.

It is because of that diversity and dynamism that the following narrative analysis focuses on describing key thematic observations in each of the four topical areas, highlighting prototypical actors, and identifying potential opportunities for Forum and FII engagement in each area. Although we include a fuller catalogue of entities in the appendices, we focus in this narrative on prototypical actors because individual actors can change (and be changed) quite quickly. The examples we selected are highlighted because they are exemplary of the range of issues, the current gaps, and the opportunities for meaningful Forum and FII contributions to the ecosystem. Moreover, a mapping that overemphasizes the existing set of actors runs the risk of underemphasizing the dynamism of the space as a whole; the current constellation of actors should not serve to constrain the potential solution space and opportunities for engagement. As the Forum and FII consider their role in the ecosystem going forward, there is an opportunity to think creatively about new partnerships and new opportunities that transcend the existing landscape of actors.

6 To be clear, by “Internet governance” we do not refer only to the narrow set of questions about who determines top-level domains or sets underlying Internet protocols; instead, we use “Internet governance” to refer to the broader set of policy questions that ultimately influence how the Internet relates to law, business, and society. Under that broader conception, the topical areas of this mapping fall squarely within our understanding of Internet governance. See, e.g., DeNardis, Laura, and Mark Raymond. “Thinking Clearly About Multistakeholder Internet Governance,” 4–5, 2013. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2354377 (describing a taxonomy of Internet governance spanning six functional areas: (1) “Control of ‘Critical Internet Resources’”; (2) “Setting Internet Standards”; (3) “Access and Interconnection Coordination”; (4) “Cybersecurity governance”; (5) “Information Intermediation”; and (6) “Architecture-Based Intellectual Property Rights Enforcement”).

7 DeNardis, Laura. The Global War for Internet Governance. 226. New Haven: Yale University Press, 2014.

8 Dutton, William H. “Multistakeholder Internet Governance?” Rochester, NY, May 16, 2015. http://papers.ssrn.com/abstract=2615596. (noting that each actor is “playing in one or more games within a larger ecology of interacting games.”).

9 Ibid., 19; Ibid., 30-31 (describing Internet governance “as a dynamic ‘ecosystem’ or rapidly changing ecology of technical artifacts, people, including users, and techniques that comprise what we view broadly as the Internet and related ICTs….”).

II. Mapping Selected Areas

A. Key Characteristics of Data Localization

1. Introduction to Data Localization

Traditionally, data is routed across the Internet using autonomous servers that simply seek to deliver packets one hop closer to the destination. The process is then repeated from server-to-server until the packet is delivered. This traditional approach to packet routing typically moves data from one node to the next without respect to international borders.10 However, national concerns over local innovation, privacy, security, surveillance, and law enforcement—concerns driven by the growth of cloud storage11—have encouraged some jurisdictions to consider data localization legislation that would necessitate fundamental changes to how data is routed and ultimately stored across the Internet.12 “Data localization” generally refers to “laws that limit the storage, movement, and/or processing of data to specific geographies and jurisdictions, or that limit the companies that can manage data based upon the company’s nation of incorporation or principal situs of operations and management.”13

Data localization is just one aspect of a larger phenomenon referred to as “Internet fragmentation.” Internet fragmentation refers to a wide range of policies which collectively threaten the continued operation of a cohesive, global, interoperable network.14 The forthcoming

10 See Chander, Anupam, and Uyen Le. “Breaking the Web: Data Localization vs. the Global Internet.” UC Davis Legal Studies Research Paper, April 2014.

11 See WEF in partnership with Accenture, “Advancing Cloud Computing: What to Do Now? Priorities for Industry and Government.” 2011. http://www3.weforum.org/docs/WEF_IT_AdvancedCloudComputing_Report_2011.pdf.

12 The pattern of governments seeking greater authority and control in emergent, and initially more unregulated spaces, is not a new phenomenon. See Drake, William. “Comments at NCUC Workshop.” presented at the NCUC Workshop, ICANN, Beijing, China, April 10, 2013. (“But of course to anybody who has a broad perspective on history none of this was new at all. Every media system, every electronic media system for global communications that has ever evolved has gone through a period in which essentially states have sought to embed it within frameworks of public authority. This is a natural phenomena that happens all the time and so we shouldn't be surprised that this is going on now in the Internet environment as well.”).

13 Force Hill, Jonah. “The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Industry Leaders.” 3. Lawfare Research Paper Series, July 21, 2014. http://tagteam.harvard.edu/hub_feeds/1783/feed_items/1339728.

14 See Rosenbush, Steve. “Google’s Vint Cerf Warns Against Fragmentation of Internet,” May 14, 2015. http://blogs.wsj.com/cio/2015/05/14/internet-pioneer-vint-cerf-warns-against-fragmentation-of-internet/. (quoting


WEF report on Internet fragmentation identifies four broad categories of fragmentation: (1) infrastructure; (2) transactions and content; (3) data localization; and (4) commercial practices.15 Indeed, the range of policies with fragmentary effects is quite broad and includes those relating to language, cultural, and religious homogeneity, inequalities in access, Internet filtering, reactions to cybersecurity issues, and others. In sum total, these fragmentary policies serve to make it harder for systems and people to interact and interconnect through the network by erecting barriers at every level of interoperability: technology layer, data layer, human layer, and institutional layer.16 In some cases, the fragmentary effects are intentional and the policymaker seeks to make it harder to communicate or access certain content; in other cases the fragmentary effects are a secondary (and possibly unintended) effect of policies with some other objective.

Of the many kinds of fragmentary policies, countries and regions have shown particular interest in data localization policies over the past few years. Given the substantial developments in that space, we limit our analysis to the significant variety of laws and proposals relating to data localization policies. We can classify the data localization policies that have been implemented or proposed into three broad policy classes:

1. Data export limitations: policies limiting how data captured within a jurisdiction can be shared with those outside of the jurisdiction.

2. Location-based routing restrictions: policies altering the status quo for network routing in order to limit the flow of data to certain jurisdictions.

3. Data residency requirements: policies stating where certain data must be kept for access and/or processing.

Countries or regions can deploy a single one of these policies or can layer them together. We proceed by looking at each of these policy classes in turn. We next describe some of the factors motivating data localization policy, its impact on the ICT sector, and the complex relationship between data localization and privacy law. Finally, we identify key actors and outputs in the area of data localization.

2. Key Themes/Issues

a) Forms of Data Localization Policy

(1) Data Export Restrictions

Perhaps the most common form of data localization policies is that relating to the transmission of data (most often personal data) collected within a particular jurisdiction to individuals and systems located outside of the jurisdiction. Such restrictions are neither all-encompassing nor absolute; instead, the policies range in effect from those that offer minimal resistance to data

Vint Cerf stating “In my view, fragmentation is destructive of the basic functioning of the Internet. … Fragmentation would be a terrible outcome [and] destroy value …. But we have to work to make sure there is no reason to fragment.”).

15 See William J. Drake, Vint Cerf, Patrik Fältström, Wolfgang Kleinwachter, Forthcoming (Dec. 2015).

16 Palfrey, John, and Urs Gasser. Interop: The Promise and Perils of Highly Interconnected Systems. 6. New York: Basic Books, 2012.


export, on the one hand, to those that make it impossible to export certain kinds of data, on the other. No country, however, has thus far enacted an outright ban on the export of all data.

As noted, countries’ approaches to export restrictions vary dramatically. Some countries, like the United States, take a less restrictive approach to the export of domestic data. Although the U.S. does limit the export of certain kinds of data,17 it generally does not interfere with the transmission of Internet traffic beyond the country’s borders. To a large extent, this leniency may be due to the fact that the economic and political factors which tend to motivate data localization policies in other countries (as discussed below) are simply not prevalent in the U.S. For example, U.S. law enforcement agents may not feel a need to demand export restrictions on most domestic Internet data because it is likely to stay in the control of domestic technology companies and service providers.

On the other end of the spectrum, we find onerous localization mandates like Russia’s Federal Law 242-FZ, which prohibits the export of any Russian personal data to any server beyond the country’s borders. Most countries’ export limitations exist between these extremes, with export restrictions based on the legislative environment of the recipient country, the category or type of data, or whether the data subject has consented to its transfer.

(a) Restrictions based on recipient country

Some countries allow data export only to countries or companies that meet certain privacy or security standards. This provides to the originating country some assurance that the data (and the citizens generating the data) will be afforded certain comparable, minimum protections.

Country examples:

- European Union: 1995 Data Protection Directive allows the export of personal data only where the recipient jurisdiction provides adequate privacy protection, or if there are contractually binding corporate rules with a recipient company for protecting the data. The ECJ recently struck down the “Safe Harbor” Data-Transfer provision of the 1995 Data Protection Directive, which previously permitted companies to self-certify that their transfer methods adequately protected the data of European users and complied with the Directive and with fundamental European rights to privacy. Now, data protection authorities cannot rely on the Safe Harbor provision when governing European data processing operations.18

- South Africa: 2013 Protection of Personal Information Act is generally consistent with the limits of the E.U. Data Protection Directive.

17 Cryptography is one area where the US government has limited the export of data, although such restrictions have been eased over time. See, e.g., “Commerce Control List Supplement No. 1 to Part 774 Category 5 Part 2 – Telecommunications and ‘Information Security.’” Bureau of Industry and Security, December 7, 2012. https://www.bis.doc.gov/index.php/forms-documents/doc_view/335-supplement-no-1-to-part-774-category-5-part-ii-information-security. The restrictions are currently under renewed scrutiny as part of the United States’ approach to the Wassenaar Arrangement. Andrea Peterson. “The government is headed back to the drawing board over controversial cybersecurity export rules.” Washington Post. July 29, 2015. https://www.washingtonpost.com/news/the-switch/wp/2015/07/29/the-government-is-headed-back-to-the-drawing-board-over-controversial-cybersecurity-export-rules/.

18 Lomas, Natasha. “Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement with U.S.” TechCrunch, Oct. 6, 2015. http://techcrunch.com/2015/10/06/europes-top-court-strikes-down-safe-harbor-data-transfer-agreement-with-u-s/


- Brazil: On January 28, 2015, the government introduced a Preliminary Draft Bill for the Protection of Personal Data that would restrict transferring personal data to countries that do not offer comparable levels of protection.

(b) Restrictions based on content of data

Some export restrictions apply to particular categories of data that are believed to be too sensitive or dangerous to be kept on foreign servers. Most frequently this includes personal data collected by government entities.

Country examples:

- Nigeria: The National Information Technology Development Agency’s 2013 Guidelines for Nigerian Content Development in Information and Communications Technology require that data and information management companies must host government data locally and cannot export that data without express approval.

- Germany: In August 2015, German government IT officials agreed on rules that would limit government use of cloud services to those providers that agree never to subject the stored data to foreign disclosure obligations. Effectively, this means that German government cloud providers must process data entirely within Germany or operate only within other countries that could not, or would not, attempt to seize or access that data.

- India: Section 4 of the Public Records Act of 1993 bars the transfer of public records outside of India.

- Canada: Local legislation in British Columbia and Nova Scotia requires that the data of public institutions, as well as health data, not be moved to other jurisdictions.

- Australia: The Personally Controlled Electronic Health Records Act of 2012 bars the export of personally identifiable health records.

- South Korea: The 2009 Act on Land Survey, Waterway Survey and Cadastral Records has been interpreted to mandate that map data of South Korea not be stored on servers outside of the country.

- China: A 2011 notice from the People’s Bank of China prohibits banks operating in China from storing abroad the financial data of any Chinese citizens. A 2015 draft law would mandate the local storage of data for operators of “crucial” information infrastructure, but it would allow exceptions for business reasons subject to passing a security review.19

(c) Restrictions based on consent

Another form of export restriction is based on the citizen providing consent for the export of their data.

Country examples:

- China: The 2013 Information Security Technology Guidelines for Personal Information Protection within Public and Commercial Services Information Systems prohibits the export of data without the consent of the subject. In September 2015, the government asked technology companies to pledge their commitment to data export policies that restrict them from transferring, storing, or processing any data collected within the Chinese market outside the country’s borders without permission from the user.

- South Korea: The 2011 Personal Information Protection Act creates an obligation to obtain consent from a data subject and to provide the subject with extensive information about the transfer, including the reason for collecting personal information, and the period for which the data will be held.

- Switzerland, Brazil, and Argentina: Customer consent is required before banks can send data outside of the country.

- Thailand: Proposed legislation would require both that the data subject provide consent and that the destination jurisdiction meet certain minimum standards.

19 Wong, Gillian. “China to Get Tough on Cybersecurity.” Wall Street Journal, July 9, 2015, sec. Tech. http://www.wsj.com/articles/china-to-get-tough-on-cybersecurity-1436419416.


It is important to note that the fragmentary and localization effects of consent requirements depend largely upon the level of difficulty in obtaining effective consent. In most cases, the burden for obtaining consent is likely so low that it will not pose a major obstacle for data export. However, in places such as South Korea, which has more onerous disclosure requirements, the provisions may make it more difficult to obtain consent. Such difficulties indirectly create data localization effects by making it more difficult to export the data.

(2) Location-Based Routing Restrictions

Over the last three years, several proposals have emerged that would require that Internet traffic be routed only through certain territorial boundaries. Such a technological change would be a dramatic departure from the current operations of the Internet, where the autonomous systems that control network routing may determine that it is most efficient to send packets across a geographic border even when the sender and recipient are in the same jurisdiction. For example, an e-mail being sent from one neighborhood in Toronto to another could pass through nodes in the United States. In the wake of the Snowden disclosures, some became concerned that such cross-boundary routing could expose the data to additional surveillance risks. Indeed, there have been examples where unusual diversions of Internet traffic suggest that routing protocols have been altered or abused in attempts to monitor traffic.20 As a result, the goal of circumscribing the transmission of Internet traffic became a politically salient proposal in certain jurisdictions, whether advanced by proponents in government, the private sector, or civil society.

Country examples:

- Germany and France: These countries developed plans for an E.U. or Schengen-only routing restriction for all traffic with start and end points in Europe; the plan appears to be abandoned.

- India: The Indian National Security Advisor has requested regulations that would require that all domestic traffic is routed through the National Internet Exchange of India (NIXI) to prevent foreign surveillance; no such regulations have been proposed.

Private sector example:

- Deutsche Telekom: One of Europe’s largest telecommunications firms has spearheaded the development of a national e-mail system that routes messages exclusively through Germany.

Civil society example:

- Canadian privacy and technology researchers: Some Canadian academics have advanced a range of proposals to limit the percentage of traffic routed through the United States, including the development of improved infrastructure, new Internet Exchange Points, and explicit routing restrictions.

Overall, it is important to note that despite the development of voluntary, private sector products (like German-only e-mail routing), there has been almost no government action taken on routing restrictions. Changing the process of Internet routing would fundamentally alter the ways that the underlying network operates, making such changes both technically challenging and risky to the openness and generativity of the network.

20 Goodin, Dan. “Repeated attacks hijack huge chunks of Internet traffic, researchers warn.” Ars Technica, Nov. 30, 2013. http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/


(3) Data Residency Requirements

Data residency requirements are policies that require companies to maintain a copy of user data on a domestic server. Such restrictions differ from data export requirements in that they generally allow the export of data, provided that at least a copy is stored within the country.

Country examples:

- Vietnam: Decree 72 requires that all online services operating within the country store a domestic copy of an immense array of user data (from user credentials to complete activity logs) for the purposes of government inspection.

- Russia: Starting on September 1, 2015,21 companies with a legal presence in Russia that collect personal information from Russian citizens must process and store those records on servers within the country. There is considerable uncertainty, however, about which companies are subject to these restrictions.22

- Indonesia: Laws allow data to be exported, but require that a copy remain inside Indonesia.

In some cases, residency requirements and export limitations converge. For example, a law that requires that data be stored exclusively on domestic infrastructure is both a residency requirement and an export limitation in the sense that data must reside inside the country and cannot reside anywhere else.

b) Contextualizing Data Localization

(1) Policy Motives for Data Localization

It is tempting to connect the rise of data localization to the Edward Snowden disclosures beginning in June 2013, but it would be an oversimplification to draw a causal connection between the two. In fact, there are several reasons—many unrelated to international surveillance—that explain why countries and regions have begun to explore or enact data localization requirements. While several governments have used surveillance controversies in order to advance data localization agendas, the underlying motivations driving these policies are fairly diverse.

One key motivating factor is economics, which may be just as important as concerns over surveillance, if not more so. Data localization requires significant infrastructure; where that infrastructure does not yet exist, new data centers must be built. Thus, in theory, data localization can have positive economic impacts through new construction, new technology procurement and investments, and employment opportunities for data center management, maintenance, and operation. Indeed, we observed in our research that domestic technology and ICT companies were often major proponents of data localization proposals within their countries. Although not all countries are so explicit in drawing the connection between economics and localization, in Nigeria local data storage requirements were a direct part of an economic agenda to develop the ICT sector through procurement policy and regulatory mandates. Some critics of

21 See, e.g., King & Spalding. “Three Things In-House Counsel Needs to Know About Russia’s New Data Localization Law.” King & Spalding Client Alert, Sept. 2, 2015. http://www.kslaw.com/imageserver/KSPublic/library/publication/ca090215b.pdf.

22 See, e.g., Rothrock, Kevin. “Russia Says Twitter Doesn’t Need to Comply With Its New Data-Localization Law.” Global Voices Advocacy, July 2015. https://advocacy.globalvoicesonline.org/2015/07/23/russia-says-twitter-doesnt-need-to-comply-with-its-new-data-localization-law/.


data localization, however, contend that the economic benefits, if any, tend to fall on a narrow set of industries, while overall suppressing economic opportunities through the restraint of global trade and discouraging investment.23

In some countries, another motivating factor for data localization may be the opportunity to obtain greater control over information flows and create new domestic surveillance opportunities. In Russia and Vietnam, for instance, opponents of data localization policies have frequently cited the risks of greater surveillance through data localization. While it is difficult to determine the extent to which domestic surveillance is a motivating issue, some countries have mandated data residency as part of law enforcement regulations, suggesting a motivating role. In other cases, accusations of domestic surveillance may simply provide an expedient argument for opponents to challenge inconvenient and costly trade barriers.

Despite the recent attention on international surveillance, it appears to be a weak motivating factor in the data localization ecosystem.24 In countries where outrage regarding the Snowden revelations served as the primary driving force for data localization proposals, such initiatives have lost momentum over time. This was the case in Brazil, where the proposed localization amendment to the draft Marco Civil da Internet was abandoned and a much tamer Draft Law for Personal Data Protection has been proposed in its place. Similarly, calls for a “European Internet” from French and German political leadership have subsided without concrete legislation, although the private sector in Germany did implement data localization services for voluntary data protection and cloud storage (e.g., Deutsche Telekom’s national e-mail service). Conversely, in countries where the motivation for data localization policies is rooted in domestic surveillance interests or economic development goals, data localization policies remain on the horizon.

(2) Divisions in the Technology Sector

Although there have been some attempts to quantify the economic impact of data localization policies at the national level,25 there has been little data assessing the impact at the level of economic sectors or companies. In fact, we observe that companies across the technology sector have responded in different ways to localization policies. At both the local and global levels we observe some companies in clear opposition, while others are advocating for such policies as a business opportunity. Industry observers have noted that several major companies in the technology sector that rely on serving a global audience could see their business diminished as a result of data localization policies.26 At the same time, other major technology companies have

23 See Chander, Anupam, and Uyen Le. “Breaking the Web: Data Localization vs. the Global Internet.” 35. UC Davis Legal Studies Research Paper, April 2014.

24 See Rosenbush, Steve. “Google’s Vint Cerf Warns Against Fragmentation of Internet,” May 14, 2015. http://blogs.wsj.com/cio/2015/05/14/internet-pioneer-vint-cerf-warns-against-fragmentation-of-internet/. (noting that data localization efforts as a backlash to the Snowden revelations have appeared to subside).

25 Bauer, Matthias, Hosuk Lee-Makiyama, Erik van der Marel, and Bert Verschelde. “The Costs of Data Localisation: Friendly Fire on Economic Recovery.” ECIPE Occasional Paper, n.d. http://www.ecipe.org/publications/dataloc/.

26 Goldstein, Gordon M. “The End of the Internet?” The Atlantic, August 2014. http://www.theatlantic.com/magazine/archive/2014/07/the-end-of-the-internet/372301/.


viewed these policies as an opportunity to sell the products and services necessary to operate data centers.

Industry examples:

- Internet Service Providers Association of India: The ISPAI has been one of the most active proponents of data residency requirements and export restrictions in India.

- Deutsche Telekom: The German telecommunications giant has been a driving force behind the plan for a “European Internet” and the largest corporate partner associated with the “e-mail made in Germany” service.

- Google: The U.S.-based search and online services giant has been one of the most prominent opponents of data localization efforts, citing economic and security concerns alongside the risk of “Balkanization.”

- Microsoft: The U.S.-based software and online services company responded to the backlash over NSA surveillance by announcing that customers would have the ability to choose the jurisdiction in which their data would be stored from among the company’s existing data center locations.

- IBM and Salesforce: These companies, which specialize in building the hardware and software to manage infrastructure, have sought to build overseas data centers in order to preempt data localization laws.

(3) The Relationship Between Data Localization and Privacy and Security Laws

Data localization policy intersects with privacy and cybersecurity legislation in complex ways. Across jurisdictions, our initial analysis of privacy and data protection laws that include data localization provisions indicates that most do not actually create outright restrictions in the form of mandatory data residency or strict limitations on routing. Rather, these policies may be better categorized as a series of hurdles that may make it more difficult—but not impossible—to transfer data. One example is permissions-based requirements for international data transfer.

In some cases, data localization provisions evince a nexus with privacy and data protection legislation. For example, Australia mandates the domestic storage of personally identifiable health records. Keeping such sensitive records within the country may assist in ensuring that victims of a privacy breach can access appropriate legal recourse. In other cases, industry observers see little connection between data localization policies and the stated privacy objectives. In fact, in some countries, such policies may actively undermine privacy rights, either because of poor security or issues of domestic surveillance. Data localization efforts, even when done for privacy reasons, may impose practical costs; in the Australian case, opponents of the localization provision argued that it would jeopardize citizens’ ability to access important health records when travelling.

c) Additional Key Actors and Outputs

Given the nature of the data localization issue, key actors are necessarily state and region-specific. Beyond those already mentioned, we do, however, observe some additional key actors and reports at the global and regional level.

Example actors:

- Internet Governance Forum: Fragmentation and data localization was a key issue and program track at the 2014 Internet Governance Forum, with several panels such as “Geo-Localisation of Data, Threat or Opportunity?” “Across The Globe: Local Infrastructure is Local Development,” and “Privacy, Surveillance & the Cloud: Globalization Under Fire?” It is likely to be revisited at IGF 2015.


- Global Commission on Internet Governance: This group has produced numerous reports addressing the issue of fragmentation and localization, including a report entitled Addressing the Impact of Data Location Regulation in Financial Services, which captures the views of global financial institution executives on data localization. The report includes a set of recommendations for financial institutions, some of which may be useful for the Forum and the FII to consider.

- The European Centre for International Political Economy (ECIPE): This group has attempted to quantify the financial losses and perceived market inefficiencies resulting from data localization in a report entitled The Cost of Data Localisation, which reviews seven jurisdictions: Brazil, China, the European Union, India, Indonesia, South Korea, and Vietnam.

- The CIGI-Ipsos Global Survey on Internet Security and Trust: This report includes several findings related to the user perception of data localization. For example, in the 24 countries surveyed, they found that 72% of users would like their online data and personal information to be physically stored on a secure server in their own country. When these preferences are broken out by country, there does not appear to be a strong correlation between a state’s official position and its citizen preference for localization.

Academic writing on the subject is relatively limited and—given the nature of the subject matter—becomes rapidly out-of-date. However, a few recent pieces of scholarship may be particularly useful.

Example scholarship:

- Anupam Chander, Uyen P. Le, Breaking the Web: Data Localization vs. the Global Internet, UC Davis Legal Studies Research Paper, No. 378, April 2014. This paper provides a critical summary of the localization debate in over fifteen countries.

- Jonah Force Hill, The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Industry Leaders, Lawfare Research Paper Series, July 21, 2014. This study includes a collection of high-level recommendations targeted toward U.S. business leadership and policymakers.

3. Conclusion and Core Observations

A country-by-country analysis suggests that understanding data localization is made complex because it is the result of a multi-layered, and sometimes uncoordinated, set of diverse policies; it is often not the result of a single piece of legislation or a coordinated omnibus set of carefully constructed regulations. Localization (and its fragmentary effects) often is driven by the cumulative effect of many separate and independent policies, often tied to specific types of data. This complexity poses challenges both for policymakers who seek to develop clear policies without unintended consequences, as well as for market participants who must navigate those policies, and end users who are ultimately most affected by them.

One approach to addressing this complexity is through the development of new analytical frameworks by which to unpack and further understand this complex network of policies. The FII’s ongoing fragmentation research is a valuable contribution in that effort.

This complexity also presents several additional opportunities for the Forum and the FII to serve an educational role in the ecosystem.

First, there is a need to help develop new tools and measures for assessing the impact of (both intended and unintended) data localization measures.

Second, there is a need to help policymakers find solutions for governmental concerns, without endangering the overall functioning, efficiency, and value of the Internet within their jurisdictions.

And third, there is a need to help apply best practices from entities, such as those in the financial sector, that have experience managing complex regulatory environments in an international context.

In addition to education, the data localization ecosystem suggests there is also a need for technical innovation. Data localization is an attempt on the part of policymakers to address governmental concerns through structural changes to the way the underlying network operates. The Forum and the FII could help identify and support technical alternatives to data localization policies, which could more effectively address concerns about privacy, security and surveillance without compromising the integrity of the underlying network.

Finally, we observe that economic factors are a large motivating factor for data localization at both the national and global levels. At the national level, the Forum and the FII can help countries find new ways to grow and support the development of their technology and ICT sectors. At the global level, there is a need to better understand the economic impact that the data localization initiatives have on both companies that are supporting the development of localization infrastructure, and those whose business models rely on a global, interoperable network.

B. Key Characteristics of National and Regional Digital Strategies

1. Introduction to National and Regional Digital Strategies

Data localization is one narrow example of how governments can approach questions of digital policy. Data localization policies, as described above, can sometimes be part of laws and regulations limited to only that matter, but in many cases they are part of broader digital strategies. Endorsed in the UN’s 2001 Digital Opportunity Task Force Report27 and WEF’s work on the Global Digital Divide Initiative,28 these broader strategies can exist at either the regional or national level, can be aspirational or enshrined in law, and can be broader or narrower.

In this section, we assess the ecosystem of the various national and regional digital strategies. We identify three significant forms of national and regional-level policy development:

1. Standalone information security and cybersecurity strategies: statements and policies focused on national security vis-a-vis online behavior and threats, including national intelligence, network and information security, defense, critical infrastructure, and cyber resilience.

2. Standalone e-government strategies: statements and policies focused on the delivery of government services through online systems.

3. Comprehensive national digital agendas: statements and policies that address a variety of online activity and development in a single, all-encompassing document.

27 United Nations. “Digital Opportunities for All: Meeting the Challenge. Final Report of the Digital Opportunities Task Force.” May 11, 2001. https://www.itu.int/wsis/docs/background/general/reports/26092001_dotforce.htm.

28 WEF. “Annual Report of the Global Digital Divide Initiative.” Jan. 2002. http://www.weforum.org/pdf/Initiatives/Digital_Divide_Report_2001_2002.pdf.

Moreover, because the Internet transcends political boundaries, many regions are moving toward harmonization of digital policies across nations, and we identify some of the most prominent developments at the regional level.

2. Key Themes/Issues

a) Information Security and Cybersecurity Strategies

Of all of the different kinds of digital strategies, none appears to be more common than cybersecurity strategies. There are over 50 such policies in place internationally, and 18 of the 20 largest countries by GDP have instituted such policies. Thus, a country is more likely to have an active national cybersecurity strategy than it is to have any other national strategy related to digital technology. Generally speaking, information security and cybersecurity strategies are focused on national security, encompassing a broad range of issues including national intelligence, network and information security, defense, critical infrastructure, and cyber resilience. Less commonly, the strategies may also address issues of online crime and law enforcement, as well as provide for public and civic education around issues of computer and network security.

Example countries:

Netherlands: In 2011 the Netherlands released its National Cyber Security Strategy, which focused on forming multistakeholder relationships, raising awareness of cybersecurity issues, and building capacity. In 2014, the Netherlands updated its strategy with a new document entitled “National Cyber Security Strategy 2: From awareness to capability.” This strategy builds on the previous strategy, including the application of lessons learned. Importantly, the 2014 strategy shifts to a model of acceptable risk as opposed to risk elimination, and emphasizes moving beyond awareness to addressing capability.29

Brazil: The armed forces play a central role in Brazil’s approach to cybersecurity.30 In 2010, Brazil’s Department of Information and Communications Security published the “Green Book on Cybersecurity,” which highlights the cybersecurity challenges Brazil faces in a variety of areas. In 2012, Brazil published the “White Paper to Guide Future Defense Priorities,” which outlined a Brazilian Center for Cyberdefense as part of the Brazilian military. Despite the emphasis on the military, a variety of stakeholders play a role in Brazil’s cybersecurity strategy. The Department of Information and Communications Security works with the University of Brasilia to manage a clearinghouse for information related to cybersecurity.31 And more generally, the Green Book emphasizes important roles for the private sector, academia and international fora including the OAS and the ITU.32

Germany: The “Cyber Security Strategy for Germany” addresses civilian cybersecurity issues such as the security of critical infrastructure and public administration and the training of additional cybersecurity staff for federal agencies. The strategy places a heavy emphasis on international cooperation, including cooperation with the E.U., the Council of Europe, NATO, G8 and other multinational organizations. The strategy implements several institutional reforms, such as the creation of a National Cyber Response Center and a National Cyber Security Council. The National Cyber Response Center was created in order to foster cooperation between federal law enforcement and technical agencies, and its responsibilities include sharing information about vulnerabilities of IT products, the nature of attacks, and perpetrator profiles. The Security Council, with advice from the Response Center, represents the interface between German government agencies responsible for cyber defense and the business community. The strategy also emphasizes the development of technical and legal tools to improve responses to cyber attacks.33

29 “National Cybersecurity Strategy 2: From Awareness to Capability.” National Coordinator for Security and Counterterrorism - The Netherlands. http://english.nctv.nl/images/national-cyber-security-strategy-2_tcm92-520278.pdf.

30 Muggah, Robert, and Misha Glenny. “Why Brazil Put Its Military In Charge of Cyber Security.” Defense One, January 13, 2015. http://www.defenseone.com/technology/2015/01/why-brazil-put-its-military-charge-cyber-security/102756/.

31 Rafael Canabarro, Rafael, and Thiago Borne. “Brazil and the Fog of (Cyber) War.” NCDG Policy Working Paper. National Center for Digital Government, March 1, 2013. http://www.umass.edu/digitalcenter/research/working_papers/13_002_Canabarro-Borne_BrazilandFogofCyberWar.pdf.

32 Oppermann, Daniel. “Internet Governance and Cybersecurity in Brazil.” Multilateral Security Governance, Conference of Forte de Copacabana, 167–81. Rio de Janeiro, n.d. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2587178.

China: China’s cybersecurity strategy has been largely fragmented and uncoordinated. However, since 2012, President Xi Jinping has been trying to address this, establishing the National Security Commission and Central Network Security and Information Leading Small Group.34 The National Security Commission focuses on domestic security concerns, while the Central Network Security and Information Leading Small Group focuses on network security relating to national security. In July 2015, China released a draft of a cybersecurity law that would enable the government to take stronger action against threats, including disabling access, creating emergency detection and response measures, and establishing industrial standards.35

Indonesia: Although there is no current cybersecurity strategy, President Joko Widodo announced in early 2015 that he would form a National Cyber Agency (NCA), which would have responsibility for coordinating cybersecurity efforts in various parts of the private and public sector.36

At the national level, the scope, content, and extent of implementation of these national policies varies widely. To address this disparity, there has been a recent movement toward regional coordination. These regional strategies represent an attempt to build a coordinated network of actors prepared to both prevent and respond to cyber attacks and cyber-crime. Primarily these regional strategies operate by requiring increased technical coordination, including the development and use of technical standards, sharing of threat intelligence, and building a stronger network of cybersecurity professionals.

Example regional agreements:

African Union: The Convention on the Confidence and Security in Cyberspace, adopted in 2014, seeks to establish a common framework for African cybersecurity. It emphasizes the security of electronic transactions, the protection of personal data, the need to defend against cyber-crime, and moves toward a coherent national cybersecurity monitoring and policy. It also aims to lay the groundwork for international cooperation and cybersecurity governance. However, the Convention has faced criticism at both the process and content levels. Private sector and civil society stakeholders—including a consortium that included Google, iLabAfrica, iHub, and CIPIT at Kenya’s Strathmore Law School—expressed concern about the closed-door process and the lack of transparency and expert consultation in the Convention’s development. Similarly, stakeholders expressed concern over the Convention’s ability to limit freedom of speech, jeopardize privacy rights, and grant broad power to “investigating judges.”

European Union: The European Union’s Cybersecurity Strategy, adopted in 2013, sets out five strategic priorities: (1) achieving cyber resilience; (2) reducing cyber-crime; (3) developing cyber defense policy and capabilities; (4) increasing the industrial and technological resources for cybersecurity; and (5) establishing a coherent cyberspace policy for the E.U. The strategy was accompanied by the Network and Information Security Directive, which is nearing adoption. The Directive will require both public and private actors in critical sectors to adopt new policies and practices for cyber-crime reporting and risk management in order to improve detection, mitigation, and response. Exactly which private sector actors will be impacted by these new measures remains controversial, but at a minimum it appears to encompass those involved in critical infrastructure. Overall, the E.U.’s cybersecurity strategy emphasizes a multistakeholder approach, engaging industry leadership alongside E.U. member states, the European Parliament and Council, the European Defense Agency, the European Network Information Security Agency, and Europol.

33 “Cyber-Sicherheitsstrategie Für Deutschland.” Ministry of the Interior - Germany, 2011. http://www.bmi.bund.de/SharedDocs/Downloads/DE/Themen/OED_Verwaltung/Informationsgesellschaft/cyber.pdf.

34 Chang, Amy. “Warring State: China’s Cybersecurity Strategy.” Center for a New American Security, December 2014. http://www.cnas.org/sites/default/files/publications-pdf/CNAS_WarringState_Chang_report_010615.pdf.

35 Wong, Gillian. “China to Get Tough on Cybersecurity.” Wall Street Journal, July 9, 2015, sec. Tech. http://www.wsj.com/articles/china-to-get-tough-on-cybersecurity-1436419416.

36 Parameswaran, Prashanth. “Indonesia’s Cyber Challenge Under Jokowi.” The Diplomat, January 21, 2015. http://thediplomat.com/2015/01/indonesias-cyber-challenge-under-jokowi/.

Organization of American States: The Organization of American States adopted a Comprehensive Inter-American Cybersecurity Strategy in 2004, and has built upon existing cybersecurity initiatives since that time. Its role has shifted from promotion of best practices and the development of national CSIRTs in the early 2000s toward cyber-security crisis management and regional multi-stakeholder engagement. The OAS has provided a framework for developing cybersecurity response networks, increasing national capacity, and preventing cyber-crime throughout the Americas. The Strategy acknowledges the importance of private sector participation in cybersecurity issues given its role in the ownership and operation of ICT infrastructure. It supports “fostering public-private partnerships with the goal of increasing education and awareness and working with the private sector.” It emphasizes the formation of hemispheric networks for crisis and threat response, the adoption of common technical standards, and legal innovation to ensure OAS member states have the appropriate legislative mechanisms to respond to cyber crime. Particularly in recent years, the OAS has effectively operationalized this framework to support the adoption of national cybersecurity policies and strategies at the member state level. Colombia, Panama, Trinidad and Tobago, and most recently Jamaica have all adopted national strategies under OAS leadership, with similar projects currently underway in Dominica and Suriname and two more slated to begin this year in Peru and Paraguay, respectively.

Budapest Convention on Cybercrime: The Convention provides a foundation for fighting cyber-crime at a global level. The Council of Europe drafted the Convention in 2001, and 46 nations have ratified it, including non-Council of Europe member states such as the United States, Australia, and Japan. The countries bound by the Budapest Convention represent only 12% of the world’s population, but more than 55% of gross world product. The Convention attempts to harmonize law and increase international cooperation in investigating and prosecuting cyber-crime. The Convention defines crimes of illegal access, illegal interception, data interference, forgery, fraud, child pornography, and offences concerning copyright. The Convention also provides for criminal procedures to aid investigations and collect evidence.

b) E-Government Strategies

Outside of the national security context, several governments have developed domestic strategies relating to the use of digital tools to manage and deliver government services. According to one definition, e-government is “the use of ICT and its application by the government for the provision of information and public services to the people.”37 Traditionally, e-government has embodied three distinct and independent modes of operation: government-to-government, government-to-business, and government-to-consumer services. However, a recent UN survey observed that increasingly the lines between forms of e-government services are blurring.38 The “United Nations E-Government Survey” is a regularly published report on the current state of e-government strategies, which evaluates both national approaches and overarching trends in the ecosystem.39

37 “Global E-Government Readiness Report 2004.” United Nations Department of Economic and Social Affairs, Division of Public Administration and Development Management, November 2004. http://unpan3.un.org/egovkb/portals/egovkb/Documents/un/2004-Survey/Complete-Survey.pdf.

38 “United Nations E-Government Survey 2014.” United Nations Department of Economic and Social Affairs, Division of Public Administration and Development Management, 2014. http://unpan3.un.org/egovkb/Portals/egovkb/Documents/un/2014-Survey/E-Gov_Complete_Survey-2014.pdf.

E-government strategies exist along a spectrum of innovation. The least innovative are those that simply take analog government activities and move them to digital processes. For instance, some e-government approaches enable firms to apply for registrations, permits and other necessities online. Digitizing traditional government activities can be beneficial to the extent that it lowers costs (transactional or economic); however, it may also serve to reinforce and ossify existing, archaic processes.40 Other e-government strategies are more ambitious and seek to define new modes of interaction and engagement with government. For example, open data initiatives allow citizens and companies to utilize the substantial amount of data that government collects and repurpose it in new and innovative ways. Additionally, open data can increase transparency and market efficiency.41

Example e-government strategies:

European Union: One of the most significant e-government strategies at the regional level is the E.U.’s European eGovernment Action Plan 2011-2015.42 The plan has several goals. First, it aims to improve cross-border functionality of e-government services, with a particular focus on harmonizing laws for e-signatures and e-identities. Second, it aims to boost the use of those services, with usage targets of 80% of businesses and 50% of citizens. The E.U. is expected to launch a new eGovernment Action Plan in 2016, which will run through 2020. Currently, the focus of the new plan will be the E.U.-wide integration of business registers, the integration of European and national online portals into a single gateway, the full transition of all member states to e-procurement, and achieving interoperability for e-signatures.43 On July 1st, 2015, a public workshop on the e-government agenda was held in Brussels.44

Australia: In 2012, the Department of Finance and Deregulation of the Australian Government released the Australian Public Service Information and Communications Technology Strategy. This strategy has three main objectives: (1) using ICT to deliver better, more personalized, and linked government services; (2) using ICT to improve the efficiency of government operations; and (3) improving the engagement of stakeholders to improve decision-making. The strategy was intended to be implemented over several years by improving capacity and making key investments in ICT.

Switzerland: The 2007 Swiss e-government strategy focuses on three main objectives: (1) allowing businesses to complete administrative tasks with the government electronically; (2) allowing government entities to deal with each other electronically; and (3) allowing citizens to conduct certain administrative tasks with the government electronically. The e-government strategy identified several services that needed to be moved into interoperable online systems, and it also identified several changes to rules and systems that were required to enable those services.

United Kingdom: This 2012 strategy, updated in 2013, represents a commitment to “digital by default” in government services. The strategy included the redesign of several government services in order to increase the use of those services, including by those who have never been online. However, some observers have claimed that the online identity management system is insecure.

39 See “United Nations E-Government Surveys.” United Nations Public Administration, n.d. http://www.unpan.org/egovkb/global_reports/08report.htm.

40 See Goldsmith, Stephen, and Susan Crawford. The Responsive City: Engaging Communities Through Data-Smart Governance. 25. San Francisco, CA: Jossey-Bass, 2014.

41 See Bertot, John C., Paul T. Jaeger, and Justin M. Grimes. “Using ICTs to Create a Culture of Transparency: E-Government and Social Media as Openness and Anti-Corruption Tools for Societies.” Government Information Quarterly 27, no. 3 (July 2010): 264–71. http://www.sciencedirect.com/science/article/pii/S0740624X10000201.

42 “The European eGovernment Action Plan 2011-2015: Harnessing ICT to Promote Smart, Sustainable & Innovative Government.” European Commission, December 15, 2010. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0743:FIN:EN:PDF.

43 “Report: Workshop on New EU eGovernment Action Plan.” European Commission, May 22, 2015. https://joinup.ec.europa.eu/community/opengov/event/workshop-new-eu-egovernment-action-plan.

44 Ibid.

c) Comprehensive National Digital Agendas

Some countries, instead of developing specific policies for e-government or cybersecurity, have adopted comprehensive policies that seek to provide a coordinated approach to a broad range of digital issues. Such comprehensive strategies address areas as diverse as physical ICT infrastructure and data and consumer protection, among others. In general, we observe that these comprehensive agendas have two major characteristics: (1) they articulate a progressive vision for how their citizens can engage with, and benefit from, digital technologies; and (2) they are political in the sense that they embody a set of policy choices tied to social and economic development.

Such comprehensive agendas differ in the complexity of their implementation. Some national agendas combine both regulatory reforms and public investments. Others focus on building a national framework for digital rights. For example, in 2014 Brazil enacted the Marco Civil da Internet, which outlines a set of legal rights and protections relating to digital society. Many other comprehensive national digital strategies, however, focus on improving public and private use of digital technologies through public investments in innovation and state-of-the-art ICT infrastructure.

Example countries:

Canada: The Digital Canada 150 strategy has five core pillars: (1) improving digital connectivity and online infrastructure; (2) improving the security of online transactions through tougher privacy and security laws; (3) supporting digital adoption in the business sector through an investment of CAD 200 million to support small and medium-sized businesses in adopting digital technologies; (4) providing more open government data; and (5) supporting the creation of Canadian content, including a review of copyright law.

Mexico: In November 2013, Mexico released its National Digital Strategy. This strategy is intended to help fulfil the June 2013 amendment to the Mexican Constitution that compels the state to provide access to information and communications technologies. The strategy envisions five key areas for ICT adoption: (1) using ICT to improve the experience of citizens in obtaining public services; (2) using ICT to foster economic growth in the digital economy; (3) using ICT to improve the quality of education; (4) using ICT to improve the coverage, quality, and efficiency of health care services; and (5) using ICT to coordinate public and citizen responses to public safety crises. The strategy seeks to address these challenges through improving connectivity, digital skills, interoperability of technological and governance systems, legal harmonization, and open data.

Germany: In November 2010, the German Federal Ministry of Economics and Technology released the ICT Strategy of the German Federal Government: Digital Germany 2015. The strategy represents a commitment to expanding digital infrastructure, improving privacy and security online, increasing research in the ICT sector to develop new products and services, improving education for ICT-related skills, and using ICT to address a variety of social challenges.

d) Comprehensive Regional Digital Agendas

Concurrent with governments developing their own comprehensive digital agendas is a recognition that in many cases the challenges require a regional approach. We observe a pattern in both the cybersecurity and e-government contexts where national strategies subsequently give way to regional strategies that often supersede or supplement the national ones. We expect that a similar pattern may emerge in terms of comprehensive digital strategies, but currently only the E.U.’s Digital Agenda for Europe represents such a comprehensive regional strategy.

In 2010, the European Commission made the Digital Agenda for Europe one of seven flagship initiatives of its Europe 2020 Strategy. The primary goal of the Digital Agenda is achieving a digital single market (DSM) in Europe, where transactions can take place online across Europe, while minimizing the legal, technical, and economic barriers. The E.U. Commission estimates that a functioning single market could contribute EUR 415 billion to the E.U. economy every year.45 As part of achieving a DSM, the Digital Agenda focuses on:

Interoperability & Standards: improving the interoperability of devices, services, and data through standard setting.

Trust and Security: improving laws to protect against cyber-crime and readiness to fight cyber attacks.

Fast and Ultra-fast Internet Access: using public funds to invest in improved broadband infrastructure.

Research and Innovation: using public-private partnerships to expand research and innovation.

Enhancing Digital Literacy, Skills and Inclusion: using public-private partnerships between businesses and education providers to help provide better ICT education.

ICT-enabled Benefits for E.U. Society: using ICT in order to improve health care, manage climate change, digitize content, and more.

In May 2015, the European Commission announced sixteen initiatives to support the development of the DSM, with an aim to complete the initiatives by the end of 2016.46 These initiatives include reforming telecom rules, improving consumer protection, improving E.U. copyright law, streamlining the VAT process, and creating public-private partnerships on cybersecurity.

3. Conclusion and Core Observations

The development of national and regional digital strategies represents an acknowledgement on the part of policymakers of the importance of digital technologies for the delivery of government services, improving their economies, and protecting their citizens. Perhaps more importantly than an acknowledgement, the development of national and regional digital strategies is an attempt to address the challenges and benefits from digital technology in a coordinated, strategic fashion.

Despite the growth of national and regional digital strategies, we observe several critical gaps in the ecosystem that may threaten their overall effectiveness:

First, we observe that there is an absence of best practices regarding the development of national and regional digital strategies. In particular, because these strategies are a relatively new development, a clear set of lessons learned has not yet emerged to aid others in developing such agendas. The challenge is not only to write a document that expresses a nation’s hope for advancing steadily forward in the digital age, but to do so in an achievable and effective way.

45 “A Digital Single Market for Europe: Commission Sets out 16 Initiatives to Make It Happen.” European Commission, May 6, 2015. http://europa.eu/rapid/press-release_IP-15-4919_en.htm.

46 Ibid.

Second, and related to the first issue, we do not observe a norm or best practice of developing these agendas through public-private consultations. Notably, we observe only a few of the digital strategies making explicit references to the inputs of public-private partnerships in the development of their strategies. Mexico’s National Digital Strategy evidences both the first and second issue in that it notes that the most recent strategy will be more effective than preceding strategies in Mexico precisely because the new one was developed through public-private consultations; thus, Mexico demonstrates both lessons learned over repeated attempts and the value of public-private partnerships.

These two issues present an opportunity for the Forum and the FII to help develop and identify lessons learned from past efforts at crafting digital agendas and to convert those into best practices. Moreover, the Forum and the FII can help those drafting such agendas build partnerships that can strengthen the quality of the agenda and improve its overall effectiveness.

A final issue is the challenge of measuring effectiveness. While there are many ambitious digital agendas, there is little research or evidence as to how many have been fully implemented and how effective they have been. This represents two challenges of effectiveness: effectiveness in implementation and effectiveness in results, and both need additional observable metrics and measurements. There is an opportunity for the Forum and the FII to help countries better measure their effectiveness in both translating agendas into action and in achieving the ultimate goals set out in the agenda. Additionally, improved measurements of effectiveness can help determine what aspects of digital agendas should be duplicated in other places, and which need improvement.

C. Key Characteristics of Improving Internet Deployment

1. Introduction to Internet Deployment

Connecting the “next billion” Internet users is a significant issue that requires simultaneously addressing technical, economic, social, institutional, and educational challenges. In that regard, it is a challenge well suited for public-private partnerships, as they can leverage their collective membership, intelligence, and resources, in order to address the challenge on multiple fronts. Indeed, we observe several such partnerships operating within the ecosystem.

More than half of the world’s population is still offline. Although three quarters of the population is already connected in developed countries, only thirteen percent in India and twenty percent in all of Africa are online.47 Of those connected in developing countries, most access the Internet through mobile phones, and only a small percentage have a fixed line Internet connection.48 Expanding this access could have substantial impacts on economic development. According to a recent Deloitte study, extending Internet access in developing countries to match that in developed countries would create as many as 44 million jobs in Africa and generate another 65 million in India.49 A study from the Copenhagen Consensus Centre concluded that tripling the mobile broadband penetration in the developing world would return $17 for every dollar spent.50 Accordingly, the benefits of the expansion of Internet access into regions with poor connectivity could be substantial.

47 “Value of Connectivity: Economic and Social Benefits of Expanding Internet Access.” 9. Deloitte, February 2014. https://fbcdn-dragon-a.akamaihd.net/hphotos-ak-ash3/t39.2365/851546_1398036020459876_1878998841_n.pdf.
48 Ibid., 10.
49 Ibid., 15.

In this section, we assess some of the key actors and partnerships operating within the ecosystem in order to extend Internet access. We observe a few different, but overlapping, approaches to addressing this critical challenge. These can be described as approaches that: (1) address impediments to affordability; (2) address technical impediments; and (3) address legal and institutional impediments. Such categories inherently overlap. For example, addressing legal impediments or developing new technologies for deployment can both serve to lower costs. These three categories, however, are useful in distinguishing the primary way in which different partnerships attempt to address Internet deployment.

2. Key Themes/Issues

a) Addressing Cost Impediments

In many cases, access to the Internet is limited by the high costs of connection. Even in situations where a potential user has access to a device that could support a connection, the high costs of the service may suppress usage. For example, in Mauritania one gigabyte of post-paid mobile data (computer-based) costs $33.32; by contrast, in Indonesia it costs an average of $5.26 for the same volume.51 Such cost disparities can be a significant impediment to broad Internet access. For that reason, several partnerships have emerged with a specific focus on addressing the high costs of Internet access.

Example partnerships:

The Alliance for Affordable Internet (A4AI): This partnership has over 70 members spanning the private sector, governmental organizations, academia, civil society, and foundations. The goal of this organization is to achieve the UN Broadband Commission’s target of enabling people to buy entry-level broadband for 5% of monthly income or less. The A4AI has several modes of operation:

o First, it builds coalitions in countries with significant challenges for Internet access and affordability. Currently, they are working in the Dominican Republic, Ghana, Mozambique, and Nigeria; they plan to add coalitions in up to six more countries by the end of the year. These coalitions create partnerships and dialogues to help address issues relating to infrastructure, funding, transparency, data collection, spectrum policy, and anti-competitive behavior.

o Second, A4AI conducts extensive research into pricing and the policies that impacted the affordability of Internet service in various countries. This research is a key input into their Affordability Index.52

o Third, A4AI develops and publishes case studies in order to explore in depth the policy environments that have shaped the affordability of Internet access in particular countries. Currently, these countries include Cameroon, Ghana, Nigeria, Brazil, Dominican Republic, Peru, and Myanmar.

50 Gonzalez Fanfalone, Alexia, and Emmanuelle Auriol. “Post-2015 Consensus: Infrastructure Broadband Assessment Paper.” Copenhagen Consensus Centre, December 4, 2014. http://www.copenhagenconsensus.com/publication/post-2015-consensus-infrastructure-assessment-auriol-fanfalone.
51 “Measuring the Information Society Report: 2014.” International Telecommunications Union, 2014. http://www.itu.int/en/ITU-D/Statistics/Documents/publications/mis2014/MIS2014_without_Annex_4.pdf.
52 See “The Affordability Report 2014.” Alliance for Affordable Internet, 2014. http://a4ai.org/affordability-report/report/#the_affordability_index.


Internet.org: This Facebook-led partnership includes the support of Ericsson, Mediatek, Opera, Qualcomm, Samsung, and Nokia, with a goal of providing free basic internet services in places where access is otherwise unaffordable. Internet.org provides its free service, rebranded to “Free Basics,” by offering “zero-rating” service. This service is sponsored data provided in partnership with mobile providers in nearly 15 countries. The zero-rating means that mobile providers do not charge users for any data accessed through the Internet.org portal, which includes services like Facebook. Because the organization only offers zero rating for select services, as opposed to the Internet as a whole, the project has been criticized as a challenge to net neutrality in that it pushes users toward zero-rated content.53 Similar concerns have been raised about Wikimedia Foundation’s zero-rating service, which provides free access to Wikipedia through partnerships with mobile providers.54

Although Internet access is, as a general trend, becoming more and more affordable, significant challenges remain in bringing down the cost sufficiently to make it possible for the next billion users to connect. Although unique partnerships like zero-rating plans have emerged in the last few years, their controversial nature and lack of clear standards have seemingly inhibited broader deployment.

b) Addressing Technical Impediments

A significant challenge to access is a lack of sufficient physical infrastructure. In many cases, either physical infrastructure simply does not exist, or there is so little competition that monopoly pricing makes access too expensive. For that reason, we observe several partnerships that are focused on either indirectly supporting technical expansion (through best practices, education, etc.) or directly enabling technical expansion (through new, lower cost technologies).

Example indirect initiatives:

African Internet Exchange System Project (AXIS): This is a partnership between the member states of the African Union, the E.U.-Africa Infrastructure Trust, the Government of Luxembourg, and the Internet Society. The partnership was formed in order to assist in the development, creation, and operation of new national and regional Internet Exchange Points (IXPs) to increase intra-African connectivity. Currently, because of a lack of local IXPs, Africa relies on expensive and inefficient overseas carriers to route local African traffic. This partnership is building capacity and providing technical assistance in order to support the deployment of IXPs in Africa, and it is doing this primarily through trainings and workshops focused on best practices and technical development.

FibreForAfrica.net: This project of the Association for Progressive Communications (APC) and its members is focused on research, advocacy, and policy reform, with the goal of laying the groundwork for fiber deployment in Africa. In particular, the APC has focused on the impact of the SAT3/WASC cable in West Africa and assessing the ways in which monopoly pricing has impacted infrastructure and development.

Global Access to the Internet for All (GAIA): This project of the Internet Engineering Task Force (IETF) aims to build collaboration between governmental organizations, researchers, companies, and practitioners, with a focus on research, best practices, workshops, and developing experimental revisions to the core Internet protocols.

Similarly, there are ongoing initiatives aimed at directly improving Internet infrastructure in developing countries. Many of these direct approaches are being led by for-profit companies, either independently or in coalitions. Several of these approaches are fairly experimental, rather than investments in traditional infrastructure.

53 Rai, Saritha. “Facebook’s Internet.org Faces Heat In India Over Net Neutrality.” Forbes, April 16, 2015. http://www.forbes.com/sites/saritharai/2015/04/16/facebooks-internet-org-faces-heat-in-india-over-net-neutrality/.
54 See MacDonald, Raegan. “Wikipedia Zero and Net Neutrality: Wikimedia Turns Its Back on the Open Internet,” August 8, 2014. https://www.accessnow.org/blog/2014/08/08/wikipedia-zero-and-net-neutrality-wikimedia-turns-its-back-on-the-open.

Example direct initiatives:

M-Powering Development Initiative: This project of the International Telecommunications Union (ITU) aims to extend the reach of mobile Internet technology to more people, particularly in rural and underserved areas. The initiative brings together industry associations, such as GSMA, and individual firms with governments from developing countries to launch projects and share best practices. The initiative is continually searching for additional partners.

Fiber-Speed Satellite Network: O3b Networks uses a constellation of Medium-Earth-Orbit (MEO) satellites to bring fiber-quality connections to locations where other Internet infrastructure would be too costly to build, including small islands and remote inland countries. Their network of satellites is focused on the Global South.

OneWeb: This partnership between OneWeb, Virgin Group, Qualcomm, and Airbus plans to design, build, and launch up to 900 satellites in order to provide Internet broadband service to the hundreds of millions of people residing in locations without existing access.

SpaceX: Elon Musk’s SpaceX has announced plans to build a global satellite network and has received significant funding from Google, Fidelity, and Founders Fund, among others.

Aquila: Facebook has announced plans to build solar-powered drones to deliver Internet access. Test flights are expected later in 2015.

Google: Similar to Facebook’s plan, Google’s Solara drones will aim to deliver broadband services to unconnected regions. In addition, Google’s Project Loon will use a network of weather balloons in order to provide internet access to people with LTE-enabled devices in rural and remote areas.

Outernet: This project uses satellites to broadcast a predetermined bundle of content, including news, weather, educational materials, and more. Solar powered boxes download the bundles of content and then make them available over Wi-Fi to nearby devices.

Many organizations and partnerships are working toward providing the technical infrastructure needed for Internet deployment. The approaches range from building an educational foundation, to traditional infrastructure, to entirely new forms of infrastructure. In all cases, significant progress is still necessary.

c) Addressing Legal and Institutional Impediments

Expanding Internet access sometimes requires addressing a variety of non-technical challenges that are perpetuated by outdated or inflexible legal and institutional systems. For example, in 2012, the Internet Society described the challenge in Africa as “80% social and 20% technical engineering.”55 The social “engineering” often involves addressing deficiencies in the legal and institutional structures within a country or a region in order to support functioning broadband markets, incentivize investments, or develop coordinated ICT strategies. According to A4AI, effective Internet strategies at an institutional level require three things: (1) a strategic, forward-looking approach to ICT development; (2) rules that increase efficiency and enable market entry; and (3) the means and willingness to enforce the rules.

Example countries:

Ethiopia: This is an example of a government that did not adapt outdated institutions. In Ethiopia there is only one Internet provider—Ethio Telecom, a government-run company that outsources management to France Telecom. Competition is constrained because foreign companies are prohibited from investing in the country’s telecommunications market, and there is no domestic competition.56 Additionally, Ethio Telecom contributed around $300 million to the Ethiopian government’s budget, disincentivizing change.57 This means that prices for Internet connections exceed market levels in Ethiopia.58 In 2013, one gigabyte of mobile data cost 41 percent of per capita gross national income (GNI) in Ethiopia. For comparison, the same data in Kenya costs 15 percent of GNI.

55 Michuki Mwangi, Internet Society, IXP Deployment Experiences in Africa: 80% Social and 20% Technical Engineering (Aug. 15, 2012).

Colombia: Recent revisions to law and regulation have enabled Colombia to improve the cost and service of Internet in the country. In 2009, Colombia introduced a new ICT law that lowered the barriers to market entry. As a result, today several companies are part of a competitive market that has driven prices down and quality of service up.59 Several companies are currently rolling out 4G technology. Additionally, the government explicitly targets the most underserved segments of society through expanding the National Optical Fibre Backbone project in order to connect every municipality to broadband infrastructure through the creation of hubs in national parks, and through financial assistance for families that cannot afford ICT equipment.60 Because of these policies, Internet is affordable and nearly half of the population has Internet access.

3. Conclusion and Core Observations

Connecting those in developed countries without access to the Internet requires simultaneously addressing technical, economic, social, institutional, and educational challenges. For that reason, we observe public-private partnerships playing a central role in this space and expect that they will continue to be central in addressing these varied challenges. Although there are many organizations currently operating in this space, the challenge remains substantial, presenting several opportunities for the Forum and the FII.

It is important to have accurate measurements of the scope and scale of Internet deployment today and over time. We observe several efforts at collecting that information, but current datasets are incomplete. The Organisation for Economic Co-operation and Development (OECD), for example, has conducted studies in broadband growth and policies, but covers only the OECD countries.61 Organizations like the ITU and A4AI have significant datasets, but can provide only limited insight into (1) how policies have shaped the outcomes; (2) whether and how users ultimately take advantage of the access they have; and (3) what factors inhibit use in areas where basic access is available. Generating such information at a global level is collection and analysis intensive, and therefore expensive. There is an opportunity for the Forum and the FII to help supplement this understanding through raising relevant questions in its own surveys, supporting additional in-depth case study research, and supporting in-person survey research in additional countries.

56 Adam, Lishan. “Understanding What Is Happening in ICT in Ethiopia.” 12. Policy Paper. Research ICT Africa, 2012. http://www.researchictafrica.net/publications/Evidence_for_ICT_Policy_Action/Policy_Paper_3_-_Understanding_what_is_happening_in_ICT_in_Ethiopia.pdf.
57 “Telecoms in Ethiopia: Out of Reach.” The Economist, August 24, 2013. http://www.economist.com/news/middle-east-and-africa/21584037-government-expands-mobile-phone-network-tightens-its-grip-out-reach.
58 “The Affordability Report 2014.” Alliance for Affordable Internet, 2014. http://a4ai.org/affordability-report/report/#the_affordability_index.
59 Ibid., 2.2.1.
60 Ibid.
61 See, e.g., “Broadband Growth and Policies in OECD Countries.” OECD. June 17, 2008. https://www.oecd.org/sti/broadband/40629067.pdf.


Several on-going initiatives in this space seek to provide education, primarily at the policymaker and infrastructure management levels. The Forum and the FII do not need to duplicate such efforts, but can leverage their extensive relationships with policymakers to ensure that existing educational tools are effective and reach the necessary individuals. Additionally, there is an opportunity for the Forum and the FII to consider what educational tools and resources may be necessary for ensuring that users can make the most effective use of Internet access once it is available.

Given the challenges of affordability, zero-rating service has tremendous potential in bringing Internet access to users at no additional cost using devices they already own. Zero-rating services, however, have been controversial because of the power they give to the service providers to shape the content and knowledge available to the user.62 The Forum and the FII have an opportunity to help bridge the gap between policymakers, technology companies, and civil society, in order to identify best practices and standards in the deployment of such services.

Finally, there is an opportunity for the Forum and the FII to help ensure a match between technological development and the needs of policymakers and end users. As noted above, there are many experimental approaches to addressing the infrastructural challenges, including balloons and satellites. However, people such as Bill Gates have criticized those efforts as out of touch with the needs on the ground, including power, water, and health care.63 Similarly, many projects aim to bring connectivity to existing mobile devices, which may lower costs while creating a mismatch between the necessary uses and the capabilities of the device. In both cases, the Forum and the FII can help foster dialogues to ensure that the technologies being developed and deployed are done so in a way that best supports the needs of citizens.

D. Key Characteristics of Cyber-crime

1. Introduction to Cyber-crime

The cybersecurity and cyber-crime landscape is evolving at a rapid pace, with an ever-growing list of concerns and the continual emergence of new threats such as state-sponsored hacking, theft of intellectual assets, impairment of systems, fraud, and others. Although the specific stakeholders vary from country-to-country or region-to-region, the ecosystem as a whole relies upon frequent cooperation (or at the very least, interaction) between a variety of stakeholders including the government, the private sector, and the public at large. Much of the Internet is controlled and maintained by the private sector, necessitating alliances between governmental and private sector actors in order to address the growing corpus of cyber-crime and cybersecurity issues.

Before discussing some of the key issues of cooperation between the public and private sectors in the cyber-crime space, it is important to address two issues related to the scope of the mapping. First is a definitional clarification; for purposes of this mapping, we consider the terms “cybersecurity” and “cyber-crime” to be closely related. At its most basic level, cybersecurity can be characterized as the range of defensive policies against cyber-crime. Cybersecurity encompasses approaches to defending and coordinating efforts against threats and attacks that are criminal in nature and the broader set of policies by which governments and private sector companies operate to secure the wide range of stakeholder interests against such threats. Because of their close connection, we use the terms cybersecurity and cyber-crime interchangeably, and where necessary we distinguish our use of the terms from those used by others.

62 See Carolina Rossini and Taylor Moore. “Exploring Zero-Rating Challenges: Views From Five Countries.” Public Knowledge. July 2015. https://www.publicknowledge.org/assets/uploads/blog/Final_Paper-Jul_28-TM.pdf.
63 Dredge, Stuart. “Bill Gates Criticises Google’s Project Loon Initiative.” The Guardian, August 9, 2013. http://www.theguardian.com/technology/2013/aug/09/bill-gates-google-project-loon.

Second, our mapping of the cybersecurity landscape is focused on a select set of issues relating to trust between public and private entities. The selection of this topic as an organizing principle emerged through the Berkman Center’s ongoing consultations with a variety of cybersecurity experts as part of its ongoing cybersecurity project. This project convenes a group of experts with unprecedentedly diverse experience within the government, private sector, civil society, and academia to identify and distill key issues around the set of government and private sector responsibilities related to cybersecurity. From those expert consultations, a single key issue has emerged as critical to partnerships between the public and private sectors: how can trust be established or increased between government and private sector actors? Informed by our conversations, we observe this issue play out in three important areas: (1) information sharing between public and private entities; (2) government cybersecurity reorganizations, sometimes to enable private partnerships; and (3) balancing security with government access to data. The mapping below describes these three areas of access to information, government reorganization, and balancing security and access, and identifies potential opportunities for the Forum and the FII.

Our approach highlights the key issues determined to be most salient to our network of cyber-crime experts. However, the landscape is richer than can be fully captured here. First, cyber-crime and cybersecurity are incredibly complex fields, and we cannot say that a different set of experts would highlight the exact same issues. Second, our experts have a U.S. focus and our mapping is largely informed by that perspective. We have strived to identify relevant international examples where applicable, and the Forum has identified many of the same issues in its own global cyber-crime initiative.

2. Key Issues/Themes

a) Information Sharing

Information plays an important role in the cybersecurity landscape. It is both responsive and preventative in nature. For example, government and private sector stakeholders use it to respond to ongoing cybersecurity incidents, assess vulnerabilities and potential harms, and build defenses against emerging threats. Effective information sharing, like many aspects of cybersecurity, relies upon carefully tailored partnerships between the public and private sector, in part due to information collection challenges and differing incentives. Individual actors within the private sector hold information that would be helpful to both the government and other actors within the private sector. A trust deficit makes such partnerships more challenging; moreover, actors within the private sector often lack the incentive to share with competitors or address long-term risks.64 In contrast, the government is in a unique position to think about long-term threats and the types of actors who are capable of carrying them out, as well as to aggregate information from a variety of sources. However, the need for secrecy within national security and intelligence agencies often prevents the sharing of detailed information.

There are a number of initiatives that have been formed to try to facilitate information sharing. Because of the complexity of information collection, these initiatives reflect an equally complex constellation of information flows. Initiatives can enable public-to-private, private-to-public, and private-to-private information flows or a combination of the three. In some countries, for example Germany and the U.K., the government plays a role in centralizing forums for the exchange of threat information across these different types of information flows.65 Although a variety of mechanisms exist for government and private sector actors to share cyber threat information, in reality their effectiveness is limited.

Country examples:

United States: The U.S. government currently shares cyber threat information with the private sector through the U.S. Department of Homeland Security’s offices of Intelligence and Analysis, Cyber and Communications, and National Cybersecurity and Communication Integration Center.66

United States: Information Sharing and Analysis Centers (ISACs) are used by private sector companies to pool resources and share information on threats.67

Germany: The Bundesamt für Sicherheit in der Informationstechnik (BSI – Federal Office for Information Security) operates the Alliance for Cybersecurity, which is a community for members of the German private sector to engage in active cyber threat information sharing and the exchange of best practices.68

United Kingdom: The United Kingdom’s Centre for the Protection of National Infrastructure (CPNI) facilitates a network of “Information Exchanges” (IEs) across numerous sectors.69 The IEs allow companies to build long-term relationships of trust over time in order to facilitate the exchange of information related to cyber-attacks, as well as physical and personnel-related threats.

Despite the many ways in which information is shared, the sharing is often described by private and public sector actors as being ad hoc, messy, and uncoordinated. In other words, it is sub-optimal. In many cases, the public-to-private information sharing that does occur is based on old, pre-digital models that are not scaling well to the increasingly complex needs of the private sector. For example, in the United States, information is frequently shared through the same channels as counterterrorism threat information.70 Private-to-private sharing arrangements, which often occur within industry consortia, Information Sharing and Analysis Organizations (ISAOs), and Information Sharing and Analysis Centers (ISACs), can still be constrained by the number of organizations that participate and their willingness to divulge detailed information.

64 This has, on occasion, motivated security researchers to publicly disclose vulnerabilities in the hope that it will motivate technology creators to patch the vulnerability more quickly. In the process, this potentially alerts bad actors to weaknesses in technology that may be exploited. See, e.g., Eduard Kovacs. “Google Discloses Unpatched Windows 8.1 Vulnerability.” Security Week. Jan. 5, 2015. http://www.securityweek.com/google-discloses-unpatched-windows-81-vulnerability.
65 See, e.g., “Bundesamt für Sicherheit in der Informationstechnik.” https://www.bsi.bund.de/DE/Home/home_node.html; “ENISA Analyses the Incentives and Challenges to Public – Private Information Sharing — ENISA,” July 9, 2010. https://www.enisa.europa.eu/media/news-items/enisa-analyses-the-incentives-and-challenges-to-public-2013-private-information-sharing.
66 “U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).” https://www.us-cert.gov/nccic.
67 See, e.g., “National Council of ISACs.” http://www.isaccouncil.org/.
68 “Bundesamt für Sicherheit in der Informationstechnik.” https://www.bsi.bund.de/DE/Home/home_node.html.
69 “ENISA Analyses the Incentives and Challenges to Public-Private Information Sharing,” July 9, 2010. https://www.enisa.europa.eu/media/news-items/enisa-analyses-the-incentives-and-challenges-to-public-2013-private-information-sharing.

A number of inhibitors and challenges are to blame for the lack of information sharing. Our research indicates that in the context of public-private and private-public information sharing, one of the more significant inhibitors is the current state of mistrust between the government and private sector. Since the 2013 Snowden leaks, some companies have expressed concern about publicly collaborating with government actors. Companies like Apple, Facebook, Google, Twitter, Microsoft, AOL, and others have teamed up to protest government surveillance and to call for surveillance reform, which is indicative of the sour relationship between government and the private sector.71 According to insiders, this extends to any efforts that might be perceived by the public or potential clients as collaborative activity between private sector companies and the global intelligence community.72 Financial concerns appear to be a significant factor, with some analysts estimating that the Snowden leaks will cost the major technology companies “billions of dollars over the next several years,” particularly if “international clients take their business elsewhere.”73

A second challenge to information sharing, particularly in the context of private-to-public and private-to-private information flows, is private sector concern about legal liability for sharing information with the government and others in the private sector. This liability could emerge in several ways:

Direct liability: Companies fear that the very act of sharing could be a violation of law. In the United States, for example, a company may fear that sharing information with another private sector entity will violate the Stored Communications Act, which prohibits certain service providers from disclosing user information to others, including government officials.74 Similarly, in the European Union the Data Protection Directive would apply to information shared between private sector actors and the government.75

70 Threat information is shared with the private sector through: “U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).” https://www.us-cert.gov/nccic.
71 See, e.g., Tummarello, Kate. “Tech Industry Wants Surveillance Focus after ‘Big Data’ Report.” The Hill, May 1, 2014. http://thehill.com/policy/technology/205001-tech-industry-wants-surveillance-focus-after-big-data-report; Cain Miller, Claire, and Edward Wyatt. “Tech Giants Issue Call for Limits on Government Surveillance of Users.” New York Times. December 9, 2013. http://www.nytimes.com/2013/12/09/technology/tech-giants-issue-call-for-limits-on-government-surveillance-of-users.html.
72 See, e.g., Gross, Grant. “Defense Dept. wants to rebuild trust with the tech industry.” Computer World. April 23, 2015. http://www.computerworld.com/article/2914372/cyberwarfare/defense-dept-wants-to-rebuild-trust-with-the-tech-industry.html.
73 Gustin, Sam. “NSA Spying Scandal Could Cost U.S. Tech Giants Billions.” Time. December 10, 2013. http://business.time.com/2013/12/10/nsa-spying-scandal-could-cost-u-s-tech-giants-billions/.
74 18 USC § 2701 et seq; “Sharing Cyberthreat Information Under 18 USC 2702(a)(3).” US Department of Justice, 2014. http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/03/26/guidance-for-ecpa-issue-5-9-2014.pdf.


Indirect liability: A related concern is that in the process of sharing information, a company may reveal evidence that gives rise to unrelated liability. For example, after sharing information about incidents with one government agency, a separate regulatory agency might find evidence of a legal infraction, such as negligent behavior or violations of consumer protection regulations.

Antitrust liability: Companies may fear collaborating with other private sector entities due to the risk of such collaborations being deemed restraints against trade in violation of antitrust laws.

Of course, the legal risk faced by private sector entities will vary from country to country based upon the existing legal framework. However, we have observed these issues in several locations, including the United States and the European Union.

In addition to liability concerns, private sector entities are often worried that information sharing may lead to the disclosure of trade secrets or other competitively valuable information. For example, disclosure to a government entity may subject those records to public records requests, which may in turn lead to further investigations by government agencies or lawsuits by individuals.76 In addition, some companies view their approach to cybersecurity as a competitive advantage, which makes them less willing to share detailed information with others in the private sector.

These legal and competitive concerns have made information sharing more challenging. There have been some attempts at realigning the incentives in order to enable greater sharing. For example, recent proposals in the U.S. have tried to clarify the liability and create safe harbors for sharing information about cybersecurity incidents and threats with the government.77 That said, some industry experts believe that the most recent proposals will not sufficiently address these issues and will not be enough to change the current paradigm. Others have also questioned the degree to which the legislative proposals would enable the sharing of the types of information that would actually be useful for the government and private sector companies.78

The third challenge of information sharing is that of generating, transmitting, and understanding the information in an actionable manner. Both private and public entities often receive so much complex data that it is challenging to decipher, or they receive too little information. In either case, it can be difficult for decision-makers to act on information received. Due to the challenges of interpreting data, information can be unintentionally contradictory at times,79 which can be problematic when it’s necessary to attribute the source of a threat. In addressing cybersecurity, attribution can be very important for several reasons: first, by identifying who or what caused a particular incident (i.e., adversary or malfunction), an actor can choose from a variety of responsive tools; second, attribution can also reinforce deterrence against future attacks. However, attribution can be difficult in the cyber realm and it can often require coordination between public and private sector actors in cases with sophisticated adversaries.80 On several occasions, lack of coordination and incorrect attribution – as a byproduct of bad information sharing or not enough information – has led to negative consequences for companies and governments.81

Example attribution challenges:

United States: When Sony Pictures was hacked, one U.S. government agency reportedly declared the aggressor to be Democratic People’s Republic of Korea. At the same time, other U.S. government agencies were still unsure, and the public cast doubts on the reports.82

Turkey: In 2008 there was an explosion in Turkey on the Baku-Tbilisi-Ceyhan oil pipeline. Initially, Turkey called it a malfunction and the pipeline owner claimed it was a fire. It took six years before it was revealed to be a cyber attack, although the company and government likely knew more prior to the public disclosure.83

Iran: The Stuxnet virus that disrupted nuclear centrifuges in Iran was intentionally constructed to create confusion about attribution.84

75 See “Cybersecurity Strategy for the European Union: An Open, Safe and Secure Cyberspace.” European Commission, February 7, 2013. http://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf.
76 “Cyber Security Task Force: Public-Private Information Sharing.” Bipartisan Policy Center, July 2012. http://bipartisanpolicy.org/wp-content/uploads/sites/default/files/Public-Private%20Information%20Sharing.pdf.
77 See Johnson, Jeh. “Federal Cybersecurity Needs Improvement.” Politico. July 13, 2015. http://www.politico.com/magazine/story/2015/07/federal-cybersecurity-needs-improvement-120061.html#.VbZPxngWE2; Protecting Cyber Networks Act, H.R. 1560, 114th Cong. (2015-2016), https://www.congress.gov/bill/114th-congress/house-bill/1560.
78 See, e.g., Rosenzweig, Paul. “The Administrations Cyber Proposals – Information Sharing.” Lawfare, January 16, 2015. http://www.lawfareblog.com/administrations-cyber-proposals-information-sharing.
79 See, e.g., Zheng, Denise, and James Lewis. “Cyber Threat Information Sharing: Recommendations for Congress and the Administration.” Center for Strategic & International Studies, March 2015. http://csis.org/files/publication/150310_cyberthreatinfosharing.pdf; Inserra, David and Paul Rosenzweig. “Cybersecurity Information Sharing: One Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace.” The Heritage Foundation, April 1, 2014. http://www.heritage.org/research/reports/2014/04/cybersecurity-information-sharing-one-step-toward-us-security-prosperity-and-freedom-in-cyberspace; “Exchange Cyber Threat Intelligence: There Has to Be a Better Way.” Ponemon Institute, April 2014. http://content.internetidentity.com/acton/attachment/8504/f-001b/1/-/-/-/-/Ponemon%20Study.pdf; “Cyber Security Task Force: Public-Private Information Sharing,” Bipartisan Policy Center, July 2012. http://bipartisanpolicy.org/wp-content/uploads/sites/default/files/Public-Private%20Information%20Sharing.pdf.
80 See, e.g., Prince, Brian. “Cyberattack Attribution Requires Mix of Data, Intelligence Sources As False Flag Operations Proliferate,” Information Week Dark Reading, October 13, 2013. http://www.darkreading.com/government/cybersecurity/cyberattack-attribution-requires-mix-of-data-intelligence-sources-as-false-flag-operations-proliferate/d/d-id/1140592.
81 See Thursday, Kristen Eichensehr. “Cyber Attribution Problems—Not Just Who, but What.” Just Security, December 11, 2012. https://www.justsecurity.org/18334/cyber-attribution-problems-not-who/; Schneier, Bruce. “Attack Attribution and Cyber Conflict,” March 9, 2015. https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html.
82 Some of this played out publicly in the media. See, e.g., Schneier, Bruce. “Did North Korea Really Attack Sony? It’s too early to take the government at its word.” The Atlantic. December 22, 2014. http://www.theatlantic.com/international/archive/2014/12/did-north-korea-really-attack-sony/383973/; “Was FBI wrong on North Korea?,” CBS News. December 23, 2014. http://www.cbsnews.com/news/did-the-fbi-get-it-wrong-on-north-korea/; Altman, Alex and Zeke Miller, “State Department Insists North Korea Behind Sony Hack.” Time. December 31, 2014. http://time.com/3651171/sony-hack-north-korea-fbi/; Sanger, David and Martin Fackler, “NSA Breached North Korean Networks Before Sony Attack, Officials Say.” New York Times. January 18, 2015. http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?smid=tw-bna.
83 Robertson, Jordan and Michael Riley. “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar.” Bloomberg Business. December 10, 2014. http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.
84 Sanger, David. “Obama Order Sped Up Wave of Cyberattacks Against Iran.” New York Times. June 1, 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=1.


Even when attribution is not an issue, the information shared may be challenging to use in an actionable manner. Other challenges to use include:

Secrecy: Because of the nature of classified information, a government report about cyber threats might be stripped of useful information during the declassification process to such an extent that it is no longer useful for a private sector actor.

Timeliness: Many threats require real-time responses, but the process of collecting, identifying, and sharing the data may take too long for the data to still be actionable.

Empowerment: In order to respond, companies or governments need to have a designated person or team who is empowered to take action once information is received. In some cases such a person does not exist, does not have sufficient authority, or is not clearly identified to those who could share information.

b) Government Reorganization

As noted above, we observe a growing appetite for information sharing about cyber threats. However, in many cases the mechanisms and interface between the public and private sectors do not exist. In many practical ways, the lack of infrastructure to support information sharing has widened the trust gap.

In order to address this challenge, there have been recent experiments in constructing more effective interfaces. Recognizing the need for public-private collaboration in addressing cybersecurity, some of these experiments have taken the form of government reorganization at varying degrees of scale, including in the United States, France, Australia, and others.85 These reorganizations represent efforts at building public-private and public-public interfaces between the government and companies in the private sector, between particular agencies within the government with overlapping responsibilities, and between international governments. However, many of these cybersecurity initiatives are being developed within silos, without input from other stakeholders, or as “quick fixes” to temporarily fill gaps. They also place emphasis on some aspects of reorganization, such as agency-to-agency coordination, over other issues like improving existing interfaces with private sector stakeholders. This has led some experts to question whether these initiatives will ultimately be successful, whether they address the correct issues, and whether they serve the best interests of the private sector and the public at large.

Reorganization examples:

United States: In March 2010, the White House declassified the executive summary of its Comprehensive National Cybersecurity Initiative, which was aimed at strengthening the security of government and private sector systems through a series of initiatives.86 The full report remains classified. The U.S. Government Accountability Office (GAO) has written numerous reports since 2010 that question the effectiveness of the National Cybersecurity Initiative. The GAO notes that while the cybersecurity strategy has evolved over time, the U.S. government still “has not developed an overarching national cybersecurity strategy that synthesizes the relevant portions [of the Initiative] or provides a comprehensive description of the current strategy.”87 Among the key problems identified by the GAO are issues with public-private partnerships, which the GAO views as a critical component to the government’s strategy.

United States: In February 2015 the White House introduced a strategy to integrate disparate parts of the U.S. intelligence community through the Cyber Threat Intelligence Integration Center (CTIIC), a new center within the Office of the Director of National Intelligence responsible for integrating and coordinating the sharing of intelligence of threats across existing cyber centers within the government.88 According to experts, CTIIC is intended to serve as a one-stop-shop for government agencies within the intelligence community to share and access cyber intelligence information. Although CTIIC will provide the intelligence community with a single voice around cyber issues, it does not have any new authorities, it will not be involved in intelligence operations, and it is expressly prohibited from interacting with the private sector. The sole way for the government to interact with the private sector on cyber issues will continue to be through the existing authorities of particular agencies, like the Federal Bureau of Investigation and the Department of Homeland Security.

85 See, e.g., “Cyber Security Strategy,” Australian Government, 2011. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/AGCyberSecurityStrategyforwebsite.pdf; “France’s Strategy: Information systems defence and security,” Agence Nationale de la Sécurité des Systèmes d’Information, 2011. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/France_Cyber_Security_Strategy.pdf. See also “Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy,” OECD, 2012. http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf.
86 Nakashima, Ellen. “White House declassifies outline of cybersecurity program.” Washington Post. March 3, 2010. http://www.washingtonpost.com/wp-dyn/content/article/2010/03/02/AR2010030202113.html.

Beyond these U.S. examples, other industry observers have noticed similar patterns in the strategies created by other countries. For example, the OECD report on cybersecurity in 2012 notes that “the level of detail with regards to whether and how governments engage into a multistakeholder dialogue varies, with many strategies providing little or no details on this aspect.”89 The report also suggested that non-governmental stakeholders felt there could be improvements in multistakeholder collaboration and cooperation with governments in the development of cybersecurity strategies. According to the report, “greater emphasis on enhanced consultation and co-operation with business could help governments find the appropriate balance between sovereignty and economic and social cybersecurity.”90

Experts and government insiders have questioned whether national strategies and ad-hoc initiatives such as the U.S. CTIIC are focused on the most pressing issues and positioned to scale up to the needs that will likely arise in the future.91 Although these reorganizations are an attempt to build relationships between public and private entities, experts have noted that many of these initiatives are developed without widespread public debate or consultation with the private sector. As a result, the programs that emerge from the initiatives are not designed in ways that bring together the public and private sectors but instead add more fragmentation within relationships between the government and private sectors.

87 “A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges: Testimony Before the Committee on Commerce, Science, and Transportation and the Committee on Homeland Security and Governmental Affairs, U.S. Senate.” United States Government Accountability Office, March 7, 2013. http://www.gao.gov/assets/660/652817.pdf.
88 “Presidential Memorandum – Establishment of the Cyber Threat Intelligence Integration Center.” The White House, February 25, 2015. https://www.whitehouse.gov/the-press-office/2015/02/25/presidential-memorandum-establishment-cyber-threat-intelligence-integrat.
89 “Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy,” OECD, 2012. http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf.
90 Ibid., 47. Additionally, in some cases consultation with civil society may also be beneficial. For example, there has been significant civil society backlash in France to its recent intelligence reorganization, which creates a new National Commission for Control of Intelligence Techniques (CNCTR) to coordinate data sharing among agencies and oversee the collection of significant amounts of Internet metadata. See “French Parliament Approves New Surveillance Rules.” BBC. May 6, 2015. http://www.bbc.com/news/world-europe-32587377.
91 See, e.g., Bejtlich, Richard. “What are the prospects for the Cyber Threat Intelligence Integration Center?.” Brookings Institution, February 19, 2015, http://www.brookings.edu/blogs/techtank/posts/2015/02/19-cyber-security-center-bejlich.

c) Balancing Cybersecurity and Government Access to Information

The challenge of trust between public and private entities has recently created significant tension regarding government access to data. In response to cybersecurity and privacy concerns, a number of consumer-facing companies within the private sector, including Apple and Facebook, are deploying software with strong end-to-end encryption enabled by default in their mobile products.92 The keys needed to decrypt the data are tied to user passwords and stored locally on the devices. The result is that these companies are technically incapable of providing law enforcement with much of the communications data generated by users, which is often called “going dark.”93 The deployment of such technology has sparked a contentious debate between members of the private sector, law enforcement, and others within the government. At issue is the ability of law enforcement and intelligence agencies to obtain unencrypted communications that they are lawfully entitled to access. The outcome of this debate may have profound implications for the ability of companies, and their consumers, to use specific types of security measures.

Company examples:

Apple: In late 2014, Apple announced its mobile operating system would feature end-to-end encryption enabled by default.94

Google: Not long after Apple’s announcement, Google announced that its Android operating system would also enable end-to-end encryption by default, though it appears not to have implemented this plan yet.95

WhatsApp: The Facebook-owned cross-platform mobile messaging software implemented end-to-end encryption in November 2014.96

Country examples:

U.S. Federal Bureau of Investigation: The FBI has expressed concerns about companies “going dark” by implementing end-to-end encryption, which the Bureau sees as a major impediment to investigations.97

United Kingdom: Prime Minister David Cameron has publicly called for the introduction of backdoors into encryption technologies by companies, following the Charlie Hebdo terrorist attacks in early 2015.98

China: The People’s Republic of China adopted legislation in recent months that experts believe will mandate that companies provide the government with access to data.99

Not all government actors oppose the use of encryption; in a recent report, the UN Special Rapporteur on Freedom of Expression called it essential to the protection of free speech and access to information.100 Among those that do oppose its use, their primary concern is that it inhibits their ability “to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority.”101 Moreover, they believe strongly that “if there is no way to access the data, encrypted systems and data, we may not be able to identify those who seek to steal our technology, our state secrets, our intellectual property, and our trade secrets,” thereby creating a safe haven for lawlessness.102 As a solution, in the United States, for example, law enforcement agencies and other members of government have lobbied legislators for legislative solutions that mandate companies to provide the government with access to the data, which would require alterations to their encryption systems.103 Although some law enforcement actors have raised strong concerns over the use of encryption, other experts have expressed doubt about how prevalent encryption will become in the future or how much it in fact hinders the ability of the governments to conduct intelligence operations, criminal investigations, and prosecutions.104

92 Sanger, David and Brian Chen. “Signaling Post-Snowden Era, New iPhone Locks Out NSA.” New York Times. September 24, 2014. http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html; Kuchler, Hannah. “Tech companies step up encryption in wake of Snowden.” Financial Times. November 4, 2014. www.ft.com/cms/s/0/3c1553a6-6429-11e4-bac8-00144feabdc0.html. Google has appeared to back down from its initial promise to offer end-to-end encryption on Android devices. Compare Timberg, Craig. “Newest Androids will join iPhones in offering default encryption.” Washington Post. September 18, 2014, http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/ with Andrew Cunningham. “Google Quietly Backs Away From Encrypting New Lollipop Devices By Default.” Ars Technica. Mar. 2, 2015. http://arstechnica.com/gadgets/2015/03/google-quietly-backs-away-from-encrypting-new-lollipop-devices-by-default/.
93 “Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it “Going Dark,” and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so. . . . There is a misconception that building a lawful intercept solution into a system requires a so-called ‘back door,’ one that foreign adversaries and hackers may try to exploit. But that isn’t true. We aren’t seeking a back door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by the law.” Comey, James B. “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?” Speech, Brookings Institution, Federal Bureau of Investigation, October 16, 2014. http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course.
94 Sanger, David and Brian Chen, “Signaling Post-Snowden Era, New iPhone Locks Out NSA.” New York Times. September 24, 2014. http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html; “iOS Security Whitepaper.” Apple, n.d. https://www.apple.com/business/docs/iOS_Security_Guide.pdf.
95 Timberg, Craig. “Newest Androids will join iPhones in offering default encryption, blocking police.” Washington Post. September 18, 2014. https://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/.
96 Greenberg, Andy. “Whatsapp Just Switched On End-to-End Encryption for Hundreds of Millions of User.” Wired. November 18, 2014. http://www.wired.com/2014/11/whatsapp-encrypted-messaging/.
97 Comey, James B. “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?” Speech, Brookings Institution, Federal Bureau of Investigation, October 16, 2014. http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course.
98 Mason, Rowena. “U.K. spy agencies need more powers, says Cameron.” The Guardian. January 12, 2015. http://www.theguardian.com/uk-news/2015/jan/12/uk-spy-agencies-need-more-powers-says-cameron-paris-attacks; Temperton, James. “No U-Turn: David Cameron Still Wants to Break Encryption.” Wired. July 15, 2015, http://www.wired.co.uk/news/archive/2015-07/15/cameron-ban-encryption-u-turn (“The UK government still wants to fundamentally undermine encryption in the name of national security . . . .”).
99 “China adopts new law on national security.” Xinhua News. July 1, 2015. http://news.xinhuanet.com/english/2015-07/01/c_134372966.htm.
100 See: UN Human Rights Council. “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye”. Twenty-ninth session, A/HRC/29/32. http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session29/Documents/A.HRC.29.32_AEV.doc
101 Comey, James B. “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?” Speech, Brookings Institution, Federal Bureau of Investigation, October 16, 2014. http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course.
102 Ibid.
103 Mason, Rowena. “U.K. spy agencies need more powers, says Cameron.” The Guardian. January 12, 2015. http://www.theguardian.com/uk-news/2015/jan/12/uk-spy-agencies-need-more-powers-says-cameron-paris-attacks; Comey, James B. “Going Dark: Are Technology, Privacy, and Public Safety on a Collision Course?” Speech, Brookings Institution, Federal Bureau of Investigation, October 16, 2014. http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course.

A large number of private sector stakeholders stand in opposition to such proposals. They have urged executive and legislative branches to reject proposals that “deliberately weaken the security of their products,” stating that encryption protects individuals “from innumerable criminal and national security threats.”105 Any legislative scheme that requires companies to maintain the encryption keys “makes those products less secure against other attackers,” undermining cybersecurity, economic security, and human rights around the globe.106 These concerns are not theoretical. For example, in 2011 RSA, a security-focused subsidiary of U.S. company EMC, was breached in a sophisticated attack that compromised the seeds used to generate keys for its encryption products.107 The breach was then used to compromise RSA’s encryption used by other companies, including U.S. defense contractors, to exfiltrate product designs and schematics.108 For that reason, weakening encryption risks not only communications, but also economic and intellectual property assets. According to U.S. Deputy Secretary of Defense, William Lynn, “although the threat to intellectual property is less dramatic than the threat to critical infrastructure, it may be the most significant threat that the United States will face over the long term.”109 The same threat faces companies around the world.

New rules that prevent or restrict the use of encryption would also pose other challenges. In the 1990s, when the U.S. and Europe imposed stringent restrictions on the export of products with encryption, the U.S. National Research Council argued that export controls were negatively impacting the ability of U.S. technology companies to compete on a global scale, as many customers abroad sought products that could provide embedded security protections through encryption.110 The 1996 report they published – Cryptography’s Role in Securing the Information Society – influenced the policy debate, and the White House ultimately lessened the restrictions on export and adopted other policies in favor of allowing widespread use of encryption. Around the same time, the European Union took a similar stance and loosened its restrictions on exports. In the wake of the most recent debates, the authors of the National Research Council report revisited the issues in a July 2015 report – Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications – arguing that “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have 20 years ago.”111 The report notes that, in addition to the serious security challenges posed, a change in policy around encryption would be exceedingly expensive for private sector companies to implement and would likely chill innovations – “if all information applications had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist.”112

104 See e.g., Ashkan Soltani. “Why Apple’s Claim That It Can’t Intercept iMessages Is Largely Semantics.” Ashkan Soltani, October 21, 2013. http://ashkansoltani.org/2013/10/21/why-apples-claim-that-it-cant-intercept-imessages-is-largely-semantics/.
105 “Letter to President Obama from Civil Society Organizations, Companies & Trade Associations, and Security & Policy Experts,” May 19, 2015. https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf.
106 “Letter to President Obama from Civil Society Organizations, Companies & Trade Associations, and Security & Policy Experts,” May 19, 2015. https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf.
107 Coviello, Arthur. “Open Letter from Arthur Coviello, Executive Chairman, RSA, Security Division of EMC, to RSA customers,” March, 2011.
108 Poulsen, Kevin. “Second Defense Contractor L-3 ‘Actively Targeted’ With RSA SecurID Hacks.” Wired. May 31, 2011. http://www.wired.com/2011/05/l-3/.
109 Lynn, William. “Defending a New Domain.” Foreign Affairs, no. September/October 2010 (n.d.). https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain.
110 Dam, Kenneth, and Herbert Lin. Cryptography’s Role in Securing the Information Society. Washington, D.C: National Academies Press, 1996.

As countries like the U.S., U.K., and China consider proposals that will affect the private sector’s ability to implement strong end-to-end encryption, the issues raised in these debates will only become more pressing.

3. Conclusions and Core Observations

A number of observations and potential opportunities for the Forum and the FII emerge from these themes. In general, there is a greater need for more coordination and collaboration between the public and private sectors. Although there are many examples of collaboration already occurring, we observe that there is still a significant trust gap between both sides that is impeding more organized and centralized efforts. Ultimately, more trust is needed between these sectors in order to facilitate open conversations between the groups.

First, the Forum and the FII have an opportunity to facilitate discussions with private and public actors around how to improve the current channels for information sharing. As noted above, there is a growing appetite within the private sector for more information sharing. However, the current channels for receiving and sending information to others are sub-optimal, particularly those between the public and private sector. Foremost, the lack of trust between these groups is a significant challenge, and given negative public perception, there is an opportunity for the Forum to facilitate conversations aimed at determining appropriate pathways for reestablishing trust.

Beyond the issue of trust, there remain a number of key questions that must be addressed in order to improve how information is shared. For instance:

- Determining the optimal scope of information that should be shared.

- Identifying the audiences with whom information should be shared.

- Coordinating the mechanisms for sharing information across organizations.

- Identifying and constructing the channels needed to reach the right people within private sector organizations with information that is actionable, and those empowered to act upon such information.

111 Abelson, Harold, Ross Anderson, and Steven Bellovin. “Keys Under Doormats: Mandating Insecurity By Requiring Government Access to All Data and Communications.” MIT CSAIL Technical Report, July 6, 2015. http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8.

112 Abelson, Harold, Ross Anderson, and Steven Bellovin. “Keys Under Doormats: Mandating Insecurity By Requiring Government Access to All Data and Communications.” MIT CSAIL Technical Report, July 6, 2015. http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8.


The Forum and the FII are well placed to convene experts to identify the key elements and best practices for sharing information. As the WEF Cybercrime Project Plan notes, information-sharing interactions could extend beyond sharing information about threats and incidents, to things such as enhancement of existing regulation, guiding principles and tool kits, best practices, joint operations, and research. The Forum and the FII could help create such opportunities for knowledge exchange, facilitating the design and implementation of information sharing platforms or hubs to effectuate such sharing.

Second, there are opportunities for private sector actors to be more involved in shaping national and supra-national cybersecurity strategies as well as ad-hoc efforts to improve certain interfaces between the government and private sectors. These interfaces are critically important, but many of the new strategies and initiatives do not seem to prioritize their improvement or describe their plans in any great detail. What seems to be missing are concerted plans by the government to improve these working relationships in practice. Rather, what has emerged in some cases is an increase in bureaucracy that is not meeting the most pressing needs of the private sector. In some cases, it does not seem particularly clear that the government understands which aspects of the working relationship with the private sector are successful, and which are not. This presents an opportunity for the Forum and the FII to convene government and private sector stakeholders to distill needs and issues from current approaches, and identify opportunities where the government’s reorganization efforts can be improved, particularly as it relates to its interactions with the private sector.

Third, important debates are ongoing around the ability of companies to implement strong encryption in their products and the ability of governments to gain access to user data held by those companies. On the one hand, the companies have a genuine interest in securing the technologies they offer to the public. Encryption plays a key role in protecting user data against cyber-crime and attacks from a wide range of adversaries, including foreign governments. On the other hand, the companies’ advertising-based business models, based on the collection of their users’ data, disincentivize extensive use of encryption or the minimization of the data they collect in the first place. Moreover, governments are increasingly encountering encryption that prevents them from analyzing data that they are lawfully entitled to access. Government officials are concerned that this will inhibit their ability to stop terrorist attacks and prosecute criminals. At the heart of this debate are some difficult questions about the delicate balance between security and privacy, and the outcome will likely have far-reaching effects. While the debate is ongoing within particular countries, such as the U.S. and U.K., it is likely to have broader international implications. There is an opportunity for the Forum to convene and facilitate discussions between stakeholders from government and private sector communities to understand the scope of the problem, key challenges, and potential solutions. At present, these stakeholders seem to be talking past one another, perhaps fueled by the lack of trust noted earlier. But by bringing together the stakeholders, the Forum may be able to facilitate a common understanding around the core issues in the debate.

III. Opportunities for Engagement

A. Data Localization


- Build relationships between the ICT sector and sectors (such as finance) that are experienced in dealing with diverse national regulatory regimes.

- Integrate indicators of data localization and fragmentation as a component of WEF analyses and reports.

- Help the Global South better understand the risks, costs, and benefits of various data localization initiatives.

- Improve the tools for measuring the economic impact of localization efforts.

- Support the development of tools that address governmental aims (law enforcement, ensuring privacy, etc.) without threatening the fundamental structure and operation of the underlying networks.

- Support the drafting of better legislation through knowledge sharing and capacity building, so that countries can better avoid unintended secondary effects.

B. National and Regional Digital Strategies

- Convene countries and regions that have developed digital strategies in order to identify lessons learned, share observations, and develop a set of best practices.

- Assist in the research and development of a comprehensive set of best practices for the development of effective digital strategies, and leverage Forum resources to share those best practices with countries and regions that could utilize those best practices in developing their own digital strategies.

- Support the use of public-private partnerships in the development and implementation of digital strategies.

- Assist in the development of measures of effectiveness, both for determining how effective countries and regions are in implementing their agendas and for determining how effective those measures are in bringing about the intended outcomes. Once metrics for effectiveness are developed, help countries and regions optimize their strategies.

C. Improving Internet Deployment

- Use the Forum’s existing survey and outreach tools to explore the relationship between policies and Internet deployment in order to identify effective and limiting policies.

- Identify and support the research of key case studies for conducting a deep exploration of the factors that lead to effective Internet deployment and use.


- Assist in conducting in-person survey research in key countries in order to better understand the obstacles for effective Internet use and the needs of end users.

- Leverage extensive relationships with policymakers to ensure that the existing educational tools are effective and reach the necessary individuals.

- Assess the educational tools and resources necessary for ensuring that users can make the most effective use of Internet access, and assist Forum members in developing new tools to address the gaps.

- Develop best practices and standards for zero-rating services.

- Help Forum members ensure a match between technologies being deployed and the needs of citizens and policymakers.

D. Cyber-crime

- Facilitate discussions between private and public actors with a focus on improving the current channels for information sharing.

- Work to establish trust between stakeholders through facilitating working groups that can find solutions to “low-hanging fruit” and less politically charged or controversial issues.

- Convene experts and stakeholders to define and organize new models for sharing information that extend beyond threats and incidents to issues such as enhancement of existing regulation, guiding principles and tool kits, best practices, joint operations, and research.

- Support research into needs assessments for both public and private actors to determine gaps in existing government organizational structures that inhibit or constrain opportunities for public-private information exchange.

- Facilitate dialogue on balancing cybersecurity needs and law enforcement access to data.
