Expert Speak Digital Frontiers
Published on Oct 26, 2020
Digital Sovereignty in a Time of Conflict

The architecture of the internet is changing as the concepts that underpin its technology also change. While the term ‘ideology’ can have negative connotations, it has a neutral meaning when referring to the framework of ideas and beliefs that guide internet decision-making.<1> The change is in the expansion of government control of network activities—sovereign control.  The risk from the expansion of sovereign control is not ‘balkanisation’ or technological fragmentation, not many separate internets, but a fragmentation of governing concepts, where the underlying technical protocols still support global connectivity, but this connectivity is overlaid with many uncoordinated and often dissonant rules for data, privacy and security driven by different and competing political agendas over what rights should be accorded to individuals.

The issue is not to prevent this ‘balkanisation’ but to manage it. Current efforts, both private and in multilateral institutions, are inadequate. The problem is compounded by larger international changes, where the US-led post-1945 order is in disarray and faces powerful challengers. The lack of adequate mechanisms for cooperation among states on the ‘rules’ for cyberspace—and this goes well beyond cybersecurity—is a major impediment for managing balkanisation.

The internet was commercialised soon after the end of the Cold War. Commercialisation, when the US government gave up its role as funder and controller of the Domain Name System, came at a time of economic deregulation, particularly in telecom, and a widespread belief that governance would follow the norms of market democracies and the role of government would shrink in a world where the antiquated “weary giants of flesh and steel” were unnecessary.<2> American values of open markets and free speech (shared by many, but not all countries) shaped the internet’s governance from the start and guided those who built its technology.

It is easy to mock these views, but not too long ago, they were enormously powerful and were part of a larger millennial utopianism that possessed many technocrats and some analysts of foreign policy. They shaped, and continue to shape, policies on encryption, privacy and authentication of identity in ways that often work against sovereign control. New technologies—artificial intelligence and data analytics, with their need for immense troves of data, and “cloud” infrastructures, which scatter data and services across continents—produce immediate tensions with the expansion of sovereignty.

The belief that cyberspace is a borderless commons is nonsense and only worth mentioning because some still believe it. The speed of internet connectivity gives the illusion that there are no borders, and the prevalent ideology reinforced this. However, cyberspace depends on a physical infrastructure entirely under the sovereign control of a state. The issue before us is not how to preserve an illusory commons but how to shape state action in extending regulation in ways that minimise damage to global connectivity and recognising that the interests of all nations do necessarily coincide.

What Drives Balkanisation

Terming the assertion of sovereign control ‘balkanisation’ fails to recognise the concerns that drive nations to extend sovereignty. The internet provides new and unparalleled opportunities, but this comes at a price we did not recognise at the start. The internet—for all its many benefits—erodes privacy, security is noticeably lacking, and tech giants stalk the earth with scant regard for governments. Few governments will now accept this. The shortcomings in the original, laissez faire approach when it came to protecting privacy and security remain central problems and impel governments to play a greater role to protect their citizens.

The internet serves a global population, with different values and different expectations regarding the role of government. This change in values and expectations took about a decade to come about.  In 2000, there was no Facebook or other social media, and Google was a tiny startup. By 2010, the internet had become the central global infrastructure of importance to commerce, finance and security. It created new and powerful social forces that test political stability. In response, countries began to assert sovereign control, making internet policy a new political arena for disputes within and among states.

These disputes are reinforced by concerns over anti-competitive behaviour by a few large companies (American and Chinese) that dominate the market<3> , and there is global discomfort with the oversized role of American firms. There is some irony in this, since the people who object to US tech dominance often rely on the services American firms provide. But the risks to privacy and security, combined with the erosion of national sovereignty from transnational connectivity, leads national governments to seek greater control of what is used within their borders.

The trend for the last decade has been the steady extension of sovereign control into cyberspace, as nations have found the laissez faire approach developed in the 1990s too weak. This laissez faire approach was appropriate at the onset of the internet’s commercialisation, as the US sought to shelter the fledging industry and accelerate its growth. Indeed, a regulation-heavy model could still throttle development and still poses a risk of slowing growth, but these risks are not always appreciated and as the internet turned into the most important global infrastructure, the laissez faire approach developed three decades ago is seen as inadequate.

There is an understandable and reasonable fear that moving from the original governance structure will damage the economic potential of the internet. A good case can be made that regulation, the chief tool for extending sovereign control, slows growth and innovation. Europe missed the tech boom, and while there are many reasons for this, overregulation is one.  However, between the two poles of laissez faire and overregulation there is a middle ground, and the task for policy analysis is to identify if there are ways to meet legitimate concerns without damaging the prospects for continued innovation and growth.

Balkanisation is a Symptom of Larger Conflicts

More importantly, the internet has become a primary arena for an intensifying contest between China, Russia and Iran on one hand, and the democracies on the other. There is some desire in the internet community not to admit this, since the conflict undercuts the belief in uninterrupted global connectivity and value of agreement (the current UN discussions can resemble the work on the Kellogg-Briand Pact<4> , which imprudently agreed to outlaw war as a tool of international affairs). The internet’s political transition takes place in the context of this larger shift in international relations as the post-1945 order disappears. There are obvious challengers in authoritarian regimes that would prefer a more government-centric internet.

China and Russia are often accused of seeking to splinter the internet. This misstates their objectives. They do not wish to create a new separate internet, they wish to control the existing internet through its governance structure, and cite a desire to protect national sovereignty and remedy the demonstrable weakness of the current arrangement in providing security as reasons for moving away from the 1990s governance regime.<5> These arguments resonate with some countries—in Europe because of a widespread belief that American tech giants have a cavalier attitude towards privacy, and in non-western countries because they find the tech giants to be unresponsive.

The internet and the digital world have never been truly open or free. The tech giants exercise quasi-government powers. It is worth recalling that internet search engines already filter results, usually without the users’ knowledge, so what you see know is only a fraction of what is publicly available.<6> Users are in effect confined to digital provinces determined by language and location. China had planned from the start to design its global internet connections to ensure control and avoid political risk. Russia and Iran follow China’s example, and the spectre of the Arab Spring and the Colour Revolutions drive their efforts and those in other countries to constrain individual rights online.

The argument that countries should accept political risk to maximise global economic returns that accrue mainly to Chinese and American companies is unpersuasive. Disparate governance regimes and the absence of an effective global mechanism for policy coordination increases instability. The concern over balkanisation comes at a time when global institutions are weakening generally and the tools for collective international action are fracturing. These institutions depended on a powerful transatlantic core that, with Japan, formed the ‘West’.  The last two decades have not been kind to the US, and Europe’s decline predates the US’ woes. Power has flowed from the transatlantic core as Europe’s economic and military strength declines and as US strategic incoherence increases.

There are still no substitutes for the West, however. The decline of the US does not mean the rise of China. China’s peculiar blend of an ethnic one-party state is not a substitute for international consensus. The UN, in its current incarnation, is simply too weak to impose order.  Perhaps, it can nurture it, but in the past, this has required a degree of comity among the great powers, usually resulting in some kind of binding international commitment, like those that created the International Monetary Fund, the International Telecommunications Union or the International Atomic Energy Agency. Disparate governance regimes increase instability, but this reflects the instability produced by competition among powerful states.

The most likely effect of balkanisation is an increase in ‘friction,’ inefficiencies produced by politically constrained connectivity. How hard will it be to connect as sovereign rule increases?  There are precedents. Countries have their own currencies, and there are costs to using them in other countries, but it is not impossible. Countries have national telecom service providers, but you can call from one country to another for a fee. The most likely change from the extension of sovereignty is this increase in friction, making it harder and more expensive to connect across borders.

Accommodating Digital Sovereignty

Faced with these pressures, change is inevitable. We are, in effect, redefining the ideology of the internet, the core concepts that underpin its governance and architecture. There is little consensus on how to do this, but if there is an alternative, it is the slowly emerging contours of the idea of digital sovereignty. This redefinition must start with a less-romanticised view of cyberspace. While the long-term goal for most states is to ensure privacy, security and individual rights in this new space, the immediate goal is to accommodate the concerns of states to protect their citizens without sacrificing fundamental freedoms.

The key concept for a new internet ideology is digital sovereignty. Digital sovereignty is the right of a state to govern its network to serve its national interests, the most important of which are security, privacy and commerce.<7> States impose national law and regulation upon networks and services to reduce risk and ensure opportunities for their citizens and, in unpopular regimes, to reduce political risk. The problem with this national approach is that the internet and its underlying architecture are global by design and function. A complex web of commercial connections and technical dependencies underpin what we call cyberspace. It is not an aggregate of national networks but a system whose boundaries follow the logic of networks and markets, not politics. It was not designed or built to respect borders. To be effective, sovereign control must be extended beyond a state’s physical borders, making it extraterritorial. But extraterritorial measures are never popular with other countries, and there are neither precedents for imposing extraterritorial control over online content and connectivity nor mechanisms to negotiate an agreement on common rules.

The most salient of these efforts to extend digital sovereignty is the General Data Protection Regulation (GDPR). The European Commission has global ambitions in issuing the GDPR. The GDPR has been influential and has inspired similar rules in Brazil and California.<8> As a result of the GDPR, the European Union (EU) now drives global privacy policy, and the GDPR is the first in a suite of actions that include enquiries on anti-competitive behaviour and tax policy for non-European service providers.

While the European Commission remains very respectful of the multistakeholder internet governance model, it is also moving to establish a regulatory framework for companies that operate in Europe, even if they are not physically located within its territory. This is a new model of extraterritorial reach driven by the ‘app economy’ where services are built in one nation, distributed globally and consumed in ‘third countries’. Those third countries must find ways to extend their jurisdiction to these third-party services (the US’s ‘capture’ of TikTok is another example of this).

Data localisation—government measures that compel companies to store digital data locally within their jurisdiction—is the sovereign response to transborder connectivity. It does not mean that the internet will be ‘broken’. Almost 80 countries (including the EU) have passed laws that restrict the flow of data across borders.<9> Personal data represents the most common form of data that countries restrict from leaving their borders, followed by financial and accounting data, government data (including some public records, defence-related data) and tax data (especially VAT-related). The enforcement of these laws varies by country. Data localisation need not result in balkanisation, but it will complicate companies’ business models and likely slow overall growth. The costs of data localisation fall first on companies with a global presence. The long-term opportunity cost is that newer or smaller firms may lose opportunities to service a global market.<10>

Balkanisation is unlikely because it is costly. The costs from the damage to connectivity and commercial interests that would result from true balkanisation will deter most countries. A nation could impose new technical standards or protocols for network connectivity, as China has proposed,<11> and if adopted by many countries, this would ‘fracture’ the global internet, but only at serious economic cost, something that is likely to deter widespread adoption (unless it is coerced, perhaps as a requirement for Chinese investment).

Greater sovereign control, if it is badly designed, means that countries will not extract the full economic benefits from digital connectivity. Other priorities (security, privacy, sovereignty) will trump income. Countries will make a political decision to balance the economic cost of regulation against the benefits of privacy and security, but none will decide on actions that lead to major fracturing. The precedent here is China. China’s users are denied access to valuable information (Chinese researchers complain of this) and have a strange view of events that the Communist Party distorts to serve its interests. But this does not prevent Chinese companies from doing business. China is an extreme example.

Data localisation laws that require that citizens’ personal data or accounting records be stored or processed within the country became more common after 2010. However, most laws that impose restrictions on international data transfers allow data transfers provided certain conditions are met. Examples include explicitly requiring the consent of the data subject or restricting export to countries that have laws ensuring ‘adequate data protection’. Data localisation laws can be a barrier to companies expanding their international presence, and some companies often lack the personnel, financial and legal resources to develop compliance strategies. However, many governments see trading some potential growth for greater protection of sovereignty as a reasonable exchange.

Mechanisms to Reshape Cyberspace

The trends reshaping the digital world—decoupling, regulation, militarisation and mistrust—are symptoms of larger international problems—the resurgence of nationalism around the world, the declining power of global institutions and the growing conflict with authoritarian powers. But just as nations can have different political systems or even different cuisines and still do business with each other, the internet will continue to serve as a platform for global connectivity. Airspace is split along national lines, but international air travel remains possible, in part because there are international agreements on standards and safety, under the auspices of a UN organisation.

The lack of a strong mechanism to coordinate and guide national actions is a central problem for reducing friction and managing the spread of sovereign controls. The UN, the logical place to locate such a mechanism, is itself in crisis. The UN Secretary General’s High-Level Panel<12> was an effort to remedy this, but it has structural issues and its report and the work following its release have not gained traction. The competing powers have suspended meaningful security dialogues. Arms control and disarmament is eroding as international tensions increase. The ‘militarisation’ of cyberspace is a symptom of these increased tensions, and treating the symptom rather than the cause will not lead to an improvement. If the likelihood of armed conflict is increasing, which country will disarm? Creating peace institutes or having concerned netizens call for peace does not address the fundamental problem that authoritarian states seek to reshape global rules and institutions to better server their interest, reduce Western influence and shrink the space of free expression at a time when its defenders are enfeebled.

There is a real risk that the democratic principles and values that guide it now will be devalued online as global politics is restructured. This is not inevitable, but it is more likely to occur if we rely on appeals to the concepts of the past to defend the existing multi-stakeholder structure.  A more persuasive narrative for a global audience is needed. It was reasonable to argue that the laissez faire approach to the internet, which maximises economic returns, was best but only when it was embedded in a larger framework of understandings and shared values for international relations. Now that this larger framework has fractured, appeals to commercial advantage or accelerated innovation will be unpersuasive as countries consider the trade between the constraints that sovereign control requires.

The situation is difficult, not hopeless. Building a mechanism for coordination in cyberspace is a first step. This would first need to be a mechanism composed of like-minded states. Privately funded initiatives lack legitimacy. The Paris Call for Trust and Security in Cyberspace, although a valiant effort, lacked political substance and had procedural problems—one of the major powers declined to sign after being given a ‘final’ text a week in advance for review. The text itself was not compelling because it did not address the central problem of international conflict over democratic values and individual rights. Any effort that fails to win support from India, the US, Russia and China cannot be called a success.

If the Paris Call is a precedent, it is unfortunate, but it offers instructive lessons. In 1915, concerned about the First World War, Henry Ford purchased a ship (informally christened the ‘Peace Ship’), assembled a group of clergy and academics (ancestors of today’s multistakeholder community) and set sail for Europe to press the case for peace. The warring powers received Ford and his compatriots coldly, if at all, and the press ridiculed his effort. Well-meaning private efforts carry insufficient weight when the central interests of great powers clash, and attempting to restore an earlier age of apparent digital peace can no longer succeed.<13>

However, it is not 1915. These precedents are imperfect. There is already extensive conflict in cyberspace, but it has not yet caused death<14> or destruction. To avert the reception afforded the Peace Ship, three things are needed—recognition of the true nature of cyber conflict and the powerful political disagreements that drive it; the limited space for agreement between opponents; and the absence of effective mechanisms for achieving any reduction in conflict or tension even among like-minded nations. This international conflict drives balkanisation as much as national desires for digital sovereignty to remedy shortcomings in privacy and security.

It is possible to manage risk on the internet without closing off commercial opportunity or expanding restrictions on human rights like free expression. One option is for countries to allow access to commercial information, while restricting access to politically-sensitive information.  China was an early master of being open for business and closed for politics, which is difficult but not impossible (at least in the near term). The development and availability of technologies that allow government to exercise greater authority in content and surveillance are increasingly easy to come by.

This does not mean that this kind of cyber sovereignty is a desirable outcome, however, particularly for those who see the internet as a tool for expanding fundamental freedoms. And ill-conceived approaches to digital sovereignty will harm innovation and economic growth. It is not that balkanisation is increasing, it is that freedom online and off is shrinking. The vision of the internet as a vehicle for personal freedom and individual rights is only over if we fail to work together. Some balkanisation is unavoidable, if by this we mean the establishment of regulatory boundaries, but a core group of democracies can guide this to address the challenges to privacy, security and commerce while preserving, at least in their own sphere, fundamental rights.

This conflict takes place in the context of political changes the internet has helped create.  Citizens now expect to have free access to information and see access to information as a fundamental right. Democratic political discourse is under pressure from the boost to extremism and polarisation that the internet provides. It is likely that the internet’s easy access reinforces nationalism and populism (although we do not wish to overestimate this effect). But it is essential to remember that the same pressures apply to non-democratic states that are ultimately less able to deal with them. The internet increases the fragility of authoritarian states and their efforts to minimise this should not be allowed to shape any new internet architecture and ideology.

It would be useful to articulate a new ideology based on principles that respect not only sovereignty but also individual rights. A second step is to develop a robust, formal mechanism for cooperation among like-minded democracies and use this as a platform to negotiate to avoid risks of damage from balkanisation while meeting the legitimate concerns that are reshaping the internet.

This mechanism cannot be a global effort, at least at first. For the foreseeable future, the world is fracturing along political lines and the internet will follow suit. Any new mechanism must exclude those who are not demonstrably committed to fundamental rights. Seeking consensus with the authoritarians is a waste of time. The internet in its initial ideology had an ideal of personal freedom at its core, making it the ultimate child of the Enlightenment and its emphasis on individual rights. The choice before us is not to prevent balkanisation but to manage it to collectively defend the internet as a space for individual action—in speech, in data and in innovation.


<1> Pamela Zave and Jennifer Rexford, “The compositional architecture of the Internet” (paper presented at Conference’17, Washington, DC, USA, July 2017).

<2> John Perry Barlow, “A Declaration of the Independence of Cyberspace,Electronic Frontier Foundation, February 8, 1996.

<3>Parmy Olson, “European Regulators Target Big Tech Companies,Wall Street Journal, January 20, 2020.

<4>The Kellogg-Briand Pact, 1928”, Office of the Historian.

<5> Sarah Rainsford, “Russia internet: Law introducing new controls comes into force,BBC, November 01, 2019.

<6> Simon Ensor, “How to escape Google’s filter bubble,Search Engine Watch, August 18, 2017.

<7> Tambiama Madiega, Digital Sovereignty for Europe, (European Parliamentary Research Service, July 2020).

<8> Bart Van den Brande, “Data protection laws inspired by GDPR are spreading across the world. Is New York next?”, Lexology, September 12, 2019.

<9> William Alan Reinsch, “A Data Localization Free-for-All?”, The Center for Strategic and International Studies, March 9, 2018.

<10> Leviathan Security Group, Quantifying the Cost of Forced Localization, (Leviathan Security Group, 2015).

<11> Madhumita Murgia and Anna Gross, “Inside China’s controversial mission to reinvent the internetFinancial Times, March 27, 2020.

<12>Secretary-General’s High-level Panel on Digital Cooperation”, United Nations, June 11, 2020.

<13> University of Michigan, The Peculiar Case of Henry Ford, (University of Michigan, Michigan in the World).

<14> The reported death of an unfortunate German citizen while being transferred among hospitals hardly qualifies as a “weapon.”

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.


James A. Lewis

James A. Lewis

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies (CSIS). He ...

Read More +