Expert Speak Digital Frontiers
Published on Oct 22, 2019
How the cyberspace narrative shapes governance and security

Cyberspace has become a global infrastructure, essential for business and security. When it was created, no one understood how it would bind economies and societies together in new and complex ways. In the broadest sense, governance is the understandings and expectations among states on international behavior, a framework for relations that provides a degree of predictability in interactions in security, trade or politics. Governance of the internet and cyberspace is a new and important aspect of this, as countries are bound more closely together and as the perception of transnational risk increases. In this context, cybersecurity becomes the ability of countries to defend their national sovereignty and advance their national interests individually and cooperatively.

The initial approach to governing the new infrastructure was ad hoc, voluntary, and based on engineering and business concepts. Non-state actors from companies and civil society would work as equal partners with governments organized into a multistakeholder community providing light governance that did not get in the way of growth. This minimalist approach was the right way to rapidly build a global network, but now that it is built, it needs reconsideration. However, light governance also created the “Wild West” environment that nations have been quick to exploit and where crime is untrammeled. Imperfect software sold without liability quickened adoption and implementation, but also contained the many vulnerabilities that today make cyberspace a shaky pillar for global commerce. This model of governance was the right one to launch and build the new global infrastructure, but now we need to ask if it needs to change.

How cyberspace now actually works and how it is changing cannot accurately be explained by the idealized, millennial, multistakeholder beliefs from the 1990s of a borderless world of shared values. One explanation for the current lies in the work of Antonio Gramsci and his theory of hegemony. The hegemony under consideration here is that of the cyberspace narrative, which distorts our perceptions and justifies the status quo. Gramsci wrote that our consent to a governance system is achieved through ideology, when people believe that existing economic and political conditions are natural and inevitable, rather than the creation of groups with a vested interest.

The US invented the internet and for fifteen years after it commercialized the internet, American ideas dominated views and shaped policy. That period has come to an end but what will take its place is unclear, given the growing role of states in cyberspace and the declining power of the US (perhaps accompanied by the growing power of other countries) in shaping global governance. Better cybersecurity requires a fresh look. Let’s begin the discussion with two testable assertions:

1) States are the most powerful actors in cyberspace and responsible for the majority of dangerous cyber actions.

2) The multistakeholder model of governance is too western, insufficiently democratic, and too limited for the political challenges that a dependence on digital technologies is creating.

This is heresy, of course, but both assertions are provable and important for cybersecurity, since the cyber actions that pose the greatest risk demonstrably come from state actors or their proxies, not from some amorphous or unidentifiable source. This means that finding ways to constrain the behavior of states in cyberspace is the most important task for security.

Some of the initial ideas about the internet are no longer in serious contention. It is not a democratizing force per se, but one that erodes political legitimacy and authority and encourages extremism. Cyberspace clearly has borders, since it is based on a physical infrastructure located in national territories (or subject to national jurisdiction if undersea or in space). State sovereignty and international law clearly apply, endorsed unanimously by all member states in 2015, but how they apply is a subject for dispute. It is not a borderless commons.

If there is consensus that cyberspace is no longer a commons, there is no consensus on what it has become. The trends created by technology and political changes complicate our ability to understand the core political dynamics of cyberspace, but at their center are three significant issues that will shape governance and cybersecurity. These are questions about the changing nature of sovereignty, new requirements for legitimacy, and the effect of resurgent nationalism.


The multistakeholder model was an attempt to replace the Westphalian system modified after 1945 with one that recognized the diffusion of economic and political power away from states and the erosion of borders in the face of economic and social globalization. A new model of governance that substituted a global stakeholder community for Westphalian states was expected to work best in this new space in providing public goods. There was even discussion of the end of Westphalian model of sovereignty as a result of globalization and the effect of the internet, but the sovereign state has proven to be both resilient and flexible. While the multistakeholder model is strong at managing the technical resources of the internet, there is general dissatisfaction with the performance of a “light,” privately guided and shared governance, in privacy, anti-competitiveness, and security. However, the alternatives to the post-1945 order—untrammeled authoritarian sovereigns or fuzzy multi-stakeholder governance—prove even less attractive.

The expansion of sovereignty in cyberspace, while unavoidable, raises troubling problems. When cyberspace was ungoverned and considered ungovernable, it became a playground for spies and criminals, but the same openness provided a new and untrammeled arena for the exercise of fundamental rights, most importantly the right to free expression. The pioneers of cyberspace believed it would be democratizing, even liberating. This was somewhat optimistic, but as governments expand their power to protect their interests (and this includes the safety and privacy of their citizens), the space for free expression is shrinking. The multistakeholder community is too weak to protect it, and some states ignore their commitments under the Universal Declaration of Human Rights. An inability to confirm commitment to human rights is one of the greatest impediments to new models of governance and the difficult and not well understood relationship between online information and security (information is not a weapon, but it can be “weaponized, i.e. used for coercive purposes online) also affects the ability to devise common understandings for cybersecurity.

As cyberspace has become a central domain for international conflict (and not the millennial vision of an end to conflict), security and the role of states has become more important. States see cyberspace as an unconstrained arena for espionage and coercion, and several powerful states also support cybercrime, either as a tool of state power for simple profit. Those who argue, for example, that states have lost their monopoly on force usually have never experienced the full range of violence a powerful state is able to inflict and equate a cyber-attack with kinetic or nuclear action. The most dangerous and damaging attacks require resources and a degree of engineering knowledge that are beyond the capabilities of non-state actors. A few criminal groups possess these capabilities, but these groups are located in states where they are in effect proxy forces, beholden to the national government.


Legitimacy requires the assent of the governed. There is no good mechanism for expressing this assent for cyberspace. In the international system, states are the legitimate representatives of their societies (acquiring or asserting legitimacy through the mechanism of national elections). States possess sovereign rights and authorities, and they coordinate the exercise of sovereignty with other states through a series of understandings and mechanisms. The governmental and international approaches developed in the West in response to the global crises of the 1930s—multilateral institutions and rules, and the macroeconomic, managerial state—are no longer adequate (unless reformed). The original model of governance no longer ensures the assent of the governed.

Nor are all ‘stakeholders’ equal. States are understandably reluctant to entrust their fundamental security to private actors. Big companies have significant power over how cyberspace operates but are ultimately second to states if those states choose to challenge them and have the resources to do so. Gramsci would say big companies have until recently been unchallenged because of the dissuasive effect of the old, hegemonic multistakeholder narrative. Big tech companies will assert their independence from governmental control insofar as it does not cost them significant market share. The current governance model does an excellent job on the technical management of the internet, but it needs to be more representative of a global population, more transparent in its processes. In this we need to recognize that no actor other than a state has the legitimacy, legal authority or armed force necessary for security.


The internet brought western and American ideas to previously insulated nations. In cyberspace, cultures rub against each other; there are interconnections that bring change to even the most remote locations. One unexpected result of the internet is a general discontent with the ideas we once thought embodied progress since they were at the center of an American-driven globalization. The result is a powerful reaction in defense of national cultures and state sovereignty.

The reaction to globalism and the spread of western and Americanized culture has been resurgent nationalism, as societies seek to protect their own values, accompanied by a general discontent with western values on governance and individual rights that were once thought to embody progress. This is the antithesis of the “one world, no borders” approach of internet visionaries. The reemphasis of sovereignty and the right of a state to govern itself without external interference - and the internet is seen by many as external interference - sharpens conflict and makes international cooperation more difficult.

One result of this resurgent nationalism is that it has moved the global community to a post-1945 world when it comes to rules and institutions, and this has broad implications for cyberspace security and governance. Before 1945, governments played a role that was less constrained domestically and internationally. Some nations would prefer to return to this traditional definition of sovereignty, where universal rights were less important than sovereign interests in guiding national policy. Once the lens through which we view cyberspace moves away from the outdated 1990s narrative, securing and controlling cyberspace becomes an engineering problem, where states will need to build (or acquire) the tools needed for management and security. Borders can be better defended, and rules imposed with the right policies in place and the right technologies to implement these policies. Governance can be established with the ability to write software to strengthen borders, manage online activity, and increase sovereign control.

Next Steps for Cybersecurity and Governance

Securing cyberspace is a complex problem for the international community. It involves a set of interrelated issues affecting business, human rights and national security. Other governance structures for international activities, such as air travel or finance, are more apolitical and lack the political consequences of cyberspace. This connection of political values makes the internet governance and cybersecurity problem much more difficult. What worked in the pioneering phase of cyberspace will no longer suffice.

While there is debate over the extent to which new rules and new mechanisms (including multistakeholder mechanisms) are needed, nations are gravitating toward an approach to cybersecurity that is placed within the exiting framework of international relations and creates shared understandings and rules for better cybersecurity. For governance, change is more difficult as incumbents and the powerful millennial ideology slow any transformation, but there is also impatience in many countries over key areas such as data protection, public safety and competitiveness where the status quo is seen as unacceptable.

This points to a reconsideration of the relationship between cybersecurity and internet governance. Cybersecurity is an element of a larger governance framework and while there does not need to be some single, overarching entity to govern cyberspace, the growth of reliance on digital technology means that it is time to transition to new approaches on how it is governed that assigns governments the central responsibility. This process of change will require the continued involvement of the multistakeholder community, but the nature of this involvement, the change in the relative positions of governments and private entities mean that the old model of governance will need to be replaced to make it less western, more inclusive and more democratic.

Such a change may be difficult for the “West,” given the power of the old internet ideology, and new models of governance are more likely eventually to emerge from other sources, albeit in a piecemeal basis that addresses issues like data protection or localization first. If there is a contest over the future of governance, it may be well be between the democracies of the global source and the re-energized authorization states.

The need for better cybersecurity is a central driver for change in how we think about cyberspace. The current international approach is to further develop and implement norms, confidence-building actions, and capacity-building measures, but this has been expanded to consider the need for permanent mechanisms and binding rules (topics that came up in the 2015 GGE). Progress will also depend on finding ways to involve the multistakeholder community, after a fresh look that recognizes both its strengths and its limits.

Relations among states are defined by an elaborate web of power, influence, expectations, goals and commitments. Cyberspace is a still undefined element in this web of relationships. Governments are increasingly reluctant to accept the limited role assigned to them in securing an essential global infrastructure upon which their economies depend, and which has become the source of new and powerful threats, but at the same time, they cannot govern without the involvement of other actors from the private sector and society. There are steps that could be taken in the near term to reduce risk and uncertainty in cyberspace and reshape the landscape for governance in positive ways. Defining a post-millennium model for governance of the digital environment and creating new rules and mechanisms in the international community is the central task for a more secure and stable cyberspace.

This essay originally appeared in Digital Debates — CyFy Journal 2019.

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.


James A. Lewis

James A. Lewis

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies (CSIS). He ...

Read More +