The second model to emerge in the last ten years is known as the multilateral model. Embraced by more authoritarian states such as Russia, China, and Iran, this model is state-centric. There is no place at the Internet governance table for non-state actors, even though these may be the heaviest users and developers of the Internet. This model seeks to dramatically reduce the number of voices involved in governance issues and return the Internet to more direct state control. Neither vision has been reduced to treaty form as yet.
The West, backing the multi-stakeholder model, has resisted the notion of constraining this free-form approach to governance into a treaty approved by states, and state actors promoting the multilateral model have not succeeded in garnering enough support to achieve a multilateral treaty among states. All of that has recently changed. In the wake of the hacking and disinformation campaign undertaken by Russia during the 2016 U.S. presidential election, Microsoft, which had been working to thwart further attacks, called for a Digital Geneva Convention.
Citing the rise in cyberattacks by nation-states, the proposed Digital Geneva Convention seeks to protect critical infrastructures and financial transactions in addition to data held by journalists and intellectual property held by corporations through restraints on the development, use, deployment and proliferation of cyber weapons. Simultaneously, Microsoft created a Digital Crimes Unit to combat further Russian hacking efforts and a Threat Intelligence Center to protect the U.S. Department of Defense cloud that is under constant cyberattack from Russia, North Korea, and Iran, among others. France, which hosted the 2018 IGF meeting in Paris, embraced the initiative as part of the “Paris Roadmap of Trust & Security in Cyberspace.”
Working within United Nations legal structures, Russia countered with a draft treaty “Countering the Use of ICT for Criminal Purposes.” Having failed previously to win support for a broader Internet governance treaty, Russia appears instead to be taking a piecemeal approach: beginning with cybercrime and, once that treaty is adopted, moving on to seek approval of draft treaties in other Internet governance sectors. This approach is working. The draft Russian treaty was adopted by the U.N.’s Third Committee and then proceeded to the agenda of the General Assembly, where it was adopted on a vote of 88 for, 58 against, and 34 abstentions. Most of the votes against were from the West; many of the votes in favor came from either client states of Russia or smaller states that are large recipients of foreign aid from China.
Russia’s draft cybercrime treaty criminalizes “information” offenses (such as those that may be made by journalists), undermines freedom of online expression, emphasizes sovereignty and state control of the Internet, provides for state seizure of property and shutdowns, and includes specific provisions for corporate criminal/civil liability as well as transfer of legal proceedings to other jurisdictions and extradition. The corporate provisions in particular seem to be aimed at Microsoft. As one E.U. official put it, “this is not about cybercrime. This is about who controls the Internet.”
The United States and the West have not done a good job of promoting and defending the current Internet governance model, and that failure has given authoritarian regimes an opening to succeed in promoting a more restrictive vision of governance, one that could be supported by enough states to eventually become law via treaty. The result could be two rival Internets or even an ultimately state-controlled Internet across the board.