The founding myth of the internet as a lawless area, totally self-regulated and devoid of territoriality, has been debunked.

The role of the Internet Corporation for Assigned Names and Numbers (ICANN) in the management of the domain name system (DNS) contradicts this illusion: the internet is indeed controlled. Territories and therefore national laws remain a fundamental component of regulation of the internet. Yahoo, for example, was obliged to adapt to the French law on sales of Nazi objects. The world has also become aware of the fact that cyberspace may be virtual, but that it involves very real risks. For now, these are mainly financial, prompted by the greed of cyber criminals. But our societies’ dependence on information technology and its omnipresence in sensitive infrastructures creates risks for citizens’ security. Over and above its cognitive dimension, the internet is embodied in multiple physical infrastructures (cables, routers, satellites), or even makes it possible to steer the real world.

Yet sovereignty, which can be defined as the legal translation of exercise of the state’s rights, can no longer be expressed in the same way. No connected country is in a position today to cut off internet completely. Bypass systems, barriers and filters prove ineffective, as illustrated in the Iranian crisis during the summer of 2009. Although sovereignty does not stop where digital space begins, it has to be reinvented to adapt. The concept of digital sovereignty cannot be copied from the traditional concept of state sovereignty. The states have to a large extent lost it to a multitude of private players. So what are the levers of digital sovereignty? How can and must it be exercised?

Digital sovereignty is in fact a composite concept that comprises several levers that can be used to greater or lesser degrees by states.

INTERNET GOVERNANCE

The internet has so far eluded traditional regulation schemes and has been built around exclusively technical players. The agreement, signed on 30 September 2009 between the ICANN and the US Department of Trade, represents a significant breakthrough since it gives an important role to a governmental supervisory committee. This was what the European Union had been seeking since 2005. Supervision of the DNS is all the more important because the functions of the name system will in the future be extended to objects with the ONS (Object Name Service) and the internet of objects.

CAPACITY TO INFLUENCE STANDARDS

Standardisation is a strategic activity, whether for organisations in charge of the standardisation of internet protocols, such as the Internet Engineering Task Force (IETF), or for IT working groups organised by the private sector. States must be in a position to act upstream to federate players and develop common positions.

INDUSTRIAL AND TECHNOLOGICAL BASE

The US industrial domination that was the keystone of the American supremacy in cyberspace has declined . Today, the software is still American but the hardware is often Chinese. The best example is that of the IPv6 protocol, where American firms used to be the specialists. China first started producing under license, then imitated, improved and developed its own solutions. The same phenomenon was seen with semiconductors, which constitute the foundation of telecommunications equipment: some analysts consider that China is only two to three years behind the United States. As this new balance is struck between the United States and China, Europe has a master card to play, notably in the area of quantum technologies. However, playing this card will take a major effort to boost investments in R&D.

This industrial and technological ecosystem must rely on a highly qualified workforce. The gap in this area is widening between the United States on the one hand, and China and India on the other. As American students stay away from scientific and technical studies, China and India are training 500,000 and 200,000 new engineers, respectively (many in the United States).

Most internet infrastructures are managed by private operators, which makes them difficult to control. Having a few national champions naturally offers a strategic advantage but the main objective for a state is to foster the exchange of information between operators and to regulate the market. Here, too, the geopolitics of the internet is evolving: the United States is gradually losing control over global telecommunications avenues as the internet becomes more regionalised. In South-East Asia, India controls networks. In the Chinese sphere, the firms Putian, Huawei and ZTE are now present in numerous countries.

NETWORK SECURITY CAPACITY

Before being offensive, this capacity must first be defensive. The aim is to develop the resilience of critical infrastructures, and internet to start, to be able to resist massive attacks. It is important to have intervention capacities and an appropriate legal arsenal to be able to police one’s own network. In the case of private individuals acting on their own behalf, “the state does not have direct liability, but may be indirectly liable, which means that it can be held responsible for having tolerated the action concerned or for not having prevented it,” explains the Tallinn-based Cooperative Cyber Center for Excellence, which has published a report on the attacks against Georgia ⁽¹⁾.

It is through these different levers that a state may respond to three key challenges: the competitiveness of enterprises, the security of the state and of sensitive networks, and protection of citizens’ privacy. Clearly, the term ‘digital sovereignty’ is not just a figure of speech. It is state sovereignty itself that is at stake if cyber threats are not taken into account at every level.

n

⁽¹⁾ ‘Cyber attacks against Georgia: Legal lessons identified’ at www.carlisle.army.mil/DIME/documents/Georgia %201%200.pdf