CHAPTER 3
The Future of States
What do we talk about when we talk about the Internet? Most people have only a vague sense of how the Internet works, and in most cases that’s fine. The majority of users don’t need to understand its internal architecture or how a hash function works in order to interface fluidly with the online world. But as we turn to a discussion about how state power affects, and is affected by, the Internet, some basic knowledge will help make clear a few of the more conceptually difficult scenarios that come into play.
As it was initially conceived, the Internet is a network of networks, a huge and decentralized web of computer systems designed to transmit information using specific standard protocols. What the average user sees—websites and applications, for example—is really the flora and fauna of the Internet. Underneath, millions of machines are sending, processing and receiving data packets at incredible speed over fiber-optic and copper cables. Everything we encounter online and everything we produce is ultimately a series of numbers, packaged together, sent through a series of routers located around the world, then reassembled at the other end.
We have often described the Internet as a “lawless” space, ungoverned and ungovernable by design. Its decentralized makeup and constantly mutating interlinking structure make government attempts to “control” it futile. But states have an enormous amount of power over the mechanics of the Internet in their own countries. Because states have power over the physical infrastructure connectivity requires—the transmission towers, the routers, the switches—they control the entry, exit and waypoints for Internet data. They can limit content, control what hardware people are allowed to use and even create separate Internets. States and citizens both gain power from connectivity, but not in the same manner. Empowerment for people comes from what they have access to, while states can derive power from their position as gatekeeper.
So far we have focused mostly on what will happen when billions more people come online—How will they use the Internet? What kinds of devices will they use? How will their lives change?—but we haven’t yet said what their Internet will look like, or how states will make the most of it in their own physical and virtual dealings with other states and with their own people. This will increasingly matter, as populations with different alphabets, interests and sets of norms become connected, and as their governments bring their own interests, grudges and resources to the table. Perhaps the most important question in ten years’ time won’t be if a society uses the Internet, but which version of it they use.
As more states adapt to having large portions of their populations online, they’ll strive to maintain control, both internally and on the world stage. Some states will emerge stronger—more secure and with greater influence—from this transition into the virtual age, benefiting from strong alliances and smart uses of digital power, while others will struggle just to keep up with and adapt to technological changes both domestically and internationally. Friendships, alliances and enmities between states will extend into the virtual world, adding a new and intriguing dimension to traditional statecraft. In many ways, the Internet could ultimately be seen as the realization of the classic international-relations theory of an anarchic, leaderless world. Here’s how we think states will respond to each other and to their citizens.
The Balkanization of the Internet
As we said, every state and society in the world has its own laws, cultural norms and accepted behaviors. As billions of people come online in the next decade, many will discover a newfound independence—in ideas, speech and conversation—that will test these boundaries. Their governments, by contrast, would largely prefer that these users encounter a virtual world that allows the powers that be to mirror their physical control, an understandable if fundamentally naïve notion. Each state will attempt to regulate the Internet, and shape it in its own image. The impulse to project laws from the physical world into the virtual one is universal among states, from the most democratic to the most authoritarian. What states can’t build in reality they’ll try to fashion in virtual space, excluding those elements of society that they dislike, the content that contravenes laws and any potential threats they see.
The majority of the world’s Internet users encounter some form of censorship—also known by the euphemism “filtering”—but what that actually looks like depends on a country’s policies and its technological infrastructure. Not all or even most of that filtering is political censorship; progressive countries routinely block a modest number of sites, such as those featuring child pornography.
In some countries, there are several entry points for Internet connectivity, and a handful of private telecommunications companies control them (with some regulation). In others, there is only one entry point, a nationalized Internet service provider (ISP), through which all traffic flows. Filtering is relatively easy in the latter case, and more difficult in the former. Differences in infrastructure like these, combined with cultural particularities and objectives of filtering, account for the patchwork of systems around the world today.
In most countries, filtering is conducted at the ISP level. Typically, governments put restrictions on the gateway routers that connect the country and on DNS (domain name system) servers. This allows them to either block a website altogether (e.g., YouTube in Iran) or process web content through “deep-packet inspection.” With deep-packet inspection, special software allows the router to look inside the packets of data that pass through it and check for forbidden words, among other things (the use of sentiment-analysis software to screen out negative statements about politicians, for example), which it can then block. Neither technique is foolproof; users can access blocked sites with circumvention technologies like proxy servers (which trick the routers) or by using secure https encryption protocols (which enable private Internet communication that, at least in theory, cannot be read by anyone other than your computer and the website you are accessing), and deep-packet inspection rarely catches every instance of banned content. The most sophisticated censorship states invest a great deal of resources to build these systems, and then heavily penalize anyone who tries to get around them.
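The two filtering layers described above can be modelled in a few lines. This is an added illustration, not material from the book: the domain names, the banned phrase and the requests are constructed, and the `encrypted` helper is a one-time-pad stand-in for HTTPS rather than real TLS.

```python
"""Toy model of ISP-level filtering: a DNS blocklist plus deep-packet inspection.

Added illustration; every hostname, keyword and request below is constructed.
"""
import os
from dataclasses import dataclass

# Assumed policy data (constructed): one wholly blocked site, one banned phrase.
BLOCKED_DOMAINS = {"video.example"}
FORBIDDEN_WORDS = (b"banned phrase",)


@dataclass
class Connection:
    hostname: str   # name the client asks the national DNS server to resolve
    payload: bytes  # bytes the gateway router sees on the wire


def dns_allows(hostname: str) -> bool:
    """DNS layer: refuse a listed domain and every subdomain beneath it."""
    labels = hostname.lower().rstrip(".").split(".")
    # Compare whole label suffixes so "notvideo.example" is not a false match.
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return not any(suffix in BLOCKED_DOMAINS for suffix in suffixes)


def dpi_allows(payload: bytes) -> bool:
    """Deep-packet inspection: scan the payload bytes for forbidden words."""
    lowered = payload.lower()
    return not any(word in lowered for word in FORBIDDEN_WORDS)


def gateway_verdict(conn: Connection) -> str:
    """Apply the coarse DNS check first, then the content check."""
    if not dns_allows(conn.hostname):
        return "blocked: dns"
    if not dpi_allows(conn.payload):
        return "blocked: dpi"
    return "forwarded"


def http_request(host: str, path: str, body: bytes = b"") -> bytes:
    """Build a plaintext HTTP request, readable by any router on the path."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def encrypted(plaintext: bytes) -> bytes:
    """Stand-in for HTTPS (not real TLS): XOR with a random one-time pad,
    so the router sees bytes unrelated to the request it carries."""
    pad = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def demo() -> dict:
    """Run four constructed connections through the gateway."""
    essay = http_request("news.example", "/story",
                         b"An essay on the Banned Phrase.")
    weather = http_request("news.example", "/weather", b"Sunny tomorrow.")
    video = http_request("www.video.example", "/")
    return {
        "blocked site": gateway_verdict(Connection("www.video.example", video)),
        "plain http": gateway_verdict(Connection("news.example", essay)),
        "https": gateway_verdict(Connection("news.example", encrypted(essay))),
        "harmless": gateway_verdict(Connection("news.example", weather)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} -> {verdict}")
```

In this model the same essay is stopped in plaintext and forwarded once encrypted, which leaves the gateway only the all-or-nothing option of blocking the whole site by name.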
When technologists began to notice states regulating and projecting influence online, some warned against a “balkanization of the Internet,” whereby national filtering and other restrictions would transform what was once the global Internet into a connected series of nation-state networks.1 The World Wide Web would fracture and fragment, and soon there would be a “Russian Internet” and an “American Internet” and so on, all coexisting and sometimes overlapping but, in important ways, separate. Each state’s Internet would take on its national characteristics. Information would largely flow within countries but not across them, due to filtering, language or even just user preference. (Evidence shows that most users tend to stay within their own cultural spheres when online, less for reasons of censorship than because of shared language, common interest and convenience. The online experience can also be faster, as network caching, or temporarily storing content in a local data center, can greatly increase the access speed for users.) The process would at first be barely perceptible to users, but it would fossilize over time and ultimately remake the Internet.2
The first stage of this process, aggressive and distinctive filtering, is under way. It’s very likely that some version of the above scenario will occur, but the degree to which it does will greatly be determined by what happens in the next decade with newly connected states—which path they choose, whom they emulate and work together with, and what their guiding principles turn out to be. To expand on these variations, let’s look at a few different approaches to filtering in today’s world. We’ve identified at least three models: the blatant, the sheepish, and the politically and culturally acceptable.
First, the blatant: China is the world’s most active and enthusiastic filterer of information. Entire platforms that are hugely popular elsewhere in the world—Facebook, Tumblr, Twitter—are blocked by the Chinese government. Particular terms like “Falun Gong”—the name of the banned spiritual group in China associated with one flank of the opposition—are simply absent from the country’s virtual public space, victims of official censorship or widespread self-censorship. On the Chinese Internet, you would be unable to find information about politically sensitive topics like the Tiananmen Square protests, embarrassing information about the Chinese political leadership, the Tibetan rights movement and the Dalai Lama, or content related to human rights, political reform or sovereignty issues. When it comes to these topics, even some of the best-known Western media outlets fall victim to censorship. Bloomberg News was blocked in both English and Chinese following its June 2012 exposé on the vast family fortune of the then vice-president (and now president), Xi Jinping. Four months later, The New York Times experienced a similar fate after publishing a similar story about the then premier, Wen Jiabao. Unsurprisingly, information about censorship circumvention tools is also blocked. We learned how comprehensive and particular Chinese censorship authorities could be when, following a contentious trip by Google’s executive chairman, Eric, to Beijing in 2011, all traces of his visit were wiped from the Chinese Internet, while media coverage of his trip remained accessible everywhere else.
To the average Chinese user, this censorship is seamless—without prior knowledge of events or ideas, it would appear that they never existed. Further complicating matters, the Chinese government is not above taking a more proactive approach to online content: one estimate in 2010 suggested that Chinese officials had hired nearly three hundred thousand “online commenters” to write posts praising their bosses, the government and the Communist Party. (This kind of activity is often called Astroturfing—i.e., fake grassroots participation—and is a popular tactic with public-relations firms, advertising agencies and election campaigns around the world.)
China’s leadership doesn’t hesitate to defend its strict censorship policies. In a white paper released in 2010, the government calls the Internet “a crystallization of human wisdom” but states that China’s “laws and regulations clearly prohibit the spread of information that contains contents subverting state power, undermining national unity [or] infringing upon national honor and interests.” The Great Firewall of China, as the collection of state blocking tools is known, is nothing less than the guardian of Chinese statehood: “Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected.” This type of unabashed and unapologetic approach to censorship would naturally appeal to states with strong authoritarian streaks, as well as states with particularly impressionable or very homogenous populations (who would fear the incursion of outside information on an emotional level).
Next, there are the sheepish Internet filterers: Turkey has taken a much more subtle approach than China, and has even shown responsiveness to public demands for Internet freedom, but nevertheless its online censorship policies continue with considerable obfuscation. The Turkish government has had an uneasy relationship with an open Internet, being far more tolerant than some of its regional neighbors but much more restrictive than its European allies. It is impossible to get a completely unfiltered connection to the Internet in Turkey—an important distinction between Turkey and Western countries. YouTube was blocked by Turkish authorities for more than two years after the company refused to take down videos that officials claimed denigrated the country’s founder, Mustafa Kemal Atatürk. (In keeping with a 1951 law that criminalizes public insults to Atatürk, YouTube agreed to block the videos for the Turkish audience, but the government wanted them removed from the platform worldwide.) This ban was highly visible, but subsequent censorship has been more covert: Some eight thousand websites have been blocked in Turkey without public notice or official government confirmation.
The sheepish model is popular with governments that struggle to strike a balance between divergent beliefs, attitudes and concerns within their population. But by pursuing this path, the government itself can become the enemy if it goes too far, or if its machinations are exposed. To give a recent example from Turkey: In 2011, the government announced a new nationwide Internet filtering policy featuring a four-tier system of censorship, in which citizens would have to choose the level of filtering they wanted (from the most to least restrictive: “child,” “family,” “domestic” and “standard” levels). The Information and Communications Technologies Authority (known by its initials in Turkish as BTK) said the scheme was intended to protect minors and promised that people who chose the “standard” level would encounter no censorship. Many people skeptical of BTK’s record on transparency balked. In fact, the plan generated such an outcry among the population that thousands of people in more than thirty cities around Turkey took to the streets to protest the proposed changes.
Under pressure, the government dialed back its plan, ultimately instituting just two content filters—“child” and “family”—which users could adopt voluntarily. But the controversy didn’t end there. Media-freedom groups reported that their own tests of the censorship system revealed a more aggressive filtering framework than BTK would admit. In addition to the expected banned terms having to do with pornography or violent content, they found that ordinary news websites, content that was culturally liberal or Western (e.g., anything including the word “gay,” or information about evolution) and keywords related to the Kurdish minority were all blocked under the new system. Some activists argued that blocking information about Kurdish separatist organizations with the “child” filter was evidence of the state’s nefarious intent; the international media watchdog group Reporters Without Borders called the Turkish policy “backdoor censorship.”
The Turkish government responded to some of the public concerns about the new system. When a Turkish newspaper reported that educational websites about scientific evolution were blocked while content from a prominent Turkish creationist was not, the authorities eliminated the block immediately. But there is little to no transparency around what content is censored under these policies, so the government is forced to react only when such discrepancies are brought to light by citizens. The sheepish model of Internet filtering, then, combines a government’s ability to evade accountability with its willingness to take constructive action when pressure mounts. This approach would appeal to countries with growing civil societies but strong state institutions, or to governments without reliable bases of support but enough concentrated power to make such unilateral decisions.
The third approach, politically and culturally acceptable filtering, is employed by states as diverse as South Korea, Germany and Malaysia. This is limited and selective filtering around very specific content, based in law, with no attempt to hide the censorship or the motivations behind it. Outliers within the population might grumble, but the majority of citizens often agree with the filtering policies for reasons of security or public well-being. In South Korea, for example, the National Security Law expressly criminalizes public expressions of support for North Korea in both physical and virtual space. The South Korean government regularly filters Internet content affiliated with its northern neighbor—in 2010 it was reported that the government blocked some forty websites associated with or supportive of the North Korean regime, took down a dozen accounts with potential ties to Pyongyang on social-networking sites like Facebook and Twitter, and forced website administrators to delete more than forty thousand pro–North Korea blog posts.
Germany has strong anti-hate-speech laws that make Holocaust denial and neo-Nazi rhetoric illegal, and consequently the government blocks websites within Germany that express those views. And Malaysia, despite promising its citizens that it would never censor the Internet—going so far as to codify it in its Bill of Guarantees—abruptly blocked access to file-sharing sites like Megaupload and the Pirate Bay in 2011, claiming that the sites were in violation of another law, the country’s Copyright Act of 1987. In a statement, the Malaysian Communications and Multimedia Commission defended the move, writing, “Compliance with the law is not to be construed as censorship.” Many Malaysians disagreed, but the block remained politically and legally acceptable.
Of the three models, activists will pray that the third approach becomes the norm for states around the world, but this seems unlikely; only countries with highly engaged and informed populations will need to be this transparent and restrained. Since most governments will make such decisions before their citizens become fully connected, they will feel little incentive to proactively promote the kind of free and open Internet exhibited by countries in the “politically acceptable model.”
The trends we see today will continue in ways that are, for the most part, fairly predictable. All governments will feel as if they’re fighting a losing battle against an endlessly replicating and changing Internet, and balkanization will emerge as a popular mechanism to address this challenge. The next stage in the process for many states will be collective editing, states forming communities of interest to edit the web together, based on shared values or geopolitics. Collective action—be it in the physical or virtual world—will be a logical move for many states that find they lack the resources, the reach or the capability to influence vast territories. And even with balkanization, cyberspace is still a lot of ground to cover, so just as some states leverage each other’s military resources to secure more physical ground, so too will states form alliances to control more virtual territory. For larger states, collaborations will legitimize their filtering efforts and deflect some unwanted attention (the “look, others are doing it too” excuse). For smaller states, alliances along these lines will be a low-cost way to curry favor with bigger players and simultaneously gain some useful technical skills and capacity that they might lack at home.
Collective editing may start with basic cultural agreements and shared antipathies among states, such as what religious minorities they dislike, how they view other parts of the world or what their cultural perspective is on historical figures like Vladimir Lenin, Mao Zedong or Mustafa Kemal Atatürk. In the online world, shared cultural and normative sensibilities create a gravitational pull among states, including those who might not otherwise have reason to band together. Larger states are less likely to engage in this than smaller ones—they already have the technical capabilities—so it will be a fleet of smaller states, pooling their resources, that will find this method useful. If some member countries in the Commonwealth of Independent States (CIS), an association of former Soviet states, became fed up with Moscow’s insistence on standardizing the Russian language across the region, they could join together to censor all Russian-language content from their national Internets and thus limit their citizens’ exposure to Russia altogether.
Ideology and religious morals are likely to be the strongest drivers of these collaborations. They are already the strongest drivers of censorship today. Imagine if a group of deeply conservative Sunni-majority countries—say, Saudi Arabia, Yemen, Algeria and Mauritania—formed an online alliance around their common values and strategic needs and decided to build a “Sunni Web.” While technically this Sunni Web would still be part of the larger Internet, it would become the main source of information, news, history and activity for citizens living in these countries. For years, the development and spread of the Internet was highly determined by its English-only language standard, but the continued implementation of internationalized domain names (IDN), which allow people to use and access domain names written in non-Roman alphabet characters (e.g., http://), is changing this. The creation of a Sunni Web—indeed, all nationalized Internets—becomes more likely if its users can access a version of the Internet in their own language and script.
Within the Sunni Web, depending on who participated and who led its development, the Internet could be sharia-complicit: e-commerce and e-banking would look different, since no one would be allowed to charge interest; religious police might monitor online speech, working together with domestic law enforcement to report violations; websites with gay or lesbian content would be uniformly blocked; women’s movements online might somehow be curtailed; and ethnic and religious minority groups might find themselves closely monitored, restricted or even excluded. In this scenario, how possible it would be for a local tech-savvy citizen to circumvent this Internet and reach the global World Wide Web depends on which country he lived in: Mauritania might not have the desire or capacity to stop him, but Saudi Arabia probably would. If the Mauritanian government became concerned that its users were bypassing the Sunni Web, on the other hand, surely one of its new digital partners could help it build higher fences. Within collective editing alliances, the less paranoid states would allow their populations to access both versions of the Internet (somewhat like an opt-in parental control for television), betting on user preference for safe and uniquely tailored content instead of using brute force.
There will be some instances where autocratic and democratic nations edit the web together. Such a collaboration will typically happen when a weaker democracy is in a neighborhood of stronger autocratic states that coerce it to make the same geopolitical compromises online that it makes in the physical world. This is one of the rare instances where physical proximity actually matters in virtual affairs. For example, Mongolia is a young democracy with an open Internet, sandwiched between Russia and China—two large countries with their own unique and restrictive Internet policies. The former Mongolian prime minister Sukhbaatar Batbold explained to us that he wants Mongolia, like any country, to have its own identity. This means, he said, it must have good relations with its neighbors to keep them from meddling in Mongolian affairs. “We respect that each country has chosen for itself its own path in development,” he said. With China, “we have an understanding where we stay out of Tibet, Taiwan and Dalai Lama issues, and they do not interfere with our issues. The same applies with Russia, with which we have a long-standing relationship.”
A neutral stance of noninterference is more easily sustainable in the physical world. Virtual space significantly complicates this model because online, it’s people who control the activity. People sympathetic to opposition groups and ethnic minorities within China and Russia would look at Mongolia as an excellent place to congregate. Supporters of the Uighurs, Tibetans or Chechen rebels might seek to use Mongolia’s Internet space as a base from which to mobilize, to wage online campaigns and build virtual movements. If that happened, the Mongolian government would no doubt feel the pressure from China and Russia, not just diplomatically but because its national infrastructure is not built to withstand a cyber assault from either neighbor. Seeking to please its neighbors and preserve its own physical and virtual sovereignty, Mongolia might find it necessary to abide by a Chinese or Russian mandate and filter Internet content associated with hot-button issues. In such a compromise, the losers would be the Mongolians, whose online freedom would be taken away as a result of self-interested foreign powers with sharp elbows.
Not all states will look to collaborate with others during the balkanization process, but the end result just the same will be a jumble of national Internets and virtual borders. The trend toward globalized platforms like Facebook and Google creates a system for technology that is more likely to spread, which will mean a broader distribution of engineering tools that people can use to build their own online structures. Without state regulation that inhibits innovation, this growth trend will happen very rapidly. In the early stages, users won’t realize when they are on another country’s Internet because the experience will be seamless, as it is today. While states work to carve out their autonomy in the online world, most users will experience very little change.
That homeostasis, however, will not last. What started as the World Wide Web will begin to look more like the world itself, full of internal divisions and divergent interests. Some form of visa requirement will emerge on the Internet. This could be done quickly and electronically, as a method to contain the flow of information in both directions, requiring that users register and agree to certain conditions to access a country’s Internet. If China decides that all outsiders need to have a visa to access the Chinese Internet, citizen engagement, international business operations and investigative reporting will all be seriously affected. This, along with internal restrictions of the Internet, suggests a twenty-first-century equivalent of Japan’s famous sakoku (“locked country”) policy of near-total isolation enacted in the seventeenth century.
Some states may implement visa requirements as both a monitoring tool for international visitors and as a revenue-generating exercise—a very small fee would be charged automatically upon entering a country’s virtual space, even more if one’s online activities (which the government could track by cookies and other tools) violated the terms of the visa. Virtual visas would appear in response to security threats related to cyber attacks; if your IP came from a blacklisted country, you would encounter heightened screenings and monitoring.
Some states, however, would make a public show of not requiring visas to demonstrate their commitment to open data and to encourage other states to follow their example. In 2010, Chile became the first country in the world to approve a law that guarantees net neutrality. About half of Chile’s 17 million people are online today, and as the country continues to develop its technological infrastructure, public statements like this will no doubt endear Chile to other governments that support its forward-looking communication policies. Countries coming online now will weigh the Chilean model against others. They might be asked to sign no-visa commitments with other states in order to build trade relations around e-commerce and other online platforms, like a Schengen Agreement (Europe’s borderless zone) for the virtual world.
Under conditions like these, the world will see its first Internet asylum seeker. A dissident who can’t live freely under an autocratic Internet and is refused access to other states’ Internets will choose to seek physical asylum in another country to gain virtual freedom on its Internet. There could be a form of interim virtual asylum, where the host country would share sophisticated proxy and circumvention tools that would allow the dissident to connect outside. Being granted virtual asylum could be a significant first step toward physical asylum, a sign of trust without the full commitment. Virtual asylum would serve as an extra layer of vetting before the physical asylum case reached the courts.
Virtual asylum will not work, however, if the ultimate escalation occurs: the creation of an alternative domain name system (DNS), or even aggressive and ubiquitous tampering with it to advance state interests. Today, the Internet as we know it uses the DNS to match computers and devices to relevant data sources, translating IP addresses (numbers) into readable names and vice versa. The robustness of the Internet depends on all computers and networks’ using the same official DNS root (run by the Internet Corporation for Assigned Names and Numbers, or ICANN), which contains all the top-level domains that appear as suffixes on web addresses—.edu, .com, .net and others.
But there are alternative DNS roots in existence, operating in parallel with the Internet but not attached to it. Within tech circles, most believe that the creation of an alternative DNS would go against everything the Internet represents and was built to do: namely, share information freely. No government has yet achieved an alternative system,3 but if a government succeeded in doing so, it would effectively unplug its population from the global Internet and instead offer only a closed, national intranet. In technical terms, this would entail creating a censored gateway between a given country and the rest of the world, so that a human proxy could facilitate external data transmissions when absolutely necessary—for matters involving state resources, for instance.
For the population, popular proxy measures like VPNs and Tor would no longer have any effect because there wouldn’t be anything to connect to. It’s the most extreme version of what technologists call a walled garden. On the Internet, a walled garden refers to a browsing environment that controls a user’s access to information and services online. (This concept is not limited to discussions of censorship; it has deep roots in the history of Internet technology: AOL and CompuServe, Internet giants for a time, both started as walled gardens.) For the full effect of disconnection, the government would also instruct the routers to fail to advertise the IP addresses of websites—unlike DNS names, IP addresses are immutably tied to the sites themselves—which would have the effect of putting those websites on a very distant island, utterly unreachable. Whatever content existed on this national network would circulate only internally, trapped like a cluster of bubbles in a computer screen saver, and any attempts to reach users on this network from the outside would meet a hard stop. With the flip of a switch, an entire country would simply disappear from the Internet.
This is not as crazy as it sounds. It was first reported in 2011 that the Iranian government’s plan to build a “halal Internet” was under way, and more than a year later it seemed that the official launch was imminent. The regime’s December 2012 launch of Mehr, its own version of YouTube with “government-approved videos,” added yet another data point that the regime was serious about the project. Details of the plan remained hazy, but according to Iranian government officials, in the first phase the national “clean” Internet would exist in tandem with the global Internet for Iranians (heavily censored as it is), then it would come to replace the global Internet altogether. This would entail moving all the “halal” websites to a particular block of IP addresses, which would make it trivially easy to filter out websites that are outside the halal block. The government and affiliated institutions would provide the content for the national intranet, either gathering it from the global web and scrubbing it, or creating it manually. All activity on the network would be closely monitored, facilitated by the government’s top-level infrastructure control and agency over software (something Iranian officials are very concerned about, judging from a 2012 ban on the import of foreign computer security software). Iran’s head of economic affairs told the country’s state-run news agency that they hoped their halal Internet would come to replace the web in other Muslim countries, too—at least those with Farsi speakers. Pakistan has pledged to build something similar.
It is possible that Iran’s threat is merely a hoax. How exactly the state intends to proceed with this project is unclear both technically and politically. How would it avoid enraging the sizable chunk of its population that has access to the Internet? Some believe it would be impossible to fully disconnect Iran from the global Internet because of its broad economic reliance on external connections. Others speculate that, if it wasn’t able to build an alternative root system, Iran could pioneer a dual-Internet model that other repressive states would want to follow. Whichever route Iran chooses, if it is successful in this endeavor, its halal Internet would surpass the Great Firewall of China as the single most extreme version of information censorship in history. It would change the Internet as we know it.
Virtual Multilateralism
In parallel with these balkanization efforts, we will see the rise of virtual multilateralism based on ideological or political solidarity, involving both states and corporations working together in official alliances. States like Belarus, Eritrea, Zimbabwe and North Korea—authoritarian, with strong personality cults and a pariah status elsewhere in the world—would have little to lose by joining an autocratic cyber union, where censorship and monitoring strategies and technologies could be shared. As these countries collaborated to build virtual-age police states, it would become increasingly difficult for Western companies, from a public-relations standpoint, to conduct business there, even if it was legal. This would create space for non-Western companies, whose shareholders may have fewer qualms and who are used to working in similar environments, to play a more active business role within a network of autocratic states.
It’s no accident, for example, that the company that owns 75 percent of North Korea’s only official mobile network, Koryolink, is the Egyptian telecom Orascom, a firm that thrived under the long reign of Hosni Mubarak. (The other 25 percent is owned by North Korea’s Ministry of Posts and Telecommunications.) For North Korean subscribers, Koryolink service is a walled garden, a highly limited platform that allows for only basic functionality. Koryolink users can’t make or receive international calls; nor can they access the Internet. (Some people can access the North Korean intranet, an odd pastiche of online content, mostly propaganda, that government officials transfer over from the Internet.) Local phone calls and text messages are almost certainly monitored, and The Economist reported that the network is already a platform for the dissemination of government propaganda, with the North Korean daily Rodong Sinmun sending users the latest news by text message. While it is not officially a requirement, most people are “encouraged” to pay their phone bills in euros (which are unofficially in circulation), a tall order for most North Koreans. Even so, the demand for phones was so great that adoption soared in the country, leaping from three hundred thousand subscribers to more than a million within an eighteen-month period ending in early 2012. Koryolink’s gross operating margin of 80 percent means big business for Orascom.
In Iran, following a very public crackdown on the country’s green movement in 2009, Western technology companies like Ericsson and Nokia Siemens Networks (NSN) sought to distance themselves from the regime. In their absence, the Chinese telecommunications giant Huawei swept in and seized the opportunity to dominate the large (and state-controlled) Iranian mobile market. While its Western predecessors faced a backlash at home for selling products to the Iranian government that were used to track and suppress democracy activists, Huawei actively promoted its products in an authoritarian-friendly light. Its catalog was unapologetic, according to a story in The Wall Street Journal, with products like location-based tracking equipment for law enforcement (recently purchased by Iran’s largest mobile operator) and a censorship-friendly mobile news service. Huawei’s favorite domestic partner in Iran, Zaeim Electronic Industries Co., is also the favorite of government branches, including the Revolutionary Guards and the office of the president.
Officially, Huawei claims to offer Zaeim only “commercial public-use products and services,” but according to The Wall Street Journal, in off-the-record pitch meetings with Iranian officials, Huawei made clear its expertise in information censorship, mastered in China. (Huawei published a press release shortly after the story’s publication denying several of its assertions, and a month later stated that it would “voluntarily restrict” its business operations in Iran due to the “increasingly complex situation.”)
In response to these collaborations between autocratic countries, democratic states will want to build similar alliances and public-private partnerships to promote a more open Internet with greater political, economic and social freedom. One goal will be to contain the spread of highly restrictive filtering and monitoring technologies to countries with low but growing Internet penetration. This could manifest itself in many different strategies, including bilateral assistance packages with specific preconditions and making an open Internet a premier policy objective for a country’s ambassadors. There could also be transnational campaigns to change the international legal framework around free expression and open-source software. The shared, “bigger picture” goals of these states—access to information, freedom of expression, and transparency—would trump the minor policy or cultural differences between them, creating a kind of revived Hanseatic League of connectivity. The Hanseatic League wielded collective power across Northern Europe from the thirteenth century through the fifteenth through its economic alliances between adjacent city-states; its contemporary equivalent could be based on similar principles of mutual assistance but in a far larger, globalized version. No longer will alliances rely so heavily on geography; everything is equidistant in virtual space. If Uruguay and Benin find cause to work together, it will be easier to do so than ever before.
Part of defending freedom of information and expression in the future will entail a new element of military aid. Training will include technical assistance and infrastructural support in lieu of tanks and tear gas—though the latter will probably remain part of the arrangement. What Lockheed Martin was to the twentieth century, technology and cyber-security companies will be to the twenty-first. Indeed, traditional defense-industry leaders like Northrop Grumman and Raytheon are already working with the U.S. government to develop cyber-capacity. Weapons manufacturers, airplane builders and other parts of the military-industrial complex might not lessen—conventional militaries will always require guns, tanks and helicopters—but big military operations, already heavily privatized, will carve out space in their budgets for technical assistance.
Development assistance and foreign aid will take on a digital dimension too, buoyed by these new multilateral alliances. The trade of foreign assistance for future influence won’t change, but the components will. In a given developing country, one foreign power might be building roads, another investing in agriculture and a third building fiber networks and cell towers. In the digital age, modern technology becomes yet another tool for forging alliances with developing states; we shouldn’t underestimate how important technological competency will be for these countries and their governments. The push for foreign aid in the shape of fast networks, modern devices, and cheap and plentiful bandwidth may come from the population, pressuring the governments to agree to the necessary preconditions. Whatever the impetus, future states in the developing world will make a long-term bet on connectivity and align their diplomatic relationships accordingly.
New alliances will form around commercial interests as well, particularly copyright and intellectual-property issues. As commerce moves increasingly to the online world, the dynamics around copyright enforcement will lead to another layer of virtual alliances and adversaries. Most copyright and intellectual-property laws are still centered on the notion of physical goods, and there are divergent attitudes about whether theft or piracy of online goods (movies, music and other content) is equivalent to the theft of physical versions of those same items. In the future, states will begin to wade more deeply into legal battles over copyright and intellectual property because the health of their commercial sectors will be at stake.
There have been multiple international agreements dealing with copyright laws: the Berne Convention of 1886, which requires mutual recognition of the copyrights of other signatory states; the Agreement on Trade-Related Aspects of Intellectual Property Rights of 1994, which set the minimum standards for intellectual-property rights in World Trade Organization (WTO) states; and the World Intellectual Property Organization (WIPO) Copyright Treaty of 1996, which protects information-technology copyrights against infringement. The laws that govern copyright around the world are generally the same. But each country is responsible for enforcement within its borders, and not all countries are equally vigilant. Given the ease with which information crosses borders, people who pirate copyrighted material are typically able to find virtual safe havens in countries with less stringent regulation.
The great concern among intellectual-property watchers in the technology world is China. Because it is a signatory to the conventions above, technically it is bound to the same standards as other countries, including the United States. At the Asia-Pacific Economic Cooperation (APEC) CEO Summit in 2011, then Chinese president Hu Jintao privately told a small group of business leaders that China would “fully implement all of the intellectual property laws as required by the World Trade Organization and modern Western practices.” We attended this meeting, and as we filed out of the room after President Hu’s comments, the American business contingent clearly expressed skepticism toward his claim. And with good reason: It’s estimated that U.S. companies lost approximately $3.5 billion in 2009 alone because of pirated music recordings and software from China, and that 79 percent of all copyright-infringing goods seized in the United States were produced in China. Clearly, it’s not the absence of laws that contributes to this problem, but their lack of enforcement. Officially, it’s against Chinese law to produce counterfeit goods or to copy intellectual property for profit, but in practice, officials are discouraged from pursuing criminal prosecution of these crimes; violators are allowed to keep their profits. Moreover, the fines for violating the laws are too low and too irregularly issued to be effective in deterring such behavior, and corruption at local and regional levels encourages officials to turn the other way and ignore repeated violations.
China is by no means the only state unwilling or unable to enforce international intellectual-property norms. Russia, India and Pakistan have all been singled out for their equally dismal enforcement of these laws. Israel and Canada aren’t normally considered hotbeds of copyright infringement, but neither country has fully implemented the standards and laws of the WIPO, making them a haven for Internet piracy. And within the group of states that do have strong protections for intellectual-property rights, there are usually significant and exploitable differences in interpretation. For example, the notion of fair use (as the United States terms it) or fair dealing (as the British do), which allows for the limited use of copyrighted material without consent from the copyright holder, is far more tightly controlled in the European Union than it is in either the United States or the United Kingdom.
Virtual Statehood
One of our recurring themes is that in the virtual world, size matters less. Technology empowers all parties, and allows smaller actors to have outsized impacts. And those actors need not be known or official. To wit, we believe it’s possible that virtual states will be created and will shake up the online landscape of physical states in the future.
There are hundreds of active violent and nonviolent secessionist movements in the world today, and this is unlikely to change in the future. A large portion of the movements are motivated by perceived ethnic or religious discrimination, and shortly we will discuss how physical discrimination and persecution of these groups will play out online, changing shape but not intent. In the physical world, it’s not uncommon for persecuted groups to be subject to different laws and vulnerable to indeterminate detention, extrajudicial killings, the absence of due process, and all manner of restrictions on their civil and human liberties, and most of these tactics will find their way online, aided significantly by technology that helps regimes monitor, harass and target their restive minority populations.
Hounded in both the physical and virtual worlds, groups that lack formal statehood may choose to emulate it online. While not as legitimate or useful as actual statehood, the opportunity to establish sovereignty virtually could prove to be, in the best cases, a meaningful step toward official statehood, or in the worst cases, an escalation that further entrenches both sides in a messy civil conflict. The Kurdish populations in Iran, Turkey, Syria and Iraq—the four countries where they are most concentrated—might build a Kurdish web as a way to carve out a sort of virtual independence. Iraqi Kurdistan is already quasi-autonomous, so the efforts could begin there. Kurds could establish a top-level domain (e.g., www.yahoo.com.krd), with “krd” standing for Kurdistan, by registering a new domain and basing the servers in a neutral or supportive country. Then they’d build upon that.
Virtual statehood would be much more than just a gesture and a domain name. Additional projects could also develop a distinct Kurdish presence online. With enough effort, the Kurdish web could become a robust version of other countries’ Internet, in the Kurdish language, of course. From there, Kurdish or sympathetic engineers could build applications, databases and other online destinations that not only support the Kurdish cause but actually facilitate it. The virtual Kurdish community could hold elections and set up ministries to deliver basic public goods. They could even use a unique online currency. The virtual minister of information would manage the data flow to and from the online Kurdish “citizens.” The minister of the interior would focus on preserving the security of the virtual state and protecting it from cyber attack. The foreign minister would engage in diplomatic relations with other, actual states. The economic and trade minister would promote e-commerce between Kurdish communities and outside economic interests.
Just as secessionist efforts to move toward physical statehood are typically resisted strongly by the host state, such groups would face similar opposition to their online maneuvers. The creation of a virtual Chechnya might cement ethnic and political solidarity among its supporters in the Caucasus region, but it would no doubt worsen relations with the Russian government, which would consider such a move a violation of its sovereignty. The Kremlin might well respond to virtual provocation with a physical crackdown, rolling in tanks and troops to quell the stirrings in Chechnya.
For the Kurds, who stretch across several countries, this risk would be even more pronounced, as a Kurdish virtual-statehood campaign would be met with resistance from the entire neighborhood, some of whom lack Kurdish populations but would fear a destabilizing effect. No effort would be spared to destroy the Kurdish virtual institutions through low-grade cyber-meddling and espionage, like cyber attacks, disinformation campaigns and infiltration. The populations on the ground would surely bear the brunt of the punishment. The governments would be aided, of course, by the massive amounts of data that these citizens produced, so finding the people involved or supportive of virtual statehood would be easy. Very few secessionist movements have the level of resources and international support that would be required to match this level of counterattack.
Declaring virtual statehood would become an act of treason, not just in restive regions but almost everywhere. It’s simply too risky an avenue to leave open. The concept of virtual institutions alone could breathe new life into secessionist groups that have tried and failed to produce concrete outcomes through violent means, like the Basque separatists in Spain, the Abkhaz nationalists in Georgia or the Moro Islamic Liberation Front in the Philippines. One failed or unsuitable effort could also break the experiment altogether. If, for example, the lingering supporters of the Texas secession movement rallied together to launch a virtual Republic of Texas, and they were met with derision, the concept of virtual statehood might be sullied for some time. How successful these virtual statehood claims would be (what would constitute success, in the end?) remains to be seen, but the fact that this will be feasible says something significant about the diffusion of state power in the digital age.
Digital Provocation and Cyber War
No discussion on the future of connected states would be complete without a look at the worst things they’ll do to each other: namely, launch cyber wars. Cyber warfare is not a new concept, nor are its parameters well established. Computer security experts continue to debate how great the threat is, what it looks like and what actually constitutes an act of cyber war. For our purposes, we’ll use the definition of cyber warfare offered by the former U.S. counterterrorism chief Richard Clarke: actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.[4]
Cyber attacks—including digital espionage, sabotage, infiltration and other mischief—are, as we established earlier, very difficult to trace and have the potential to inflict serious damage. Both terrorist groups and states will make use of cyber-war tactics, though governments will focus more on information-gathering than outright destruction. For states, cyber war will primarily meet intelligence objectives, even if the methods employed are similar to those used by independent actors looking to cause trouble. Stealing trade secrets, accessing classified information, infiltrating government systems, disseminating misinformation—all traditional activities of intelligence agencies—will make up the bulk of cyber attacks between states in the future. Others fundamentally disagree with us on this point, predicting instead that states will seek to destroy their enemies by heavy-handed methods like cutting off power grids remotely or crashing stock markets. In October 2012, the U.S. secretary of defense, Leon Panetta, warned, “An aggressor nation … could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” We tend to take the optimist’s perspective (at least when it comes to states) and say that such escalations, while possible, are highly unlikely, if only because the government that first starts this trend would itself become a target as well as set a precedent that even the most erratic regimes would be cautious to approach.
It’s fair to say that we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it. Right now, the government of a foreign country could be hacking into your government’s databases, crashing its servers or monitoring its conversations. To outside observers, our current stage of cyber war might seem benign (indeed, some might contend that it’s not really “war” anyway, as per the classical Clausewitzian framework of “war as a continuation of policy by other means”). Government-backed engineers might be trying to infiltrate or shut down the information systems of companies and institutions in other countries, but no one is getting killed or wounded. We’ve seen so little spillage of these cyber wars into the physical world that for civilians, a cyber attack seems more an inconvenience than a threat, like an attack of the common cold.
But those who underestimate the threat of cyber war do so at their peril. While not all the hype surrounding cyber war is justified, the risks are real. Cyber attacks are occurring with greater frequency and more precision with each passing year. The increasing entwining of our lives with digital-information systems leaves us more vulnerable with each click. And as many more countries come online in the near future, those vulnerabilities will only expand and become more complicated.
A cyber attack might be the state’s perfect weapon: powerful, customizable and anonymous. Tactics like hacking, deploying computer worms or Trojan horses and other forms of virtual espionage present states with more reach and more cover than they would have with traditional weapons or intelligence operations. The evidence trails they leave are cold, providing perpetrators with effective camouflage and severely limiting the response capability of the victims. Even if an attack could be traced back to a particular region or town, identifying the responsible parties is nearly impossible. How can a country determine an appropriate response if it can’t prove culpability? According to Craig Mundie, Microsoft’s chief research and strategy officer and a leading thinker in Internet security, the lack of attribution—one of our familiar themes—makes this a war conducted in the dark, because “it’s just much harder to know who took the shot at you.” Mundie calls cyber-espionage tactics “weapons of mass disruption.” “Their proliferation will be much faster, making this a much stealthier kind of conflict than has classically been determined as warfare,” he said.
States will do things to each other online that would be too provocative to do off-line, allowing conflicts to play out in the virtual battleground while all else remains calm. The promise of near-airtight anonymity will make cyber attacks an attractive option for countries that don’t want to appear overtly aggressive but remain committed to undermining their enemies. Until the world’s technical experts get better at determining the origin of cyber attacks and the law is able to hold perpetrators to account, many more states will join in on the activities we see today. Blocs of states that are already gaining connectivity and technical capacity, in Latin America, Southeast Asia and the Middle East, will begin launching their own cyber attacks soon, if only to test the waters. Even those who lack indigenous technical skills (e.g., local engineers and hackers) will find ways to get the tools they need.
Let’s consider a few recent examples to better illustrate the universe of cyber warfare. Perhaps the most famous is the Stuxnet worm, which was discovered in 2010 and was considered the most sophisticated piece of malware ever revealed, until a virus known as Flame, discovered in 2012, claimed that title. Designed to affect a particular type of industrial control system that ran on the Windows operating system, Stuxnet was discovered to have infiltrated the monitoring systems of Iran’s Natanz nuclear-enrichment facility, causing the centrifuges to abruptly speed up or slow down to the point of self-destruction while simultaneously disabling the alarm systems. Because the Iranian systems were not linked to the Internet, the worm must have been uploaded directly, perhaps unwittingly introduced by a Natanz employee on a USB flash drive. The vulnerabilities in the Windows systems were subsequently patched up, but not before causing some damage to the Iranian nuclear effort, as the Iranian president, Mahmoud Ahmadinejad, admitted.
Initial efforts to locate the creators of the worm were inconclusive, though most believed that its target and level of sophistication pointed to a state-backed effort. Among other reasons, security analysts unpacking the worm (their efforts made possible because Stuxnet had escaped “into the wild”—that is, beyond the Natanz plant) noticed specific references to dates and biblical stories in the code that would be highly symbolic to Israelis. (Others argued that the indicators were far too obvious, and thus false flags.) The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, malicious computer attacks exposing vulnerabilities (security holes) in computer programs that were unknown to the program’s creator (in this case, the Windows operating system) before the day of the attack, thus leaving zero days to prepare for it. The discovery of one zero-day exploit is considered a rare event—and exploited information can be sold for hundreds of thousands of dollars on the black market—so security analysts were stunned to discover that an early variant of Stuxnet took advantage of five.
Sure enough, it was revealed in June 2012 that not one but two governments were behind the deployment of the Stuxnet worm. Unnamed Obama administration officials confirmed to the New York Times journalist David E. Sanger that Stuxnet was a joint U.S. and Israeli project designed to stall and disrupt the suspected Iranian nuclear-weapons program.[5] Initially green-lit under President George W. Bush, the initiative, code-named Olympic Games, was carried into the next administration and in fact accelerated by President Obama, who personally authorized successive deployments of this cyber weapon. After building the malware and testing it on functioning replicas of the Natanz plant built in the United States—and discovering that it could, in fact, cause the centrifuges to break apart—the U.S. government approved the worm for deployment. The significance of this step was not lost on American officials.[6] As Michael V. Hayden, the former CIA director, told Sanger, “Previous cyberattacks had effects limited to other computers. This is the first attack of a major nature in which a cyberattack was used to effect physical destruction. Somebody crossed the Rubicon.”
When the Flame virus was discovered two years later, initial reports from security experts suggested that it was unconnected to Stuxnet; it was much larger, used a different programming language and operated differently, focusing on covert data-gathering instead of targeting centrifuges. It was also older—analysts found that Flame had been in existence for at least four years by the time they discovered it, which means it predated the Stuxnet worm. And Sanger reported that American officials denied that Flame was part of the Olympic Games project. Yet less than a month after the public revelations about these cyber weapons, security experts at Kaspersky Lab, a large Russian computer-security company with international credibility, concluded that the two teams that developed Stuxnet and Flame did, at an early stage, collaborate. They identified a particular module, known as Resource 207, in an early version of the Stuxnet worm that clearly shares code with Flame. “It looks like the Flame platform was a kick-starter of sorts to get the Stuxnet project going,” a senior Kaspersky researcher explained. “The operations went separate ways, maybe because Stuxnet code was mature enough to be deployed in the wild. Now we are 100 percent sure that the Stuxnet and Flame groups worked together.”
Though Stuxnet, Flame and other cyber weapons linked to the United States and Israel are the most advanced known examples of state-led cyber attacks, other methods of cyber warfare have already been used by governments around the world. These attacks needn’t be limited to highly consequential geopolitical issues; they can be deployed to harass a disliked fellow state with equal panache. Following a diplomatic fight in 2007 over the Estonian government’s decision to remove a Russian World War II memorial in its capital, Tallinn, a mass of prominent Estonian websites, including those of banks, newspapers and government institutions, were abruptly struck down by a distributed denial of service (DDoS) attack. Estonia is often called the most wired country on Earth, because almost every daily function of the state (and nearly all of its citizens) employs online services, including e-government, e-voting, e-banking and m-parking, which allows drivers to pay for their parking with a mobile device. Yet the country that gave the world Skype suddenly found itself paralyzed due to the efforts of a group of hackers. The systems came back online, and the Estonians immediately suspected their neighbor Russia—the Estonian foreign minister, Urmas Paet, accused the Kremlin directly—but proving culpability was not possible. NATO and European Commission experts were unable to find evidence of official Russian government involvement. (The Russians, for their part, denied the charges.)
Some questions that arise—Was it an act of cyber warfare? Would it be if the Kremlin hadn’t ordered it, but gave its blessing to the hackers who executed it?—remain unanswered. In the absence of attribution, victims of cyber attacks are left with little to go on, and perpetrators can remain safe from prosecution even if suspicion is heightened. (One year after the Estonian attacks, websites for the Georgian military and government were brought down by DDoS attacks, while the country was in a dispute with, you guessed it, Russia. The following year, Russian hackers targeted the Internet providers in Kyrgyzstan, shutting down 80 percent of the country’s bandwidth for days. Some believe the attacks were intended to curb the Kyrgyz opposition party, which has a relatively large Internet presence, while others contend that the impetus was a failed investment deal, in which Russia had tried to get Kyrgyzstan to shut down the U.S. military base it hosted.)
Then there is the example of Chinese cyber attacks on Google and other American companies over the past few years. Digital corporate espionage is a rowdy subcategory of cyber warfare, a relatively new phenomenon that in the future will have a severe impact on relations between states as well as national economies. Google finds its systems under attack from unknown digital assailants frequently, which is why it spends so much time and energy building the most secure network and protections possible for Google users. In late 2009, Google detected unusual traffic within its network and began to monitor the activity. (As in most cyber attacks, it was more valuable to our cyber-security experts to temporarily leave the compromised channels open so that we could watch them, rather than shut them down immediately.) What was discovered was a highly sophisticated industrial attack on Google’s intellectual property coming from China.
Over the course of Google’s investigation, it gathered sufficient evidence to know that the Chinese government or its agents were behind the attack. Beyond the technical clues, part of the attacks involved attempts to access and monitor the Gmail accounts of Chinese human-rights activists, as well as the accounts of advocates of human rights in China based in the United States and Europe. (These attacks were largely unsuccessful.) In the end, this attack—which targeted not only Google but dozens of other publicly listed companies—was among the driving factors in Google’s decision to alter its business position in China, resulting in the shutdown of its Google China operations, the end of self-censorship of Chinese Internet content, and the redirection of all incoming searches to Google in Hong Kong.
Today, only a small number of states have the capacity to launch large-scale cyber attacks—the lack of fast networks and technical talent holds others back—but in the future there will be dozens more participating, either offensively or defensively. Many people believe that a new arms race has already begun, with the United States, China, Russia, Israel and Iran, among others, investing heavily in stockpiling technological capabilities and maintaining a competitive edge. In 2009, around the same time that the Pentagon gave the directive to establish United States Cyber Command (USCYBERCOM), then secretary of defense Robert Gates declared cyberspace to be the “fifth domain” of military operations, alongside land, sea, air and space. Perhaps in the future the military might create the equivalent of the Army’s Delta Force for cyberspace, or we could see the establishment of a department of cyber war with a new cabinet secretary. If this sounds far-fetched, think back to the creation of the Department of Homeland Security as a response to 9/11. All it takes is one big national episode to spur tremendous action and resource allocation on the part of the government. Remember, it was the United Kingdom’s experience with Irish terrorism that led to the establishment of closed-circuit television (CCTV) cameras in every corner of London, a move that was welcomed by much of the populace. Of course, some raised concerns about their every move on the streets being filmed and stored, but in moments of national emergency, the hawks always prevail over the doves. Postcrisis security measures are extremely expensive, with states having to act quickly and go the extra mile to assuage the concerns of their population. Some cyber-security experts peg the cost of the new “cyber-industrial complex” somewhere between $80 billion and $150 billion annually.
Countries with strong engineering sectors like the United States have the human capital to build their virtual weapons “in-house,” but what of the states whose populations’ technical potential is underdeveloped? Earlier, we described a minerals-for-technology trade for governments looking to build surveillance states, and it stands to reason that this type of exchange will work equally well if those states’ attention turns toward their external enemies. Countries in Africa, Latin America and Central Asia will locate supplier nations whose technological investment can augment their own lackluster infrastructure. China and the United States will be the largest suppliers but by no means the only ones; government agencies and private companies from all over the world will compete to offer products and services to acquisitive nations. Most of these deals will occur without the knowledge of either country’s population, which will lead to some uncomfortable questions if the partnership is later exposed. A raid on the Egyptian state security building after the country’s 2011 revolution produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime.
For countries looking to develop their cyber-war capabilities, choosing a supplier nation will be an important decision, akin to agreeing to be in their “sphere of online influence.” Supplier nations will lobby hard to gain a foothold in emerging states, since investment buys influence. China has been remarkably successful in extending its footprint into Africa, trading technical assistance and large infrastructure projects for access to resources and consumer markets, in no small part due to China’s noninterference policy and low bids. Who, then, will those countries likely turn to when they decide to start building their cyber arsenal?
Indeed, we already see signs of such investments under the umbrella of science and technology development projects. Tanzania, a former socialist country, is one of the largest recipients of Chinese foreign direct assistance. In 2007, a Chinese telecom was contacted to lay some ten thousand kilometers of fiber-optic cable. Several years later, a Chinese mining company called Sichuan Hongda announced that it had entered into a $3 billion deal with Tanzania to extract coal and iron ore in the south of the country. Shortly thereafter, the Tanzanian government announced it had entered into a loan agreement with China to build a natural-gas pipeline for $1 billion. All across the continent, similar symbiotic relationships exist between African governments and big Chinese firms, most of which are state-owned. (State-owned enterprises make up 80 percent of the value of China’s stock market.) A $150 million loan for Ghana’s e-governance venture, implemented by the Chinese firm Huawei, a research hospital in Kenya, and an “African Technological City” in Khartoum all flow from the Forum on China-Africa Cooperation (FOCAC), a body established in 2000 to facilitate Sino-African partnerships.
In the future, superpower supplier nations will look to create their spheres of online influence around specific protocols and products, so that their technologies form the backbone of a particular society and their client states come to rely on certain critical infrastructure that the superpower alone builds, services and controls. There are currently four main manufacturers of telecommunications equipment: Sweden’s Ericsson, China’s Huawei, France’s Alcatel-Lucent and Cisco in the United States. China would certainly benefit from large portions of the world using its hardware and software, because the Chinese government has dominating influence over what its companies do. Where Huawei gains market share, the influence and reach of China grow as well. Ericsson and Cisco are less controlled by their respective governments, but there will come a time when their commercial and national interests align and contrast with China’s—say, over the abuse of their products by an authoritarian state—and they will coordinate their efforts with their governments on both diplomatic and technical levels.
These spheres of online influence will be both technical and political in nature, and while in practice such high-level relationships may not affect citizens in daily life, if something serious were to happen (like an uprising organized through mobile phones), which technology a country uses and whose sphere it’s in might start to matter. Technology companies export their values along with their products, so it is absolutely vital who lays the foundation of connectivity infrastructure. There are different attitudes about open and closed systems, disputes over the role of government, and different standards of accountability. If, for example, a Chinese client state uses its purchased technology to persecute internal minority groups, the United States would have very limited leverage: Legal recourse would be useless. This is a commercial battle with profound security implications.
The New Code War
The logical conclusion of many more states coming online, building or buying cyber-attack capability and operating within competitive spheres of online influence is perpetual, permanent low-grade cyber war. Large nations will attack other large nations, directly and by proxy; developing nations will exploit their new capabilities to address long-standing grievances; and smaller states will look to have a disproportionately large influence, safe in the knowledge that they won’t be held accountable because of the untraceable nature of their attacks. Because most attacks will be silent and slow-moving information-gathering exercises, they won’t provoke violent retaliation. That will keep tensions on a slow burn for years to come. Superpowers will build up virtual armies within their spheres of influence, adding an important proxy layer to insulate them, and together they’ll be able to produce worms, viruses, sophisticated hacks and other forms of online espionage for commercial and political gain.
Some refer to this as the upcoming Code War, where major powers are locked in a simmering conflict in one dimension while economic and political progress continues unaffected in another. But unlike its real-world predecessor, this won’t be a primarily binary struggle; rather, the participation of powerful tech-savvy states including Iran, Israel and Russia will make it a multipolar engagement. Clear ideological fault lines will emerge around free expression, open data and liberalism. As we said, there will be little overt escalation or spillage into the physical world because none of the players would want to jeopardize their ongoing relationships.
Some classic Cold War attributes will carry over into the Code War, particularly those pertaining to espionage, because governments will largely view their new cyber-warfare capabilities as extensions of their intelligence agencies. Embedded moles, dead letter drops and other tradecraft will be replaced by worms, key-logging software, location-based tracking and other digital spyware tools. Extracting information from hard drives instead of from humans may reduce risk to traditional assets and their handlers, but it will introduce new challenges, too: Misinformation will remain a problem, and very sophisticated computers may give up secrets even less easily than people.
Another Cold War attribute—war by proxy—will see a revival in these new digital-age entanglements. On one hand, it could manifest in progressive alliances between states to counter dangerous non-state elements, where the cyber attack’s lack of attribution provides political cover. The United States could covertly fund or train Latin American governments to launch electronic attacks on drug-cartel networks. On the other hand, war by digital proxy could lead to further misdirection and false accusations, with countries exploiting the lack of attribution for their own political or economic gain.
As with the Cold War, there will be little civilian involvement, awareness or direct harm, which deleteriously affects how states perceive the risks of such activities. States with ambition but a lack of experience in cyber warfare might go too far and unintentionally start a conflict that actually does harm their populations. Eventually, mutually-assured-destruction doctrines might emerge between states that stabilize these dynamics, but the multipolarity of the landscape promises to keep some measure of volatility in the system.
More important, there will be a great deal of room for error in the new Code War. The misperceptions, misdirection and mistakes that characterized the Cold War era will reappear with vigor as all participants go through the process of learning how to use the powerful new tools at their disposal. Given the additional layer of obfuscation that cyber attacks provide, it might end up being worse than the Cold War—even exploded missiles leave trails. Mistakes will be made by governments in deciding what to target and how, by victims who out of panic or anger retaliate against the wrong party, and by the engineers who construct these massively complicated computer programs. With weapons this technically complex, it’s possible that a rogue individual would install his own back door in the program—a means of access that bypasses security mechanisms and can be used remotely—which would remain unnoticed until he decided to use it. Or perhaps a user would unknowingly share a well-constructed virus in a way its creators did not intend, and instead of skimming information about a country’s stock exchange, it would actually crash it. Or a dangerous program could be discovered that would bear several false flags (the digital version of bait) in the code, and this time the targeted country would decide to take action against the apparent source.
We’ve already seen examples of how the attribution problem of cyber attacks can lead to misdirection on a state level. In 2009, three waves of DDoS attacks crippled major government websites in both the United States and South Korea. When security experts reviewed the cyber attack, they found Korean language and other indicators that strongly suggested that the network of attacking computers, or botnet, began in North Korea. Officials in Seoul directly pointed their fingers at Pyongyang, the American media ran with the story and a prominent Republican lawmaker demanded that President Obama conduct a “show of force or strength” against North Korea in retaliation.
In fact, no one could prove where the attacks came from. A year later, analysts concluded they had no evidence that North Korea or any other state was involved. One analyst in Vietnam had earlier said that the attacks originated in the United Kingdom, while the South Koreans insisted that North Korea’s telecommunications ministry was behind them. Some people even thought it was all a hoax orchestrated by the South Korean government or activists attempting to incite U.S. action against the North Korean regime.
These attacks were, by most accounts, rather ineffectual and fairly unsophisticated—no data was lost, and the DDoS method is considered a rather blunt instrument—which in part explains why the situation did not escalate. But what happens when more countries can build Stuxnet worms, and even more sophisticated weapons? At what point does a cyber attack become an act of war? And how does a country retaliate when the instigator can almost always cover his tracks? Such questions will have to be answered by policy-makers the world over, and sooner than they expect. Some solutions to these challenges exist, but most options, like international treaties governing cyber attacks, will require substantial investment as well as honest dialogue about what we can and cannot control.
The episodes that prompt these discussions will probably not be state-to-state cyber warfare; a more likely driver will be state-sponsored corporate espionage. States can contain the fallout of attacks on their own governmental networks, but if companies are targeted, the attacks are much more public and can affect more people if user or customer data is involved. Globalization also makes digital corporate espionage a more fruitful endeavor for states. As companies look to expand their reach into new markets, inside information about their operations and future plans can help local entities win contracts and regional favor. To examine why this is true and what it means for the future, we have to look, again, at China.
While China is by no means the only country engaging in cyber attacks on foreign companies, today it is the most sophisticated and prolific. Beijing’s willingness to engage in corporate espionage, as well as to sanction its companies to do the same, results in a heightened vulnerability for foreign corporations, not just those looking to work in China but those everywhere in the world. The previously mentioned Chinese cyber attack against Google and dozens of other companies in 2009 is hardly an isolated case; in only the past few years, the industrial-espionage campaign led by Chinese spy agencies has targeted American companies producing everything from semiconductors and motor vehicles to jet-propulsion technology. (Of course, corporate espionage is not a new phenomenon. In one famous nineteenth-century example, England’s East India Company hired a Scottish botanist to smuggle Chinese plants and secrets from China into India—which he did successfully, dressed as a Chinese merchant—to break the Chinese monopoly on tea.)
What is new about this latest iteration of corporate espionage is that, in the digital era, so much work can be done remotely and near-anonymously. As we’ll see shortly in our discussion of automated warfare, this is a crucial new technological development that will affect many areas in our future world. We live in an age of expansion, and as China and other emerging superpowers seek to expand their economic foothold around the world, digital corporate espionage will greatly enhance their abilities to grow. Whether officially state-sponsored or simply encouraged by the state, hacking into competitors’ e-mails and systems to obtain proprietary information will certainly give players an unfair advantage in the market. Several business leaders of major American corporations have told us in confidence about deals they lost in Africa and other emerging markets because of what they believe to be Chinese spying or theft of sensitive information (which was then used to thwart or commandeer their deals).
Today, the majority of cases of corporate espionage between China and the United States appear to involve opportunists rather than the visible hand of the state. There was the Chinese couple in Michigan who stole trade information related to General Motors’ research into hybrid cars (which the company estimated to be worth $40 million) and tried to sell it to Chery Automobile, a Chinese competitor. There was the Chinese employee of Valspar Corporation, a leading paint and coatings manufacturer, who illegally downloaded confidential formulas valued at $20 million, intending to sell them to China, and the DuPont chemical researcher who stole information on organic light-emitting diodes, which he planned to give to a Chinese university. None of these actors was tied directly to the Chinese government, and in fact they may simply have been private individuals looking to profit from confidential trade secrets. But we also know that in China, where most major companies are state-owned or heavily influenced by the state, the government has conducted or sanctioned numerous intelligence-gathering cyber attacks against American companies. There can be little doubt that the attacks we know about represent a small percentage of those attempted, whether successful or not.
The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play. This is a difference in values as much as a legal one—as we discussed earlier, China today does not rate intellectual property rights very highly. But the disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage. American firms will have to fiercely protect their own information and patrol their network’s borders, as well as monitor a range of internal threats (all of the individuals in the above examples legitimately worked for those companies), just to remain competitive.
• • •
The current economic espionage will continue for decades, both between the United States and China and between other nations that gain the required technical capabilities and see the competitive advantages it offers. There will be no dramatic escalation for the same reason that we’ll have an ongoing but relatively stable Code War: the lack of attribution in cyber attacks. The Chinese government is free to support or partake in any number of cyber attacks against foreign companies or human-rights organizations so long as their involvement cannot be definitively proven.7
But there are strategies we can use to mitigate the damage caused by cyber attacks in addition to introducing some vulnerability on the part of the attackers. One idea comes from Microsoft’s Craig Mundie: virtual quarantine. As we’ve described, many cyber attacks today come in the form of DDoS attacks and regular denial-of-service (DoS) attacks, which require the use of one “open” or insecure computer on a network that the attacker can use as a base of operations to build his “zombie army” of compromised devices. (DoS attacks could be generated by a small number of hyperactive attacking machines; DDoS attacks are generated by a large, distributed—hence the extra “D”—network of attacking machines, often comprised of hacked computers owned by everyday users ignorant of the fact that their computers are being manipulated in this way.) One neglected or unprotected device on the network—a never-used laptop in a science lab, or a personal computer an employee brings to work—can become the attacker’s base and then compromise the whole system.8
Quarantine mechanisms contain this attack by enabling the ISP to shut off an infected computer as soon as it recognizes it, unilaterally and without owner authorization, taking the computer off-line. “The basic premise is that when you have a network disease, you have to find a way to slow the spread rate,” Mundie explained. “We quarantine people involuntarily, but in cyberspace we haven’t yet decided that quarantining is the right thing to do.” When any machine shows signs of virus or disease, it must be “isolated, contained and healed before being exposed to healthy systems,” he added. Users often don’t recognize when their computers have been compromised, so allowing the ISPs to conduct these actions will bring about a much faster resolution. Depending on how the mechanism works and what kind of attack is being used, the attackers may or may not recognize that the infected device is off-line—but the user would find his Internet connection inoperable, by mandate of the ISP. By denying the attackers the ability to reach through the infected computer, the harm they can do is greatly reduced.
In Mundie’s vision, there would be a neutral international organization to which ISPs could report the IP addresses of infected computers. This way ISPs and states around the world could refuse to let quarantined IP addresses into their online space, cutting off the range of the cyber attack. In the meantime, investigators could watch the cyber attackers from a distance (the attackers would not know the device had been quarantined) and gather information about them to help trace the origin of the attacks. Only when the user had certifiably cleaned his device (with special antivirus software) would his IP address be released from quarantine. In addition to an international organization leading these changes, we might see in parallel the creation of an international treaty around the automatic takedown mechanism. International agreement about swift action to deal with infected networks would be a big step forward in fighting cyber attacks. States that do not agree to the treaty might risk having their whole country considered quarantined, thus putting it off-line for much of the world’s users.
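The quarantine workflow described above, as an added sketch that is not from the book or from Mundie's proposal: ISPs report infected addresses to a neutral registry, participating networks contain traffic from those addresses while keeping a record for investigators, release requires certified cleaning, and a non-signatory state's whole address space is refused. The class and method names, the "sinkhole" and "drop" verdicts, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress


class QuarantineRegistry:
    """Hypothetical neutral clearinghouse for quarantined addresses (illustrative names)."""

    def __init__(self):
        self._hosts = {}          # ip_address -> ISP that reported it as infected
        self._state_blocks = {}   # ip_network -> non-signatory state that owns it
        self.observations = []    # (src, dst) flows retained for investigators

    def add_nonsignatory_state(self, state, prefixes):
        """Treat every prefix of a state outside the treaty as quarantined."""
        for prefix in prefixes:
            self._state_blocks[ipaddress.ip_network(prefix)] = state

    def report_infected(self, isp, ip):
        """An ISP reports an infected device; no owner authorization is involved."""
        self._hosts[ipaddress.ip_address(ip)] = isp

    def release(self, ip, certified_clean):
        """Lift quarantine only once the device has been certified clean."""
        addr = ipaddress.ip_address(ip)
        if not certified_clean or addr not in self._hosts:
            return False
        del self._hosts[addr]
        return True

    def status(self, ip):
        """Classify a source address: one infected host, a refused state, or clear."""
        addr = ipaddress.ip_address(ip)
        if addr in self._hosts:
            return "host-quarantined"
        if any(addr in net for net in self._state_blocks):
            return "state-quarantined"
        return "clear"

    def filter(self, src, dst):
        """Decision a participating ISP makes for one flow entering its network."""
        verdict = self.status(src)
        if verdict == "clear":
            return "forward"
        if verdict == "host-quarantined":
            # Contained, but recorded so investigators can watch from a distance.
            self.observations.append((src, dst))
            return "sinkhole"
        return "drop"


def demo():
    """Walk one infected device through report, containment and release."""
    # Constructed sample data: documentation addresses and invented names.
    reg = QuarantineRegistry()
    reg.add_nonsignatory_state("Non-signatory state", ["203.0.113.0/24"])
    reg.report_infected("ISP-A", "192.0.2.10")
    target = "198.51.100.5"
    steps = [
        reg.filter("192.0.2.10", target),   # reported device
        reg.filter("192.0.2.11", target),   # healthy neighbour on the same network
        reg.filter("203.0.113.7", target),  # any host in the non-signatory state
    ]
    reg.release("192.0.2.10", certified_clean=False)  # not yet cleaned: refused
    steps.append(reg.filter("192.0.2.10", target))
    reg.release("192.0.2.10", certified_clean=True)   # cleaned: released
    steps.append(reg.filter("192.0.2.10", target))
    return steps, reg.observations


if __name__ == "__main__":
    print(demo())
```

The healthy neighbour at 192.0.2.11 is unaffected, which is the point of per-address quarantine, while the state-level block is a blunt prefix match that takes every host in that range off-line for participating networks.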
Stronger network security will improve the odds for potential targets well before any quarantining is required. One of the basic problems in computer security is that it typically takes much more effort to build defenses than to penetrate them; sometimes programs to secure sensitive information rely on 10 million lines of code while attackers can penetrate them with only 125 lines. Regina Dugan, a senior vice-president at Google, is a former director of DARPA (the Defense Advanced Research Projects Agency), where her mandate included advancing cybersecurity for the U.S. government. She explained to us that, to effectively counter this imbalance, “We went after the technological shifts that would change that basic asymmetry.” And, like Mundie, Dugan and DARPA turned to biology as one of the ways to counter the imbalance: They brought together cybersecurity experts and infectious-disease scientists; the result was a program called CRASH, the Clean-Slate Design of Resilient, Adaptive, Secure Hosts.
The philosophy behind CRASH recognized that human bodies are genetically diverse and have immune systems designed to process and adapt to viruses that pass through them, while computers tend to be very similar in their structure, which enables malware to attack large numbers of systems efficiently. “What we observed in cybersecurity,” Dugan said, “is that we needed to create the equivalent of an adaptive immune system in computer security architecture.” Computers can continue to look and operate in similar ways, but there will have to be unique differences among them developed over time to protect and differentiate each system. “What that means is that an adversary now has to write one hundred and twenty-five lines of code against millions of computers—that’s how you shift the asymmetry.” The lesson learned is undoubtedly applicable beyond cybersecurity; as Dugan put it, “If that initial observation tells you this is a losing proposition, you need something foundationally different, and that in and of itself reveals opportunities.” In other words, if you can’t win the game, change the rules.
Still, despite some tools for dealing with cyber attacks, lack of attribution online will remain a serious challenge in computer and network security. As a general rule, with enough “anonymizing” layers between one node and another on the Internet, there is no way to trace data packets back to their source. While grappling with these issues, we must remember that the Internet was not built with criminals in mind—it was based on a model of trust. It’s challenging to determine who you are dealing with online. Information-technology (IT) security experts get better at protecting users, systems and information every day, but the criminal and anarchic elements on the web grow equally sophisticated. This is a cat-and-mouse game that will play out as long as the Internet exists. The publication of cyber-attack and malware details will help, on a net level; once the components of the Stuxnet worm were unpacked and published, the software it used was patched and cyber-security experts could work on how to protect systems against malware like it. Certain strategies, like universal user registration, might work too, but we have a long way to go before Internet security is effective enough everywhere to prevent simple cyber attacks. We are left once again with the duality of the online world: Anonymity can present opportunities for good or ill, whether the actor is a civilian, a state or a company, and it will ultimately depend on humans how these opportunities manifest themselves in the future.
To summarize: States will long for the days when they only had to think about foreign and domestic policies in the physical world. If it were possible to merely replicate these policies in the virtual realm, perhaps the future of statecraft would not be so complex. But states will have to contend with the fact that governing at home and influencing abroad is far more difficult now. States will pull the most powerful levers they have, which include the control they hold over the Internet in their own countries, changing the online experiences of their citizens and banding together with like-minded allies to exert influence in the virtual world. This disparity between power in the real world and power in the virtual world presents opportunities for some new or underappreciated actors, including small states looking to punch above their weight and would-be states with a lot of courage.
States looking to understand each other’s behavior, academics studying international relations, and NGOs and businesses operating on the ground within sovereign territory will need to do separate assessments for the physical and virtual worlds, understanding which events that occur in one world or the other have implications in both, and navigating the contradictions that may exist between a government’s physical and virtual foreign and domestic policies. It is hard enough to get this right in a world that is just physical, but in the new digital age error and miscalculation will occur more often. Internationally, the result will be more cyber conflict and new types of physical wars, and, as we will now see, new revolutions.
1 We recommend the 2006 book Who Controls the Internet?: Illusions of a Borderless World, by Jack Goldsmith and Tim Wu, which puts forth this scenario with great clarity.
2 Internet Balkans, as we refer to them, are different than intranets. An intranet uses the same Internet protocol technology but is limited to a network within an organization or local area, instead of a network of other networks. Corporate intranets are often protected from unauthorized external access by firewalls or other gateway mechanisms.
3 Smaller incidents, however, do suggest that governments are capable and perhaps comfortable manipulating DNS routing on occasion. More than a few times, Google’s web address has mysteriously directed people to www.Baidu.com, China’s local search competitor.
4 We distinguish between “cyber attack” and “cyber terrorism” by looking at the individual or entity behind the attack and assessing motives. The two, however, may manifest themselves in very similar ways, such as economic espionage.
5 When we asked the former Israeli intelligence chief Meir Dagan about the collaboration, his only comment was, “Do you really expect me to tell you?”
6 Larry Constantine, a professor at the University of Madeira, in Portugal, challenges Sanger’s analysis in a September 4, 2012, interview podcast with Steven Cherry, an associate senior editor at IEEE Spectrum, the magazine of the Institute of Electrical and Electronics Engineers, arguing that it is technically impossible for Stuxnet to have spread in the manner that Sanger described (e.g., Stuxnet could spread only over a LAN—local area network—not the Internet). Our view is that Constantine’s argument has enough validity to at least warrant debate.
7 Eventually, the Chinese government will be caught red-handed in one of these industrial attacks. If the case is presented to the United Nations Security Council, no resolution will ever be approved, owing to China’s veto power, but the outcome will nevertheless be serious geopolitical embarrassment.
8 There’s an important distinction that needs to be made here. For the purposes of DoS and DDoS attacks, it’s not always relevant whether any compromised computers are inside or outside the target’s network. Where it matters most is in industrial espionage, when the goal is information extraction; in those cases, computers must be inside the network.