There are 2.8 billion active monthly users on Facebook, 1.3 billion on WeChat, and 1 billion on TikTok. During the Covid-19 pandemic, the netizen population grew rapidly when people and businesses migrated online, resulting in a process of digital transformation. As a result, organizations and infrastructure—from electricity grids, telecommunications networks, and police departments, to banks, hospitals, and schools—are accumulating vast amounts of data to provide value to users.
While digital technology enables connectivity, convenience, and efficiency, the pervasive use of data collection and analytics in the social, financial, industrial, and military sectors has exposed the vulnerability of cyberspace in ways never previously experienced. Cybersecurity threats— whether from an individual, an organization, or a global syndicate—have the potential to damage private and public interests, destabilize the international order and endanger world peace.
The international community has yet to reach a global consensus about a digital order that can deal with issues in this increasingly complex space. Without such a consensus governing cyberspace, a global digital disorder will soon arrive.
An International Digital Disorder
When discussing potential disorder as a result of competition between two nuclear-powered states, Henry Kissinger said, “Neither side would use its weapons of mass destruction because the adversary was always able to inflict an unacceptable level of destruction in retaliation.” Kissinger’s assumption was that states know who their adversaries are, and can even have signals of potential attacks and prepare for them. Therefore, a strategy of deterrence was effective.
Unfortunately, this calculation doesn’t work in cyberspace anymore. Cyberspace largely exists on the internet. Except in dedicated networks, most users and smart devices interact and exchange information freely in cyberspace.
An underground hacker or syndicate that illicitly accesses these networks can cause catastrophic consequences. They can access the cyber domains of governments or businesses to disable and potentially destroy critical national infrastructure or networks. Others can simply be motivated by money, stealing data to trade on the black market or demanding a ransom. For example, in Australia, a cyberattack on the telecommunications company Optus and a ransomware attack on Medibank compromised the personal data of almost 20 million people, including their names, phone numbers, government-issued IDs, and other sensitive information. The real challenge is that it is very often almost impossible to identify the hackers or attribute them to any sovereign state.
Amid heightened geopolitical tensions, cyberattacks can also be launched by states, which can threaten the national security of their adversaries and inflict costs equivalent to conventional war.
While cyberspace is assuming enormous importance, it is becoming a less orderly territory, where no clear, commonly agreed upon international order governs the behavior of actors—which include governments, private organizations, individuals, and, increasingly, artificial intelligence-empowered devices. In the absence of such an international digital order, actors will continue to follow their own rules and norms, and the likely outcome is chaos in cyberspace.
Of all the issues related to the international digital order, cyberspace sovereignty stands out, even though the concept is vaguely defined. Currently, the international consensus is that cyber sovereignty should follow the rules of sovereignty outlined in the United Nations Charter.
Since the establishment of the UN, there has been a consensus that sovereign autonomy is the basis for international law. Because of the open, multi-layered, anonymous, and borderless nature of cyberspace, it is difficult to distinguish between domestic and international breaches of law. For this reason, the UN’s sovereignty rules cannot be easily applied to cyberspace. If cyber sovereignty exists independently in the online world, does cyber sovereignty belong to each country? Or is there—or should there be—a supra-national, supra-sovereign global body that governs cyber actors and their activities?
The challenge of building an international consensus on cyber sovereignty is that different countries have different perspectives and different needs. For example, China has long promoted international rules to guarantee cyberspace sovereignty. Beijing’s argument is that when the cyber sovereignty of a state is attacked, its network systems can be invaded and networked data will be compromised. In such situations, without a common understanding of the jurisdictional boundaries of cyber sovereignty, it is difficult to punish the attacker or counteract the invasion.
In the first decade of the twenty-first century, the United States began promoting a “network super-sovereignty” concept, arguing that sovereign states have little sovereign jurisdiction over the internet, as it should belong to the global population and be a platform for freedom and democracy. The essence of this theory is to oppose cyberspace sovereignty by promoting cyberspace hegemony, which has laid the foundation for the framework of U.S. internet policy.
In response to recent calls to build a co-governance framework, the United States has shifted its internet policy away from advocating openness and freedom and pursued global “multi-stakeholder” governance, which has received support from large tech firms and countries with significant cyber capabilities. However, internet users and their representatives in countries without dominant cyber capabilities have little opportunity to participate in this framework.
Data Security and National Security
Regulations and rules for data security, especially in cross-border data flows, are another imperative for building an international digital order.
Due to the dual-use nature of digital technologies such as artificial intelligence (AI) and quantum computing, the boundaries between national economic interests and security interests have blurred, which has led sovereign states, especially the United States and China, to consciously or unconsciously regard data security as synonymous with national security. Indeed, with the advent of big data analytics empowered by AI algorithms, the importance of personal data to national security is increasing, and data can be used or manipulated by one country to achieve its geopolitical goals against others. If a country’s citizens’ private data, such as their political affiliations, medical records, biometric data, or even data about their physical movements, is captured by hackers or hostile states, that data can be analyzed to create a security threat to the host country. It was for this reason that the Chinese government investigated and subsequently punished the ride-hailing company Didi after its initial public offering on the Nasdaq.
In contrast to the limited nature of traditional strategic resources such as land, oil, and minerals, data has the characteristic of non-exclusiveness, or network effects—the more data is used, the more value it has. At the individual level, data can be personal property and can carry the imputation of privacy. At the economic level, data can be a factor of productivity and a competitive advantage for an enterprise. And at the state level, data can be a strategic resource and can carry significant security value. Therefore, data can be sold for profit; there are black markets for trading stolen data through specialized hidden websites, creating yet another layer of complexity in identifying data hackers.
While most governments and organizations have implemented technologies to safeguard their data security, there are two main dynamics that can expose their vulnerabilities to potential cyber threats.
First, the prevalence of cloud computing, which enables organizations to outsource all or part of their data management to third-party companies, a field that is currently dominated by several leading firms in the United States and China. The top five—Amazon, Microsoft, Alibaba, Google, and Huawei—accounted for over 80 percent of the global market in 2021. Second, many organizations and even governments have to rely on third-party vendors—usually involving multiple suppliers—to build their cyber capabilities, which can leave the “back door” open for a so-called “supply-chain attack.” Therefore, many governments and organizations have started to adopt a “zero-trust framework” in their networks. It was for this reason that China’s vendors of 5G or web camera equipment have been suspended in network systems in the United States and allied countries.
The reality is that the digital economy is replacing the commodity trade and traditional financial activities as the main driver of globalization, which is reflected in the growing trade of data-oriented services. There is an urgent need to build a global consensus on the cross-border data trade, including financial services data, governing data acquisition, processing, storage, and transfer across borders.
Great Power Rivalry in Cyberspace
Great power competition in cyberspace between the United States and China carries enormous strategic significance for both countries. Washington and Beijing’s core objective in this competition is to use supremacy in cyber capabilities to their geopolitical advantage. Underlying cyber capability is a country’s accumulated technological power in semiconductor chips, computer operating systems, and electronic design automation tools, which lay the ground for high-performing computing, AI, and next-generation internet and mobile communication networks.
For this reason, the escalation of the great power rivalry between America and China, from trade war to tech war, has centered on competition in those advanced foundational technologies, as they have become critical resources for national sovereignty, economic development, and national security.
This competition is not just about technical standardization—it has also shifted to the political arena, where both parties are fighting over rules and regulations for the management of data transfers and data storage. The U.S. strategy to contain China’s advancement in semiconductors is a conspicuous manifestation of this competition.