Following the horrific attack in London this weekend, Prime Minister Teresa May’s response reinforced the tight interplay between virtual and physical security. May outlined four key changes for counter-terrorism strategy, two of which focus uniquely on the cyber domain. May’s response has already been criticized as a push to drive terrorists offline. While she certainly seeks to limit physical safe spaces (e.g. ISIS in Iraq in Syria) and virtual safe spaces, her comments pertaining to international regulations have received more scrutiny. In light of last year’s Investigatory Powers Bill, which expanded UK surveillance capabilities, it is understandable that any references to regulation may raise eye brows. However, she frames these changes within an international agreements framework, eluding once more to the growing push for international norms to counter malicious use of the internet, and the need to modernize policy to counter modern threats.
When it comes to removing virtual safe spaces for violent ideologies, she notes:
“Second, we cannot allow this ideology the safe space it needs to breed. Yet that is precisely what the internet, and the big companies that provide internet-based services provide. We need to work with allied democratic governments to reach international agreements that regulate cyberspace to prevent the spread of extremist and terrorism planning. And we need to do everything we can at home to reduce the risks of extremism online.”
This reference to international agreements reflects the growing push by countries across the globe, as well as multi-national corporations, to foster a norms-based approach to establishing rules of the road when it comes to cyberspace. While she limits the inclusion to democracies, as discussions at the UN Group of Governmental Experts (UN GEE) demonstrate, there are certain commonalities that can reach across regime type and could help begin to chip away at establishing mutually agreed upon behavior. These baseline norms can then help governments coordinate and more effectively respond to activities that occur outside of those rules of the road, including information sharing to address online extremism. While norms certainly aren’t a silver bullet, May’s reference to international agreements highlights the role that digital norms as well as more formal global cooperation can have both on cybersecurity as well as counter-terrorism.
May also indirectly calls out the role of social media platforms for allowing extremist ideology a safe space. She brings to the forefront a conversation which has been growing in the United States and elsewhere in Europe, especially when seeking to balance free speech with personal safety and privacy. Twitter’s censorship has reached oral arguments at the Supreme Court, while the leak of Facebook’s content policy has been criticized in how it handles various forms of abusive or extremist content. This policy surfaced following the French election, when Facebook took down 30,000 accounts they deemed fake for spreading misinformation or deceptive content. Facebook also has been vocal in shaping the discussion around information operations and already has a policy in place to investigate terrorist content. Google also has been vocal in its efforts to combat online illicit activity, ranging from a global anti-phishing campaign to combating fake news. These social media platforms have commented on May’s remarks, arguing that many of her recommended changes are already in place.
This back-and-forth between the government and large tech companies is indicative of the need for policy modernization, one that balances security, privacy and free speech. May’s fourth point acknowledged this current policy shortcoming, noting, “as the nature of the threat we face becomes more complex, more fragmented, more hidden, especially online, the strategy needs to keep up.” The UK is not the only country lagging in policy modernization to counter the realities of the digital age. In the US, the thirty-year old Computer Fraud and Abuse Act remains the foundational policy, while there is increasingly vocal demand for a coherent cybersecurity strategy from some members of Congress, such as Senator John McCain. Technology has dramatically outpaced policy, but hopefully there are glimmers of progress as many realize that innovation must occur not just in technology, but in the policy realm as well.
The UN GGE meets later in June to finalize a framework for internalizing and operationalizing a set of digital norms. At that time, we may learn details about the UK’s position on the establishment of international agreements. While the UN GGE formulates a voluntary framework, these voluntary forms of cooperation often establish the foundation for more formalized international agreements. With the rise of censorship globally, many are understandably concerned that May is heading down a more restrictive path. However, over the last year there has been a major shift from both the tech companies and those in government to find solutions that balance security and privacy. This is no easy feat, but one that is essential as the virtual world increasingly impacts political, economic, social, and physical stability across the globe.