In the conventional understanding of national sovereignty, a country protects its legitimate and internationally-accepted territories on land, air and sea. These three are ‘tangible’ domains where the state can deploy military and paramilitary forces for national defence. When it comes to defending national sovereignty in cyberspace, countries face a dilemma of massive proportions.
Big Data Analytics has transformed commercial Internet and social media enterprises into powerful corporations that can process large amounts of user data for political, economic, social or military leverage. Though global ‘by function’, these companies are bound to the laws of the nation state hosting their headquarters. In the case of giants such as Google, Amazon, Facebook, Twitter, WhatsApp etc. the US is at a clear advantage. In similar vein, Russia maintains an advantage through VK and Telegram and China through WeChat, Weibo etc.
Till a few years ago, cyberspace was merely a medium of exchanging information and communication. Today, increased contestation among state and non-state actors has prompted certain developed and developing countries to include threats from cyberspace in their national security threat matrices. The question to ask is this: Is cyberspace a ‘free and open’ global common or should it be ‘territorialised’ through ICT asset-mapping of world countries?
In principle, states are entitled to regulate cyberspace affairs falling within their national sovereign jurisdictions by enforcing relevant domestic laws. These legal bindings, however, cannot be emplaced upon content service providers which are ‘operating’ nationally but ‘based’ overseas. The logical solution to this conundrum is to either persuade the service provider to localise data servers or, in case of legal lacunae, appoint a liaison person for coordination with state authorities.
The question to ask is this: Is cyberspace a ‘free and open’ global common or should it be ‘territorialised’ through ICT asset-mapping of world countries?
China was the first to foresee potential threats emanating from an uncharted and free-for-all cyberspace long before Stuxnet had been executed or Edward Snowden had revealed massive global espionage by the Five Eyes. Work on the Great Firewall of China (GFW) started in 1998 and was completed in a decade.
For Beijing, the broad objectives of securing national sovereignty in cyberspace were three-fold: maintain the political system’s integrity, assure national security and sovereignty and facilitate economic development through an inside-out approach. Some may view the GFW as part of exercising autocratic control over public access to the Internet but in pragmatic terms, it has proved resourceful in identifying online content pushed by elements which Beijing believes are associated with the ‘Three Evils’ i.e. Terrorism, Separatism, Extremism.
From Pakistan’s perspective, ‘informational’ or psychological threats in cyberspace are viewed with more concern instead of technical threats. This is because influence operations carried out by hostile elements directly impact the ordinary Internet users who are prone to ideological subversion and subjugation whereas technical exploits are used against, and known to, a specific target group.
In South Asia’s power dynamics, the war of narratives pushed by competing arch-rivals Pakistan and India is largely played out on social media platforms often by state elements to exercise plausible deniability through lack of attribution. On the other hand, these techniques are also used by elements promoting the ‘Three Evils’ to expand their support base. It has also been seen that certain sectarian groups have engaged in social media campaigns which have directly affected foreign policy relations with friendly countries. Domestic users also partake in such activities but some influential instigators are either of foreign origin or locals based overseas.
In South Asia’s power dynamics, the war of narratives pushed by competing arch-rivals Pakistan and India is largely played out on social media platforms often by state elements to exercise plausible deniability through lack of attribution.
The State of Pakistan’s writ is further compounded when efforts to curtail terrorist propaganda (Daesh etc.) or controversial content (blasphemy videos) are zeroed through non-cooperation by foreign-origin and foreign-based service providers. The only alternative solution, therefore, is outright censorship. Telegram (Russia-based) was banned for enabling anti-national content whereas YouTube (US-based) was temporarily banned for not removing blasphemy videos.
Lately, there has been talk of promulgating a framework to regulate social media. As ambitious as it may sound, it is both technically and socially impossible to implement; Pakistan’s questionable record in government transparency as also its low Internet penetration is not conducive for necessary bargaining. Also, a growing youth bulge in Pakistan comprising millennials is likely to reject demands for regulation.
The dilemma is that state authorities in Pakistan are themselves unfamiliar with the scope and scale of sovereign rights in cyberspace. A careful reading of the draft Personal Data Protection Act (October 2018) currently being debated in national policymaking circles reveals the following glaring anomalies:-
- The Act conditions processing and control of personal data belonging to Pakistani citizens (functions) but does not regulate the process of data flow itself within Pakistan’s territory (compliance) which may not relate to an individual entity but directly impacts national security such as challenging the national ideology and prestige [reference Section 3 (1)]. Absence of compliance obligations is alarming.
- The Act will not apply to data handlers who ‘reasonably believe’ that publication of content will serve public interest in the freedom of expression [reference Section 3 (5)(b)(ii)]. It is baffling how the data handler, and not the sovereign state, will decide which data is suited for public interest and which is not.
- The Act is promulgated for commercial data processing of citizens ‘by a government entity’ [reference Section 5(c)]. In effect, private ICT corporations are exempt from liabilities. Ironically, these companies are the biggest impediment in timely and effective case prosecution by law-enforcement authorities in Pakistan.
In the Pakistani context, ‘Cyber Sovereignty’ can be roughly defined as:-
“Establishing and maintaining the federal government’s writ over content flows within the entire national cyber territory to protect core national interests and national values”. Here, “national cyber territory” can be described as “all ICT assets, systems and architectures hosted on Pakistani territory and owned by individuals or entities of local and foreign origin”. A multi-stakeholder dialogue at the national level will need to be initiated to decide what constitutes “national interests” (such as Ideology of Pakistan and Kashmir Cause) and “national values” (support for minorities etc.).
Relevant government authorities in Pakistan should encourage knowledge exchange with Chinese counterparts in the legal, diplomatic and technical organisations for better insights into Beijing’s novel approach to cyber sovereignty. Since Pakistan and China have starkly different governing structures, Pakistan should then build upon this insight and participate in similar exchanges with other developed countries both bilaterally as well as in multi-lateral forums to finally develop a framework suited to its unique national requirements. The process must begin with the education and awareness of government functionaries.