Beijing and Brussels are effectively writing the rules that may determine the future of the global internet | Pool photo by Virginia Mayo/EPA China, EU seize control of the world’s cyber agenda The US guided global internet policy for decades. Now, the EU and China are taking the lead.

WASHINGTON — The United States is losing ground as the internet’s standard-bearer in the face of aggressive European privacy standards and China’s draconian vision for a tightly controlled web.

The weakening of the American position comes after years of U.S. lawmakers and presidents, including both Donald Trump and Barack Obama, backing the tech industry's aversion to new regulations. The EU has stepped in to fill part of that gap, setting privacy standards that companies like Facebook and Google must follow.

At the same time, China is dictating companies' security practices and demanding to see their products' source code — developments that experts say will undermine global cybersecurity. And while the global tech industry is adapting to these new realities, no one in the Trump administration has devised a clear plan to rebut either of these agendas.

The result: Beijing and Brussels are effectively writing the rules that may determine the future of the global internet. And China's vision is spreading across the developing world as it influences similar laws in Vietnam, Tanzania and Nigeria.

Experts in cyberpolicy say the trends could slow the internet's growth, stunt innovation and erect new market barriers for American businesses.

"The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet" — Adam Segal

"The U.S. cannot afford to be on the sidelines," said Chris Painter, who was America's top cyber diplomat from 2011 to 2017. "Other countries are doing things legislatively that affect the U.S.," said Painter, now with the Global Commission on the Stability of Cyberspace, "and the U.S. is on the back foot."

The implications extend beyond pure cybersecurity issues. China's law raises concerns about internet freedom, censorship and surveillance. The EU has placed an emphasis on citizens' privacy. But all these policies, experts say, affect America's ability to set the terms of global cybersecurity conversations.

"The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet," said Adam Segal, director of the Council on Foreign Relations' cyberpolicy program. "And we don't particularly have a coherent response to it."

Senator Ron Wyden (D-Ore.), one of Congress' leading voices on cybersecurity and technology issues, blames his colleagues for the U.S. predicament.

"The United States is failing on cybersecurity because our Congress has been captured by corporations who have successfully killed any effort to impose meaningful cyber standards," he told POLITICO in an email. "Until lawmakers decide to put consumers ahead of corporations, Americans will continue to face more cyber threats, with less recourse, than people elsewhere in the world."

Losing ground

For years, the U.S. pushed back aggressively when China and other authoritarian regimes tried to co-opt international venues to push their cyber agendas. In 2015, China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan introduced a "code of conduct for information security," but behind-the-scenes work by the Western governments halted its momentum. The U.S. blocked similar efforts at a U.N. technology commission. And in 2010, the U.S. helped prevent a vote to give the International Telecommunications Union a role in internet policymaking.

"In all bilateral and multilateral encounters heretofore, the United States has successfully and consistently, in a bipartisan way, opposed" authoritarian visions for cyberspace, said a former State and Commerce Department official who spent eight years working on cyber issues and requested anonymity to speak candidly.

Meanwhile, the U.S. passed a cyber information sharing law in 2015 that gave companies legal immunity for sharing threat data with the government, and the technical standards agency NIST introduced a widely celebrated voluntary framework for managing digital security risks. Industry groups praised these efforts. "A lot of those things get cascaded internationally through dialogues and other interactions that [U.S. officials] have," said Josh Kallmer, the senior vice president for global policy at the Information Technology Industry Council.

Because cyber issues are so fundamental to Chinese stability, Xi has taken a personal interest in the topic

But beyond these piecemeal, voluntary steps, the U.S. has advanced no coherent vision of cybersecurity regulation to counter the ones from China and Europe. And Russia will soon try again with its cybersecurity "code of conduct."

The U.S. is at a disadvantage, Painter said, because while China and others roll out ambitious new plans, American diplomats call for only modest reforms. "If the U.S. line is, 'Leave the status quo as it is,'" he said, "that's always hard."

Beijing's grand vision

In February 2014, Chinese President Xi Jinping spoke at the inaugural meeting of his new cybersecurity commission. "Without cybersecurity, there is no national security," he said. "Without informatization, there is no modernization."

It was a dramatic preview of Beijing's growing ambitions. Communist Party leaders see cybersecurity "as a fundamental part of their governance model," said Samm Sacks, a senior fellow at the Center for Strategic and International Studies. "Not just in the tech space, but as it applies to the broader economy and national and social stability."

Because cyber issues are so fundamental to Chinese stability, Xi has taken a personal interest in the topic, above and beyond how most world leaders engage with an issue that many still consider esoteric.

Beijing's iron grip on domestic affairs gives it an advantage over the U.S. when it comes to laying down the law, literally and figuratively. Authoritarian governments "face less pushback when promoting cyber regulations and governance policies," Amy Chang, a cyber expert at Harvard's Belfer Center, said in an email, "and they are also better equipped at promoting these regulations/policies with a sense of unanimity and consistency."

The result is China's cybersecurity law, which took effect on June 1, 2017, creating vaguely defined inspection regimes for network operators and critical infrastructure owners. These businesses must let Chinese officials test their equipment and software at any time. They must also store their data in China so investigators can access it. One provision could let Beijing demand companies' decryption keys, which would effectively ban the unbreakable encryption found in apps like Signal.

But even as the fractious Chinese bureaucracy prepared to implement the law, Beijing was busy promoting its view of digital security controls abroad, focusing on developing nations that it hopes will join a coalition to counter the West's internet agenda.

In a digital extension of its sweeping One Belt One Road initiative, China began spending vast sums to expand internet connectivity in small and underdeveloped countries. It donated computers to governments in nearly three dozen countries, from Pakistan to Malawi to the small island state of Tonga. Huawei, the Chinese telecom giant that U.S. officials consider a cybersecurity risk, set up armies of security cameras in the Kenyan cities of Nairobi and Mombasa as part of its "Safe City" initiative.

To cyber experts, the partnerships raised massive red flags. Behind China's generosity, they suspected, lay strategic self-interest: Beijing wants to have a foothold in these emerging countries' computer networks.

Evidence has occasionally emerged to support this view. In January, the French newspaper Le Monde reported that China had spent years spying on the African Union, whose headquarters it built and donated to the international organization in 2012. Buried in the facility's ready-made computer network, the paper said, were backdoors letting Beijing monitor the African Union's activities.

But for the most part, China's plan has gone off without a hitch — and other countries are starting to follow its lead. Vietnam recently passed a cybersecurity law that bears a striking resemblance to Beijing's. Tanzania and Nigeria, where China invested heavily in technological improvements, have done the same.

"China's influence is second to none in terms of its relationships with developing countries and in terms of its expanding relationship, recently, with developed countries," explained the former State Department official. As a result, they said, "Chinese companies are essentially the lead [and] have inside access" to countries' systems.

China's restrictive model appeals to many countries that value what Sacks called "a strong, top-down national articulation of, 'How do you govern in this essentially ungovernable space?'" It is not a coincidence that many such governments face their own internal stability concerns.

China will continue to press the attack, including at the ITU, which elected a Chinese official as its new secretary-general in 2014. Cybersecurity is expected to play a prominent role in the ITU's next major meeting this fall.

Europe enters the game

While China has created the most headaches, the U.S. must also contend with the European Union. Despite shared values, Europe's strict regulatory regime poses a threat to the lighter-touch U.S. model.

In August 2016, the EU enacted its first major cyber law, which requires "operators of essential services" to "take appropriate and proportionate ... measures to manage" their cyber risks. The EU is now considering another law that would task its cyber agency, ENISA, with certifying security products in EU member states.

Once EU member states agree on a cyber regulation, their status as a major international bloc makes it hard to propose a competing vision.

Both of these laws will force U.S. companies with European footprints to redesign their security measures to comply, and the more they do so, experts said, the more the EU position becomes the default.

And then there is the EU's General Data Protection Regulation, which, despite being primarily a privacy law, has cybersecurity implications.

The White House is reportedly preparing to introduce a GDPR competitor, but it may be too late. GDPR effectively kneecapped the U.S.' ability to set global privacy standards at a lower level. "If you're a company," said the former State Department official, "you have to abide by the stricter standard."

The EU's size poses a significant challenge to the U.S. as it contemplates alternate approaches. Once EU member states agree on a cyber regulation, their status as a major international bloc makes it hard to propose a competing vision.

How to get off the sidelines

The question for the U.S. is whether to abandon its insistence on a voluntary, industry-led approach and enact more bright-line regulations that reflect a clear U.S. vision.

Many experts said the American tradition of letting the private sector shape the debate has undercut the U.S.'s standing globally. Other countries "have looked around and said, 'Alright, this doesn't really seem to be accomplishing very much,'" Segal said.

One option would be to follow China and the EU in passing a sweeping national cyber law. If it took a light touch but still imposed rules, and if the U.S. could demonstrate that it improved security, other countries would take note. But as recent history shows, such a law stands no chance of passing Congress.

James Lewis, a cyber expert at CSIS, said the U.S. was the only country where extreme distrust of government prevented meaningful cyber regulations. "That's not how it works in the rest of the world," he said. "And I say that for both democracies and dictatorships. This overwhelming angst we have about government is not reflected anywhere else on the planet."

Naturally, industry executives say regulations aren't the answer. Chris Boyer, assistant vice president of public policy at AT&T, said the best "opportunity for the U.S. to proactively lead this conversation" lay in voluntary Internet of Things standards built around the NIST framework.

But many security experts argue that isn't enough. "These voluntary frameworks," Segal said, "have not really, as far as we can tell, improved U.S. security significantly."

Regardless of how the U.S. moves forward, experts said it must engage more aggressively in the international debate. "We should try to provide a clear roadmap of the type of approach we want to see other countries adopting," said the former State official. "Silence just cedes the ground to other views and other approaches that we fundamentally disagree with."

Sustained engagement will require a strategy on the part of the Trump administration. For now, the former official said, U.S. diplomats attending these meetings "don't say anything" and are "not relevant."

The administration's cyber leadership void has exacerbated the problem. National security adviser John Bolton eliminated the White House cyber coordinator role, the central figure overseeing all U.S. cyber activities, and former Secretary of State Rex Tillerson nixed Painter's top cyber diplomat role. A deputy assistant secretary of state, Rob Strayer, now manages cyber diplomacy, though a bill to elevate his office is nearing passage.

The State Department did not make Strayer available for an interview about the U.S.'s strategy.

"The degradation or the removal of certain roles is hugely important," according to Kallmer, who said his meetings with administration officials often involve "trying to reverse those things."

China, meanwhile, has only increased the importance of cybersecurity in its bureaucracy, elevating its cyber regulatory body to commission status. The contrast between the U.S. and China in this respect is "just comical," Sacks said.

Lewis said he recently returned from conferences in Europe and Asia where allies told him, "We can't wait for you people to make up your mind anymore."

"They would prefer us to lead," Lewis said. "But they're not going to wait."

Looming policy 'contagion'

If the U.S. doesn't step up, the course of global internet policymaking will change forever, experts warn. "Extraneous issues" like censorship would start "driving cyber policy," said the former State official.

There would also be a "contagion of bad policy," Kallmer said, as more countries followed Vietnam in rushing to China's corner.

"For the first time, many, many, many countries ... rank much higher in influence than the U.S." — Former State official

Global confidence in the internet would suffer. "How much can you trust this medium," said the former State official, "if the rules ... are being set by a country that doesn't share our democratic values?"

The battle isn't over yet, and China's agenda still faces hurdles. For one thing, much of its cyber law has not yet been enacted, and different regulatory agencies are competing over how to implement it. Plus, Chinese firms that want to dominate global markets are pushing back on Beijing's attempt to balkanize the internet. "There are constraints internally in China's system that are going to be a check on some of the more alarming parts of this vision," Sacks said.

But even so, China is making a greater effort than the U.S., and the EU isn't far behind. "For the first time," said the former State official, "many, many, many countries ... rank much higher in influence than the U.S."

Industry groups remain confident that the U.S. approach will eventually prevail. "Existing U.S. leadership is pretty good," Kallmer said, "and prospects for continued U.S. leadership are quite good."

Lewis, reflecting on his recent conversations in Europe and Asia, was more pessimistic. "The internet is going to be regulated, and it'll be regulated from Brussels and Beijing," he said. "We're kind of out of it, because we don't have a good counter."