Concerns about cyberwar, cyberespionage, and cybercrime have burst into focus in recent years. The United States and China have traded accusations about cyber intrusions, and a December 2012 U.N. conference broke down over disagreements about cyberspace governance. These events show the increased risk of cyberconflict and the corresponding need for basic agreement between states about governing cyberspace.
States agree that something must be done, but they disagree about almost everything else. Two competing visions of cyberspace have emerged so far: Russia and China advocate a sovereignty-based model of cyber governance that prioritizes state control, while the United States, United Kingdom, and their allies argue that cyberspace should not be governed by states alone.
Prior academic writing has focused on cyber issues related to states’ regulation of their citizens, but this Article addresses the now-pressing state-to-state issues. A limited analogy to existing legal regimes for the high seas, outer space, and Antarctica shows that global governance of cyberspace is possible. Moreover, these existing regimes provide a menu of options for governance and establish a baseline against which cyber governance can be assessed.
The Article examines three fundamental questions that states have answered for the other domains and must now answer for cyber: (1) what role, if any, private parties should play in governance; (2) how the domain should be governed (no governance system, treaty, or norms); and (3) whether and how to regulate military activities in the domain. The answers for the old domains were similar — multilateral governance, governance by treaty, and some level of demilitarization. But cyber differs from the old domains in important ways that suggest the answers for cyber should be different. This Article argues for multistakeholder governance, governance through norms, and regulated militarization.