Growing concerns about cybersecurity have sparked an intense international debate about data sovereignty and the degree to which governments should control the flow of data—both within and across their borders. How individual nations and the world community ultimately address these issues will have a profound effect on the global information and communications technology (ICT) market and on globalization itself. Globalization, fueled by ICT, has propelled decades of positive information exchange, innovation, and trade, and enabled unprecedented economic growth for both developed and developing nations. The Industrial Internet of Things alone is expected to add $14.2 trillion to the global economy by 2030.
Despite the growth and opportunity that a highly connected computing environment provides, certain governments have begun to initiate legislative process to enforce “data sovereignty” (government control over all data collected within a country), including the need for “data residency” (mandatory data storage location) and “data retention” (mandatory recording of data transactions). The desire for information control is not new, but the idea of developing laws to contain data flow within ones border is —and it is an alarming development for all parties that are active in the areas of global trade, technology, and public policy.
The majority of governments share the belief that, under the existing globalization model, productive use of the global Internet and technology innovation by private sectors will drive economic growth and create wealth. As a result, they are taking measures to grow their domestic technical capabilities while benefiting from access to the global market. However, enforcing stronger control of data residency, restricting commercial data, and breaking down enterprises’ decades-long operating model of managing cost-efficient global operations will neither prevent unauthorized access to sensitive data nor reduce the damage from cyberattacks on any country’s key sectors. As recent data-hacking incidents against U.S. retailers, health insurers, financial institutions, and movie studios demonstrate, cyber attackers don’t respect borders in cyberspace.
Furthermore, legislation meant to restrict data flow and information exchange in the name of cybersecurity and sovereignty may have unintended consequences that prevents rather than enables productive use of the Internet. Such legislation could stall or hinder scientific discovery, medical research, global education, and economic growth, and deny people including women, youth and small business owners’ much-needed opportunities to unleash their potential, especially in developing countries.
Nations are now at a crossroad where they must decide whether enforcing restrictions of data residency and commercial data flows as well as limiting the freedom of commercial operations within national borders are the most effective ways to protect sensitive information. Moreover, nations must ask themselves what real sovereignty in cyberspace is without the ability to maintain and improve mechanisms that allow their citizens and enterprise to benefit from the productive use of the Internet, which depends on rigorous innovation and the global exchange of services and data.
The need to create a global cyber-environment that advances national economic interests and secures sensitive information while supporting global economic growth has become a compelling challenge for all.
This paper explores the key challenges that emerging data sovereignty and data residency regimes present, and explains how such requirements erode security and endanger trade. First, the paper explains why the global flow of information and services is so valuable to both developed and developing economies. Second, it describes nations’ varied and evolving perspectives on how cyber threats are best managed, acknowledging the challenges and competing interests with which nations must struggle at domestic and international levels. Finally, the paper proposes a way forward. It encourages government, private sectors, and members of the civil society to work together, not only to improve global cybersecurity but also to retain the economic benefits of globalization while still respecting national domestic priorities to grow technology innovation capabilities, and to ensure public safety, security and privacy.
Global Data Flow, Economy and Cybersecurity
The existing globalization model allows rapid growth of the Internet and the Internet-based economy. Without legal restrictions to prevent data flow across borders, cloud and mobile technologies have transformed how people everywhere share information, exchange goods and services, make scientific discoveries, and conduct their personal and professional business. The increasing flow of goods, services, finances, and people among nations, along with the underlying data and digital communication services that support those movements, have created a tightly interconnected and rapidly expanding global collaboration.
Nearly 3 billion people worldwide (about 40 percent of the global population) now use the Internet—up from just 16 million in 1995. Furthermore, two-thirds of those users are in the developing world. In 2014, mobile-cellular subscriptions rose to nearly 7 billion, only slightly less than the number of people that inhabit the planet, with developing countries accounting for 78 percent of the total.
The growing participation of emerging economies in global trade is also apparent. In 1990, 54 percent of all goods traded internationally were exchanged among developed countries, according to the McKinsey Global Institute, but by 2012 that figure had dropped to 28 percent. Conversely, emerging economies accounted for 40 percent of goods traded in 2012, and 60 percent of those goods went to other emerging economies.
As the volume and value of international trade continued to increase, digital communication and the cross-border exchange of data exploded. The monthly volume of global online traffic grew from 84 petabytes (one petabyte is roughly equivalent to a thousand terabytes) in 2000 to more than 40,000 petabytes in 2012, nearly 500 times higher in just a dozen years. In addition, cross-border Internet traffic grew 18-fold between 2005 and 2012. McKinsey found that cross-border voice traffic had more than doubled during the previous decade, primarily as a result of the sharp increase in digital calls. As an example, the volume of Skype call minutes increased more than 500 percent between 2008 and 2012.
Although the rapid increase of cross-border Internet traffic and digital communication clearly helped drive global economic growth and the rising prosperity of developing countries, it also led to heightened cybersecurity concerns. Those concerns range from an increase in cybercrimes that steal information from millions of Internet users and well-established commercial entities to cyberattacks that target government networks and threaten national security.
At the same time, users’ concerns have been amplified at times by the operations and lack of security and privacy protections by many organizations in both private and public sectors, which collect, process, and store massive amounts of data.
Despite challenges, the existing globalization and governance model, which evolved over the past few decades, continues to bring benefits to businesses of all sizes and the users of commercial and non-profit services in both developed and developing countries. Organizations are leveraging the global ICT infrastructure to enable transnational data flow and to deliver both centralized and distributed services with minimum cost and maximum efficiency. Nevertheless, key players in the global Internet no longer trust each other as before.
Evolving Cyber Sovereignty, Cybersecurity and Internet Governance Perspectives
As nations struggle with these issues, competing visions for how to manage cyberspace and ensure data sovereignty and data security have started to emerge.
In May 2011, the White House published its “International Strategy for Cyberspace”. The paper envisions the Internet as a global network without borders, which enables the free flow of information and provides unrestricted cross-border commerce and communication. The position was consistent with the existing Internet governance model and American principles of free speech, free association, and personal privacy. The paper nevertheless made clear that the United States is prepared to retaliate against cyberattacks with military force if necessary.
Four months later, in September 2011, China, Russia, Tajikistan and Uzbekistan submitted to the 66th session of the United Nations General Assembly an “International Code of Conduct for Information Security.” The document proposed a voluntary set of rules including strict enforcement of cyber sovereignty, which gives a government the legal right to enforce its own laws within its own borders and control the flow of data.
The issue of data sovereignty became a sharp focus of debate in June 2013, when Edward Snowden, a former contractor for the National Security Agency, leaked classified information about PRISM, the U.S. government global surveillance program. According to those documents, the United States was systematically spying on governments and citizens worldwide, including U.S. allies and at least 35 world leaders. These developments, along with an increase in cyber-terrorism and other attacks, caused many countries to reconsider their own positions on cyber sovereignty and what they need to do to protect their citizens and critical infrastructure. At the same time, Internet users and businesses everywhere started asking how much access governments should have to personal information such as email, photos, and text messages. This inevitably led to questions about the degree to which private companies should be held responsible for protecting user data.
Leading Internet companies began to provide stronger encryption of user data flowing from their worldwide data centers to user devices. Not long after, the terrorist attacks in Paris reminded everyone that government surveillance and proper information exchanges among key Internet players, permitted by law and required for public safety, are still critical.
Within the past few months, an increasing number of countries have implemented new policies or regulations designed to retain control of data collected within their borders. Russia passed a law in July 2014 mandating that cloud-service providers doing business in Russia comply with a strict data residency requirement, meaning that they must hold the data they collect in databases located within the territory of the Russian Federation.
In March 2014, the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) announced its intent to relinquish control of key Internet domain-name functions and requested that the Internet Corporation for Assigned Names and Numbers (ICANN) work with the global multi-stakeholder community to propose a transition plan to replace NTIA’s current role of managing the Internet’s domain-name system at the end of September 2015. This demonstrated the U.S. government’s decision to create a multi-stakeholder governance model for the Internet, in which governments, private industries, and civil societies all have roles and responsibilities in deciding Internet policies and operations.
In January 2015, the members of the Shanghai Cooperation Organization (SCO), led by China and Russia, updated their previous proposal of an international code of conduct for information security. The revised code reaffirmed that “policy authority for Internet-related public issues is the sovereign right of States, which have rights and responsibilities for international Internet-related public policy issues.” It also required participating nations to respect the “sovereignty, territorial integrity and political independence of all States.” In addition, the revised code requested the creation of “multilateral, transparent and democratic international Internet government mechanisms, which ensure an equitable distribution of resources, facilitate access for all, and ensure the stable and secure functioning of the Internet.” This illustrated China and Russia’s position on an Internet governance model that would be government controlled.
To make the U.S government’s position clear to the public, and in response to a series of cyberattacks on U.S. businesses, President Obama signed an executive order in February 2015 at the Cybersecurity Summit held at Stanford University. The purpose of the order was to promote public- and private-sector collaboration on cybersecurity and information sharing. The White House issued a statement about the strategy, including the roles and responsibilities played by government and the private sector: “Cybersecurity is a shared responsibility. …Yet much of our nation’s critical infrastructure and a diverse array of other potential targets are not owned by the Federal government. The Federal government cannot, nor would Americans want it to, provide cybersecurity for every private network. Therefore, the private sector plays a crucial role in our overall national network defense.”
During a speech at the Stanford Graduate School of Business on April 23, 2015, U.S. Secretary of Defense Ash Carter announced the latest Department of Defense Cyber Strategy. He articulated the need for broad collaboration between government and industry to “protect not just the freedom the Internet affords and the new opportunities to advance human welfare that technology enables, but also our country, our future, our children, our people.” Specifically, he said, “I believe we must renew the bonds of trust and rebuild the bridge between the Pentagon and Silicon Valley.”
On May 8th, during China President Xi Jinping’s visit to Russia, the Russian Foreign Ministry signed a cyber agreement with China. The agreement outlined potential cyber threats, a list of cyber cooperation, as well as principles of the collaboration. It stated that the cooperation will be “consistent with generally recognized principles and norms of international law, including the principles of peaceful settlement of disputes and conflicts, non-use or threat of force, non-interference in internal affairs, respect for human rights and fundamental freedoms and the principles of bilateral cooperation and non-interference in the information resources of the Parties.” “Each Party shall have an equal right to protection of information resources of their state against misuse and unauthorized intervention, including by cyberattacks on them. Each Party shall not with respect to the other Party of such actions and assist the other Party in implementing this law.” This agreement demonstrated China and Russia’s decision to create an alliance in the cyberspace and reflected both countries’ cybersecurity interests and priorities.
The challenge for the private sector, however, is that companies have no diplomatic immunity as governments do. A multinational commercial Internet service provider must maintain a workable balance between protecting its own network, maintaining its user-data integrity and privacy when delivering reliable services, and simultaneously complying with national or regional laws that may differ from the rules of its home country. Especially, when a government requires technology providers to share sensitive data upon request, both within borders and across borders, no matter where the data center is located, it puts the industry in a difficult position. In other words, it’s not only cyber attackers who have no respect for the borders in cyberspace. Many governments also claim the legal power to access citizens’ data beyond their borders under domestic rules.
Challenges in Creating a Global Solution
Although cybersecurity and data sovereignty affect the government, industry, and citizens of every nation, countries often view these issues based on their own domestic agendas, interests, and perspectives. Each country may approach data protection and cybersecurity in its own ways, yet even with opposing political priorities and goals all nations face many common issues and technical challenges.
While fundamental divisions in values can make it difficult for nations to engage in constructive discussions about these sensitive issues, it is not impossible for them to explore a common set of concerns. These common concerns and global expectations regarding the benefits of the Internet could enable nations to forge productive collaborations, even though certain aspects of their political agendas, core values, individual laws, or policies could differ from each other. Nations must decide what will be the most important principles when it comes to serving the interests of all parties.
In other words, nations can and must seek common ground and solutions to treat the Internet as a global asset, just as nations share common rules that govern global financial transactions and transportation systems. Whatever their other goals and priorities may be, policymakers in all nations should weigh the benefits and the cost of these policies to ensure minimum impact to the global economy and the well-being of human society as a whole.
Creating effective and unified global governance of cyberspace may take time, and keeping pace with technology innovations can also be challenging. Governments need to review and update existing policies concerning user-data protection and cybersecurity enforcement mechanisms at both domestic and international levels. For example, the European Union drafted its data protection directive in the early 1990s, and the United States adopted the Electronic Communications Privacy Act in 1986. Countries created many of the existing laws for a different time—before smartphones and mobile devices, before most people had even heard of the Internet. It is also important to make the enforcement of the rules more efficient, and to keep in mind that technology will continue to advance rapidly.
In addition to laws and policies, governments have the option of adopting advanced security technologies for data protection and national security purposes. In many cases, investment in security-technology innovation and adoption of global security best practices would be better strategies than simply segregating data and restricting data flow. As an example, CESG, the British national information security assurance authority, has promoted the concept of “Secure by Default” and the use of IT security solutions based on global security standards such as the Trusted Platform Module (TPM), produced by the Trusted Computing Group, an international industry standard organization. Among other functions, the TPM enables hardware-based security to help provide full-disk encryption of computers and mobile devices in an effort to protect data no matter where it resides. The TPM also offers features such as generating encryption keys, enabling attestation between devices, and securing device identity and health to prevent unauthorized access.
Making the Right Choice
As the urgency to create global cyberspace governance principles increases, each country must decide how to deal with the dilemma of balancing the needs of different nations while avoiding economic losses and the disruption of international trade. Each country must face the potential and existing cyber and terrorism threats within its borders, as France recently did, while asking the hard questions of how to work with other countries to prevent such threats to the global community. At what point does protecting personal data security undermine public safety? When does cross-border data flow begin to threaten national security? How does the private sector provide trusted and transparent services to its customers without being seen as non-supportive of law-enforcement and government-security initiatives in different countries? The right balance may vary as each nation decides how best to deal with these issues within its own borders, but the impact on the Internet may still be global in nature.
Data flow restriction and cyber isolation will fundamentally change globalization. As technology innovations move at an ever-faster pace, each country must govern so that it continues to benefit from the Internet, the efficient borderless network that functions as a well-developed engine for economic growth. The policies of individual nations should avoid reducing Internet efficiency or disrupting the global economy. Although it’s tempting to talk about “cyber” as somehow separate from the real world, it would be a mistake to think that restrictive policies will not diminish the freedom and innovation that supported the growth of the Internet-based economy in the first place. In today’s world of mobile technology, cloud computing, and instantaneous global communication, cyberspace is as much a part of the real world as any bank or post office around the corner.
It is crucial to recognize that the future of the Internet still depends on a highly connected, open, and trusted environment where people can share information and ideas, exchange goods and services, and actively participate in the global community. It is equally important to recognize that having widely accepted principles to safeguard Internet use also helps prevent abuse and misuse by different actors. Governments need to consider how their laws will affect the Internet, cross-border communication, and data transfer to avoid creating a patchwork of conflicting laws and regulations that will do little to enhance cybersecurity, personal privacy, or economic growth.
How should nations construct a set of principles that is both practical and effective at the global level? As a starting point, governments must acknowledge how technology and globalization have led to increased scientific collaborations, advanced medical research, created new industries, offered job opportunities, delivered faster public services and energized local economies. Cybersecurity laws and measures should be about keeping information secure and ensuring a better quality of life for everyone. They should not be used to create barriers by isolating Internet users, increasing the cost of delivering information and services, restricting innovation, disrupting trade, and preventing sustained economic growth.
In developing a set of principles to help address cybersecurity and data sovereignty, three elements are critical:
- A new paradigm for cyber policy and the international rule of law
Mobile devices. Social media. Cloud computing. The Internet of Things. Many of the technologies that become mainstream today didn’t exist a few years ago. Data location and ownership in the cyber space can be a complicated issue when the actual storage location is not visible to users who trust technology providers to keep their data secure and to transmit it on demand, no matter where they are. A new paradigm of cyber policy must address the dynamic nature of technology and the impact on individual nations and the world. National priorities must take into consideration a country’s international obligations, and international cyber rules need to acknowledge the rights of nations. The globalization model may change to meet the demands of both increasingly customized markets and a globally shared economy.
The international rule of law will need to evolve to reflect the definitions of digital assets and methods of protection while providing a foundation that enables harmonization of the laws of individual nations, and creating a mechanism to address international disputes peacefully. Well-written treaties, such as the Council of Europe Treaty or the Budapest Convention on global anti-cybercrime collaboration, could offer both best practices and lessons learned for resolving differences of approaches towards combating cybercrimes, and in turn inspire nations to work together to enable productive use of the Internet on a global scale. The G20 could also be used as a forum to get world leaders on the same page in terms of defining a common approach to cyber governance. As nations work together to develop and agree on a set of common principles, in consultation with experts in related fields such as technology, law, trade, and consumer rights, they should focus on reinforcing the rule of international law rather than pursuing conflicting national policies that could diminish the growth and positive impact of the Internet.
- Transparency and innovation
Transparency is a requirement for trust. Innovation alone won’t offer the types of services that users will trust. For citizens to trust their government services, they must understand what the government is doing to protect their information. To maintain user trust, Internet service providers, and technology companies in general, must offer transparency to ensure supply-chain trust and enable proper use of the Internet infrastructure with adequate protection of customer data. Greater transparency and continued innovation could help grow the global Internet economy. Industry and government should work together to rebuild public trust of the Internet and technology. Service providers in the public and private sectors should be encouraged to be transparent about their measures for user-data protection to improve overall cybersecurity at an even faster pace.
- Accountability and partnership
Governments and corporations are both accountable for cybersecurity. Civil society and individual Internet users also need to be aware of methods for security and privacy protections from cyberattacks. Increasing investments by organizations for data protection, wherever the data may be, is no longer a nice-to-have. It should be considered as an obligation. Neither global industry leaders nor government officials can solve cyber threats and related problems on their own. As cyberattacks increasingly affect citizens, businesses and governments, security partnerships and collaboration among key players will undoubtedly become critical in creating long-term solutions, at both national and international levels.
The global community has an opportunity to come together and identify shared priorities of global cybersecurity and protecting the global economy. Nations must promote innovation and enable productive use of the Internet while keeping it secure. Restricting data flow will not end cybercrime, and keeping data in one geo-location will not guarantee data security. It is time to map out a realistic and balanced approach to safeguard cybersecurity and maintain the Internet as a growth engine for the world economy.
The Author wishes to thank Scott Charney, Paul Nicholas, Larry West, Diane Aboulafia and other reviewers for their feedback and contributions to improve this paper.
 Winning with the Industrial Internet of Things, Accenture, January 2015.
 Measuring the Information Society Report 2014, United Nations International Telecommunications Union, November 2014.
 Global flows in a digital age: How trade, finance, people, and data connect the world economy, McKinsey Global Institute, April 2014.
 International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World. White House Policy Document, May 2011.
 Bill number 553424-6: On Amendments to Certain Legislative Acts of the Russian Federation (to clarify the processing of personal data in information and telecommunications networks. http://www.theregister.co.uk/2014/07/07/russianlawwillforcecitizenspersonaldatatobestoreddata_locally/.
 NTIA Announces Intent to Transition Key Internet Domain Name Functions, http://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions.
 Council on Foreign Relations’ report of China, Russia, Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan’s submission of a revised International Code of Conduct on Information Security to the UN Secretary General. http://blogs.cfr.org/cyber/2015/01/28/will-china-and-russias-updated-code-of-conduct-get-more-traction-in-a-post-snowden-era/?utmcontent=bufferbf28b&utmmedium=social&utmsource=twitter.com&utmcampaign=buffer.
 “FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing,” Internet, http://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform (date accessed: 12 February 2015).
 FACT SHEET: White House Summit on Cybersecurity and Consumer Protection,” Internet, http://www.whitehouse.gov/the-press-office/2015/02/13/fact-sheet-white-house-summit-cybersecurity-and-consumer-protection (date accessed: 13 February 2015).
 Carter Unveils New DoD Cyber Strategy in Silicon Valley http://www.defense.gov/news/newsarticle.aspx?id=128659.
 The DoD Cyber Strategy http://www.defense.gov/home/features/2015/0415_cyber-strategy/.
 Remarks by Secretary Carter at the Drell Lecture Cemex Auditorium, Stanford Graduate School of Business, Stanford, California, http://www.defense.gov/Transcripts/Transcript.aspx?TranscriptID=5621 (date accessed: 23 April 2015).
 The Government of Russian Federation Order, dated April 30th, 2015 No. 788-p, on signing the Agreement between the Government of the Russian Federation and the Government of the People's Republic of China on Cooperation in Ensuring International Information Security.
 Responding to government legal demands for customer data http://blogs.microsoft.com/on-the-issues/2013/07/16/responding-to-government-legal-demands-for-customer-data/.
Jing de Jong-Chen is Senior Director, Global Security Strategy and Diplomacy Group in the Corporate, External and Legal Affairs Division at Microsoft Corp. She has 20 years of industry experience and domain expertise in cybersecurity policy, technology and strategic partnership development.