Be careful what you wish for: why more fragmentation might hurt global cybersecurity

Abstract

Governmental representatives often cite security concerns as a reason when justifying policies that contribute to internet fragmentation. Restrictions, such as on the use of foreign soft- and hardware or data localisation requirements, are meant to lessen cybersecurity risks, including disruptive cyberattacks or state-led surveillance campaigns. Intuitively, it seems self-explanatory that these measures translate into cybersecurity gains – the more control a government has over a system, the more secure it should be. Although critics strongly dispute such measures by making an economic case, they hardly ever question the assumption made regarding cybersecurity benefits. Our article challenges this view, taking public goods theory as our analytical point of departure to criticise notions of ‘weaponized interdependence’. Furthermore, we challenge the idea of secure national controls, which are key building blocks within justifications of governmental fragmentation policies at the application layer. More specifically, we argue that such justifications ignore negative impacts on the availability of key public goods in global cybersecurity, as well as other externalities. For example, while technological decoupling may well lead to less vulnerability to cyberattacks, it may also eliminate important incentives for self-restraint on the part of attackers due to potential blowback effects. It is with a view to such unintended consequences that we call for a more thorough assessment of the security risks and benefits within public policy debates on digital trade restrictions and data localisation.