Examining both the technical and sociopolitical types of internet resilience helps develop a deeper understanding of threats to, and drivers of, resilience.
In the context of internet governance, resilience is by no means a new concern. The goal of building and maintaining resilient systems has driven the development of standards, protocols and cybersecurity measures since the internet was in its infancy. However, in recent years, the notion of resilience has gained traction in security discourse, research and practice. In the field of cyber policy and governance, resilience thinking is at least partial evidence of a shift towards a human-centric, whole-of-society approach to security.
For those involved in technical aspects of the internet, resilience often simply means the internet’s capacity to ‘bounce back’ from disruptive incidents, ranging from outages to malicious cyberattacks. Several experts interviewed for this paper – from a variety of sectors, including industry and the technical community – described resilience as a measure of a network’s ability to recover through the repair of impaired or impacted systems, patching of vulnerabilities and restoration of reliable access to the end user. The Internet Society, an internet governance and technical body, defines resilience as an ‘acceptable level of service… in the face of faults and challenges to normal operations’. In this sense, resilience is contingent on perceived, predicted and actual (cyber)security risks and unintentional accidents.
But analysts have become increasingly concerned by the non-technical side of resilience, seeking a fuller picture of risks to the internet, its applications and users. Some analysts have sought to gauge resilience by looking at market dynamics (such as traffic localization) and technical performance (such as the performance of internet service providers). These wider notions of resilience often aim to be human-centric and subject-driven, rooted in an individual’s experience of internet access and use. These notions are therefore dependent on perspective. Perceptions of resilience also have a degree of ‘complex temporality’, in that benchmarks are responsive to, and defined by, both past and future incidents.
Wider notions of resilience aim to be human-centric and subject-driven, rooted in an individual’s experience of internet access and use.
Conceptual flexibility – and the idea that resilience can mean different things in different settings – is not necessarily an analytical shortcoming. Careful and strategic merging of technical and non-technical approaches gives rise to ecosystem-level thinking, and demands the consideration of resilience for whom, where, why and when. For example, an incident responder at a national cyber agency may define resilience in terms of technical benchmarks such as availability and recoverability. However, if that responder is also partially responsible for developing their country’s national cybersecurity strategy, their approach to resilience may then focus more on improving the experience of individuals online. If said responder then becomes a contributor to an international standards development organization, the same individual may instead define a resilient internet in terms of the strength of processes and mechanisms required to ensure the interoperability of the global internet.
This paper therefore distinguishes between two types of internet resilience:
- Technical resilience refers to the continued, reliable operation of internet infrastructure and architecture at all levels, including the ability to recover from incidents.
- Sociopolitical resilience refers to the local, organizational, national and/or international processes, policies, and non-technical systems and responses in place to ensure continued availability and meaningful use of the internet. While technological innovations increase internet resilience (for example, cloud data storage or secure transmission protocols), they do so within a particular sociopolitical context, and their impact is neither uniform nor determined solely by the technology itself.
In addition, this paper suggests two scope conditions that can aid understanding of internet resilience in any given case. First, internet resilience depends on setting, defined in geospatial or contextual terms. This includes locations (e.g. a certain country) and contextual environments (e.g. an active military conflict). For the purposes of this paper, conflict and crisis are considered as settings. Internet resilience in a particular setting and internet resilience at a global or holistic network level are closely interrelated, as demonstrated by the discussion of Ukraine in Chapter 4. Crucially, while all layers of the stack are interdependent, it is possible for some layers to demonstrate resilience while others do not. This underlines the need for a contextual approach to defining resilience, in addition to one that considers both global and local resilience.
Second, internet resilience is dependent on the relevant stakeholders. This paper defines stakeholders as those involved in the construction, maintenance and challenging of internet resilience, as opposed to those experiencing resilience (or lack thereof). Stakeholders can be loosely defined by sector or more specifically defined at the individual or organizational level.
These two distinctions provide an overall structure for the paper, as follows:
- There are two types of resilience within the scope of this paper: technical and sociopolitical.
- The settings considered in this paper are conflict and crisis settings at the national or immediate cross-border level, detailed below. Although outside of the scope of this paper, other settings could vary in levels of political and economic stability and security (e.g. peacetime, post-conflict or post-disaster, transitional).
- As explored in this section, the internet resilience landscape involves a diverse variety of stakeholders. While this paper broadly considers the private sector, others may include armed groups, militaries, international organizations, civil society organizations and others.
As described above, this paper considers internet resilience only during conflict and crisis. Conflict is defined as a setting with sustained, antagonistic military or security engagement between two or more parties with misaligned strategic objectives at the local, national or cross-border level. Conceptually, conflict is closely related to crisis. Crisis settings are more ambiguous – and can include political, military and/or other security turbulence, turnover and takeovers at the local, national or cross-border level, as well as post-conflict settings. Perhaps most importantly, both conflict and crisis settings are ones in which security risks – including risks to internet resilience – are usually heightened.
Conflicts around the world often have a direct impact on the continued, reliable operation of internet infrastructure and architecture. A violent military takeover, for instance, could lead to the physical disruption of internet infrastructure. As a representative from a major technology company commented, ‘conflict changes how [internet] infrastructure works’, but it ‘doesn’t necessarily mean it’s less resilient’. A commonly cited example of technical internet resilience is the ability of internet service providers (ISPs) to recover from localized disruptions, whether these are outages or direct attacks. However, while conflict poses severe threats to resilience, it may also provide the opportunity for demonstrating resilience. The same interviewee above commented that ‘you would assume that, during conflict, of course the internet is less resilient. But what we’ve found is that conflict teaches us lessons about resilience’.
Conflicts around the world often have a direct impact on the continued, reliable operation of internet infrastructure and architecture.
Sociopolitical internet resilience has increased salience during conflict. For instance, an ISP’s operations may be considered technically resilient if it can resume service provision to end users in the event of disruption. However, from the perspective of sociopolitical internet resilience, resumption of service must lead to the resumption of the meaningful use of everyday services for those end users. From the end user’s perspective, resilience hinges on basic functioning. As an academic researcher specializing in Ukraine noted, this means that the end user is not ‘thinking about whether [the internet] will be there the next day’.
By examining these two kinds of internet resilience in conflict and crisis, this paper can help policymakers, practitioners and researchers better understand the threats and drivers of resilience under stress. Conversely, analysing internet resilience in these settings can also reveal economic, security, political and military dynamics about the conflict or crisis itself. For instance, activists and researchers have long used open-source methodologies to track network shutdowns, bandwidth-throttling and service-based blocking of communication platforms. But this practice can also enable them to raise the necessary alerts about the use (or abuse) of internet shutdowns by repressive states to curb social upheaval.
This paper focuses on one particular set of stakeholders in the internet resilience ecosystem: the private sector. Private sector actors are individuals operating on behalf of a privately owned or publicly listed company, a company acting as a consolidated entity or several entities operating together. There are no definitional limits on organizational size, scope or remit. Indeed, the diversity of private sector actors is a key consideration in both case studies. In some cases – including that of Ukraine – whether an individual is acting on behalf of a company is not always easy to ascertain, as many initial contributions to Ukrainian cyber defence were made by individuals outside their corporate commitments. While this paper focuses on private sector stakeholders, it also considers, where relevant, the role that other non-state stakeholders may play in internet resilience. These ‘others’ range from representatives of non-profit internet governance organizations, ‘white hat’ hackers and cybercriminals, to digital rights activists and civil society advocates.
The private sector’s perceived and actual roles and responsibilities differ from ‘business-as-usual’ in two ways. First, conflict and crisis settings disrupt private sector activities due to newly created or amplified barriers to operation and risks faced in service provision on the one hand, and direct attacks, complicity or implication in conflict dynamics on the other. For instance, as an employee at a large threat-intelligence and incident-response company commented, private sector companies ‘are in the crosshairs of government operations’ and may ‘already be an intelligence target’. This new reality is encouraging private sector actors to change or adapt their posture to maintain operations.
Second, notions of duty and responsibility may also expand in such settings. Multiple interviewees from the private sector commented that in conflict environments, private sector actors will take additional steps to protect both their commercial interests and the physical security of their staff. Other interviewees commented on new modes of communication, collaboration and information sharing between the UK government and technology companies that was prompted by the Ukraine conflict (although at least two noted that similar arrangements were worryingly ‘ad hoc’). The extent of these expanded roles depends on the context of specific cases, such as those discussed in the following chapters.