Network Working Group LH. Liu, Ed. Internet-Draft WJL. Wang, Ed. Intended status: Informational ZCY. Zhang, Ed. Expires: 27 December 2023 Tsinghua University PMT. Zhang, Ed. Sunderland University MJ. Ma, Ed. Oxford University 25 June 2023 Framework for Rule-based International Cyberspace Governance draft-hanliu-ricg-00 Abstract Cyberspace involves politics, economy, culture, and technology; it engages governments, international organizations, Internet companies, technology communities, civil society, and citizens, forming an integrated, organic body. In a word, cyberspace is the online version of a community with a shared future for mankind. This memo tries to outline a new framework for rule-based international cyberspace governance regime in the context of IPv6 application, which looks into the future international cooperation of cyberspace governance. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 27 December 2023. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. Liu, et al. Expires 27 December 2023 [Page 1] Internet-Draft Rule-based International Cyberspace Gove June 2023 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. General Principles . . . . . . . . . . . . . . . . . . . . . 4 3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Fundamental Principles and Objectives . . . . . . . . . . 4 3.3. Respect Sovereignty . . . . . . . . . . . . . . . . . . . 5 3.4. Human Rights Protection . . . . . . . . . . . . . . . . . 5 3.5. Rule of Law and Justice . . . . . . . . . . . . . . . . . 5 3.6. Comity and Reciprocity . . . . . . . . . . . . . . . . . 5 3.7. Flexible Governance . . . . . . . . . . . . . . . . . . . 6 3.8. Capacity Enhancement . . . . . . . . . . . . . . . . . . 6 4. Cyberspace Development . . . . . . . . . . . . . . . . . . . 6 4.1. Cooperative Development . . . . . . . . . . . . . . . . . 6 4.2. International Communication Channel . . . . . . . . . . . 6 4.3. Ensure Multi-Participation . . . . . . . . . . . . . . . 7 4.4. Promote Safe and Orderly Data Flow . . . . . . . . . . . 7 4.5. Respecting Patterns of Technological Development . . . . 7 5. Cyberspace Security . . . . . . . . . . . . . . . . . . . . . 7 5.1. Network Infrastructure Protection . . . . . . . . . . . . 8 5.2. Security of Internet Names and Digital Address . . . . . 8 5.3. Prohibition of Network Eavesdropping . . . . . . . . . . 8 5.4. Prohibition of Cyber Attacks and War . . . . . . . . . . 8 5.5. Teenagers Protection OF Teenagers . . . . . . . . . . . . 9 5.6. Cross-Border Collaboration of Electronic Evidence Retrieval . . . . . . . . . . . . . . . . . . . . . . . . 9 5.7. Protection of Data Security . . . . . . . . . . . . . . . 9 5.8. Protection of Personal Information And Privacy . . . . . 10 5.9. Cooperation in Combating Cybercrime and Cyberterrorism . 10 6. Credit System for Network Governance Enforcement Mechanism . 10 6.1. Network Credit System Construction . . . . . . . . . . . 10 6.2. Credit Status Determination . . . . . . . . . . . . . . . 11 6.3. Credit Information Management . . . . . . . . . . . . . . 11 6.4. Credit Alert Platform . . . . . . . . . . . . . . . . . . 11 6.5. Creditworthy Incentives and Discipline . . . . . . . . . 12 6.6. Credit Repairment . . . . . . . . . . . . . . . . . . . . 12 Liu, et al. Expires 27 December 2023 [Page 2] Internet-Draft Rule-based International Cyberspace Gove June 2023 7. Operational Mechanisms for Cooperation in Network Governance . . . . . . . . . . . . . . . . . . . . . . . 12 7.1. Rulemaking . . . . . . . . . . . . . . . . . . . . . . . 12 7.2. Cooperation Platform . . . . . . . . . . . . . . . . . . 13 7.3. Establishing and Cybersecurity Alert Institution . . . . 13 7.4. Funding . . . . . . . . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 10. Normative References . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction As for governance, cyberspace exhibits complexity. From a technological point of view, cyberspace is layered: it can be roughly divided into the physical layer, the logical layer, and the content layer. From the perspective of governance, these strata are interrelated and interlinked. The difficulty of international governance of cyberspace lies in the disharmony between the logic of technological layering and the logic of governance connectivity. Information technology, however, demarcated the boundaries of governance and coevolves with governance structure. In the IPv4 era, regulations on DNS resource allocation, as the core issue, is characterized by unclear governance subject, weak rules and chaotic mechanism. In the IPv6 era, technological progress has brought new opportunities and new perspectives for improving governance. International cyberspace governance requires the participation of various parties, each performing its own duties and making full use of its capabilities, and making concerted efforts to build a new system of rules. This draft tries to outline a new, rule-based international cyberspace governance regime in the context of IPv6 application, which looks into the future international cooperation of cyberspace governance. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Terminology Data: any electronic or other means of information on the record. Liu, et al. Expires 27 December 2023 [Page 3] Internet-Draft Rule-based International Cyberspace Gove June 2023 Data Processing: the collection, storage, use, processing, transmission, provision, and disclosure of data. Data Security: taking the required steps to ensure that data is effectively protected and used lawfully, as well as having the ability to guarantee a continual state of security. Network Data Processing: the collection, storage, use, processing, transmission, provision, and disclosure of network data. Personal Information: a variety of information related to identified or identifiable natural persons recorded mainly in electronic form, not limited to the use of the network generated or processed in the personal information, but does not include the anonymization of the information after processing. Network Credit: an IP address (hereinafter referred to as the credit subject), in the cyberspace activities to comply with the legal obligations, the state of fulfilling the agreed obligations. Network Credit Information: the objective data and information that can be used to identify, analyze and judge the credit status of the credit subject. 3. General Principles 3.1. Purpose In accordance with the basic spirit of the Charter of the United Nations and the fundamental principles of international law, the following rules are formulated so as to safeguard state sovereignty and promote human rights protection in cyberspace, improve the security and credibility of the global Internet and capacities of comprehensive governance, encourage innovation and change in network information technology, industry and applications, and promote, encourage governance in cyberspace sharing and cooperation among countries as well as high-quality Internet development in each country, and to strengthen the orderly open sharing of data resources and the level of information security protection. 3.2. Fundamental Principles and Objectives Cyberspace governance SHOULD follow principles of sovereign equality, peace and cooperation, fairness and justice, openness and inclusiveness, mutual benefit and progress; and SHOULD aim to create a community of common destiny, interests and responsibilities based on mutual political trust, economic integration, and cultural integration, and endeavor to construct a well order in which mankind Liu, et al. Expires 27 December 2023 [Page 4] Internet-Draft Rule-based International Cyberspace Gove June 2023 shares the achievements of global development. 3.3. Respect Sovereignty Governance in cyberspace SHOULD respect the sovereignty of all countries. State sovereignty in cyberspace is independent and equal. Rights of jurisdiction and defense are the embodiments of a country's sovereignty and SHOULD be respected and maintained by all countries. Countries MUST obey the fundamental principles and general rules of international law, refrain from infringing on the sovereignty of other countries through the Internet and interfering in the internal affairs of other countries, and bear the responsibility for prudent prevention and security of cyber activities within the scope of sovereign control. 3.4. Human Rights Protection Governance in cyberspace SHOULD fully protect human rights. Countries SHOULD protect the security of personal information and privacy, and cooperate to combat cyber attacks, cybercrimes and cyber terrorism. They SHOULD guarantee equal access and smooth communication in the Internet, prohibit discrimination and other unreasonable differential treatments. They SHOULD jointly promote the development of Internet infrastructure, ensure the safe flow of data, aim to close the digital divide, and protect and promote the rights and interests of the broadest range of Internet development. 3.5. Rule of Law and Justice All activities and acts in cyberspace MUST comply with the law and MUST NOT contravene the regulations, principles, and basic spirit of international law. Governments SHOULD NOT use their dominating position in the cyber domain in terms of facilities, technology, systems, and data to interfere with other countries' exercise of cyber sovereignty and to pursue cyber hegemony, cyber isolation, and other unfair activities. 3.6. Comity and Reciprocity Countries exercising cyber sovereignty SHOULD follow the principles of self-restraint, comity and reciprocity, so as to reduce friction and confrontation, avoid mutual constraints, and promote economic cooperation and security collaboration. Liu, et al. Expires 27 December 2023 [Page 5] Internet-Draft Rule-based International Cyberspace Gove June 2023 3.7. Flexible Governance Countries SHOULD strengthen mutual trust, actively collaborate, comprehensively improve Internet governance capacity, cooperate to establish a credit-based flexible governance system, achieve incentives for trustworthiness and constraints for breach of trust, and establish a secure, good faith, and honest cyberspace. 3.8. Capacity Enhancement Governments SHOULD actively engage in dialogues and encourage multi- field, multi-level, and multi-faceted cooperation to improve the overall security and defense capability of the cyberspace, as well as to promote socio-economic development. 4. Cyberspace Development 4.1. Cooperative Development Countries SHALL intensify their cooperation in the fields of information network technology, product and service innovation, and talent training, as well as to collaborate to overcome technical problems that threaten cybersecurity, develop cybersecurity products collaboratively, innovate network economic development models, and build a high-level, high-quality network talent team. Countries SHALL encourage collaboration in developing a network security alerting platform and the establishment of a shared security alerting mechanism to compensate for disparities in network management capacities. Countries SHALL enhance research and development of inclusive health care, inclusive education, and inclusive network products and services that promote minors' healthy development. 4.2. International Communication Channel Countries SHALL endorse multi-field, multi-level, and multi-faceted exchanges and collaboration, support trade organizations, enterprises, educational and scientific research institutions, relevant professional institutions and personnel of various countries to carry out exchanges and sharing activities on the development and utilization of network data security technologies, and promote education and training on cybersecurity. Liu, et al. Expires 27 December 2023 [Page 6] Internet-Draft Rule-based International Cyberspace Gove June 2023 4.3. Ensure Multi-Participation Countries SHOULD actively promote the formation of a well environment for governments, enterprises, relevant social organizations, and the public to participate in governance, and promote mutual recognition of cybersecurity and data processing rules and standards made by other countries and international organizations. 4.4. Promote Safe and Orderly Data Flow On the premise of ensuring data security and protecting personal information , privacy rights and interests, countries SHALL promote the safe and orderly flow of data, jointly explore the new growth of data economy, promote the innovation and development of network information technology, and facilitate the establishment of cross- border factor flow rules and risk prevention mechanisms. 4.5. Respecting Patterns of Technological Development Governance in cyberspace SHOULD respect and adapt to the objective patterns of technological development, and promote the coexistence and progress of mankind and technology. Countries SHOULD respect the nature of connectivity in cyberspace, maintain the unity of the Internet and avoid fragmentation of the Internet. Countries SHOULD NOT maliciously exclude other countries' suppliers, information technology and products, fiber optic cables and other facilities, nor SHOULD they take advantage of their own technological, economic, or political advantages to unfairly distribute or block important cyber resources and jeopardize the security of global supply chains. Countries SHOULD strive to overcome the problems of Internet Protocol Version 4 (IPv4), such as the depletion of network addresses, the difficulty of ensuring service quality, and the inefficiency of transnational collaborative governance, and give full play to the advantages of Internet Protocol Version 6 (IPv6) in network addresses, innovation space and governance, so as to improve the carrying capacity and service level of their own network. Countries with technological advantages MAY provide necessary assistance to countries in need. 5. Cyberspace Security Liu, et al. Expires 27 December 2023 [Page 7] Internet-Draft Rule-based International Cyberspace Gove June 2023 5.1. Network Infrastructure Protection Countries have the right to protect their network infrastructure in accordance with domestic laws. No country, military, government, government-authorized organizations or individuals SHALL attack or damage network infrastructure of other countries. An attack on another country's network infrastructure constitutes a violation of that country's sovereignty. A state MAY restrict or protect Internet access in accordance with the principle of sovereignty. Access to the Internet does not mean that the country gives up its sovereignty. In case of damage, loss of function or data leakage, key information infrastructure that MAY seriously endanger national security and public interests, a country MAY carry out critical measures of protection and defense, and MAY request assistance from other countries when necessary. 5.2. Security of Internet Names and Digital Address Internet root servers, communication protocols and IP addresses and other key Internet resources are global public resources. Countries SHOULD actively promote the fair allocation and management of Internet key resources and the international reform of the Internet name and digital address allocation authority, and effectively improve its representativeness and the openness and transparency of its decision-making and operation. 5.3. Prohibition of Network Eavesdropping Network eavesdropping and wiretapping activities are prohibited among countries. To ensure the safe operation of the Internet in each country, countries have the right to regulate their networks, impose access licenses for unlawful websites, and discontinue providing services to websites that do not conform to management, etc. 5.4. Prohibition of Cyber Attacks and War Launching of cyber attacks and cyber war are prohibited. Consultations, discussions, and other peaceful methods of resolving disputes SHALL be sought first, and if necessary, relevant agencies and organizations established by these rules MAY be requested to collaborate in order to resolve disputes at the minimum cost. Liu, et al. Expires 27 December 2023 [Page 8] Internet-Draft Rule-based International Cyberspace Gove June 2023 5.5. Teenagers Protection OF Teenagers Countries SHOULD punish according to law the use of the Internet to engage in activities that endanger the physical and mental health of minors, and provide a safe and healthy Internet environment for minors. They SHOULD cooperate to combat Internet use of child pornography and violent crime. Where an online data processor processes the personal information or other online data of a minor under the age of 14, it SHALL obtain the consent of the minor's parents or other guardians. Where there are provisions in the domestic laws of each country, such provisions SHALL prevail. Cyberspace governance bodies of all countries MAY, in accordance with domestic laws, consciously undertake the obligation to review, screen and intercept content that harms or MAY harm the physical and mental development of minors, and punish the production, dissemination and provider of harmful information according to law. If conditions permit, channels for reporting illegal content SHOULD also be provided to individuals and organizations in their own countries and other countries. 5.6. Cross-Border Collaboration of Electronic Evidence Retrieval For cybercrimes committed within the territory of a country or against that country, if the law enforcement authorities of that country request the public authorities, enterprises or individuals of another country to provide relevant electronic evidence for assistance, the country requested MAY, in accordance with the provisions of its domestic law, provide necessary assistance on the premise of not harming its national security, public interests and significant rights and interests of individuals. 5.7. Protection of Data Security Data conveying a country's economy, culture, national defense security, and other key public interests, as well as citizens' rights and interests, SHOULD be processed under the premise of data security. Data processing activities SHOULD adhere to international treaties, norms, and legal principles, and SHALL NOT jeopardize national security, public interest, or the legitimate rights and interests of citizens of other nations. Liu, et al. Expires 27 December 2023 [Page 9] Internet-Draft Rule-based International Cyberspace Gove June 2023 Countries SHOULD urge domestic data processors to consciously assume international and domestic social responsibilities, respect social justice, business ethics and professional ethics, and fulfill the corresponding data security protection obligations in their network data processing activities. 5.8. Protection of Personal Information And Privacy If it is truly necessary for states to collect personal information of citizens of other countries in the course of commercial cooperation, judicial cooperation or other processes, they SHALL do so for clear and reasonable purposes and in accordance with the principles of legality, legitimacy, necessity and good faith. On the basis of obtaining the consent of the relevant subject, the obligation of protection SHALL be properly fulfilled in respect of the collection, storage, use, processing, transmission, provision, disclosure, deletion and other links of personal information. If the country where the data is collected has relevant regulations, such regulations SHALL be complied with. 5.9. Cooperation in Combating Cybercrime and Cyberterrorism Countries SHALL explore to establish a new cybercrime convention that is more inclusive and transparent. To address the new threats posed by new technologies such as artificial intelligence and cloud computing, and to take aim at new forms of complex and diverse cybercrimes and new threats of cyber terrorism, countries SHALL explore to establish a new convention that covers the legitimate appeals and major concerns of all contracting parties, with transparent procedures and reasonable mechanisms. 6. Credit System for Network Governance Enforcement Mechanism 6.1. Network Credit System Construction Countries SHOULD cooperate in establishing a credit system in cyberspace, comprehensively improve the network credit information management capabilities, promote the unification of credit status determination standards, realize credit-based prior risk prevention and security warning mechanism, create a safe and reliable cyberspace for economic development and provide guarantee for economic development and information exchange. Liu, et al. Expires 27 December 2023 [Page 10] Internet-Draft Rule-based International Cyberspace Gove June 2023 6.2. Credit Status Determination Countries SHALL, in accordance with the principles of legality, objectivity, prudence and relevance, identify the credit status of the credit subject and load it into the credit file according to the network credit information directory and network credit status identification criteria. The network credit information directory aims to standardize the credit information included in the scope. The collection of credit information SHALL NOT exceed the scope stipulated in the catalogue of network credit information. The standard of network credit status identification aims at standardizing the principle, basis and rating standard of credit status identification and credit file recording. The identification of network credit status and the recording of credit files SHALL strictly comply with the identification standards of network credit status. The catalogue of network credit information and the standards for the identification of network credit status SHALL be determined by the countries through consultation. Each country MAY, in accordance with its domestic laws and regulations, compile supplementary catalogues of online credit information and detailed rules on standards for the identification of online credit status applicable to its own country. 6.3. Credit Information Management Countries SHALL establish credit files of credit subjects with a uniform or mutually identifiable logo and open the inquiry portal to member countries within rules stipulated in this Framework Rules. Sharing of credit files and other credit information is encouraged. Credit exchange of information SHALL respect each country's sovereignty and protect basic human rights, not to jeopardize national security or to breach personal rights to information or privacy. 6.4. Credit Alert Platform Countries SHALL jointly establish a unified credit early alert platform. Countries SHOULD take the initiative to conduct early risk alert on that platform for the credit subjects with serious trust- breaking behaviors in their own countries. If a country finds that a credit subject of another country has committed serious dishonesty, it SHALL submit the relevant information to the credit early warning Liu, et al. Expires 27 December 2023 [Page 11] Internet-Draft Rule-based International Cyberspace Gove June 2023 coordinating body, which SHALL decide to issue the early alert information. 6.5. Creditworthy Incentives and Discipline Countries MAY give incentives to credit subjects with good credit standing in accordance with their domestic laws. Countries MAY, in accordance with their domestic laws, impose credit punishments on credit subjects that break faith. The subject of credit who receives incentives to keep faith and punishments for breaking faith SHALL be recorded in credit files. Countries MAY impose restrictions on other countries' seriously dishonest credit subjects, and the restrictive measures SHALL be determined by consensus of all countries through consultation. Binding measures SHOULD NOT violate the Charter of the United Nations and the basic principles of international law. 6.6. Credit Repairment Credit information recorded in error SHOULD be corrected. Countries SHOULD make credit repair legislations, implement credit repair procedures, and provide credit subjects with feedback, complaints, and other forms of relief. If the credit information on the credit alert platform is erroneous, it is the responsibility of the credit warning coordinating agency to fix it. The credit alert coordination body SHALL establish remedies and corrective standards. 7. Operational Mechanisms for Cooperation in Network Governance 7.1. Rulemaking Countries SHOULD actively formulate rules for cyberspace governance that are inclusive, feasible and developable on the basis of respecting cyber sovereignty and consultations on an equal footing. Under the guidance of this Framework Rules, countries SHOULD actively formulate rules on cyberspace security, rules on digital economy cooperation, rules on credit information evaluation and sharing, and rules on consultation and mediation of cyberspace disputes. Liu, et al. Expires 27 December 2023 [Page 12] Internet-Draft Rule-based International Cyberspace Gove June 2023 7.2. Cooperation Platform Countries SHOULD cooperate in establishing a network security alert platform and credit alert platform, and explore for a digital economy cooperation platform and a cyberspace technology research, development and exchange platform. 7.3. Establishing and Cybersecurity Alert Institution Countries SHOULD establish a cybersecurity early warning institutions on the basis of respect for national sovereignty, in accordance with the principles of equality, justice, democracy, openness and scientificity. An advisory committee to provide assistance to alert institutions on decision-making SHALL be established. Members of that committee SHALL comprise of Scientific and technological institutes, commercial institutions, other organizations and relevant experts. A decision-making committee to exercise final decision-making authority based on advisory opinions SHALL be established. The members of that committee SHALL be composed of governments from all countries. 7.4. Funding The funds required for activities such as the formulation of normative documents, the establishment of platforms and the establishment of institutions under this Framework Rules SHALL be prepared by all countries through consultation in accordance with the principle of equity. The share of funds MAY be reasonably adjusted according to the actual situation such as the level of economic development of each country. 8. IANA Considerations This memo includes no request to IANA. 9. Security Considerations This document only defines a framework for network resources categorization. This document itself does not directly introduce security issues. 10. Normative References Liu, et al. Expires 27 December 2023 [Page 13] Internet-Draft Rule-based International Cyberspace Gove June 2023 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997, . Authors' Addresses Han Liu (editor) Tsinghua University Beijing 100084 China Email: liuhan@tsinghua.edu.cn Jilong Wang (editor) Tsinghua University Beijing 100084 China Email: wjl@tsinghua.edu.cn Chengyuan Zhang (editor) Tsinghua University Beijing 100084 China Email: chengyua21@mails.tsinghua.edu.cn Pardis M Tehrani (editor) Sunderland University Sunderland SR1 3SD United Kingdom Email: pardis.tehrani@sunderland.ac.uk Ji Ma (editor) Oxford University Oxford OX1 2JD United Kingdom Email: ji.ma@mansfield.ox.ac.uk Liu, et al. Expires 27 December 2023 [Page 14]