Digital Sovereignty | Cybersecurity Policy

Slide 1 of 14  |  CSP-W4-01  |  Week 4
Digital Sovereignty
National Strategies, CI Protection, Future Trends
Digital Sovereignty • Critical Infrastructure • National Strategies • Cyber Warfare • Tallinn Manual • Internet Governance • Data Sovereignty • Tech Sovereignty • Election Security • Emerging Challenges • Global Norms
Every nation on earth is racing to answer the same question: who controls the digital infrastructure that underpins modern society? Sovereignty -- the foundational principle of the Westphalian state system -- is being redefined by data flows that ignore borders, supply chains that span continents, and cyber weapons that can cripple a nation without a single soldier crossing a line. This deck maps the geopolitical landscape of cybersecurity: from critical infrastructure protection to the emerging norms that may -- or may not -- prevent a digital catastrophe.
14 Slides CSP-W4-01 Week 4 CIS2208 -- Cybersecurity Policy
Slide 2 of 14
What Is Digital Sovereignty?
Data localization, technological independence, internet governance -- the three pillars of state control in cyberspace.
Data Sovereignty
The principle that data is subject to the laws and governance structures of the nation where it is collected or stored. When a French citizen's medical records sit on a US-owned cloud server in Ireland, three legal systems collide. Data localization mandates (Russia, China, India, Vietnam) force data to remain within national borders. The policy question: does data sovereignty protect citizens, or does it fragment the internet?
Technological Independence
The capacity of a nation to develop, maintain, and control its own critical technology stack -- from semiconductors to operating systems to cloud infrastructure. Dependence on foreign technology creates strategic vulnerability. The 2020 Huawei bans demonstrated how supply chain dependencies can become geopolitical leverage. Nations that cannot build their own chips, encrypt their own communications, or host their own data are digitally dependent.
Internet Governance
Who sets the rules for how the internet operates? The multistakeholder model (US/EU preference) distributes governance across governments, private sector, civil society, and technical community. The sovereign model (China/Russia preference) treats the internet as national territory subject to state control. The ITU, ICANN, and IGF represent competing visions of who should govern the global network.
Digital sovereignty is not a technical concept -- it is a political one. It represents the extension of Westphalian sovereignty into cyberspace: the claim that a nation has the right to control what happens within its digital borders. The tension is fundamental -- the internet was designed to be borderless, but the political systems that govern human societies are defined by borders.
The Sovereignty Spectrum
At one end: the "open internet" model, where data flows freely and governance is distributed. At the other: the "sovereign internet" model, where the state controls all digital infrastructure, content, and data within its borders. Most nations fall somewhere in between, and the trend line is moving toward more state control, not less. Even the EU -- champion of digital rights -- now mandates data localization, platform regulation, and technology audits.
Slide 3 of 14
Critical Infrastructure: The 16 Sectors
PPD-21 designates 16 CI sectors -- the assets, systems, and networks so vital that their destruction would debilitate national security, economic stability, or public health.
16 CRITICAL INFRASTRUCTURE SECTORS (PPD-21 / CISA)
ENERGY -- Electric, oil, natural gas -- SSA: DOE
COMMUNICATIONS -- Telecom, internet, broadcast -- SSA: CISA
IT SECTOR -- Hardware, software, services -- SSA: CISA
WATER -- Drinking water, wastewater -- SSA: EPA
FINANCIAL -- Banking, securities, insurance -- SSA: Treasury
TRANSPORTATION -- Aviation, rail, maritime, road -- SSA: DHS/DOT
HEALTHCARE -- Hospitals, pharma, labs -- SSA: HHS
EMERGENCY SVCS -- Law enforcement, fire, EMS -- SSA: DHS
FOOD & AG -- Farms, processing, distribution -- SSA: USDA/FDA
GOV FACILITIES -- Federal, state, local buildings -- SSA: DHS/GSA
NUCLEAR -- Reactors, materials, waste -- SSA: DHS
DAMS -- 90,000+ dams, levees -- SSA: DHS
DEFENSE IND. -- Military supply chain -- SSA: DOD
CHEMICAL -- Manufacturing, storage -- SSA: DHS
COMMERCIAL -- Retail, entertainment, real estate -- SSA: DHS
CRITICAL MFG -- Metals, machinery, electrical -- SSA: DHS
SSA = Sector-Specific Agency | PPD-21 (2013) superseded HSPD-7 | CISA coordinates cross-sector risk
Interdependency Risk
Critical infrastructure sectors do not operate in isolation. The energy sector depends on IT and communications. Healthcare depends on energy, water, and transportation. Financial services depend on IT, communications, and energy. A cascading failure across interdependent sectors is the nightmare scenario -- and it is not theoretical. The 2021 Colonial Pipeline ransomware attack disrupted fuel supply across the US Southeast, demonstrating how a single attack on one sector (energy) can cascade into transportation, emergency services, and public order.
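The interdependency risk described above can be made concrete by propagating a failure through a sector dependency graph. The following is an added illustration, not material from the deck: the edges are constructed from the slide's own sentences (energy depends on IT and communications; healthcare on energy, water and transportation; financial services on IT, communications and energy) plus the Colonial Pipeline chain (energy to transportation to emergency services). The water and emergency-services edges are assumptions made for the example, as are the sector names used as keys. The code goes beyond the single Colonial Pipeline case by ranking every sector by the size of the cascade its failure would trigger.

```python
"""Cascading-failure analysis over a sector dependency graph.

Added illustration; the dependency edges are constructed from the slide
text and are not an official interdependency model.
"""
from collections import deque

# sector -> set of sectors it depends on (constructed from the slide text;
# the water and emergency_services rows are assumptions for this example)
DEPENDS_ON = {
    "energy": {"it", "communications"},
    "it": set(),
    "communications": set(),
    "water": {"energy"},
    "transportation": {"energy"},
    "healthcare": {"energy", "water", "transportation"},
    "financial": {"it", "communications", "energy"},
    "emergency_services": {"communications", "transportation"},
}


def dependents_of(depends_on):
    """Invert the graph: sector -> sectors that depend on it.

    This is the direction a failure propagates in.
    """
    rev = {s: set() for s in depends_on}
    for sector, upstreams in depends_on.items():
        for up in upstreams:
            rev.setdefault(up, set()).add(sector)
    return rev


def cascade(failed, depends_on):
    """Breadth-first propagation of a single sector failure.

    Returns {affected_sector: hops}, where hops is the number of dependency
    links between the initial failure and that sector. The failed sector
    itself is not included in the result.
    """
    rev = dependents_of(depends_on)
    hops = {}
    queue = deque([(failed, 0)])
    seen = {failed}
    while queue:
        sector, depth = queue.popleft()
        for downstream in sorted(rev.get(sector, ())):
            if downstream not in seen:
                seen.add(downstream)
                hops[downstream] = depth + 1
                queue.append((downstream, depth + 1))
    return hops


def rank_by_footprint(depends_on):
    """Rank sectors by how many other sectors fail if they do.

    Largest cascade first; ties broken by sector name so the order is stable.
    """
    sizes = {s: len(cascade(s, depends_on)) for s in depends_on}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    energy_outage = cascade("energy", DEPENDS_ON)
    for sector, n_hops in sorted(energy_outage.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"energy outage reaches {sector} after {n_hops} hop(s)")
    for sector, size in rank_by_footprint(DEPENDS_ON):
        print(f"{sector:20s} cascade footprint = {size}")
```

With these constructed edges an energy outage reaches four sectors in one hop and emergency services in two (through transportation), while IT and communications rank above energy because a failure there takes energy down first and then everything downstream of it. Real interdependency models weight each edge by how much of a sector's capacity depends on the upstream one; this unweighted closure is the first-order view a planner starts from.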
Slide 4 of 14
National Cybersecurity Strategies
Five nations, five approaches -- each shaped by political systems, threat landscapes, and strategic priorities.
NATIONAL STRATEGY COMPARISON
UNITED STATES -- National Cyber Strategy (2023); shift liability to vendors/providers; 5 pillars including defend CI, disrupt threat actors; approach: market incentives + regulation; lead bodies: ONCD + CISA
EUROPEAN UNION -- Cyber Solidarity Act (2024); NIS2 mandatory for essential entities; EU-CyCLONe for crisis management; Cyber Reserve Force; approach: regulation-first + solidarity; lead bodies: ENISA + CSIRTs
CHINA -- Cybersecurity Law (2017) + DSL/PIPL; data localization mandated for CI data; Great Firewall for content control; tech self-reliance; approach: state control + self-sufficiency; lead bodies: CAC + MSS
ISRAEL -- National Cyber Directorate (INCD); military-to-startup talent pipeline; Unit 8200 alumni drive industry; Beersheva CyberHub; approach: military-civil integration; lead bodies: INCD + IDF
AUSTRALIA -- Cyber Security Strategy (2023-30); six cyber shields from citizen to global; offensive capability via ASD/ASIS; Pacific partnerships; approach: partnership + Pacific focus; lead bodies: ASD + ACSC
US National Cyber Strategy -- Five Pillars
(1) Defend critical infrastructure -- minimum security requirements for CI sectors. (2) Disrupt and dismantle threat actors -- use all instruments of national power. (3) Shape market forces to drive security and resilience -- shift liability to software vendors. (4) Invest in a resilient future -- secure the technical foundations of the internet. (5) Forge international partnerships -- build coalitions for responsible state behavior. The 2023 strategy marks a fundamental shift: the US government is moving from voluntary to mandatory security requirements.
Slide 5 of 14
Cyber Warfare and State-Sponsored Attacks
Attribution challenges, proportional response, and the blurred line between espionage, sabotage, and acts of war.
ATTRIBUTION CHAIN -- FROM MALWARE TO NATION-STATE
MALWARE -- Code analysis, TTPs, signatures -- HIGH CONFIDENCE
INFRA -- C2 servers, proxies, VPNs, botnets -- MODERATE CONFIDENCE
OPERATORS -- APT groups, teams, behavioral patterns -- MODERATE CONFIDENCE
SPONSORS -- Intelligence agency, military unit -- LOW CONFIDENCE
NATION -- Political decision to authorize -- LOWEST CONFIDENCE
Layers: TECHNICAL (high certainty) -> OPERATIONAL (moderate certainty) -> POLITICAL (low certainty)
Attribution confidence degrades as you move from technical artifacts to political responsibility
Attribution Challenges
Attackers use false flags (Olympic Destroyer planted Russian code to frame North Korea), compromised infrastructure in third countries, and outsourcing to criminal proxies. The Volt Typhoon campaign (China) lived entirely off legitimate tools -- no custom malware to fingerprint. Technical attribution is science; political attribution is policy.
Proportional Response
International law requires that responses to hostile acts be proportional. But how do you calibrate proportionality when a cyberattack's effects are ambiguous? The US response to SolarWinds (sanctions, diplomatic expulsions) was deliberately restrained. Israel's response to an Iranian attempt to poison its water supply in 2020 was a retaliatory cyberattack on an Iranian port.
Major State Actors
Russia: SolarWinds, NotPetya, Ukraine grid attacks. China: Volt Typhoon (CI pre-positioning), APT10 (IP theft). North Korea: Lazarus Group (financial theft, $1.5B+ stolen). Iran: Shamoon (Saudi Aramco wiper), Albanian government attacks. Each nation has different objectives: Russia destabilizes, China steals, North Korea funds, Iran retaliates.
The Gray Zone Problem
Most state-sponsored cyber operations fall below the threshold of armed conflict -- espionage, intellectual property theft, election interference, pre-positioning in CI networks. This "gray zone" is deliberate: it allows aggressors to impose costs on adversaries without triggering a military response. International law has no clear rules for this space, which is exactly why states operate there.
Slide 6 of 14
Tallinn Manual and International Law in Cyberspace
The most comprehensive academic analysis of how existing international law applies to cyber operations -- and its limits.
Tallinn Manual 1.0 (2013)
Focused on the law of armed conflict (jus ad bellum and jus in bello) applied to cyber warfare. Written by an international group of legal scholars at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Key finding: existing international law -- including the UN Charter's prohibition on the use of force -- applies to cyberspace. A cyberattack that causes physical destruction or death can constitute an armed attack under Article 51, triggering the right of self-defense.
Tallinn Manual 2.0 (2017)
Expanded to cover peacetime cyber operations -- the gray zone where most state-sponsored activity occurs. Addressed sovereignty, due diligence, jurisdiction, international human rights law, and the law of the sea and air as they apply to cyber. Key principle: a state that knowingly allows its territory to be used for hostile cyber operations against another state violates its due diligence obligation. Non-binding, but the most authoritative legal reference for state practice.
Sovereignty
A state's sovereignty extends to cyber infrastructure within its territory and to cyber operations conducted from its territory. Remotely causing effects within another state's territory may violate sovereignty -- but the threshold is debated. Russia and China reject the idea that sovereignty alone creates binding legal obligations in cyberspace.
Use of Force
Article 2(4) of the UN Charter prohibits the use of force. A cyber operation rises to "use of force" when its scale and effects are comparable to a kinetic attack. Stuxnet (physical destruction of centrifuges) likely qualifies. Espionage (even massive) does not. The Schmitt Analysis evaluates severity, immediacy, directness, invasiveness, measurability, military character, state involvement, and presumptive legality.
Jus ad Bellum
The right to go to war. Article 51 permits self-defense in response to an "armed attack." If a cyberattack constitutes an armed attack (physical destruction, casualties), the victim state may respond with proportional force -- including kinetic force. But anticipatory self-defense against imminent cyber threats raises temporal questions: by the time you detect a cyber operation, the damage may already be done.
Limitations
The Tallinn Manual is not a treaty -- it is an academic analysis with no binding legal authority. Major cyber powers (US, China, Russia) have not endorsed it. Its conclusions depend on analogies between cyber and kinetic operations that adversaries may reject. And its coverage of AI-driven autonomous cyber operations -- which did not exist when it was written -- is minimal. The manual describes the law as scholars believe it is, not necessarily as states practice it.
Slide 7 of 14
Internet Governance
ICANN, IGF, ITU -- competing institutions, competing visions of who controls the global network.
INTERNET GOVERNANCE MODELS
MULTISTAKEHOLDER MODEL -- US, EU, Japan, Brazil, India (shifting)
Governments: policy, regulation | Private sector: infrastructure, innovation | Civil society: rights, access, equity | Technical community: standards, protocols
Institutions: ICANN (DNS/IPs), IGF (dialogue), IETF (protocols), W3C (web standards)
VS
SOVEREIGN MODEL -- China, Russia, Iran, Saudi Arabia
State: national firewall (content filtering, censorship) | ITU as authority (state-to-state governance) | Data localization (all data stays in-country) | Domestic platforms (replace foreign services)
ICANN
Internet Corporation for Assigned Names and Numbers. Manages the DNS root zone, IP address allocation, and protocol parameters. Transitioned from US government oversight (NTIA) to a multistakeholder model in 2016. The IANA transition was a flashpoint -- critics argued the US gave up control of the internet's addressing system. Supporters argued it was never US property to keep.
IGF
Internet Governance Forum. A UN-convened multistakeholder platform for policy dialogue on internet issues. No binding decision-making authority -- purely deliberative. Created by the 2005 World Summit on the Information Society (WSIS). Annual meetings produce no treaties but shape the global conversation on digital rights, access, cybersecurity, and governance.
ITU
International Telecommunication Union. UN specialized agency. China and Russia have pushed to give the ITU authority over internet governance -- replacing the multistakeholder model with a state-centric treaty-based model. The 2012 World Conference on International Telecommunications (WCIT) split: 89 nations signed a new treaty expanding ITU authority; 55 (including the US and EU) refused. The internet governance battle is a proxy for broader geopolitical competition.
Slide 8 of 14
Data Sovereignty
GDPR transfers, Schrems II, data localization mandates, and the CLOUD Act -- the legal battle over where data lives and who can access it.
CROSS-BORDER DATA TRANSFER FLOW
EU DATA -- Personal data, GDPR protected
-> TRANSFER MECHANISMS -- SCCs (Standard Contractual Clauses), BCRs (Binding Corporate Rules), Adequacy Decisions + Transfer Impact Assessment
-> SCHREMS II -- Privacy Shield INVALIDATED July 2020
-> US SERVER -- AWS/Azure/GCP; FISA 702 access risk; CLOUD ACT: US can compel data stored anywhere
EU-US DATA PRIVACY FRAMEWORK (2023) -- New adequacy decision replaces Privacy Shield | Executive Order 14086
Schrems III challenge expected -- sustainability of DPF remains uncertain
Schrems II Impact
Max Schrems, an Austrian privacy activist, challenged Facebook's transfer of EU personal data to the US. The CJEU invalidated the EU-US Privacy Shield in July 2020, finding that US surveillance laws (FISA Section 702, EO 12333) did not provide adequate protection for EU data subjects. The ruling affected 5,000+ companies relying on Privacy Shield. Organizations scrambled to implement SCCs with supplementary measures -- but the CJEU suggested that even SCCs may be insufficient if the destination country's surveillance laws override contractual protections.
Data Localization Laws
Russia (Federal Law 242-FZ): personal data of Russian citizens must be stored on servers physically located in Russia. LinkedIn was blocked for non-compliance. China (PIPL/DSL): critical information infrastructure operators must store data in China; cross-border transfers require security assessments. India (DPDP Act 2023): allows transfers to approved countries but reserves the right to restrict. Vietnam, Indonesia, Nigeria, Turkey, and Saudi Arabia all have varying data localization requirements. The global trend is toward more restriction, not less.
The CLOUD Act Conflict
The US CLOUD Act (2018) allows US law enforcement to compel US-based tech companies to produce data regardless of where that data is physically stored. This directly conflicts with data localization laws and GDPR: if Microsoft stores EU data in Ireland, the US can demand it while the EU prohibits disclosure. Executive agreements between the US and partner nations (UK agreement signed 2022) attempt to resolve this, but the fundamental conflict between extraterritorial jurisdiction and data sovereignty remains unresolved.
Slide 9 of 14
Technological Sovereignty
5G and the Huawei debate, semiconductors and the CHIPS Act, cloud independence and GAIA-X -- the race to own the stack.
TECHNOLOGY SOVEREIGNTY -- SUPPLY CHAIN LAYERS
CHIPS (fabrication) -- TSMC, Taiwan (54%); Samsung, S. Korea (17%); Intel, US (10%); SMIC, China (6%) -- policy response: CHIPS Act ($52B), US reshoring
5G/NET (infrastructure) -- Ericsson, Sweden; Nokia, Finland; Samsung, S. Korea; Huawei, China (BANNED) -- policy response: Open RAN push, vendor diversity
CLOUD (services) -- AWS, US (31%); Azure, US (25%); GCP, US (11%); Alibaba, China (4%) -- policy response: GAIA-X, EU sovereignty cloud
The Huawei Debate
The US banned Huawei from 5G networks citing national security risks -- alleged backdoors and Chinese intelligence law requiring cooperation with state agencies. The UK reversed its initial approval. The EU left it to member states. The debate exposed a fundamental tension: Huawei equipment was cheaper and arguably more advanced, but deploying it in CI creates a dependency on a potential adversary's technology.
CHIPS Act
The US CHIPS and Science Act (2022) provides $52.7 billion in subsidies and tax credits to incentivize domestic semiconductor manufacturing. Driven by the realization that 92% of advanced chip fabrication occurs in Taiwan -- a single point of failure adjacent to an assertive China. TSMC, Samsung, and Intel are building US fabs. The EU Chips Act provides EUR 43 billion for similar goals. The semiconductor supply chain is now a national security priority.
GAIA-X
A European initiative to build a federated cloud infrastructure that ensures data sovereignty, transparency, and interoperability. Born from frustration with dependence on US hyperscalers (AWS, Azure, GCP) and the CLOUD Act's extraterritorial reach. Progress has been slow -- critics say it is more vision than product. France's "trusted cloud" label and Germany's Sovereign Cloud Stack are national implementations. The goal: European data processed on European infrastructure under European law.
Slide 10 of 14
Election Security
Disinformation, foreign interference, and the infrastructure that underpins democratic legitimacy.
Disinformation Operations
Russia's Internet Research Agency (IRA) ran coordinated influence campaigns targeting the 2016 US election -- creating fake social media personas, organizing real-world rallies, and amplifying divisive content. The goal was not to elect a specific candidate but to erode trust in democratic institutions. Similar operations targeted the 2017 French election (Macron leaks), 2016 Brexit referendum, and elections across Europe, Africa, and Latin America. Deepfake technology is making detection exponentially harder.
Infrastructure Attacks
Election infrastructure includes voter registration databases, electronic poll books, voting machines, vote tabulation systems, and results-reporting websites. In 2016, Russian actors scanned election systems in all 50 US states and breached voter registration databases in at least two. The 2020 election saw unprecedented defensive measures: paper ballot trails, post-election audits, CISA's #Protect2020 initiative, and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC).
Technical Defenses
Voter-verified paper audit trails (VVPAT), risk-limiting audits (RLA), air-gapped tabulation systems, multi-factor authentication for election officials, and physical chain-of-custody for ballots. The US Election Assistance Commission (EAC) certifies voting systems. CISA provides free vulnerability assessments to election jurisdictions. But 10,000+ local election offices create a massive attack surface.
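The risk-limiting audit named in the defenses above is a statistical procedure, and the slide does not show how it bounds risk. The block below is an added worked example, not code from the deck or from any election authority: it implements the BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) for a two-candidate contest. Ballots are drawn at random and hand-read; the test statistic T grows with each ballot that agrees with the reported winner and shrinks with each that does not, and the audit stops once T reaches 1/risk_limit. If the reported outcome is wrong, T drifts downward and the audit escalates to a full hand count. The candidate names, ballot counts, reported shares and the fixed random seed are all constructed for the example; a real audit draws its seed from a public dice roll.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

Added illustration with constructed data. The risk limit is the maximum
probability that the audit confirms a wrong reported outcome without
escalating to a full hand count.
"""
import random


def bravo_statistic(sample, winner, loser, reported_share, start=1.0):
    """Update the BRAVO test statistic T over a sequence of hand-read ballots.

    reported_share is the reported winner's share of the winner+loser votes
    in the machine tally and must exceed 0.5. Ballots for neither candidate
    (undervotes, third candidates) leave T unchanged.
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported_share must be in (0.5, 1.0)")
    t = start
    for ballot in sample:
        if ballot == winner:
            t *= reported_share / 0.5       # evidence for the reported outcome
        elif ballot == loser:
            t *= (1.0 - reported_share) / 0.5  # evidence against it
    return t


def run_bravo_audit(ballots, winner, loser, reported_share, risk_limit=0.05, seed=0):
    """Draw ballots with replacement until T >= 1/risk_limit, or escalate.

    Returns (outcome, draws, final_t) where outcome is "confirmed" when the
    statistic crossed the threshold and "full_count" when the number of
    draws reached the ballot count without doing so.
    """
    # Fixed seed so the example is reproducible; real audits use a public seed.
    rng = random.Random(seed)
    threshold = 1.0 / risk_limit
    t = 1.0
    for draws in range(1, len(ballots) + 1):
        ballot = rng.choice(ballots)
        t = bravo_statistic([ballot], winner, loser, reported_share, start=t)
        if t >= threshold:
            return "confirmed", draws, t
    return "full_count", len(ballots), t


def make_ballots(winner_votes, loser_votes, other_votes=0, winner="A", loser="B"):
    """Constructed pile of physical ballots: the true, hand-readable votes."""
    return [winner] * winner_votes + [loser] * loser_votes + ["other"] * other_votes


if __name__ == "__main__":
    reported = 0.60  # constructed: the machine count reports A with 60% of A/B votes

    # Case 1: the count was correct (A really has 600 of 1000 ballots).
    honest = make_ballots(600, 400)
    print("correct outcome:", run_bravo_audit(honest, "A", "B", reported))

    # Case 2: the count was wrong (A actually has only 400 of 1000 ballots).
    wrong = make_ballots(400, 600)
    print("wrong outcome:  ", run_bravo_audit(wrong, "A", "B", reported))
```

With a 60/40 reported result and a 5% risk limit, the correct-outcome case typically confirms after a sample of around 150 ballots rather than a recount of all 1000, while the wrong-outcome case never reaches the threshold and escalates; that asymmetry, early stopping when the result is right and a guaranteed full count when it is not, is what makes the audit risk-limiting.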
Legal Framework
Election infrastructure was designated as critical infrastructure in 2017 (GCC/SCC structure). The Honest Ads Act (proposed) would regulate online political advertising. Section 230 shields platforms from liability for hosting disinformation. International law is ambiguous -- the Tallinn Manual's sovereignty principle suggests foreign interference violates sovereignty, but enforcement is effectively impossible.
The Perception Problem
The greatest threat to election security may not be actual vote manipulation but the perception that votes can be manipulated. If citizens lose trust in election outcomes, democracy is undermined regardless of whether the count is accurate. Transparency, auditability, and public education are as important as technical security. The "big lie" phenomenon demonstrates that perception can detach entirely from technical reality.
Global Pattern
Election interference is not unique to the US. Russia targeted Ukraine's 2014 election with a vote-counting system hack. China was linked to interference in Taiwan's 2020 election. Iran targeted the 2020 US election with voter intimidation emails. The pattern is consistent: adversary nations target elections because democracies are uniquely vulnerable to legitimacy attacks. An authoritarian regime does not need to worry about public trust in its election outcomes.
Slide 11 of 14
Emerging Challenges
AI governance, quantum computing, space cybersecurity, digital currencies -- the frontiers that will define the next decade.
EMERGING CHALLENGE RADAR (horizons: 2025-27, 2028-30, 2031-35+)
AI GOVERNANCE -- EU AI Act live 2025; autonomous weapons debate
QUANTUM COMPUTING -- Cryptographic collapse: RSA/ECC broken by 2030s
SPACE CYBER -- Satellite CI growing; GPS, comms, ISR at risk
DIGITAL CURRENCIES -- CBDCs vs crypto; financial surveillance
AI Governance
The EU AI Act (2024) creates a risk-based regulatory framework. The US relies on executive orders and sectoral guidance. China requires algorithm registration and content labeling. Key cybersecurity questions: who is liable when AI generates malware? Can autonomous cyber defense systems make targeting decisions without human oversight? The weaponization of AI for social engineering, vulnerability discovery, and adaptive malware is already happening. Governance is trailing capability by years.
Quantum Computing
A cryptographically relevant quantum computer (CRQC) would break RSA, ECC, and Diffie-Hellman -- the foundations of internet security. NIST finalized post-quantum cryptography (PQC) standards in 2024 (CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+). The "harvest now, decrypt later" threat is already real: adversaries are collecting encrypted data today to decrypt when quantum computers mature. Migration timelines: 10-15 years for full PQC adoption across global infrastructure.
Space Cybersecurity
Satellites are critical infrastructure for GPS, communications, weather, and military ISR. The 2022 Viasat hack (KA-SAT) at the start of the Ukraine invasion disrupted European satellite communications. Most satellite protocols lack encryption. Space systems have 15-20 year lifespans with minimal update capability. The Artemis Accords and the UN Committee on the Peaceful Uses of Outer Space (COPUOS) have no binding cybersecurity provisions for space assets.
Digital Currencies
Central bank digital currencies (CBDCs) could give governments unprecedented visibility into financial transactions -- a surveillance tool or a transparency mechanism depending on perspective. China's digital yuan is operational. The EU's digital euro is in development. Cryptocurrency enables ransomware payments, sanctions evasion (North Korea's Lazarus Group), and money laundering. The policy tension: enabling innovation versus preventing financial cybercrime.
Slide 12 of 14
The Future: Global Cyber Norms
Paris Call, cyber peacekeeping, digital Geneva Convention -- the search for rules in an ungoverned domain.
GLOBAL CYBER NORMS TIMELINE
2013 -- UN GGE: international law applies to cyberspace
2015 -- UN GGE Norms: 11 voluntary norms for state behavior
2017 -- Tallinn 2.0: peacetime cyber ops + sovereignty
2018 -- Paris Call: 80+ nations, 700+ orgs signed
2021 -- UN OEWG: all UN members consensus report
2024+ -- UN Cybercrime Convention + Digital Geneva proposals
CONSENSUS ACHIEVED -- ENFORCEMENT GAP REMAINS
Paris Call for Trust and Security
Launched by France in 2018, the Paris Call is a multistakeholder initiative with 80+ national governments and 700+ organizations committed to nine principles: protecting the electoral process, defending intellectual property, preventing ICT-enabled attacks on CI, securing the "public core" of the internet, preventing proliferation of cyber weapons, strengthening digital hygiene, preventing private hack-back, promoting norms, and protecting the integrity of the supply chain. Notable absences: the US (until 2021), Russia, and China.
Digital Geneva Convention
Proposed by Microsoft's Brad Smith in 2017, the concept calls for a binding international treaty establishing norms for state behavior in cyberspace -- modeled on the Geneva Conventions that govern armed conflict. Proposed commitments: no targeting CI, no stockpiling vulnerabilities, no offensive operations against election systems, attribution through an independent body. Critics argue it is unenforceable -- no verification mechanism, no penalties, and the nations most likely to violate it are the ones least likely to sign.
Cyber Peacekeeping
An emerging concept: international organizations deploying cyber incident response teams to conflict zones, monitoring ceasefires in cyberspace, and providing neutral forensic analysis after attacks. The UN's ICT for Peace foundation has explored this. Challenges include the lack of "ceasefire lines" in cyberspace, the speed of cyber operations versus diplomatic timelines, and the question of who staffs and funds a cyber peacekeeping force.
UN GGE vs OEWG
Two parallel UN processes: the Group of Governmental Experts (GGE, 25 members, consensus-based) and the Open-Ended Working Group (OEWG, all UN members). The GGE produced the foundational 2013 and 2015 reports. The OEWG was proposed by Russia as an alternative -- critics saw it as an attempt to dilute Western influence. Both processes now affirm that international law applies to cyberspace, but disagree on how. The OEWG continues through 2025.
The Enforcement Problem
Norms without enforcement are aspirational documents. The 2015 UN GGE norms prohibit attacks on CI during peacetime -- yet Russia attacked Ukraine's power grid that same year. Attribution challenges, lack of penalties, and great power vetoes at the UN Security Council make enforcement nearly impossible. The result: a growing body of agreed norms that major cyber powers routinely violate.
Slide 13 of 14
Key Takeaways
01 Digital sovereignty extends Westphalian sovereignty into cyberspace -- the claim that nations have the right to control data, technology, and internet governance within their borders. Three pillars: data sovereignty, technological independence, and internet governance models. The spectrum runs from open internet to sovereign internet, and the global trend is toward more state control.
02 16 critical infrastructure sectors underpin national security -- designated by PPD-21 and coordinated by CISA. Interdependencies between sectors create cascading failure risks. Colonial Pipeline demonstrated how a single ransomware attack on one sector can cascade into transportation, emergency services, and public order across an entire region.
03 National cybersecurity strategies reflect political systems -- the US shifts liability to vendors, the EU regulates through NIS2 and the Cyber Solidarity Act, China mandates state control and self-reliance, Israel integrates military-civilian talent pipelines, and Australia builds Pacific partnerships. The 2023 US National Cyber Strategy marks a shift from voluntary to mandatory security requirements.
04 Attribution is the central problem of cyber warfare -- confidence degrades as you move from technical artifacts to political responsibility. The gray zone below the threshold of armed conflict is where most state-sponsored operations occur. International law has no clear rules for espionage, IP theft, or CI pre-positioning that falls short of armed attack.
05 The Tallinn Manual is the most authoritative legal analysis of how international law applies to cyberspace -- but it is not binding. It establishes that sovereignty, use of force, and self-defense principles apply to cyber operations. Major cyber powers have not endorsed it, and its coverage of AI-driven operations is minimal.
06 Data sovereignty creates a three-way collision between GDPR extraterritorial reach, the US CLOUD Act's global data access claims, and national data localization mandates. Schrems II invalidated the EU-US Privacy Shield. The EU-US Data Privacy Framework (2023) is a temporary fix -- a Schrems III challenge is expected.
07 Technological sovereignty is a supply chain security problem -- semiconductor fabrication concentrated in Taiwan (TSMC 54%), 5G infrastructure dependent on a handful of vendors, and cloud services dominated by US hyperscalers. The CHIPS Act, GAIA-X, and Open RAN are policy responses to strategic dependency.
08 Global cyber norms are growing but unenforceable -- the Paris Call, UN GGE/OEWG consensus reports, and Digital Geneva Convention proposals all point toward agreed rules of behavior. The enforcement gap is the fundamental problem: norms that major powers routinely violate are aspirational, not operational.
The Bottom Line
Digital sovereignty is the defining geopolitical issue of the next decade. Every cybersecurity professional must understand the intersection of technology, law, and politics that shapes this landscape. The questions are not abstract -- they determine where data is stored, who can access it, which vendors build national infrastructure, how nations respond to cyber attacks, and whether the internet remains a global commons or fragments into sovereign enclaves. The answers will be written by the generation entering the field now.
Slide 14 of 14  |  Complete