The Internet is founded on the ideal of a global, open cooperation of networks, allowing individuals and companies to freely provide services, consume content, and do business anywhere in the world.
In its early days, this digital utopia seemed possible. However, in recent years, the explosion in the amount of Internet data, in addition to global political incidents, has shaken the “completely open” model.
We are now witnessing a splintering of the Internet, as nations assert more control over their digital borders. This movement is reshaping how services are produced and consumed, with a growing emphasis on national security and risk management. Governments are increasingly looking to keep digital services close to home, creating a more compartmentalized Internet.
The Main Force Behind Splintering is the Nation-State
Historically, countries have had near total control over their own territory and citizens. However, the open nature of the Internet challenges this sovereignty along two axes.
Along one axis, citizens and companies may be involved in actions that are illegal or unwanted by the government, such as immoral activities, planning of anti-governmental actions, spreading of misinformation, exam cheating, or tax evasion.
Along another axis, a country’s citizens, businesses, and government depend on digital services, and there is a growing concern about the risks of not having full ownership and control of these resources.
This risk is not unfounded. In 2022, following the Russian military actions towards Ukraine, the Ukrainian government requested that Russia be forcefully disconnected from the Internet.
Other outages have also been observed, caused by digital border control, fiber cuts, and other unplanned events. Many of these have the effect of splitting the Internet at country borders, and a strong dependency on international services may render national digital services inoperable during such events.
To understand how self-sufficient countries are in the Internet sphere, we conducted research using a few key indicators.
Measuring Internet Trust Between Countries
Most countries do not have complete self-sufficiency, so they need to trust other countries to handle some of their services securely.
As a proxy for Internet trust, we used the geographic locations of the IP addresses that host websites, using data from the Tranco 1M list. We then applied the Louvain algorithm to identify mutual relationships between countries and clusters of mutual trust. The results were as anticipated.
In Figure 1, many countries have a large part of their Internet domains hosted in their own territory (green), while some smaller countries are completely dependent on their larger allies (red).
An interesting observation is that Iran, an increasingly isolated country, still records a median number of outsourced domains. The likely explanation is that political changes take time to be reflected in Internet trust.
Figure 2 shows that clusters of mutual trust exist where we would expect. Interestingly, we see stronger ties between the large European states (United Kingdom, Germany, France, and Russia) and their former colonies than we see internally in the EU.
If we zoom into the “pan Slavic” cluster (Figure 3), we can see it excludes some expected members, namely Russia, Belarus, and Romania.
Likewise, the Latin American cluster (Figure 4) shows that Cuba is outside the mutual trust.
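The measurement described in this section, sketched as an added example (not the study's own code): it computes each country's self-hosted share and then groups countries by mutual hosting. The domain counts are constructed, assigning a domain to a country by ccTLD and weighting a tie by the smaller of the two directed shares are assumptions, and only Louvain's first (local-moving) phase is implemented, without the aggregation phase.

```python
from collections import Counter, defaultdict

# Constructed sample: domain counts per owner country -> hosting country (owner = ccTLD, assumed).
CONSTRUCTED = {"NO": {"NO": 5, "SE": 3, "BR": 1, "US": 1},
               "SE": {"SE": 5, "NO": 3, "US": 2},
               "BR": {"BR": 5, "AR": 3, "NO": 1, "US": 1},
               "AR": {"AR": 4, "BR": 4, "US": 2}, "US": {"US": 10}}

def hosting_shares(counts):
    """share[a][b] = fraction of country a's domains hosted in country b."""
    return {a: {b: n / sum(h.values()) for b, n in h.items()} for a, h in counts.items()}

def mutual_trust(share):
    """Undirected edge weight: the smaller of the two directed shares (assumed)."""
    w = {(a, b): min(share[a].get(b, 0.0), share[b].get(a, 0.0))
         for a in share for b in share if a < b}
    return {edge: x for edge, x in w.items() if x > 0}

def local_moving(nodes, w):
    """Louvain phase 1: move each node to the community with the best modularity gain."""
    adj = defaultdict(dict)
    for (a, b), x in w.items():
        adj[a][b] = adj[b][a] = x
    deg = {n: sum(adj[n].values()) for n in nodes}
    m2 = sum(deg.values()) or 1.0          # 2m in the modularity formula
    comm, tot, moved = {n: n for n in nodes}, dict(deg), True
    while moved:
        moved = False
        for n in sorted(nodes):
            old = comm[n]
            tot[old] -= deg[n]             # take n out of its community
            links = Counter()
            for nb, x in adj[n].items():
                links[comm[nb]] += x
            best, best_gain = old, links[old] - tot[old] * deg[n] / m2
            for c, k in sorted(links.items()):
                gain = k - tot[c] * deg[n] / m2
                if gain > best_gain + 1e-12:
                    best, best_gain = c, gain
            comm[n] = best
            tot[best] += deg[n]
            moved = moved or best != old
    return sorted(sorted(n for n in nodes if comm[n] == c) for c in set(comm.values()))

def analyse(counts):
    share = hosting_shares(counts)
    self_hosted = {a: s.get(a, 0.0) for a, s in share.items()}   # Figure 1 style share
    return self_hosted, local_moving(share, mutual_trust(share))

print(analyse(CONSTRUCTED))
```

In the constructed data the weak NO-BR tie is not enough to merge the two regional pairs, and a country that hosts only at home ends up in a cluster of its own.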
Certificate Authorities Show Concentration of Trust
We see a very different world when we focus on another critical commodity, certificate authorities (CAs).
CAs are the backbone of online security, providing the trust anchors for the TLS/SSL certificates that keep our web communications secure. A breakdown of this system could render all digital secure services useless.
The vendors of Internet browsers have the authority to trust any CAs that they deem useful. In practice, the CA/Browser Forum (Cabforum) is a voluntary forum for certificate issuers and certificate consumers. The CAs have the power to revoke any certificate, which creates a risk of revocation by error and by ill intent. Recently, there was a significant change in European law (known as eIDAS legislation), which now requires web browsers to trust all digital certificate issuers approved under a specific European system. This new system has been criticized for “forced trust” of CAs that are not up to trustworthy standards.
A small number of multinational companies dominate the market for globally trusted TLS/SSL server certificates. While 35 countries across all continents (except South America) have national root CAs, a staggering 99.4% of all domains rely on CAs from just three countries: the USA (81.8%), Ireland (16.6%), and Belgium (1.0%).
Internet Trust is Not Random
Internet trust relationships follow the same pattern as traditional trade and trust and are subject to explicit or implicit risk evaluation.
However, there is a glaring oversight in how we handle CA risks. The dominance of just a few countries in the CA market leaves national security vulnerable, and it’s clear that more needs to be done to mitigate this and other market concentration risks.
Jan Marius Evang is a research engineer at the Center for Resilient Networks and Applications at Simula Metropolitan Center for Digital Engineering and a 2024 Pulse Research Fellow.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.