Duoyi Network (多益网络): The Future of Cybersecurity and the Intensifying Battle over Information Control

2023-11-19

Duoyi Network

Over two decades ago, Alphabet CEO Eric Schmidt noted, “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.”

This ongoing experiment in internet anarchy is at an inflection point. Significant technological shifts such as 5G, artificial intelligence, and the internet of things offer great potential for ground-breaking societal innovations. At the same time, these same technologies enable governments across the globe to seek complete information and societal control within their borders through internet sovereignty.

The future of the internet, and therefore of cybersecurity, is at a critical juncture. The battle over information control is already in full gear. Bots now comprise over half of internet traffic, and deep fakes and voice mimicry will augment disinformation campaigns and foment chaos. Data compromises continue to top previous records. A proliferation of attackers, tactics, and techniques continues to transform the threat landscape, and no target is off limits. Data integrity is at risk as disinformation campaigns seek to influence hearts and minds across the globe, while automation and artificial intelligence enable both global reach and tactical precision.

To manage this risk, the global regulatory landscape is further altering the risk calculus. Within this chaotic and rapidly changing environment, a Balkanization of the internet, or Splinternet, is emerging based on two dominant frameworks: digital authoritarianism and an emerging democratic blueprint. As Amy Zegart recently noted, Team Autocrat is winning. Before exploring a counterweight to this trend, and looking at the innovative opportunities ahead, it is essential to first understand the core components of digital authoritarianism and its impact in restructuring cybersecurity and the future of the internet.

Digital Authoritarianism: The Playbook

While it is a common refrain that policy, law, and ethics lag behind technology, this is not necessarily the case for authoritarian regimes. Freedom House recently highlighted this diffusion of digital authoritarianism as the core threat to internet freedom, with direct implications for fundamental human rights and conflict globally. The authoritarian playbook is a holistic cyber strategy that marries cyber attacks, disinformation, and automation and machine learning. While each of these is often treated as an independent silo, together they comprise the digital authoritarian playbook, which is increasingly adopted by both state and non-state actors. This playbook — with bots, trolls, and warriors as its leading cast of characters — is already contributing to global instability and significant power shifts, and will do so for the foreseeable future with even more profound impact as it proliferates.

Cyber Warriors

The first main characters in the authoritarian playbook are cyber warriors — experts in computer network exploitation. The growing reach and impact of cyber attacks is thanks in large part to a proliferation of these attackers and their capabilities.

While most rightfully think of China, Great Britain, Iran, Israel, North Korea, Russia, and the U.S. as having either the most sophisticated or most prolific cyber warriors, a growing number of governments are getting into the action as well, often targeting domestic populations and corporations. For instance, a spyware campaign has been linked to the Mexican government as part of an effort targeting journalists and NGOs. Groups linked to the Vietnamese government have similarly been accused of carrying out attacks against companies, journalists, and foreign governments, including in Germany, the U.S., and China. Sudan has the Electronic Jihad group, ostensibly to counter ISIS (including by hacking WhatsApp), but its activity extends to broader domestic computer and cell phone surveillance of government dissidents. Nor is Sudan unique in Africa: from Ethiopia to Gambia, many more countries are similarly leveraging the internet for surveillance.

Each of these cases is symptomatic of the growth of smaller countries leveraging cyber espionage and digital offense against both economic and national security rivals. Importantly, authoritarian governments do not have the monopoly on this playbook, with the private sector adopting some of the practices, and even offering these interference tactics as a service.

At the same time, anti-government cyber warriors are pushing back, such as Venezuela’s Binary Guardians, who have attacked government sites. Ukraine’s RUH8 — roo hate — is indicative of Ukrainian hacktivists or patriotic hackers digitally countering the range of Russian digital attacks. These groups are indicative of the growth of non-state cyber warriors, which will only continue to expand into the future. From terrorist groups with mainly ideological objectives, to criminal groups seeking financial gain and profit, to the mercenaries who are funded by nation-states for geopolitical gain, technology is shifting power structures. Thanks to the asymmetric nature of cyber attacks, actors with limited resources can have an outsized impact.

Whether state or non-state actors, cyber warriors have a growing range of tools and tactics at their disposal. They deploy the same tried-and-true techniques such as phishing, malware, and various exploit kits, but ransomware continues to wreak havoc, especially for cities. Cryptomining attacks, in which attackers hijack a computer to mine cryptocurrencies, skyrocketed in 2018 and illustrate the vulnerabilities in these new digital currencies. Wiper malware has also increasingly become a warrior favorite, and reflects the evolution from reconnaissance to more destructive objectives. In short, there is no one-size-fits-all, and thanks to the proliferation of open source capabilities — such as through the Shadow Brokers and Vault 7 dumps — the number of open source tools and exploits available to both state and non-state cyber warriors is only growing.

Trolls

While warriors focus on compromising machines, trolls focus on compromising hearts and minds, and they are similarly proliferating across the globe. The Russian trolls of the Internet Research Agency are well-known and discussed in the U.S., but their reach extends at least across Europe as well. They aim to augment societal tension and instability to the advantage of the Russian government through a combination of state-owned media and social media outlets. But they aren’t the only ones. China also has the Fifty Cent Army of government-affiliated workers pushing forth positive narratives about the government, and the United Front Group spreading disinformation favoring Chinese strategic objectives. China has also learned from Russian election interference, and has similarly targeted elections overseas, including in Cambodia and Taiwan.

Other governments are quickly adapting these techniques as well. Turkey’s AK Trolls, the social media team affiliated with the ruling Justice and Development party, focus on drowning out critiques of the government, often in conjunction with bots. Rodrigo Duterte, president of the Philippines, has a keyboard army aimed at spreading propaganda and drowning out critics of the government. Iran, more often discussed for its cyber troops than its troll armies, has been connected to global disinformation campaigns, including creating fake personas who target corporate executives in critical industries in the Middle East, U.S., and Europe.

The creation of fake personas or accounts is just one of many tactics deployed by trolls. Another favorite troll tactic is astroturfing — replacing negative narratives about the government with positive ones that seem to come from grassroots sources — which results in a distinct form of censorship of legitimate information. In contrast, disinformation, the practice of deliberately spreading false information to deceive, is the most commonly discussed tactic. Another favorite tactic is computational propaganda, which refers to the use of algorithms, automation, and human curation to purposefully distribute misleading information over social media networks. We’ve seen prominent examples of each of these, ranging from praising the government or censoring dissent during catastrophes, to using false information to justify the use of force, to undermining the media as a direct affront to democracy.

Bots

Of course, disinformation and espionage existed before the internet, so it’s no surprise that even more sophisticated versions exist in the virtual world. The distinction now is the role of automation and the emerging applications of artificial intelligence (AI). For the purposes of the authoritarian playbook, bots serve as an umbrella term covering the implementation of automation, machine learning, and AI by trolls and warriors, and manifest in everything from DDoS to malvertising, to ransomware fueled by propagating worms, to social bots.

The reach of bots continues to expand significantly year over year. 2016’s Mirai botnet — a self-propagating botnet virus — impacted 400 thousand internet of things (IoT) devices such as webcams and routers and took down major social media sites, as well as internet access across sections of the East Coast. That attack paled in comparison to the recent targeted DDoS attack against GitHub, which clocked in at 1.35 terabits per second and exploited spoofed IPs, or BrickerBot, which impacted over ten million machines in 2017.

Bots also impact the reach of malvertising. The 2017 Great Fireball adware hijacked 250 million machines, including one in five corporate networks. A single individual can now run bot-powered malvertising campaigns that reach hundreds of millions of machines, while automation-powered ad fraud is expected to reach $44B by 2022.

Self-propagating worms, such as WannaCry, NotPetya, and BadRabbit, have also achieved global reach thanks to automation. NotPetya, a ransomware with a wiper malware component, was one of the most destructive attacks. It originally targeted Ukrainian infrastructure, but thanks to the self-propagation, companies across the globe became collateral damage, costing both FedEx and Merck upwards of $300M each. Their impact remains evident today. Several years after WannaCry affected hundreds of millions of machines, a million computers remain vulnerable.

The trolls similarly benefit from automation and machine learning as they target specific subsets of the population, generally through social media, to optimize the impact and achieve widespread reach. For instance, Russian-language bot activity targeting NATO exercises demonstrates the ability to integrate both tactical targeting and widespread automation. Ecuador has internalized this playbook as well, spending millions on malware and troll armies to foster pro-government narratives, reflecting the growing diffusion of this model.

Looking ahead, the playbook will increasingly integrate bots, trolls, and warriors to achieve an effect. Whether in the 2017 French election, the Qatar boycott, or the augmenting of Venezuelan instability, this playbook will only continue to innovate and achieve even more significant impact.

Legislating Information Control

While bots, trolls, and warriors remain foundational to the playbook, authoritarian regimes are also leveraging localized data laws to further control information flows within their borders. China’s Great Firewall, a term coined in 1997, is the most prominent example of a country’s attempt to control information and data flows within its borders. The Great Firewall aims to censor and control information within China’s borders through a combination of legislative policies and technical solutions, such as URL filtering that denies access to certain sites and the blocking of Virtual Private Networks (VPNs). It has sparked similar aspirations for internet autarky in Iran, Russia, and Venezuela.

Data localization — data storage within sovereign borders — is also a core contributor to a fractured global internet. By requiring data storage domestically and unrestricted data access, governments seek greater control over individuals and information within their borders. Increasingly, many of the new data localization policies (e.g., new laws in Vietnam and Thailand) fall under broader cybersecurity legislation that also involves elements of censorship, especially with regard to controlling anti-government rhetoric.

Many of these new data laws offer a glimpse into what’s coming over the next decade. For instance, Turkey has the Law on the Protection of Personal Data, which limits the transfer of personal data out of Turkey, requiring some local data storage. Iran similarly has local data storage requirements, as do a growing majority of countries across the globe, each with disparate requirements across a broad range of data localization approaches.

This is the new authoritarian playbook. Thanks to its diffusion, it is already significantly impacting economic growth, democracy, security, and innovation. The emergence of 5G, artificial intelligence, quantum computing, internet of things, and cloud computing will only add to this complexity. This emerging cybersecurity frontier comes with great challenges, but also great opportunities. Let’s now turn to what democracies can and are beginning to do to counter this playbook within this increasingly complex and dynamic regulatory and threat landscape.

An Emerging Democratic Blueprint for Security and Privacy

Democracies are playing catch-up when it comes to countering the authoritarian playbook. Senator Mark Warner (D-VA) noted, “We have failed to recognize that our adversaries are working with a totally different playbook… We are allowing other nations to write the playbook on cyber.” These points are echoed by Senator Ben Sasse (R-NE), who noted, “We don’t have a playbook. It’s time to draft one.”

While the United States debates how to counter this playbook, in 2018 the European Union took one of the most significant steps aimed at data protection. The European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, reaches beyond its borders to establish a democratic, if hotly debated, baseline for individual data security and privacy. While it takes a more prescriptive approach than the United States, it nonetheless reflects democratic norms that are absent from the authoritarian models.

The GDPR is a far-reaching data protection framework that impacts everything from marketing to artificial intelligence to breach notification. At a quick glance, the GDPR may seem equivalent to the data localization and sovereignty laws referenced with regard to the authoritarian playbook. Both do govern data access, in ways that differ by regulatory regime. However, there are (at least) two core distinctions. First, the GDPR does not require local storage. The EU was created to facilitate cross-border flows of capital, goods, and people, and that remains a motivating mission for cross-border digital flows as well. Local data storage would be anathema to this foundational objective. Instead, as described in Article 44, the GDPR requires data protections for the data of EU citizens, wherever it goes.

Second, they differ dramatically based on intent. The data localization laws of authoritarian regimes are often accompanied by data access requirements and are meant to empower governments with the ability to access any data within their borders. In contrast, the GDPR reflects the political and economic union of 28 democratic members, reinforcing some of the values and norms of individual freedoms, privacy, and human rights that are foundational to the EU.

With that objective in mind, the GDPR maintains a strong emphasis on individual data protections, which includes personally identifiable information (PII) but extends to content about an individual. Key data protection features within the GDPR include the right to erasure (aka the right to be forgotten), and the right for an individual to access their data and to rectify incorrect data.

In contrast, the United States has historically taken a light-touch regulatory approach, focusing attention on industries with greater perceived risks, and too often maintaining a reactive stance in managing the digital policy innovations from abroad. Many industries, such as healthcare and finance, have established sector-specific approaches to data protection and privacy, and even within those sectors there are distinct protocols that add further complexity to the patchwork of regulations. And absent a comprehensive national policy framework, various U.S. states are implementing their own data protection legislation.

However, this may soon change, as U.S. public opinion has shifted dramatically over the last year on data protection and privacy, with many favoring stricter regulation of the tech giants. This makes U.S. federal data privacy legislation increasingly likely within the decade, if not within the next few years. In fact, both political parties have recently introduced their own version of a federal privacy bill. If done well, a U.S. federal privacy framework could play a pivotal role in providing global leadership focused on protecting individual data rights and privacy, while prompting greater innovation. By elevating the role of privacy and data protection, the U.S. could reassert soft power and introduce a framework and aspirations for governments and populations across the globe. However, even if done well, a data protection law is not enough. More is needed, which is the topic of the final section.

A Socio-Technical Look at the Future of Cybersecurity

Looking ahead, cybersecurity will be equally impacted by technological innovation and by geopolitics. It is a socio-technical system and must be analyzed as such. Starting with technology, artificial intelligence will shape the new frontier and impact everything from IoT to nuclear defenses. This knowledge frontier will be further augmented by 5G and the rapid streaming of data of any size and type, as well as the ability of cloud computing to store these zettabytes of data. These are generally discussed in future forecasts of cybersecurity. Instead of reiterating these well-trodden areas, it is more useful to focus on three core areas that deserve additional attention: a growing emphasis on usable security and privacy, the emerging frontier of digital transformation, and the current fracturing of the worldwide web. This section will address each of these in turn.

Usable Security and Privacy

As an industry, cybersecurity lags behind other industries in the area of usability. The requirement to manage an endless list of complex passwords alone is proof that usability has been an afterthought for the industry. From new forms of authentication to more intuitive privacy settings, intuitive interfaces and responsiveness will be a driving factor in making security and privacy accessible to the masses.

As digital authoritarianism continues to spread to state and non-state actors, privacy will become a competitive advantage in the global marketplace, and usability will be core to this advantage. Corporations already attempt to ‘out-privacy’ each other, but this is often more talk than action currently. In the future, privacy prioritization will be essential to compete, thus instigating greater cyber security innovation, especially in the area of usability.

Trust but Verify

This new innovation is long overdue. The perimeter mindset — focused on firewalls, a static network environment, and external threats — remains all too common despite the growing attack surface and a business environment reliant on bring your own device (BYOD) and cloud computing. This is beginning to change toward a zero-trust approach, which adds verification layers based on granular and segmented privileges, and entails an overarching emphasis on persistent verification for access to data and folders or for lateral movement within a network. With a zero-trust mindset, security that travels with the object is essential, and this is already sparking innovative solutions that break the perimeter mindset mold.
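
To make the contrast above concrete, here is an added example (written for this edit, not code from the original article) that evaluates the same constructed access requests under a perimeter rule and under a zero-trust policy with per-resource grants, device posture, fresh verification and a cross-segment check that treats reaching a resource from the wrong segment as possible lateral movement. The users, segments, resource paths and re-verification windows are assumptions chosen for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_managed: bool   # False for a BYOD / unenrolled device
    src_segment: str       # network segment the request originates from
    resource: str          # object path, e.g. "finance/payroll.csv"
    action: str            # "read" or "write"
    mfa_age_min: int       # minutes since the user last completed strong auth


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything already inside the network is trusted."""
    return req.src_segment != "internet"


# Zero-trust model: explicit, granular grants per user and resource pattern
# (constructed sample policy).
GRANTS = {
    "alice": {"finance/*": {"read", "write"}},
    "bob":   {"engineering/*": {"read", "write"}, "finance/*": {"read"}},
}
# Segment each resource tree normally lives in (constructed).
RESOURCE_SEGMENT = {"finance/": "finance-net", "engineering/": "eng-net"}
MAX_MFA_AGE_MIN = 60        # routine re-verification window (assumed)
CROSS_SEGMENT_MFA_MIN = 10  # stricter window when crossing segments (assumed)


def _granted(user: str, resource: str, action: str) -> bool:
    for pattern, actions in GRANTS.get(user, {}).items():
        if fnmatch.fnmatch(resource, pattern) and action in actions:
            return True
    return False


def _home_segment(resource: str):
    for prefix, segment in RESOURCE_SEGMENT.items():
        if resource.startswith(prefix):
            return segment
    return None


def zero_trust_decision(req: Request):
    """Return (allowed, reason). Every check runs on every request,
    regardless of where on the network the request comes from."""
    if not _granted(req.user, req.resource, req.action):
        return False, "no explicit grant for this resource/action"
    if req.action == "write" and not req.device_managed:
        return False, "unmanaged device limited to read-only"
    if req.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "verification stale; re-authenticate"
    home = _home_segment(req.resource)
    if home is not None and req.src_segment != home:
        # Reaching a resource from a segment it does not live in is what
        # lateral movement looks like, so demand a much fresher verification.
        if req.mfa_age_min > CROSS_SEGMENT_MFA_MIN:
            return False, "cross-segment access requires fresh verification"
    return True, "ok"


def compare(req: Request) -> dict:
    """Side-by-side verdicts of the two mindsets for one request."""
    return {"perimeter": perimeter_allows(req),
            "zero_trust": zero_trust_decision(req)[0]}


# Constructed sample requests.
R_FINANCE_USER = Request("alice", True, "finance-net", "finance/payroll.csv", "write", 5)
R_INSIDER_OVERREACH = Request("bob", True, "eng-net", "finance/payroll.csv", "write", 5)
R_LATERAL_MOVE = Request("bob", True, "eng-net", "finance/payroll.csv", "read", 30)
R_BYOD_WRITE = Request("bob", False, "eng-net", "engineering/design.md", "write", 5)
R_REMOTE_WORKER = Request("alice", True, "internet", "finance/payroll.csv", "read", 5)

if __name__ == "__main__":
    for name, req in [("finance user", R_FINANCE_USER),
                      ("insider overreach", R_INSIDER_OVERREACH),
                      ("lateral move", R_LATERAL_MOVE),
                      ("BYOD write", R_BYOD_WRITE),
                      ("remote worker", R_REMOTE_WORKER)]:
        print(f"{name:18s} {compare(req)}  {zero_trust_decision(req)[1]}")
```

Note how the perimeter rule waves through every insider request and blocks the legitimate remote worker, while the zero-trust policy decides on identity, grant, device and verification freshness instead of network location.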

The success of this mindset will yet again rest on usability features. If new security solutions interfere with the normal workflow, users will simply find a means to circumvent them. This is why encryption — one of the most foundational means of securing data — saw little real adoption until applications made it part of the natural workflow. Usable security and privacy must accompany a zero-trust approach for it to succeed.

The Growing Splinternet

As internet penetration continues to increase across the globe, it would be a mistake to assume the online experience — or level of security — will be uniform. The notion of a ‘borderless internet’ emerged in the 1990s and continues to shape assumptions about the future of the internet. Unfortunately, it’s a completely false premise. Thanks to the emerging data regulations and cybersecurity laws, the internet is fracturing and will continue to do so over the next decade. We have already addressed the data localization and protection laws instigating this fracturing, but cyber norms and encryption will both further deepen the Splinternet, as will the role of corporations in shaping global policy across each of these.

Cyber Norms

For over a decade, the United Nations Group of Governmental Experts (GGE) debated the creation of cyber norms — those informal standards of appropriate behavior in cyberspace. The main objective was to tame the anarchy of cyberspace with some foundational agreement specifying what behavior was unacceptable. Proposed guidelines ranged from non-intervention in critical infrastructure in peacetime to non-interference in cybersecurity emergency response teams.

These negotiations collapsed in 2017 along the ideological divide between regimes favoring cyber sovereignty — the right to control information within their boundaries — and those preferring a free, open, secure approach, thus reinforcing notions of a digital iron curtain. This divide was further entrenched at the end of 2018, when both Russia and the United States introduced competing resolutions that would create working groups to identify new cyber norms.

Absent significant progress from the United Nations, corporations are stepping in to define global norms and shape the rules of the road. For instance, Microsoft introduced the concept of ‘A Digital Geneva Convention’ to protect against the range of offensive attacks, and it has garnered over 30 signatories from high-tech companies. Siemens has similarly introduced a Charter of Trust focused on supply chain standards, which has over a dozen of the world’s largest companies as signatories, while two government authorities have also joined its ranks. This convergence of the private sector and governments will only continue, as the Paris Call for Trust and Security in Cyberspace and the Global Commission on the Stability of Cyberspace demonstrate, each of which has significant contributions from the private and public sectors. The Paris Call has over 450 signatories, including 100 countries and private sector tech giants such as IBM, Cisco, Facebook, and Google.

Of course, these efforts are in sharp contrast to those put forth by authoritarian regimes such as China and Russia. How these norms diffuse, and who is shaping them, has significant implications for cybersecurity and defense postures across the globe.

Data Security and Privacy Postures

Just as global norms reflect an ideological fracturing, this divide is also growing thanks to various approaches to security and privacy. We already covered the regulations that are prompting part of this global fracturing. Looking ahead, how governments handle encryption may well further deepen the Splinternet. Encryption has been around for decades, but over the last few years has been under attack by both authoritarian regimes and democracies.

End-to-end encryption is one of the few security measures that is not cost-prohibitive and is increasingly usable for non-tech aficionados. However, a growing global effort exists to weaken encryption, including by authoritarian regimes such as China, Russia, and Iran. For instance, in 2018 Russia attempted to ban the messaging app, Telegram, following its refusal to hand over encryption keys, and accidentally took banks and online stores and services offline. Following this debacle, one state-run media source argued that the end of globalization is here, and “all countries will build virtual borders … it’s inevitable, and it’s very good for all of us.”


Like other authoritarian strategies, this digital strategy has spread. Malawi requires government approval of encryption keys, while China requires local encryption key storage. Turkey linked anyone using ByLock, an encryption-based messaging app, to coup involvement, while India is exploring a law to require a backdoor, targeted at WhatsApp. German leaders have requested similar access to encrypted content, while Brazil continues to go back and forth on banning WhatsApp and its end-to-end encrypted services. The United States, Australia, Canada, New Zealand, and the United Kingdom issued a joint statement introducing their intent to seek lawful access to encrypted content. Australia made good on this promise a few months later, passing a contentious law requiring access to encrypted content. Based on a discussion at the National Security Council in June 2019 and the latest comments from Attorney General Barr, the United States may soon follow suit.


These policies that weaken security pose significant risk to businesses and individuals. The combination of data localization requirements and government access to data through weakened encryption should increasingly inform corporate cyber risk assessments over the next decade.


Looking Ahead

The dominant paradigms in cybersecurity are ‘assume breach’ and ‘privacy is dead.’ This nihilistic attitude is understandable given the proliferation of the authoritarian playbook coupled with the monetization of data. While there is a sense of acquiescence when it comes to the loss of privacy and data protection, doing nothing is not an option. There is too much at stake.


The future of the internet is at an inflection point, one that is intertwined with geopolitics, the new frontier of emerging technologies, individual freedoms, and a global, interconnected economy. The fracturing of the internet is already well underway with divides that are only likely to grow in the next ten years.


If crisis breeds innovation, expect some significant cybersecurity innovations over the next decade. With so much at stake, the challenges are great, but so too are the opportunities. Innovative security and privacy solutions are beginning to emerge to counter digital authoritarianism and to return to the original aspiration of a free, open, and secure internet.


Translated from: https://medium.com/@limbagoa/the-future-of-cybersecurity-the-growing-battle-for-information-control-669d3389c646
