On Climate Change and Cyber Attacks

It is difficult to think of two issues with a greater potential to negatively impact both our environment and the global economy than climate change and cyber attacks. Though long-term estimates on both are notoriously tough to pin down, contested assessments on the cost of cyber attacks range from approximately $400 billion for 2014 to more than $3 trillion by 2020 (a figure, if true, larger than the global illegal drugs market). Similarly, the cost of climate change has been estimated at some $1.2 trillion annually, which works out to roughly 1.6 percent of global GDP, while the least developed nations face losing more than 10 percent of their GDP. In other words, there is an urgent, global need to mitigate the risk of both cyber insecurity and a changing climate. With the twenty-first conference of the parties to the UN Framework Convention on Climate Change (COP21) getting underway in Paris this week, the question is whether twentieth century solutions designed to address previous global problems still resonate in the twenty-first century.

Although the atmosphere and cyberspace are distinct arenas, they share similarities of overuse, difficulties of enforcement, and the associated challenges of collective inaction and free riders. Moreover, "[m]illions of actors affect the global atmosphere[,]" just as they do the Internet. With weather patterns shifting, global sea levels rising, and temperatures set to exceed 1.5 degrees Celsius by 2100, climate change is a problem affecting the entire world, but one in which benefits are dispersed and the harms are often concentrated, making the politics difficult. Similarly, the cost of cyber attacks is often focused even as more nations become havens for cybercriminals

But it is also true that actions taken by a multiplicity of actors can positively impact both the global climate and cyberspace. This is part and parcel of the literature on polycentric governance--sometimes called the Bloomington School of Political Economy--which is quickly coming into vogue as the preferred model of tackling "new" global collective action problems marking a shift from twentieth century multilateral models of global commons governance.

For those unfamiliar, according to Nobel Laureate Professors Elinor Ostrom who did much to develop the field, a "commons" is a general term meaning a resource shared by a group of people. The global commons, then, are those areas of the world (and beyond) that are open to use by the international community. At its height, the global commons comprised nearly 75 percent of the Earth's surface, including the high seas and Antarctica, as well as outer space, the atmosphere, and some argue, cyberspace. Enter polycentric governance, which offers an alternative to rigid, top-down multilateral treaties and instead encourages bottom-up solutions. The basic idea is that regimes that are multi-level, multi-purpose, multi-type, and multi-sectoral in scope are able to complement top-down governance models favored throughout much of the history of climate governance, as has already occurred in Internet governance, which has enjoyed a more organic development trajectory.

The movement toward polycentric governance structures in both cyberspace and the atmosphere seems to be going mainstream with the head of ICANN and the President of Estonia discussing a "polycentric" Internet governance ecosystem. Similarly, more than one hundred nations have lined up to offer national pledges to address climate change, as have myriad cities, states, and regions around the world. At this point, both atmospheric and Internet governance may be considered to be increasingly multi-stakeholder and polycentric. There are distinct benefits to this arrangement in terms of innovation, experimentation, and empowerment, but COP21 delegates meeting in Paris should also be aware of the dangers including gridlock due to a lack of defined hierarchy. As such, polycentric regulation has its faults, but so too does waiting for consensual, binding agreements in either the climate change or cybersecurity contexts, which may come too late, if at all.

Both the global collective action problems of climate change and cyber attacks deserve our sustained attention from all governance levels, from individuals on up to the United Nations. There is much we all can do to make the global local and, while not neglecting multilateral forums, promote the spread of small groups of stakeholders developing and spreading best practices. Only by working together through such polycentric partnerships can we both mitigate the effects of global climate change and promote cyber peace; that is an important legacy of Professor Ostrom's vital work in this arena, and a torch that we should all be happy to raise.

Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy, sustainability, and international business law among other courses. He is also a senior fellow at the Center for Applied Cybersecurity Research, a National Fellow at Stanford University's Hoover Institution, and a term member of the Council on Foreign Relations. For a full version of this article, see Scott J. Shackelford, On Climate Change and Cyber Attacks: Leveraging Polycentric Governance to Mitigate Global Collective Action Problems, __ VANDERBILT JOURNAL OF ENTERTAINMENT AND TECHNOLOGY LAW __ (forthcoming 2016), available here.