Internet coordination and the multistakeholder model

ICANN86 was held in Seville last week. On the agenda was everything from the size of ML-DSA signatures and their effect on UDP-use to the Internet Governance Forum (IGF) and The World Summit on the Information Society (WSIS)+20. 

The scope of discussions and sessions gives an opportunity to reflect on the purpose and the design of the Internet’s multistakeholder model. In this article, I will discuss where I think we have deviated from it and what we should do going forward.  

Back in the beginning of the Internet era, it became clear there was a need to coordinate both standards and policy (e.g., how you use standards). This ultimately led to the structures we have today: the Internet Engineering Task Force (IETF) became the forum for developing technical standards and operational best practice; the Internet Corporation for Assigned Names and Numbers (ICANN) became the forum for coordinating policies related to the Internet's unique identifiers, including domain names; and the Regional Internet Registries (RIRs) became responsible for developing policies for the allocation and management of Internet Number Resources (IP addresses and Autonomous System Numbers) in their respective regions and with their respective communities. 

There are more actors involved in the multistakeholder model, particularly the IGF and related WSIS structures, and their regional counterparts. But at a global level IETF, ICANN and the RIRs, and their associated communities, are the main producers of standards and policies which organisations have to follow to be part of the global Internet. Part of the global Internet, in this context, refers to the technical settings, configurations, and operational practices required for interoperability. This is regardless of whether you are an Internet service provider, an Internet Exchange Point, a Top-Level Domain registry, a registrar, a web-hosting service or a cloud provider. 

Historically, adherence to policy and standards has been driven by self-interest rather than a need to follow government regulation. That is, there were no ex-post damages, liabilities or similar if you deviated from set policies or standards. Market economy can hit back pretty hard, though, and we have seen examples of those who were non-interoperable and non-collaborative, that have failed in the market.

As the Internet transitioned from a specialised network to critical infrastructure for banking, healthcare, and public services, to name a few, the informal and trust-based accountability mechanisms inherent in the multistakeholder model came under pressure. Societal expectations, legal requirements and concerns around resilience and cybersecurity increased. This has created a space that national regulators have sought to address with frameworks like NIS2 (the EU’s directive on cybersecurity).

The multistakeholder model needs to respond appropriately. To avoid the fragmentation caused by national and regional regulatory approaches, the system must continue to mature its operational accountability structures, balancing its inherently decentralised nature with more formal accountability structures capable of addressing contemporary societal demands.

Actors and functions pertaining to Internet names, numbers, and the technical coordination required to operate them should be held accountable by structures within the multistakeholder framework, and not by national regulators. 

Note that we are not arguing for an increased accountability burden; we are arguing that the accountability for globally coordinated Internet functions should be exercised through a globally coordinated multistakeholder framework.

If NIS2, or similar national or regional regulatory frameworks, impose accountability on actors within their respective jurisdictions, they should do so in line with the globally agreed policies and standards set by the multistakeholder system. As far as possible, accountability should be exercised through mechanisms agreed by the multistakeholder system itself. 

Anything else risks fragmenting the system, the Internet itself. DNS resolution must be done the same way across the globe, as must Internet packet addressing and routing, DNSSEC-signing, and any other Internet-related coordination. 

National and regional regulatory agencies undoubtedly have an important role in matters pertaining to individual jurisdictions, such as how a registry as a business entity is held accountable for its business activities; this does not mean they should specify the technical details of how these entities interact within the global Internet ecosystem.

Ultimately, the multistakeholder model was slow to develop mechanisms that could address the formalisation deficit now targeted by national regulation. However, it is not too late to strengthen those mechanisms and ensure that the governance of globally coordinated Internet functions continues to be anchored in the multistakeholder system. 

At its core, the multistakeholder model is built on the belief that an interoperable and interconnected Internet is the most effective way to serve the global public interest. Netnod remains committed to supporting the continued evolution of multistakeholder accountability mechanisms, helping to ensure they remain the primary, globally recognised framework for Internet governance.