Cyber Security Basics 📂 Foundation · 8 of 15 69 min read

The Internet as a Global Commons — Governance, Stewardship, Threats, and the Future of an Open Network

A 22-section walkthrough of the Internet as humanity's most ambitious shared resource. Covers Ostrom's commons theory, ICANN/IETF/IGF stewardship, the multistakeholder model, splinternet pressures, mass surveillance, MANRS routing security, DNS root systems, FIRST.org incident response, Digital Public Infrastructure (UPI, PIX, X-Road), AI commons-vs-enclosure, and Ostrom's eight design principles applied to digital governance.

Section 01

A Commons of Unprecedented Scale

The Internet is the largest cooperative system humans have ever built — and the numbers behind it tell a story no other shared resource in history can match. No nation owns it. No company controls it. Every router, every cable, every name server is part of a resource that humanity has built — and must defend — together.

👥
People Share This Commons
5.5 Billion
More than two-thirds of humanity now uses the Internet. Each user depends on the same shared protocols, the same root DNS system, the same routing infrastructure.
🌊
Submarine Cables Connect Us
574
Roughly 95% of all international Internet traffic travels through undersea fibre cables — quietly carrying everything from banking to family calls.
💾
DNS Root Server Systems
13
A through M. Each is a globally-distributed anycast cluster, totalling 1,500+ physical instances worldwide. They are the navigational backbone of the Web.
🌐
Autonomous Systems
70,000+
Independently-operated networks that voluntarily peer with each other. The Internet is, literally, a network of networks — 70,000 of them.
📐
The Framing for This Tutorial

Across the next 22 sections we ask: what kind of resource is this thing we call the Internet? Who governs it? What threatens it? Who defends it? And what futures are at stake right now? The answers borrow as much from political economy and international law as they do from computer science — because the Internet is no longer just a technology. It is shared civilisational infrastructure.


Section 02

What Is a "Commons"?

Resources Communities Govern Themselves
A commons is a resource — natural or constructed — that is shared by a community and governed by collectively-agreed rules rather than purely by private property or state command. A village pasture where every household grazes a few sheep is a commons. So is a coral reef fished by neighbouring communities. So is the radio spectrum, where users coordinate to avoid interfering with each other.

For centuries, classical economics insisted that commons either get privatised or get destroyed by overuse. Then in 2009, an unlikely Nobel Prize laureate proved otherwise.
🏆
Elinor Ostrom — Nobel Prize in Economics, 2009

Ostrom was the first woman to win the Nobel in Economics. Her field work across decades — Maine lobster fisheries, Swiss alpine meadows, Nepalese irrigation systems — showed that communities can sustainably govern common-pool resources, provided they design institutions with clear boundaries, monitoring, graduated sanctions, and collective choice. Her eight design principles (which we revisit in Section 21) are now the foundational framework for thinking about any commons — including the Internet.

Examples of Global Commons

🌊
The Oceans
UNCLOS treaty
International waters beyond any nation's territorial sea. Governed since 1982 by the UN Convention on the Law of the Sea — fisheries, shipping, seabed mining all subject to shared rules.
🌤
The Atmosphere
Paris Agreement
A literal global commons — every breath drawn shares it. Climate has been governed since 2015 by the Paris Agreement on emissions, the most ambitious multilateral commons treaty ever.
🛰
Outer Space
1967 Outer Space Treaty
Res communis — "the common heritage of mankind." No nation can claim sovereignty over the Moon, Mars, or orbits. Increasingly stressed by satellite mega-constellations and commercial space mining.
📚
Knowledge
open science, Wikipedia
Open science, peer-reviewed publications, public-domain works, Wikipedia (62M+ articles in 300+ languages). Knowledge is inherently non-rivalrous — sharing it doesn't diminish it.
🌐
The Internet
the focus of this tutorial
The youngest — and most contested — global commons. Born from a public research project, now privately operated yet collectively governed, under pressure from every direction.
👣
Antarctica
1959 Antarctic Treaty
An entire continent designated as a scientific preserve, with all territorial claims frozen. A standing example that even very valuable real estate can be governed as a commons when there is political will.

Section 03

Why the Internet Qualifies as a Commons

Six structural properties make the Internet a textbook commons — unique in human history. Each one matters for understanding what is at stake when the commons is threatened.

🌍
Shared by All
no membership fee
Anyone with a connection can use it. No nationality test, no creed requirement, no economic threshold. The barrier to entry is the device and the link, not the protocol. 5.5 billion users and counting.
</>
Open Protocols
RFC-based standards
TCP/IP, HTTP, DNS, BGP, TLS — every foundational protocol is an open standard, freely implementable. There is no licence fee to speak HTTP. No patent toll on TCP. The protocols are public goods.
📥
Non-Rivalrous Information
infinitely copyable
Bits can be copied without limit. Knowledge shared is not knowledge lost. My reading this Wikipedia article does not stop you from reading it too. This is fundamentally different from grazing land or fish stocks.
📦
Decentralised
no single point of ownership
No central server, no master authority, no kill-switch. Thousands of independently-operated networks voluntarily peer together. Resilience and governance both emerge from this distribution.
🤝
Built Collaboratively
RFCs, open-source, IETF
The Internet's standards are written by anyone who shows up to an IETF meeting with a working implementation. "Rough consensus and running code" is the engineering motto. The protocols were built in the open — and remain so.
⚠️
Vulnerable to Abuse
the commons can be polluted
Like any commons, the Internet can be polluted (spam, DDoS, malware) or enclosed (walled-garden platforms, sovereign Internets). The same openness that makes it valuable also makes it exploitable.

Section 04

The Internet Commons Stack — Four Layers, Four Stewardships

The Internet commons is not one thing — it is a stack of overlapping commons, each with distinct stewards, distinct threats, and distinct defenders. Understanding the layered structure is essential to understanding how the commons can be defended layer by layer.

📚 The Four-Layer Internet Commons
L4 SOCIAL LAYER Norms, communities, open-source culture, digital rights, civic participation 👥 stewards: EFF, ACLU, Article 19, Access Now civil society at large L3 CONTENT LAYER Open standards (HTML, Markdown), public-domain knowledge, Wikipedia, OpenStreetMap 👥 stewards: W3C, WMF, Creative Commons, open-data communities L2 LOGICAL LAYER Protocols (TCP/IP, HTTP, DNS, BGP, TLS), naming, addressing, routing 👥 stewards: IETF, ICANN, IANA, RIRs, network operators L1 PHYSICAL LAYER Submarine cables, IXPs, data centres, satellites, last-mile networks, spectrum 👥 stewards: carriers, ITU, governments, IXP operators Each Layer Is Its Own Commons — With Distinct Stewards and Distinct Threats Defending the commons means defending all four layers — not just protocols

Section 05

The Tragedy of the Digital Commons

The Grazing Field, Revisited as Internet Backbone
In a 1968 Science essay titled "The Tragedy of the Commons," biologist Garrett Hardin argued that shared resources are inevitably overused because each individual benefits privately while the cost of overuse is shared by all. His example was a village grazing field: every shepherd's marginal sheep yields a private gain, but the field's eventual exhaustion is a cost spread across the community.

The Internet faces structurally analogous pressures. Each spammer benefits from a sent email; the inbox-pollution cost is paid by every recipient. Each botnet operator benefits from a successful DDoS; the bandwidth-consumption cost falls on every transit network in the path. Each surveillance actor benefits from data collection; the trust-erosion cost falls on the commons as a whole.

Ostrom's later work showed that tragedy is not destiny — communities can govern commons sustainably when they design the right institutions. The question is whether the Internet community will.

Six Tragedies the Internet Faces Right Now

📧
Spam & Phishing
cost externalised to everyone
Senders externalise the cost of unwanted email onto every recipient, every mail server, every spam filter. Roughly 45–50% of all email sent globally is still spam, despite three decades of countermeasures.
DDoS Attacks
bandwidth weaponised
Botnets weaponise the bandwidth of unsuspecting devices against shared infrastructure. Record sizes keep climbing: 3.8 Tbps in October 2024, 11.5 Tbps in August 2025, 31.4 Tbps from the Aisuru botnet in December 2025.
🛍️
BGP Hijacking
trust abused
Forged route announcements redirect global traffic. A single misbehaving AS can break the world — as the Cloudflare 1.1.1.1 BGP hijack of June 2024 showed, when a Brazilian ISP's bad announcement affected 300 networks across 70 countries.
👁️
Surveillance
openness extracted
Both states (Snowden disclosures) and corporations (ad-tech tracking) extract value from a commons designed for openness. The cost — chilled speech, eroded trust, concentrated power — falls on every user.
🏭
Hyperscaler Capture
enclosure of a distributed system
A handful of clouds (AWS, Azure, GCP) host most of the Web. Two app stores (Apple, Google) gate most mobile distribution. One CDN (Cloudflare) proxies a meaningful share of all HTTP. Concentration is itself a tragedy of a once-distributed commons.
🚫
Censorship & Walls
enclosure by nation-state
Nation-states fragment the commons by blocking content, throttling protocols, and constructing "splinter-nets." Each wall is rational from one sovereign's perspective — yet collectively they degrade the universal reachability that defines the Internet.

Section 06

Stewards of the Global Commons — A Constellation, Not a Ruler

No single ruler governs the Internet. Instead, a constellation of bodies — each with a distinct mandate and constituency — stewards different pieces. Understanding who does what is essential to understanding how the commons is governed.

Body Founded Role How It Works
ICANN (Internet Corporation for Assigned Names & Numbers) 1998 Coordinates the DNS root, IP allocation, and gTLD policy California non-profit with multistakeholder governance; broke from US gov't oversight in 2016 transition
IETF (Internet Engineering Task Force) 1986 Develops Internet standards via the open RFC process "Rough consensus and running code" — anyone may submit a draft; standards emerge through working groups
IANA (Internet Assigned Numbers Authority) 1988 Allocates protocol numbers, root zone, IP blocks Operated by ICANN's Public Technical Identifiers (PTI); the registry of all globally unique identifiers
RIRs (Regional Internet Registries) 1992 onwards Distribute IP addresses regionally Five bodies: ARIN (North America), RIPE NCC (Europe + ME), APNIC (Asia-Pacific), LACNIC (Latin America), AFRINIC (Africa)
W3C (World Wide Web Consortium) 1994 Develops Web standards: HTML, CSS, accessibility, payments Founded by Tim Berners-Lee at MIT; multi-stakeholder member-led standards body
ISOC (Internet Society) 1992 Promotes open development and policy; supports IETF Non-profit umbrella; chapters in 130+ countries; runs MANRS programme
IGF (Internet Governance Forum) 2006 Multi-stakeholder policy dialogue venue under the UN Annual UN-convened forum; no decision-making power but agenda-setting influence
ITU (International Telecommunication Union) 1865 UN agency for telecoms; sets some standards and spectrum policy Traditional treaty-based intergovernmental body; the only Internet steward that pre-dates the Internet
📐
Why This Constellation?

The constellation evolved organically. Each body was created to solve a specific governance problem at a specific time — IP allocation, standards, domain names, policy dialogue. The result is not tidy, but it works: no single failure can break the system, because no single body can. This is a feature, not a bug.


Section 07

The Multistakeholder Model — Distributed Sovereignty in Practice

A Deliberate Experiment
Unlike traditional treaty-based international governance — where only nation-states have seats at the table — the Internet is steered through a multistakeholder model. Multiple categories of stakeholders meet as peers. No single voice dominates. Decisions emerge through rough consensus rather than majority vote.

This is genuinely novel in global governance. It is part of why the Internet has grown so quickly — innovation is "permissionless" in a way it is not for, say, civil aviation or maritime trade. It is also part of why the model is now contested by states that prefer treaty-based, sovereignty-first governance.
🤝 The Five Stakeholder Communities
INTERNET GOVERNANCE GOVERNMENTS sovereignty, security, law enforcement PRIVATE SECTOR operators, registrars, platforms, vendors CIVIL SOCIETY digital-rights NGOs, end-users, consumers TECHNICAL COMM. engineers, researchers, IETF, operators INTERNATIONAL ORGS UN, regional bodies, treaty orgs Five Communities, One Conversation, Rough Consensus Openness · Transparency · Bottom-up consensus · Permissionless innovation

Section 08

Six Major Threats to the Global Commons

Six pressures, if unaddressed, would degrade or break the shared Internet. Each is real, each is current, each is being actively fought over today.

🚩
Fragmentation
States carve the Internet into national sub-networks. Universal reachability — the founding promise that any host can talk to any other — gives way to gateways, blocks, and walls. China's Great Firewall is the canonical case; Russia, Iran, and others are following.
universal reachability lost
👁️
Mass Surveillance
State and corporate interception erode trust, chill speech, and concentrate power. The Snowden disclosures (2013) revealed the scale of state programs like PRISM and Tempora. Commercial tracking now covers most of the public Web through ad-tech telemetry.
trust eroded at scale
🚫
Censorship
Content blocking and protocol-level filtering restrict information flow asymmetrically — citizens in some jurisdictions cannot reach the same Web that others use freely. The result is an Internet of unequal access.
information flow restricted
🏭
Market Concentration
Three clouds (AWS, Azure, GCP), two app stores (Apple, Google), one CDN (Cloudflare) — a handful of private actors now handle a majority of global Internet activity. The CrowdStrike-Microsoft outage of July 2024 showed what one bad update can do.
single points of mass failure
🧹
Cyber Conflict
State-sponsored attacks treat the commons as a battlespace. Infrastructure itself becomes a target: SolarWinds 2020, Colonial Pipeline 2021, NotPetya 2017, AIIMS Delhi 2022. Civilian critical infrastructure is now routinely caught in geopolitical crossfire.
infrastructure as battlespace
🌍
Climate & Energy
Data centres and networks consume approximately 3% of global electricity and emit 1.4% of global greenhouse gases. AI workloads are pushing those numbers up sharply. Sustainability is now a structural concern, not a side issue.
structural sustainability problem

Section 09

Splinternet — The Fragmenting Commons

One Internet or Many?
The biggest existential question for the commons: will the Internet remain one network, or become many? The term "splinternet" describes the gradual fragmentation of the once-universal network into national or regional sub-networks with limited interoperability.

Fragmentation is not just a policy concern — it is a measurable, observable trend. Five major patterns are reshaping the commons right now.

Five Patterns of Fragmentation

📍 Where Walls Are Being Built
China
Sovereign Internet. The Great Firewall blocks Google, Facebook, X, YouTube, WhatsApp, and most foreign news sites. Domestic alternatives (WeChat, Weibo, Baidu) are mandatory. Estimated to be the largest single-jurisdiction blocklist on Earth.
Russia
Disconnect Drills. The "RuNet" sovereign Internet law (2019) gives the state legal authority and technical capability to disconnect from the global Internet during "emergencies." Drills have been conducted multiple times since 2019.
Iran
National Information Network. A domestic intranet with throttled foreign access. During the Mahsa Amini protests of 2022, foreign Internet access was reduced to near-zero for weeks while the domestic intranet stayed available.
EU
Regulatory Fragmentation. GDPR (2018), DSA (2022), DMA (2022), AI Act (2024) create distinct compliance zones — companies must build EU-specific data handling, content moderation, and AI risk management. De-facto sovereignty without infrastructure walls.
USA
Decoupling Pressure. Sanctions, export controls, TikTok and Huawei bans split tech supply chains. The 2022 CHIPS Act, the 2024 TikTok divestment law, and ongoing semiconductor export restrictions formalise the split with China.

What Fragmentation Breaks

🔗
Universal Reachability
the founding promise
"One Internet" means any host can talk to any other. Fragmentation kills this. The same domain may resolve to different (or no) IPs depending on the country of the resolver.
👥
Cross-border Communities
diaspora, science, commerce
Diasporas, families, scientific collaborations, multinational businesses — all depend on a shared substrate. Walls disrupt all of them, often invisibly until the connection breaks.
📚
Free Flow of Knowledge
Wikipedia, journals, Stack Overflow
The open Web — Wikipedia, ArXiv, Stack Overflow, MOOCs — is fragile to balkanisation. Even partial blocking can cut populations off from the global knowledge commons.
🛡️
Collective Cyber Defence
threat intel, incident response
CERT cooperation, threat-intel sharing, vulnerability disclosure — all need open channels. Fragmentation hampers defence against the very attacks that threaten everyone.

Section 10

Surveillance — The Twin Pressures on the Commons

Surveillance comes in two flavours, both eroding the commons. State surveillance uses legal powers (or quietly bypasses them) for security and intelligence purposes. Corporate surveillance turns user behaviour into data products. Both rely on the same plumbing — and both treat privacy as a resource to be extracted.

🏭️ State Surveillance
VectorReal Cases
Bulk InterceptionSnowden disclosures (2013) revealed PRISM, XKeyscore, Tempora — programmes intercepting traffic at the backbone level
Legal Hacking PowersEncryption back-door debates ("Going Dark"), lawful-access laws, US CLOUD Act (2018) for cross-border data requests
Cross-Border RequestsMutual Legal Assistance Treaties (MLATs) strained by global data flows — average response time now years
Targeted SpywarePegasus (NSO Group, Israel), Predator (Intellexa) — commercial spyware sold to 30+ states, used against journalists, dissidents, lawyers worldwide
🏢 Corporate Surveillance
VectorReal Cases
Behavioural AdvertisingReal-time bidding (RTB) leaks billions of behavioural profiles per day to thousands of partners — the bidder ecosystem is largely unregulated
Data BrokersAcxiom, Equifax, LexisNexis trade in location, health, financial, and demographic data — largely without consent or knowledge
Algorithmic ProfilingML models infer attributes (political view, sexual orientation, mental health, pregnancy) that users never disclosed — and use them for targeting
Platform Lock-inData portability is theoretical; the switching cost is real. GDPR's "right to data portability" remains weakly enforced
⚠️
The Convergence Risk

State and corporate surveillance increasingly converge. Governments can buy commercial data they would never be allowed to collect directly. Companies routinely receive subpoenas for data they didn't even know they had. The result is a hybrid surveillance system more invasive than either pole could have built alone — and largely invisible to the user being watched.


Section 11

Cyber Norms & International Diplomacy

Beyond the technical commons sits a diplomatic commons: the evolving set of voluntary norms that govern how states should behave in cyberspace. There is no treaty, no enforcement mechanism, and no court — but there is a slowly-thickening web of agreements that constrain state action.

Key Processes & Instruments

Process / Instrument Origin What It Did
UN GGE (Group of Governmental Experts) UN, 2004–2021 Produced 11 voluntary norms for responsible state behaviour in cyberspace, agreed in 2015 and reaffirmed in 2021
OEWG (Open-Ended Working Group) UN, 2018 onwards Successor to GGE with broader membership — every UN member state participates
Tallinn Manual NATO CCDCOE, 2013 / 2017 Independent expert analysis of how international law applies to cyber operations; the de-facto reference work
Budapest Convention Council of Europe, 2001 Treaty on cybercrime — 70+ ratifications; the only widely-adopted binding cybercrime treaty
Paris Call France, 2018 Multistakeholder declaration for trust and security in cyberspace — 1,200+ supporters including states, companies, NGOs
Christchurch Call NZ + France, 2019 Tech companies and states aligned against violent extremist content online, after the Christchurch mosque attack livestream

Examples of Agreed Norms

🏥
Don't Attack Critical Infrastructure
peacetime restraint
States should not knowingly damage critical infrastructure — hospitals, power grids, financial systems — in peacetime. The norm is widely violated but has growing moral weight.
🧹
Protect CERTs
defenders are off-limits
Don't target CERT / CSIRT teams. They are humanity's incident responders — attacking them is like attacking ambulances. A relatively newly-agreed but increasingly respected norm.
🤝
Cooperate on Incidents
respond to requests
States should respond to requests for assistance regarding malicious activity originating from their territory. The norm fails in practice where geopolitical adversaries are involved — but holds among most democracies.
🏭
Don't Allow Your Territory to Host Attacks
due diligence
States have a due-diligence obligation to prevent their territory from being used for internationally wrongful acts (ICT operations against others). Strong consensus in principle; weak enforcement in practice.
🔗
Supply Chain Integrity
no back-doors in ICT
States should take reasonable steps to ensure ICT supply-chain integrity — not insert back-doors, not weaken cryptography, not subvert hardware in transit.
📋
Report Vulnerabilities Responsibly
don't stockpile zero-days
States should consider responsible reporting of ICT vulnerabilities they discover. The norm aspires to a "vulnerabilities equities process" — but most states still stockpile zero-days for offensive operations.

Section 12

Global Incident Response — The Commons Defends Itself

When attacks happen, the commons defends itself through a planetary mesh of CERT and CSIRT teams (Computer Emergency Response Teams, Computer Security Incident Response Teams). They cooperate faster than diplomacy can — often within hours of a new threat appearing — and they do it through voluntary trust networks rather than treaty obligations.

🧥 FIRST.org — The Hub of Global Incident Response
FIRST .org 700+ teams 100+ countries APCERT Asia-Pacific regional CERTs AfricaCERT African continent CERTs OIC-CERT Islamic-cooperation member states AMERICAS CSIRTAmericas, US-CERT, etc. TF-CSIRT European task force ENISA EU agency for cybersecurity Trust-Based Cooperation Across Jurisdictions, Faster Than Diplomacy

What Gets Shared (and How)

📢 The Five Streams of CERT Cooperation
IOCs
Indicators of Compromise. STIX/TAXII standardised feeds — malware hashes, command-and-control IPs, attacker infrastructure. The defender's equivalent of a "be on the lookout" bulletin.
CVD
Vulnerability Coordination. Responsible disclosure, CVE assignment by MITRE, coordinated embargoes so vendors can patch before public release. Handled by national CERTs in partnership with researchers.
Takedowns
Takedown Requests. Hosting providers, registrars, and sinkhole operators cooperate to take over malware C2 domains, seize illegal servers, and protect victims.
Forensics
Cross-border Forensics. Mutual aid in attribution and evidence preservation across jurisdictions. Often the only way to attribute state-sponsored attacks.
Capacity
Playbooks & Training. Joint exercises (Locked Shields, Cyber Storm), capacity-building programmes for emerging CERTs, common toolchains. The slow but steady work of building global defensive capability.

Section 13

DNS — A Critical Common-Pool Resource

Thirteen Letters That Hold the Web Together
The Domain Name System runs on 13 logically-distinct root server systems, named A through M and operated by 12 different organisations across the world (one organisation runs two roots). Each "letter" is not a single computer — it is a globally-distributed anycast cluster, with the same IP advertised from hundreds of locations. The 13 logical names actually map to 1,500+ physical instances worldwide.

The DNS root is a textbook commons. It is a single global name space — one root for the whole planet. It is operated by neutral, geographically-diverse organisations. It is coordinated by IANA functions (now run by ICANN's Public Technical Identifiers, PTI). And it is funded primarily by registry fees and voluntary efforts.
📙 The 13 DNS Root Server Systems
A — M (operated by 12 organisations across the world) A B C D E F G H I J K L M Each letter = a globally-distributed anycast cluster — 1,500+ physical instances worldwide The most replicated, most coordinated, most surveillance-resistant naming system humans have ever built
✅ Why DNS Is a Commons
Property
Single global name space — one root for the whole planet
Operated by neutral, geographically diverse organisations
Coordinated by IANA functions (ICANN PTI)
Funded primarily by registry fees and voluntary efforts
Standards developed openly through IETF RFCs
🛡️ Threats & Collective Defence
ThreatDefence
Cache poisoning & spoofingDNSSEC signing
Surveillance of queriesDNS-over-HTTPS (DoH), DNS-over-TLS (DoT)
Censorship via NXDOMAIN injectionAlternative resolvers (1.1.1.1, 9.9.9.9)
Registrar compromiseDNS-CAA records, registry lock

Section 14

BGP & Routing — The Trust-Based Commons

How 70,000 Networks Coordinate Daily
BGP (Border Gateway Protocol) is the routing protocol that glues the Internet together. It is how an AS in Singapore knows that an IP range "belongs" to an AS in Brazil — and that the best path to reach it goes via Tokyo, Los Angeles, and Miami.

BGP runs on trust. Any AS can announce any prefix, and historically the rest of the Internet just believed it. This was fine when the network had 50 ASes who knew each other. It is not fine with 70,000 ASes including hostile actors. The result has been a steady drumbeat of BGP hijacks — sometimes accidental (Pakistan Telecom blackholing YouTube globally in 2008), sometimes deliberate (Rostelecom's hijack of 8,800+ routes in April 2020).
🧥
MANRS — Mutually Agreed Norms for Routing Security

Launched by the Internet Society in 2014, MANRS is the collective answer. It is a voluntary commitment by network operators to implement four pillars that defend the global routing commons. Over 900 ISPs, content providers, and IXPs participate. It is not a treaty, it is not a regulation — it is a textbook example of an Ostrom-style commons institution.

The Four Pillars of MANRS

🔒 MANRS Pillars — What Operators Commit To
1 FILTERING Validate route announcements from customers 2 ANTI-SPOOFING Block traffic with spoofed source (BCP38) 3 COORDINATION Maintain accurate, globally-reachable contact info 4 VALIDATION Publish & validate RPKI ROAs (sign route ownership) Four Norms — Voluntary, Verifiable, Globally Coordinated As of 2025, ~900+ network operators participate — about 50% of global BGP prefixes have RPKI ROAs

Section 15

How the Commons Defends Itself — Six Voluntary Mechanisms

Beyond formal bodies and treaty norms, the real immune system of the Internet commons is voluntary collaboration. Six mechanisms in particular show what stewardship looks like in practice.

</>
Open-Source Security
shared code, collectively audited
Linux, OpenSSL, OpenSSH, BIND, Nginx, Apache — the Internet runs on shared code that is collectively read, audited, and patched. The XZ Utils backdoor (March 2024) was caught by a Microsoft engineer noticing a 500ms delay; open-source made the discovery possible.
🧹
Bug Bounties & CVD
researchers as immune system
Coordinated Vulnerability Disclosure (CVD) and bounty programmes turn security researchers into a planetary immune system. HackerOne paid out $81 million in bounties in FY 2024–25 alone, with an estimated $3 billion in avoided breach losses.
📢
Threat Intel Sharing
near-real-time IOCs
ISACs (FS-ISAC, H-ISAC, E-ISAC), MISP, AlienVault OTX, the Cyber Threat Alliance — operators share Indicators of Compromise in near-real-time across organisations, sectors, and borders.
🚀
Industry Sinkholes
malware C2 taken over
Researchers and ISPs cooperate to take over malware command-and-control domains and protect victims worldwide. Microsoft's Digital Crimes Unit has supported takedowns of ZeroAccess, Necurs, LabHost, Lumma Stealer, and many others.
🔐
Let's Encrypt
free TLS for the whole Web
A free, automated, open Certificate Authority that has issued 6+ billion TLS certificates. Single-handedly turned HTTPS from a paid luxury into a free default. HTTPS now protects >95% of Web traffic — directly because of Let's Encrypt.
📚
Standards Bodies' Security Work
security in protocols
IETF, W3C, FIDO Alliance and others embed security into the protocols themselves — TLS 1.3 (RFC 8446), QUIC (RFC 9000), OAuth 2.0, WebAuthn / Passkeys. The best defence is the one users never see.

Section 16

Digital Public Infrastructure (DPI) — Building Public Goods on the Commons

Society-Wide Digital Systems as Public Goods
Digital Public Infrastructure (DPI) is the emerging idea that society-wide digital systems — identity, payments, data exchange — should be built as public goods with open standards, interoperability, and inclusion at the core. Not as walled-garden products from a single vendor, and not as siloed government IT projects either.

The model is gaining traction worldwide. India, Brazil, Estonia, Singapore, and the EU all run major DPI programmes, often serving hundreds of millions of users. They show what governance for the commons looks like when it works.

The Three Foundational DPI Layers

Layer 1
Digital Identity
Provable identity for citizens — enables KYC, e-signing, public-service access. Aadhaar (India), Singpass (Singapore), EU eIDAS Wallet.
Layer 2
Real-Time Payments
Instant, low-cost, interoperable payment rails. UPI (India), PIX (Brazil), FedNow (US), SEPA Instant (EU).
Layer 3
Data Exchange
Consent-based, secure data sharing between government systems and citizens. Account Aggregator (India), X-Road (Estonia).

DPI in the Wild

Country Programme Scale What It Delivers
🇮🇳 India India Stack — Aadhaar + UPI + Account Aggregator 1 billion+ users National digital ID, instant payments, consent-based data sharing — UPI alone handled over 16 billion transactions/month in 2025
🇧🇷 Brazil PIX 150M+ users since 2020 Free instant payments, 24/7. Now used for the majority of person-to-person transfers in Brazil
🇪🇪 Estonia X-Road nationwide since 2001 Data exchange between government systems with full audit trail. Citizens see every query made about them, by whom
🇸🇬 Singapore Singpass 5M citizens, 700+ services Federated digital ID for both public and private services. National authentication backbone
🇪🇺 EU eIDAS 2.0 / EU Digital Identity Wallet mandatory by 2026 Cross-border digital ID and credentials wallet — every EU citizen will be able to use one wallet across all 27 member states

Section 17

Net Neutrality & Open Access

Can the commons remain neutral when commercial pressures favour "preferred lanes" for those who can pay? The principle of net neutrality says yes — and three sub-principles operationalise it.

🚫
No Blocking
first principle
ISPs should not block lawful content, applications, services, or non-harmful devices. The pipe carries what the customer asks for, full stop.
🔄
No Throttling
no preferential slowdowns
Carriers should not impair or degrade lawful Internet traffic based on content, source, or application. Streaming video and email get the same treatment.
💸
No Paid Prioritisation
no "fast lanes"
No "fast lanes" or "slow lanes" — traffic should not be sorted by who pays the ISP. The Internet's competitive innovation depends on a level playing field for new entrants.

Where Things Stand Globally

🌐 Net Neutrality by Jurisdiction
EU
BEREC guidelines enshrine net neutrality with limited specialised-service exemptions. Among the strongest formal protections in the world.
USA
Policy has oscillated with administrations: enacted 2015, repealed 2017, FCC reinstated Title II neutrality rules in 2024 — currently subject to court challenges. The US has been the most contested major jurisdiction.
India
TRAI banned discriminatory pricing in 2016 — the famous "Free Basics" ruling that blocked Facebook's zero-rated walled garden. Among the strongest net neutrality protections globally.
Brazil
Marco Civil da Internet (2014) enshrines net neutrality as a foundational legal principle — a "constitution" for the Brazilian Internet predating most other countries' formal rules.
Many others
Chile (2010, first in the world to enact net neutrality law), Netherlands (2012), Argentina, Mexico, South Korea — net neutrality protections vary widely but are gradually proliferating.

Section 18

AI and the Future of the Commons

Generative AI as the Newest Commons-vs-Enclosure Fight
Foundation models — the large neural networks behind ChatGPT, Claude, Gemini, and Llama — are trained on the Internet commons. They ingested Wikipedia, open-access papers, GitHub, public web pages, books, conversations. The commons fed them.

The resulting models, however, are concentrating power in a handful of firms that can afford the $100M+ training runs. How this is resolved over the next decade will define whether AI becomes part of the commons — or enclosed atop it.
🌿 Forces Toward Openness
ForceExamples
Open-weight modelsLlama (Meta), Mistral, DeepSeek, Falcon, Qwen — large weights released freely
Open datasetsC4, The Pile, RedPajama — training corpora shared openly
Open evaluationHELM, MMLU, LMSys Arena, OpenLLM Leaderboard — common benchmarks anyone can run
Open standardsMCP (Anthropic), OpenAI-compatible APIs, ONNX, Hugging Face Hub
Open scienceArXiv preprints, EleutherAI, BigScience BLOOM — research conducted in the open
🔐 Forces Toward Enclosure
ForceExamples
Compute concentrationFrontier training requires $100M+ runs — only a handful of firms can afford them
Closed weightsGPT-4, Gemini Ultra, Claude Opus — weights private, APIs only
Data lockupTraining corpora getting siloed via exclusive licensing deals (Reddit-Google, OpenAI-publishers)
Regulatory captureCompliance moats benefit incumbents over open models — frontier-model regulations may be easier for $100B firms than open-source contributors
Chip export controlsGeopolitical restrictions on advanced AI accelerators concentrate capability in a few countries

Section 19

Sustainability of the Internet Commons

The Internet has an invisible but enormous environmental footprint. Data centres are massive consumers of electricity and water. Network equipment becomes e-waste. AI workloads have pushed all of these numbers up sharply since 2023.

Global Electricity Used
~3%
ICT — data centres, networks, devices — consumes approximately 3% of global electricity. AI workloads are pushing this share up rapidly.
🌍
Global GHG Emissions
~1.4%
Carbon emissions from ICT are comparable to the aviation industry. Largely invisible to users — but accumulating fast.
🚀
E-Waste Per Year
55 Mt
Million tonnes of e-waste generated annually. Less than 20% is properly recycled. Devices designed for replacement, not repair.
💰
ICT Recycling Shortfall
$10B+
Annual gap between the cost of proper e-waste processing and what is actually being spent. Most e-waste ends up in developing countries.

Paths to a Sustainable Internet Commons

🍃
Renewable-Powered Data Centres
24/7 carbon-free energy
Hyperscalers (Google, Microsoft, Amazon) committing to 24/7 carbon-free energy procurement — not just net-zero accounting, but actually matching consumption with renewable generation hour-by-hour.
⚙️
Energy-Efficient Protocols
do more with less
HTTP/3 over QUIC reduces round-trips. ARM-based servers cut watts per query. Efficient codecs (AV1, H.265) reduce streaming bandwidth. Architecture decisions add up to massive aggregate savings.
Circular Hardware
right-to-repair, modular
Right-to-repair laws (EU, several US states), modular phones (Fairphone), refurbishment markets, e-waste treaties (Basel Convention amendments). Extending device lifetimes is one of the biggest sustainability levers.
📊
Transparency & Metrics
measure what matters
GHG Protocol Scope 3 disclosures, Power Usage Effectiveness (PUE) reporting, Water Usage Effectiveness (WUE). Investors and regulators increasingly demand auditable sustainability data.

Section 20

Two Futures of the Commons

The decisions taken this decade will determine which path becomes irreversible. The two futures are not abstract — they are visible right now in current policy debates, technical choices, and business decisions.

📋 The Fork in the Road
TODAY'S CHOICES policy, protocol, governance, capital 🚫 FRAGMENTED FUTURE "Sovereignty wins, openness loses" ● Multiple national Internets, limited interop ● Data flows require permission per jurisdiction ● Different protocols and identity systems ● Cybercrime cooperation collapses ● Innovation slows — permissioned only ● AI capabilities concentrated geopolitically 🌍 OPEN FUTURE "Stewardship adapts, openness endures" ● One Internet with mutual safeguards ● Privacy & security baked into protocols ● AI as open commons, not a cartel ● Robust collective defence (CERT + norms) ● Climate-positive by design ● DPI as global public infrastructure The path taken depends on choices made now — in standards, policy, code, classrooms, and votes

Section 21

Ostrom's Principles — Adapted for the Digital Era

Recall Elinor Ostrom's eight design principles from her Nobel-winning work on common-pool resources. They were derived from centuries of experience with fisheries, grazing lands, and irrigation systems — but they translate remarkably well to the digital commons. Each principle has a direct Internet analogue.

📍
1. Clear Boundaries
commons vs private
Define what's commons vs private. Protocols, the root DNS, the BGP table — these belong to all. Particular products, networks, and content can be private. Mixing the two creates governance chaos.
🏘️
2. Rules Fit Local Context
calibrate to reality
Norms must be calibrated to actual users and operators — not abstract principles. The rules that work for a small ISP differ from those for a Tier-1 carrier. One-size-fits-all governance fails.
👥
3. Participatory Governance
those affected have voice
Those affected by decisions must have a real voice in making them. The multistakeholder model is the Internet's answer; it works imperfectly but better than the alternatives have so far.
🔎
4. Monitoring
observable commons
Open measurement, transparency reports, audit trails — the commons must be observable. RIPE Atlas, M-Lab, Cloudflare Radar, transparency reports from major platforms all make the Internet measurable.
⚖️
5. Graduated Sanctions
proportional response
Proportional, escalating responses to abuse — not nuclear options as first response. MANRS-style peer pressure precedes formal de-peering. Suspension precedes ban. Bans precede legal action.
🤝
6. Conflict Resolution
fast, fair, low-cost
Fast, fair, low-cost ways to settle disputes — arbitration, ombudspeople, Online Dispute Resolution (ODR). ICANN's UDRP for domain disputes is one working example. Courts are too slow for Internet-speed conflicts.
🛡️
7. Recognition of Self-Governance
respect autonomy
External authorities must respect the right of stakeholders to govern their commons. Treaty-based bodies that try to take over technical coordination from IETF or ICANN have repeatedly failed — for good reason.
📚
8. Nested Enterprises
polycentric, not hierarchical
Layered governance from local to global — polycentric, not hierarchical. An ISP, a regional registry, a global standards body each handle different scales of the same commons. No single point of authority. Ostrom's final principle, and perhaps the most Internet-native one.

Section 22

Key Takeaways — Six Ideas to Carry Home

🎯 The Distilled Lessons
01
The Internet IS a Commons. Open protocols, shared infrastructure, voluntary governance — the most ambitious commons humans ever built. It is also the only commons that grew from research project to civilisational substrate in a single human lifetime.
02
Tragedy Is Possible — But Not Inevitable. Spam, DDoS, surveillance, hyperscaler capture, fragmentation — all are classic tragedies of the commons in digital form. Ostrom's lesson is that well-designed institutions can prevent tragedy. The work is to build them.
03
Governance Is Distributed by Design. No single ruler — ICANN, IETF, IGF, RIRs, W3C, ISOC, ITU and a constellation of bodies steward together. The constellation can look messy, but it has proven far more resilient than centralised alternatives.
04
Defence Is Collective. CERTs (FIRST.org, APCERT, AfricaCERT), MANRS for routing, open-source security, threat-intel sharing, Let's Encrypt — the immune system is communal, not central. It works because people show up.
05
Sovereignty vs Openness Is the Big Choice. Tolerable safeguards within one Internet, or many splinter-nets? Almost every current cyber policy debate — content moderation, AI rules, data localisation, encryption — is a proxy for this larger question.
06
Stewardship Is a Verb. Commons survive when communities show up — in standards work, policy submissions, code reviews, classroom teaching, voting, public-interest journalism. The Internet's future is not predetermined. It depends on whether enough people choose to steward it.
🎯
The Internet Belongs to Everyone — And Therefore to You

No nation owns it. No company controls it. Every router, every cable, every name server is part of a resource that humanity has built — and must defend — together. Whether you are an engineer writing protocols, a policy researcher writing comments, a citizen showing up to a hearing, or a teacher explaining how the Internet works — you are part of the commons' immune system. The commons survives because people choose to steward it. Be one of them.