Cyber Security Basics
📂 Foundation
· 10 of 15
36 min read
What is Governance? Governing the Internet
A practical guide to internet governance for security professionals, covering what governance actually is, the multistakeholder vs multilateral debate, the key bodies (ICANN, IETF, W3C, ITU, IGF, RIRs), the layered governance model, and four landmark 2025–2026 cases — the €120M EU fine on X, the US Sixth Circuit net neutrality strike-down, the Supreme Court's TikTok ruling, and India's 3-hour content takedown amendment.
Section 01
The Story That Explains Governance
📖 Real World Analogy
Who Decides How a Road Works?
Imagine a busy road running through three towns. Who decides which side of the road
you drive on? Who paints the lines? Who sets the speed limit? Who pays the police to
enforce it? Who builds the next bridge? Who arbitrates when two trucks collide and
each blames the other?
No single person decides all of these. The national government writes
traffic laws. Local councils repair potholes. Engineers
set technical standards for road signs. Insurance companies price risk.
Citizens vote and complain. Courts settle disputes. The
road works because all of these actors, with different powers and motives, coordinate
around a shared resource. That coordination — written down or unwritten — is
governance.
Now scale that road up to a network of 5.5 billion users, 200+ countries, and
millions of interconnected networks. That's the Internet, and the same
question applies: who decides how it works? Welcome to one of the most important and
least understood topics in cybersecurity.
As a cybersecurity professional, you cannot understand attacks, defenses, or compliance
without understanding governance. Every standard you implement, every regulation
you obey, every court ruling that constrains your operations traces back to a
governance decision made somewhere by someone. This tutorial walks through what governance
means, how the Internet is actually governed, the bodies that shape it, and the
real-world cases — from EU fines on X to the US TikTok ban — that show governance in
action right now.
💡
The Core Insight
Governance is not the same as government. Government is one institution that
uses law and force. Governance is the whole system of rules, norms, processes,
and actors — public and private, formal and informal — that together shape
how a shared resource is used. The Internet has no single government, but it has
enormous amounts of governance.
Section 02
What is Governance? A Working Definition
Governance is the set of structures, processes, rules, and decisions
through which a community manages its collective affairs. It answers four basic questions:
WHO
Decides?
Which actors — states, companies, technical bodies, users — have the authority to set rules and resolve disputes?
WHAT
Is Decided?
What domains of behaviour are governed — speech, security, identity, money, data — and what is left unregulated?
HOW
Are Decisions Made?
Through law, contracts, technical standards, codes of conduct, market pressure, or rough consensus?
WHY
Should Anyone Obey?
What makes the decisions legitimate — democratic mandate, expertise, voluntary participation, raw enforcement?
Governance Has Three Distinct Tools
⚖️
Hard Law
Statutes & Regulations
Binding legal rules enforced by states with penalties — GDPR, the EU Digital Services Act, India's IT Act. Breaking these draws fines, criminal charges, or shutdowns.
🤝
Soft Law & Norms
Voluntary Frameworks
Non-binding agreements, codes of conduct, multistakeholder declarations. The OECD AI Principles, the Paris Call for Cyberspace, the UN Tunis Agenda.
🔧
Technical Standards
Code Is Law
Protocols and reference implementations that simply work — TCP/IP, DNS, TLS, HTTP. Lawrence Lessig's famous "Code is Law" argument: technical design constrains behaviour as powerfully as any statute.
Section 03
What is Internet Governance?
The most widely cited definition comes from the UN Working Group on Internet
Governance (2005): Internet governance is "the development and application by
governments, the private sector, and civil society, in their respective roles, of shared
principles, norms, rules, decision-making procedures, and programmes that shape the
evolution and use of the Internet."
Notice three things. First, it is explicitly multi-actor — not just
states. Second, it covers both evolution (the technical future) and
use (everyday behaviour). Third, it includes principles, norms,
rules — three different forms of authority, not just law.
🛡️
Why It Matters for Cybersecurity
Every important cybersecurity question — Should encryption be backdoored? Who owns user
data? Can a government order an ISP to block a website? Should an AI deepfake be
labelled? — is at heart a governance question. The answer depends on
who has authority to decide, what process they use, and what consequences follow for
non-compliance.
Animated Diagram — The Internet Governance Ecosystem
🌐 Live Animation — Five Stakeholder Groups, One Internet
Each stakeholder group takes its turn shaping the same shared resource — no single one is sovereign over the Internet.
Section 04
The Two Competing Models
The history of Internet governance has been a long fight between two visions of who
should be in charge — and that fight is more intense today than ever.
🌐 MULTILATERAL MODEL
Who decides
Governments only, through treaties at bodies like the UN and ITU
Authority
State sovereignty — each country has one vote
Backed by
Russia, China, Iran, Saudi Arabia, many G77 states
Strength
Democratic legitimacy of states; clear accountability
Weakness
Slow, politicised, can entrench censorship and fragmentation
🤝 MULTISTAKEHOLDER MODEL
Who decides
Governments + private sector + technical community + civil society + academia, all together
Authority
Rough consensus + running code (the IETF motto)
Backed by
US, EU, Japan, India, most Western democracies, the technical community
Strength
Includes technical expertise and user voice; agile
Weakness
Power asymmetries — big firms and rich states dominate
📚
Recent Milestone — IGF Made Permanent
In December 2025, the UN General Assembly's WSIS+20 Review made the
Internet Governance Forum (IGF) a permanent UN body — a major
victory for the multistakeholder camp. The technical community, including the Internet Corporation for Assigned Names and Numbers (ICANN), welcomed this achievement as recognition of the IGF's enduring value. ICANN announced a one-time $1 million contribution to support the IGF's long-term sustainability, signalling that even private bodies are stepping in to keep the open model alive.
Section 05
The Key Internet Governance Bodies
Internet governance is done by an alphabet soup of organisations, each with a specific
remit. Here are the ones every cybersecurity professional must recognise on sight:
🌐
ICANN
Names & Numbers
Coordinates the global Domain Name System and IP address allocation. As the trusted steward of the Internet's unique identifier systems, ICANN is dedicated to strengthening the single, globally interoperable Internet for all. Headquartered in Los Angeles, governed by a multistakeholder board.
🔧
IETF
Protocols & Standards
The Internet Engineering Task Force writes the RFCs that define TCP, IP, HTTP, TLS, QUIC, DNS, BGP — virtually every protocol you use. Operates by "rough consensus and running code." No formal membership; anyone can participate.
🌍
W3C
Web Standards
The World Wide Web Consortium standardises HTML, CSS, the Web platform APIs, and accessibility. Led for decades by Tim Berners-Lee. Sets the rules that every browser obeys.
🏠
ITU
Treaty-Based Telecoms
The UN's telecommunications agency, founded 1865. Allocates radio spectrum, satellite orbital slots, and global phone codes. The International Telecommunication Union (ITU) Plenipotentiary (PP) Conference is the ITU's main decision-making body and is held every four years. A favoured platform for the multilateral camp.
💬
IGF
Permanent UN Forum
The Internet Governance Forum is the UN's annual multistakeholder dialogue space. Made permanent by the WSIS+20 review in 2025. No binding decisions — but where every other actor talks to every other actor on equal footing.
📍
RIRs
Regional IP Registries
Five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AfriNIC) allocate IP address blocks and AS numbers in their regions. They are who an ISP buys IPv4 and IPv6 space from.
Quick Comparison — Who Has Which Power?
Body
Founded
Decision Model
What They Actually Control
If You Ignore Them
ICANN
1998
Multistakeholder
Root DNS, gTLDs, IANA functions
You cannot get a domain
IETF
1986
Rough consensus
Internet protocols (RFCs)
You build something nobody can interoperate with
W3C
1994
Consensus + member votes
Web standards (HTML/CSS)
Your site breaks in real browsers
ITU
1865
One-state-one-vote treaty
Spectrum, satellite, phone codes
Your spectrum use is illegal
IGF
2006
Multistakeholder dialogue
Nothing binding — agenda-setting only
No legal effect
National regulators
varies
Statute
Local enforcement, fines, blocks
Massive fines, criminal liability
Section 06
The Layered Model of Internet Governance
A useful way to think about it: just like the network stack has layers, governance has
layers too. Each layer has its own actors, rules, and enforcement.
🏙️ Animated Diagram — Four Layers of Governance
Different actors dominate at different layers. A national parliament owns L1 spectrum rules; the IETF owns L3/L4 protocols; platforms write their own L7 community standards — until governments override them.
Section 07
Case Study — The EU Digital Services Act and the X Fine
📰 Real Case — December 2025
€120 Million Fine: The DSA Enters the Enforcement Phase
On 5 December 2025, the European Commission imposed a €120 million fine on X (formerly
Twitter). In a landmark step for digital regulation, the European Commission has issued its first major enforcement decision under the Digital Services Act (DSA), imposing a €120 million fine on social media platform X, formerly Twitter. The case
is the textbook example of modern internet governance in action — and worth dissecting
line by line.
The Three Violations
⚖️ What the European Commission Found
1
Deceptive blue checkmark. On X, anyone can pay to obtain the 'verified' status without the company meaningfully verifying who is behind the account, making it difficult for users to judge the authenticity of accounts and content they engage with.
2
Opaque ad repository. The DSA requires Very Large Online Platforms to maintain a usable, searchable database of every ad served, including who paid for it. X's repository missed key fields — blocking journalists and researchers from spotting malvertising and disinformation campaigns.
3
Blocking researcher access. Under Article 40(12) of the DSA, VLOPs must allow eligible researchers access to public data to study systemic risks. However, the Commission says X actively restricted such access by banning independent scraping in its terms of service.
Why This Matters for Governance
⚠️
Geopolitics Came to the Surface Immediately
The fine triggered exactly the political reaction that internet-governance scholars
have predicted for years. Elon Musk, the owner of X, responded with sweeping denunciations, calling for the dissolution of the European Union and portraying the decision as censorship dressed in regulatory garb. US political figures soon joined the chorus, framing the case as an assault on US technology giants. The Commission's response was equally telling — restrained and legalistic, framing the case as consumer protection, not censorship.
💡
The Brussels Effect in Action
The DSA applies to any platform serving EU users, regardless of where
it is headquartered. Under DSA enforcement rules, companies can be fined up to 6% of global annual turnover. This is the "Brussels effect" — Europe sets a rule, and global platforms either segment their products or apply the rule everywhere. Privacy professionals saw it with GDPR; we are now seeing it with content moderation.
Section 08
Case Study — The US Net Neutrality Decision
📰 Real Case — January 2025
Sixth Circuit Strikes Down the FCC's Open Internet Order
On 2 January 2025, in Ohio Telecom Association v. FCC, the US Court of Appeals
for the Sixth Circuit struck down the FCC's net neutrality rules. A federal appeals court struck down the Federal Communications Commission's net neutrality rules, ending a 20-year push to regulate internet service providers like a public utility. This single ruling reshaped American internet governance overnight.
The Twenty-Year Pendulum
2015
Obama FCC introduces net neutrality
Broadband reclassified as a Title II "telecommunications service," subjecting ISPs to common-carrier rules — no blocking, throttling, or paid prioritization.
2017
First Trump FCC repeals the rules
Then-chairman Ajit Pai reclassifies broadband back to a Title I "information service" — light-touch regulation returns.
2024
Biden FCC reinstates net neutrality
May 2024 vote restores Title II classification. USTelecom, representing AT&T and Verizon, immediately sues.
2025
Sixth Circuit kills it for good (probably)
In one of the first appellate decisions since the Supreme Court of the United States overturned Chevron deference in Loper Bright Enterprises v. Raimondo (2024), the U.S. Court of Appeals for the Sixth Circuit's decision in Ohio Telecom Association v. FCC (2025) held that the Federal Communications Commission (FCC) lacks authority to reinstate its 2015 net neutrality rules.
The Governance Lesson — Three Branches, Three Rules
⚖️
When Courts Reshape Internet Governance
This case isn't really about net neutrality — it's about who gets to make
internet rules when Congress hasn't spoken clearly. After the Supreme
Court's 2024 Loper Bright decision ended Chevron deference, federal
agencies like the FCC can no longer fill statutory gaps with their own
interpretations. The court emphasized that any future FCC effort to reinstate net neutrality "would require clear congressional authorization." A single Supreme Court ruling on administrative law completely reshaped what the FCC can do about ISPs.
📍
Federalism Creates a Patchwork
Federal net neutrality is gone — but state laws like those in California and Washington still apply and influence nationwide provider practices. The result is the classic governance dilemma: a national network with fifty different rulebooks, and ISPs in practice applying the strictest one (usually California's) everywhere because building per-state systems is too expensive. Sub-national governance can end up overriding federal inaction.
Section 09
Case Study — The TikTok Ban and National Security Governance
📰 Real Case — January 2025
TikTok Inc. v. Garland — The Supreme Court Allows the Ban
On 17 January 2025, the US Supreme Court unanimously upheld the Protecting Americans
from Foreign Adversary Controlled Applications Act (PAFACA). "There is no doubt that, for more than 170 million Americans, TikTok offers a distinctive and expansive outlet for expression, means of engagement, and source of community. But Congress has determined that divestiture is necessary to address its well-supported national security concerns regarding TikTok's data collection practices and relationship with a foreign adversary," the court wrote in an unsigned opinion.
What Actually Happened
Date
Event
April 2024
Congress passes PAFACA — ByteDance must divest TikTok within 270 days or face a US ban
Dec 2024
DC Circuit upholds the law against TikTok's First Amendment challenge
Jan 10, 2025
Supreme Court hears oral arguments on an emergency timeline
Jan 17, 2025
The Supreme Court on Wednesday unanimously upheld a federal law that will require TikTok to shut down in the United States unless its Chinese parent company can sell off the U.S. company by Jan. 19.
Jan 18, 2025
TikTok briefly goes dark in the US
Jan 19–20, 2025
Service restored after Trump signals he will not enforce the ban immediately
The Governance Tensions on Display
🇺🇸
Free Speech vs National Security
The Court applied intermediate (not strict) scrutiny, accepting Congress's national security justification. A foreign-owned platform serving 170 million Americans was treated as a national security asset, not a pure speech forum.
🇨🇳
Data Sovereignty
The core fear: under China's National Intelligence Law, ByteDance could be compelled to hand over US user data. The ruling effectively says: the nationality of the platform's parent matters, even online.
🤟
The Splinternet Becomes Real
India banned TikTok in 2020. The US joined in 2025. The EU is investigating. A platform with one billion users may end up serving fundamentally different versions in different blocs — the "splinternet" thesis made concrete.
💡
A Narrow Ruling — On Purpose
"That caution is heightened in these cases, given the expedited time allowed for our consideration. Our analysis must be understood to be narrowly focused in light of these circumstances," the justices wrote. The Court itself signalled that PAFACA-style bans should not be applied promiscuously to every foreign-owned app. The governance precedent is real but bounded.
Section 10
Case Study — India's IT Rules and the Speed of Takedowns
📰 Real Case — 2021 to 2026
The Three-Hour Takedown Rule
India's Information Technology (Intermediary Guidelines and Digital Media Ethics
Code) Rules, 2021 were one of the most consequential pieces of internet
governance in the Global South. They were amended again in 2026 to address the rise of
generative AI — and the trend is unmistakable: shorter timelines, more
obligations, and personal liability for platform officers.
What the Rules Require
🇮🇳 Significant Social Media Intermediary (SSMI) Obligations
Personnel
Must appoint a Chief Compliance Officer, a 24×7 nodal contact for law enforcement, and a Resident Grievance Officer — all resident in India and personally liable
Takedowns
Original 2021 rules: 36 hours. The timeframe for removing content after receiving a government order under Rule 3(1)(d) has been reduced from 36 hours to just 3 hours, while the deadline for taking down non-consensual intimate images or deepfake pornography under Rule 3(2)(b) has been cut from 24 hours to 2 hours.
Traceability
Messaging SSMIs (WhatsApp, Signal) must enable identification of the "first originator" of a message — a direct challenge to end-to-end encryption
AI Labelling
All AI-generated content must now be prominently labelled so that users can immediately recognize it as synthetic. Permanent metadata or unique digital identifiers must be embedded
The Governance Significance
🔒
Traceability vs End-to-End Encryption
The traceability requirement is one of the most-watched governance fights globally.
End-to-end encrypted messaging services do not have the capability to read messages shared on their platform or identify the first originator of messages. Complying with the rule effectively requires weakening encryption — a textbook case of governance demands clashing with a fundamental security architecture. WhatsApp has challenged the rule in court, arguing it would force the platform to break the security promise made to billions of users worldwide.
📰
When Old Rules Hit New Technology
The 2026 amendments were a direct response to viral deepfakes — including the widely
reported fake video of actress Rashmika Mandanna being "arrested." Governance is
almost always reactive: rules tighten after a harmful event makes
headlines, not before. Cybersecurity professionals should expect this pattern with
every major incident — and build compliance programs that can absorb sudden timeline
changes.
Section 11
The "Splinternet" Problem — Internet Fragmentation
Add up these cases — DSA in Europe, PAFACA in the US, IT Rules in India, the Great
Firewall in China, the RuNet in Russia — and a worrying picture emerges. The Internet's
founding promise was one global, interoperable network. Internet
governance today is increasingly about preserving (or breaking) that promise.
🇺🇸
US Approach
Light federal regulation, strong First Amendment protection for platforms, national security carve-outs (PAFACA), state-level patchwork on privacy and net neutrality.
market-led, judicial check
🇪🇺
EU Approach
Comprehensive regulation by statute — GDPR, DSA, DMA, AI Act. Heavy fines, designated VLOPs, extraterritorial reach through the "Brussels effect."
rights-based, regulator-led
🇨🇳
China Approach
Cyber-sovereignty: the Great Firewall, foreign platform bans, mandatory data localisation, real-name registration, content control by the Cyberspace Administration of China.
state-led, closed
🇷🇺
Russia Approach
RuNet — a "sovereign internet" law allowing physical and logical isolation from the global Internet, with Roskomnadzor as the central regulator and many foreign platforms blocked.
state-led, isolatable
🇮🇳
India Approach
Multistakeholder rhetoric, but increasingly direct executive control via the IT Rules: short takedowns, personal liability for officers, traceability mandates, AI content labelling.
hybrid, executive-led
🌍
The Global South
Many states want a stronger UN-led model (ITU, IGF) to reduce US-led dominance. Concerned about data colonialism and dependence on Northern platforms.
treaty-based, multilateral
Section 12
Governance Meets Cybersecurity — Frameworks Every Professional Should Know
Internet governance isn't only an abstract international debate — it cashes out as the
compliance frameworks that shape every cybersecurity program on Earth. These are the
documents your CISO actually has to satisfy.
Framework
Body
What It Governs
Who Must Comply
GDPR
EU
Personal data processing
Anyone with EU users
DSA / DMA
EU
Online platforms & gatekeepers
VLOPs serving EU users
NIS2 Directive
EU
Critical infrastructure cybersecurity
Essential & important entities in EU
HIPAA
US (HHS)
Health data privacy & security
US healthcare providers, insurers
CCPA / CPRA
California
Consumer data rights
Businesses processing CA resident data
DPDP Act
India
Personal data protection
Anyone processing data in India
PIPL
China
Personal data + cross-border transfer
Anyone processing PRC resident data
NIST CSF 2.0
US (NIST)
Voluntary cybersecurity framework
Industry best practice baseline
ISO/IEC 27001
ISO
Information security management
Voluntary certification, contractually mandated by many enterprises
PCI DSS 4.0
PCI SSC
Payment card data security
Anyone storing/processing card data
🎯
Compliance Is Downstream of Governance
Every one of these frameworks exists because of a governance decision somewhere — a
treaty, an act of parliament, a regulator's notification, a multistakeholder
consensus. When you implement encryption-at-rest because PCI DSS demands it, or
appoint a DPO because GDPR demands it, you are operationally translating governance
into engineering. Knowing which governance body produced which
requirement helps you anticipate what's coming next.
Section 13
Animated Diagram — A Governance Decision in Motion
⚡ Live Animation — How a Rule Becomes Reality
The yellow packet is one governance idea — say, "AI deepfakes must be labelled" — moving from a viral incident through to court tests. Every real case in this tutorial followed this same path.
Section 14
Golden Rules — Internet Governance for the Security Professional
🎯 Non-Negotiable Takeaways
1
Governance is broader than government. States, companies, technical
bodies, and civil society all shape the Internet. A CISO who only watches government
regulators misses half the rules they need to follow.
2
The multistakeholder model is contested, not settled. The IGF was
just made permanent (2025) — but the ITU's 2026 Plenipotentiary will be a major test
of whether states reassert control over technical governance.
3
Know the bodies. ICANN runs DNS. IETF writes protocols. W3C writes
web standards. ITU runs spectrum. IGF talks. Your national regulator enforces. Putting
every rule in the right box is half the battle.
4
The Brussels effect is real. EU rules (GDPR, DSA, DMA, AI Act) bind
global platforms. If you operate anywhere with an Internet connection, you very likely
have to comply with European law.
5
National security trumps free speech in the courts — narrowly. The
TikTok ruling is real precedent for forced divestiture, but the Supreme Court itself
called it narrow. Don't read it as a blanket rule.
6
Takedown timelines are shrinking. India just moved from 36 hours to
3 hours for government orders. The EU's DSA expects near-real-time response on illegal
content. Build compliance for the future timeline, not yesterday's.
7
Encryption is a governance flashpoint. India's traceability rule, UK
Online Safety Act provisions, EU CSAM proposals, US EARN IT Act drafts — multiple
jurisdictions are pressing on end-to-end encryption. Treat your crypto stack as a
regulatory risk, not just a technical control.
8
Fragmentation is the threat to watch. The single, globally
interoperable Internet that we inherited was a historical accident. Keeping it whole —
or splintering it into US, EU, Chinese, and Russian blocs — is the central governance
fight of the next decade.