Distinguishing the Internet’s Core From What Is Built on Top

The rise of digital economies and the cyber threats they attract

The Internet has enabled entire digital economies, from e-commerce and financial tech to social media and remote work applications. These advancements have brought profound benefits, spurring socioeconomic progress and creating new avenues for communication and commerce. However, they also come with inherent cybersecurity challenges. As more digital solutions are built on the Internet’s infrastructure, they become targets for cyber threats like data breaches, ransomware, and phishing attacks.

Yet, these cybersecurity risks typically affect the applications, services, and devices layered on top of the Internet — not the Internet core itself. The open, general-purpose nature of the Internet allows anyone to build and deploy applications, but it also requires that developers and organisations take responsibility for securing their own digital solutions. Consequently, the vulnerabilities that lead to cyber threats exist primarily in application layers rather than in the Internet’s foundational structure.

When it comes to strengthening the security of the Internet’s core, the Internet technical community continuously identifies and develops standards and protocols like Domain Name System Security Extensions (DNSSEC), Transport Layer Security (TLS), and Resource Public Key Infrastructure (RPKI). These standards help secure core services the Internet needs to function, enhancing the integrity, privacy, and authenticity of data exchanged across networks. By setting and adopting these security standards, the technical Internet community actively works to safeguard the Internet’s core, ensuring a more resilient and trustworthy foundation for the digital solutions that rely on it.

The risks of conflating Internet and application layers in policy

With increased geopolitical tensions, governments are understandably placing a greater focus on cybersecurity and resilience measures. This has led to increased regulation and involvement from competent authorities. If these agencies are not well-informed about these technical distinctions, there is an increased risk of conflating Internet and application layers in policy and implementation.

One of the biggest challenges today is the misunderstanding of the Internet’s role and structure within policy and regulation realms. Terms like “Internet”, “Web”, “digital” and “cyber” are often used interchangeably in policy conversations, leading to regulations that conflate the Internet’s core infrastructure with the applications that run on top of it.

Understanding this distinction is essential for effective policy and regulation. While security risks must be addressed, policy solutions should focus on securing the specific layers at risk rather than targeting the Internet’s core. Efforts to regulate the Internet itself risk undermining the permissionless innovation, openness, and resilience that define it.

Governments today also face the challenge of balancing these security risks with the need to advance their national or regional digital agendas. Nations strive to keep their digital landscapes open for business and foster new economic opportunities, as digital applications built on the Internet promise significant economic gains and growth. However these promises come with the introduction of new cyber risks. Striking this balance is essential but should not come at the cost of compromising the global interoperability of the Internet that has made all of this possible in the first place.

These misunderstandings can result in overreaching policies that attempt to solve problems rooted in specific applications or digital services by regulating the Internet itself. A regulatory approach that targets the Internet as a whole, rather than the specific layers built upon it, risks compromising its openness, security, and capacity to evolve.