Distinguishing the Internet’s Core From What Is Built on Top

Understanding the Internet’s core and distinguishing it from what is built on top of it is essential for preserving its unique role as a permission-less, general-purpose platform for innovation.

The Internet: A global network of networks

The Internet is a global, interconnected network of networks that enables devices and systems worldwide to communicate — a platform for general-purpose connectivity that fosters permissionless innovation through seamless interoperability across thousands of networks, regardless of their underlying technology or vendor. As such, it allows people and systems to create, share, and access information with an unprecedented level of freedom, opening up endless potential for innovation and communication.

The core of the Internet comprises the protocols, services, and governance structures necessary to provide end-to-end global connectivity. These elements define the technical underpinning essential to the Internet’s availability and make all other Internet-based applications possible.

The Web: A killer app, but not the Internet

The World Wide Web is one of the most transformative applications ever developed. Since its creation in the early 1990s, it has allowed for widespread information sharing, collaboration, and innovation on a global scale. Its simplicity and openness have made it one of the most popular ways for people to experience and use the Internet.

The day-to-day necessity of all this was perhaps not really fully appreciated until the outbreak of COVID-19, when access to the web and its applications became essential for people to work, learn, and stay connected from home. This reliance showcased the web’s value for human connection and productivity, but it’s essential to remember that the web is built on top of the Internet — it is not the Internet itself. Instead, it’s a powerful, albeit separate, layer of applications and content that the Internet enables.

The rise of digital economies and the cyber threats they attract

The Internet has enabled entire digital economies, from e-commerce and financial tech to social media and remote work applications. These advancements have brought profound benefits, spurring socioeconomic progress and creating new avenues for communication and commerce. However, they also come with inherent cybersecurity challenges. As more digital solutions are built on the Internet’s infrastructure, they become targets for cyber threats like data breaches, ransomware, and phishing attacks.

Yet, these cybersecurity risks typically affect the applications, services, and devices layered on top of the Internet — not the Internet core itself. The open, general-purpose nature of the Internet allows anyone to build and deploy applications, but it also requires that developers and organisations take responsibility for securing their own digital solutions. Consequently, the vulnerabilities that lead to cyber threats exist primarily in application layers rather than in the Internet’s foundational structure.

When it comes to strengthening the security of the Internet’s core, the Internet technical community continuously identifies and develops standards and protocols like Domain Name System Security Extensions (DNSSEC), Transport Layer Security (TLS), and Resource Public Key Infrastructure (RPKI). These standards help secure core services the Internet needs to function, enhancing the integrity, privacy, and authenticity of data exchanged across networks. By setting and adopting these security standards, the technical Internet community actively works to safeguard the Internet’s core, ensuring a more resilient and trustworthy foundation for the digital solutions that rely on it.

The risks of conflating Internet and application layers in policy

With increased geopolitical tensions, governments are understandably placing a greater focus on cybersecurity and resilience measures. This has led to increased regulation and involvement from competent authorities. If these agencies are not well-informed about these technical distinctions, there is an increased risk of conflating Internet and application layers in policy and implementation.

One of the biggest challenges today is the misunderstanding of the Internet’s role and structure within policy and regulation realms. Terms like "Internet", "Web", "digital" and "cyber" are often used interchangeably in policy conversations, leading to regulations that conflate the Internet’s core infrastructure with the applications that run on top of it.

Understanding this distinction is essential for effective policy and regulation. While security risks must be addressed, policy solutions should focus on securing the specific layers at risk rather than targeting the Internet’s core. Efforts to regulate the Internet itself risk undermining the permissionless innovation, openness, and resilience that define it.

Governments today also face the challenge of balancing these security risks with the need to advance their national or regional digital agendas. Nations strive to keep their digital landscapes open for business and foster new economic opportunities, as digital applications built on the Internet promise significant economic gains and growth. However these promises come with the introduction of new cyber risks. Striking this balance is essential but should not come at the cost of compromising the global interoperability of the Internet that has made all of this possible in the first place.

These misunderstandings can result in overreaching policies that attempt to solve problems rooted in specific applications or digital services by regulating the Internet itself. A regulatory approach that targets the Internet as a whole, rather than the specific layers built upon it, risks compromising its openness, security, and capacity to evolve.