Cyberspace security challenges are generally considered the ‘emerging frontiers’ in the security discourse although the reality is that they already represent a clear and contemporary danger to India and the rest of the world. While states are aware of and have acknowledged the challenges, it has been difficult to agree upon a common approach to addressing these challenges. Therefore, unlike in the nuclear arena and to a more limited extent the outer space domain (another emerging security frontier), cyberspace continues to be driven by broad acceptance on basic principles rather than specific agreements, institutions or norms. The imperative today is to move from the former to the latter. Given the global nature of the issue, this is an effort that has to be inclusive rather than one limited to just the major powers.

I argue here that there are both global and domestic imperatives that push for clear articulation of policies and strategies that could contribute to ensuring safe, secure and uninterrupted use of the cyber domain. In this essay, I first outline the current global architecture governing cyberspace and its weaknesses and then look at the challenges faced by India in this domain from a national perspective. This is followed by a discussion on India’s approach thus far to meet these challenges, which has essentially been more ad hoc in nature. The paper concludes with some suggestions about how we might move forward at both the national and the global level.

A major problem with cyber security is defining it. The International Telecommunication Union (ITU) uses a fairly broad explanation, describing it as ‘systems and services connected either directly to or indirectly to the Internet, telecommunications and computer networks.’1 But we also need to make a distinction between information security and cyber security. States have an obvious interest in securing information for national security purposes.
But cyber security should ideally be looking at integrity and availability of computer networks. A serious concern here is the difficulty of identifying sources of attacks, as well as the fact that cyber attacks could deny authorized and legitimate users access to systems and technologies when these are most required.2

However, measures to secure this domain should not replicate the more traditional ones related to arms control.3 This is particularly so for two key reasons: one, the technology is widespread and, given the centrality of individuals in the larger consumer base, efforts to effectuate control through arms control-like measures are unlikely to work. Put simply, controlling state behaviour alone is insufficient. Two, non-traditional aspects of the cyber domain also need to be emphasized, as terrorists or criminals intending to create large-scale chaos and interruption can deploy dangerous programmes such as ‘cyber-worms’ to attack and disrupt a country’s critical assets. Traditional arms control measures cannot control these actors.

As noted earlier, tackling cyber security at the global level has had far less success as compared to some of the other security domains. There are no overarching laws and regulations as yet in place for the cyber sector. With no treaty or similar arrangements, cyber security is ensured through a few broad guidelines underlined in ITU’s key principles for ‘cyberpeace’ and the Group of Governmental Experts (GGE) reports.4 This loose set of norms is also non-binding in nature, depending upon the goodwill of states for its enforcement.

Being the principal UN body on information and communication technologies (ICT), the key function of the ITU is to act as the coordinating point for governments and the private sector.
In addition, the ITU is also central to creating and sustaining security and confidence in the domain by developing appropriate networks and services.5 According to the ITU Secretary General, there are five key principles that should govern cyber peace: (i) every government should commit itself to giving its people access to communications; (ii) every government should commit itself to protecting its people in cyberspace; (iii) every country should commit itself to not harbour terrorists/criminals in its own territories; (iv) every country should commit itself to not be the first to launch a cyber attack on other countries; and (v) every country must commit itself to collaborate with each other within an international framework of cooperation to ensure that there is peace in cyberspace.6

Three GGEs have so far been convened under the aegis of the UN and their reports have addressed many of these issues. The first GGE was established on the basis of a Russian proposal in 2003 and the group came into existence in 2004 to look at the entire gamut of issues involved in cyber security. However, disagreements within the group meant that it did not arrive at any consensus about how to proceed further. These disagreements centred around implications of ICTs on national security and military affairs.7

The second GGE that was convened in November 2009 managed reasonable consensus and recommended development of norms in order to reduce risks while protecting vital infrastructure such as information exchange regarding national legislation. However, the divide regarding the protection of information content versus information infrastructure continued.8

As compared to the two previous GGEs, the third one has achieved far more success. Established in August 2012, it submitted its report in June 2013 and acknowledged the applicability of international law to cyber-space.
It stated that, ‘International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.’9 The report also recommended that ‘state sovereignty and international norms and principles that flow from sovereignty apply to state conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.’10 However, ‘respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments’ is to be given equal emphasis and recognition. The report also suggests that states must ‘meet their international obligations regarding internationally wrongful acts attributable to them.’

The report details a series of suggestions in the area of confidence building measures (CBMs) and exchange of information. While these are ideal steps that states must adopt and promote, the weakness of the entire exercise is that these are merely recommendations and not binding on states. Furthermore, the report asserts that ‘there is a need to enhance common understanding’ without making an effort on actual definition or clarification of, for instance, what constitutes responsible behaviour in the cyber domain. The report nevertheless reflects progress over the previous initiatives, the major addition being a reference to international law.

The key problem in cyber security is that there exist two broad sets of concerns – one articulated by the West and the US in particular, and the other by China and Russia and some of the developing countries. The West’s concerns are with regard to potential attacks on their cyber networks: essentially, how others could break into their networks, jam them, change the communication channels, send wrong and misleading information, and so on.
The West has particularly emphasized protection of networks and critical infrastructure while being generally supportive of the free flow of information. The West’s approach is far more comprehensive and includes information and communication technologies as well as cyber networks, whereas the Chinese and Russian focus is only on the former.11

Concerns from China and Russia have centred around a fear of use of social media and other information sharing platforms to incite social tensions and threaten regime security, particularly with external help. The Chinese concerns are specifically related to their need to control restive populations in the Uighur and Tibet regions and anti-regime groups such as the Falun Gong. Russia is concerned about the so-called ‘colour revolutions’ and how external players may use social media and other means of communication to spark domestic uprisings. However, protection of vital infrastructure is an equally important priority for Russia, even if not so articulated in their larger discourse.12

Russia and China, along with Uzbekistan and Tajikistan, have proposed an international code of conduct for information security. Their proposal talks about instituting rights and responsibilities of states in safeguarding information and cyber networks while calling on states to respect domestic laws and sovereignty.
The Chinese emphasis has been on the technologies, including social media platforms such as Twitter and Facebook, which Beijing sees as ‘weapons if their use violate individual state laws.’13 The proposed code says that states should not ‘use information and communication technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate information weapons or related technologies.’14 It goes on to say that states should not engage in ‘the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.’ While these clauses sound innocuous as general principles, they could impinge upon freedom of speech, among other basic freedoms and human rights. Though some aspects of the Russian-Chinese proposals are important, some of these negative elements need to be removed.

Despite the differences between these two camps, the proposed international code still provides an opportunity for ‘continued discussion about mutual restraint, cooperation, and on what should be the rules of cyberspace.’15 In fact, it did provide for a broader debate at the global level on measures to govern outer space, such as norms, transparency and CBMs or more binding mechanisms such as a treaty. The code specifically, however, does not delve into such measures, which is a key limitation.

In the broader global context, cyber concerns and challenges include cyber fraud, defamation, privacy intrusion, cyber attacks through proxy actors, attacks on critical infrastructure, cyber espionage, sabotage and disturbance of social harmony. Finding the right balance between internet freedom and cyber warfare is going to be a major challenge but is nevertheless essential to making cyberspace safe, secure and predictable.
What has India’s approach been to these disputes and the challenge of cyber security? India’s approach towards cyber security is unclear when compared to traditional security issues. Its broad policy approach is guided by two drivers: national security and social harmony, something of an amalgamation of the western and the Russian-Chinese approach. Earlier, India’s approach used to be driven primarily by the former concern, given the large number of hacking and jamming related incidents in the country and on Indian missions abroad. Lately, the debate has shifted to one with a greater emphasis on social cohesion, which has resulted in stricter monitoring and surveillance of internet and social media activities.

In April 2011, India brought out new Information Technologies (IT) rules under the IT Act 2000 that mandate websites and service providers to act on requests to remove content that is considered ‘blasphemous’, ‘hateful’ or ‘disparaging’ within thirty-six hours of notification. Later in the year, the government lodged formal complaints against major IT firms like Microsoft, Facebook, Yahoo and Google, asking for the removal of objectionable and inflammatory content as well as ‘pre-screening’ of content. The statistics from the Transparency Report of Google are evidence of the tighter control that New Delhi is seeking.16 While requests from governments across the world on user information have been on the rise, India has made the second largest number of such requests – 2,691 during January-June 2013.17 The numbers have gone up since the previous year.
The report for 2012 said that in the six-month period between January and June 2012, the Indian government had asked for web user details in as many as 2,319 cases and got 596 items removed (doubled over the previous six months) from Google’s associated pages such as YouTube videos, Orkut, certain search results and images.18 The government’s rationale for such intrusive measures included privacy and security, defamation issues, pornography, anti-government criticism, impersonation, national security and copyright issues.

New Delhi points to serious social stability issues in defence of such activism. In August 2012, miscreants used social media to spark rumours of attacks on citizens from Northeastern India living in South Indian cities, leading to one of the largest internal exoduses in the country. Up to 30,000 people fled the IT capital of Bangalore that August. Following the incident, the Indian government decided to block over 250 websites that it accused of carrying ‘inflammatory’ pictures and videos that triggered this mass exodus.

Meanwhile, to deal with the challenge of critical infrastructure protection, the government amended the IT Act 2000 with IT (Amendment) Act in 2008 (ITAA 2008), instituting more stringent measures for data protection. With the passage of ITAA 2008, IT organizations were asked to consider stricter audit practices, including ISO 27001, as a means to strengthen IT security practices in India. However, there are vague terms and concepts such as ‘reasonable security practices’ and ‘sensitive personal information’ in the Act that need to be defined with greater clarity. Further amendments to the IT Act and the IT Rules are required, although the government appears to be putting off tougher issues from the agenda for the time being. Instead, it has plans to erect a cyber security architecture with 24/7 monitoring equipped with adequate manpower so that the system remains foolproof.
New Delhi’s other efforts, such as the 2011 IT rules, have generated sharp criticism with critics pointing out that these infringe on individual freedom of speech and expression enshrined in Article 19 of the Constitution. The government’s blanket ban approach is unlikely to curb this problem because the penetration of cyber technology is taking place in a manner that makes these measures ineffective. For example, since cell phones (particularly the new generation smartphones) have now penetrated India’s remotest areas, even those without computers or internet are active on social media. The reach of social media through such technologies is far greater than computer ownership or even literacy, and thus no government measure can be fully effective. A country with 900 million mobile subscriptions, of which around 70 million use 3G/4G connections, indicates the challenges. The 70 million 3G/4G users are forecast to grow at a rapid pace, and government measures to restrict web users through intermediaries (one of the measures suggested in the 2011 IT Rules) will be difficult.

Therefore, India’s concern regarding the protection of its cyber networks is going to be far more challenging. A report card on the government approach in handling such threats does not inspire confidence. India’s justification has been that it is not well networked and, therefore, the vulnerability to attacks is remote. However, the reality is different: India is prone to data theft, hacking and cyber terrorism, and has been regularly attacked by cyber ‘warriors’ from outside the country for the last few years. The Computer Emergency Response Team-India (CERT-IN) data depicts this story in numbers: hacking incidents on government websites went up to 303 in 2010, 308 in 2011 and 294 in 2012 (till October).19 CERT-IN says that the total number of ‘security incidents’ has tripled since 2007, having handled more than 22,000 cases in 2012.
Both hacking and defacement have direct economic costs and also demonstrate India’s vulnerability. Some hacking incidents (many originating from China), such as that of Indian think tank websites, may not have resulted in the loss of any confidential information nor have had much economic impact but they prove India’s continuing vulnerability. In addition, of the 7,000-odd government websites, half remain outside the ambit of security audit, which is mandatory. Lack of adequate manpower is the usual explanation for not carrying out the mandatory security audits.

While there is no universally adopted definition of cyber security, in simple terms, it means the ability to guarantee safe, secure, uninterrupted and sustained access to, and use of, cyberspace. But India needs to move from a purely defensive approach to a deterrence based approach. Even as achieving deterrence in cyberspace is going to be extremely challenging, deterrence will be the key driver in India’s approach to cyberspace security.

As India formulates its cyberspace policy, a few issues have to be highlighted and addressed. First, India needs to clearly mark the boundaries that cannot be crossed when it comes to cyber security. It is important to draw these boundaries in terms of activities from a national security as well as an international rule making perspective. Codification of activities and marking clear red lines is the first step in ensuring deterrence in cyberspace. A code or a mechanism that identifies certain activities as irresponsible and unacceptable would help in deterring such actions. Identifying boundaries and codifying activities will go a long way in determining, at the national level, when an activity can be termed as an act of war, and when defensive responses can be activated and justified.
Lack of clarity or ambiguity about red lines not only undermines deterrence but increases the potential for miscalculation: states would benchmark red lines for others based on their own internal calculations which others might not be aware of, thus leading others to cross such red lines inadvertently.

However, drawing red lines and boundaries in the cyber domain will prove to be very challenging. Will a state’s deliberate attack on another’s critical infrastructure be categorized as an ‘armed’ attack and, if so, how should states respond? Under what circumstances should states invoke their right to self or collective defence under the UN Charter? Clearly, states have an inherent right to respond if their vital infrastructure and installations come under attack, but this becomes complicated if it is a cyber attack rather than a traditional military attack. In addition, states need to be able to correctly assess who the attacker is. Identification and attribution are critical in determining any counter-attack measures.

Second, while there are difficulties in identification and attribution of prohibited activities, the bigger challenge is to design punitive steps once prohibited activities are verified. Means to effectively deter those actions in the future will also prove to be difficult. States have to agree upon a set of temporary and reversible measures to make deterrence effective in the cyber domain. Identification and attribution are much harder in the case of cyber threats. Indeed, with a growing number of players in the cyber arena, including private sector actors, attribution and verification are likely to become even harder in the future. Moreover, attributing the role of states or state support to a particular cyber crime is going to be a major challenge.

Meanwhile, India’s institutional mechanism and structures to deal with cyber security are at an early phase and there is far less clarity as compared to the more traditional security domains.
The cyber domain is relatively new and the structural mechanisms are slowly taking shape in the face of multiple incidents in the last few years. The government has begun to appreciate the criticality of issues involved and is thus taking a few baby steps.

The Minister for Telecom and Information Technology, Kapil Sibal, stated that India is investing about US$ 200 million over the next four years to create the necessary infrastructure.20 In 2013, the government took the next step in formulating a cyber policy.21 Releasing its National Cyber Security Policy, it appointed CERT-IN as the nodal agency for cyber security issues in India.22 The government is also in the final stages of approving the establishment of a Joint Cyber Space Command that would synergize the efforts of the armed forces as well as the civil agencies involved.23 The policy also announced the establishment of a 24/7 National Critical Information Infrastructure Protection Centre (NCIIPC) under the National Technical Research Organization (NTRO), meant to protect and enhance resilience of national critical information infrastructure. The policy also envisages appointment of a Chief Information Security Officer (CISO) who will oversee the government efforts in enhancing cyber security. Furthermore, India aims at creating a workforce of 500,000 cyber professionals within the next five years. The policy also encourages involvement of the private sector to strengthen its preparedness by conducting security audits.
The role of the private sector is also significant with respect to developing indigenous security products to meet domestic demand as well as developing ‘standard security practices and processes.’ In June 2013, the National Technical Research Organization (NTRO) released the Guidelines for Protection of National Critical Information Infrastructure, which outline key principles for critical sectors so as to develop a road map for protection of their information infrastructure.24

In a move that will strengthen India’s indigenous capacity to provide certification for electronics and IT products, India was acknowledged as an ‘Authorizing Nation’ under the international Common Criteria Recognition Arrangement (CCRA) in September 2013. India is the 17th nation to be so recognized. This recognition allows India to test and certify electronics and IT products related to cyber security. This new status means India is no longer only a ‘consuming nation’ and opens up the opportunity to invest in and develop laboratories and technologies. It also makes a strong case for public-private partnership in the cyber domain.

Given the increasing number of challenges in the cyber domain, there is a need to draw clear lines that will bring about certain restraints in terms of national capabilities and behaviour. Currently, there is no globally agreed upon approach to addressing these challenges. In the interest of prudence, it may be worthwhile to start with the least common denominator: one possibility is establishing broad norms regarding acceptable behaviour and strengthening Transparency and Confidence Building Measures (TCBMs), which could gradually move towards more legally binding and verifiable agreements and institutions.

At the domestic level, India’s policy initiatives represent a good start, although the policy requires more clarity.
While some of these measures are deemed necessary from a security perspective, issues of privacy, intrusion and infringement on individual freedoms are equally important to keep in mind. As a democracy, it is particularly important for India to find a balanced and nuanced approach as it streamlines its policy.

Finally, India should play an active role in the global dialogue on cyber security. Such a dialogue can lead to a cyber security regime, which initially could be in the form of broad norms and TCBMs. Taking an active role will enable India to shape the regime in accordance with its security concerns. More importantly, it will ensure that a regime is not imposed on New Delhi at a later stage but rather will be one which India has actively helped shape, thereby giving it a sense of ownership and legitimacy.

Footnotes:

1. Frederick Wamala, The ITU National Cybersecurity Strategy Guide, September 2011, http://www.itu.int/ITU-D/cyb/cyber-security/docs/ITUNationalCybersecurityStrategyGuide.pdf.
2. Ibid.
3. Russia, for instance, has suggested ‘measures limiting the spread of information weapons; regime prohibiting the development, proliferation and use of information weapons’, among others. However, approaching the cyber domain in the traditional arms control sense is not feasible given the permeating nature of ICT. See, Statement by the Russian Participant at the UNIDIR Cyber Security Conference, What Does A Stable Cyber Environment Look Like? Geneva, 8-9 November 2012, http://www.unidir.ch/files/conferences/pdfs/looking-towards-the-future-of-cyber-security-what-does-a-stable-cyber-environment-look-like-russian-federation-en-1-794.pdf
4. For an excellent overview of instruments on cyber security, see Ben Baseley-Walker, ‘Transparency and Confidence-Building Measures in Cyber Space: Towards Norms of Behaviour’, UNIDIR, http://www.unidir.org/pdf/articles/pdf-art3166.pdf
5. Hamadoun I. Toure, Secretary-General of the International Telecommunication Union and the Permanent Monitoring Panel on Information Security, World Federation of Scientists, The Quest for Cyber Peace, January 2011, http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf
6. Ibid.
7. United Nations Office for Disarmament Affairs, ‘Developments in the Field of Information and Telecommunications in the Context of International Security’, Fact Sheet, June 2013, http://unoda-web.s3.amazonaws.com/wp-content/uploads/2013/06/Information_Security_Fact_Sheet.pdf
8. United Nations, Report of the First Committee, ‘Developments in the Field of Information and Telecommunications in the Context of International Security’, 9 November 2010, available at http://daccess-dds-ny.un.org/doc/UNDOC/GEN/N10/544/25/PDF/N1054425.pdf?OpenElement.
9. Report of the Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security. Submitted to the UN General Assembly 68th Session, 24 June 2013, http://www.un.org/ga/search/view_doc.asp?symbol=A/68/98
10. Ibid.
11. India, too, has articulated a broad approach incorporating both information and communication technologies. See Amandeep Gill, ‘What Does a Stable Cyber Environment Look Like?’ UNIDIR Cyber Security Conference, 8-9 November 2012, Geneva, http://www.unidir.ch/files/conferences/pdfs/looking-towards-the-future-of-cyber-security-what-does-a-stable-cyber-environment-look-like-india-en-1-793.pdf
12. For instance, a Russian statement emphasized this aspect, saying, ‘the danger of use of information weapons against critical structures is comparable to the danger of use of weapons of mass destruction.’ See, statement by the Russian participant at the UNIDIR Cyber Security Conference, op cit., fn. 3.
13. Timothy Farnsworth, ‘China and Russia Submit Cyber Proposal’, Arms Control Today, November 2011, http://www.armscontrol.org/act/2011_11/China_and_Russia_Submit_Cyber_Proposal
14. Ministry of Foreign Affairs of the Republic of China, ‘China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations’, 13 September 2011, http://www.fmprc.gov.cn/eng/wjdt/wshd/t858978.htm
15. Robert Deibert, ‘Tracking the Emerging Arms Race in Cyberspace’, Bulletin of the Atomic Scientists, January/February 2011, http://thebulletin.org/2011/januaryfebruary/ronald-deibert-tracking-emerging-arms-race-cyberspace.
16. For a more detailed and updated coverage, see, Google Transparency Report: India, https://www.google.com/transparencyreport/removals/government/IN/?p=2013-06
17. Shruti Dhapola, ‘Google Transparency Report: India Second in Seeking User Data’, First Post, http://www.firstpost.com/tech/google-transparency-report-india-second-in-seeking-user-data-1235285.html?utm_source=ref_article
18. PTI, ‘India’s Requests for Web Content Removal, User Details Rise: Google’, 15 November 2012, available at http://articles.economictimes.indiatimes.com/2012-11-15/news/35111753_1_data-from-government-entities-transparency-report-orkut
19. PTI, ‘Over 270 Government Websites Hacked During Till July This Year’, The Economic Times, 4 September 2012, http://articles.economictimes.indiatimes.com/2012-09-04/news/33581976_1_government-websites-cyber-attacks-cert; Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Ministry of Communications and Information Technology, Government of India, Annual Report 2012, pp. 4-7.
20. PTI, ‘Government to Invest $200 mn in Four Years on Cyber Security Infrastructure’, The Economic Times, 30 October 2012, http://articles.economictimes.indiatimes.com/2012-10-30/news/34817067_1_cyber-security-cyber-crime-fight-cybercrime.
21. Ministry of Communication and Information Technology, Department of Electronics and Information Technology, National Cyber Security Policy-2013 (NCSP-2013), 2 July 2013, http://deity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20Policy%20(1).pdf
22. CERT-IN has established counterparts within various departments such as CERT-Army, CERT-Navy and CERT-Air Force. The National Technical Research Organization (NTRO) and Intelligence Bureau are also among those involved. However, the role and functions are still scattered.
23. Rajat Pandit, ‘Tri-service Commands for Space, Cyber Warfare,’ Times of India, 18 May 2013, http://articles.timesofindia.indiatimes.com/2013-05-18/india/39353403_1_aerospace-command-cyber-command-new-commands
24. National Technical Research Organization, Guidelines for Protection of Critical Information Infrastructure, June 2013, http://www.ficciweb.info/conf-cell/Guidelines.pdf

Source: Seminar Magazine http://www.india-seminar.com/cd8899/cd_frame8899.html
The views expressed above belong to the author(s).