Since man learnt to split the atom and put it to military use nearly seven decades ago, the relations among major powers have changed irrevocably. When coupled with missile technology, it became possible to deliver enormous explosive power within minutes at any other point on the earth. This compelled fundamental changes in the logic of military strategy thanks to the deterrent effect – on one’s adversaries as well as the possessor of nuclear weapons and missiles. Although nuclear weapons were used only once, the prospect for such development and the perceived need for deterrence saw an expansive race to build nuclear weapons and deploy them in different domains – land, air, on and under water.

Even as the great powers sought a delicate balance of nuclear terror between themselves, they joined hands to prevent the spread of nuclear and missile technologies to other states. Regulating the nuclear arms race among the great powers and building a firewall between civilian and military uses of atomic energy became one of the most intense political, diplomatic and strategic activities in the second half of the twentieth century. Even after the Cold War ended and the prospect of a nuclear conflict among the major powers diminished, the spread of nuclear weapons and associated weapons of mass destruction has remained at the top of the global security agenda and a source of continuing conflict.

For the first time since the Second World War came to a close, a new kind of warfare has begun to eclipse the international concerns about nuclear weapons and the proliferation of weapons of mass destruction. Cyber security has begun to overtake the traditional concerns about weapons of mass destruction and their proliferation. Unlike nuclear weapons, whose ownership is limited to a few, many countries have cyber warfare capabilities and have not been shy about using them.
Unlike nuclear energy, whose military applications came before civilian uses, cyber warfare is emerging out of an expansive civilian industry that has become integral to the lives of most people in the world. Regulating the military uses of this technology and preventing states from using cyber weapons to destabilize each other will be far more demanding than efforts that went into the management of the atom over the last decades, and the need for it has become increasingly self-evident as more countries develop cyber warfare capabilities.

According to a recent report by the United Nations Institute for Disarmament Research, at least 40 nations have developed cyber warfare capabilities. Although a late entrant to the cyber warfare domain, India is set to press ahead and announced a national cyber security strategy in 2013. India is also reportedly considering the establishment of a ‘cyber command’ as a joint enterprise among the navy, air force, and the army to coordinate India’s cyber defence and offence capabilities.

This essay is divided into three parts that follow this introduction. The first reviews the current efforts at generating international cooperation in regulating security competition in cyberspace. The second deals with the relevance of past negotiations on arms control for the management of international security in cyberspace. Whether we want it or not, the language of nuclear arms control as we know it has already begun to suffuse the international debates on cyber security. The third and concluding part attempts to draw a set of lessons for India as it seeks to influence the global negotiations on cyber arms control and governance.

The increasing frequency and intensity of cyber attacks and a growing recognition of the vulnerability of corporations and states have generated a growing demand for some form of negotiated international control over cyberspace.
It is also widely understood that the solutions to cyber security cannot be found within the national framework alone. Much in the manner that states negotiated norms for newly emerging domains – like oceans and outer space – they have begun to cope with the challenges of devising some rules of the road for cyberspace. The recognition of these trends has generated considerable support for the idea of a cyber treaty or a cyber convention.

The only international agreement so far in the cyber domain has been the Budapest Convention on Cybercrime which came into effect in 2004. Developed by the Council of Europe, the convention is yet to garner widespread ratification. Meanwhile discussions have begun at the United Nations and other international forums to assess the impact of information and communication technologies on international security and explore the prospects for drafting a convention for cyber security that will have a much broader ambit than the Budapest Convention. Such an instrument could be similar to the Land Mines Convention that came into force in 1998, the Chemical Weapons Convention (1997), the Nuclear Non-Proliferation Treaty (1970), or the Outer Space Treaty (1967).

There is much skepticism in some quarters on the possibility of negotiating such a comprehensive cyberspace treaty or convention. Others, however, argue that such a convention is becoming a vital necessity. What in theory could such a convention among states achieve? For one, it could simply come up with acceptable definitions of the terms in the emerging discourse on cyber security. As a new but consequential domain, there is need for clarity on how the discourse is intelligible to each other and accessible to the wider public. The convention could articulate a broad set of norms that states must comply with in cyberspace. It could also outline a set of confidence building measures to improve trust among state parties and reduce tensions in the management of cyberspace.
More ambitiously, the cyber treaty could agree on a set of restrictions or limitations on what nations could do and not do in cyberspace during war and peace. The treaty could also impose certain forms of state responsibility in the arena of cyber security. Finally, the treaty could promote regional and international mechanisms for interstate cooperation on cyber security and the enforcement of a new set of agreed cyber norms.

The good news is that a broad consensus appears to be emerging among major nations on some important issues relating to cyber security. A discussion initiated among governmental experts appointed by the UN Secretary General since 2010 has made considerable progress in generating some shared understanding on cyber security issues. A report issued by a governmental group of experts in August 2013 put out a set of recommendations that the UNSG said ‘point the way forward for anchoring ICT security in the existing framework of international law and understandings that govern state relations and provide the foundation for international peace and security.’

One of the central recommendations of the report was an assertion that the traditional principles of international law are applicable to the cyber domain, thereby clinching an important debate. Given the virtual nature of the cyber domain and the difficulties of delimiting state boundaries and affixing state responsibilities, many had argued that traditional international law is not of much use in regulating cyberspace. The explicit affirmation that international law, particularly the principles of the UN Charter, is applicable to state activities in cyberspace, including to activities of non-state actors attributable to states, will allow the international community and affected states to react to violations more effectively.
In cyberspace, states have to comply with the prohibition on use of force, the requirement to respect territorial sovereignty and independence, and the principle of settling disputes by peaceful means in much the same way as in the physical world. The right, specified in Article 51 of the UN Charter, to self-defence including the use of force would apply if a cyber attack reached the level of an ‘armed attack’. The report, however, refrained from spelling out when this could be the case as the legal debate on this issue has only just begun.

The report offered a set of recommendations on the principles of responsible behaviour in cyberspace, proposed a slew of confidence building measures such as exchange of information on national cyber policies, sharing knowledge on best practices, promotion of regional consultations, and expansion of cooperation in law enforcement and international assistance for capacity building. While the recommendations of the report are a step forward, translating them into treaty language will not be easy. The devil, as they say, is always in the detail, and there is continuing resistance in many influential quarters against a formal treaty to regulate cyberspace.

As the world prepares to negotiate norms and restrictions on state behaviour in cyberspace, it might be relevant to recall the experience of arms control. At least four tensions that dominated the negotiation of past arms control treaties are likely to have some bearing on the prospective negotiations on cyber security.

First is the enduring tension between lawmaking, technological change and national strategies. Unlike the earlier technologies – chemical, nuclear and space – changes in the communication and computing technologies have been much faster. Laws defined at a point in time might look impractical soon after. There is also a deeper problem of understanding the nature of international law.
Much of the discussion on cyber governance is centred on the challenges of extending international law to the cyber domain. In concentrating the international efforts on developing legal principles for the cyber domain, it is easy to forget that great power interests have long shaped the evolution of international law. Any serious framework for regulating cyberspace must therefore consider the dynamic interaction between law and strategy, for strategy compels a reconsideration of laws, while the law itself shapes strategy. Meanwhile technological changes and their application for warfare compel great powers to redefine their security strategies.

The second is the tension between multilateralism and great power relations. Multilateral negotiations tend to focus on general principles and norms, but past experience suggests they can’t always prevail over the interests of the dominant powers. The 1967 Outer Space Treaty, for example, emphasized space as the common heritage of mankind and its peaceful uses. Yet, within the first decade after the treaty came into force, there was a dramatic expansion of using space for military purposes by the great powers. Another limitation of most multilateral treaties is that they do not have enforcement mechanisms; any legitimate use of enforcement measures requires consensus among the five permanent members of the United Nations Security Council. The NPT, CTBT and many other treaties emerged out of a formal multilateral process, but understanding and compromises among major powers were critical for many of the major outcomes in the treaties. And when treaties tend to limit the options of the major powers down the road, they have not hesitated to reinterpret the meanings or ignore the original text wherever convenient or necessary.
The negotiations on cyber security are likely to be complicated by the notion of ‘multi-stakeholderism’ that brings in the private sector and civil society groups into the global negotiations on cyber security. Many functional nuclear arms control agreements have come from bilateral talks among the major powers, especially America and the Soviet Union, reflecting the distribution of power in the international system during the Cold War. The current discourse on cyber security is taking place amidst a historic power shift among the major powers. The rise of China is the most notable new factor, as are the growing capabilities of other powers in what was once considered the South. It is interesting to note that while America and the Soviet Union dominated the nuclear arms control process, the talks between the US and China are today seen as critical for any cyber security arrangements in the world.

That in turn brings us to the third set of tensions between great power relations and arms control treaties. If, as we noted, great power agreement is critical for the creation and enforcement of norms, the rivalry between them makes it difficult to develop cyber norms. Today, the divisions between the West on the one hand and China and Russia on the other are profound when it comes to understanding the nature of the cyber domain and how the world should approach its regulation. The US, for example, focuses on the protection of computer networks from theft and attack. Russia and China, in contrast, emphasize information security and the right to control cyberspace within their territories. America, for example, is interested in prohibiting attacks against civilian targets. The Chinese and Russians believe this protects the American reliance on private networks while leveraging its strengths in the military sector. They would like to focus, then, on American vulnerabilities.
Oftentimes, the great powers could agree on prohibitions that have no real operational meaning, for example the ban on deployment of nuclear weapons on the moon. More broadly, each great power wants to protect its strengths from treaty limits while its adversary focuses on constraining these very specific advantages. There is also the possibility that major powers will try and enforce a common understanding between themselves on other countries in the international system.

The enduring asymmetry of interests and structures forms the fourth set of tensions in the negotiation of a cyber treaty. A set of norms derived logically from first principles will be unacceptable to one or another of the great powers because of the asymmetric impact on the adversaries. Given the variation in the strategic geographies of great powers, the differences between their domestic political orientation and the competing objectives, negotiating a mutually acceptable set of norms will remain a big problem. Even within alliances that share a common set of political objectives, the impact of norms can be different given the asymmetry in the distribution of power.

Unlike nuclear and missile technology, cyber capabilities are already widely dispersed and are not the monopoly of a few countries. That makes controlling the spread of these technologies difficult, although efforts to do so have begun within the Wassenaar Arrangement – a group of advanced countries that regulates the sale of conventional arms and associated technologies. The arms control agreements arrived at through mutual understanding among the great powers might not be acceptable to many nations. More importantly, it does not require massive capabilities for a weak state or a non-state actor to target the cyber vulnerabilities of a major power.
The attractiveness of asymmetric warfare, then, complicates the traditional power calculus among states and reinforces all the difficulties that the major powers had to deal with in facing terrorism from non-state actors. Consider, for example, the idea of fixing state responsibility for cyber crimes originating from the territory of a particular state, one of the central themes of the current debate on cyber security. We have seen how hard it is to compel regimes to take responsibility in the case of controlling international terrorism. In some cases, it could be a genuine lack of capacity to control cyber events on one’s soil; some states could deliberately build ambiguity. Pakistan, for example, maintains plausible deniability in supporting terror groups operating in Afghanistan and India, and the international system has been unable to compel Pakistan to change its behaviour.

The reference to all these challenges does not mean there is no value in the development of cyber security norms for the international community. In all likelihood some kind of a cyber treaty or at least a code of conduct might well be within grasp in the coming years.

What kind of a role and strategy should India adopt in the current international discourse on regulating cyberspace? India has an active and unique record of participation in global negotiations on arms control. Three D’s can be used to sum up this record. One is the emphasis on disarmament rather than arms control that underlines India’s extraordinary idealism in international affairs. The former focuses on comprehensive abolition of weapons of mass destruction, while the latter seeks to regulate interstate competition rather than eliminating it. The second is a focus on what we might call ‘developmentalism’ that prioritizes the application of strategic technologies for peaceful uses, demands liberal international transfer of technologies, and claims to represent the interests of the developing countries as a whole.
The third is a determined defiance of what it considers unequal or discriminatory arms control arrangements. Although these features gave a special cachet to India in the early years of arms control negotiations, this idealist baggage tended to become a millstone around India’s neck and prevented it from effectively pursuing its national interest. India refused to declare itself a nuclear weapon power in 1974 when it conducted a ‘peaceful nuclear explosion’. This mix of developmentalism and idealism placed the country in the worst of all worlds. It provoked the world into imposing sanctions against India, while Delhi refused to announce itself as a nuclear weapon power for another quarter of a century. India’s emphasis on equity and fairness had little resonance with the constituency that Delhi thought it was representing – the developing world. Most countries of the South signed onto the NPT to make it near universal, fully accepting its inequities.

After it declared itself a nuclear weapon power in 1998, India has adopted a different, pragmatic approach to bring its national interests and international negotiating positions in line with each other. India has begun to project itself as a responsible major power that is willing to support the objective of nonproliferation and make some concessions to become a part of the global nuclear order. Instead of rejecting all forms of arms control, India has begun to initiate arms control and confidence building measures with its two nuclear neighbours – China and Pakistan. The transition towards pragmatism, however, is not complete. In the domain of outer space India continues to emphasize that its primary focus is on peaceful uses, even as pressures mount to develop a coherent military space programme. Its scientific, military and diplomatic establishments speak with different voices when it comes to India’s outer space policy.
India, however, does not have the luxury of taking a long detour to get its approach to international negotiations on cyber security right. For unlike the nuclear and space domains, cyber technologies are evolving at a rapid pace and envelop a much larger segment of the domestic economy. Its security implications cover the full spectrum from crime to protection of industrial infrastructure, intellectual property and securing the international balance of power. India’s own ICT sector, which has contributed significantly to its recent economic growth, has become a major target of cyber attacks and a source of attack on others.

In a belated response to these imperatives, Delhi announced its national cyber security policy in July 2013 that has put in place a broad architecture for the management of cyber challenges. India’s policy, however, does not dwell very much on the international dimension of cyber security. At the practical level, of course, cyber cooperation with other countries has emerged as a major component of India’s diplomacy in recent years. At the public level, at least, little attention has been devoted to the impact of cyber technologies on the global balance of power between Washington, Moscow and Beijing and its consequences for India’s interests. Nor has there been much clarity on how India should position itself in the current discourse on regulating cyber security at the international level. That India will be compelled to join the debate and respond effectively is not in doubt.

A number of lessons from India’s past experience with arms control present themselves. For one, India must strive to find an appropriate balance between the articulation of universalist principles and national security interests. Far too much focus on the former has tended to load the dice against India in the real world.
A temptation to present itself as a champion of the South must be resisted for there is always the danger that India will find many weak states with very different stakes from those of India as an emerging major power in the international system. The emphasis must be on building functional coalitions that will serve India’s best interests. India must also resist being trapped into all-or-nothing arguments. Delhi must retain sufficient flexibility and be ready to find compromises on issues of secondary interest while protecting the core concerns. India must also recognize that successful cyber diplomacy will have to be rooted in building strong domestic capabilities. Failure to build domestic competence could put India at the mercy of possible nonproliferation arrangements agreed upon by the United States, Europe, Russia and China. Given the speed at which the international cyber dynamic is evolving, there is not much time to lose.

Source: Seminar Magazine, March 2014 http://www.india-seminar.com/2014/655/655_c_raja_mohan.htm
The views expressed above belong to the author(s).