The use of cyber space for crime, terrorism and warfare has brought to sharp focus the issue of cyber security. Further, recent reports about the use of Stuxnet and Flame malware for industrial sabotage and espionage have heightened concerns about cyber warfare by states. There is speculation that these malware programmes have been supported by some states.
The London Conference (2011) and the Group of Governmental Experts (GGE, 2011) have accepted the need for codifying some kind of rules for state behaviour in cyber space. A UN appointed Group of Governmental Experts will meet shortly to discuss the issue further.
Several countries, notably Russia and China, have been active in promoting the idea of an international convention on information security. They make a crucial distinction between information security and cyber security. For Russians, Chinese and others, the issue of content in cyber space is as important as the physical and technical structure of cyber space. They are worried that ‘information’ or the content in cyber space can be used to destabilise states. Further, given the border-less nature of cyber space, states are also worried about the weakening of their sovereignty.
While for many countries the issue of maintenance of the freedom of expression and association in cyber space is paramount and should be preserved, almost all countries are worried about the fact that the critical infrastructure that relies on cyber space is vulnerable to attacks originating in cyber space.
There are also sharp differences among states on the question of internet governance. At the heart of this debate is the vital question who owns the internet and how should it be run. The United States is in a unique position in this regard as it retains control over many of the technologies used in cyber space. Nine out of 11 root servers, which form the backbone of the internet, are physically located in the United States. Potentially, the United States has the capability to shut down the internet. This makes other countries anxious.
As seen in the London conference and in the deliberations of the GGE, the international community is coming round to accept the view that international cooperation is required to deal with threats in cyber space. But there is little agreement on how to proceed further. Cyber space is viewed differently by different countries and divergent interest groups and agendas.
Some states emphasise the need to protect and assert state sovereignty in cyber space. Others view cyber space in the context of preserving the freedom of expression. Some others see cyber space as a haven for terrorists, criminals and spies. Differing views on what cyber space means makes it difficult to generate a consensus.
It is obvious that cyber security issues cannot be dealt with by countries in isolation. International cooperation is a must. Despite differing interpretations and perceptions, international dialogue on cyber security must go on to arrive at some measure of consensus and agreements. This dialogue must be inclusive and include all stakeholders and particularly the private sector which owns an overwhelmingly large chunk of the ICT infrastructure. Besides, governments will have to find ways to take on board the voices of different components of civil society.
What should be India’s approach to these issues?
India should support the idea of TCBMs (transparency and confidence building measures) as a first step towards a code of conduct or eventual cybersecurity convention. India must participate wholeheartedly and proactively in an international dialogue on cyber security both at inter-governmental as well at non-governmental level. Participation in cyber security discussions at academic, think tank and NGO levels will be immensely useful.
Despite differences in perceptions, some measure of agreement can be achieved more easily on some issues than on others. For instance, everyone agrees that cyber crime and cyber terrorism pose a major threat to individuals, states and societies. It should therefore be easier to agree on cooperation measures to deal with these threats. A number of UNSC resolutions on terrorism can be made applicable to cyber terrorism and cyber crime as well. India should be proactive in building a consensus on how to deal with cyber crime and cyber terrorism.
India can propose that the principles of the UN Charter—maintenance of international peace and security, international cooperation, universalism of human rights, etc.—should form the basis of rules of the road, code of conduct or CBMs in cyber space. Thus any new ideas that are proposed in the context of cyber space must first be checked for validity against norms mentioned in the UN Charter. Where there are ambiguities and disagreements, further discussion and dialogue must be held to remove them or formulate new approaches.
A great deal of discussion has been held at various UN forums, World Summits on Information Security and numerous technical forums on information security and cyber security. It would be useful to collate principles which have been enunciated at these gatherings. True, these are mostly declaratory in nature but they do reflect a measure of consensus. For instance, most countries would agree that the digital divide should be bridged, capacities should be built, cooperation among law enforcement agencies should be promoted, technical cooperation should be encouraged, etc. Thus there are a number of ideas on which a considerable amount of agreement exists. India can examine such ideas which can form the basis of TCBMs in cyber space.
On contentious issues—the use of cyber space for espionage, surveillance, military purposes, warfare, etc.—India should propose regular, institutional dialogue among the stake holders. For instance, there could be open, institutionalised discussions on arriving at a common agreement on definitional issues such as the meaning of cyber space, cyber warfare, militarization of cyber space and how to prevent it, the concept of the use of force in cyber space, attacks against civilian targets, the concept of liability against damage to civilian targets, incorporation of cyber space as the fifth dimension of warfare, etc. There are bound to be disagreements on these issues. That is why a regular, institutionalised dialogue is a must. Taking a leaf out of discussions on preventing the militarization of outer space and promoting its peaceful uses, a committee of the UNCOPUOS kind and its legal and technical committees can be formed to discuss issues related to cyber space. These two committees of the UNCOPUOS have done an enormous amount of useful work in advancing the cause of space law and space technologies for peaceful purposes. A similar model can be followed for cyber law and cyber technologies for peaceful purposes.
More specifically, what are the ideas that India can support and which are the ones it will have difficulty in supporting?
India should have no difficulty on ideas such as equal access to cyber space and technologies, bridging the digital divide, cooperation to act against terrorists and cyber criminals, public-private partnership, capacity building, enactment of national laws that balance privacy with state intrusion in private affairs, development of secure technologies, promoting technical cooperation on network technologies, reliable access to cyber space, global interoperability, adoption of best practices, etc. These are mostly managerial, technical approaches to the maintenance of cyber security through international cooperation.
Where some difficulty might arise is when cyber space and cyber security are seen through the prisms of political ideologies. Thus proposals have been made to the effect that states should not be the first to launch a cyber attack. This formulation has been borrowed from nuclear terminology. The problem here is that it is not easy to determine what an attack in cyber space is nor is it easy to attribute it to a particular actor.
Similarly, the cyber doctrines of some countries assert the right of self-defence against aggressive acts in cyber space. What is self defence and how is to be defined in cyber space? This is a contentious issue. Nor is it easy to determine what ‘proportionate response’ in cyber space is. India will have difficulty in indiscriminately treating ‘information’ or content in cyber space as a destabilising agent and authorising censorship. In a democratic society, the authority to censor has to be restricted and exercised in accordance with well laid out laws and procedures. But these issues can be discussed and a common minimum arrived at.
For India to participate in cyber security discussions at international forums meaningfully and effectively, it will have to take several actions at home. India is regarded as an IT superpower but its record on IT security is not too brilliant. It is a big victim of cyber espionage, cyber crime and cyber terrorism but it does not have a coherent, holistic cyber security strategy. It does not have the required number of experts and professionals in cyber security. It has been hesitant in coming up with ideas and solutions at the international forums. India must overcome its hesitation and take urgent steps at home to strengthen cyber security and participate in effective international cooperation projects. It must make its presence felt at international forums.
The author is Director General, Institute for Defence Studies and Analyses, New Delhi. The views expressed here are his own.