Even as imagined and real cyber security threats scale new heights, the story coming out of the recently concluded Second International Conference on Cyberspace in Budapest was one of a widening gulf between countries, notwithstanding the stated intent of bridging differences through dialogue. With most countries sticking to already established positions, there appears to have been very little progress made between the previous iteration in London in 2011 and the present one. If anything, the various sets of actors and alliances on the issue pushing different agendas seem to have dug their heels in even further.
In terms of various agendas, the European countries highlighted the human rights aspects of cybersecurity, based on their characterization of internet freedom as a fundamental right, leading the Chinese representative to acerbically ask whether he was at a human rights conference or a cybersecurity conference. The Chinese approach to cyberspace was enunciated through five principles, the first one being that of “network sovereignty” with the emphasis on sovereignty. This principle paved the way for the second principle of “balance”, i.e., the need to balance the free flow of information against the potential of harmful threat to national security, social order, and violations of the legitimate rights of the people. Yet another concern was addressed in the third principle, that of “peaceful use of networks” and curbing the development and use of cyber weapons that would be a threat to international peace and security. The fourth and fifth principles called for “equitable development” and “international cooperation” respectively, with a call, on behalf of the developing countries, for equal rights in managing the Internet and equitable distribution of the critical resources of the Internet. In line with these principles, the Chinese also indicated their preference for discussions on cybersecurity to be held under UN auspices and also called for a cyberspace arms control treaty during the course of the conference. These were countered by US delegates who described such policies as a throwback to the past and inconsistent with the requirements and realities of the 21st century.
The sovereignty issue also came to the fore in the discussions on cybercrime where the Russians stoutly resisted a push to get more countries to sign on to the Budapest Convention on Cybercrime. They described it as both outdated and ineffective and wanted it to be debated in the United Nations. To buttress this statement, a Russian delegate pointed out that so long as the use of Stuxnet was not considered a state act, it had to be considered as a cyber crime, and the Budapest Convention was ineffective in this regard. That said, arriving at a consensus in the United Nations would be a sure way to put the Convention into deep freeze.
If the third set of actors, the various private sector representatives gathered at the venue, had a message to put out, it was that there was no need for governments to get involved in cybersecurity since practical issues had to be addressed in cyber time, not “political consultation time.” A representative from one of the CERTs was also of the view that increased interference by governments was destroying the trust-based system that had been developed over the years since some requests for information were now seen to be politically motivated.
India’s contribution to the deliberations was in the form of a keynote address by Sachin Pilot, the Minister of State for Telecommunications, where he called for internet governance to be made more equitable and effective. India’s approach to the internet has been tech-centric and free of ideological overlays, although that approach seems to have run its course. There are concerns that simply trusting in private companies to deliver on cybersecurity without adequate safeguards or assurances don’t pass muster. As the Minister pointed out in his speech and in an earlier interview, the thrust of the Indian government’s policies were to create a pool of 500,000 cyber security professionals and to improve its record of public-private partnership. The government has already begun to walk the talk insofar as getting on board the views of all the various stakeholders is concerned, facilitating as well as being an active participant in the Indian Internet Governance Conference held on the same days as the Budapest Conference in New Delhi.
The other notable initiative coming out of Budapest was the announcement by the the UK government of plans to create a Centre for Global Cyber-Security Capacity Building with an investment of 2 million pounds. Practical initiatives of this type that emphasise upon collaboration, skills sharing and capacity building would go a long way towards improving global cybersecurity. However, not only are such governmental initiatives too few and far between, the climate of distrust that has begun to pervade cybersecurity means that they will be viewed with suspicion and might not find many takers. From the Russian delegate’s complaint that the organisers did not include Russian documents on information security in the Conference literature to the sniping between Chinese and Japanese delegates reflecting their current offline hostilities, such distrust was very much evident at the Conference itself.
With the next iteration of the Conference scheduled in Seoul next year, and the East West Institute’s Conference coming up in Delhi at the end of this month, there is no dearth of venues to discuss cyber security. The moot question is whether these would have any impact or relevance in the face of fundamental disagreements on cyberspace governance that are unlikely to go away.