Tuesday, October 21, 2014

ORF-Heritage Report: Indo-US Cooperation on Internet Governance and Cybersecurity

State Responsibility in the Cyber Commons: Deepening the India-US Relationship


Two countries which share so many common values―democracy, rule of law, freedom of expression, liberty, multiculturalism, freedom of religion―have not yet been able to operationalise a strategic partnership that would define the 21st century. That ‘big idea’, which could form the basis for the next phase of the US-India relationship, has seemed elusive. Strategic thinker C. Raja Mohan suggested in 2010 that this need not be the case, and the basis of this partnership could be protection of the global commons―the oceans, air, outer space and cyberspace. In the backdrop of the instability of these commons, and the growing pressure on the US’s ability to secure these spaces, Raja Mohan maintained that since free flow of information and trade across the global commons is vital for both economies, India could serve as a natural ally for the US.[1] Admittedly, this is not an easy task, especially in the cyber domain. Misapprehensions about US dominance, its capabilities and intent as revealed by the Edward Snowden disclosures, cast a shadow over common areas of interest. Yet, both countries seem to understand there is much to be gained from closer collaboration, especially given the increasing intensity of threats to their digital boundaries and the state’s responsibility for controlling the proliferation of such activities.

Globally, accusations citing cyber attacks from across borders are becoming increasingly common. In fact, many countries which have been vocal about being victims of cyber attacks, have been at times perpetrators themselves. For example, the United States, which in May 2014, indicted members of the Chinese military for engaging in acts of hacking and spying on US businesses and entities, has itself been accused of launching the virus Stuxnet in 2010 (in collaboration with Israel) on Iran’s nuclear centrifuges, destroying one-fifth of them. And in turn, Iran has been accused of ‘non-stop cyber attacks’ on major computer systems in Israel.[2] There is also the 2014 case of Russian hackers attacking US bank J.P. Morgan and stealing sensitive data to sell in the global black market. Some analysts suggest that these actions are in retaliation to Western economic sanctions against Russia. Therefore some common, global understanding of the rules of state behaviour in cyberspace is needed.

Currently, under Article 51 of the UN Charter, states, individually or collectively, have the right to defend themselves against an ‘armed attack’ in cyberspace.[3] There is much work being done in the area of international law to understand the terms ‘armed act,’ ‘acts of aggression’ and ‘force’ when they relate to the cyber world, as there is no international consensus on the issue. As witnessed in the US case, acts of espionage (which have been attributed to a state, in this case China) fall short of a cyber attack, but are still considered to have significant consequences on the economy. Under these circumstances, and others that have preceded it, the global conversation has been veering towards chalking out rules of cyberspace.

Two schools of thought have emerged. The first is a solution put forward by China, Russia and a few other countries: have an international code of conduct with a view to protecting information security. This has been formalised in the Eurasian grouping called the Shanghai Cooperation Organisation (SCO). The members are China, Russia, Uzbekistan and Tajikistan, among others. India has observer status at the SCO and is up for full membership. Their 2009 Yekaterinburg Declaration stated: “The SCO member states stress the significance of the issue of ensuring international information security as one of the key elements of the common system of international security.” In 2013, Russia and China submitted an ‘International Code of Conduct for Information Security’ to the UN.[4] The code dwells on information security in a few parts, including “…curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.”

This is the point of departure for many other nations, which are less concerned with ‘information security,’ often seen as securitisation of free speech. Instead, they prefer to focus on ‘network security’―that is, keeping the critical resources that keep cyberspace functioning, protected. This is also the stated point of view of the US. To that end, some experts have pointed out that countries should share, to some extent, their military doctrines on how they will use cyber techniques for offensive purposes to achieve international stability in cyberspace.[5]
This also leads to the very pertinent question of what constitutes an act of war in cyberspace. Here, an argument has been made for the international community to set ‘norms’, to shape behaviour and limit conflict in cyberspace. This view has been worked on at the United Nation’s Group of Governmental Experts meetings, and has included the US and its NATO allies, India and even China. The report of the third meeting of the GGE in June 2013 concluded that “international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”[6] The non-binding exercise seeks to derive norms from existing laws. It also says that states must meet their international obligations regarding wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-state actors for unlawful use of information and communications technologies (ICTs).
Presently, the Tallinn Manual, produced by the NATO in 2013, seeks to examine how existing international norms apply to cyber ‘warfare’. It states in Rule 11 that “a cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” These operations are to be measured taking into account a variety of factors: severity, immediacy, directness, invasiveness, measurability of effects, military character of the cyber operation, the extent of state involvement, and presumptive legality.[7]
However, some experts have criticised its narrow view of state responsibility, saying that it gives the initiative to attackers, sending the message that huge numbers of cyber-intrusions are possible with impunity. The question they ask is whether this encourages cyber-aggressive states to push the envelope[8]. The growing concern is understandably protection of their critical infrastructure, which is vulnerable to cyber attacks from all quarters. This is a concern for the US and India alike.

The reality is that even if digital forensics could trace the origin of a cyber attack, it can be extremely difficult to get states to even acknowledge there is non-state activity emanating from their territories. Indian security experts feel that in some cases, there will be a genuine lack of capacity to control cyber events on one’s soil; in other cases, some states could deliberately build ambiguity to mask their role. Another question worth considering is whether the state is complicit in a cyber attack, either by financial or other forms of assistance.

Offline, India’s own experience with Pakistan, while trying to control international terrorism, has not been very positive. The country maintains plausible deniability about its support to terror groups operating in Afghanistan and India, and the international system has been unable to compel Pakistan to change its behaviour.[9] Add to this scenario a statement made by India’s Minister for Communications and Information Technology to the Indian Parliament in July 2014: cyber attacks on India originate in the UAE, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the US.[10]

The question then, for India and the US, is how the global governance regime can induce other states to reduce threats from within their borders. Norms that constrain cyber attacks is one strategy. This is also where their ‘big idea’―of protecting the cyber commons―could, in part, be met with another strategy. Closer cooperation for technological solutions will complement the political solutions. Knowledge exchanges between their Computer Emergency Response Teams (CERTs), war games, educational, scientific and research cooperation, and other safeguards could help build formidable digital borders that rogue states and groups would not want to risk infiltrating.

Cooperation also includes strengthening the India-US Counter Terrorism Initiative, established in 2009, which is continuing through India-US strategic dialogue meets. However, there are some bottlenecks that need to be ironed out. As was visible in the investigations that followed the horrific November 2008 terror attacks, fissures can crop up between intelligence agencies of the two countries. At first, Indian intelligence agencies cried foul saying the US had not shared information about terrorist David Headley with them. Later, India’s limited access to Headley revealed how much these information exchanges are susceptible to sovereign immunities. Both countries need to make a definite push to fix national legislation in order to share data about terrorist activities, unhindered by domestic laws. This is essential to safeguard the growing digital partnership.

Closer cooperation on digital forensics―and identifying the source of attacks―would, in the longer term, help simplify the application of international law in cyberspace. It would also provide a much-needed deterrent to states indulging in economic espionage and cyber crimes. A framework of cooperation is the order of the day to keep the networks both countries so heavily rely on stable and secure.

[1] C Raja Mohan, “India, the United States and the Global Commons.” Centre for a New American Security. October 2010, at  http://www.cnas.org/files/documents/publications/CNAS_IndiatheUnitedStatesandtheGlobalCommons_Mohan.pdf.

[2]Iran ups cyber attacks on Israeli computers: Netanyahu”, Reuters, June 9, 2013, at http://www.reuters.com/article/2013/06/09/us-israel-iran-cyber-idUSBRE95808H20130609.

[3] UN Charter, ‘Chapter Vii: Action With Respect To Threats To The Peace, Breaches Of The Peace, And Acts Of Aggression,‘ Article 51, at http://www.un.org/en/documents/charter/chapter7.shtml.

[4] International code of conduct for information security. UNGA, 66th Session, Item 93 on Provisional Agenda, at http://www.rusemb.org.uk/data/doc/internationalcodeeng.pdf.
[5] Jim Lewis, “Multilateral Agreements to Constrain Cyberspace,” Arms Control Today, June 2010.
[6] Report of the Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security, submitted to the UN General Assembly 68th Session, June 24, 2013.
[7] Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare, ed. Michael N. Schmitt (Cambridge: Cambridge University Press, 2013), 13.
[8] Peter Margulies, “Sovreignity and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility,” 2013, Melbourne Journal of International Law, Volume 14, University of Melbourne, at http://www.law.unimelb.edu.au/files/dmfile/05Margulies-Depaginated.pdf
[9] C Raja Mohan, “Negotiating Cyber Rules,” in the Cyber Debates special issue of Seminar Magazine March 2014, at: http://www.india-seminar.com/2014/655/655_c_raja_mohan.htm.
[10] Shauvik Ghosh, “Govt looks to beef up cybersecurity before Independence Day,” August 9, 2012, at http://www.livemint.com/Politics/hpNSiKsZcwu3Ldy8TslOsL/Govt-looks-to-beef-up-cybersecurity-before-Indepence-Day.html?utm_source=copy.

Thursday, October 02, 2014

Global Policy publishes my Issue Brief on Internet Governance + India

The Observer Research Foundation’s Mahima Kaul unpacks India’s approach to internet global governance.

Governments around the world seem to be straddling the dichotomy the internet has brought into our lives: the endless possibilities of innovation, commerce, expression, big data, along with the challenges of cyber crime, security, disinformation and surveillance. The weight given to each of these outlooks ends up determining a governments approach towards internet governance. And since global internet governance itself is distributed across various foras, governments are free to change their strategy to suit their outlook, depending on the topic being discussed. The same government might approach the management of critical resources with a strict nationalistic outlook, yet look to forge agreements on cyber crime bilaterally, create norms of state behavior multilaterally, and discuss human rights and free expression via a multistakeholder process. This is also the reason that democracies need not necessarily agree on global governance mechanisms even if they converge on values.

It must be kept in mind that the internet has fundamentally changed over the years. Its potential to cross barriers and serve as a platform for the free exchange of goods and knowledge remains immense, and some of those who have seen the development of the internet from its inception are fighting bitterly to keep it such. But, the reality is that is not quite the version of the internet that many new users experience. They have inherited an internet fraught with crime such as hate speech and cyber bullying, it is an internet where net neutrality is being threatened in the very country that created it, an online world where big corporations are pushing stringent intellectual property regimes and where ‘free trade’ over the internet seems to be a well crafted narrative to promote the supremacy of US companies. Navigating these waters, for people and governments alike, can be complex.
Currently, the US dominates the global internet governance architecture and pushes a multistakeholder system that banks on the participation and maturity of all stakeholders. Countries like India, tiptoeing into many of these foras, do not share the same enthusiasm for these governance mechanisms. The vast majority of Indian citizens are not yet online. In fact, the Indian government is most concerned about the current management structure of critical internet resources, the uncoordinated national approaches to determine cyber jurisdiction over transactions that span multiple territories, and ensuring universal access through affordable (and secure) devices. With this background, it can be understood why the world’s most diverse democracy has resisted “multistakeholderism” as a global governance mechanism, a system inherently democratic in its description, but not yet suited to its objectives.

Yet, for a people famously called argumentative by Nobel laureate Amartya Sen, Indians have been curiously lacking in explanations about these particular decisions. The international press, confused by the government of India’s contrarian views, simplistically bunches it along with authoritarian countries who oppose the US’s global governance framework.

The below Issue Brief attempts to unpack India’s approach to global governance, and its attempt to seek a new global governance paradigm: http://www.globalpolicyjournal.com/blog/30/09/2014/global-internet-governance-indias-search-new-paradigm

Sunday, September 21, 2014

Digital strategies for disaster management: Lessons from Kashmir

In a passionate letter explaining his government’s failure to coordinate relief efforts in Jammu and Kashmir, Chief Minister Omar Abdullah stated that a breakdown in connectivity due to unprecedented flooding caused a ‘missing government’ in a time of crisis. Recounting the chain of events in a newspaper, he wrote: ‘Initially I was relieved to find that broadband Internet services and BSNL cellphone services were functioning, but that relief was a short-lived one because a few hours later, we were effectively cut off from the rest of the world — no phones, no Internet, no roads and, once electricity went off, no access to TV stations either.”

The floods of Jammu and Kashmir, in time, crippled all modern modes of communication. Phone lines and internet connections were down as telecom infrastructure was severely damaged. At a point, only network operator Aircel managed to provide service as its mobile centers were on high rises. All telephone exchanges were submerged save one. Authorities estimated it would take a few days, at the minimum, to repair connectivity. A week later, the army and local administration are working on restoring 2G services. Add to that, electricity lines were severely damaged, hampering restoration of normal services.

Those who managed to find signal briefly called friends and family to be rescued. Others, who were fortunate enough to be rescued, informed people, many of whom were stationed outside Jammu and Kashmir with full connectivity, of the whereabouts of stranded neighbors. Quickly, as people have started doing in times of crisis, reports of those who needed rescuing and those who had been rescued started making their way onto social media platforms. Google released a ‘Person Finder’ page which allowed people to feed in names of those they were looking for, or add information about those they knew had been found. Facebook communities like ‘Kashmir Flood Information Channel’ had over 22,000 people on it, adding pictures, tidbits, hopes and prayers along with real-time information about loved ones. Soon enough the process became formalized, making the connection between information and where it needed to go. A top executive at Twitter India offered to organize information on flood victims and feed it directly to the Army. At the same time senior army personal used Whatsapp to feed information to senior commanders, so as to direct them on where to go next for rescues. Some reports say that over 12,000 people were helped thanks to social media.

The army, on its part, was able to connect to social media content because it was using satellite phones. These phones do not use terrestrial cellular sites like the ‘normal’ phone that most of us use, but instead are linked to satellites in geostationary orbit, which is essentially a fixed position in the sky.  These phones are generally not made available to the general public because of security concerns, as they use encryption and are hard for the authorities to intercept. Therefore, satellite phones in India, can only be used after obtaining a license. According to reports, the army has begun sharing satellite phones with civil administration, along with 100 Mobile Cell Communication Sets, to enable the relief efforts. Plans also include setting up STD booths as connectivity is restored, as well as moving generator sets into the state. In fact, satellite phones have been used in disasters when regular mobile networks have failed, ranging from Hurricane Katrina to the Haiti Earthquake, and interestingly, are even used by reporters in war zones for safe and assured communication. On another note, there are cases of people with solar chargers for their phones who were able to maintain battery levels despite the lack of electricity, and connect with the outside world as soon as they found signal. And now, sending shipments of solar lamps are being sent to the state to help with the relief effort.

So, the situation as it were is this: in the worst natural disaster Jammu and Kashmir has seen in recent memory, all phone and internet connections were down, causing a communication blackout. Friends and well wishers, mainly using the internet (therefore, based outside the state for the most part), had organized themselves in a manner that they were able to tunnel information to the Indian army which could connect to these people through their satellite phones. A week later, connectivity is slowing getting restored, either due to receding water, new communication equipment brought in from the outside and the work of engineers.

At this juncture, a few questions must be asked. Firstly, why is there no disaster management plan in the case of a communication blackout? This is perhaps even more pertinent given that the remote corners of India, be they coastal, mountainous or otherwise, are not well connected to modern telecom networks. The most recent figures (July 2014) from the Telecom Regulatory Authority of India for Jammu and Kashmir reveal that teledensity in the state is at 69.31% with wireless subscriptions growing at a rate of 0.33%.  In this case, it is fortunate that Jammu and Kashmir has a significant deployment of army personnel who had access to satellite phones so that some communication channels were open even as telecom infrastructure is down. However, disaster management cannot be left to luck. And given rising dependence on technology, which has in fact rendered a government completely paralyzed without it, special focus needs to be given to creating a parallel communication technology network that can be used without telecom infrastructure and electricity.

The second question is, what are the current limitations of social media in rescue efforts and how can that be changed? It would seem that those who were able to send messages to friends using social media benefitted from this effort. But, does this leave people out? What about those in smaller villages who might not have friends using Facebook or Twitter? Data based analysis is hard to come by, but perhaps one can ask, anecdotally, why the 2008 Bihar floods saw no such significant social media campaign to coordinate rescue efforts (especially from urban pockets like New Delhi/Mumbai) while in contrast in the same year, Mumbai used social media extensively to disseminate information about missing persons and rescue efforts during the Terror Attacks. Socio-economic factors, access to the internet, and personal networks could well be tied to social media usage in times of emergency. If anything, the benefits of last mile connectivity and digital literacy have been made all too clearly with the Kashmir floods.

The final question that should be answered is, to what extent is India leveraging ICTs in disaster management efforts? Has a disaster communication system that integrates phone, internet, television and radio outputs been designed to warn people? It might surprise some to find out that the Ministry of Home Affairs, has a National Policy on Disaster Management (2009), which alludes to the important role ICTs can play in such a scenario. A document called ‘ICT for Disaster Risk Reduction’ has also been released. An online inventory of resources by district is being built. The plan also seeks to deploy a VSAT network to connect states to the center, and also to connect them to medical centers. As witnessed in Kashmir, this is indeed needed as satellite phones were moved in to help the civilian administration function again. GIS – Geographic Information System – technology, that integrates data from topographical maps, aerial views and satellite imagery, used to predict natural disasters has also been flagged as an important technology to be leveraged. Where this has reached can be traced by looking at disaster management from the 2004 Indian Ocean tsunami, to the 2008 floods in Bihar, to the 2014 Kashmir floods.

Ultimately technology is as effective as the people who use it. Individual and institutional efforts alike have shown us glimpses of its potential in disaster management. It is time India goes beyond the planning stages to the implementation stages. Lives depend on this.

Mahima Kaul is Head of the Cyber and Media Initiative at the Observer Research Foundation, New Delhi.

Wednesday, September 03, 2014

BBC interview on Indian politics, PM Modi and social media

I was on BBC World Service's radio show "Click" last evening, talking about Modi, Twitter and the media. Have a listen:


Wednesday, August 27, 2014

India’s Modi bypasses mainstream media and takes to Twitter

Prime Minister Narendra Modi's penchant for using social media to address the public directly has apparently caused a rift with India's mainstream press.

Indians don’t usually take much notice of the prime minister’ speech on independence day in the middle of August. This year was different. This year there was so much discussion on social media that it became a trending topic.

In contrast to the way other prime ministers have handled this moment, new Prime Minister Narendra Modi of the Bharatiya Janata Party (BJP), wowed a large section of Indian society not just with what he said, but the way he said it. People are gushing over the fact that he spoke without notes, and did not use the usual bulletproof glass. Others are impressed with the content; he touched upon topics as diverse as rape, sanitation, manufacturing, and nation building, using easily accessible language. Modi is also using social media to get his views across direct to the public, and bypassing the mainstream media.

This straight-talking style only adds to Modi’s brand, but he is also attracting criticism from the mainstream media for not being willing to answer hard questions. His chosen methods of communicating with the public have one common thread: he prefers to address the public directly, plainly, without going through the mainstream media or any reliance on further explanation by them. His social media accounts on Facebook and Twitter have completely changed the way information comes out of the prime minister’s office (PMO). Modi’s tweets, both from his personal and his prime ministerial account, keep citizens updated on his various trips (“PM will travel to Jharkhand tomorrow. Here are the details of his visit”). He also updates on his musings (“I am deeply saddened to know about Yogacharya BKS Iyengar’s demise & offer my condolences to his followers all over the world”) and highlights from speeches made across the country  (“when the road network increases the avenues of development increase too”), as well as photographs and videos. Citizens are getting a front row seat at his speeches and thoughts. But not everybody is happy about this — especially not the private mainstream media.

Unlike the previous government, Modi is yet to appoint a press advisor. That person, normally chosen from senior journalists in New Delhi, advises the prime minister on media policy. There isn’t a point person from the PMO for the mainstream media — or the MSM, as it is called — to discuss stories and scoops. He only takes journalists from the public broadcasting arms — radio and TV — on his foreign trips, in contrast to his predecessor, who brought along more than 30 journalists from the public and private channels. In fact, Modi has reportedly instructed his MPs to refrain from speaking to journalistsIndian mainstream media is filled with complaints that Modi is denying journalists the opportunity to engage with complex subjects like governance beyond official statements and limited briefings. Meanwhile, some other publications have scoffed that the mainstream media is only complaining because it will be forced to analyse the news and work towards coherent reporting instead of relying of well honed cosy relationships with people in power.

This apparent rift between the PMO and the private mainstream media has to be viewed through a variety of prisms for it to make any sense. The first is the very volatile relationship between Modi and the MSM which harks back to his time as chief minister of Gujarat, when a brutal communal riot took place. The second is the state of the mainstream media itself, continuously called out for unethical practices by the likes of the Telecom Regulatory Authority of India.

The relationship between Modi and the mainstream media is complex. No court has indicted Modi for any criminal culpability in the Gujarat riots of 2002, but many in the media have held him morally responsibly for the mass killings that carried on over three days, and let their feelings colour reports on him. But right before Modi’s historic sweep of the Indian general elections, this section of the press seemed to have begrudgingly warmed to the man they had long vilified.

One of India’s most respected journals, Economic and Political Weekly, published the article Mainstreaming Modi, deconstructing this new wave of coverage. It argued that the reasons for this change “range from how even the United Kingdom and the European Union have ‘normalised’ relations with him [Modi], that he has been elected thrice in a row to the chief ministership of Gujarat, which surely speaks of his abilities as an ‘efficient’ and ‘able’ administrator, that Gujarat has become corporate India’s favourite investment destination, and most importantly, that he is the guy who can take ‘decisions’ and not keep the nation waiting for action.”

During this year’s election campaign, Modi’s use of the media was innovative. Stump speeches were tailor made for the towns he was campaigning in. Modi’s 3D holograms, deployed in small towns while gave a speech elsewhere, were a spectacle not seen before in India. Though Modi had been speaking to Hindi and other Indian language media, he delayed giving interviews to the English language “elite” media, watched by a small but influential section of the population. He finally consented to doing a one-on-one interview with Arnab Goswami of Times Now, known as one of India’s loudest and most aggressive anchors. People readied themselves for the ultimate combative hour on television, but Modi’s no-nonsense answers, it seemed, won over both the anchor and the audience — especially as they were in sharp contrast to the vague statements put across by Modi’s challenger, Indian National Congress Party candidate Rahul Gandhi.

After the election win, India’s mainstream media has been forced to reassess what it wants from the prime minister. Is it information or is it access? The mainstream media undoubtedly has had a very complicated and close history with the political class. A Congress-led government has been ruling New Delhi for a decade, building up close relationships with senior editors and journalists. Some of these relationships were exposed through leaked conversations between members of the press and corporate lobbyists in a scandal now known as the Radia Tapes. They revealed, among other things, how journalists used their connections to politicians to pass on messages from lobbyists.

In fact, the indictment of improper behaviour by the media is a fairly regular occurrence in India. Just this month, the Telecom Regulatory Authority of India released their latest report, which recommends that corporate and political influence over the media can be limited by restricting their direct ownership in the sector. For this reason, the credibility and true affiliation of the media is always under the scanner. 

But Modi and his team also need to respond to questions about why they will not deal with some parts of the media. How do they view the role of a combative media? Is only the public broadcaster, which reports the story as the government wants, to be allowed access? Are critical questions being avoided?

Perhaps, the last word can go to Scroll.in, one of India’s newest online magazines: “[T]he rat race for the ego scoop undermines the most important scoop, the thought scoop. We often don’t look at the big picture, don’t take the long view, don’t see the obvious, forget the past, don’t study the boring reports, substitute access journalism for ground reporting, believe the official word. Narendra Modi might just be doing us a favour by keeping us away.”


Monday, August 25, 2014

Lessons from BRICS: Developing an Indian Strategy on Global Internet Governance

Written for the Science, Technology and Security Forum of The Manipal Advanced Research Group (MARG) at Manipal University. 

In between headlines of a BRICS bank and other successes at Fortaleza, Brazil in July 2014, there was another aspect to India’s Prime Minister Narendra Modi’s speech that had special relevance to cyber analysts. Addressing the conference, he said, “…while cyber space is a source of great opportunity, cyber security has become a major concern. BRICS countries, should take the lead in preserving Cyber Space, as a global common good. I am happy we are cooperating on this through our National Security Advisors.”
For India, this might be the first public occasion when its new Prime Minister, Narendra Modi, has officially mentioned cyber issues, although, quite squarely from the prism of security. In the arena of cyber security, India has already committed itself to bilaterals with countries like the US, UK, Australia and Japan, and seems to have a keen focus on beefing up cyber security to protect both its critical infrastructure as well as its IT industry and service sector. The same was revealed in last year’s National Cyber Security Policy 2013, which also aimed to train about 500,000 cyber security experts over the ensuing five years. However, India’s official policy towards cyber governance, on the other hand, has been difficult to read.
Presently, the governance architecture of the internet is divided between various platforms – separated into layers (as characterized by Vint Cerf) of infrastructural- logical (ITU, ICANN, IEEE etc), content (WIPO, WTO, OECD, IGF) and social (HR Council and UNESCO). There are also conferences such as Netmundial, held in Brazil in April 2014 in the aftermath of the Snowden revelations, that sought to build a consensus in the international community about the attitude towards values prescribed to the internet and also global governance mechanisms. India’s stand has varied in language, but the sentiment has indicated that it is not comfortable with the current Western-dominated structure of internet governance, especially given the fact that the West seeks to encourage commercial interests by keeping the internet a free trade zone, while developing countries like India are still struggling with baser questions of access and inclusion. Therefore, India is keen to retain a system that is government-led and not market-led. In fact, in a speech by an Indian official at Netmundial in April 2014, the term “equinet” was used to denote the quality being ascribed to the purpose of the internet. These competing philosophies, while moving towards the aim of keeping the internet “free” and a “global common good”, have often put India at odds with the US, Europe and other countries at global internet governance meets.
It would then also be fair to say that members of the BRICS grouping are also in the same boat as India – they do not align themselves completely with the multi-stakeholder internet governance structures the West promotes. In fact, given that the BRICS members are divided between these two differing views of internet governance, it is interesting to see civil society actors express hope that perhaps the BRICS could provide a new model of internet governance to the world. A statement released by the JustNet coalition, an association of organizations that seeks to bolster the view from the Global South states that, “to ensure a just and effective distribution globally of the rewards and benefits of the digital economy”. The demands include a number of action points, including ensuring that the internet’s critical resources are developed in the global public interest, the digital domain is subject to ‘legitimate’ political authority and not private (read: corporate) law, human rights abuses by multinational corporations are reined in, and finally open internet platforms and tools are promoted.
A wish-list from a coalition aside, it is interesting to note the internal dynamics of internet governance in the BRICS countries. China, quite famously, has strongly indicated that it believes in the internet beingsubject to its national laws, as was indicated in a White Paper released in 2010. China’s People’s Daily newspaper has carried articles that seek to explain this view further. They seem to stress that cyberspace should essentially be under different domestic spheres and not subject as a whole to international values. It seems China would look to build an international consensus on this idea, especially “defining cyberspace boundaries and rules of conduct.” In particular, China has been critical of the US using its technological advantages to conduct cyber espionage and attacks. However, China’s distinct worldview has not hindered it from making some interesting moves on the international world stage when it comes to internet governance. At the Internet Corporation for Assigned Names and Numbers (ICANN) – 50 held at London, in June 2014, China’s Minister for Cyberspace Affairs, Lu Wei, addressed the gathering, showing China’s willingness to engage with the organization. However, at the same meeting, he made China’s position quite clear, which involved countries adhering to certain principles of internet governance that included ‘equal and open’ internet, which in turn means respecting the sovereignty of each country’s network, the right to develop that network, network management rights, and the right to participate in internet governance. Some panelists have read the speech as China asking for ‘intergovernmental supervision of ICANN’, ironically at one of the largest multi-stakeholder meetings.
Meanwhile, the Russian approach to international governance has also been critical of the current dominant governance paradigm. After the Netmundial meeting in April 2014, the Russians revealed the various facets of internet governance they objected to: the first had to do with surveillance. Referring to the Netmundial outcome statement, Russia stated that “these documents actually confirm the right of intelligence services of the countries, in which the basic units of Internet traffic exchange are located, for uncontrolled collection of information about individuals from around the world.” There was also disappointment expressed that this document did not refer to the roles of the UN, ITU and other core internet bodies. Since the Russian government felt that the Netmundial document largely ignored the view of states and NGOs, it feels it cannot be used as an internationally approved document. Russian President Vladimir Putin has also famously called the internet a “CIA project”.
Brazil, of course, has been much in the news because of its President, Dilma Rousseff’s highly vocal reaction to the Snowden revelations of extensive US spying on international citizens. The very idea of Netmundial came up because of this, and at the time even Edward Snowden has indicated he wanted to seek asylum in Brazil. However, events following the announcement of this conference clearly indicated that the US and Brazil had reconciled. Brazil denied that Snowden had requested asylum. Netmundial moved its focus away from US espionage programs; the term ‘surveillance’ was used in the outcome document, instead of the world ‘espionage’. At the same time, moving away from its former position of 2012, in which Brazil had joined China and Russia to call for a government-led internet, the country squarely put its weight behind the multi-stakeholder system. However, there can be no doubt that by taking the lead on the global stage in the aftermath of the Snowden revelations, and hosting a conference that the world felt invested in, Brazil has catapulted itself to the status of a leading nation in the sphere of global internet governance.
South Africa had also put its weight behind a government-led internet governance system in 2011, after an India-Brazil-South Africa (IBSA) meeting. This proposal, tabled by India at the UN, had signalled a move away from multi-stakeholder platforms like the ICANN and IGF to an UN-led system. The United Nations Committee for Internet­ Related Policies (CIRP) was to be a 50 member body – based on geographical representation -- that would meet for two working weeks in Geneva to discuss internet issues, and would take inputs from Advisory Groups through the year. The proposal was dismissed by most media as trying to put an archaic, bureaucratic, controlling system on something as free, open and dynamic as the internet. Though the suggestion has been tempered over time (even India no longer believes the body necessarily needs to be under UN aegis), the sentiment has remained. More recently, South Africa was also part of the group of governments that co-hosted Netmundial.
Therefore, the BRICS grouping, aside from Brazil, which seems to have moved closer to the US position, share a certain affinity in their view of the global governance system, but for vastly different reasons. In fact, within the countries there is a huge divide in the way the internet is regulated. In China and Russia, content is highly regulated. Brazil has just signed into law the Marco Civil Bill that is aimed at guaranteeing some principles in the use of the internet like privacy and open government among others. Indeed, internet is a tool for democracy and it has become indispensible to the exercise of civil rights. India and South Africa both guarantee the right to free expression, with reasonable restrictions, in their respective Constitutions. How difficult it would be to come up with a joint “values” based approach is evident in another civil society appeal to the BRICS countries, this time from Brazil’s Association for Progressive Communications (APC). The group has called for the BRICS countries to address a number of issues including, “the commitment of BRICS countries to promote and protect human rights online and to implement their obligations from international agreements…” and “the inclusion of civil society in democratic, inclusive, transparent, and multi-stakeholder processes on internet-related public policy at a national, regional and global level.”
This lofty goal might not be in reach, but there are learnings from the individual positions of the BRICS nations. Most have engaged with the international system in a deep manner, even if they were in disagreement with it. Some have even proposed new ideas and philosophies to guide any global consensus. India too, must develop some of the ideas it has alluded to on the international stage, and present them to the world as workable alternatives – or complimentary ideas – to the current dominant governance structures. At Netmundial, India called for the development of ‘cyber jurisprudence’ to institutionalize safeguards against misuse of the internet and ensure free flow of information. A detailed report on how this could be achieved would help India further this debate. Another policy challenge India has often highlighted is the inability of the current internet governance structures to respond to some of the core and strategic concerns of member states, and this includes, very much, the management of critical internet resources. India has mentioned broad basing these institutions. However, no concrete proposal has arisen from the country. Further research must flow into developing these ideas. For example, France has suggested in a report released by the French Senate, the idea that internet governance should evolve by an international treaty open to all states and that ICANN be reformed into the ‘World ICANN’ or WICANN, where it would adhere not to US law but the international or Swiss law.
Ultimately, if not together, but individually, the BRICS countries have tried to move internet governance debates by taking strong stands at the global level. India too, has flirted with the idea, time and again. If nothing else, the biggest takeaway from this grouping needs to be the commitment to putting across new ideas to the global community. Only then can India hope to assume the mantle of one of the more significant players in international internet governance, a status befitting its heavy internet user base.

Friday, August 08, 2014

When it comes to internet governance, India still actively engages with the UN

A final draft resolution at the United Nations, passed in July 2014, has focused on the UN General Assembly’s review process of World Summit on the Information Society outcomes implementation. India has been lauded for its leadership in producing this document which calls information and communication technologies (ICTs) ‘enablers and drivers for the achievement of Millennium Development Goals and the promotion of the economic, social and environmental components of sustainable development and should be given due consideration in the elaboration of the post-2015 development agenda.’ There is also another achievement India is proud of; the document reaffirms the centrality of the General Assembly to this review process, as well as the role of the Commission on Science and Technology for Development in assisting the Economic and Social Council as the focal point in the system-wide follow-up. In his statement on the matter, India’s Permanent Representative to the UN Ambassador Asoke Mukerji, welcomed this document as a win for multilateral negotiation processes. He also welcomed that the fact that the review has been mandated as an “intergovernmental negotiation process” which takes into account inputs from member states, observer states, observers and all relevant WSIS stakeholders.
What exactly is this WSIS then? The WSIS, as it is known, was a two phase UN summit that strived to achieve a vision of a ‘people-centric, inclusive and development-oriented Information Society where everyone can create, access, utilize and share information.’ This meeting included not just governments in the process of crafting a vision of the future, but civil society, businesses, engineers and academics as well. It held its first meeting in Geneva, Switzerland in 2003, and its final meeting in Tunis, Tunisa in 2005. By the time it had concluded, the WSIS had prepared a document known as the Tunis Agenda. The document had focused on the particular problem of the ‘digital divide’, giving information and communication technologies (ICTs) a pride of place as a development tool. In its first part, the document focused on the financial instruments needed to bridge this digital divide, the document ‘encouraged governments’ to ‘give appropriate priority to ICTs, including traditional ICTs such as broadcast radio and television, in their national development strategies.’ The document also gave weight to the growing importance of ICTs as a development enabler, to achieve the goals and objectives of the Millennium Development Goals and called for a ‘Digital Solidarity Fund’.
The Tunis Agenda also went on to focus on internet governance mechanisms, and called for a multistakeholder effort to build an information society. It also suggested that ‘governments and other stakeholders should identify those areas where further effort and resources are required, and jointly identify, and where appropriate develop, implementation strategies, mechanisms and processes for WSIS outcomes at international, regional, national and local levels.’ The document certainly acknowledged the leading role of governments, and even had a clause for ‘enhanced cooperation’ stating: ‘we further recognize the need for enhanced cooperation in the future, to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues.’
There was another facet to WSIS. The process had actually sought to involve multistakeholders in internet governance, inviting business and private sector to actively participate in the intergovernmental preparatory process of the Summit and the Summit itself. Unfortunately, the exact nature of this involvement was never quite clear, and the end result was a bitter fight about the contours of participation. Ultimately, the official (government) WSIS declaration was accompanied by a Civil Society WSIS Declaration as well, entitled ‘Shaping Information Societies for Human Needs.’ Since then, a struggle over a government-led internet governance structure or a multistakeholder internet governance system has been raging. And in the intervening years, the internet itself has matured, the global cyber market has grown, as has crime, and the promises of ICT for development are steadily being acted upon the world over. Many have sought to ‘retire’ the Tunis Agenda as it espouses a classical, pre-Internet view of policy making that reserves it exclusively to sovereign states, thought it should be pointed out that the document also created the Internet Governance Forum, a global multistakeholder platform that feeds into internet policy issues around the world.
In a sense, this resolution, negotiated by India on behalf of Group of 77 and China, is a continuing effort by the country to keep alive the multilateral mechanisms relating to internet governance issues relevant, with specific focus on issues that matter to developing countries; bridging the digital divide being a good example. In this context, this move, to complete modalities for the overall review of the outcomes of WSIS has special significance. This significance should also be seen in the backdrop of Indian participation at Netmundial in Brazil in 2014, where theIndian representative squarely listed outIndia’s desire to achieve an ‘equinet’ and talked of the ‘the role of the governments in the Internet governance, of course in close collaboration and consultation with other stakeholders is an imperative,’ a strategy being demonstrated with further engagement with the UN system.

Friday, August 01, 2014

Reframing the global Internet ecosystem

As the conversations around internet governance become trapped in confrontational language – ‘war’ between sovereigntist and multistakeholder models – it is time to move the emphasis back to the evolution of governance structures and decision making that works for all.

Mainstream media might not quite betray it yet, but there is a slow nuance to global internet governance debates that seek to understand the apparent face-off between two camps – the (market-led) multistakeholder camp and the (government-led) sovereigntist camp. There is an effort by scholars to move away from the dominant discourse – that a vote for multistakeholderism (MSM) is a vote for democracy, and anyone who dares to question the effectiveness of a multistakeholder decision making governance process is actually voting against democracy. This simplification, often offered by Western media and then echoed around the world, might be able to capture some of the arguments being made for either system, but it often fails to understand the nuances of what is really being debated, and why some governments offer an alternative viewpoint. The geo-political dimensions of this debate needs to be examined deeply and unpacked a little.

The first step is to understand the current distributed nature of internet governance structures. Broadly speaking, there is an‘infrastructural layer’, which has organizations like the ITU (International Telecommunications Union) and the IEEE (The Institute of Electrical and Electronics Engineers). According to some scholars, this is the layer concerned with connectivity, universal access and concepts such as net neutrality. There is then the ‘logical layer’ of the internet, defined by ICANN (Internet Corporation for Assigned Names and Numbers). ICANN has been in the news of late, where a battle over who gets to decide the internet’s Domain Name System – online real estate, if you will – and the operation of root name servers, is underway. This would be one of the fundamental critical resources that the internet is built on. A third, ‘content layer’, hosts organizations such as WTO (World Trade Organization), WIPO (World Intellectual Property Organization, IGF (Internet Governance Forum) and the OECD (Organization for Economic Cooperation and Development) that deal with intellectual property rights, cyber crime and other issues. Vint Cerf, in his paper ‘Internet Governance Is Our Shared Responsibility’[1] has also added another layer to the mix – the ‘social layer’ where organizations like the Human Rights Council and UNESCO (United Nations Educational, Scientific and Cultural Organization)work on trust, identity, human rights, and internet governance principles (which would include net neutrality).

A good place to start is identifying the debate: (i) are governments fighting between a distributed governance structure as we have now, or a single body (either under the aegis of the UN or simply government-led) to decide on all governance issues, (ii) are governments agreeing to stay with the distributed structure but arguing that about their role in some of these organizations, that is, some governments want their vote to carry more weight within a multistakeholder system, and (iii) are some governments calling for some common rules – a treaty perhaps --  for cyber security (including cyber warfare, surveillance, crime) while insisting the rest of major internet governance decisions should be taken within national borders.

In the first paper released by the Global Commission on Internet Governance, launched by two independent global think tanks, the Centre for International Governance Innovation (CIGI), the former dean of the Kennedy School at Harvard, Joseph Nye, writes, “it is unlikely that there will be a single overarching regime for cyberspace any time soon. A good deal of fragmentation exists now and is likely to persist. The evolution of the present regime complex, which lies halfway between a single coherent legal structure and complete fragmentation of normative structures, is more likely.”[2]

Some of this fragmentation persists because of the very different reactions the concept of multistakeholderism elicits. The current system seeks to give all actors a seat on the table; government, business, civil society, academia and the technical community alike. This democratic setup is ideally meant to ensure that the internet should not be bogged down by unnecessary regulation, and decisions are taken at ‘appropriate’ forums by relevant stakeholders. For example, some internet scholars believe the government-led body, ITU, is not the forum to discuss limiting spam, ostensibly to ‘control unsolicited bulk electronic communications and minimize its impact on international telecommunication services,’ as the conversation quickly devolves into regimes limiting free speech by terming it (as a Russian proposal sought to do in 2012) as ‘having no meaningful message.’ Using examples like this, they argue, a multistakeholder environment will ensure the internet does not fall victim to the proposals of authoritarian regimes.

Despite this logic, it isn’t easy to sell multistakeholderism across the board. There are a few explanations for this. The first pushback comes from authoritarian countries for whom democracy isn’t an inherent political philosophy they subscribe to, and so they favour a sovereign approach to IG. On the flipside, it cannot be assumed that support for MSM comes from countries who do not wish to control the internet. As Vint Cerf suggests in his paper, ‘in a more cynical view, with the recent discussions on Internet surveillance, it is also possible that one group of governments have the preference and tradition of exercising control and influence through restrictions, regulations and laws, while other governments see the openness of the Internet as an opportunity to control through surveillance of it.’[3]

The second question raised about multistakeholderism is that the entire process has been hijacked by vested interests. For example, if business were to influence civil society or even governments to vote for decisions that secure their profits, then in truth, business would, by proxy, have the most votes at the table. It might be kept in mind that private companies own most of the infrastructure the internet is built on.

The third reason is that multistakeholder arrangements are not appropriate for all discussions, for example, when discussing national cyber security issues. Most stakeholders do tend to agree that certain spaces of internet governance are the domain of the state due to the nature of the problem.

Finally, and this is a view, offered by India when it sought to reframe the view of the ‘internet’ as ‘equinet,’ which essentially makes the argument that the developed world has one set of problems that it deems are immediate – for example, intellectual property and the internet as a free trade zone – which are not the pressing problems of the developing world, where countries are still grappling with access, inclusion and last mile connectivity. Therefore, multistakeholder arrangements at the global stage might work better for countries that have attained a certain maturity in reaching internet penetration and creating markets, and government can confidently share equal space with commercial and civil society interests. For other governments, such as the Indian view expressed at Netmundial, their role as the driver of internet adoption is still key and therefore they are unwilling to share their role with commercial interests and burgeoning civil society groupings just yet. To them, while MSM has its place in the internet governance ecosystem, it cannot be applied unconditionally to any and all discussions.

However, no discussion about internet governance will be complete without mentioning another point of contention; jurisdiction. What laws is the internet subject to? Is it US law, international law, or will each country adhere to its own laws and function through bilateral and multilateral treaties? As of now, the laws of the country where data servers are located come into play. The previous Indian government suggested that the jurisdiction of the country affected should apply; that is, if Indians are victims of a certain cyber crime then Indian jurisdiction should apply, not the country where the server is located. A similar complaint is echoed when law enforcement officials from one country ask those in another country, where the server is located, to furnish information. As a reaction to jurisdictional issues (and also surveillance), recently there has been a move by many countries to locate their servers in the host country. This move is often called ‘breaking the internet’ as with costs of doing business going up (commercial enterprises will have to use multiple servers across the world) and the plethora of laws that will come into play, the internet’s default setting – a free trade zone – will be destroyed.

But crime is only one aspect of the jurisdictional issue. What laws apply to the many decentralized internet governance institutions that exist, which are decision making bodies? For example, ICANN, the organization with the power to award domain names internationally, is subject to US laws. A district court in Columbia, USA as ruled that ICANN should seize Iran’s internet domain name (.ir) and IP addresses to recover damages over $1 billion owed to terror victims. Does this mean that a US court can direct ICANN, and in a way, override the entire multistakeholder decision making process it has carefully constructed? Presently ICANN has responded to the ruling, denying that the domain names are the ‘property’ of any country, but the matter is far from over.

In fact, the French, miffed at ICANN for other reasons have actually put out an interesting proposal in the French senate on internet governance. The idea is that internet governance should evolve by an international treaty open to all states; that the Internet Governance Forum should be transformed into a ‘World Council for the Internet’ to ensure some form of conformity in the decisions taken at the various internet governance forums. Lastly, this proposal in the French Senate calls for ICANN to be reformed into the ‘World ICANN’ or WICANN, where it would adhere not to US law but the international or Swiss law. WICANN could then be under the authority of the new World Council for the Internet. Whether this idea will gain any momentum is yet to be seen, but it does make an attempt at reaching beyond the existing suggestions.

Any overhaul of the internet governance structure, or even a tweaking of the current arrangement needs to keep two important aspects in mind, other than decision-making processes: real accountability and operational feasibility. The fact is that extensive surveillance by the US government has also put a dent in international cooperation over these issues, due to a loss of trust. The answers might not be with us yet. To keep the internet free, a little freedom of thought might be in order.

The writer is a Fellow at the Observer Research Foundation

[1]Cerf, Vinton G. and Ryan, Patrick S. and Senges, Max, Internet Governance Is Our Shared Responsibility (August 13, 2013). I/S: A Journal of Law and Policy for the Information Society, 10 ISJLP 1 (2014).. Available at SSRN: http://ssrn.com/abstract=2309772

[2]Nye, Joseph, The Regime Complex for Managing Global Cyber Activities (May 2014). Global Commission on Internet Governance, Paper Series No. 1, (2014). Available at: http://www.cigionline.org/publications/regime-complex-managing-global-cyber-activities
[3]Cerf, Vinton G. and Ryan, Patrick S. and Senges, Max, Internet Governance Is Our Shared Responsibility (August 13, 2013). I/S: A Journal of Law and Policy for the Information Society, 10 ISJLP 1 (2014).. Available at SSRN: http://ssrn.com/abstract=2309772

AVAILABLE AT ORF'S CYBER MONITOR, AUGUST 2014: http://orfonline.org/cms/export/orfonline/html/cyber/cybermonitor_august2014.pdf