Tuesday, October 21, 2014

ORF-Heritage Report: Indo-US Cooperation on Internet Governance and Cybersecurity

State Responsibility in the Cyber Commons: Deepening the India-US Relationship


Two countries which share so many common values―democracy, rule of law, freedom of expression, liberty, multiculturalism, freedom of religion―have not yet been able to operationalise a strategic partnership that would define the 21st century. That ‘big idea’, which could form the basis for the next phase of the US-India relationship, has seemed elusive. Strategic thinker C. Raja Mohan suggested in 2010 that this need not be the case, and the basis of this partnership could be protection of the global commons―the oceans, air, outer space and cyberspace. Against the backdrop of the instability of these commons, and the growing pressure on the US’s ability to secure these spaces, Raja Mohan maintained that since free flow of information and trade across the global commons is vital for both economies, India could serve as a natural ally for the US.[1] Admittedly, this is not an easy task, especially in the cyber domain. Misapprehensions about US dominance, and about its capabilities and intent as revealed by the Edward Snowden disclosures, cast a shadow over common areas of interest. Yet, both countries seem to understand there is much to be gained from closer collaboration, especially given the increasing intensity of threats to their digital boundaries and the state’s responsibility for controlling the proliferation of such activities.

Globally, accusations citing cyber attacks from across borders are becoming increasingly common. In fact, many countries that have been vocal about being victims of cyber attacks have at times been perpetrators themselves. For example, the United States, which in May 2014 indicted members of the Chinese military for engaging in acts of hacking and spying on US businesses and entities, has itself been accused of launching the virus Stuxnet in 2010 (in collaboration with Israel) on Iran’s nuclear centrifuges, destroying one-fifth of them. And in turn, Iran has been accused of ‘non-stop cyber attacks’ on major computer systems in Israel.[2] There is also the 2014 case of Russian hackers attacking US bank J.P. Morgan and stealing sensitive data to sell in the global black market. Some analysts suggest that these actions are in retaliation to Western economic sanctions against Russia. Therefore some common, global understanding of the rules of state behaviour in cyberspace is needed.

Currently, under Article 51 of the UN Charter, states, individually or collectively, have the right to defend themselves against an ‘armed attack’ in cyberspace.[3] There is much work being done in the area of international law to understand the terms ‘armed act,’ ‘acts of aggression’ and ‘force’ when they relate to the cyber world, as there is no international consensus on the issue. As witnessed in the US case, acts of espionage (which have been attributed to a state, in this case China) fall short of a cyber attack, but are still considered to have significant consequences on the economy. Under these circumstances, and others that have preceded it, the global conversation has been veering towards chalking out rules of cyberspace.

Two schools of thought have emerged. The first is a solution put forward by China, Russia and a few other countries: have an international code of conduct with a view to protecting information security. This has been formalised in the Eurasian grouping called the Shanghai Cooperation Organisation (SCO). The members are China, Russia, Uzbekistan and Tajikistan, among others. India has observer status at the SCO and is up for full membership. Their 2009 Yekaterinburg Declaration stated: “The SCO member states stress the significance of the issue of ensuring international information security as one of the key elements of the common system of international security.” In 2013, Russia and China submitted an ‘International Code of Conduct for Information Security’ to the UN.[4] The code dwells on information security in a few parts, including “…curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.”

This is the point of departure for many other nations, which are less concerned with ‘information security,’ often seen as securitisation of free speech. Instead, they prefer to focus on ‘network security’―that is, keeping protected the critical resources that keep cyberspace functioning. This is also the stated point of view of the US. To that end, some experts have pointed out that countries should share, to some extent, their military doctrines on how they will use cyber techniques for offensive purposes to achieve international stability in cyberspace.[5]

This also leads to the very pertinent question of what constitutes an act of war in cyberspace. Here, an argument has been made for the international community to set ‘norms’, to shape behaviour and limit conflict in cyberspace. This view has been worked on at the United Nations’ Group of Governmental Experts meetings, and has included the US and its NATO allies, India and even China. The report of the third meeting of the GGE in June 2013 concluded that “international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”[6] The non-binding exercise seeks to derive norms from existing laws. It also says that states must meet their international obligations regarding wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-state actors for unlawful use of information and communications technologies (ICTs).

Presently, the Tallinn Manual, produced by NATO in 2013, seeks to examine how existing international norms apply to cyber ‘warfare’. It states in Rule 11 that “a cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.” These operations are to be measured taking into account a variety of factors: severity, immediacy, directness, invasiveness, measurability of effects, military character of the cyber operation, the extent of state involvement, and presumptive legality.[7]

However, some experts have criticised its narrow view of state responsibility, saying that it gives the initiative to attackers, sending the message that huge numbers of cyber-intrusions are possible with impunity. The question they ask is whether this encourages cyber-aggressive states to push the envelope.[8] The growing concern is, understandably, the protection of their critical infrastructure, which is vulnerable to cyber attacks from all quarters. This is a concern for the US and India alike.

The reality is that even if digital forensics could trace the origin of a cyber attack, it can be extremely difficult to get states to even acknowledge there is non-state activity emanating from their territories. Indian security experts feel that in some cases, there will be a genuine lack of capacity to control cyber events on one’s soil; in other cases, some states could deliberately build ambiguity to mask their role. Another question worth considering is whether the state is complicit in a cyber attack, either by financial or other forms of assistance.

Offline, India’s own experience with Pakistan, while trying to control international terrorism, has not been very positive. The country maintains plausible deniability about its support to terror groups operating in Afghanistan and India, and the international system has been unable to compel Pakistan to change its behaviour.[9] Add to this scenario a statement made by India’s Minister for Communications and Information Technology to the Indian Parliament in July 2014: cyber attacks on India originate in the UAE, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the US.[10]

The question then, for India and the US, is how the global governance regime can induce other states to reduce threats from within their borders. Norms that constrain cyber attacks are one strategy. This is also where their ‘big idea’―of protecting the cyber commons―could, in part, be met with another strategy. Closer cooperation for technological solutions will complement the political solutions. Knowledge exchanges between their Computer Emergency Response Teams (CERTs), war games, educational, scientific and research cooperation, and other safeguards could help build formidable digital borders that rogue states and groups would not want to risk infiltrating.

Cooperation also includes strengthening the India-US Counter Terrorism Initiative, established in 2009, which is continuing through India-US strategic dialogue meets. However, there are some bottlenecks that need to be ironed out. As was visible in the investigations that followed the horrific November 2008 terror attacks, fissures can crop up between intelligence agencies of the two countries. At first, Indian intelligence agencies cried foul saying the US had not shared information about terrorist David Headley with them. Later, India’s limited access to Headley revealed how much these information exchanges are susceptible to sovereign immunities. Both countries need to make a definite push to fix national legislation in order to share data about terrorist activities, unhindered by domestic laws. This is essential to safeguard the growing digital partnership.

Closer cooperation on digital forensics―and identifying the source of attacks―would, in the longer term, help simplify the application of international law in cyberspace. It would also provide a much-needed deterrent to states indulging in economic espionage and cyber crimes. A framework of cooperation is the order of the day to keep the networks both countries so heavily rely on stable and secure.

[1] C Raja Mohan, “India, the United States and the Global Commons.” Centre for a New American Security. October 2010, at http://www.cnas.org/files/documents/publications/CNAS_IndiatheUnitedStatesandtheGlobalCommons_Mohan.pdf.

[2] “Iran ups cyber attacks on Israeli computers: Netanyahu,” Reuters, June 9, 2013, at http://www.reuters.com/article/2013/06/09/us-israel-iran-cyber-idUSBRE95808H20130609.

[3] UN Charter, ‘Chapter VII: Action With Respect To Threats To The Peace, Breaches Of The Peace, And Acts Of Aggression,’ Article 51, at http://www.un.org/en/documents/charter/chapter7.shtml.

[4] International code of conduct for information security. UNGA, 66th Session, Item 93 on Provisional Agenda, at http://www.rusemb.org.uk/data/doc/internationalcodeeng.pdf.

[5] Jim Lewis, “Multilateral Agreements to Constrain Cyberspace,” Arms Control Today, June 2010.

[6] Report of the Group of Governmental Experts on Development in the Field of Information and Telecommunication in the Context of International Security, submitted to the UN General Assembly 68th Session, June 24, 2013.

[7] Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare, ed. Michael N. Schmitt (Cambridge: Cambridge University Press, 2013), 13.

[8] Peter Margulies, “Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility,” 2013, Melbourne Journal of International Law, Volume 14, University of Melbourne, at http://www.law.unimelb.edu.au/files/dmfile/05Margulies-Depaginated.pdf

[9] C Raja Mohan, “Negotiating Cyber Rules,” in the Cyber Debates special issue of Seminar Magazine March 2014, at: http://www.india-seminar.com/2014/655/655_c_raja_mohan.htm.

[10] Shauvik Ghosh, “Govt looks to beef up cybersecurity before Independence Day,” August 9, 2012, at http://www.livemint.com/Politics/hpNSiKsZcwu3Ldy8TslOsL/Govt-looks-to-beef-up-cybersecurity-before-Indepence-Day.html?utm_source=copy.

Thursday, October 02, 2014

Global Policy publishes my Issue Brief on Internet Governance + India

The Observer Research Foundation’s Mahima Kaul unpacks India’s approach to internet global governance.

Governments around the world seem to be straddling the dichotomy the internet has brought into our lives: the endless possibilities of innovation, commerce, expression, big data, along with the challenges of cyber crime, security, disinformation and surveillance. The weight given to each of these outlooks ends up determining a government’s approach towards internet governance. And since global internet governance itself is distributed across various fora, governments are free to change their strategy to suit their outlook, depending on the topic being discussed. The same government might approach the management of critical resources with a strict nationalistic outlook, yet look to forge agreements on cyber crime bilaterally, create norms of state behavior multilaterally, and discuss human rights and free expression via a multistakeholder process. This is also the reason that democracies need not necessarily agree on global governance mechanisms even if they converge on values.

It must be kept in mind that the internet has fundamentally changed over the years. Its potential to cross barriers and serve as a platform for the free exchange of goods and knowledge remains immense, and some of those who have seen the development of the internet from its inception are fighting bitterly to keep it such. But the reality is that this is not quite the version of the internet that many new users experience. They have inherited an internet fraught with crime such as hate speech and cyber bullying; it is an internet where net neutrality is being threatened in the very country that created it, an online world where big corporations are pushing stringent intellectual property regimes and where ‘free trade’ over the internet seems to be a well-crafted narrative to promote the supremacy of US companies. Navigating these waters, for people and governments alike, can be complex.

Currently, the US dominates the global internet governance architecture and pushes a multistakeholder system that banks on the participation and maturity of all stakeholders. Countries like India, tiptoeing into many of these fora, do not share the same enthusiasm for these governance mechanisms. The vast majority of Indian citizens are not yet online. In fact, the Indian government is most concerned about the current management structure of critical internet resources, the uncoordinated national approaches to determine cyber jurisdiction over transactions that span multiple territories, and ensuring universal access through affordable (and secure) devices. With this background, it can be understood why the world’s most diverse democracy has resisted “multistakeholderism” as a global governance mechanism, a system inherently democratic in its description, but not yet suited to its objectives.

Yet, for a people famously called argumentative by Nobel laureate Amartya Sen, Indians have been curiously lacking in explanations about these particular decisions. The international press, confused by the government of India’s contrarian views, simplistically bunches it along with authoritarian countries who oppose the US’s global governance framework.

The below Issue Brief attempts to unpack India’s approach to global governance, and its attempt to seek a new global governance paradigm: http://www.globalpolicyjournal.com/blog/30/09/2014/global-internet-governance-indias-search-new-paradigm