Strategy in cyberspace
SANDEEP BHARDWAJ
UNDERSTANDING Indian policy in cyberspace and the rationale behind its decision making processes is not easy. To begin with, there are the definitional issues emerging from the vague nature of what we conceive of as the Internet. Further, the technological novelty of cyberspace, combined with its ever growing, pervasive multidimensionality, has complicated the question of what exactly is there to govern.
These problems have resulted in creating a tendency amongst analysts to focus on specific aspects of cyber-space rather than engaging in a broader study. To an extent, one predictable consequence of this has been of missing the proverbial forest for the trees. An examination of any Internet related policy of the Indian government, limited in both scope and time (given the relatively short history of the Internet), often presents a timeline marked by sudden innovative initiatives, which is followed by long periods of inertia or the decision making process running up a blind alley. Accordingly, the impression that has emerged amongst most observers is of the government, hemmed in by a slow learning curve, reacting to various technological developments and events through a purely bureaucratic and technocratic lens. Such policies, whether laudable or confused, are then seen as a micro-level response rather than part of a greater strategy.
1I do not contest this interpretation. However, I argue that beyond these limitations and tendencies, there is a broader pattern to be noticed and analyzed within India’s Internet related policies. On a larger scale, the government’s policies have largely been driven by a set of guiding principles. These principles, internalized by the government, have served as a larger framework within which various policy options are deliberated and decided upon. While the plethora of Internet related issues lie beyond the scope of this essay, I will address three issues that have emerged as the most pertinent for the Internet, and try to demonstrate the operationalization of these principles.
The essay is divided into five sections. The first fleshes out the guiding principles and the next three analyze the Indian response to the three most critical Internet related issues – the militarization of cyberspace, global debates over Internet governance and the unbridled opportunities of surveillance and censorship offered by the network technologies. The final section presents my key conclusions.
T
he guiding principles which have driven India’s Internet related policies so far are derived from its larger foreign policy, democratic values and approach to maintaining internal stability and social cohesion. This is not to say that there was a conscious effort to distil the essence of these values and approaches and translate them for the cyberspace domain. Rather, perhaps, wherever the policy making process of Internet related issues came in contact with these larger concerns, the government’s general thinking about the latter seeped into the former. Accordingly, there are at least three general principles which can consistently be seen at work in most policy decisions taken by the government on cyberspace.The first is an effort to retain as many policy choices as possible when engaged in global debates over the Internet. This draws from India’s contemporary foreign policy, which many have argued to be a reimagined version of the principles of nonalignment. If the core objective of Indian foreign policy is ‘to give India maximum options in its relations with the outside world – that is, to enhance India’s strategic space and capacity for independent agency’,
2 then India’s position in global debates on cyberspace can be seen to follow this line.A second principle has been to preserve India’s democratic values in terms of the state’s interaction with cyberspace. This approach has been complicated by two unique features of the net. One, emerging network technologies allow the state unparalleled opportunities to violate its citizen’s privacy and freedom.
3 Two, deciding the limits of what state behaviour in cyberspace can be construed as democratic and what passes onto the realm of authoritarianism remains an open question, which can be answered only after decades of experimentation. India’s solution to these problems, so far, has been to create democratic limits for its behaviour based on allocentric definitions rather than experimenting on its own. This has essentially translated into the practice of operating within the framework of perceived legitimacy created by the actions of other democratic governments, particularly the United States.
H
owever, this self-restraint has complicated the much larger question of the state’s presence in cyberspace. In this regard, India has adopted the third principle – establishing supremacy of the state. Over the last couple of decades, the virtual world has encouraged and nurtured the aspirations of civil society and private individuals to challenge the state in terms of authority, leading to widespread debate over the future of governance itself.4 For India this debate has come in conflict with the government’s critical task, ‘the Hobbesian one of keeping order’ over India.5 Therefore, the Indian government, while allowing the participation of various stakeholders in an advisory capacity, has time and again asserted its supremacy over them within cyberspace. Not only has it sought to retain the capability to do so, it has also strived to attach legitimacy to it.These three principles – retaining maximum options, maintaining self-restraint and establishing state supremacy – have resulted in a framework within which India has defined its Internet related policies. The first principle has often served to push India to explore various, often innovative, policy options. The other two, somewhat contradictory to each other, act as a ceiling and floor limit of state behaviour in cyberspace. With this as a guide, we shall now turn our attention to various specific policy areas.
P
erhaps the most pressing Internet related issue facing a majority of countries in the world is the militarization of cyberspace. The Georgian War, Ghost Net, Stuxnet and the Snowden revelations are just some of the many instances of states employing Internet based tools for espionage and coercion. Just as significantly, there are now at least five nations – the United States, Russia, China, United Kingdom and Israel – with demonstrated cyber offensive capabilities. These capabilities have not just added to the military power of these nations, but in many cases have acted as a force multiplier. Regardless of the academic debate surrounding it, ‘cyber war’ is here to stay.6India, admittedly lagging behind in this field, has sought to meet this challenge by a multi-pronged strategy. First are its efforts to develop domestic infrastructure capable of both offence and defence. Several initiatives have been taken to protect both civilian and government networks: the creation of a National Critical Information Infrastructure Protection Centre (NCIIPC) under India’s signals intelligence agency, National Technical Research Organization (NTRO),
7 establishment of Computer Emergency Response Team (CERT-In) to protect government networks, developing industry standards to be enforced on corporate India8 and the highly ambitious target of training 500,000 cyber security professionals by 2017.9
P
arallel to it are India’s expanding efforts to develop its own espionage and cyber offensive capabilities. Foremost is the much talked about Centralized Monitoring System (CMS), which is designed to collect Internet usage data ‘upstream’. This will allow the security agencies to monitor various Internet based communications very similar to the US National Security Agency’s MUSCULAR programme (and not PRISM programme that it is often compared to).10 This is combined with the government’s regulatory policy of forcing various data carriers to provide it with their encryption methods.11 Second, are the Indian military’s efforts to develop domestic production of defence technologies in cyberspace12 and the plans to establish a cyber command.13However, New Delhi recognizes the technological limitations imposed on it by lack of resources and technical know-how. Attempting to compete with other nations, which have already invested tremendous amounts of resources and have a ready base of technically competent manpower, is likely to be an uphill battle. India has sought to compensate for these deficiencies by seeking security cooperation with other nations like the US and the UK.
14 India is aided in this effort by the fact that its networks are home to enormous amounts of data about American and British companies and individuals held by Indian BPO/KPO industry. This data presents vulnerabilities for the US and UK which can only be secured either by a massive restructuring of their economy to minimize outsourcing or beefing up Indian networks. The latter option, cheaper of the two, is likely to result in technology transfers and knowledge sharing which will aid Indian cyber security efforts.
T
he third prong of Indian strategy has been to explore the possibility of curtailing the capabilities of others – through establishing norms for cyber warfare and imposing international cyber weapons control – something that has been consistently opposed by the United States. To this end, the Indian National Security Adviser Shivshankar Menon called out for ‘rules of the game’ in cyber warfare in 2011.15 Russia, which has been ineffectively trying to raise the issue of a cyber weapons control treaty in the United Nations since 1998, has recently gained India’s support.As we can see, India’s efforts have been to consciously retain maximum options, all the while developing a capacity to establish the state’s supremacy within its domestic setting. It must be noted that this was not the only path open to India. The United Kingdom, faced with similar challenges, chose to have a much closer alliance with the US, sharing intelligence data on a massive scale. China has ensured the security of its networks by tightly controlling them. Russia, aided by limited Internet penetration in the country, and the relatively low levels of digitization and mechanization of the economy (a situation similar to India’s), has used the consequent low vulnerability as a window of opportunity to aggressively leapfrog other nations in its offensive capabilities. Brazil has reacted to the Snowden revelations by embarking on an aggressive public campaign to reduce American dominance over the Internet. All of these seek to demonstrate the wide variety of strategic choices that India could have made, but did not.
T
he second issue of growing significance relates to Internet governance. Internet governance, which essentially means control and regulation of key Internet infrastructure like the domain name servers and the Internet protocol, has been a hotly contested topic for over a decade. Over the last three years, polarization over this issue has been growing on three different axes – West vs. East, authoritarian vs. democratic and intergovernmental vs. multistakeholder. First, countries like Russia and China have argued against greater international control over the Internet infrastructure, which is currently under undue American influence. Second, is the effort of authoritarian regimes to promote an international regulatory framework which allows them greater capacity of surveillance and censorship. Finally, there is the effort of non-governmental organizations and individuals to keep the Internet free of governmental control and instead regulate it within a multistakeholder approach.
B
y the beginning of this decade, India had formulated a coherent position on the subject. The Indian position on the issue of Internet governance transcends the current polarization. While India seems to agree with the Russia-China coalition to permit greater multilateral control of the Internet, it has sided with the US regarding privacy and censorship. Essentially, its position is pro-democratic, for East-West balance and supporting the idea of supremacy of governments over other stakeholders. India’s own proposals to create an inter-governmental regulatory agency within the UN and to reform by Demote the multistakeholder Internet Governance Forum (IGF) have met with significant opposition.16Since then, India has refused to commit itself to either side of the inter-governmental debate (East-West and authoritarian-democratic) while arguing for the supremacy of government over other stakeholders. A prominent display of this was at the World Conference on International Telecommunications in 2012, where both sides – a US-led bloc of European nations and a coalition of China, Russia and Middle Eastern nations – were busy drawing lines in the sand. The conference resulted in a walkout by the US-led bloc. India remained non-committal during the debate, only contributing in so far as it pushed for greater control of governments over their national networks.
17 At the end, while India chose to walk out of the conference along with the US-led bloc, it made sure to clarify the distinction between its own position and the American one.18 As the debate draws to a closure, it is unclear whether India’s non-committal position will prove to be an asset or a burden.
A
nother interesting aspect of Internet related policies, where a study of the Indian government’s behaviour might be illuminating, is the topic of surveillance and censorship. Although the two issues are quite distinct, they have very similar implications for policy in cyberspace.This is an area where the Indian position is unique in the world. While a democracy, India has a different political and social construction of individual privacy and freedom of expression. India also has a history of executive prerogatives on such issues, which are often accepted unchallenged. In regards to the Internet, the Indian government has vested itself with a tremendous amount of unchecked power through the controversial Article 66A of the Information Technology Act.
19 Most Internet service providers and data carriers operating within India have been historically amenable to the government’s requests of censorship and surveillance (in contrast to say, the United States, where such requests for cooperation are often challenged by the companies in court). And companies, which have tried to challenge the government’s authority, have been coerced to back down.Given this context, it is easy to assume that the Indian government has a track record of surveillance and censorship very distinct from that of other democracies. However, this is not the case. Until now, India has remained within the bounds of perceived legitimacy set by the precedents of other democracies.
F
or instance, let’s consider government requests for cooperation to major platforms like Google and Facebook. In the first six months of 2013, India ranked third in the number of requests to Google to remove certain search results from its website.20 In the same period, it ranked second in asking Facebook for sharing its user content.21 However, in both cases, it shared that list with other democracies. While India asked Facebook to share details of 3,245 accounts, US asked for the details of over 11,000 accounts. Indian requests for Google content removal were exceeded by the US by 382. A cursory glance at the same list showed other western democracies like the United Kingdom, at a somewhat similar position to India.However, an interesting facet of these statistics is to be found at the bottom of the list, where authoritarian regimes like Saudi Arabia and Iran feature with almost no requests, while China is conspicuously missing. This is due to the fact that these countries have chosen to implement their censorship and surveillance not with the cooperation of the content providers such as Google, but through installing web filters and monitors at the bottlenecks of their national networks. These are inexpensive and easily available technologies which are now employed in practically every Middle Eastern country, China and Russia.
Again, in terms of selecting content for censorship, India has been discriminating. Apart from a few infamous cases, India has not chosen to censor government criticism (its requests to Google dropping to zero in 2012 and staying there). Its choice of social and security related censorship has also remained very limited, usually aimed at a particular URL, rather than a blanket ban on keywords as is often the case in many countries.
T
his is not to say that Indian censorship and surveillance methods are exactly similar to those employed by other democracies. The Indian government has often favoured using executive prerogative rather than court orders. In the case of Google, 86% of the requests came from the executive and only 14% from court orders. Moreover, India continues to employ very selective filtering through its ISPs, a method not commonly used by some democracies like France and Germany (which employ other filtering mechanisms).22However, by and large, Indian policy in this regard has been to retain wide-ranging capabilities but exercise self-restraint within the limits set by globally acceptable levels. Whether those levels actually help preserve democratic values or supplant them is a much wider debate. For the moment, India has chosen to remain away from it.
T
he objective of this article was to challenge the common perception that India’s Internet related policies have been technocratic reactions to various events and demonstrate that instead, such policies emerged from a set of guiding principles. These principles, in turn, draw from the much larger experience of the Indian state. While most policy decisions were precipitated by certain new developments within India and abroad, they have been crafted within a larger framework internalized by the Indian leadership and bureaucracy.The three areas discussed in this article – militarization of cyberspace, debate over Internet governance, and the issue of surveillance and censorship – are not the only ones in which the effects of these principles can be felt. A whole host of other Internet related challenges confront the government today, ranging from issues of copyright, cyber crime, to the rising cost of the Internet. A study of Indian response to these issues is likely to show a similar overarching theme.
Nevertheless, the three issues discussed in this article remain the most pertinent and urgent ones. The Snowden revelations have brought the question of the Internet’s militarization centre stage for most nations, including India. Failing to respond immediately or follow it through, is likely to result in a gap which will not be easy to fill. The polarization over the debate on Internet governance is at least likely to find some kind of closure by 2015, when the current treaty on International Telecommunication Regulations expires. A failure to meaningfully engage in that debate beforehand will likely result in an Internet that India wouldn’t want. The emerging technologies of surveillance and censorship are likely to prove extremely tempting tools, especially in a setting like India. Their usage by India in the coming years is likely to set the institutional tone for the foreseeable future.
As we have seen, India has begun to respond to all three challenges, at least to a certain extent. However, the Indian position continues to remain tentative and hence easily reversible. The incoming government of 2014 can easily choose to change its positions or let these issues slide down the priority list, and let the current initiatives die out. However, it is unlikely that the government after next (presumably in 2019) is likely to find the situation so malleable. By that time, India’s positions would have hardened, either by governments choice or by external developments.
F
inally, one may stretch the argument by asserting that the principles discussed in this essay betray ideological roots of the ruling government. Almost all the Internet related policy decisions in the last years have been made under the Congress-led government. And these principles, to a certain extent, reflect its ideology. Nonalignment or some variant of it, espoused by the Congress for decades, finds its similarity with the notion of retaining maximum options. Contrast this with the ideological position of the Bharatiya Janata Party (BJP), which prefers closer relationships with certain nations, while maintaining a distance with others. The choice to censor for the purpose of maintaining internal order and stability may be challenged by those political parties which endorse social censorship. Maintaining the supremacy of the state over all the other stakeholders is directly contradicted by the libertarian ideology of the Aam Aadmi Party (AAP). Accordingly, one cannot rule out fundamental, albeit subtle, changes in Internet related policies with a change in the government itself.
Footnotes:
1. For instance, see C. Raja Mohan, ‘No Splinternet’, The Indian Express, 19 March 2014; H.S. Puri, ‘In Strategic Interest, and for Self-respect’, The Indian Express, 30 January 2014.
2. Sunil Khilnani, et al., Nonalignment 2.0: A Foreign and Strategic Policy for India in the 21st Century. Penguin, UK, 2013.
3. See Ronald Deibert, Black Code: Surveillance, Privacy, and the Dark Side of the Internet. McClelland & Stewart, 2013.
4. Some key texts on this debate are Lawrence Lessig, Code and Other Laws of Cyberspace. Basic Books, 1999; Milton L. Mueller, Networks and States: The Global Politics of Internet Governance. MIT Press, 2010; Daniel W. Drezner, ‘The Global Governance of the Internet: Bringing the State Back in’, Political Science Quarterly 119(3), 2004, pp. 477-498.
5. Sunil Khilnani, et al., op. cit.
6.Thomas Rid, Cyber War Will Not Take Place. Oxford University Press, 2013.
7. Guidelines for Protection of National Critical Information Infrastructure, NCIIPC, June 2013.
8. National Cybersecurity Policy, Department of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India, 2013.
9. Indrani Bagchi and Vishwa Mohan, ‘5 Lakh Cyber Warriors to Bolster India’s E-defence’, The Times of India, 16 October 2012.
10. Annual Report 2011-2012, Centre for Development of Telematics, Government of India, 2013.
11. Vikas Bajaj, ‘India Warns it Will Block BlackBerry Traffic That it Can’t Monitor’, The New York Times, 12 Aug 2010; Phred Dvorak, Amol Sharma and Margaret Coker, ‘RIM Offered Security Fixes’, The Wall Street Journal, 14 August 2010.
12. http://articles.economictimes.indiatimes. com/2013-12-16/news/45256400_1_security-agencies-drdo-cabinet-secretariat
13. http://www.dnaindia.com/india/report-india-readies-cyber-command-service-to-combat-espionage-threats-online-1950997
14. ‘Sharing Cyber Crime Info Tops India-US Talks Agenda’, The Times of India, 3 December 2013; Kalyan Parbat, ‘India, UK Talks on Cyber Security on December 3’, The Economic Times, 30 November 2013.
15. P.D. Samanta, ‘India Wants Rules of "Cyber War" Defined’, The Indian Express, 7 February 2011.
16. For details see Sandeep Bhardwaj, ‘Security in Cyberspace’, in W.P.S. Sidhu, et al. (eds.), Shaping the Emerging World: India and the Multilateral Order. Brookings Institution Press, 2013; See also Anja Kovacs, ‘Is India Reviving its Proposal for a Multilateral UN Body to Take Over the Governance of the Internet?’, Internet Democracy Project, 14 November 2013.
17. WCIT-12, ‘India (Republic of): Proposals for the Work of the Conference’, Document 21-E, 3 November 2012, www. wcitleaks.org; point-by-point comparison of India’s final proposals with others can be seen at WCIT-12, ‘Proposals Received from ITU Member States for the Work of the Conference’, Document DT/1-E, 30 Nov 2012, www.itu.int/en/wcit-12
18. ‘India’s Officially Submitted Stand on ITR at WCIT-2012’, Press Information Bureau, Government of India, 14 December 2012.
19. Aparna Viswanathan, ‘An Unreasonable Assertion’, The Hindu, 20 February 2013.
20. Google Transparency Report, Google, 2013.
21 Facebook Transparency Report, Facebook 2013.
22. Ronald Deibert, et al., Access Denied: The Practice and Policy of Global Internet Filtering. MIT Press, 2008.