The legal contours of India’s ‘sovereign cyberspace’
EARLIER this year, India gained the unenviable distinction of being the most ‘cyber attacked’ nation in the world. However, the legal tools deployed to mitigate the threat of cyber attacks so far have proved insufficient. This article provides a bird’s-eye view of India’s policy positions in relation to recent efforts at various multilateral and multi-stakeholder fora seeking to upgrade interpretations of international rules, or formulate new ones to combat the growing malicious use of increasingly sophisticated information communication technologies (ICT).
In a short span of 20 years since the promulgation of the Information Technology Act, 2000, cyber attacks have become the most significant threat to the security of the state. Data released by India’s Computer Emergency Response Team (CERT-In) reveals a ten-fold increase in incidents like network scanning and probing between 2017 and 2018 alone. From 9359 incidents in 2017, CERT-In recorded 127481 such incidents in 2018. The National Crime Records Bureau (NCRB) reported a doubling of ICT-enabled crimes under the Indian Penal Code between 2016 and 2017. According to the NCRB, more than half of the reported cyber crime in India is economically motivated, causing great financial losses to citizens and perpetuating economic insecurity.
However, these statistics on malicious cyber activity and cyber crime do not reveal whether the origin of these cyber attacks against Indian targets can be attributed to another state, or non-state actors or individuals, who may be foreign or domestic. As a consequence of numerous barriers – including technological, strategic and legal – to decisive attribution of cyber attacks and incidents, India is faced with a kind of ‘Schrödinger’s cyberwar’. The state is defending itself against adversaries whose legal status, and consequently, rights and obligations remain unclear in law, often due to technological obfuscation. This problem is further compounded by limited technological capacity of the government. In most cases, the identity of the adversary – which may be another state, non-state entity or individual – as perceived by the victim state remains in flux.
For a sovereign nation to build effective cyber defences, evolution of the applicable domestic and international law is essential to complement efforts to upgrade the technological capacity of the state and bolster avenues to strengthen international cooperation. Domestically, recent policy trends have been focused on ‘digital sovereignty’, manifested in policies like data localization, which was watered down under the 2019 Personal Data Protection Bill. Owing to the inherent nature of cyberspace as a borderless realm, such policies cannot be implemented without sovereign control over cyberspace, including its physical layer (DNS root servers, routers, fibre optic cables, hardware etc.) as well as logical layer (code, such as the Transmission Control Protocol/Internet Protocol, or ‘TCP/IP’), or cooperation of the private sector, especially Big Tech corporations. Such a scenario poses serious hurdles for domestic law enforcement – an inherently sovereign function – and consequently, manifests as a government restriction on freedom of expression exercised through censorship, or ‘moderation’ of the content layer (e.g. websites, social media, e-marketplaces etc.), that remains the most visible and accessible component of cyberspace. In extreme cases, cutting off access to this layer altogether by way of internet shutdowns tends to be the preferred mode of ‘preventive policing’ of cyberspace.
Additionally, the skewed global distribution of infrastructure and knowledge comprising the physical and logical layers of the internet, heavily concentrated in western nations, but under the effective control of private actors, poses insurmountable challenges for India’s domestic legal system. The need for a coherent international legal framework to enable effective investigation and attribution of cyber incidents is apparent to effectively grapple with their international dimensions.
Although the IT Act mandates the exercise of jurisdiction beyond India’s territorial borders, it is rarely implemented owing to difficulties in cooperation with foreign law enforcement agencies, incompatible legal regimes and red tape, as well as challenges in domestic regulation of Big Tech, especially social media intermediaries. A salient example is the WhatsApp traceability issue currently pending verdict, where the Indian government has mounted an offensive against end-to-end (E2E) encrypted communications. This attitude was also shared by the governments of the United Kingdom (UK), United States (US) and Australia, who jointly wrote an open letter to Facebook last year, in a bid to discourage the use of E2E encryption without providing for a backdoor to enable lawful access to content by law enforcement agencies.
This example is also useful to illustrate the pivotal role of the private sector in the global governance of ICT, stemming from their control over its infrastructure. The tussle for technological supremacy between pre-eminent cyber powers tends to drive technical know-how and expertise deeper into the opaque cover of national security. Additionally, the far-reaching influence of transnational private sector players like Facebook, WhatsApp, Apple on the one hand and Huawei, Xiaomi, ByteDance on the other, creates a ‘cyber landscape’ that is a potential minefield for governments to navigate, especially for those aspiring to become cyber powers themselves.
Although China has traditionally been the rival to India’s claim to primacy in South Asia, India’s domestic legal approach appears to mirror that of China, given our domestic policy emphasis on sovereignty in cyberspace and its manifestations. Huawei’s entrenchment in the Indian telecom scene adds to the complexity of our posturing in the broader context of this struggle for technological supremacy. The question that remains is whether we will do the same in our strategy to engage with international institutions tasked with formulating these norms. The paradoxes of (cyber) war certainly appear to engender a ‘reversal and even coming together of opposites’.1
Given international law’s state-centric approach to the formulation and implementation of legal rules and norms, a borderless cyberspace poses unique challenges to peaceful coexistence and cooperation among actors of the international community. Additionally, the existence of diverse models to regulate the private sector across jurisdictions and exacerbation of the ‘digital divide’ through rapid proliferation of technologies make it exceptionally difficult for governments to formulate and implement universally acceptable rules and norms.
Thus, India finds itself positioned rather awkwardly between the East and the West. While there is widespread agreement that international law applies in cyberspace, there is pervasive disagreement among nations as to exactly how it applies. Last year, India’s External Affairs Minister S. Jaishankar spoke of a new approach to India’s foreign policy with a pre-emptive defence posturing that has abandoned its old policy of non-alignment, replaced by an issue-based ‘multi-alignment’2 to advance national interests and priorities. However, India is yet to clearly define its interests in cyberspace. So far, seven nations, including Australia, Estonia, France, Germany, the Netherlands, the UK, and the US have issued comprehensive national statements on how international law applies to cyberspace.
It remains to be seen whether India’s National Cybersecurity Strategy slated for release in 2020 will employ the language of international law to articulate its interests and ambitions in this new domain of warfare. Meanwhile, the task before Indian negotiators is a formidable one – to reconcile two apparently incompatible approaches3 in parallel processes currently ongoing under the aegis of the United Nations.
The United Nations Group of Governmental Experts on advancing responsible state behaviour in cyberspace (GGE) has pushed the agenda of a ‘free, open internet’ through voluntary, non-binding norms to govern state behaviour. On the other hand, the UN Open-Ended Working Group (OEWG) on Developments in the Field of ICTs in the Context of International Security, led by Russia, has emphasized ‘cyber sovereignty’ and the development of a legally binding framework of rules to govern state behaviour in cyberspace. The GGE consists of a few states selected on the basis of equitable geographical distribution whereas the OEWG is open to all UN member states. It is noteworthy that the call for cyber norms is rooted in a Russian-led arms control resolution dating back to 1998, focused on mitigating threats from information weapons and information wars, while pushing for the ability to retain control over information environments.
Certain commentators have termed this dynamic between western interpretations and Sino-Russian interpretations of international law as a state of ‘Mutually Assured Diplomacy’4 – predicting it is likely that both the GGE and OEWG processes will fail or both will yield results, creating two separate but overlapping legal frameworks or interpretations competing for universal acceptance.
The GGE, set up in 2004 and currently in its sixth iteration, has issued consensus reports in 2010, 2013 and 2015. India has been a participating member state in all its sessions, except in 2015. The 2015 Report of the GGE is a significant milestone, in its affirmation of the applicability of international law in cyberspace, and the need to further explore how international law applies in cyberspace. However, in its 2017 session the GGE failed to arrive at a consensus. This failure was largely due to strong opposition from some states including Russia, China and Cuba on the inclusion of an explicit reference to the applicability of the right of self-defence, countermeasures and international humanitarian law (IHL) in the draft report. In their view, such provisions would legitimize the ongoing militarization of cyberspace and compromise its stability and security.
Soon after UNGGE talks broke down, two separate resolutions were passed in the UN – one US-led, pushing for a new GGE to be constituted, and one Russia-led, calling for an open-ended working group on rules, norms and principles for responsible state behaviour in November 2018. The OEWG is due to report to the UN General Assembly (UNGA) in its 75th Session in September 2020, and now appears to consider voluntary non-binding norms as complementary to binding obligations in international law, attempting to build upon the GGE’s 2015 Report.5 However, the scope of state sovereignty and the right to self-defence in cyberspace as well as the scope for the application of IHL remain unresolved issues.
Having voted in favour of both these resolutions, setting up the GGE and OEWG, India has yet to take an explicit stance on the divide between the two camps, or articulate a middle ground. Some have argued that India’s ambiguous stance may create a strategic advantage; however, this is only partially true. A foreign policy aimed at ‘multi-alignment’ in search of a more prominent role in contested domains in a rapidly changing international order must identify and collaborate with ‘like-minded nations’ to distinguish between our allies and adversaries in cyberspace. There is little clarity to be gained from other states’ legal interpretations tailored to serve their own interests.
At the OEWG’s June 2019 session, India’s remarks were focused on encouraging bilateral and multilateral efforts aimed at developing a better understanding of international legal concepts that underpin the discussion on states’ use of ICTs – including cyber sovereignty, jurisdiction, attacks, and threshold for invoking the right to self-defence under the UN Charter.6 Undoubtedly, conceptual clarity is indispensable. Without a conceptualization of what category of cyber crimes and cyber incidents may constitute ‘cyber attacks’ and therefore, be treated as an infringement of India’s sovereignty that necessarily merits a proportionate response in law, the roadmap towards building an ‘open, secure, stable, accessible, interoperable and peaceful ICT environment’ is akin to driving in the dark.
In seeking a more prominent role on the international stage, there are multiple hurdles before India on its path from an international rule-taker to a rule-shaper. The multiplicity of platforms for discussion of cyber norms is a major challenge in navigating international lawmaking processes. For instance, some states have also indicated a preference to refer the task of codifying international law applicable to cyberspace to the International Law Commission. Other multi-stakeholder efforts have proliferated in recent times, in a bid to catalyse the crystallization of universally acceptable ‘rules of the road’ for responsible behaviour in cyberspace.
The expansion of the UN GGE mandate in 2015 to examine the question of how international law applies to cyberspace engendered a three-year long effort by NATO to gather a group consisting entirely of western international law scholars and cyber security experts to produce the ‘Tallinn Manual’ on the International Law Applicable to Cyberspace. A second edition, with nominally better representation was released in 2018, but appears to have found little support in actual state practice.
The Global Commission on the Stability of Cyberspace (GCSC) established in 2015, articulated eight norms dubbed as the ‘Singapore Norm Package’ in 2018. In its final report of 2019, the GCSC also recommended the protection of the ‘public core of the internet’ – originally proposed by the Government of the Netherlands that did not gain support from all members of the GGE. The GCSC comprised 26 Commissioners representing a wide range of geographic regions as well as industry, technical and civil society stakeholders. Many of its members are former officials with various governments, including India’s former Deputy National Security Advisor, Ambassador Latha Reddy.
The Paris Call for Trust and Stability in Cyberspace of 12 November 2018 led by French President Emmanuel Macron, articulated nine principles to secure cyberspace. These principles reaffirmed the applicability of international law and norms to cyberspace and encouraged cross-sectoral collaboration in recognizing the role and importance of the private sector in promoting trust and security in cyberspace. The Paris Call has so far garnered the support of 78 states and over 400 civil society organizations. Notably, both India and the United States have not joined the call.
The Paris Call considers the Budapest Convention on Cyber Crime as a key tool to strengthen defences against cyber criminals. This reference to the Budapest Convention is an apparent reason for India’s refusal to join the Paris Call, choosing instead to sign a bilateral digital partnership with France in 2019. The reason for India’s hesitation to accede to the Budapest Convention is unclear but appears grounded in first, its perception of the Eurocentric process of negotiation and drafting through the Council of Europe, and second, its substantive concerns with provisions under the convention that seek a harmonization of domestic substantive and procedural criminal law of the states parties. This continues to hamper the effective investigation and the overall implementation of domestic law on cyber crime, including especially, the provision for extraterritorial enforcement of the IT Act.
Terrorism is another domain where India has struggled with the international dimension of crimes committed on its sovereign territory and has repeatedly called for greater international cooperation to tackle cross-border terrorism. New Zealand and France led the drafting and adoption of the Christchurch Call to Action in May 2019, two months after the terrorist attack that killed 51 people at two mosques at Christchurch in New Zealand was live streamed on social media. This call outlines ‘collective’ and ‘voluntary’ commitments from governments and online service providers intended to address the issue of terrorist and violent extremist content online and to prevent the abuse of the internet. Notably, while India is a signatory to the Christchurch Call, the United States refused to join, citing its potential to impinge upon free speech rights protected under its constitution.
Similarly, private sector initiatives have mushroomed in the last few years since talks at the GGE broke down. It is unsurprising that corporations have rushed in to fill the void where state governments are unable to arrive at a consensus, considering first, that the responsibility to implement any norms that may be agreed upon will rest on their shoulders; second, that their technological capabilities will supply nuance to an otherwise political debate; and third, that their financial resources may supplement states’ limited resources that can be diverted to engagements at international platforms. However, a proactive role for the private sector has not been equally palatable to all concerned parties.
Microsoft’s call for a ‘Digital Geneva Convention’ in 2017 urged corporations to commit to not participate in cyber attacks; the call also urged governments to do more to protect civilians and called for an independent international body to investigate and attribute cyber attacks against countries, but it received only a lukewarm response. Some criticized Microsoft for venturing into what has traditionally been the exclusive prerogative of the sovereign state under international law.
Over a year later, Microsoft pioneered the Cybersecurity Tech Accord in 2018, which has now been adopted by over 100 companies who espouse four principles – stronger defence, no offence, capacity building and collective action with like-minded organizations. The list of signatories includes Facebook, ARM, Cisco and FireEye among others. The establishment of the Cyber Peace Institute under Microsoft’s leadership in 2019 to provide assistance and promote collaborations for responsible behaviour is yet another step forward in the direction of international cooperation for a peaceful cyberspace underwritten by the private sector. The Charter of Trust initiated by Siemens at the Munich Security Conference in 2018 started with eight signatory corporations who endorsed a set of principles broadly aimed at reducing cyber risks. Its membership grew to include corporations including Cisco, Dell Technologies and IBM and now stands at 16.
For greater engagement with such norm-shaping and norm-making processes, the government needs to guide and equip Indian companies through industry associations to play a proactive role. Improvement of international efforts at capacity building across the public and private sectors undoubtedly needs to be an area of focus for India in these multi-stakeholder forums. Necessarily, this will also help us to better understand the needs of the domestic cyber security sector specifically and the ICT and Information Technology Enabled Services (ITES) sector at large.
It is exceptionally difficult to decisively predict how the international order will change and evolve from the COVID-19 pandemic. In today’s borderless, but gradually fragmenting cyberspace, one thing is clear – India’s unwavering commitment to protect and preserve its rights as a sovereign state even when pitted against faceless adversaries. The broader political challenge in the formulation of an international cyber policy lies in preserving the international legal principle of sovereign equality.
The process of developing new norms and interpretations of existing law needs to recognize common interests and shared responsibilities in the face of differential access to the means and methods of waging cyber wars, along with other weapons of mass disruption. Whether voluntary, non-binding norms will be adequate to restrain, if not halt their disruptive effects is the question India’s strategists have to answer to help India’s negotiators navigate the paradoxes of cyber war.
1. Edward Luttwak, Strategy: The Logic of War and Peace. Harvard University Press, Cambridge, Mass, 1987.
2. External Affairs Minister S. Jaishankar’s Speech at the 4th Ramnath Goenka Lecture, 14 November 2019. https://mea.gov.in/Speeches-Statements.htm?dtl/32038/External+Affairs+Ministers+speech+at+the+4th+Ramnath+Goenka+Lecture+2019.
3. Josh Gold, ‘Two Incompatible Approaches to Governing Cyberspace Hinder Global Consensus’, Leiden Security and Global Affairs Blog, 16 May 2019. https://leidensecurityandglobalaffairs.nl/articles/two-incompatible-approaches-to-governing-cyberspace-hinder-global-consensus
4. Dennis Broeders, ‘Mutually Assured Diplomacy: Governance, "Unpeace" and Diplomacy in Cyberspace’, ORF Digital Debates, 2019, at pp. 26-29. https://www.orfonline.org/wp-content/uploads/2019/10/Digital_Debates_2019_V7.pdf
5. United Nations Open-Ended Working Group, Initial ‘Pre-draft’ of the Report of the OEWG on Developments in the Field of Information and Telecommunications in the Context of International Security, 16 March 2020, https://unoda-web.s3.amazonaws.com/wp-content/uploads/2020/03/200311-Pre-Draft-OEWG-ICT.pdf
6. Statement delivered by India at the Organisational Session of the Open-Ended Working Group (OEWG) on ‘Developments in the field of Information and Telecommunications in the Context of International Security’, in New York on 3 June 2019. http://meaindia.nic.in/cdgeneva/?8251?000