By Lily Xiao
On 7 June 2016, ongoing discussions between Prime Minister Narendra Modi and President Barack Obama culminated in the US-India Cyber Relationship Framework, expected to be signed within 60 days. As part of a deepening strategic partnership between the US and India, the Framework establishes a bilateral commitment to an open, interoperable, secure and reliable cyberspace environment, and bilateral measures to combat cybercrime. As India’s interests find commonality with those of the US, this post considers what implications the Framework has for India’s foreign policy on Internet governance.
Cybersecurity measures and the Budapest Convention
The Framework instructs on the implementation of a range of bilateral and cooperative cybersecurity measures. They include information sharing, on a real or near real time basis regarding malicious cybersecurity threats; developing joint mechanisms for practical cooperation to mitigate cybersecurity threats; cooperation in research and development; and improving the capacity of law enforcement agencies through joint training programs.
These measures bear some resemblance to Article 23 of the Convention on Cybercrime or Budapest Convention, which was drafted by the Council of Europe in 2001. Article 23 stipulates that signatories ‘shall cooperate with each other… to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence’. The US has suggested that India should join the Budapest Convention, and reiterates this bid in the Framework to ‘[promote] the applicability of international law to state conduct in cyberspace and further exploring how it applies to state conduct in cyberspace’.
However up until now, India has refused to sign the Budapest Convention because they were not involved or consulted in its drafting. While the insistence of the US may be a political factor India considers, this does not change the crucial problem India has with the Budapest Convention; namely that it does not sufficiently reflect India’s priorities regarding cybersecurity. In order to prevent cyber attacks, most notably from China, India’s priority is to establish an equitable and inclusive multilateral instrument, which is created with active participation from all signatories, not just those in Europe.Multilateral cooperative agreements are the most viable solution to combat cybercrimes, because the Internet, by is nature, is unconstrained by state borders, making cybercrimes difficult to attribute to a single country of origin. Thus, bilateral agreements, like the one initiated by this Framework with the US, can only go so far in combatting cybercrime.
India’s recommitment to multi-stakeholderism
In August 2015, India came out in favour of multi-stakeholderism, the model of Internet governance in which all stakeholders have an equal role to play. The Framework indicates the apparent convergence of the US and India’s approaches to Internet governance, citing bilateral support for the multi-stakeholder model of Internet governance that is ‘transparent and accountable to its stakeholders including governments, civil society and the private sector, and promotes cooperation among them’. Questions over India’s commitment to multi-stakeholderism were raised following the joint statement released in April 2016 with Russia and China. Understandably, the US had concerns following the release of this joint statement, which may have led them to ensure the language of the Framework was clearly in support of multi-stakeholderism. The consequences of this Framework for India’s relationship with Russia and China will be considered later.
However, India’s implementation of multi-stakeholderism is not without limitations.The Minister for Communications and IT has stated thatIndia’s approach to multi-stakeholderism is qualified by national security matters, as the government’s role should be given primacy over other stakeholders in this regard.Additionally, India has yet to develop consistent and wide-ranging domestic mechanisms for implementing multi-stakeholderism, which would allow India to increase its participation in Internet governance at the international level.By including a bilateral commitment to multi-stakeholderism and continued dialogue and engagement in the Internet governance fora, the Framework can be interpreted as the US addressing India’s hesitations regarding the multi-stakeholder model. However, whether the approaches of India and the US towards Internet governance truly converge outside of this Framework remains to be seen.
Conflicting interests of Russia and China, and India as a swing state
The Framework comes after the aforementioned joint statement issued by Russia, China and India earlier this year. Paragraph 12 of this joint statement emphasised the need for a ‘broader international universal regulatory binding instrument under the UN’to tackle cybercrime, suggesting a preference for a multilateral governance model with entrenched state sovereignty. In the same paragraph, the Ministers emphasised the need to ensure Internet governance will be based on ‘multilateralism, democracy, transparency with multi-stakeholders in their respective roles and responsibilities’. This language is nearly identical to that used in the outcome document from WSIS +10 High Level Meeting, which stipulates ‘the management of the Internet as a global facility includes multilateral, transparent, democratic and multi-stakeholder processes’. The only qualifying phrase in the joint statement that indicates the reluctance of Russia and China to embrace multi-stakeholderism is that multi-stakeholders ought to be considered ‘in their respective roles and responsibilities’.
Therefore, while the debate over Internet governance is framed as one between the increasing acceptance of multi-stakeholderism, and those who hold out for a state-centric governance model, the language used in diplomacy between the two sides is remarkably similar. As a ‘swing state’ in this diplomatic arena, India holds power as being politically valuable to both sides of the debate. If India can continue to take advantage of the flexibility in discourse of multi-stakeholderism by appealing to both the US, and Russia and China, it can act successfully as a ‘swing state’. However, if, and when India and the US commit to the agreement this Framework pertains to, India should ensure that its bilateral relationship with the US does not impede its relationship to Russia and China.
This Framework is part of a wider arrangement for the US-India relations to deepen ties and to look to each other as ‘priority partners’ in the Asia-Pacific and Indian Ocean region.It remains to be seen whether all these provisions regarding cybersecurity will be included in the final signed agreement, but if they are included, it may contribute to the further acceptance of multi-stakeholderism on a global scale, and be an indication of cybersecurity norms to be taken up by other governments.