Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills. 

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

• India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
• Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 

Building capacity of CERTs and law enforcement agencies	1. Cybersecurity technology cooperation relevant to CERT activities. 2. Exchange of information on prevalent cybersecurity policies and best practices. 3. CERT-to-CERT Cooperation. 4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building	1. Human resource development including  training of Govt. officials in e-governance. 2. Institutional cooperation among the academic and training institutions. 3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification	1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies. 2. Cooperation in exchanging and developing technology. 3. Standardisation, testing and certification.
B2B cooperation and economic advancement	1. Enhancing B2B cooperation in cyber security. 2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments. 3.Exploring third country markets. 4. Favourable environment for the business entities through various measures to facilitate trade and investment.

Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html

list-bilateral-agreements-in-the-field-of-ictDownload

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from First Substantive Session

Sukanya Thapliyal

Image by United Nation Photo. Licensed via CC BY-NC-ND 2.0

Earlier this month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

In this blog, we present a brief overview and our observations from the discussions during the first substantive session of the Ad-hoc Committee. Furthermore, we also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

1. Background 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions and was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

Presently, the Budapest Convention, also known as Convention on Cybercrime is the most comprehensive and widely accepted legal instrument on cybercrime which was adopted by the Council of Europe (COE) and came into force in July, 2004. However, the work of the Ad-hoc Committee is significant and can pave the way for the first universal and legally binding instrument on cybercrime issues. The Committee enjoys widespread representation from State and Non-State stakeholders (participation from the non-governmental organizations, civil society, academia and private organizations) and other UN bodies, including the United Nations Office on Drugs and Crime (UNODC), serving as the secretariat for the process. 

The Ad-hoc Committee, over the next two years, is set to have six sessions towards developing this cybercrime convention. The convention is expected to foster coordination and cooperation among state actors to combat cybercrime while giving due regard to the peculiar socio-economic conditions prevailing in the developing and least-developed countries. 

The first substantive session of the Ad-hoc Committee was scheduled for 28 February-11 March 2022 to chart out a clear road map to guide subsequent sessions. In addition, the session also provided opportunity to the Member States to explore the possibility of reaching a consensus on the objective and scope of the Convention, which could provide a general framework for future negotiation without constituting a pre-condition for future stages. 

2. Discussions at the First Ad-hoc committee

The first session of the Ad-hoc Committee witnessed extensive discussions in sessions on general debate, objective and scope of the convention, exchange of preliminary views on key elements of the convention. In addition, a fruitful engagement took place in the sessions dedicated to arriving at a consensus on the structure of the convention (A/AC.291/L.4/Add.4). Member states also reached consensus on  discussion and decision-making on the mode of work of the Ad Hoc Committee during subsequent sessions and intersessional periods (A/AC.291/L.4/Add.6). As the negotiations commenced days after the Russia-Ukraine conflict began, the negotiations proceeded in a tense environment where several Member States expressed their concerns and-inability to negotiate in “good faith” in the light of the current state of play and condemned Russia for the military and cyber operations directed at Ukraine.

A. Scope of the convention: From “Cyber-Enabled” to “Cyber-Dependent” Crimes 

There was complete agreement on the growing importance of ICT technologies, the threat created by cybercriminals, and the need for a collective response within a sound international framework. However, countries highlighted different challenges that range from ‘pure cybercrimes’ or cyber dependent crimes to a broader set of crimes (cyber-enabled crimes) that includes misuse of ICT technologies and digital platforms by terrorist groups, deepfakes, disinformation, misinformation, false narrative, among others. 

While there was a broad consensus on including cyber dependent crimes, there was significant disagreement on whether cyber-enabled crimes should be addressed under the said convention. This divergence was evident throughout the first session with the EU, the US, the UK, New Zealand, Australia, Liechtenstein, Japan, Singapore and Brazil advocating to limit the operation of such a convention only up to cyber dependent crimes (such as ransomware attacks, denial of services attack, illegal system interference, among others). The member states maintained that the said convention should exclude vague and broadly defined crimes that may dilute legal certainty and disproportionately affect the freedom of speech and expression. Furthermore, that the convention should include only those cyber enabled crimes whose scale scope and speed increases substantially with the use of ICT technologies (cyber-fraud, cyber-theft, child sexual abuse, gender-based crime). 

On the other hand, the Russian Federation, China, India, Egypt, South Africa, Venezuela, Turkey, Egypt expressed that the convention should include both cyber dependent and cyber enabled crimes under such a convention. Emphasizing the upward trend in the occurrence of cyber enabled crimes, the member states stated that the cybercrime including cyber fraud, copyright infringement, misuse of ICTs by terrorists, hate speech must be included under the said convention.

There was overall agreement that cybersecurity, and internet governance issues are subject to other UN multilateral  fora such as UN Group of Governmental Experts (UNGGE) and UN Open Ended Working Group (OEWG) and must not be addressed under the proposed convention. 

B. Human-Rights

The process witnessed significant discussion on the protection and promotion of human rights and fundamental freedoms as an integral part of the proposed convention. While there was a broad agreement on the inclusion of human rights obligations, Member States varied in their approaches to incorporating human rights obligations. Countries such as the EU, USA, Australia, New Zealand, UK, Canada, Singapore, Mexico and others advocated for the centrality of human rights obligations within the proposed convention (with particular reference to the right to speech and expression, privacy, freedom of association and data protection). These countries also emphasized the need for adequate safeguards to protect human rights (legality, proportionality and necessity) in the provisions dealing with the criminalization of offenses, procedural rules and preventative measures under the proposed convention. 

India and Malaysia were principally in agreement with the inclusion of human rights obligations but pointed out that human rights considerations must be balanced by provisions required for maintaining law and order. Furthermore, countries such as Iran, China and Russia emphasized that the proposed convention should be conceptualized strictly as a technical treaty and not a human rights convention.

C. Issues pertaining to the conflict in jurisdiction and legal enforcement

The Ad-hoc Committee’s first session saw interesting proposals on improving the long-standing issues emanating from conflict of jurisdictions that often create challenges for law enforcement agencies in effectively investigating and prosecuting cybercrimes. In its numerous submissions, India highlighted the gaps and limitations in the existing international instruments and the need for better legal frameworks for cooperation, beyond Mutual Legal Assistance Treaties (MLATs). Such arrangements aim to assist law enforcement agencies in receiving metadata/ subscriber information to establish attribution and to overcome severe delays in accessing non-personal data. Member states, including Egypt, China supported India’s position in this regard. 

Mexico, Egypt, Jamaica (on behalf of CARICOM), Brazil, Indonesia, Iran, Malaysia also highlighted the need for the exchange of information, and greater international cooperation in the investigation, evidence sharing and prosecution of cybercrimes. These countries also highlighted the need for mutual legal assistance, 24*7 contact points, data preservation, data sharing and statistics on cybercrime and modus operandi of the cybercriminals, e-evidence, electronic forensics and joint investigations. 

Member states including the EU, Luxembourg, UK supported international cooperation in investigations and judicial proceedings, and obtaining electronic evidence. These countries also highlighted that issues relating to jurisdiction should be modeled on the existing international and regional conventions such as the UN Convention against Corruption (UNCAC), UN Convention against Transnational Organized Crimes (UNCTOC), and the Budapest Convention.

D. Technical Assistance and Capacity Building

There was unanimity among the member states to incorporate provisions on capacity building and technical assistance to cater to the peculiar socio-economic conditions of the developing and least-developed countries. However, notable inputs/ suggestions came from Venezuela, Egypt, Jamaica on behalf of CARICOM, India and  Iran. Venezuela highlighted the need for technology transfer, lack of financing and lack of sufficient safeguards for developing and least-developed countries. The countries outlined technology transfer, financial assistance, sharing of best practices, training of personnel, and raising awareness as different channels for capacity building and technical assistance for developing and least-developed countries. 

E. Obligations for the Private Sector 

The proposal for instituting obligations  on non-state actors , including the private sector (with particular reference to digital platforms and service providers), witnessed strong opposing views by member countries. Countries including India, China, Egypt and Russia backed the proposal on including a strong obligation on the private sectors as they play an essential role in the ICT sector. In one of its submissions, India explained  the increasing involvement of multinational companies  in providing vital services in different countries. Therefore, in its view, such private actors must be held accountable and should promptly cooperate  with law enforcement and judicial authorities in these countries to fight cybercrime. Iran, China and Russia further emphasized the need for criminal liability of legal persons, including service providers and other private organizations. In contrast, member states, including the EU, Japan and USA, were strictly against incorporating any obligations on the private sector. 

F. Other Issues

There was a broad consensus including EU, UK, Japan, Mexico, USA, Switzerland and others  on not reinventing the wheel but building on the work done under the UNCAC, UNCTOC, and the Budapest Convention. However, countries, including Egypt and Russian Federation, were skeptical over the explicit mention of the regional conventions, such as the Budapest Convention and its impact on the Member States, who are not a party to such a convention. 

The proposals for inclusion of a provision on asset recovery, and return of the proceeds of the crime elicited a lukewarm response by Egypt, Iran, Brazil, Russia, China, Canada, Switzerland, USA Jamaica on behalf of CARICOM countries, but appears likely to gain traction in forthcoming sessions.

3. Way Forward

Member countries are expected to submit their written contributions on criminalisation, general provisions, procedural measures, and law enforcement in the forthcoming month. These written submissions are likely to bring in more clarity about the expectations and key demands of the different member states. 

The upcoming sessions will also indicate how the demands put forth by developing, and least developing countries during the recently concluded first session are taken up in the negotiation process. Furthermore, it is yet to be seen whether these countries would chart out a path for themselves or get subsumed in the west and east binaries as seen in other multilateral fora dedicated to clarifying the rules governing cyberspace. 

---

Note: 

*The full recordings of the first session of the Ad-hoc Committee to elaborate international convention on countering the use of information and communications (ICTs) technologies for criminal purposes is available online and can be accessed on UN Web TV.

**The reader may also access more information on the first session of the Ad-hoc Committee here, here and here.

Cybersecurity and Trade: Understanding Linkages for the Global South

Sukanya Thapliyal^*

1. BACKGROUND: 

Cybersecurity concerns are increasingly creeping into the international trade arena. Emerging technologies such as Big Data, Artificial Intelligence (AI), Internet of things (IoT), among others, have led to the digitalisation of the economy and society and has transformed our day-to-day lives. In addition, the COVID-19 pandemic has further accelerated the digitalisation process. As a result, countries, businesses and individuals worldwide are embracing this shift and are becoming increasingly reliant on digital technologies. The digital economy has significantly contributed to the increase in services trade, reduced trade costs, and increased participation of micro, small and medium enterprises (MSMEs) within international trade. The shift towards the digital economy has also empowered enterprises in amassing and analysing massive amounts of data. This helps businesses or organisations improve their operations and develop better products and services for existing and prospective consumers. 

However, ensuing interconnectivity and reliance on digital technologies exposes society/economies to several risks. These include threats of cyberattacks such as ransomware, political espionage, economic espionage, identity theft, and intellectual property theft.  These threats impact national defence authorities, critical infrastructures, commercial enterprises, and enforcement agencies alike. Such threats can emerge from both State and Non-State actors. However, countries vary greatly in their ability to understand and address these challenges. A recent study by Kaspersky Labs has identified Asia-Pacific Countries (APAC) as among the most prominent targets of cyberattacks owing to their rapidly increasing usage of digital technologies coupled with lack of awareness regarding cybersecurity, and limited resources deployed towards mitigation. India features among the top five countries most prone to cyberattacks along with China and Pakistan.

This piece seeks to map the dominant discourse on Cyber Security and International Trade. First, it examines the current World Trade Organization (WTO) framework and selects certain Free Trade Agreements (FTAs) to understand how cybersecurity concerns are presently understood only as related to national security or potential non-tariff barriers (NTB). Rooted in the fact that cybersecurity is inextricably linked to the technical capacity of a Member State to identify vulnerabilities, it argues that there is an urgent need to repurpose cybersecurity as an issue within the capacity building and technology transfer discussions.

image by geralt. Licensed via CC0.

2. CYBERSECURITY ISSUES UNDER WORLD TRADE ORGANIZATION (WTO)

Despite rising cybersecurity concerns, international trade rules have minimal engagement in this area. Prominent international trade organisations (such as WTO) and other legal instruments like Free Trade Agreements (FTAs) have primarily focused on setting rules for digital commerce and have addressed cybersecurity as an incidental and secondary issue.  Within WTO’s existing framework, cybersecurity issues do not fall within a single set of rules.¹ Depending on the context and subject of the dispute, several WTO Agreements, including General Agreement on Tariffs and Trade in Goods (GATT), General Agreement on Trade in Services (GATS), Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) and WTO Agreement on Technical Barriers to Trade (TBT Agreement), can have some bearing on the result of the dispute. As a result, the emerging cybersecurity issues can only be understood and interpreted on a case-by-case basis.² 

Currently, countries impose cybersecurity measures that range from complete prohibition on the trade of goods or services, tariff and non-tariff barriers, imposition of certification requirements and imposition of domestic standards, among others. Although none of these cybersecurity measures has been challenged at the WTO’s Dispute Settlement System so far, concerns were raised against China’s imposition of cybersecurity measures on ICT products and services by the European Union, USA, Canada, Japan and Australia in 2017. In another instance, China raised concern over Australia banning Chinese companies from supplying equipment for a 5G mobile  network on the grounds of national security. 

Propelled by similar developments, where Member States imposed different types of cybersecurity measures (prohibition on trade in technology goods, imposition of certification requirements and domestic standards), the discourse on cybersecurity and trade primarily focused on the cybersecurity measures as potential non-tariff barriers. As WTO primarily focuses on strengthening economic cooperation and reducing or eliminating trade barriers (tariff and non-tariff), the primary discourse has been centered only around these concerns. Numerous studies have identified the need to distinguish between genuine domestic cybersecurity policy measures taken by the Member States from those that are merely disguised protectionism or purely political in nature. 

Scholars also highlighted that Member States might justify such actions based on national security exceptions articulated under the GATT (Article XXI), GATS (Article XIV bis), TRIPS (Article 73) and other WTO Agreements. The national security exception, as broadly understood, allows Member States to take measures as they consider necessary for the protection of their essential security interests. This is problematic from several perspectives. 

The security exception was long touted as a self-judging provision and outside the purview of judicial review of the Dispute Settlement Body (DSB). This understanding was substantially modified in the context of GATT’s security exception in Russia – Traffic in Transit by the WTO Panel Report in 2019. The Panel opined that Article XXI (b) is not totally self-judging and that the term “essential security interests” are restricted to specific scenarios related to military facilities, nuclear facilities and measures taken in time of “war” or “other emergency in international relations”. Further, the Panel also emphasised that such a measure must be invoked in “good faith”. While Russia – Traffic in Transit Panel Report does provide a straightforward interpretation of the scope of the provision, several scholars, including Sarah Alturki and Neha Mishra have examined the security exceptions laid down under GATT and GATS as problematic in addressing cybersecurity measures. They maintained that the existing security exceptions under the WTO framework provisions are dated and were not conceived to cover cyber conflicts. Although the DSB may undertake to read such provisions in an evolutionary manner, the ambiguous nature of cyber-threats coupled with the lack of international consensus on cybersecurity governance makes it extremely challenging to resolve cybersecurity-related disputes. 

3. CYBERSECURITY PROVISIONS UNDER FREE TRADE AGREEMENTS (FTAs)

Besides security exceptions under the WTO framework, some Free Trade Agreements, in their digital trade/e-commerce chapters, have dedicated provisions concerning inter-State cooperation in cybersecurity. For instance, Article 14.16 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) recognises the importance of capacity building and collaborating mechanisms to identify and mitigate malicious intrusions or dissemination of malicious code that affect the electronic networks of countries which are Party to the Agreement. Article 12.13 of the Regional Comprehensive Economic Partnership (RCEP) features an identical provision. Further, Article 19.15 of the United States-Mexico-Canada Agreement (USMCA) features an expanded version of this condition. The provision obligates the Member States to share information and best practices and employ risk-based approaches that rely on consensus-based standards to detect, respond to, and recover from cybersecurity events.

To contain the misuse of cybersecurity measures that can harm free trade and economic cooperation among participating countries, several FTAs have included a provision to deter such behavior. Such provisions include the prohibition on disclosure of source code³, prohibition on the requirement to locate computing facilities in a specific jurisdiction⁴ and provisions mandating cross-border transfer of information by electronic means⁵. The measures relating to prohibition on disclosure of source code, restriction on mandating location of the computing facilities and others often find themselves in the cross-fire of a host of concerns emanating from economic development, transparency and cybersecurity. 

It is also important to note that these provisions also target policies restraining the free flow of cross-border data (data-localisation policies) prevalent in a number of countries including India, China, Vietnam, among others. 

4.  OTHER POSSIBLE FRONTIERS FOR CYBERSECURITY AND INTERNATIONAL TRADE IN RESPECT OF GLOBAL SOUTH 

Beyond the above mentioned concerns, cybersecurity is also a question of technical competence and resources available for several developing and least-developed countries. Several studies and reports, including the recent Kaspersky projections for 2022, indicate a wide gap in countries’ ability to detect, assess and effectively respond to cyber-attacks. There has been a steep rise in the adoption of digital tools often outpacing the establishment of necessary state institutions, legal regulations and capacity to manage new challenges.  Digital solutions are seen as the gateway to economic growth and social development. These developments should not be seen in isolation from cybersecurity capacity building. The unbridled adoption of digital solutions without being secured can have far reaching implications for the economy and can lead to poor infrastructures and hollow digital development for countries in the global south. 

As mentioned above, the current provisions, under the FTAs and discussions at the WTO surrounding cybersecurity concerns for international trade, extend only up to sharing information and best-practices. Such glaring vulnerabilities can only be addressed through development assistance that includes technology transfers and offering cybersecurity capacity building and requires active cooperation from the developed countries. The discussions around digital development must be embedded in digital security. Developing countries, including India, should leverage their positions in economic forums and constructively channel the discussions around tech-transfer and technology facilitation mechanisms (TFM) on cybersecurity, as they have done in the past in the context of drug development and climate change. Existing tools for developing and least-developed countries incorporated under Article 66 and 67 of the TRIPS Agreement are insufficient, have seen weak implementation, and are unlikely to bridge this gap. As India is assuming the G20 presidency on December 1, 2022, it can lead the path for such momentous changes and offer the global south perspective the world needs.

---

*The author is grateful for the comments and contributions by Ms Garima Prakash, Deputy Manager, NASSCOM.

References:

1. It is important to note that the WTO Agreements dates back to 1994 did not treat cyber issues specifically, but their rules nevertheless have application to cyber-related policies. See: Kathleen Claussen, ‘Economic cybersecurity law’ in Routledge Handbook of International Cybersecurity, pp.341-353 (Routledge, 1, 2020). See also: Dongchul Kwak, “No More Strategical Neutrality on Technological Neutrality: Technological Neutrality as a Bridge Between the Analogue Trading Regime and Digital Trade” World Trade Review (2021), 1–15.
2. Post-2017, around 70 WTO Member States spearheaded by the USA and other developed countries have initiated “exploratory work together towards future WTO negotiations on trade-related aspects of electronic commerce.”  India and South Africa are not part of this initiative. Nevertheless, the result of these discussions shall have some bearing on the future of cybersecurity and trade.
3.  Article 19.16 of USMCA (Similar provisions are incorporated under other trade agreements including CPTPP and RCEP).
4. Article 19.12 of USMCA. (Similar provisions are incorporated under other trade agreements including CPTPP and RCEP).
5. Article 19.11 of USMCA. (Similar provisions are incorporated under other trade agreements including CPTPP and RCEP).