The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session

Sukanya Thapliyal

  1. Background/ Overview 

Last month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the Fourth Session of the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions.  It was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

The three previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and a first reading of the provisions on criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others. (We had previously covered the proceedings from the First Session of the Ad-Hoc Committee here.)

The fourth session of the Ad Hoc Committee was marked by a significant development – the preparation of a Consolidated Negotiating Document (CND) to facilitate the remainder of the negotiation process. The CND was prepared by the Chair of the Ad Hoc Committee keeping in mind the various views, proposals, and submissions made by the Member States at previous sessions of the Committee. It is also based on existing international instruments and efforts at the national, regional, and international levels to combat the use of information and communications technologies (ICTs) for criminal purposes. 

As per the road map and mode of work for the Ad Hoc Committee approved at its first session (A/AC.291/7, annex II), the fourth session of the Ad Hoc Committee conducted the second reading of the provisions of the convention on criminalisation, the general provisions and the provisions on procedural measures and law enforcement. Therefore, the proceedings during the Fourth Session involved comprehensive and elaborate discussions around these provisions amongst the Chair, Member States, Observer States, and other multi-stakeholder groups. 

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the fourth substantive session of the Ad-hoc Committee. Part I of the blog (i) discusses the methodology employed by the Ad-Hoc Committee discussions and (ii) captures the consultations and developments from the second reading of the provisions on criminalisation of offences under the proposed convention. Furthermore, we also attempt to familiarise  readers with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

In part II of the blog series, we will be laying out the discussions and exchanges on (i) the general provisions and (ii) provisions on procedural measures and legal enforcement. 

  1. Methodology used for Conducting the Fourth session of the Ad-Hoc Committee

The text-based negotiations at the Fourth Session proceeded in two rounds. 

Round 1: The first round of discussions allowed the participants to share concise, substantive comments and views. Provisions on which there was broad agreement proceeded to Round 2. Other provisions were subject to a co-facilitated informal negotiation process. Co-facilitators that spearheaded the informal negotiations reported orally to the Chair and the Secretariat. 

Round 2: Member Countries progressed through detailed deliberations on the wording of each of the provisions that enjoyed broad agreement. 

  1. Provisions on Criminalization (Agenda Item 4)

The Chapter on “provisions on criminalization” included a wide range of criminal offences that are under consideration for inclusion under the Cybercrime Convention. Chapter 2 under the CND features 33 Articles grouped into 11 clusters as:

  1. Cluster 1: offences against illegal access, illegal interference, interference with computer systems/ ICT systems, misuse of devices, that jeopardises the confidentiality, integrity and availability of system, data or information;
  2. Cluster 2: offences that include computer or ICT-related forgery, fraud, theft and illicit use of electronic payment systems;
  3. Cluster 3: offences related to violation of personal information
  4. Cluster 4: infringement of copyright.
  5. Cluster 5: offences related to online child sexual abuse or exploitation material
  6. Cluster 6: offences related to Involvement of minors in the commission of illegal acts, and encouragement of or coercion to suicide
  7. Cluster 7: offences related to sexual extortion and non-consensual dissemination of intimate images.
  8. Cluster 8: offences related to incitement to subversive or armed activities and extremism-related offences
  9. Cluster 9: terrorism related offences and offences related to the distribution of narcotic drugs and psychotropic substances, arms trafficking, distribution of counterfeit medicines.
  10. Cluster 10: offences related to money laundering, obstruction of justice and other matters (based on the language of United Nation Convention against Corruption (UNCAC) and United Nation Convention against Transnational Organised Crime (UNTOC))
  11. Cluster 11: provisions relating to liability of legal persons, prosecution, adjudication and sanctions. 

Round 1 Discussions 

  1. Points of Agreement (taken to the second round) 

The first round of discussions on provisions related to criminalisation witnessed a broad agreement on inclusion of provisions falling under Cluster 1, 2, 5, 7, 10 and 11. Member States, Observer States and other parties including the EU, Austria, Jamaica (on the behalf of CARICOM), India, USA, Japan, Malaysia, and the UK strongly supported the inclusion of offences enlisted under Cluster 1 as these form part of core cybercrimes recognised and uniformly understood by a majority of countries. 

A large number of the participant member countries were also in favour of a narrow set of cyber-dependent offenses falling under Cluster 5 and 7. They contended that these offenses are of grave concern to the majority of countries and the involvement of computer systems significantly adds to the scale, scope and severity of such offenses. 

Several countries such as India, Jamaica (on behalf of CARICOM), Japan and Singapore broadly agreed on offences listed under clusters 10 and 11. These countries expressed some reservations concerning provisions on the liability of legal persons (Article 35). They contended that such provisions should be a part of the domestic laws of member countries. 

  1. Points of Disagreement (subject to Co-facilitated Informal Negotiations)

There was strong disagreement on the inclusion of provisions falling under Cluster 3, 4, 6, 8 and 9. The EU along with Japan, Australia, USA, Jamaica (on the behalf of CARICOM), and others objected to the inclusion of these cyber-dependent crimes under the Convention. They stated that such offenses (i) lack adequate clarity and uniformity across countries(ii) pose a serious threat of misuse by the authorities, and (iii) present an insurmountable barrier to building consensus as Member Countries have exhibited divergent views on the same. Countries also stated that some of these provisions (Cluster 9: terrorism-related offenses) are already covered under other international instruments. Inclusion of these provisions risks mis-alignment with other international laws that are already employed to oversee those areas.

  1. Co-Facilitated Informal Round

The Chair delegated the provisions falling under Cluster 3, 4, 6, 8 and 9 into two groups for the co-facilitated informal negotiations. Clusters 3, 4 and 6 were placed into group 1, under the leadership of Ms. Briony Daley Whitworth (Australia) and Ms. Platima Atthakor (Thailand). Clusters 8 and 9 were placed into group 2, under the leadership of Ambassador Mohamed Hamdy Elmolla (Egypt) and Ambassador Engelbert Theuermann (Austria). 

Group 1: During the informal sessions for cluster 3, 4 and 6, the co-facilitator encouraged  Member States to provide suggestions/views/ comments on provisions under consideration. The positions of Member States remained considerably divergent. Consequently, the co-facilitators decided to continue their work after the fourth session during the intersessional period with interested Member States.

Group 2: Similarly for cluster 8 and 9, the co-facilitators, along with interested Member States engaged in constructive discussions. Member States expressed divergent views on the provisions falling under cluster 8 and 9. These ranged from proposals for deletion to proposals for the strengthening and expansion of the provisions. Besides, additional proposals were made in favour of the following areas – provision enabling future Protocols to the Convention, inclusion of the concept of serious crimes and broad scope of cooperation that extends beyond the provisions criminalised under the convention. The co-facilitators emphasised the need for future work to forge a consensus and make progress towards finalisation of the convention. 

Round 2 Discussions: 

Subsequently, the second round of discussions witnessed intensive discussions and deliberation amongst the participating Member Countries and Observer States. The discussions explored the possibility of adding provisions on issues relating to the infringement of website design, unlawful interference with critical information infrastructure, theft with the use of information and communications technologies and dissemination of false information, among others. 

Conclusion:

Since the First Session of the Ad-Hoc Committee, the scope of the convention has remained an open-ended question. Member Countries have put forth a wide range of cyber-dependent and cyber-enabled offences for inclusion in the Convention.  Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (such as online child sexual abuse or exploitation material, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. Countries must agree on the scope of the Convention if they want to make headway in the negotiation process. 

(The Ad-Hoc committee is likely to take up these discussions forward in the sixth session of the Ad-Hoc Committee 21 August – 1 September 2023.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 3):Confidence Building Measures, Capacity Building and Institutional Dialogue

Ananya Moncourt & Sidharth Deb

“Smoking Gun” by Claudio Rousselon is licensed under CC BY 4.0
  • Introduction

In Part 1 this three-part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) we critiqued how the OEWG is incorporating the participation of non-governmental stakeholders within its process. In Part 2 we reflected on States’ (including India’s) participation on discussions under three main themes of the OEWG’s institutional mandate as detailed under para 1 of the December 2020 dated UN General Assembly (GA) Resolution 75/240.

This analysis revealed how lawfare and geopolitical tensions are resulting in substantive divides on matters relating to (a) the definition and identification of threats in cyberspace; (b) the future direction and role of cyber norms in international ICT security; and (c) the applicability of international law in cyberspace. In Part 3 our focus turns to discussions at the second session as it related to inter-State and institutional cooperation. Specifically, we examine confidence building measures, cyber capacity building, and regular institutional dialogue. The post concludes by offering some expectations on the way forward for ongoing international cybersecurity and cybercrime processes.

  • Confidence Building Measures (CBMs)

Under CBMs, States focused on cooperation, collaboration, open dialogue, transparency and predictability. These included  proposals operationalising a directory of national point of  contacts (PoCs) at technical, policy, law enforcement and diplomatic levels. Several States suggested that CBMs would benefit from including non-governmental stakeholders and integrating with bilateral/regional arrangements like ASEAN, OSCE and OAS. States identified UNIDIR’s Cyber Policy Portal as a potential platform to advance transparency on national positions, institutional structures and best practices. South Korea, Malaysia and others proposed using the portal for early warning systems, new cyber norms discussions, vulnerability disclosures, and voluntary information sharing about national military capabilities in cyberspace. Other priority issues included (a) collaboration between CERTs to prevent, detect and respond to cybersecurity incidents; and (b) critical infrastructure protection.

CBMs were another site of substantive lawfare. Russia and its allies stressed on the need for objective dialogue to prevent misperceptions. They urged States to consider all technical aspects of cyber incidents to minimise escalatory risks of “false flag” cyber operations. As we have discussed earlier in Part 2, Iran and Cuba argued against States’ use of coercive measures (e.g. sanctions) which restrict/prevent access to crucial global ICT infrastructures. These States also highlighted challenges with online anonymity, hostile content, and the private sector’s (un)accountability.

India focused on cooperation between PoCs for technical (e.g. via a network of CERTs) and policy matters. They espoused the benefits of integrating CBM efforts with bilateral, regional and multilateral arrangements. Practical cooperation through tabletop exercises, workshops and conferences were proposed. Finally, India stressed on the importance of real-time information sharing on threats and operations targeting critical infrastructures. The latter is a likely reference to challenges States like India face vis-a-vis jurisdiction and MLAT frameworks.

  • Capacity Building

Consistent with the first OEWG’s final report, States suggested that capacity building activities should be:

  • sustainable,
  • purpose and results focused,
  • evidence-based,
  • transparent,
  • non-discriminatory,
  • politically neutral,
  • sovereignty respecting,
  • universal, and
  • facilitate access to ICTs.

States advocated international capacity building activities correspond with national needs/priorities and benchmarked against internationally determined baselines. The UK recommended Oxford’s Cybersecurity Capacity Maturity Model for national assessments.  States recommended harmonising capacity building programmes with bilateral and regional efforts. Iran and Singapore proposed fellowships, workshops, training programmes, education courses, etc as platforms for technical capacity building for State officials/experts. States suggested UNIDIR assume the role of mapping global and regional cyber capacity building efforts—spanning financial support and technical assistance—aimed at compiling a list of best practices. Disaster and climate resilience of ICT infrastructure was a shared concern among Member States.

Even under this theme Russia and their allies addressed unilateral issues like sanctions which limit universal access to crucial ICT environments and systems. Citing the principle of universality, Russia even proposed the OEWG contemplate regulation to control State actions in this regard. Iran built on this and proposed prohibiting States from blocking public access to country-specific apps, IP addresses and domain names.

India recommended capacity building targeting national technical and policy agencies. It proposed funnelling capacity building through regular institutional dialogue to ensure inclusivity, neutrality and trust. India proposed a forum of CERTs, under the UN, to facilitate tabletop exercises, critical infrastructure security, general cybersecurity awareness campaigns, and cyber threat preparedness. India proposed establishing an international counter task force comprising international experts in order to provide technical assistance and infrastructural support for cyber defences and cyber incident response against critical infrastructure threats. Member Sates requested India to elaborate on this proposal.

  • Regular Institutional Dialogue

Several States like France, Egypt, Canada, Germany, Korea, Chile, Japan and Colombia identified a previously proposed Programme of Action (PoA) to facilitate coordinated cyber capacity building. France proposed the PoA assist States with the technical expertise for cyber incident response, national cybersecurity policies, and critical infrastructure protection. States also identified the PoA to maintain a trust fund for cyber capacity building projects, and serve as a platform to assist States identify national needs and track implementation of cyber norms. Prior to the third substantive session, co-sponsors are expected to share an updated version of its working paper with the OEWG secretariat. These States have also proposed that the PoA serve as a venue for structured involvement of non-governmental stakeholders.

In order to harmonise the mandates of the OEWG and the PoA, Canada proposed that the OEWG serve as the venue where core normative aspects are finalised, and the PoA works on international implementation. The Sino-Russian bloc and developing countries expressed concerns about the PoA as a forum for regular institutional dialogue. Iran suggested that the OEWG instead operate as an exclusive international forum on cybersecurity. Cuba and Russia maintained that a parallel PoA would undercut the OWEG’s centrality.

While India’s intervention recognises the importance of regular institutional dialogue, it insists that such interactions be intergovernmental. It recommends that States retain primary responsibility for issues in cyberspace relating to national security, public safety and the rule of law.

  • Way Forward

The OEWG Chair aims to finalise a zero draft of its first annual progress report, for consultations and written inputs, approximately six weeks prior to the OEWG’s third substantive session in July 2022. It will be interesting to track how lawfare affects the report and other international processes.  

In this regard, it is crucial to juxtapose the OEWG against the UN’s ongoing ad-hoc committee in which States are negotiating a draft convention on cybercrime. Too often these conversations can be stuck in silos, however these two processes will collectively shape the broad contours of international regulation of cyberspace. Already, we observe India’s participation in the latter is shaped by its doctrinal underpinnings of the Information Technology Act—and it will be important to track how these discussions evolve.

Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from First Substantive Session

Sukanya Thapliyal

Image by United Nation Photo. Licensed via CC BY-NC-ND 2.0

Earlier this month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

In this blog, we present a brief overview and our observations from the discussions during the first substantive session of the Ad-hoc Committee. Furthermore, we also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

  1. Background 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions and was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

Presently, the Budapest Convention, also known as Convention on Cybercrime is the most comprehensive and widely accepted legal instrument on cybercrime which was adopted by the Council of Europe (COE) and came into force in July, 2004. However, the work of the Ad-hoc Committee is significant and can pave the way for the first universal and legally binding instrument on cybercrime issues. The Committee enjoys widespread representation from State and Non-State stakeholders (participation from the non-governmental organizations, civil society, academia and private organizations) and other UN bodies, including the United Nations Office on Drugs and Crime (UNODC), serving as the secretariat for the process. 

The Ad-hoc Committee, over the next two years, is set to have six sessions towards developing this cybercrime convention. The convention is expected to foster coordination and cooperation among state actors to combat cybercrime while giving due regard to the peculiar socio-economic conditions prevailing in the developing and least-developed countries. 

The first substantive session of the Ad-hoc Committee was scheduled for 28 February-11 March 2022 to chart out a clear road map to guide subsequent sessions. In addition, the session also provided opportunity to the Member States to explore the possibility of reaching a consensus on the objective and scope of the Convention, which could provide a general framework for future negotiation without constituting a pre-condition for future stages. 

2. Discussions at the First Ad-hoc committee

The first session of the Ad-hoc Committee witnessed extensive discussions in sessions on general debate, objective and scope of the convention, exchange of preliminary views on key elements of the convention. In addition, a fruitful engagement took place in the sessions dedicated to arriving at a consensus on the structure of the convention (A/AC.291/L.4/Add.4). Member states also reached consensus on  discussion and decision-making on the mode of work of the Ad Hoc Committee during subsequent sessions and intersessional periods (A/AC.291/L.4/Add.6). As the negotiations commenced days after the Russia-Ukraine conflict began, the negotiations proceeded in a tense environment where several Member States expressed their concerns and-inability to negotiate in “good faith” in the light of the current state of play and condemned Russia for the military and cyber operations directed at Ukraine.

A. Scope of the convention: From “Cyber-Enabled” to “Cyber-Dependent” Crimes 

There was complete agreement on the growing importance of ICT technologies, the threat created by cybercriminals, and the need for a collective response within a sound international framework. However, countries highlighted different challenges that range from ‘pure cybercrimes’ or cyber dependent crimes to a broader set of crimes (cyber-enabled crimes) that includes misuse of ICT technologies and digital platforms by terrorist groups, deepfakes, disinformation, misinformation, false narrative, among others. 

While there was a broad consensus on including cyber dependent crimes, there was significant disagreement on whether cyber-enabled crimes should be addressed under the said convention. This divergence was evident throughout the first session with the EU, the US, the UK, New Zealand, Australia, Liechtenstein, Japan, Singapore and Brazil advocating to limit the operation of such a convention only up to cyber dependent crimes (such as ransomware attacks, denial of services attack, illegal system interference, among others). The member states maintained that the said convention should exclude vague and broadly defined crimes that may dilute legal certainty and disproportionately affect the freedom of speech and expression. Furthermore, that the convention should include only those cyber enabled crimes whose scale scope and speed increases substantially with the use of ICT technologies (cyber-fraud, cyber-theft, child sexual abuse, gender-based crime). 

On the other hand, the Russian Federation, China, India, Egypt, South Africa, Venezuela, Turkey, Egypt expressed that the convention should include both cyber dependent and cyber enabled crimes under such a convention. Emphasizing the upward trend in the occurrence of cyber enabled crimes, the member states stated that the cybercrime including cyber fraud, copyright infringement, misuse of ICTs by terrorists, hate speech must be included under the said convention.

There was overall agreement that cybersecurity, and internet governance issues are subject to other UN multilateral  fora such as UN Group of Governmental Experts (UNGGE) and UN Open Ended Working Group (OEWG) and must not be addressed under the proposed convention. 

B. Human-Rights

The process witnessed significant discussion on the protection and promotion of human rights and fundamental freedoms as an integral part of the proposed convention. While there was a broad agreement on the inclusion of human rights obligations, Member States varied in their approaches to incorporating human rights obligations. Countries such as the EU, USA, Australia, New Zealand, UK, Canada, Singapore, Mexico and others advocated for the centrality of human rights obligations within the proposed convention (with particular reference to the right to speech and expression, privacy, freedom of association and data protection). These countries also emphasized the need for adequate safeguards to protect human rights (legality, proportionality and necessity) in the provisions dealing with the criminalization of offenses, procedural rules and preventative measures under the proposed convention. 

India and Malaysia were principally in agreement with the inclusion of human rights obligations but pointed out that human rights considerations must be balanced by provisions required for maintaining law and order. Furthermore, countries such as Iran, China and Russia emphasized that the proposed convention should be conceptualized strictly as a technical treaty and not a human rights convention.

C. Issues pertaining to the conflict in jurisdiction and legal enforcement

The Ad-hoc Committee’s first session saw interesting proposals on improving the long-standing issues emanating from conflict of jurisdictions that often create challenges for law enforcement agencies in effectively investigating and prosecuting cybercrimes. In its numerous submissions, India highlighted the gaps and limitations in the existing international instruments and the need for better legal frameworks for cooperation, beyond Mutual Legal Assistance Treaties (MLATs). Such arrangements aim to assist law enforcement agencies in receiving metadata/ subscriber information to establish attribution and to overcome severe delays in accessing non-personal data. Member states, including Egypt, China supported India’s position in this regard. 

Mexico, Egypt, Jamaica (on behalf of CARICOM), Brazil, Indonesia, Iran, Malaysia also highlighted the need for the exchange of information, and greater international cooperation in the investigation, evidence sharing and prosecution of cybercrimes. These countries also highlighted the need for mutual legal assistance, 24*7 contact points, data preservation, data sharing and statistics on cybercrime and modus operandi of the cybercriminals, e-evidence, electronic forensics and joint investigations. 

Member states including the EU, Luxembourg, UK supported international cooperation in investigations and judicial proceedings, and obtaining electronic evidence. These countries also highlighted that issues relating to jurisdiction should be modeled on the existing international and regional conventions such as the UN Convention against Corruption (UNCAC), UN Convention against Transnational Organized Crimes (UNCTOC), and the Budapest Convention.

D. Technical Assistance and Capacity Building

There was unanimity among the member states to incorporate provisions on capacity building and technical assistance to cater to the peculiar socio-economic conditions of the developing and least-developed countries. However, notable inputs/ suggestions came from Venezuela, Egypt, Jamaica on behalf of CARICOM, India and  Iran. Venezuela highlighted the need for technology transfer, lack of financing and lack of sufficient safeguards for developing and least-developed countries. The countries outlined technology transfer, financial assistance, sharing of best practices, training of personnel, and raising awareness as different channels for capacity building and technical assistance for developing and least-developed countries. 

E. Obligations for the Private Sector 

The proposal for instituting obligations  on non-state actors , including the private sector (with particular reference to digital platforms and service providers), witnessed strong opposing views by member countries. Countries including India, China, Egypt and Russia backed the proposal on including a strong obligation on the private sectors as they play an essential role in the ICT sector. In one of its submissions, India explained  the increasing involvement of multinational companies  in providing vital services in different countries. Therefore, in its view, such private actors must be held accountable and should promptly cooperate  with law enforcement and judicial authorities in these countries to fight cybercrime. Iran, China and Russia further emphasized the need for criminal liability of legal persons, including service providers and other private organizations. In contrast, member states, including the EU, Japan and USA, were strictly against incorporating any obligations on the private sector. 

F. Other Issues

There was a broad consensus including EU, UK, Japan, Mexico, USA, Switzerland and others  on not reinventing the wheel but building on the work done under the UNCAC, UNCTOC, and the Budapest Convention. However, countries, including Egypt and Russian Federation, were skeptical over the explicit mention of the regional conventions, such as the Budapest Convention and its impact on the Member States, who are not a party to such a convention. 

The proposals for inclusion of a provision on asset recovery, and return of the proceeds of the crime elicited a lukewarm response by Egypt, Iran, Brazil, Russia, China, Canada, Switzerland, USA Jamaica on behalf of CARICOM countries, but appears likely to gain traction in forthcoming sessions.

3. Way Forward

Member countries are expected to submit their written contributions on criminalisation, general provisions, procedural measures, and law enforcement in the forthcoming month. These written submissions are likely to bring in more clarity about the expectations and key demands of the different member states. 

The upcoming sessions will also indicate how the demands put forth by developing, and least developing countries during the recently concluded first session are taken up in the negotiation process. Furthermore, it is yet to be seen whether these countries would chart out a path for themselves or get subsumed in the west and east binaries as seen in other multilateral fora dedicated to clarifying the rules governing cyberspace. 


Note: 

*The full recordings of the first session of the Ad-hoc Committee to elaborate international convention on countering the use of information and communications (ICTs) technologies for criminal purposes is available online and can be accessed on UN Web TV.

**The reader may also access more information on the first session of the Ad-hoc Committee here, here and here.

Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.” 

  1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.
  1. ATTRIBUTION 

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council  Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible. 

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory. 

As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory.  However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

  1. SOVEREIGNTY AND NON-INTERVENTION 

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An  example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner. 

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing ita clear violation of the rule of non-intervention.

In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.  

  1. CONCLUSION 

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 7: Use of Force in Modern Times: Sisyphus’ First World Boulder

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION 

In this post, we discuss a rather contentious point that whether in international law, a mere threat or use of force by a State against another State would give rise to a right of self-defense. 

For context Article 2(4) of the UN Charter provides for all member States to refrain from the threat of or the actual use of force which may threaten the territorial integrity or political independence of any other state. This provision is regarded to have a jus cogens character, i.e., binding on all States as a non-derogable one. Each Member State also has the positive duty to refrain from the use of force against other  States under international law.

Pursuant to Article 51 of the UN Charter, States which face a use of force at the level of an ‘armed attack’ have the right to exercise self-defense. An armed attack is when this force is used on a relatively large scale, is of sufficient gravity, and has a substantial effect. Dinstein states that armed attack presupposes a use of force producing serious consequences, epitomized by territorial intrusions, or human casualties or considerable destruction of critical infrastructure.

Photo by Kyle Glenn on Unsplash. Copyrighted under Unsplash license.

MEMBER STATE’S RIGHT TO SELF DEFENSE

We need to be aware that this right of self-defense does not manifest at every instance of use of force against another State. In certain instances victim States can instead exercise ‘countermeasures’ against the belligerent State. However, when this right of self-defense does manifest, it must abide by the doctrines of necessity and proportionality.

These doctrines were initially laid down in the aftermath of the Caroline incident of 1837, which has inadvertently governed the rules of use of force for nearly two centuries. Herein, the doctrine of necessity posits that an armed attack can only be responded to when there is no other alternative means to seeking viable redressal. Necessity requires that military action should be used only as a last resort. Then, the doctrine of proportionality provides that the size and scope of an armed attack shall determine the overall objective of the defensive responses. This leads to the conclusion that such action will only be towards self-defense and not retaliatory in nature or have a punitive outlook against the aggressor. The counter attack cannot be unreasonable or excessive and can only be carried out to repel or prevent an attack.

Thus, if we were to literally interpret the law, the answer would be that a mere threat or even a use of force that is not of a level of an armed attack does not give rise to the right of self-defense. However, a look at how State practice has shaped this understanding might lead to a different conclusion.

EMERGING FAULTLINES AND EXPANSION OF LEGAL INTERPRETATION OF RIGHT OF SELF-DEFENSE

The United States, with their invasion of Afghanistan for harboring terrorists in 2001 and the subsequent invasion of Iraq in 2003 for allegedly procuring weapons of mass destruction have posited a changed landscape to the  right of self-defense. American actions of ‘self-defense’ completely subvert the legal interpretation of the right being unavailable against threats and conventional use of force. Furthermore, it has led to the emergence of an anticipatory right to self-defense.

At the outset, it is observed that the opinion on the legality of such acts that anticipate armed attacks from threats or other information is divided. Some scholars (usually the ones who have a favorable outlook towards American and/or the Israeli Government actions) argue that the right to anticipatory self-defense is not only in consonance with customary international law but also with article 51 of the U.N Charter.

However, an anticipatory right of self-defense would actually be contrary to the wording of Article 51, since an armed attack must ‘occur’. In any case, Article 51 must be interpreted narrowly containing a prohibition of anticipatory self-defense as one of the purposes of the Charter was to reduce to a minimum the unilateral use of force. At the very least, States claiming the right will have to prove that they face an imminent attack.. It is ideal to have a ‘clear and convincing’ evidence of the same to avoid situations like that of the invasion of Iraq, which was initiated based on extremely faulty intelligence

There are checks and balances enshrined within Article 51 itself to ensure that this does not become a practice. Key mechanisms include the requirement or duty to report immediately to the Security Council when such an act is undertaken, which can act as a limitation on the exercise of self-defense. However, even this duty does not have the power to stop the states exercising such ‘rights’ as reporting to the Security Council is a mere procedural matter, and nonfeasance cannot technically deprive a state of the substantive right of self-defense or invalidate it.

Therefore, it can be said that the scope of the right to self-defense despite fair legal objections may have already expanded to practically include threats or even conventional uses of force not amounting to an ‘armed attack’. What becomes important now is to see how this right of a sovereign state will shape in the future. Towards this, there are two important questions that need to be answered. Firstly, whether this right can be exercised against non-state actors and secondly, can this right be exercised against a cyber-operation?

When the right of self-defense towards non-state actors is considered, the legal position seems pretty clear. The International Court of Justice itself has expressed that the inherent right of self-defense in the case of armed attack by one state is available only against another state.

The general understanding is that Article 51 of the Charter is an exception to the prohibition on the use of force as enshrined in Article 2(4). Given that Article 2(4) refers only to a ‘state’, its exception must also deal with the same. However, some do argue that while Article 2(4) of the Charter, in proscribing the use of force, refers solely to state actors on both sides.  On the other hand, Article 51 mentions a member only as the potential target of an armed attack. This means that the perpetrator of that armed attack is not identified necessarily as a state, especially during these times where it is not just State but non-State entities like terrorists that pose the significant threats to national security concerns of States.

Moreover, regardless of what the law states or what the law should be, the tacit acknowledgement of the Security Council, NATO and EU towards the American invasion of Afghanistan to attack Al Qaeda has given credence to the understanding that self-defense is available against non-State actors. Thus, contemporary state practice (of the first world countries) shows that non-State actors can be behind ‘armed attacks’ which can give rise to self-defense. The ‘pro-democracy’ opinion now states that self-defense against a non-State actor can be justified when the territorial State has manifestly and persistently been unwilling or unable to prevent such attacks in other States, like invasion of Afghanistan on the pretext that if they are harbouring terrorists, they are as liable as the terrorists themselves.

Coming to the second question of whether cyber-operations against a state can give a right to self-defense to that State, it is imperative to determine whether a cyber-operation is an armed attack (as per the prevailing legal view as there is no contrary contemporary state practice yet).

An ‘armed attack’ may not strictly require the use of kinetic weapons, but may, in principle, also be conducted by computers used by hackers. In order to reach this very threshold, the consequences and effects of the cyber-operation in question, must be compared to that of conventional use of force. These operations cannot be isolated or random acts of cyber-attacks and exercising the right against these one-off incidents are excluded from the scope of right to self-defense. Thus, the bar to classify a cyber-operation as an armed attack exists against which a right to self-defense will also exist. However, this bar must be considerably high and will not trigger when hypothetically Indian college students hack a Pakistani bank’s website as a one-off incident.

CONCLUSION

The high standard set is important to ensure that self-defense is not ‘exercised’ in a ubiquitous manner. However, the first world tells us that if the standard is too high and is creating an obstacle towards their political interests, the standard will be disregarded or modified accordingly making an effective set of laws a Sisyphean task. This is what happened to non-State actors, to threats and simple uses of force and will most likely happen to cyber-operations as well. 

Self-defense will be heavily exercised if doing so aligns with the political ideology of the State regardless of what the law states. The law understandably does not allow a State to exercise the right to self-defense against mere threats or even conventional uses of force. However, as we understand from a third-world vantage point of international law, the law is what the first world will allow it to be.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 6: The Legality of Lethal Autonomous Weapons Systems (“LAWS”)

Drishti Kaushik*

About the Author: The author is a final year student at the National Law University, Delhi. She has previously been associated with CCG as part of its summer school in March 2020 and has also worked with the Centre as a Research Assistant between September 2020 and March 2021. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

When a machine has the ability to perform certain tasks which typically require human intelligence it is known as Artificial Intelligence (AI). AI is currently used in a variety of fields and disciplines. One such field is the military where AI is viewed as a means to reduce human casualties.

One such use case is the development and use of Lethal Autonomous Weapons Systems (LAWS) or “killer robots” which can make life and death decisions without human intervention. Though the technology behind LAWS and its application remains foggy, LAWS have become a central point of debate globally. Several countries seek a complete preemptive ban on its use and development, by highlighting that technology to achieve such outcomes already exists. Other countries have expressed their preference for a moratorium on its development till there are universal standards regarding its production and usage. 

This piece examines whether LAWS are legal/lawful under International Humanitarian Law (IHL) as per the principles of distinction, proportionality and precautions. LAWS are understood as fully autonomous weapon systems that once activated, have the ability to select and engage targets without any human involvement. The author argues that it is premature to conclude LAWS as legal or illegal by hypothetically determining their compliance with extant humanitarian principles. Additionally, they pose ethical considerations and legal reviews under IHL that must be satisfied to determine the legality of LAWS. 

What are LAWS?

There is presently no universal definition of LAWS since the term ‘autonomous’ is ambiguous. ‘Autonomous’ in AI refers to the ability of a machine to make decisions without human intervention. The US’ Department of Defense issued a 2012 directive which defines LAWS as weapon systems that can autonomously or independently “select and engage targets without any human intervention” once activated. This means LAWS leave humans “out of the loop”. The “lack of human intervention” element is also present in definitions proposed by Human Rights Watch, the International Committee of the Red Cross (ICRC)  and the UK Defence Ministry. 

While weapon systems that are completely autonomous currently do not exist, the technology to develop the same does. There are near-autonomous weapons systems like Israel’s Iron Dome and the American Terminal High Altitude Area Defense that can identify and engage with incoming rockets. These are defensive in nature and protect sovereign nations from external attacks. Conversely, LAWS are weapon systems having offensive capabilities of pursuing targets. Some scholars recommend incentivizing defensive autonomous systems within the international humanitarian framework.

Even though there is no singular definition, LAWS can be identified as machines or weapon systems which once activated or switched on by humans have the autonomy to select and search for targets as well as engage or attack them without any human involvement in the entire selection and attacking process. The offensive nature of LAWS as opposed to the use of automated systems for defensive purposes is an important distinguishing factor for identifying LAWS. An open letter by Future of Life Institute calls for a ban on “offensive autonomous weapons beyond meaningful human control” instead of complete ban on AI in the military sector. This distinction between offensive and defensive weapons in the definition of LAWS was also raised in the Group of Governmental Experts on LAWS 2017 meet.

Autonomy and offensive characteristics are primary grounds behind demands for a complete ban on LAWS. Countries like Zimbabwe are uncomfortable with a machine making life and death decisions and others like Pakistan are worried about military disparities with technologically superior nations leading to an unfair balance of power.

There remains considerable uncertainty surrounding LAWS and its legality as weapons to be used in armed conflicts. Governance of these weapons, accountability, criminal liability and product liability are specific avenues of concern.

Autonomous anti-air unit by Pascal. Licensed under CC0.

Legal Issues under IHL

The legality of LAWS under IHL is observable at two levels: (a) development, and (b) deployment/use. 

Legal Review of New Weapons

The Geneva Convention provides for Legal Review of any new weapons or means of warfare under Article 36 of Additional Protocol I (“AP 1”) to determine whether the development of new weapons is in compliance with the Geneva Convention and customary international law. The weapon must not have an “indiscriminate effect” or cause “superfluous injury” or “unnecessary suffering” like chemical weapons.

The conduct of LAWS must have ‘predictability’ and ‘reliability’ for them to be legally deployed in armed conflicts. If not possible then the conduct of LAWS in the midst of conflict  may lead to “indiscriminate effect or superfluous injury or unnecessary suffering”. 

Principles of Distinction, Proportionality & Precautions 

LAWS must uphold the basic rule of distinction. LAWS should differentiate between civilians and military objects; and between those injured and those active in combat. Often even deployed troops are unable to successfully determine this and thus, programming LAWS to uphold the principle of distinction remains a challenge.

Second, LAWS must uphold the principle of proportionality. Civilian casualties, injury and destruction must not be excessive in comparison to the military advantage gained by the attack. Making such value judgments in the middle of intense battles is difficult. Programmers who develop LAWS may struggle to comprehend the complexities around these circumstances. Even when deploying deep learning, as machines recognise patterns, there might be situations when it first has to gain experience and those growing pains in technological refinement may lead to violations of the proportionality principle. 

Finally, LAWS must adhere to the principle of precaution. This is the ability to recall or suspend an act when it is not proportionate or harms civilians as opposed to military adversaries. The ability to deactivate or recall a weapon once deployed is tricky. There is general consensus that LAWS will fail to comply with these principles and violate the laws of armed conflict.

Conversely others argue that its autonomous characteristics are not enough to prove that LAWS violate IHL. Existing principles are enough to restrict the use of LAWS to situations where IHL is not violated. Furthermore, autonomous weapons might be able to wait till they are fired upon to determine whether a person is civilian or military as their sense of ‘self-preservation’ will not be as strong as that of human troops thereby complying with the principle of distinction. Moreover, they might be employed in the navy or other areas not open to civilians, thereby affording LAWS a lower threshold for compliance with IHL principles. Supporters contend that LAWS might calculate and make last minute decisions without any human subjective emotions allowing them to choose the best possible plan of action thereby respecting the principles of proportionality and precautions. 

Marten’s Clause 

Article 1 of AP I to the Geneva Conventions states that if certain cases are not covered under the Convention, then the civilians and the combatants are protected under “Customary International Law, principles of Humanity and Dictates of Public Conscience”. This has also been reiterated in the preamble of AP II of the Geneva Conventions. This is referred to as Marten’s Clause and provides the basis for ethical and moral aspects to the law of armed conflict. Since LAWS are not directly covered by the Geneva Convention, their development and use must be guided by Marten’s clause. Therefore, LAWS may be prohibited due to noncompliance with customary international law or principles of humanity or dictates of public conscience

LAWS cannot be declared illegal under customary international law since there is no defined state practice; as they are still being developed. The principles of humanity require us to examine questions about whether machines should have the ability to make life or death decisions regarding humans. Moreover, recent data suggests that dictates of public conscience may be skewed against the use of  LAWS. 

It might be early to term LAWS, which do not currently exist, as legal or illegal on the basis of compliance with the Geneva Convention. However, any discussion regarding the same must keep these legal and ethical IHL-related considerations in mind.

Present Policy Situation 

The legal issues relating to LAWS are recognised by the UN Office of Disarmament.  Under the Convention of Certain Conventional Weapons (CCW), a Group of Governmental Experts was asked to address the issues regarding LAWS. This group is yet to provide a singular definition of the term. However, it has recommended 11 guiding principles which were adopted by the High Contracting Parties to the CCW in 2019.

The first principle states that IHL shall apply to all autonomous weapons systems including LAWS. The second principle addresses accountability through “human responsibility” during decision making relating to the use of these systems. Further, any degree of human-machine interaction at any stage of development or activation must be in compliance with IHL. Accountability for development, deployment and use of these weapons must be as per IHL by ensuring there is a “chain of human command and control”. States’ obligation of ensuring a legal review for any new weapons is also reiterated.

The guidelines also state that cyber and physical risks, and the  risk of proliferation and acquisition by terrorists must be considered while developing and acquiring such weapons. Risk assessment and mitigation must also be made a part of the design and development of such weapons. Consideration must be given to compliance with IHL and other international obligations while using LAWS. While crafting policy measures, emerging technologies in LAWS must not be “anthropomorphized”. Discussions on LAWS should not hinder peaceful civilian innovations. The principles finally highlight the importance of balancing military needs and human factors under the CCW framework. 

The CCW also highlights the need for ensuring “meaningful human control” over weapon systems but does not define relevant criteria for the same. Additionally, there are different stages such as development, activation and deployment of autonomous weapons. Only a human can develop and activate the autonomous systems. However, deployment is determined by the  autonomous weapon on its own as per its human programming. 

Therefore, the question arises – will that level of human control over the LAWS’ programming be enough to qualify as meaningful human control? If not, will an override human command which may or may not be exercised allow for “meaningful human control”? These questions require further deliberation on what qualifies as “meaningful human control” and whether this control will even be enough given how rapidly AI is being developed. There is also a need to ensure that no bias is programmed into these weapons. 

While these guiding principles are the first step towards an international framework, there is still no universal/comprehensive legal framework to ensure accountability on LAWS.

 Conclusion

The legal, ethical and international concerns regarding LAWS must be addressed at a global level. A pre-emptive and premature ban might stifle helpful civilian innovation. Moreover, a ban will not be possible without the support of leading States like the US, Russia, UK. Conversely,  if the development of LAWS is left unregulated then it will make it easier for countries with LAWS to go to war. Moreover, development and deployment of LAWS will create a significant imbalance between the technologically advanced and technologically disadvantaged nations. Furthermore, no regulation may lead to the proliferation and acquisition of LAWS by bad actors for malicious, immoral and/or illegal purposes.

Since LAWS disarmament is not an option, control on LAWS is recommended. The issues with LAWS must be addressed at the international level by creating a binding treaty which incorporates a comprehensive definition of LAWS. The limits of autonomy must also be clearly demarcated along with other legal and ethical considerations. The principles of IHL including legal reviews must also be implemented. Till then, defense research centers around the world should incorporate AI in more “defensive” and “non-lethal” military machineries. Such applications could include disarming bombs or surveillance drones or smart borders instead of offensive and lethal autonomous weapons systems without any overriding human control.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are they cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern tools of weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm methods and ways of warfare are undergoing change. As internet technology develops we observe the advent/use of cyber weapons to carry out cyber warfare.

Cyber warfare through weapons that are built using technological know-how are low cost tools. Prominent usage of these tools is buttressed by wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm either by threat or material damage using computer codes or malware.

2007 Estonia Cyber Attack

For example during the Estonia –Russia conflict the conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian speaking population over this issue. On 26th and 27th April, 2007 the capital saw rioting, defacing of property and numerous arrests.

On the same Friday cyber attacks were carried out using low tech methods like Ping, Floods and simple Denial-of-Service (DoS) attacks. Soon thereafter on 30th April, 2007 the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large scale distributed denial of service (D-DoS) attacks to compromise 85 thousand computer systems and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM i.e. High-speed Anti Radiation missiles. It is a tactical air-to-surface anti radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once it is visible and identified as hostile it will reach its radar antenna or transmitter target, and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian Air defence system by blinding it. It attacked their Radar station in order not to display any information of Airplanes reaching their operators. 

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0.From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons in International law? To answer this question we can look at a specific branch of Public international law; namely International Humanitarian law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad Bellum – the principle which determines whether countries have a right to resort to war through an armed conflict,

Jus in bellothe principle which governs the conduct of the countries’ soldiers/States itself which are engaging in war or an armed conflict

Both principles are subjected to the Hague and Geneva Conventions with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva conventions are for situations concerning injuries, death, or in some cases  damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horse, Bugs, DSOS, malware HARM etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon its use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is Martens Clause. This clause says that even if some cases are not covered within conventional principles like humanity; principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of International law. Which means that attacks shall not see the effects but by how they were employed

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare is changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there is malware, bugs, D-DOS etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because it limits the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons

Another parallel is that in cyber attacks often there are unnecessary sufferings and discrimination in proportionality and the same goes for  traditional armed conflict. Therefore, both should be governed by the principles of IHL. 

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.


*The views expressed in the blog are personal and should not be attributed to the institution.

CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020

The Centre for Communication Governance at the National Law University Delhi (CCG) is grateful to the National Security Council Secretariat for this opportunity to make meaningful contributions to its mandate of formulating a futuristic National Cyber Security Strategy 2020 (NCSS). In response to the Call for Comments CCG apart from the comments below, CCG has separately submitted detailed comments to the Office of the National Cyber Security Coordinator.

Our comments are a result of original and thorough legal and policy research which draws upon multiple primary sources of information, including applicable domestic and international law and precedents, and a comparative study of the cyber security strategy and policy documents of 16 other countries. Secondary sources such as news reports, statistics on cybercrime and malicious cyber activity compiled and released by various Government departments and agencies and data on budgetary allocations released by the Union Government have also been relied on.

This submission is presented in six parts, supplemented by three annexures that provide insight into our sources, analysis and research methodology.

Part I introduces the background in which this strategy is being formulated, and presents a principled approach to the formulation of cybersecurity policy, that is driven by a coherent strategic framework constructed under the NCSS to guide it.

Part II presents an analysis of the landscape of existing and emergent threats that pose a risk to the cybersecurity of the entire nation. We do so with the objective of identifying areas that need to be accorded a higher priority in the formulation of the NCSS.

Parts III, IV and V correspond to the three pillars of strategy identified in the Call for Comments. Part III deals with the horizontal dimension of strategy and unpacks the contents of the first pillar, i.e., “Secure”, wherein we present for the consideration of the Secretariat, an original three-tiered model of the ‘national cyberspace’ as a roadmap to cyber sovereignty. We submit for consideration for the Secretariat, the adoption of the principle of peaceful uses of cyberspace to align with the nation’s goals of sustainable economic development, while being mindful of the gradual militarization of cyberspace by both state and non-state actors.

Part IV deals with the “Strengthen” pillar in which CCG examines the existing architecture for cybersecurity to analyse the vertical dimensions of strategy. Herein, we propose measures to strengthen institutions, process and capabilities relevant for cyber security.

Part V deals with the third pillar, namely, “Synergise”, which explains how the horizontal and vertical dimensions of the strategy can be integrated in order to optimize levels of inherent friction that could hinder the achievement of strategic and policy goals. We propose that synergies need to be identified and/or created at three levels. First, at the inter-ministerial level, among the government departments and agencies. Second, at the national level, for enhanced cooperation and strategic partnerships between the public and private sectors. Third, at the international level for enhanced cooperation and strategic partnerships with like-minded nations, geared towards building stronger national defences in cyberspace. In this part, we take the Government’s inclination to treat data a “public good” or “societal commons” to its logical conclusion and accordingly, propose a principled, common-but-differentiated-responsibility model between multiple stakeholders in the cybersecurity ecosystem for grounding public private partnerships and pooling of financial resources.

Part VI concludes this submission and presents the major findings, suggestions and recommendations of this submission.

The full text of the comments is available here.

The Pegasus Hack: A Hark Back to the Wassenaar Arrangement

By Sharngan Aravindakshan

The world’s most popular messaging application, Whatsapp, recently revealed that a significant number of Indians were among the targets of Pegasus, a sophisticated spyware that operates by exploiting a vulnerability in Whatsapp’s video-calling feature. It has also come to light that Whatsapp, working with the University of Toronto’s Citizen Lab, an academic research organization with a focus on digital threats to civil society, has traced the source of the spyware to NSO Group, an Israeli company well known both for developing and selling hacking and surveillance technology to governments with a questionable record in human rights. Whatsapp’s lawsuit against NSO Group in a federal court in California also specifically alludes to NSO Group’s clients “which include but are not limited to government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.” The complaint filed by Whatsapp against NSO Group can be accessed here.

In this context, we examine the shortcomings of international efforts in limiting or regulating the transfers or sale of advanced and sophisticated technology to governments that often use it to violate human rights, as well as highlight the often complex and blurred lines between the military and civil use of these technologies by the government.

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (WA) exists for this precise reason. Established in 1996 and voluntary / non-binding in nature[I], its stated mission is “to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.”[ii] Military advancements across the globe, significant among which were the Indian and Pakistani nuclear tests, rocket tests by India and South Korea and the use of chemical warfare during the Iran-Iraq war, were all catalysts in the formulation of this multilateral attempt to regulate the transfer of advanced technologies capable of being weaponized.[iii] With more and more incidents coming to light of authoritarian regimes utilizing advanced western technology to violate human rights, the WA was amended to bring within its ambit “intrusion software” and “IP network surveillance systems” as well. 

Wassenaar: A General Outline

With a current membership of 42 countries (India being the latest to join in late 2017), the WA is the successor to the cold war-era Coordinating Committee for Multilateral Export Controls (COCOM) which had been established by the Western Bloc in order to prevent weapons and technology exports to the Eastern Bloc or what was then known as the Soviet Union.[iv] However, unlike its predecessor, the WA does not target any nation-state, and its members cannot exercise any veto power over other member’s export decisions.[v] Notably, while Russia is a member, Israel and China are not.

The WA lists out the different technologies in the form of “Control Lists” primarily consisting of the “List of Dual-Use Goods and Technologies” or the Basic List, and the “Munitions List”.[vi] The term “dual-use technology” typically refers to technology that can be used for both civilian and military purposes.[vii] The Basic List consists of ten categories[viii]

  • Special Materials and Related Equipment (Category 1); 
  • Materials Processing (Category 2); 
  • Electronics (Category 3); 
  • Computers (Category 4); 
  • Telecommunications (Category 5, Part 1); 
  • Information Security (Category 5, Part 2); 
  • Sensors and Lasers (Category 6); 
  • Navigation and Avionics (Category 7); 
  • Marine (Category 8); 
  • Aerospace and Propulsion (Category 9). 

Additionally, the Basic List also has the Sensitive and Very Sensitive Lists which include technologies covering radiation, submarine technology, advanced radar, etc. 

An outline of the WA’s principles is provided in its Guidelines & Procedures, including the Initial Elements. Typically, participating countries enforce controls on transfer of the listed items by enacting domestic legislation requiring licenses for export of these items and are also expected to ensure that the exports “do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities.[ix]

While the Guidelines & Procedures document does not expressly proscribe the export of the specified items to non-WA countries, members are expected to notify other participants twice a year if a license under the Dual List is denied for export to any non-WA country.[x]

Amid concerns of violation of civil liberties

Unlike conventional weapons, cyberspace and information technology is one of those sectors where the government does not yet have a monopoly in expertise. In what can only be termed a “cyber-arms race”, it would be fair to say that most governments are even now busily acquiring technology from private companies to enhance their cyber-capacity, which includes surveillance technology for intelligence-gathering efforts. This, by itself, is plain real-politik.

However, amid this weaponization of the cyberspace, there were growing concerns that this technology was being purchased by authoritarian or repressive governments for use against their citizens. For instance, Eagle, monitoring technology owned by Amesys (a unit of the French firm Bull SA), Boeing Co.’s internet-filtering Narus, and China’s ZTE Corp. all contributed to the surveillance efforts by Col. Gaddafi’s regime in Libya. Surveillance technology equipment sold by Siemens AG and maintained by Nokia Siemens Networks were used against human rights activists in Bahrain. These instances, as part of a wider pattern that came to the spotlight, galvanized the WA countries in 2013 to include “intrusion software” and “IP network surveillance systems” in the Control List to attempt to limit the transfer of these technologies to known repressive regimes. 

Unexpected Consequences

The 2013 Amendment to the Control Lists was the subject of severe criticism by tech companies and civil society groups across the board. While the intention behind it was recognized as laudable, the terms “intrusion software” and “IP network surveillance system” were widely viewed as over-broad and having the unintended consequence of looping in both legitimate as well as illegitimate use of technology. The problems pointed out by cybersecurity experts are manifold and are a result of a misunderstanding of how cybersecurity works.

The inclusion of these terms, which was meant to regulate surveillance based on computer codes / programmes, also has the consequence of bringing within its ambit legitimate and often beneficial uses of these technologies, including even antivirus technology according to one view. Cybersecurity research and development often involves making use of “zero-day exploits” or vulnerabilities in the developed software, which when discovered and reported by any “bounty hunter”, is typically bought by the company owning the software. This helps the company immediately develop a “patch” for the reported vulnerability. These transactions are often necessarily cross-border. Experts complained that if directly transposed to domestic law, the changes would have a chilling effect on the vital exchange of information and research in this area, which was a major hurdle for advances in cybersecurity, making cyberspace globally less safer. A prime example is HewlettPackard’s (HP)  withdrawal from Pwn2Own—a computer hacking contest held annually at the PacSecWest security conference where contestants are challenged to hack into / exploit vulnerabilities on widely used software. HP, which sponsored the event, was forced to withdraw in 2015 citing the “complexity in obtaining real-time import /export licenses in countries that participate in the Wassenaar Arrangement”, among others. The member nation in this case was Japan.

After facing fierce opposition on its home soil, the United States decided to not implement the WA amendment and instead, decided to argue for a reversal at the next Plenary session of the WA, which failed. Other nations, including the EU and Japan have implemented the WA amendment export controls with varying degrees of success.

The Pegasus Hack, India and the Wassenaar

Considering many of the Indians identified as victims of the Pegasus hack were either journalists or human rights activists, with many of them being associated with the highly-contentious Bhima-Koregaon case, speculation is rife that the Indian government is among those purchasing and utilizing this kind of advanced surveillance technology to spy on its own citizens. Adding this to the NSO Group’s public statement that its “sole purpose” is to “provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime”, it appears there are credible allegations that the Indian government was involved in the hack. The government’s evasiveness in responding and insistence on so-called “standard operating procedures” having been followed are less than reassuring.

While India’s entry to the WA as its 42nd member in 2018 has certainly elevated its status in the international arms control regime by granting it access to three of the world’s four main arms-control regimes (the others being the Nuclear Suppliers’ Group / NSG, the Missile Technology Control Group / MTCR and the Australia Group), the Pegasus Hack incident and the apparent connection to the Indian government shows us that its commitment to the principles underlying the WA is doubtful. The purpose of the inclusion of “intrusion software” and “IP network surveillance system” in the WA’s Control Lists by way of the 2013 Amendment, no matter their unintended consequences for legitimate uses of such technology, was to prevent governmental purchases exactly like this one. Hence, even though the WA does not prohibit the purchase of any surveillance technology from a non-member, the Pegasus incident arguably, is still a serious detraction from India’s commitment to the WA, even if not an explicit violation.

Military Cyber-Capability Vs Law Enforcement Cyber-Capability

Given what we know so far, it appears that highly sophisticated surveillance technology has also come into the hands of local law enforcement agencies. Had it been disclosed that the Pegasus software was being utilized by a military wing against external enemies, by, say, even the newly created Defence Cyber Agency, it would have probably caused fewer ripples. In fact, it might even have come off as reassuring evidence of the country’s advanced cyber-capabilities. However, the idea of such advanced, sophisticated technologies at the easy disposal of local law enforcement agencies is cause for worry. This is because while traditionally the domain of the military is external, the domain of law enforcement agencies is internal, i.e., the citizenry. There is tremendous scope for misuse by such authorities, including increased targeting of minorities. The recent incident of police officials in Hyderabad randomly collecting biometric data including their fingerprints and clicking people’s pictures only exacerbates this point. Even abroad, there already exist on-going efforts to limit the use of surveillance technologies by local law enforcement such as the police.

The conflation of technology use by both military and civil agencies  is a problem that is created in part at least, by the complex and often dual-use nature of technology. While dual use technology is recognized by the WA, this problem is not one that it is able to solve. As explained above, dual use technology is technology that can be used for both civil and military purposes. The demands of real-politik, increase in cyber-terrorism and the manifold ways in which a nation’s security can be compromised in cyberspace necessitate any government in today’s world to increase and improve its cyber-military-capacity by acquiring such technology. After all, a government that acquires surveillance technology undoubtedly increases the effectiveness of its intelligence gathering and ergo, its security efforts. But at the same time, the government also acquires the power to simultaneously spy on its own citizens, which can easily cascade into more targeted violations. 

Governments must resist the impulse to turn such technology on its own citizens. In the Indian scenario, citizens have been granted a ring of protection by way of the Puttaswamy judgement, which explicitly recognizes their right to privacy as a fundamental right. Interception and surveillance by the government while currently limited by laid-down protocols, are not regulated by any dedicated law. While there are calls for urgent legislation on the subject, few deal with the technology procurement processes involved. It has also now emerged that Chhattisgarh’s State Government has set up a panel to look into allegations that that NSO officials had a meeting with the state police a few years ago. This raises questions of oversight in the relevant authorities’ public procurement processes, apart from their legal authority to actually carry out domestic surveillance by exploiting zero-day vulnerabilities.  It is now becoming evident that any law dealing with surveillance will need to ensure transparency and accountability in the procurement of and use of the different kinds of invasive technology adopted by Central or State authorities to carry out such surveillance. 


[i]A Guide to the Wassenaar Arrangement, Daryl Kimball, Arms Control Association, December 9, 2013, https://www.armscontrol.org/factsheets/wassenaar, last accessed on November 27, 2019.

[ii]Ibid.

[iii]Data, Interrupted: Regulating Digital Surveillance Exports, Tim Maurerand Jonathan Diamond, November 24, 2015, World Politics Review.

[iv]Wassenaar Arrangement: The Case of India’s Membership, Rajeswari P. Rajagopalan and Arka Biswas, , ORF Occasional Paper #92 p.3, OBSERVER RESEARCH FOUNDATION, May 5, 2016, http://www.orfonline.org/wp-content/uploads/2016/05/ORF-Occasional-Paper_92.pdf, last accessed on November 27, 2019.

[v]Ibid, p. 3

[vi]“List of Dual-Use Goods and Technologies And Munitions List,” The Wassenaar Arrangement, available at https://www.wassenaar.org/public-documents/, last accessed on November 27, 2019. 

[vii]Article 2(1), Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast), European Commission, September 28th, 2016, http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf, last accessed on November 27, 2019. 

[viii]supra note vi.

[ix]Guidelines & Procedures, including the Initial Elements, The Wassenaar Arrangement, December, 2016, http://www.wassenaar.org/wp- content/uploads/2016/12/Guidelines-and-procedures-including-the-Initial-Elements-2016.pdf, last accessed on November 27, 2019.

[x]Articles V(1) & (2), Guidelines & Procedures, including the Initial Elements, The Wassenaar Arrangement, December, 2016, https://www.wassenaar.org/public-documents/, last accessed on November 27, 2019.