The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week II of the Fifth Substantive Session

Sukanya Thapliyal

In Part I of the two-part blog series, we briefed our readers on the developments that took place in the first week of the Fifth Session of the Ad-Hoc Committee. In Part II of the series, we aim to capture the key discussion on provisions on (i) technical assistance, (ii) preventative measures, (iii) final provisions and (iv) the Preamble.

1. Provisions on Technical Assistance:

The Chapter on Technical Assistance listed down provisions including, general principles of technical assistance, and provision setting the scope of technical assistance (Training and technical assistance, exchange of information, and implementation of the Convention through economic development and technical assistance). The provisions listed under this Chapter highlight the importance of technical assistance and capacity building for developing countries. Further, the provisions also lay down obligations and responsibilities on the State Parties to initiate, develop and implement the widest measure of technical assistance and capacity-building that includes material support, training, mutual exchange of relevant experience and specialised knowledge, among others. 

All of the Member Countries and non-member Observer States were in agreement on the importance of the Chapter on technical assistance as an essential tool in combating and countering cybercrime. Technical assistance and capacity building helps in developing resources, institutional capacity, policies and programmes that help in mitigating and preventing cybercrime. A number of developing countries including, Iran, China, Nigeria, South Africa provided suggestions such as inclusion of “transfer of technology” and “technical assistance” to the existing text of the provisions in order to effectively broaden the scope of the chapter. 

On the other hand, several developed countries, including the United Kingdom, Germany, Japan, Norway, and Australia emphasised that provisions relating to technical assistance and capacity building should be voluntary in nature and should avoid an overly prescriptive approach. It should rather be based on mutual trust, be demand-driven, and correspond to nationally identified needs and priorities. These State Parties accordingly provided alternative provisions on similar lines for the said Chapter for the consideration of Member Countries and the Chair. 

The fifth session of the Ad-Hoc committee witnessed advanced discussions on technical assistance. Previously, technical assistance was discussed in the third session of the ad-hoc committee where discussions primarily revolved around the submission/ proposals from the Member Countries and non-member observer States. The CND presented ahead of the fifth session was well articulated and neatly organised into various provisions outlining the scope and mechanisms for technical assistance and capacity building to meet the objectives of the Convention.

2. Provisions on Preventative Measures: 

The provisions charted out under the Chapter on the Preventative Measures (Article 91 to 93 of CND) included general provisions on prevention, establishment of authorities responsible for preventing and combating cybercrime, and prevention and detection of transfers of proceeds of cybercrime. The chapter underscores the role of effective preventative measures and substantial impact of these measures in attaining the objectives of the proposed convention and reducing the immeasurable financial losses incurred by the States due to cybercrime. 

Majority of State Parties signalled their support on inclusion of the chapter on Preventative Measures. In addition, non-member observer States and the Member States including European Union, Netherlands, United Kingdom, Australia, New Zealand, Canada, United States of America made interesting proposals on building effective and coordinated policies for prevention of cybercrime. These Member Countries argued in favour of broadening the current understanding of the term “vulnerable groups”, inclusion of the reference of international human rights, and advocated for developing, facilitating and promoting programmes and activities to discourage persons at risk of committing cybercrime.  

There were interesting proposals aimed at strengthening cooperation between law enforcement agencies and relevant entities (private sector, academia, non-governmental organizations and general public) to counter gender-based violence and mitigate the dissemination of children sexual abuse and exploitation material online. The Member Countries also supported the proposal for Offender Prevention Programmes aimed at preventing (repeated) criminal behaviour among (potential) offenders of cyber-dependent crime.

Member Countries such as China submitted in favour of inclusion of classified tiered measures to provide multi-level protection schemes for cybersecurity. They also called for legislative and other measures to require service providers in their respective territory to take active preventive and technical measures. 

The discussions undertaken in the fifth session of the Ad-Hoc committee were based on the text provided under the CND in the form of concrete provisions wherein various participants provided their detailed submissions on the text. The session also witnessed new proposals on technical assistance such as multi-level protection schemes for cybersecurity, 24*7 network, preventive monitoring to timely detect, suppress and investigate crimes by different Member Countries.

3. Final Provisions

The Chapter on Final Provisions (Article 96-103 of the CND) listed crucial provisions namely, implementation of the Convention, relation with protocols, settlement of disputes concerning the interpretation or implementation of the Convention, and the signature, ratification, acceptance, approval and accession to the Convention. The CND also included provisions relating to the date of enforcement and procedure of amendment to the Convention. 

The Member States and non-members observer States unanimously recognised the importance of the provisions listed under the Chapter on Final Provisions. The non-member observer State and the Member Countries, including the United States of America, Singapore, European Union and others, emphasised that the provision listed under the CND should be in conformity with the existing legal instruments and other existing regional conventions. 

Member Countries such as China and Russia also recognised the importance of the existing legal frameworks. However, these countries further reminded the State Parties that comprehensiveness and universality are the twin goals of this Convention. Therefore, these countries stressed on the need for a “harmonious approach” or a “mutually reinforcing approach” regarding the same. 

Beside this, the Member States also showcased divergent opinions on the minimum number of ratification required for the Convention to come into force. Member Countries, including USA, Norway, New Zealand, Singapore and Canada, have opted for at least 90 ratifications. Member Countries, including Russia, Egypt, China, Brazil, India, and Nigeria, have supported thirty ratifications. Beside these, Japan, United Kingdom, European Union, Ghana and others have opted for forty to fifty ratifications as reasonable for the proposed Convention to come into force. 

The Member Countries supporting wider ratification have submitted that the support of a large number of Member States is indispensable for the success of the prospective Convention. On the other hand, the Member Countries supporting 30 ratifications have focused on the urgency of action in respect of cybercrime and therefore have supported a minimum number of ratifications to get the Convention up and running at the earliest.

Aside from this, Member Countries such as Mexico floated an interesting proposal to devise and incorporate Technical Annexes for ensuring that this Convention adapts and responds adequately to new and emerging challenges. The proposal garnered significant support from other State Parties. 

4. Preamble of the Convention

The CND tabled for the fifth session also featured the draft Preamble for the Convention. Member Countries and non-member observer States unanimously agreed on the inclusion of the Preamble to the prospective convention. The Member Countries maintained that the Preamble is an integral part of the convention and features the purpose and intention of the Convention. 

At the same time, several Member Countries stated that the draft Preamble provided under the CND can be improved further in order to bring more clarity. The Member Countries accordingly provided a wide range of suggestions regarding the same. 

Member Countries such as CARICOM, Norway, Dominican Republic, Kenya, Brazil, suggested that the Preamble should highlight the challenges and opportunities (negative economic and social implications) faced by the Countries with regard to information and communications technologies. Member States including Mexico, New Zealand, Singapore and others proposed the inclusion of – promotion of open, secure, stable, accessible and peaceful cyberspace, application of international law and human rights – in the Preamble of the CND. 

Additionally, Member States suggested the inclusion of denying safe havens to those who engage in cybercrime, prosecuting cybercrimes, international cooperation, collection and sharing of evidence, recovering and returning proceeds of cybercrime, technical assistance and capacity building as key objectives of the Convention. The Member States also recognised the seriousness of use of information and communications technologies violence against women and girls and children; consequently, they called for the inclusion of these concerns in the Preamble of the prospective Convention. 

Way Forward 

The intensive discussion between the Chair, Member States and non-member observer States on various agenda items culminated in the text of the CND being revised. The views expressed will be taken into consideration by the Chair in developing a more advanced draft text of the convention, in accordance with the road map and mode of work for the Committee, adopted at its first session (A/AC.291/7, annex II).

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Week I of the Fifth Substantive Session.

By Sukanya Thapliyal

Introduction

Last month from April 11-21, 2023, the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies (ICTs) for Criminal Purpose held its Fifth Session in Vienna. As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND).

The Fifth session of the Ad Hoc Committee was aimed at conducting the second reading of the provisions of the CND which are as follows – 1] international cooperation, 2] technical assistance, 3] preventative measures 4] mechanism of implementation 5] the final provisions, and 6] the preamble. Much like previous sessions, Member States, and non-member observer States were supported and facilitated by the Chair, the Secretariat and multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector.

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the Fifth substantive session of the Ad-hoc Committee. Part I of the blog captures the consultations and developments concerning the draft chapter on International Cooperation. In addition, we also attempt to familiarise readers with the emerging points of convergence and divergence of opinions among different Member States, non-member observer States and implications for the future negotiation process.

In part II of the blog series, we will be laying out the discussions and exchanges on (i) preventive measures, (ii) technical assistance, (iii) the final provisions; and (iv) the preamble.

Provisions on International Cooperation (Agenda Item 4)
The Chapter on International Cooperation provided under the CND lists 28 provisions subdivided into seven clusters that include a range of provisions such as – 1] general principles on international cooperation and personal data 2] provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceeding 3] general principles and procedure relating to mutual legal assistance 4] provisions relating to expedited preservation and sharing of data and 5] provisions on law enforcement cooperation

Some of our key observations from Week 1 on different draft provisions listed under Chapter on International Cooperation are as follows:

Cluster 1: General principles of international cooperation and protection of personal data

Cluster 1 provisions provided under the chapter on international cooperation listed two provisions namely: (i) General principles of international cooperation and (ii) Protection of personal data.

(i) The general principles of international cooperation: This is an overarching provision applicable to the chapter on international cooperation. The said provision mandates the State Parties to cooperate in matters relating to preventing, detecting, investigating, prosecuting and adjudicating cybercrime. The scope of international cooperation also includes collecting, obtaining, preserving and sharing evidence and is based on the principle of reciprocity and in accordance with the domestic laws of the State parties.

The Member States were broadly in consensus on inclusion of general principles on international cooperation. However there was some disagreement. Some states including European Union, Canada, New Zealand, Australia proposed for narrow application of the chapter extending only to the offences criminalised under the proposed Convention. On the other hand, member Countries including India, and Colombia, were in favour of broader application of the Convention extending to range of cybercrime.

Further, several State Parties including the European Union, United Kingdom, Australia and New Zealand also proposed for the mentioning of personal data protection, grounds for refusal of request for extradition or providing assistance within the provision on general principles.

(ii) Protection of Personal Data: The provision on protection of personal data obligates the State Parties to ensure that personal data transmitted on the basis of a request made in accordance with the Convention should only be used for stated purposes such as investigations or proceedings concerning criminal offences and should adhere to data minimisation and purpose limitation. The provision also mandates the State Parties to ensure that such data is protected against loss or accidental or unauthorised access, disclosure, alteration or destruction.

Majority of State Parties were in agreement on inclusion of provision on personal data protection. However, a few Member States including CARICOM, China, Iran, Singapore and the United States were not in agreement on inclusion of this provision stating lack of relevance of the provision to the Convention.

Non-member observer European Union proposed an alternate provision on protection of personal data. The said proposal included a more elaborate set of obligations for the State Parties relating to maintenance of accurate and complete personal data, periodic review of the need for the storage of personal data, requirement for publication of general notices to the persons whose personal data have been collected and provision for effective judicial and non-judicial remedies to provide redressal to affected person.

Cluster 2: Provisions relating to extradition, transfer of sentenced persons and transfer of criminal proceedings

The provision relating to extradition under Cluster 2 under the chapter on international cooperation deals in extradition of a person who is the subject of the request for extradition is present in the territory of the requested State Party. The provision requires that extradition is permissible where extradition sought is punishable under the domestic law of both the requesting State Party and the requested State Party.

A large number of Member States were in agreement on inclusion of the said provision. Additionally, Member States including Nicaragua proposed the addition of political offence and offences punishable with death penalty under domestic laws as grounds of refusal for request of extradition. Beside this, several new proposals regarding expedited extradition, temporary surrender, surrender of property were also placed by Member Countries including Armenia.

Cluster 4- General principles and procedures relating to mutual legal assistance

Cluster 4 of the chapter on international cooperation included provision relating to general principles and procedures relating to mutual legal assistance, establishment of electronic databases on mutual legal assistance requests, spontaneous information, emergency mutual legal assistance, and 24/7 network. The provision outlining general principles laid down the scope, general rules and grounds for refusal of mutual legal assistance. The provision relating to maintaining electronic databases aimed to facilitate access to statistics relating to incoming and outgoing requests for mutual legal assistance involving electronic evidence. Besides this, the provisions relating to spontaneous information, emergency mutual legal assistance, and 24/7 network were also included within the text of CND to set up an effective and efficient system in place.

The Member States were broadly in agreement on inclusion of these provisions within the text of the prospective Convention. In addition, Member States including the European Union, United Kingdom, New Zealand and others proposed some additional grounds for refusal of mutual legal assistance, namely: refusal of request wherein the person affected is in danger being subjected to the death penalty, a life sentence without possibility of parole, torture, inhuman or degrading treatment or where the offence is political in nature.

Cluster 5: Provision relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data and others

The cluster 5 provision placed under chapter on international cooperation listed provisions relating to mutual legal assistance in expedited preservation of data, stored computer data, expedited disclosure of preserved traffic data, accessing stored computer data, and cross-border access to stored data.

A large number of Member States were in agreement on inclusion of these provisions. In addition, there were new proposals relating to Mutual legal assistance in the expedited disclosure of preserved traffic data and expedited production of subscriber information and traffic data by Pakistan and India respectively. The said inclusion was opposed by the United States of America, the European Union, New Zealand, Canada and others.

Cluster 6- Provisions related to law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques

The provisions listed under Cluster 6 of the Chapter on international cooperation include obligations relating law enforcement cooperation, public-private partnership to enhance investigation of cybercrime, joint investigations and special investigative techniques, among others. The provision on law enforcement cooperation laid the obligation on the State Parties to cooperate closely to enhance the effectiveness of law enforcement action to combat cybercrime. The provision on public-private partnership assists their respective law enforcement agencies in developing appropriate guidelines and cooperating directly with relevant service providers to streamlining cooperation with industry. Further the CND also featured provisions on joint investigations, cooperation through special investigative techniques such as electronic or other forms of surveillance and undercover operations by its competent authorities to provide a lawful basis for collection of such evidence for use in investigations and prosecutions.

The provisions listed under cluster 6 enjoy support by multiple State Parties. However, some of the Member States including the European Union, the United States of America, Japan, Singapore, Canada, Norway, China and others have opposed the inclusion of provision Public-private partnerships to enhance the investigation of cybercrime.

Conclusion

Since the First Session of the Ad-Hoc Committee, the Member Countries have come a long way in arriving at a CND wherein the negotiations are now taking place in a more concrete and cohesive manner. Although Member Countries are still exhibiting diverse views on several provisions, the discussions have arrived at a crucial stage. The sixth session of the Ad-hoc committee is likely to be a watershed moment for the cybercrime convention in defining the finalised text of the convention that will be placed before the 78th session of the United Nation General Assembly in September 2023.

CCG-NLUD’s Statement on International Cooperation to the Fifth Session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes

Sukanya Thapliyal

As an accredited stakeholder to the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”), CCG-NLUD recently participated in the Fifth Session of this key process setting the stage for first universal and legally binding convention on cybercrime.

As we reported earlier, the negotiating process has reached a pivotal stage, wherein the Member Countries are negotiating on the basis of a Consolidated Negotiating Document (CND). The CND is prepared by the Chair of the Ad Hoc Committee and succinctly incorporates various views, proposals, and submissions made by the Member States at previous sessions of the Committee.

The previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and intense discussions on provisions relating to criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others.

The Fifth Session of the Ad hoc Committee is aimed to discuss the preamble, provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions. Besides the Member Countries, the multistakeholder group consisting of global and regional intergovernmental organisations, civil society organisations, academic institutions and the private sector are also weighing-in with their inputs to support and contribute to the process.

CCG-NLUD, welcomes the opportunity to submit its comments/ inputs on the present text of “Consolidated negotiating document on the preamble, the provisions on international cooperation, preventive measures, technical assistance and the mechanism of implementation and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.” CCG-NLUD presented the following statement on the “provision on international cooperation.”

The provisions on “international cooperation” are the crucial aspects of the Convention as it aims to encourage both formal and informal means of international cooperation for (i) investigation and prosecution of offences covered under this convention as well as (ii) collection of evidence in electronic form of a criminal offence. The CND also draws from common and well understood principles and standards in the areas of extradition, mutual legal assistance, transfer of criminal proceedings, and other effective measures, while being conversant with the divergent realities of participating member countries.

The CND text lays down general principles of international cooperation, specific provisions on extradition, transfer of sentenced persons and detailed provisions detailing mutual legal assistance amongst state legal enforcement agencies. The CND also recognises that the various provisions laid down under the chapter on international cooperation are aligned with the international human rights regime and ensure adequate protection to human rights and other fundamental freedoms.

The chapter aptly lays down the overarching principles in relation to international cooperation for it broadly outlines the scope and objective of international cooperation and recognises that power and procedure outlined under the Chapter are subject to conditions and safeguards pertaining to protection of human rights. The chapter also includes specific provisions relating to protection of personal data transmitted from one State to another and instils other important requirements such as purpose limitation and data minimisation to reduce harms manifesting to individuals.

CCG-NLUD is broadly in agreement with the above-mentioned provisions under the chapter on International Cooperation. However, we conveyed several reservations and concerns as explained below –

In light of the fact that the powers and procedures laid down in the chapter are highly intrusive and interfering, the scope of international cooperation should be restricted to a narrow set of cyber-dependent crimes that satisfy the criteria of “dual criminality”. Further, the chapter should expressly mention “applicable human rights instruments” and other necessary safeguards for protection of human rights and other fundamental freedoms. This will ensure that power and procedure laid out in this chapter are subject to adequate restrictions to protect against potential human rights abuses.

The provision on extradition should apply only in cases of “serious crimes” that include offences punishable by maximum deprivation of liberty of at least four years or a more serious penalty as defined under United Nations Convention Against Transnational Organized Crime (UNTOC). The Convention should enumerate sufficient evidentiary basis required for extradition and should also make specific references to the applicable international legal instruments such as International Covenant on Civil and Political Rights (UN ICCPR) and the UN Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment and ensure adequate protection to human rights and other fundamental freedoms.

The powers and procedures laid down under the Convention mandates the State Parties develop guidelines in relation to the format and duration of preservation of digital evidence and information for service providers. We note that such an authority should not result in data retention for indefinite periods and should not unnecessarily interfere with the data minimisation efforts of service providers. It is important that such guidelines incorporate ex-ante procedures that require independent judicial authorisation, provision for adequate and timely notice to users, measures that are strictly necessary and proportionate to stated aims and an efficient mechanism for redressal, appeal, and review.

Readers can learn more about our submission on international cooperation below:

oral_submission_agenda-item-4_international_cooperation_ccg-nlu-delhi_-to-the-fifth-session-of-ad-hoc-committee-on-cybercrime-1-1.docxDownload

Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from government and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle-attack, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them. 

Although we lack a uniform and a neat understanding and approach towards addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. The cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is of cyber-enabled crimes that are traditional crimes whose scope, scale and severity is greatly impacted by the use of computers, computer networks and other devices. Examples include: cyber fraud, cyberterrorism, online child sexual abuse or exploitation material, among others. 

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussion around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. 

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/ E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention. 

International legal instruments (identified above) address an extensive range of cybercrime and criminalised both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered include, offences related to child pornography, crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes include offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology which are covered by a miniscule number of convention (such as League of Arab States Convention on Combating Information Technology Offences). 

3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. The cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what it constitutes due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly- worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work is not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals. 

4. Way Forward and Suggested Solutions 

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and lack of sufficient exceptions can be attributed as primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario where it is hard to build consensus in fractious issues as this, and urgency of action in respect of the threat faced by Member States, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address the cyber-enabled crimes though civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedom. 

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session (Part II)

Sukanya Thapliyal

Introduction 

In Part I of this two-part blog series, we provided our readers a brief overview and observations from the discussions pertaining to the second reading of the provisions on criminalisation of offences under the proposed convention during the Fourth Session of the Ad-hoc Committee. In Part II of the series, we will be laying down our reflections and learnings from the discussions that were held in regard to: (i) General Provisions; and (ii) Provisions on Procedural Measures and Legal Enforcement. We also attempt to familiarise the reader with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process.

1. General Provisions 

Chapter 1 of the Consolidated Negotiating Document (CND) includes five articles: statement and purposes (article 1), use of terms (article 2), scope and application (article 3), the protection of sovereignty (article 4), and protection of human rights (article 5). In the first round of discussions on General Provisions, the Member Countries, the European Union, in its capacity as observer, and the observers for non-member States provided their preliminary views on different provisions so as to allow the Secretariat to identify provisions that enjoy broad support and others where participants held divergent views. 

Round 1 Discussions

1. Points of Agreement  (Advanced to Second Round of Discussions)

A majority of the participants held positive views on the provisions enlisted under the General Provisions. They sought to strengthen several of these provisions. For example: developing countries including Iran, Jamaica (on behalf of the Caribbean Community), South Africa, and Egypt were in favour of a more elaborate and strongly worded provision on technical assistance. Similarly, several countries including, European Union, Japan, USA, Switzerland, New Zealand, Canada, and others sought (i) strong safeguards for protection of human rights and other fundamental freedoms and (ii) mainstreaming of gender perspective and (iii) consideration of persons and groups vulnerable to cybercrime. 

2. Points of Disagreement  (Subject to Co-facilitated Informal Negotiations)

The discussion witnessed divergences in relation to Article 2 (Use of Terms) of the CND. Countries including India and Russia were in favour of usage of the term “ICT” over “cybercrime” as the former is wider in nature and has been used in UN General Assembly-Resolution 74/247 that established the mandate for the Ad-Hoc Committee. On the other hand, countries including the USA, Japan, Israel, and others were in favour of “cybercrime” for being more widely understood and recognised under the domestic legal framework of various countries and already employed under several international legal instruments. The chair, therefore, took up the decision to pursue the deliberation on the said provision in the co- facilitated informal consultations under the able leadership of Mr H.E. Mr. Rapulane Sydney Molekane, Ambassador and Permanent Representative of South Africa to the United Nations, Vienna, and Mr. Eric Do Val Lacerda Sogocio, Counsellor, Permanent Mission of Brazil to the United Nations, Vienna, and Vice-Chair of the Ad Hoc Committee.

3. Co-Facilitated Informal Consultations 

The co-facilitated informal consultations witnessed detailed deliberations on the use of terminologies to be defined under the draft Convention. The deliberations represented initial exchange of views without prejudice to the future informal discussion. They shall continue ahead of, during and beyond the 5th session to allow for a common understanding on key terms in order to facilitate consensus on several provisions throughout the text of the future convention.

Round 2 Discussions

Further, in the second round of discussion on provisions that enjoy wider support, the participants brainstormed on the final language of the provisions. Several Member Countries proposed terms/ phrases and even provisions that they considered more reflective of their needs and preferences. For instance: Member Countries including Russia, Tajikistan and India proposed the usage of “detect, prevent, suppress and investigate cybercrime/ use of ICTs for criminal use” in place of “prevent and combat cybercrime/ use of ICTs for criminal use.” In addition, India also proposed the usage of “the collection and sharing of electronic and digital information/evidence” in place of “collection of electronic evidence”. Further, countries including Malaysia, Honduras and Singapore proposed for “proper balance between the interests of law enforcement and the respect for fundamental human rights” to the provision detailing the Statement of Purpose for the Convention. Similar proposals were made on provisions relating to protection of sovereignty, respect for human rights and scope of the application respectively.

The discussions relating to General Provision at the Ad-Hoc Committee process do not suffer from irreconcilable differences.  Member Countries have showcased a growing sense of convergence on provisions relating to protection of human rights and other fundamental freedoms. There is also a broad support for mainstreaming the gender perspective within the convention. The Member Countries, however, have outstanding work in relation to definitions and use of terms under the proposed convention. 

II. Provisions on Procedural Measures and Legal Enforcement 

Chapter 3 of the CND laid out provisions for – a] investigation and prosecution of offences, b] collection and sharing of information and electronic evidence, c] conditions and safeguards highlighting the need for and importance of the protection of human rights and liberties, insertion of principles of proportionality, necessity and legality and d] the protection of privacy and personal data for the purposes of the convention. The chapter included 16 articles divided into the following six clusters:

1. Cluster 1: provisions on jurisdiction, scope of procedural measures and conditions and safeguards
2. Cluster 2: procedural measures for expedited preservation of stored data; expedited preservation and disclosure of traffic data, production order, search and seizure, real-time collection of traffic data, interception of content, among others.
3. Cluster 3: procedural measures relating to freezing, seizure and confiscation of assets, establishment of criminal records, protection of witnesses and victims, and compensation for damage suffered.

Round 1 Discussions 

1. Points of Agreement (Advanced to Second Round of Discussions)

In the first round of discussions, the Member Parties unanimously recognised the importance of the provisions on procedural measures and legal enforcement and their role in laying the solid foundation for the practical international cooperation and implementation of this convention. The first round of discussions witnessed a broad agreement on the majority of the provisions under Cluster 1, 2 and 3 of CND. 

Furthermore, several Member Parties, Observer States including the European Union, India, Japan, UK, Norway, Canada, Australia, Kenya, and Israel affirmed their support on the inclusion and further strengthening of Article 42 that lays out Conditions and Safeguards that ensure adequate protection of human rights and liberties, including rights and fundamental freedoms arising from obligations under applicable international human rights law. 

Several Participant Countries also highlighted the close correlation between Article 42 and Article 41 (Scope of Procedural Measures) as being inextricably linked to one another and stated that strong procedural measures must be accompanied by robust human rights safeguards. The participant Member Countries and Observer States were broadly in agreement on inclusion of Article 43 (Expedited Preservation of Stored Computer Data), Article 44 (Expedited Preservation and Partial Disclosure of Traffic Data), Article 45 (Production Order), Article 46 (Search and Seizure) and Cluster 3 provisions (Article 50-55) of the CND. 

2. Points of Disagreement (Subject to Co-facilitated Informal Negotiations)

There was disagreement on the inclusion of Article 40 (jurisdiction), Article 47 (Real Time Collection of Traffic Data), Article 48 (Interception of Content Data) and Article 49 (Admission of electronic/digital evidence) respectively. Member Countries and Observer States and other participants including Switzerland, Japan, USA, European Union, Australia, Norway, UK, Canada raised concerns on Article 40 that allowed for extraterritorial jurisdiction of State and jurisdiction over computer data/ digital or electronic information irrespective of place of storage, screening or processing. As per the participant countries and observer states, such a provision is not in consonance with the traditional understanding of jurisdiction and may not be in alignment with Article 4 (Protection of Sovereignty) enlisted in the CND. 

Further, Member States and Observer States including EU, UK, Japan, Australia, and Norway also raised concerns on inclusion of Article 47 and 48 as these significantly interfere with human rights and are considered to be extremely sensitive in nature.  Singapore, in particular, opposed the inclusion of these provisions and stated that its inclusion has a limited utility and is likely to deter states from signing the final convention. India along with USA, Malaysia, Jamaica on the behalf of Caribbean Community (CARICOM) were in favour of inclusion of these provisions. India, in particular, also requested for the definitional clarity on terms such as “traffic data”. Besides, the participant member countries and observer states were disputed on inclusion of Article 49 and stated that the convention on cybercrime is not appropriate to include issues pertaining to admissibility of electronic evidence and is to be dealt under State’s domestic law and judicial rulings. 

3. Co-Facilitated Informal Sessions 

The chair accordingly delegated the discussion on Article 40, 47, 48 and 49 for the co-facilitated informal negotiation process to be undertaken under the leadership of Mrs. Andrea Martin-Swaby (Jamaica) and Mr. Syed Noureddin Bin Syed Hassim (Singapore).

The co-facilitated informal negotiation process underwent detailed discussions amongst participant Member States, Observer States and multi-stakeholders. The co-facilitators informed the Chair of the various developments that took place during the informal negotiation and that the co-facilitators would conduct intersessional bilateral meetings with delegations and convene additional informal negotiations of the Committee at the 5th Session scheduled in April 2023.

Round 2 Discussions 

Subsequently, in the second round of discussions, several newer contributions were made in the context of provisions laying out Conditions and Safeguards. There was also a proposal for additional provision relating to Retention of Traffic Data and Metadata, and Retention of Electronic Information in CND. Further, additional provisions on Cooperation between national authorities and service providers were also proposed and introduced in the CND for further deliberation. 

The CND and deliberations at the Fourth Session of the Ad-Hoc Committee process crystallised a number of interesting submissions and proposals made by the Member Countries over past sessions. The CND enlisted provisions aimed to redress current challenges faced by the legal enforcement agencies by providing appropriate authority allowing for expedited preservation of Stored Computer Data, expedited preservation and partial disclosure of traffic data, search and seizure, real time collection of traffic data, interception of content data, among others. 

The process, however, also witnessed disagreement on provisions relating to the understanding of jurisdiction, cooperation between national investigating and prosecuting authorities and service providers – as evident from the developments that took place in previous sessions. It is likely that the Secretariat and Member Countries will be continuing these deliberations to build consensus over conflicting issues. 

The Way Forward The proceedings at the Ad-Hoc Committee process have arrived at a critical juncture wherein Member Countries have begun text-based negotiations spearheaded by the Chair and Secretariat. The Ad-Hoc Committee will organise the Fifth Session from 11 to 21 April 2023 in Vienna as an immediate next step. The session will conduct text-based negotiations based on CND on the preamble, the provisions on international cooperation, preventive measures, technical assistance, and the mechanism of implementation, and the final provisions of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes. The upcoming sessions would be crucial in determining whether and how Member Countries would draw consensus and build toward an effective cybercrime convention that caters to the needs and expectations of the wide variety of countries participating in the UN process.

The United Nations Ad-hoc Committee for Development of an International Cybercrime Convention: Overview and Key Observations from Fourth Substantive Session

Sukanya Thapliyal

1. Background/ Overview 

Last month, the Centre for Communication Governance at National Law University Delhi had the opportunity to participate as a stakeholder in the Fourth Session of the United Nations Ad-hoc Committee, tasked to elaborate a comprehensive international convention on countering the use of information and communications technologies (ICTs) for criminal purposes (“the Ad Hoc Committee”). 

The open-ended Ad-hoc Committee is an intergovernmental committee of experts representative of all regions.  It was established by the UN General Assembly-Resolution 74/247 under the Third Committee of the UN General Assembly. The committee was originally proposed by the Russian Federation and 17 co-sponsors in 2019. The UN Ad-hoc Committee is mandated to provide a draft of the convention to the General Assembly at its seventy-eighth session in 2023 (UNGA Resolution 75/282). 

The three previous sessions of the Ad Hoc Committee witnessed the exchange of general views of the Member States on the scope, and objectives of the comprehensive convention, and agreement on the structure of the convention. This was followed by themed discussions and a first reading of the provisions on criminalisation, procedural measures and legal enforcement, international cooperation, technical assistance, preventive measures, among others. (We had previously covered the proceedings from the First Session of the Ad-Hoc Committee here.)

The fourth session of the Ad Hoc Committee was marked by a significant development – the preparation of a Consolidated Negotiating Document (CND) to facilitate the remainder of the negotiation process. The CND was prepared by the Chair of the Ad Hoc Committee keeping in mind the various views, proposals, and submissions made by the Member States at previous sessions of the Committee. It is also based on existing international instruments and efforts at the national, regional, and international levels to combat the use of information and communications technologies (ICTs) for criminal purposes. 

As per the road map and mode of work for the Ad Hoc Committee approved at its first session (A/AC.291/7, annex II), the fourth session of the Ad Hoc Committee conducted the second reading of the provisions of the convention on criminalisation, the general provisions and the provisions on procedural measures and law enforcement. Therefore, the proceedings during the Fourth Session involved comprehensive and elaborate discussions around these provisions amongst the Chair, Member States, Observer States, and other multi-stakeholder groups. 

Over the two-part blog series, we aim to provide our readers with a brief overview and our observations from the discussions during the fourth substantive session of the Ad-hoc Committee. Part I of the blog (i) discusses the methodology employed by the Ad-Hoc Committee discussions and (ii) captures the consultations and developments from the second reading of the provisions on criminalisation of offences under the proposed convention. Furthermore, we also attempt to familiarise  readers with the emerging points of convergence and divergence of opinions among different Member States and implications for the future negotiation process. 

In part II of the blog series, we will be laying out the discussions and exchanges on (i) the general provisions and (ii) provisions on procedural measures and legal enforcement. 

2. Methodology used for Conducting the Fourth session of the Ad-Hoc Committee. 

The text-based negotiations at the Fourth Session proceeded in two rounds. 

Round 1: The first round of discussions allowed the participants to share concise, substantive comments and views. Provisions on which there was broad agreement proceeded to Round 2. Other provisions were subject to a co-facilitated informal negotiation process. Co-facilitators that spearheaded the informal negotiations reported orally to the Chair and the Secretariat. 

Round 2: Member Countries progressed through detailed deliberations on the wording of each of the provisions that enjoyed broad agreement. 

3. Provisions on Criminalization (Agenda Item 4)

The Chapter on “provisions on criminalization” included a wide range of criminal offences that are under consideration for inclusion under the Cybercrime Convention. Chapter 2 under the CND features 33 Articles grouped into 11 clusters as:

1. Cluster 1: offences against illegal access, illegal interference, interference with computer systems/ ICT systems, misuse of devices, that jeopardises the confidentiality, integrity and availability of system, data or information;
2. Cluster 2: offences that include computer or ICT-related forgery, fraud, theft and illicit use of electronic payment systems;
3. Cluster 3: offences related to violation of personal information
4. Cluster 4: infringement of copyright.
5. Cluster 5: offences related to online child sexual abuse or exploitation material
6. Cluster 6: offences related to Involvement of minors in the commission of illegal acts, and encouragement of or coercion to suicide
7. Cluster 7: offences related to sexual extortion and non-consensual dissemination of intimate images.
8. Cluster 8: offences related to incitement to subversive or armed activities and extremism-related offences
9. Cluster 9: terrorism related offences and offences related to the distribution of narcotic drugs and psychotropic substances, arms trafficking, distribution of counterfeit medicines.
10. Cluster 10: offences related to money laundering, obstruction of justice and other matters (based on the language of United Nation Convention against Corruption (UNCAC) and United Nation Convention against Transnational Organised Crime (UNTOC))
11. Cluster 11: provisions relating to liability of legal persons, prosecution, adjudication and sanctions. 

Round 1 Discussions 

1. Points of Agreement (taken to the second round) 

The first round of discussions on provisions related to criminalisation witnessed a broad agreement on inclusion of provisions falling under Cluster 1, 2, 5, 7, 10 and 11. Member States, Observer States and other parties including the EU, Austria, Jamaica (on the behalf of CARICOM), India, USA, Japan, Malaysia, and the UK strongly supported the inclusion of offences enlisted under Cluster 1 as these form part of core cybercrimes recognised and uniformly understood by a majority of countries. 

A large number of the participant member countries were also in favour of a narrow set of cyber-dependent offenses falling under Cluster 5 and 7. They contended that these offenses are of grave concern to the majority of countries and the involvement of computer systems significantly adds to the scale, scope and severity of such offenses. 

Several countries such as India, Jamaica (on behalf of CARICOM), Japan and Singapore broadly agreed on offences listed under clusters 10 and 11. These countries expressed some reservations concerning provisions on the liability of legal persons (Article 35). They contended that such provisions should be a part of the domestic laws of member countries. 

2. Points of Disagreement (subject to Co-facilitated Informal Negotiations)

There was strong disagreement on the inclusion of provisions falling under Cluster 3, 4, 6, 8 and 9. The EU along with Japan, Australia, USA, Jamaica (on the behalf of CARICOM), and others objected to the inclusion of these cyber-dependent crimes under the Convention. They stated that such offenses (i) lack adequate clarity and uniformity across countries(ii) pose a serious threat of misuse by the authorities, and (iii) present an insurmountable barrier to building consensus as Member Countries have exhibited divergent views on the same. Countries also stated that some of these provisions (Cluster 9: terrorism-related offenses) are already covered under other international instruments. Inclusion of these provisions risks mis-alignment with other international laws that are already employed to oversee those areas.

3. Co-Facilitated Informal Round

The Chair delegated the provisions falling under Cluster 3, 4, 6, 8 and 9 into two groups for the co-facilitated informal negotiations. Clusters 3, 4 and 6 were placed into group 1, under the leadership of Ms. Briony Daley Whitworth (Australia) and Ms. Platima Atthakor (Thailand). Clusters 8 and 9 were placed into group 2, under the leadership of Ambassador Mohamed Hamdy Elmolla (Egypt) and Ambassador Engelbert Theuermann (Austria). 

Group 1: During the informal sessions for cluster 3, 4 and 6, the co-facilitator encouraged  Member States to provide suggestions/views/ comments on provisions under consideration. The positions of Member States remained considerably divergent. Consequently, the co-facilitators decided to continue their work after the fourth session during the intersessional period with interested Member States.

Group 2: Similarly for cluster 8 and 9, the co-facilitators, along with interested Member States engaged in constructive discussions. Member States expressed divergent views on the provisions falling under cluster 8 and 9. These ranged from proposals for deletion to proposals for the strengthening and expansion of the provisions. Besides, additional proposals were made in favour of the following areas – provision enabling future Protocols to the Convention, inclusion of the concept of serious crimes and broad scope of cooperation that extends beyond the provisions criminalised under the convention. The co-facilitators emphasised the need for future work to forge a consensus and make progress towards finalisation of the convention. 

Round 2 Discussions: 

Subsequently, the second round of discussions witnessed intensive discussions and deliberation amongst the participating Member Countries and Observer States. The discussions explored the possibility of adding provisions on issues relating to the infringement of website design, unlawful interference with critical information infrastructure, theft with the use of information and communications technologies and dissemination of false information, among others. 

Conclusion:

Since the First Session of the Ad-Hoc Committee, the scope of the convention has remained an open-ended question. Member Countries have put forth a wide range of cyber-dependent and cyber-enabled offences for inclusion in the Convention.  Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (such as online child sexual abuse or exploitation material, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length. Countries must agree on the scope of the Convention if they want to make headway in the negotiation process. 

(The Ad-Hoc committee is likely to take up these discussions forward in the sixth session of the Ad-Hoc Committee 21 August – 1 September 2023.) 

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 3):Confidence Building Measures, Capacity Building and Institutional Dialogue

Ananya Moncourt & Sidharth Deb

“Smoking Gun” by Claudio Rousselon is licensed under CC BY 4.0

• Introduction

In Part 1 this three-part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) we critiqued how the OEWG is incorporating the participation of non-governmental stakeholders within its process. In Part 2 we reflected on States’ (including India’s) participation on discussions under three main themes of the OEWG’s institutional mandate as detailed under para 1 of the December 2020 dated UN General Assembly (GA) Resolution 75/240.

This analysis revealed how lawfare and geopolitical tensions are resulting in substantive divides on matters relating to (a) the definition and identification of threats in cyberspace; (b) the future direction and role of cyber norms in international ICT security; and (c) the applicability of international law in cyberspace. In Part 3 our focus turns to discussions at the second session as it related to inter-State and institutional cooperation. Specifically, we examine confidence building measures, cyber capacity building, and regular institutional dialogue. The post concludes by offering some expectations on the way forward for ongoing international cybersecurity and cybercrime processes.

• Confidence Building Measures (CBMs)

Under CBMs, States focused on cooperation, collaboration, open dialogue, transparency and predictability. These included  proposals operationalising a directory of national point of  contacts (PoCs) at technical, policy, law enforcement and diplomatic levels. Several States suggested that CBMs would benefit from including non-governmental stakeholders and integrating with bilateral/regional arrangements like ASEAN, OSCE and OAS. States identified UNIDIR’s Cyber Policy Portal as a potential platform to advance transparency on national positions, institutional structures and best practices. South Korea, Malaysia and others proposed using the portal for early warning systems, new cyber norms discussions, vulnerability disclosures, and voluntary information sharing about national military capabilities in cyberspace. Other priority issues included (a) collaboration between CERTs to prevent, detect and respond to cybersecurity incidents; and (b) critical infrastructure protection.

CBMs were another site of substantive lawfare. Russia and its allies stressed on the need for objective dialogue to prevent misperceptions. They urged States to consider all technical aspects of cyber incidents to minimise escalatory risks of “false flag” cyber operations. As we have discussed earlier in Part 2, Iran and Cuba argued against States’ use of coercive measures (e.g. sanctions) which restrict/prevent access to crucial global ICT infrastructures. These States also highlighted challenges with online anonymity, hostile content, and the private sector’s (un)accountability.

India focused on cooperation between PoCs for technical (e.g. via a network of CERTs) and policy matters. They espoused the benefits of integrating CBM efforts with bilateral, regional and multilateral arrangements. Practical cooperation through tabletop exercises, workshops and conferences were proposed. Finally, India stressed on the importance of real-time information sharing on threats and operations targeting critical infrastructures. The latter is a likely reference to challenges States like India face vis-a-vis jurisdiction and MLAT frameworks.

• Capacity Building

Consistent with the first OEWG’s final report, States suggested that capacity building activities should be:

• sustainable,
• purpose and results focused,
• evidence-based,
• transparent,
• non-discriminatory,
• politically neutral,
• sovereignty respecting,
• universal, and
• facilitate access to ICTs.

States advocated international capacity building activities correspond with national needs/priorities and benchmarked against internationally determined baselines. The UK recommended Oxford’s Cybersecurity Capacity Maturity Model for national assessments.  States recommended harmonising capacity building programmes with bilateral and regional efforts. Iran and Singapore proposed fellowships, workshops, training programmes, education courses, etc as platforms for technical capacity building for State officials/experts. States suggested UNIDIR assume the role of mapping global and regional cyber capacity building efforts—spanning financial support and technical assistance—aimed at compiling a list of best practices. Disaster and climate resilience of ICT infrastructure was a shared concern among Member States.

Even under this theme Russia and their allies addressed unilateral issues like sanctions which limit universal access to crucial ICT environments and systems. Citing the principle of universality, Russia even proposed the OEWG contemplate regulation to control State actions in this regard. Iran built on this and proposed prohibiting States from blocking public access to country-specific apps, IP addresses and domain names.

India recommended capacity building targeting national technical and policy agencies. It proposed funnelling capacity building through regular institutional dialogue to ensure inclusivity, neutrality and trust. India proposed a forum of CERTs, under the UN, to facilitate tabletop exercises, critical infrastructure security, general cybersecurity awareness campaigns, and cyber threat preparedness. India proposed establishing an international counter task force comprising international experts in order to provide technical assistance and infrastructural support for cyber defences and cyber incident response against critical infrastructure threats. Member Sates requested India to elaborate on this proposal.

• Regular Institutional Dialogue

Several States like France, Egypt, Canada, Germany, Korea, Chile, Japan and Colombia identified a previously proposed Programme of Action (PoA) to facilitate coordinated cyber capacity building. France proposed the PoA assist States with the technical expertise for cyber incident response, national cybersecurity policies, and critical infrastructure protection. States also identified the PoA to maintain a trust fund for cyber capacity building projects, and serve as a platform to assist States identify national needs and track implementation of cyber norms. Prior to the third substantive session, co-sponsors are expected to share an updated version of its working paper with the OEWG secretariat. These States have also proposed that the PoA serve as a venue for structured involvement of non-governmental stakeholders.

In order to harmonise the mandates of the OEWG and the PoA, Canada proposed that the OEWG serve as the venue where core normative aspects are finalised, and the PoA works on international implementation. The Sino-Russian bloc and developing countries expressed concerns about the PoA as a forum for regular institutional dialogue. Iran suggested that the OEWG instead operate as an exclusive international forum on cybersecurity. Cuba and Russia maintained that a parallel PoA would undercut the OWEG’s centrality.

While India’s intervention recognises the importance of regular institutional dialogue, it insists that such interactions be intergovernmental. It recommends that States retain primary responsibility for issues in cyberspace relating to national security, public safety and the rule of law.

• Way Forward

The OEWG Chair aims to finalise a zero draft of its first annual progress report, for consultations and written inputs, approximately six weeks prior to the OEWG’s third substantive session in July 2022. It will be interesting to track how lawfare affects the report and other international processes.  

In this regard, it is crucial to juxtapose the OEWG against the UN’s ongoing ad-hoc committee in which States are negotiating a draft convention on cybercrime. Too often these conversations can be stuck in silos, however these two processes will collectively shape the broad contours of international regulation of cyberspace. Already, we observe India’s participation in the latter is shaped by its doctrinal underpinnings of the Information Technology Act—and it will be important to track how these discussions evolve.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

• existing and potential threats to “information security”.
• rules, norms and principles of responsible State behaviour i.e. cyber norms.
• international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5^th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6^th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

Analysing India’s Bilateral MOUs In the Field of Information and Communication Technologies (ICTs)

Sukanya Thapliyal

Introduction

As per the latest figures released by the International Telecommunication Union (ITU), post-COVID-19, the world witnessed a sharp rise in the number of internet users from 4.1 billion people (54% of the world population) in 2019 to 4.9 billion people (63% of the world population) in 2021. However, the same report states that some 2.9 billion people remain offline, 96%  of whom live in developing countries. These stark differences emanate from several barriers faced by the residents of the developing countries and include lack of access because of unaffordability of ICT services, lack of strong technological and industrial bases, inadequate R&D facilities, and deficient ICT operating skills. 

Countries are increasingly exploring different ways to partner with other countries through multilateral, bilateral, and other legal arrangements. The countries often forge bilateral cooperation with other countries through signing Memorandum of Understanding(MOUs), Memorandum of Cooperation (MOCs) and creating Joint Working Groups, and Joint Declarations of Intent, among others. These are informal legal instruments as compared to typical treaties or international agreements, and promote international cooperation in strategic interest areas. India has a detailed Standard Operating Procedure (SOP) with respect to MOUs/agreements with foreign countries. The SOP lays down the Indian legal practice on treaty formation and detailed guidelines in respect to the different international agreements that may be signed by the countries. 

India has executed several MOUs, MOCs, Joint Declaration of Intent, and Working Groups to identify common interests, priorities, policy dialogue, and the necessary tools for ICT collaboration. These include a broad range of areas,  including the development of IT software,  telecom software, IT-enabled services, E-commerce services & information security, electronic governance, IT and electronics hardware, Human Resource Development for IT education, IT-enabled education, Research and Development, strengthening the cooperation between private and public sector, collaboration in the field of emerging technologies, capacity building and technical assistance in the ICT sector. 

Aims and Objectives

This mapping exercise lists the numerous bilateral MOUs, Joint Declarations and other agreements signed between India and partner countries to locate the nature and extent of international collaborative efforts in the ICT sector. Furthermore, this mapping exercise aims to understand India’s strategic interests and priority areas in the sector and evaluate India’s unique positioning in South-South Cooperation. The said mapping exercise remains a work in progress and shall be updated at periodic intervals. 

Methodology

The mapping exercise includes an assessment of 36 MOUs and 5 other agreements subdivided into four categories: Fixed Term/ Renewed ICT MOUs (13), Open-Ended ICT MOUs (4), ICT MOUs with Pending Renewal/ Extension and Expired MOUs (19), and Joint Declaration and Proposals concerning ICT Sector (5). The relevant details of  such MOUs are derived from publicly available information provided by the Ministry of Electronics and Information Society (MeitY), Department of Telecommunication (DoT), Ministry of Communications (MOC) and the Indian Treaties Database by Ministry of External Affairs (MEA). The current analysis attempts to bring out the different MOUs, MOCs, and Joint Declarations of Intent executed by Indian authorities (MeitY, MOC and MEA), their duration of operation and the areas covered under the scope of such collaboration.   

Conclusion/Observations/Remarks:

Some of our key observations from the mapping exercise are as follows: 

• India has entered into MOUs/ Joint Declaration of Intent and other agreements with both developed and developing countries. These include Bangladesh, Bulgaria, Estonia, Israel, Japan, South Korea, Singapore, United Kingdom, among others. 
• Within India’s ICT cooperation and collaboration landscape, we have identified the following as priority areas: 

Building capacity of CERTs and law enforcement agencies	1. Cybersecurity technology cooperation relevant to CERT activities. 2. Exchange of information on prevalent cybersecurity policies and best practices. 3. CERT-to-CERT Cooperation. 4. Exchange of experiences regarding technical infrastructure of CERT.
Technical assistance and capacity building	1. Human resource development including  training of Govt. officials in e-governance. 2. Institutional cooperation among the academic and training institutions. 3. Strengthening collaboration in areas such as e-government, m-governance, smart infrastructure, e-health, among others.
Sharing of technology, standardization and certification	1. Cooperation in software development, rural telecommunication, manufacturing of telecom manufacturing and sharing of know-how technologies. 2. Cooperation in exchanging and developing technology. 3. Standardisation, testing and certification.
B2B cooperation and economic advancement	1. Enhancing B2B cooperation in cyber security. 2.Enable and strengthen industrial, technological and commercial cooperation between industry and research establishments. 3.Exploring third country markets. 4. Favourable environment for the business entities through various measures to facilitate trade and investment.

Key Priority Areas for India in ICT Sector

Mapping MOUs signed by India in the field of Information and Communication Technologies (ICT), created using https://www.mapchart.net/world.html

list-bilateral-agreements-in-the-field-of-ictDownload