Understanding the Anatomy of Cyber Enabled Crimes and their Governance

Sukanya Thapliyal

  1. Introduction: 

Digital systems and Information Communication Technology (ICT) play an increasingly central role in our lives. Technological advancement has created new opportunities for cybercriminals to exploit vulnerabilities in digital systems and networks. The resulting cybercrimes can affect everyone, from governments and multinational corporations to individuals. As technology continues to make deeper inroads into our lives, cybercriminals are finding unique ways to attack. The continuous evolution in technology has resulted in newer forms of cybercrimes such as Man-in-the-Middle attacks, Bluetooth Man-in-the-Middle attacks, and false data injection attacks, to name a few. This has resulted in a lack of agreement in defining and classifying threats and crimes associated with them.

Although we lack a uniform and neat understanding of, and approach to, addressing cybercrime, a few useful classification tools have been developed in this regard. One such classification tool was developed by Dr Mike McGuire and Samantha Dowling in 2013, wherein cybercrimes were divided into broad categories of “cyber-dependent” and “cyber-enabled” crimes. Cyber-dependent crimes are described as offences that can only be committed with the help of a computer, computer network or an ICT device. These include hacking, DDoS attacks, malware etc. The other category is cyber-enabled crimes: traditional crimes whose scope, scale and severity are greatly impacted by the use of computers, computer networks and other devices. Examples include cyber fraud, cyberterrorism, and online child sexual abuse or exploitation material, among others.

The broad classification of cybercrime into cyber-dependent and cyber-enabled crimes is the central theme in the discussions carried out under the proceedings of the United Nations Ad-hoc Committee, which has been tasked to elaborate a comprehensive international convention on countering the use of ICTs for criminal purposes (“the Ad Hoc Committee”). The discussions around cyber-enabled and cyber-dependent crimes are crucial in setting the scope of the convention. Over four different sessions, the Ad-Hoc committee witnessed wide-ranging proposals on inclusion of cyber-dependent and cyber-enabled crimes under the proposed convention. Cyber-dependent offences, along with a narrow set of cyber-enabled crimes (online child sexual abuse, sexual extortion, and non-consensual dissemination of intimate images), have garnered broad support. Other cyber-enabled crimes (terrorism-related offences, arms trafficking, distribution of counterfeit medicines, extremism-related offences) have witnessed divergences, and their inclusion is currently being discussed at length.

This blog piece attempts to investigate the inclusion of cyber-enabled crimes as a specific choke point and why its regulations attract diverse views from the Member States and key stakeholders. The piece ends with specific recommendations and suggestions that may act as possible solutions for countering and combating cyber-enabled crimes. 

  2. How Cyber-enabled Crimes have been included under other International Instruments:

Besides the UN Ad-Hoc Committee’s work, several regional legal conventions, recommendations, and directives have already been developed in this regard. These have also been a reference point for the proposed convention. These include: African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention), The Council of Europe Convention on Cybercrime (Budapest Convention), League of Arab States Convention on Combating Information Technology Offences, and the Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime. Besides, there is also the CARICOM Model Legislative Texts of Cybercrimes/E-crimes and Electronic Evidences that targets the prevention and investigation of computer and network related crime. In addition, the UNODC Report on the meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime (2021) lays down Recommendations on best practices to address issues of cybercrime through the implementation of legislation and frameworks on effective criminalization, law enforcement and investigation, international cooperation, and prevention.

The international legal instruments identified above address an extensive range of cybercrime and criminalise both cyber-dependent and cyber-enabled crimes. The most common cyber-enabled crimes covered under these conventions include attack on computer systems, computerised data breaches, computer-related forgery, and computer-related fraud. The second set of cyber-enabled crimes covered includes offences related to child pornography and crimes that are racist or xenophobic in nature committed through computer systems. The third set of cyber-enabled crimes includes offences against privacy, offences related to terrorism committed by means of information technology, and increasing punishment for traditional crimes when they are committed by means of information technology, which are covered by a minuscule number of conventions (such as League of Arab States Convention on Combating Information Technology Offences).

  3. Languishing Fate of Cyber-enabled crimes in Ad-Hoc Committee Process and Key Challenges in their Governance.

Although the cyber-enabled crimes are widely recognised at the international level, these have acquired only partial success in terms of their incorporation into the work of the Ad-Hoc Committee Process. 

Tracking the Ad-Hoc committee for four consecutive sessions has enabled us to identify the key challenges in incorporating and addressing a wide range of cyber-enabled crimes under the proposed convention. Cyber-enabled crimes such as terrorism-related offences, violation of personal information, extremism-related offences, or content-related crimes lack a common and clear understanding of what they constitute due to the diverging political, cultural, and legal systems in the Member Countries. Further, these sets of crimes are largely traditional crimes that are often covered under existing international and domestic legislation and incidentally involve the usage of computer systems and ICTs. In the event that these crimes are also incorporated separately in the cybercrime convention, these can conflict with the legal instruments that are already in place. Moreover, content-related offences are broadly worded, lack a uniform approach, and need more adequate safeguards to protect human rights and other fundamental freedoms. Therefore, binding international criminal instruments such as the Ad-Hoc Committee’s work are not an appropriate forum to address the issues emerging out of cyber-enabled crimes. Instead, these should be addressed via civil and non-legal instruments while ensuring balance with fundamental rights and freedoms. Some cyber-enabled crimes discussed under the Ad-Hoc committee, including extremism-related crimes and terrorist use of ICT technologies, are more umbrella terms that are extremely vague and subjective and pose a threat to widely recognised international human rights. Finally, the provisions related to privacy-related offences are troublesome as they criminalise a broad range of conduct without establishing a legitimate aim and providing sufficient exceptions in favour of students, journalists, cybersecurity researchers, and other public-spirited individuals.

  4. Way Forward and Suggested Solutions

The vague and highly subjective nature of cyber-enabled crimes, their tense relationship with widely recognised international human rights and the lack of sufficient exceptions are the primary obstructions that inhibit their inclusion in the Ad-Hoc Committee process. Nevertheless, these issues are of crucial importance for a large number of countries participating in the process. Member Countries, including India, Egypt, South Africa, Russia, and China, have repeatedly argued in favour of a broad cybercrime treaty and have also pushed for provisions enabling international cooperation, technical assistance, and capacity building. Lack of adequate procedural and technical competence amongst the state enforcement agencies is hampering them in their societal role, keeping citizens secure, and upholding the rule of law. In such a scenario, where it is hard to build consensus on issues as fractious as this and Member States face an urgent need to act against the threat, the pathway through binding international criminal instruments is less than ideal. The Member Countries, therefore, need to devise alternative pathways to address cyber-enabled crimes through civil or non-legal instruments while keeping up the balance with international human rights and fundamental freedoms.

Another possible route to address cyber-enabled crimes is through Public-Private Leadership. The four sessions of the Ad-Hoc committee allowed us to uncover the growing mistrust and misalignment between the public and the private sector. These key stakeholders exhibit discord and opposing views of each other and are less than beneficial in addressing the critical challenges we face today due to rising cybercrime. Technology companies have latched on to their strong opinion that enforcement agencies cannot be trusted sufficiently with citizen data and digital communication. On the other hand, Member States also need to highlight the day-to-day challenges faced by legal enforcement agencies and promise adequate transparency in their actions. Some Member States have instead advocated in favour of strong obligations on the private sector to cooperate with national authorities. While public-private cooperation is imperative to address these crimes, both entities need to rethink their position, establish a cordial relationship and take up leadership roles that can then be translated into a better and more effective approach to addressing cyber-enabled crimes. 

Critiquing the Definition of Cyber Security under India’s Information Technology Act

Archit Lohani

“Security Measures” by Afsal CMK is licensed under CC BY 4.0

Introduction

As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.

This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).

Under Section 2(1)(nb) of the IT Act:

“cyber security” means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;

This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislation and industry practices.

What is Cyber security under the IT Act?

The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008. The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables monitoring and collection of traffic data to enhance cyber security and to prevent intrusion and the spread of contaminants. Section 70B institutionalised the Computer Emergency Response Team (CERT-In), to identify, forecast, issue alerts and guidelines, coordinate cyber incident response, etc. and further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise and ensure effective implementation of cyber security policy.

Critique of the IT Act definition

It is clear that deterrence has failed as the volume of incidents does not appear to abate, making cyber-resilience a realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security, “information, equipment, devices computer, computer resource, communication device and information”, against specific events that aim to cause harm to these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.

There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (the aforementioned referent objects). Second, by limiting the referent objects and events within the definition, it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity, which includes interactions between humans and systems. Fourth, due to the limited listing of events, similar protection is not afforded from accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements: (1) it does not include the technological solutions aspect of cyber security, such as in the International Telecommunication Union (2009) definition that acknowledges “technologies that can be used to protect the cyber environment”; and (2) it fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.

To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.

That said, wider conceptualisations have been reflected through international and national engagements such as the National Cyber Security Policy (NCSP). For example, within the mission statement the policy document recognises technological solution elements, and interactions between humans and ICTs in cyberspace, as one key rationale behind the cyber security policy.

However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security and define cyber security incidents and cyber security breaches. This further emphasises the narrow and technically dominant discourse, which relates to the confidentiality, integrity, and availability triad.

The following section examines a few other definitions to illustrate the shortcomings highlighted above.

Key elements of Cyber security

Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested in the long-drawn deliberations at various international fora.

Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must address interdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.

An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience, an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach in countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under section 70B of the IT Act.

When it comes to the regulation of technologies that embody socio-political values, contrary to popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework is “the ability to protect or defend the use of cyberspace from cyber-attacks”, which directs the reader to the definitions of cyberspace and cyberattack to extensively cover its various elements. However, the said definitions also have a predominantly technical lens.

Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagements with systems, acknowledge interrelated dimensions and inherent complexities of cybersecurity, which involves dynamic interactions between all inter-connected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.

Cybersecurity is a broad term and often has highly variable subjective definitions. This hinders the formulation of appropriately responsive policy and legislative actions. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity– “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) this narrows its application to a harms and consequences standard.

Most importantly, the authors identify five common elements to form a holistic and effective approach towards defining cybersecurity. The following elements, drawn from a literature review of 9 cybersecurity definitions, are:

  • technological solutions
  • events
  • strategies, processes, and methods
  • human engagement; and
  • referent objects.

These elements highlight the complexity of the process and involve interaction between humans and systems for protecting the digital assets and themselves from various known and unknown risks. Simply put, any unauthorized access, use, disclosure, disruption, modification or destruction results in, at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.

Conclusion

Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks rather than protecting limited resources such as computer systems acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives, and disregards other disciplines that should be ideally acting in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackle cybersecurity challenges will act as a strategic barrier to economic growth, data flow, investments, and most importantly effective security. It will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve and stem from the threat perception, the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.

Technology & National Security Reflection Series Paper 4: Redefining National Security

Animesh Chaudhary*

About the Author: The author is a 2021 graduate of National Law University, Delhi. He is currently working at Rural Electrification Corporation Limited.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

“National Security” is one of the foremost concerns of any nation state. However, the meaning of this term has acquired an overwhelmingly military character over time. This military approach to national security follows the assumption that the principal threat to security comes from other nations. While such an understanding was suitable a few decades ago, health pandemics, climate change, technological changes etc. are challenging this notion today. This submission aims to identify the gaps in traditional understandings of national security and proposes redefining the concept.

This piece is divided into three parts: Part I looks at the traditional military approach to “National security”. Part II analyses the need to update this traditional understanding. Part III identifies “Human Security” as a modern and suitable concept of national security.

Photo by MySecuritySign.com. Licensed via CC BY 2.0.

I. Traditional Military approach to “National Security”

The traditional approach has been to view “National Security” from a military lens i.e. ‘securing the nation from military threat’. The policy measures of nation States and many strategists have followed this understanding.

Weber found a monopoly on violence, allowing it to deal with internal or external military threats, to be a crucial condition for the State. Similarly, James Baker notes that while no common definition of “national security” exists, the core issues which warrant national security treatment will primarily include nuclear attack, terrorist attacks and conventional attacks. “National Security” is also used to justify “the maintenance of armies, the development of new weapon systems, and the manufacture of armaments”.

In many ways, it can be easily understood how this understanding of National security developed. Wars in the 18th and 19th centuries were generally short. The security strategy in the past was focused mainly on “external military threats”, which consequently required corresponding military responses. However, in present times, such an understanding is inadequate.

II. Need to update the definition of National Security

i) Nature of threats is changing

Today, for most nations, the threat of military aggression has reduced considerably. Instead, nations have to face “environmental pollution, depletion of ozone, [global] warming, and migrations of refugees”[1] among others. Health issues such as the Coronavirus pandemic, changes in technology, or a spiralling economy as seen in many third-world countries are other threats to nations.

One of the greatest enablers of this change is technology. It is difficult to place technological threats within the traditional military approach to national security, yet it is undeniable that technological disruptions present great danger to the security of nations. The impact of technologies on the international security environment is all-encompassing.[2] These include both conventional changes like technological weapons, and non-conventional changes like cyber warfare.

ii) Non-Military Threats can cause Military Conflict

Another reason for updating the present understanding of “National Security” is that a number of non-traditional threats can lead to military conflict. This makes it imperative for proactive policymakers to treat all such threats as National Security issues.

Scholars have studied resource conflicts, energy security, climate change and insecurity and tied them in with military conflicts. Some have found that “… water resource scarcity can be both the cause and the consequence of armed conflicts.”[3]

Proactive policymaking demands recognising such threats before they acquire a military character.

iii) Conventional understanding of ‘National Security’ is narrow and patriarchal

If National Security means the security of a nation, it is imperative to define ‘nation’ first. While it is difficult to come up with a precise definition of a ‘nation’, it is submitted that any definition that does not take into account the people is narrow in scope.

In this context, national security fails to include the everyday experiences of a significant population. Further, the current definition is patriarchal and excludes the experiences of women.

J. Tickner finds that the traditional perspectives on security through a military point of view have marginalised or omitted women, which has resulted in a masculine and militaristic definition of National Security.[4] Women, on the other hand, have defined security as “absence of violence whether it be military, economic, or sexual”.[5] National Security, when understood as “absence of violence against people of the nation”, can then be extended to all other disempowered groups.

Similarly, the perception of security that many people of colour have in America does not align with the dominant definition of national security in America. In the Indian context, crimes against underprivileged groups are not considered a national security threat. Understood in these terms, it is clear that the traditional understanding does not cover the security threats faced by disempowered groups in a nation. A definition that does not take this into account is therefore severely lacking in scope, and needs to be updated.

III. “Human Security”: A Modern understanding of National Security

Put forth in 1994 by the United Nations Development Program, ‘Human Security’ very simply relates to the security of people. Erstwhile Prime Minister of Japan Obuchi Keizo called Human Security “the keyword to comprehensively seizing all of the menaces that threaten the survival, daily life, and dignity of human beings”.

In essence, Human Security puts “people first” and recognises that the security of States does not necessarily translate to security of the people in it. This has been borne out of the events of the 20th century – world wars, multiple genocides, and the realisation that conventional notions of security need to be challenged when serious violations of rights occur.

The advantages of a human security understanding of national security are manifold:

i) People first approach

The biggest advantage of this concept is that it puts people first in its definition of the ‘nation’. It recognises different forms of violence and threats that individuals face every day. It brings into focus “structural violence” i.e. “the indirect violence done to individuals when unjust economic and political structures reduce their life expectancy through lack of access to basic material needs.”[6]

Understanding National Security as “absence of violence for people in a nation”, also allows us to recognise new unconventional threats that arise in the 21st century.

ii) Radically alters Public notions of Emergency and Urgency

There is normative value in recognising ‘Human Security’ as ‘National Security’. By recognising violence against individuals as national security threats, it sends a message that threats faced by individuals are the most important threats that any nation faces. It legitimises the security issues faced by groups that are not dominant in a nation.

“National Security” issues receive utmost urgency and importance in policy making. As Sachs notes, “Questions of “security” are often given pride of place before other potential policy concerns.”

This leads to a number of questions: why should emergency conditions and a sense of urgency be reserved only for military threats? Why should crimes against women be considered any less urgent in a country which reports 87 rapes per day? Why shouldn’t crimes against Scheduled Castes and Scheduled Tribes be considered as urgent? How do nations issue a national or local emergency in times of military conflict, but go on in a routine manner when extreme gender, social and economic injustices exist?

By equating human security issues with national security threats, it is these questions that we can answer adequately. Crimes against minorities, women and other groups, poverty, lack of access to healthcare and education, and other social, economic and environmental ills that plague nations have become normalised to such an extent that all these issues have become routine. The concept of ‘Human Security’ challenges this status quo.

iii) Leveraging Public Trust

National Security threats often generate public trust and public consensus swiftly. Public trust is an important part of a democratic system,[7] while a lack of public trust is one of the biggest obstacles in governance. By recognising “Human Security threats” as “National Security” threats, this public trust can be leveraged to improve governance.

As Lester Brown notes, while responding to a national security threat, “the ‘public good’ is much more easily defined; sacrifice can not only be asked but expected, it is easier to demonstrate that “business as usual” must give way to extraordinary measures.”

If such consensus and unity could be achieved with respect to “Human security”, it would allow governance to take place a lot more efficiently.

Conclusion

The traditional understanding of National Security in terms of military threats to the State is no longer adequate in the 21st century. Today, ‘Human Security’ offers a more holistic understanding with its ‘people first’ approach. It recognises and legitimises the experiences of disempowered groups and challenges conventional notions of security.

Human Security offers multiple advantages as an analytical concept, and holds normative value by contesting the traditional understanding of a nation, urgency and emergency. The definition of Human Security is broad, but that acts as an advantage for it covers a wider range of threats, including the new threats caused by technology and climate.

This redefinition of ‘National Security’ does pose challenges relating to vagueness, increased powers of the executive, conceptual and funding issues, among others, but overall provides a strong base for policymakers to realign their priorities as per the requirements of today.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Kalevi J. Holsti, The State, War, and the State of War (1996), Pg. 15.
  2. Group Captain Ajay Lele, “Technology and National Security” Indian Defence Review Issue Vol 24.1 Jan-Mar 2009.
  3. Swain, A., 2015. “Water Wars”. In: International Encyclopaedia of the Social & Behavioural Sciences, 2nd edition, Vol 25. Oxford: Elsevier. pp. 443–447.
  4. Tickner J. A. (1997b), “Re-visioning Security”, in: International Relations Theory Today, eds. K. Booth, S. Smith, Polity Press Cambridge.
  5. Tickner, J. (1993). “Gender in International Relations: Feminist Perspectives on Achieving Global Security” Political Science Quarterly.
  6. J. Ann Tickner, “Re-visioning Security,” International Relations Theory Today (Ken Booth and Steve Smith, eds., 1994), p. 180.
  7. Beshi, T.D., Kaur, R. “Public Trust in Local Government: Explaining the Role of Good Governance Practices”. Public Organiz Rev 20, 337–350 (2020).

Cyber Security at the UN: Where Does India Stand? (Part 2)

This is the second post of a two-part series which examines India’s participation in UN-affiliated processes and debates on ICTs and international security.

The first part offered an overview of how ideological divisions are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In this post, the author evaluates India’s stated positions on ICTs and international security at forums affiliated with the UN.

Author: Sidharth Deb

Introduction

As our digital transformation story has accelerated, Indian authorities have proactively worked on domestic laws, regulations and policies to govern digital and ICT domains. Prominent examples include its net neutrality regime; the 2021 intermediary guidelines and digital media ethics regulations; a soon to be enacted data protection law; and the National Cyber Security Policy, 2013, which is undergoing an overhaul. When it comes to institutional responses, India has, inter alia, operationalised a nodal Computer Emergency Response Team (“CERT-In”), sector specific CERTs, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) to secure critical information infrastructures (“CIIs”), and the National Cyber Security Coordinator within the country’s National Security Council Secretariat.

Conversely, India’s participation at international cybersecurity processes like the United Nations’ Group of Governmental Experts (“GGEs”) and the Open-ended Working Groups (“OEWG”) remains less developed. It does not reflect its status as a digital deciding swing State in cyber norms processes. Some describe it as lacking cohesion, without substantive or long term commitment to advance an international agenda. They have further characterised India’s position as one of silence, ambiguity and prioritising immediate national interest. India has even shied away from supporting multistakeholder led norms packages on international cybersecurity such as the Paris Call for Trust and Security in Cyberspace. And this perceived positional ambiguity is further reinforced by the fact that it supported both Russia’s proposal for the first OEWG and the US’ proposal for the sixth GGE. India has also endorsed Russia’s proposal for an ad-hoc committee for a cybercrime convention under the United Nations General Assembly’s Third Committee on Social, Humanitarian and Cultural Issues.

Indian Statements on International Security and ICTs

Given that India has an opportunity to assume an internationally significant role in international cybersecurity and norms related debates under processes like the 2nd OEWG, this post attempts to extract and infer meaning from India’s seemingly inconsistent and ambiguous positions. This involves an analysis of publicly available evidence of India’s participation in working groups and other forums within the UN. Subsequent takeaways reflect a composite examination of:

  1. India’s 2015 Comments to UNGA Resolution 70/237, which endorsed the GGE-developed international framework for responsible state behaviour in the cyberspace;
  2. India’s statement at the June 2019 Organisational Session of the first OEWG;
  3. India’s 2020 comments on the initial pre-draft of the OEWG’s report. These comments have been taken down from the OEWG website.
  4. February 2021 comments/remarks and proposed edits (January 2021) by the Government of India on the zero draft of the OEWG’s final substantive report.
  5. India’s statement at the UNSC Open Debate on international cybersecurity (June 2021).

While the Indian delegation participated in the first substantive session of the 2nd OEWG in December 2021, its interventions are, as of writing, unavailable on the OEWG’s website. Based on an overview of the aforementioned statements, five key trends emerge.

First, the Indian Government appears to prefer state-led solutions over multistakeholderism to cybersecurity. While broadly highlighting the importance of multistakeholderism within internet governance, India’s 2015 submission at the UNGA has argued that governments play a primary role in cybersecurity since it falls within the umbrella of ‘national security’. India has also made explicit recommendations at the OEWG negotiations to remove references to “human-centric” approaches to replace them with terms like “peace and stability”. Such statements convey a top-down outlook to ICT and cybersecurity policy. India prefers stakeholders play a secondary role in cybersecurity policy as stated in its intervention at the UNSC. The Indian Foreign Secretary, at the UNSC, opined that stakeholders can play an important role in supporting international cooperation on cybersecurity.

Such positions are consistent with the Indian Government’s disposition that technology environments should adhere to the rule of law and policies framed by appropriate government authorities. Even so, domestically, the Indian government has demonstrated a willingness to participate in multistakeholder dialogue (at forums like India IGF) and seek stakeholder inputs on related policy matters.

Second, India aims to bring content, behaviour and speech over social media and the wider internet within the scope of international cyber security. When discussing the scope of cyber/information security, India has repeatedly referred to cyber terrorism, terrorist content, virulent propaganda, inciting speech, disinformation, terror financing and recruitment activities, and general misuse of social media. This is of course consistent with its domestic policy stance on stricter regulations for social media intermediaries under the 2021 intermediary guidelines and digital media ethics code. India has even called for international dialogue and cooperation to counter terror propaganda, remove content and real time support with investigations. It has called upon the international community to recognise cyber terrorism as a special class of cyber incident which requires stronger international cooperation. As discussed in Part 1 of this series, the OEWG may be receptive to broadening the scope of information security to include issues relating to online speech and social media. This is also evidenced by the fact that several States have raised similar issues during the first substantive session of the 2nd OEWG in December 2021.

Third, India appears to prefer an internationally binding rules-based framework on ICTs and cyberspace. This is evident from both India’s 2021 submission to the OEWG, and its 2021 intervention at the UNSC’s open debate on cybersecurity. These submissions confirm that India appears open to a treaty/convention-based pathway to international cybersecurity. At the same time, during the 2021 OEWG negotiations India categorically requested deleting a paragraph which refers to a 2015 proposal for international code of conduct for information security. The 2015 proposal was tabled by UN Member States who are also members of the Shanghai Cooperation Organisation (“SCO”). Notably, India joined the SCO a few months after the bloc tabled its 2015 proposal. The SCO’s proposal was largely steered under Russian and Chinese guidance.

Fourth, Indian interventions have laid heavy emphasis on supply chain security of ICT products and services. India’s interventions focus on two key aspects. First is an emphasis on cybersecurity resilience and hygiene among SMEs and children. The reference to SMEs can be considered an expression of its economic aspirations via digital transformation. Second, India has called for greater international cooperation on matters surrounding trusted ICT products and services, and trusted suppliers of such products and services. This includes mitigating the introduction of harmful hidden functions like backdoors within ICT products and services which can compromise essential networks. To this end, India has even called for the introduction of a new cyber norm relating to a standard for essential security in cyberspace. This position appears to align itself with recent mandatory testing and certification regulations for telecommunications equipment, and a more recent national security directive passed by Indian telecom authorities in response to growing concerns of Chinese presence in Indian telecom and ICT systems. Under this Directive, Indian telecom authorities have launched the ‘Trusted Telecom Portal’ which aims to ensure that Indian telecom networks only comprise equipment which are deemed to be ‘trusted products’ from ‘trusted sources’. Recent reports also reveal that the Indian Government is in the process of establishing a unified national cyber security task force which will set up a specialised sub department to focus on cyber threats in the telecom sector.

Lastly, on the applicability of international law to States’ use of ICTs—despite its participation in five out of six UN GGEs and the first OEWG—India has yet to substantively articulate an extensive position on this topic. Instead, it has made broader calls for non-binding, voluntary guidance from the international community on the application of key concepts within international humanitarian law like distinction, necessity, proportionality and humanity within the context of ICTs. India’s most animated interventions have pertained to jurisdiction and sovereignty. To be clear, it has not engaged on whether sovereignty is a principle or a rule of international law. Instead, it has called on the international community to reimagine sovereignty and jurisdiction—where a new technical basis (beyond territoriality) can allow States to effectively govern and secure cyberspace.

One such basis for sovereignty that India put forth before the OEWG relates to data ownership and sovereignty. It purports that such a philosophical underpinning would endorse people’s right to informational privacy online. Yet, these positions reflect and seek to legitimise wider trends in digital and ICT policymaking in India. This includes proposals to restrict cross-border data flows for different purposes and its challenges with carrying out law enforcement investigations owing to lethargic international cooperation via the MLAT frameworks.

Conclusion

India’s current engagement with international cybersecurity issues serves as a mirror for India’s domestic political economy and immediate national interests. Given that it occupies a pivotal position as a digital swing state with the second largest internet user base in the world, India could have the geopolitical heft to steer the conversation away from ideological fault lines—and towards more substantive avenues.

However, in order to do this, it must adopt a more internationalised agenda while negotiating in these cyber norms processes. Since it is still early days when it comes to substantive discussions at the 2nd OEWG, and negotiations at other forthcoming processes are yet to commence, the time may be ripe for India to start formulating a more cohesive strategy in how it engages with international cyber norms processes.

To this end, Indian leadership could approach the forthcoming National Cyber Security Strategy as a jumping-off point from which it can refine the Government’s normative outlook to matters relating to international cybersecurity, international law and responsible state behaviour in the cyberspace. The forthcoming strategy could also help the Government of India define how it collaborates with other States and non-governmental stakeholders. Finally, it could help identify domestic laws, policies and institutions that require reform to keep pace with international developments.

India’s new Defence Cyber Agency

Recent developments in India’s space policy, including Mission Shakti, India’s first anti-satellite weapon test, are indicative of the state’s growing concern about contemporary threats to the state; India is ranked among the 15 least cyber-secure countries in the world out of a list of 60 countries. To this end, the Prime Minister announced the setting up of three new tri-service agencies, for Cyber Warfare, Space and Special Operations, at the Combined Commanders’ Conference in Jodhpur last year.

In this post we will mainly deal with the third tri-service agency, the Defence Cyber Agency, which is set up to work in conjunction with the National Cyber Security Advisor. Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its tri-service nature means that it would include as many as 1000 personnel from all three branches: the Army, Navy and the Airforce. Rear Admiral Mohit Gupta has been appointed to be the first head of the DCA.

Current Legal Framework

The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cyber security, and those focusing on the military cyber security.

The National Cyber Security Policy was adopted by the Government of India in 2013 to ensure a secure and resilient cyberspace for citizens, businesses and the government. This policy was launched to integrate all the initiatives in the area of Cyber Security and to tackle the fast-changing nature of cybercrimes. Initiatives such as setting-up the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC), and creating sector specific Computer Emergency Response Teams (CERT) were implemented under the policy.

The Indian Computer Emergency Response Team (CERT) is an office within the Ministry of Electronics and Information Technology. It is the national nodal agency for responding to computer security incidents as and when they occur. It deals with mostly civilian threats by issuing guidelines, vulnerability notes, and whitepapers relating to security practices as well as providing a point of contact for reporting local problems.

Cyber-Security concerns in India

The 2019 Global Risk Report highlights India’s history of malicious cyber-attacks and lax cybersecurity protocols which led to massive breaches of personal information in 2018. It also specifically mentions the government ID database, Aadhaar, which has reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that individuals were selling access to the database at a rate of 500 rupees for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.

The Digital India initiative has resulted in a boom in internet usage in the country. However, due to the lack of proper security protocols in place, there have been an estimated 700 hacks into state and central government websites, as was reported in Lok Sabha. Additionally, in January of 2017, the National Security Guard page was hacked by suspected Pakistan-based operatives who then went on to post anti-India content on it. The need to prevent such attacks on Indian websites has been a matter of debate since 2016, following the hack of the IRCTC website.

While some aspects of cyber security are easy to classify, such as the breach of IRCTC being a civilian breach and hacking the website of the National Security Guard being a military breach, other potential cyber threats could fall within a grey area.

Defence Cyber Agency

The lacuna which the Defence Cyber Agency seeks to fill exists in the realm of military cyber security. It is currently governed by the Defence Intelligence Agency (DIA), which operates under the direct control of the Ministry of Defence and focuses on the international offensive and defensive capabilities of the state. It is the nodal agency for all defence related intelligence.

The formation of the Defence Cyber Agency is supposedly meant to combat the current threat of foreign hackers from nations such as China or Pakistan, who could attack India’s digital infrastructure using cyber warfare. The new agency could potentially set up the roadmap for the future of India’s cyber security, specifically by combating threats made to military targets.

A common feature of many military agencies is the lack of legislative clarity; in the absence of a clear and coherent policy document or a parliamentary enactment to this effect, the parameters on which the domain of ‘military cyber security’ is demarcated remain unclear. The definition of ‘military’ in this case could potentially be based on the nature of the target (IRCTC hack vs. NSG hack), the origin of the threat (geographical location or the nationality of the perpetrator) or even the source of the threat (China/Pakistan or amateur domestic hackers).

The Agency is expected to follow a decentralized structure where the bulk of the agency will be focused into smaller teams, spread around the country, with the command center in Delhi. It also aims at putting dedicated officers in major headquarters of the tri-forces to deal with emerging cyber security issues.

One of the main takeaways from the setting up of this agency is the inter-service cooperation between the Army, Navy and the Airforce. The move is also in keeping with the Joint Training Doctrine Indian Armed Forces of 2017, which seeks to foster ‘Synergy’ and ‘Integration’ amongst the three Services and other stake-holders, leading to enhanced efficiency and optimum utilisation of resources.

Since the new agency will fall under the purview of the Ministry of Defence, the precise mandate and composition of the DCA are not clear at this point. After its formal inauguration, which is supposed to happen sometime this month, it is possible that people will have a better idea of the agency’s role and functions in maintaining India’s cyber defences.

A key issue which has not been addressed so far remains the need to employ experts in the field of cyber-security. While the new agency is projected to employ over 1000 personnel from the three services, employing personnel with sufficient technical knowledge will be difficult, owing to a general lack of qualified personnel in this field. Additionally, with the boom in the cyber security market, the DCA would not only have to contend with private players in the domestic markets in attracting qualified talent, but also face stiff competition from international players in the scene.

In addition to setting up the DCA, it is also important that all three services take this opportunity to better train existing personnel in basic cyber security practices, including staff which is not specifically deployed to the DCA.

It is hoped that the formation of such an agency will not only improve India’s cyber security but also bolster its international reputation in terms of digital safety. The creation of this new agency highlights the weaponization of cyberspace as a tool of modern warfare, and also the importance of data and information sharing between the three services in order to better protect the nation.