Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

• existing and potential threats to “information security”.
• rules, norms and principles of responsible State behaviour i.e. cyber norms.
• international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5^th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6^th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Understanding CERT-In’s Cybersecurity Directions, 2022

Sukanya Thapliyal

“Cyber Specialists” by Khahn Tran is licensed under CC BY 4.0

INTRODUCTION

The Indian Government is set to initiate a widely discussed cybersecurity regulation later this month. On April 28, 2022, India’s national agency for computer incident response, also known as the Indian Computer Emergency Response Team (CERT-In), released Directions relating to information security practices, the procedure, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet. These Directions were introduced under section 70B(6) of India’s Information Technology Act, 2000 (IT Act). This provision allows CERT-In to call for information and issue Directions to carry out its obligations relating to:
1. facilitating the collection, analysis and dissemination of information related to cyber incidents,
2. releasing forecasts and alerts, and
3. taking emergency measures.

According to the IT Act, the new Directions are mandatory in nature, and non-compliance attracts criminal penalties which includes imprisonment of up to one year. The notification states that the Directions will become effective 60 days from the days of issuance i.e. on June 28, 2022. The Directions were later followed by a separate Frequently Asked Questions (FAQ) document, released as a response to stakeholder queries and concerns.

These Directions have been introduced in response to increasing instances of cyber security incidents which undermine national security, public order, essential government functions, economic development, and security threats against individuals operating through cyberspace. Further, recognizing that the private sector is a crucial component of the digital ecosystem, the Directions also push for closer cooperation between private organisations and government enforcement agencies. Consequently, the Directions have identified sharing of information for analysis, investigation, and coordination concerning the cyber security incidents as one of its prime objectives.

POLICY SIGNIFICANCE OF DIRECTIONS

Presently, Indian cybersecurity policy lacks a definite form. The National Cyber Security Policy (NCSP) was released in 2013 serves as an “umbrella framework for defining and guiding the actions related to security of cyberspace”. However, the policy has seen very limited implementation and has been mired in a multi-year reform which awaits completion. The new cybersecurity strategy is still in the works, and there is no single agency to oversee all relevant entities and hold them accountable.

Cybersecurity policymaking and governance are progressing through different government departments at national and state levels in silos and in a piecemeal manner. Several cybersecurity experts have also identified the lack of adequate technical skills and resource constraints as a significant challenge for government bodies. The Indian cybersecurity policy landscape needs to address these existing and emerging threats and challenges by instilling appropriate security standards, efficient implementation of modern technologies, framing of effective and laws and security policies, and adapting multi-stakeholder approaches within cybersecurity governance.

Industry associations and lobby groups such as US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA), and Information Technology Industry Council (ITI) have responded to the Directions with criticism. These organisations have stated that these Directions, in present format, would negatively impact Indian and global enterprises and undermine cybersecurity. Moreover, the Directions were released without any public consultations and therefore, lack necessary stakeholder inputs from across industry, civil society, academia and technologists.

The new CERT-In Directions mandate covered entities (service providers, intermediaries, data centers, body corporate and governmental organisations) to comply with prescriptive requirements that include time synchronisation of ICT clocks, excessive data retention requirements, 6 hr reporting requirement of cyber incidents, among others. The next section critically evaluates salient features of the Directions.

SALIENT FEATURES OF THE DIRECTIONS

Time Synchronisation: Clause (i) of the Directions mandates service providers, intermediaries, data centers, body corporate and governmental organisations to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks. For organisations whose operations span multiple jurisdictions, the Directions allow relaxation by allowing them to use alternative servers. However, the time source of concerned servers should be the same as that of NPL or NIC. Several experts have raised that the requirement as extremely cumbersome, resource-intensive, and not in conformity with industry best practices. As per the established practice, companies often base their decision regarding NTP servers on practicability (lower latency) and technical efficiency. The experts have raised concerns over the technical and resource constraints with NIC and NPL servers in managing traffic volumes, and thus questioning the practical viability of the provision. .

Six-hour Reporting Requirement: Clause (ii) requires covered entities to mandatorily report cyber incidents within six hours of noticing such incidents or being notified about such incidents. The said Direction imposes a stricter requirement than what has been prescribed under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) that allows the covered entities to report the reportable cyber incident within “a reasonable time of occurrence or noticing the incident to have scope for timely action”. The six hour reporting requirement is also stricter than the established norms in other jurisdictions, including the USA, EU, UK, and Australia. Such reporting requirements normally range from 24 hours to 72 hours, depending upon the affected sector, type of cyber intrusion, and attack severity. The CERT-In Directions make no such distinctions in its reporting requirement. Further, the reportable cyber security incidents under Annexure 1 feature an expanded list of cyber incidents (compared to what are mentioned in the CERT-In Rules). These reportable cyber incidents are defined very broadly and range from unauthorised access to systems, identity theft, spoofing and phishing attacks to data branches and data theft. Considering that an average business entity with digital presence engages in multiple digital activities and there is no segregation on the basis of scale or severity of incident, the Direction may be impractical to achieve, and may create operational/compliance challenges for many smaller business entities covered under the Directions. Government agencies often require business entities to comply with incident/breach reporting requirements to understand macro cybersecurity trends, cross-cutting issues, and sectoral weaknesses. Therefore, governments must design cyber incident reporting requirements tailormade to sectors, severity, risk and scale of impact. Not making these distinctions can make reporting exercise resource-intensive and futile for both affected entities and government enforcement agencies.

Maintenance of logs for 180 days for all ICT systems within India: Clause (iv) mandates covered entities to maintain logs of all the ICT systems for a period of 180 days and to store the same within Indian jurisdiction. Such details may be provided to CERT-In while reporting a cyber incident or otherwise when directed. Several experts have raised concerns over a lack of clarity regarding scope of the provision. The term “all ICT systems” in its present form could include a huge trove of log information that may extend up to 1 Terabyte a day. It further requires the entities to retain log information for 180 days as opposed to the current industry practice (30 days). This Direction is not in line with the purpose limitation and the data minimisation principles recognized widely in several other jurisdictions including EU’s General Data Protection Regulation (GDPR) and does not provide adequate safeguard against indiscriminate data collection that may negatively impact the end users. Further, many experts have pointed out that the concerned Direction lacks transparency and is detrimental to the privacy of the users. As the log information often carries personally indefinable information (PII), the provision may conflict with users informational privacy rights. CERT-In’s Directions are not sufficiently clear on the safeguard measures to balance legal enforcement objectives with the fundamental rights.

Strict data retention requirements for VPN and Cloud Service Providers: Clause (v) requires “Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers” to register accurate and detailed information regarding subscribers or customers hiring the services for a period of 5 years or longer after any cancellation or withdrawal of the registration. Such information shall include the name, address, and contact details of subscribers/ customers hiring the services, their ownership pattern, the period of hire of such services, and e-mail ID, IP address, and time stamp used at the time of registration. Clause (vi) directs virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain all KYC records and details of all financial transactions for a five year period. These Directions are resource-intensive and would substantially increase the compliance cost for many companies. It is also important to note that bulk data retention for a longer time period also creates greater vulnerabilities and attack surfaces of private/sensitive/commercial ICT use. As India is still to enact its data protection law, and the Directions are silent on fundamental rights safeguards, it has also led to serious privacy concerns. Further, some entities covered under this direction, including VPS or VPN providers, are privacy and security advancing services that operate on a strict no-log policy. VPN services provide a secure channel for storing and sharing information by individuals and businesses. VPNs are readily used by the business and individuals to protect themselves on unsecured, public Wifi networks, prevent website tracking, protect themselves from malicious websites, against government surveillance, and for transferring sensitive and confidential information. While VPNs have come under fire for being used by cybercriminals and other malicious actors, a blanket requirement for maintaining logs and excessive data retention requirement goes against the very nature of the service and may render these services pointless (and even insecure) for many users. The Frequently Asked Questions (FAQs), released following the CERT-In Directions have absolved the Enterprise/Corporate VPNs from the said requirement. However, the Directions still stand for VPN Service providers that provide “Internet proxy like services” to general Internet subscribers/users. As a result, some of the largest VPN service providers including NordVPN, and PureVPN have indicated the possibility of pulling their servers out of India and quitting their operations in India.

In a separate provision [Clause (iii)], CERT-In has also directed the service providers, intermediaries, data centers, body corporate, and government organisations to designate a point of contact to interface with CERT-In. The Directions have also asked the covered entities to provide information or any other assistance that CERT-In may require as part of cyber security mitigation actions and enhanced cyber security situational awareness.

CONCLUSION

Our ever-growing dependence on digital technology and its proceeds has exposed us to several vulnerabilities. Therefore, the State plays a vital role in intervening through concrete and suitable policies, institutions and digital infrastructures to protect against future cyber threats and attacks. However, the task is too vast to be handled by the governments alone and requires active participation by the private sector, civil society, and academia. While the government has a broader perspective of potential threats through law enforcement and intelligence organisations and perceives cybersecurity concerns from a national security lens, the commercial and fundamental rights dimensions of cybersecurity would benefit from inputs from the wider stakeholder community across the cybersecurity ecosystem.

Although in recent years, India has shown some inclination of embracing multi-stakeholder governance within cybersecurity policymaking, the CERT-In Directions point in the opposite direction. Several of the directions mentioned by the CERT-In, such as the six-hour reporting requirement, excessive data retention requirements, synchronisation of ICT clocks indicate that the government appear to adopt a “command and control” approach which may not be the most beneficial way of approaching cybersecurity issues. Further, the Directions have also failed to address the core issue of capacity constraints, lack of skilled specialists and lack of awareness which could be achieved by establishing a more collaborative approach by partnering with the private sector, civil society and academia to achieve the shared goal of cybersecurity. The multi stakeholder approaches to policy making have stood the test of time and have been successfully applied in a range of policy space including climate change, health, food security, sustainable economic development, among others. In cybersecurity too, the need for effective cross-stakeholder collaboration is now recognised as a key to solving difficult and challenging policy issues and produce credible and workable solutions. The government, therefore, needs to affix institutions and policies that fully recognize the need and advantages of taking up multi stakeholder approaches without compromising accountability systems that give due consideration to security threats and safeguard citizen rights.

Second Substantive Session of UN OEWG on International Cybersecurity (Part 1): Analysing Developments on Stakeholder Participation

Ananya Moncourt & Sidharth Deb

“Cyber Attacks” by Christian Colen Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)

Introduction

On April 1st 2022, the United Nations General Assembly’s (UNGA’s) First Committee on Disarmament and International Security concluded the week-long second substantive session of the second Open-Ended Working Group (OEWG) on the security of and in the use of information and communication technologies (ICTs). This process is the UN’s second OEWG involving all 193 UN Member States on matters relating to international cybersecurity. There have also been six prior UN Group of Government Experts (GGEs) on similar issues.

This post is the first of a three-part series which analyses key developments at the OEWG’s second substantive session in the period between March 28 and April 01, 2022. This piece outlines discussions on a key issue – multistakeholder engagement within the OEWG process.

Readers can view it as a follow up to CCG’s two-part blog series from December 2021 which analysed major international cybersecurity discussions (including the international normative framework) at the UN and India’s participation in these processes. Part 1 begins by providing an overview of the scope of the OEWG’s institutional mandate, the geopolitical background in which the second substantive session was held, and analyses key organisational developments relating to the modalities of multistakeholder participation at the OEWG. It reveals geopolitical differences and where appropriate, spotlights India’s interventions on such issues.

Institutional Mandate

The second OEWG was established by UNGA Resolution 75/240 adopted on December 31, 2020. The resolution describes ICTs as “dual-use technologies” which can be used for both “… legitimate and malicious purposes”. This language within the resolution is curious since this would mean that dual-use technologies are capable of being used in lawful and unlawful scenarios. This is a departure from how “dual-use technologies” are traditionally defined as technologies which have both civilian and military applications and use cases.

Keeping this in mind, the resolution presciently expresses concern that some States are building up military ICT capabilities and that they could play active roles in future conflicts between States. Given their potential threat to national security, Resolution 75/240 establishes a new OEWG for the period between 2021 and 2025 which must act on a consensus basis. The second OEWG is expected to build on the aforementioned prior work of the GGEs and the first OEWG. The OEWG has been assigned a broad substantive mandate which includes:

1. Identifying existing and potential threats in the sphere of information security;
2. further developing the internationally agreed voluntary rules, norms and principles of responsible State behaviour in cyberspace. This entails identifying mechanisms for implementation and, if necessary, introducing and/or elaborating additional cyber norms;
3. developing an understanding of the manner in which international law applies to States’ use of ICTs;
4. capacity building and confidence-building measures on matters relating to international cybersecurity;
5. establishing mechanisms of regular institutional dialogue under the UN.

Resolution 75/240 specifies that aside from a final consensus report, the  OEWG must submit annual progress reports before the UNGA. Relevant to this post, the Resolution also grants the OEWG with the power to interact with non-governmental stakeholders. The OEWG’s Organisational Session in June 2021, States agreed to a total of eleven substantive sessions, the first of which was held in the period of December 13 to December 17, 2021.

Geopolitical Background to Second Substantive Session

At the second substantive session in the last week of March 2022 discussions were hindered by ongoing geopolitical tensions arising out of the international armed conflict owing to the Russian invasion of Ukraine. Cyberspace has played a strategic role within the conflict and has spanned several cyber incidents and operations. This includes strategic information campaigns and online influence operations. Moreover, the conflict has observed strategic incidents and operations which targeted government websites and extended to strategic measures critical information infrastructures across both public and private sectors. Key incidents prior to the session include a prominent attack on a satellite broadband network which affected internet availability for users across different parts of Europe.

The tensions have extended even to technical internet governance bodies like ICANN where for instance, Ukraine made unsuccessful requests to prevent Russian websites/domains from accessing the global internet. And as has been widely reported, the conflict has led to sanctions against Russian financial operators from executing cross-border transactions via globally interoperable ICT systems like the SWIFT network.

Such geopolitical realities mean that the OEWG’s progress which is rooted in consensus was adversely affected. Let us now consider a central organisational issue for the OEWG i.e. modalities of stakeholder participation.

Modalities of Stakeholder Participation

The value of rooting multistakeholderism into internet, ICT and cybersecurity governance is well documented. Most ICT systems are owned, controlled, used and/or managed by non-governmental stakeholders across the private sector and civil society. Field expertise is also largely situated outside of governments. However, under the UNGA First Committee, cybersecurity processes like the GGEs and the first OEWG have operated using state-centric, even exclusive, approaches.

UNGA Resolution 75/240 attempts to buck this trend and grants the OEWG the authority to interact with interested/relevant stakeholders from private sector, civil society and academia. For context, the first OEWG was the first cybersecurity discussion at the UN to involve some limited informal consultations between States and other stakeholders. The final substantive report, dated March 2021, even describes rich discussions and proposals from the multistakeholder community.

Despite this being an improvement upon the GGE model, experts contended that the first OEWG lacked direct or structured multistakeholder involvement. The first OEWG’s dialogue was described as ad-hoc, inconsistent and isolated. Similarly, consultation opportunities at the OEWG were largely limited to an exclusive class of accredited organisations at the UN’s Economic and Social Council (ECOSOC). Stakeholders expressed concern that a repeat of this approach would exclude discipline related field experts, private operators, and other relevant stakeholders. In lieu of this, certain States, regional organisations, non-governmental stakeholders, and individual experts have shared written inputs to the OEWG’s Chair calling for the adoption of modalities which facilitate transparent, structured and formal stakeholder involvement. The proposal put forth the additional option for non-accredited organisations to indirectly engage by sharing their views with the OEWG. To further inclusivity the proposal suggested that stakeholders be allowed to participate in both formal and informal consultations through a hybrid physical/virtual format.

Unfortunately, this issue was not resolved at either the OEWG’s Organisational Session in June 2021, nor its First Substantive Session in December 2021. At these discussions Member States like the EU, Canada, France, Australia, Brazil, Germany, the Netherlands, UK, USA and New Zealand advocated broader, structured, transparent and formal involvement of stakeholders. The transparency component was a point of emphasis for these jurisdictions. This proposal focused on making it widely known, the grounds on which certain States objected against the inclusion of stakeholders within the OEWG. In opposition, the Sino-Russian bloc including Cuba, Iran, Pakistan and Syria opposed extended multistakeholder participation since they believe the OEWG should preserve its government-led character. Russia has proposed formal multistakeholder involvement be restricted to granting consultative status to ECOSOC accredited institutions. These States insisted that informal consultations and written inputs are sufficient means of incorporating wider stakeholder views.

Although in favour of multistakeholder involvement, India’s interventions advocated that the OEWG follow the same modalities as the first OEWG which as described earlier has been criticised on grounds of inclusivity.

Developments on Modalities at Second Substantive Session

As the issue carried forward into the second substantive session, geopolitical tensions have escalated as a result of the Russia-Ukraine conflict. Statements by Australia, Canada, USA, UK, EU, France, Germany and others called upon Russia to stop using cyberattacks and disinformation campaigns. States from this bloc proposed that the OEWG’s programme of work not move forward without an agreement on stakeholder modalities. Iran contended that such a decision would undermine the legitimacy of the OEWG process. Other allies like China, Russia and Cuba argued that stakeholder participation should not come at the cost of substantial discussions. These countries cited Resolution 75/240 as not mandatorily requiring the OEWG to include stakeholders. However, the NATO and other allies of the US argued that delays to their inclusion would undercut stakeholders’ ability to meaningfully participate in the process.

Certain countries like France, Indonesia, Russia and Egypt supported an Indian proposal as a temporary workaround. India refined its earlier proposal and suggested that the OEWG continue the first OEWG’s system of informal consultations for the duration of one year while the issue of stakeholder participation was referred back to the UNGA for a final deliberation. No consensus was reached and consequently the Chair decided to suspend the issue of modalities and switched to issue-specific conversations via informal mode of discussion.

Conclusion: Final Modalities Yield Mixed Results

Three weeks after the conclusion of the second substantive session, the OEWG Chair shared a letter dated April 22, 2022 which declared consensus on the modalities of stakeholder participation at the second OEWG. These modalities will be formally adopted at the OEWG’s third substantive session in July 2022. They state that interested ECOSOC accredited NGOs can participate at the OEWG. Other interested stakeholders/organisations which are relevant to the OEWG’s mandate can apply for accreditation. They can formally participate provided Member States do not object. However, on the transparency front there appears to be a compromise. States must only share general reasons for their objection on a voluntary basis. The Chair will only share this received information with other Member States upon request. This prima facie means a stakeholder will not know why there was an objection against its participation in the OEWG process.

The actual stakeholder involvement will be carried out through two prongs. First, like the first OEWG the Chair will organise informal inter-sessional consultations between States and stakeholders. Second, accredited stakeholders can attend formal meetings of the OEWG, submit written inputs and make oral statements during a dedicated stakeholder session.

The modalities do not clarify if accredited stakeholders can participate virtually. This gap in communication is important since many stakeholders from developing/emerging countries often have limited resources and/or capacities to send contingents to these processes. While this development represents clear strides in terms of inclusivity from prior UN cybersecurity processes, as structured, the modalities could inadvertently exclude stakeholders from smaller countries who have an interest in maintaining a safe, secure and accessible cyberspace.

It remains to be seen if the international community will allocate resources in ensuring all interested stakeholders are present and active at these discussions. Moving forward, Parts 2 and 3 of this series focuses on key discussions which took place in informal mode at the Second Substantive Session of the OEWG. They describe how States (including India) view the substantial issues outlined in the OEWG’s institutional mandate. Part 3 concludes by charting out what to expect in the OEWG’s forthcoming draft of its first annual progress report for the UNGA.

Technology & National Security Reflection Series Paper 3: Technology and the Paradoxical Logic of Strategy

Manaswini Singh^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

In the present essay, the author reflects upon the following question: 

According to Luttwak, “The entire realm of strategy is pervaded by a paradoxical logic very different from the ordinary ‘linear’ logic by which we live in all other spheres of life” (at p. 2) Can you explain the relationship between technological developments and the conduct of war through the lens of this paradoxical logic?

Introducing Luttwak’s Paradoxical Logic of Strategy

While weakness invites the threat of attack, technologically advanced nations with substantial investment in better military technology and R&D that are capable of retaliation, have the power to persuade weaker nations engaged in war to disengage or face consequences. Initiating his discussion on the paradox of war, Luttwak mentions the famous roman maxim si vis pacem, para bellum which translates to – if you want peace, prepare war. Simply understood, readiness to fight can ensure peace. He takes the example of the Cold War to discuss the practicality of this paradoxical proposition. Countries that spend large resources in acquiring and maintaining nuclear weapons resolve to deter from first use. Readiness at all times, to retaliate against an attack is a good defensive stance as it showcases peaceful intent while discouraging attacks altogether. An act of developing anti-nuclear defensive technology – by which a nation waging war may be able to conduct a nuclear attack and defend itself upon retaliation – showcases provocativeness on its part.

The presence of nuclear weapons, which cause large scale destruction, have helped avoid any instance of global war since 1945. This is despite prolonged periods of tensions between many nations across the globe. Nuclear weapons are an important reason for the maintenance of international peace. This is observable with India and its border disputes with China and Pakistan where conflicts have been frequent and extremely tense leading to many deaths. Yet these issues have not escalated to large scale or a full-fledged war because of an awareness across all parties that the other has sufficient means to engage in war and shall be willing to use the means when push comes to shove. 

Using the example of standardisation of antiaircraft missiles, Luttwak points out that ‘‘in war a competent enemy will be able to identify the weapon’s equally homogeneous performance boundaries and then proceed to evade interception by transcending those boundaries… what is true of anti aircraft missiles is just as true of any other machine of war that must function in direct interaction with reacting enemy – that is, the vast majority of weapons.”

Image by VISHNU_KV. Licensed via CC0.

Luttwak’s Levels of Strategy

The five levels of strategy as traced by Luttwak are: 

1. Technical interplay of specific weapons and counter-weapons.
2. Tactical combat of the forces that employ those particular weapons.
3. Operational level that governs the consequences of what is done and not done tactically.
4. Higher level of theatre strategy, where the consequences of stand alone operations are felt in the overall conduct of offence and defence.
5. The highest level of grand strategy, where military activities take place within the broader context of international politics, domestic governance, economic activity, and related ancillaries.

These five levels of strategy create a defined hierarchy but outcomes are not simply imposed in a one-way transmission from top to bottom. These levels of strategy interact with one another in a two-way process. In this way, strategy has two dimensions: the vertical dimension and the horizontal dimension. The vertical dimension comprises of the different levels that interact with one another; and the horizontal dimension comprises of the dynamic logic that unfolds concurrently within each level.

Situating Technological Advancements Within Luttwak’s Levels of Strategy

In the application of paradoxical logic at the highest level of grand strategy, we observe that breakthrough technological developments only provide an incremental benefit for a short period of time. The problem with technological advancement giving advantage to one participant in war is that this advantage is only initial and short-lasting. In discussing the development of efficient technology, he gives an example of the use of Torpedo boats in warfare which was a narrow technological specialisation with high efficiency. Marginal technological advancement of pre-existing tech is commonplace occurrences in militaries. The torpedo naval ship was a highly specialised weapon i.e. a breakthrough technological development which was capable of causing more damage to larger battleships by attacking enemy ships with explosive spar torpedoes. The problem with such concentrated technology is that it is vulnerable to countermeasures. The torpedo boats were very effective in their early use but were quickly met with the countermeasure of torpedo beat destroyers designed specially to destroy torpedo boats. This initial efficiency and technical advantage and its ultimate vulnerability to countermeasures is the expression of paradoxical logic in its dynamic form. 

When the opponent uses narrowly incremental technology to cause damage to more expensive and larger costlier weapons, in the hopes of causing a surprise attack with the newly developed weapon, a reactionary increment in one’s weaponry is enough to neutralise the effects of such innovative technologically advanced weapon(s). The technological developments which have the effect of paradoxical conduct in surprising the opponent and finding them unprepared to respond in events of attacks, can be easily overcome due to their narrowly specialised nature themselves. Such narrowly specialised new tech are not equipped to accommodate broad counter-countermeasures and hence the element of surprise attached with such incremental technology can be nullified. These reciprocal force-development effects of acts against torpedo-like weapons make the responding party’s defence stronger by increasing their ability to fight and neutralise specialty weapons. Luttwak observed a similar response to the development of Anti-tank missiles which was countered by having infantry accompany tanks.

Conclusion

The aforementioned forces create a distinctly homogenous and cyclical process which span the development of technology for military purposes, and concomitant countermeasures. In the same breadth, one side’s reactionary measure also reaches a culmination point and can be vulnerable to newer technical advancement for executing surprise attacks. Resources get wasted in responding to a deliberate offensive action in which the offensive side may be aware of defensive capabilities and it is just aiming to drain resources and cause initial shock. This can initiate another cycle of the dynamic paradoxical strategy. Within the scheme of the grand strategy, what looks like deadly and cheap wonder weapons at the technical level; fails due to the existence of an active thinking opponent. These opponents can deploy their own will to engage in response strategies and that can serve as a dent to the initial strategic assumptions and logic.

In summary, a disadvantage at the technical level can sometimes also be overcome at the tactical level of grand strategy . Paradoxical logic is present in war and strategy, and use of technology in conduct of war also observes the dynamic interplay of paradoxical logic. Modern States have pursued technological advancements in ICT domains and this has increased their dependence on high-end cyber networks for communication, storage of information etc. Enemy States or third parties that may not be equipped with equally strong manpower or ammunition for effective adversarial action may adopt tactical methods of warfare by introducing malware into the network systems of a State’s critical infrastructure of intelligence, research facilities or stock markets which are vulnerable to cyber-attacks and where States’ inability in attribution of liability may pose additional problems.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Cyber Security at the UN: Where Does India Stand? (Part 2)

This is the second post of a two-part series which examines India’s participation in UN-affiliated processes and debates on ICTs and international security.

The first part offered an overview of how ideological divisions are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In this post, the author evaluates India’s stated positions on ICTs and international security at forums affiliated with the UN.

Author: Sidharth Deb

Introduction

As our digital transformation story has accelerated, Indian authorities have proactively worked on domestic laws, regulations and policies to govern digital and ICT domains. Prominent examples include its net neutrality regime; the 2021 intermediary guidelines and digital media ethics regulations; a soon to be enacted data protection law; and the National Cyber Security Policy, 2013, which is undergoing an overhaul. When it comes to institutional responses, India has, inter alia, operationalised a nodal Computer Emergency Response Team (“CERT-In”), sector specific CERTs, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) to secure critical information infrastructures (“CIIs”), and the National Cyber Security Coordinator within the country’s National Security Council Secretariat.

Conversely, India’s participation at international cybersecurity processes like the United Nations’ Group of Governmental Experts (“GGEs”) and the Open-ended Working Groups (“OEWG”) remains less developed. It does not reflect its status as a digital deciding swing State in cyber norms processes. Some describe it as lacking cohesion, without substantive or long term commitment to advance an international agenda. They have further characterised India’s position as one of silence, ambiguity and prioritising immediate national interest. India has even shied away from supporting multistakeholder led norms packages on international cybersecurity such as the Paris Call for Trust and Security in Cyberspace. And this perceived positional ambiguity is further reinforced by the fact that it supported both Russia’s proposal for the first OEWG and the US’ proposal for the sixth GGE. India has also endorsed Russia’s proposal for an ad-hoc committee for a cybercrime convention under the United Nations General Assembly’s Third Committee on Social, Humanitarian and Cultural Issues.

Indian Statements on International Security and ICTs

Given that India has an opportunity to assume an internationally significant role in international cybersecurity and norms related debates under processes like the 2nd OEWG, this post attempts to extract and infer meaning from India’s seemingly inconsistent and ambiguous positions. This involves an analysis of publicly available evidence of India’s participation in working groups and other forums within the UN. Subsequent takeaways reflect a composite examination of:

1. India’s 2015 Comments to UNGA Resolution 70/237, which endorsed the GGE-developed international framework for responsible state behaviour in the cyberspace;
2. India’s statement at the June 2019 Organisational Session of the first OEWG;
3. India’s 2020 comments on the initial pre-draft of the OEWG’s report. These comments have been taken down from the OEWG website.
4. February 2021 comments/remarks and proposed edits (January 2021) by the Government of India on the zero draft of the OEWG’s final substantive report.
5. India’s statement at the UNSC Open Debate on international cybersecurity (June 2021).

While the Indian delegation participated in the first substantive session of the 2nd OEWG in December 2021, its interventions are, as of writing, unavailable on the OEWG’s website. Based on an overview of the aforementioned statements five key trends emerge.

First, the Indian Government appears to prefer state-led solutions over multistakeholderism to cybersecurity. While broadly highlighting the importance of multistakeholderism within internet governance, India’s 2015 submission at the UNGA has argued that governments play a primary role in cybersecurity since it falls within the umbrella of ‘national security’. India has also made explicit recommendations at the OEWG negotiations to remove references to “human-centric” approaches to replace them with terms like “peace and stability”. Such statements convey a top-down outlook to ICT and cybersecurity policy. India prefers stakeholders play a secondary role in cybersecurity policy as stated in its intervention at the UNSC. The Indian Foreign Secretary, at the UNSC, opined that stakeholders can play an important role in supporting international cooperation on cybersecurity.

Such positions are consistent with the Indian Government’s disposition that technology environments should adhere to the rule of law and policies framed by appropriate government authorities. Even so, domestically, the Indian government has demonstrated a willingness to participate in multistakeholder dialogue (at forums like India IGF) and seek stakeholder inputs on related policy matters.

Second, India aims to bring content, behaviour and speech over social media and the wider internet within the scope of international cyber security. When discussing the scope of cyber/information security, India has repeatedly referred to cyber terrorism, terrorist content, virulent propaganda, inciting speech, disinformation, terror financing and recruitment activities, and general misuse of social media. This is of course consistent with its domestic policy stance on stricter regulations for social media intermediaries under the 2021 intermediary guidelines and digital media ethics code. India has even called for international dialogue and cooperation to counter terror propaganda, remove content and real time support with investigations. It has called upon the international community to recognise cyber terrorism as a special class of cyber incident which requires stronger international cooperation. As discussed in Part 1 of this series, the OEWG may be receptive to broadening the scope of information security to include issues relating to online speech and social media. This is also evidenced by the fact that several States have raised similar issues during the first substantive session of the 2nd OEWG in December 2021.

Third, India appears to prefer an internationally binding rules-based framework on ICTs and cyberspace. This is evident from both India’s 2021 submission to the OEWG, and its 2021 intervention at the UNSC’s open debate on cybersecurity. These submissions confirm that India appears open to a treaty/convention-based pathway to international cybersecurity. At the same time, during the 2021 OEWG negotiations India categorically requested deleting a paragraph which refers to a 2015 proposal for international code of conduct for information security. The 2015 proposal was tabled by UN Member States who are also members of the Shanghai Cooperation Organisation (“SCO”). Notably, India joined the SCO a few months after the bloc tabled its 2015 proposal. The SCO’s proposal was largely steered under Russian and Chinese guidance.

Fourth, Indian interventions have laid heavy emphasis on supply chain security of ICT products and services. India’s interventions focus on two key aspects. First is an emphasis on cybersecurity resilience and hygiene among SMEs and children. The reference to SMEs can be considered an expression of its economic aspirations via digital transformation. Second, India has called for greater international cooperation on matters surrounding trusted ICT products and services, and trusted suppliers of such products and services. This includes mitigating the introduction of harmful hidden functions like backdoors within ICT products and services which can compromise essential networks. To this end, India has even called for the introduction of a new cyber norm relating to a standard for essential security in cyberspace. This position appears to align itself with recent mandatory testing and certification regulations for telecommunications equipment, and a more recent national security directive passed by Indian telecom authorities in response to growing concerns of Chinese presence in Indian telecom and ICT systems. Under this Directive, Indian telecom authorities have launched the ‘Trusted Telecom Portal’ which aims to ensure that Indian telecom networks only comprise equipment which are deemed to be ‘trusted products’ from ‘trusted sources’. Recent reports also reveal that the Indian Government is in the process of establishing a unified national cyber security task force which will set up a specialised sub department to focus on cyber threats in the telecom sector.

Lastly, on the applicability of international law to States’ use of ICTs—despite its participation in five out of six UN GGEs and the first OEWG—India has yet to substantively articulate an extensive position on this topic. Instead, it has made broader calls for non-binding, voluntary guidance from the international community on the application of key concepts within international humanitarian law like distinction, necessity, proportionality and humanity within the context of ICTs. India’s most animated interventions have pertained to jurisdiction and sovereignty. To be clear, it has not engaged on whether sovereignty is a principle or a rule of international law. Instead, it has called on the international community to reimagine sovereignty and jurisdiction—where a new technical basis (beyond territoriality) can allow States to effectively govern and secure cyberspace.

One such basis for sovereignty that India put forth before the OEWG relates to data ownership and sovereignty. It purports that such a philosophical underpinning would endorse people’s right to informational privacy online.  Yet, these positions reflect and seek to legitimise wider trends in digital and ICT policymaking in India. This includes proposals to restrict cross-border data flows for different purposes and its challenges with carrying out law enforcement investigations owing to lethargic international cooperation via the MLAT frameworks.

Conclusion

India’s current engagement with international cybersecurity issues serves as a mirror for India’s domestic political economy and immediate national interests. Given that it occupies a pivotal position as a digital swing state with the second largest internet user base in the world, India could have the geopolitical heft to steer the conversation away from ideological fault lines—and towards more substantive avenues.

However, in order to do this, it must adopt a more internationalised agenda while negotiating in these cyber norms processes. Since it is still early days when it comes to substantive discussions at the 2nd OEWG, and negotiations at other forthcoming processes are yet to commence, the time may be ripe for India to start formulating a more cohesive strategy in how it engages with international cyber norms processes.

To this end, Indian leadership could approach the forthcoming National Cyber Security Strategy as a jumping off point from via which it can refine the Government’s normative outlook to matters relating to international cybersecurity, international law and responsible state behaviour in the cyberspace. The forthcoming strategy could also help the Government of India define how it collaborates with other States and non-governmental stakeholders. Finally, it could help identify domestic laws, policies and institutions that require reform to keep pace with international developments.

Cyber Security at the UN: Where Does India Stand? (Part 1)

Editorial Note: This is a two-part series, which examines India’s participation in UN-affiliated processes and debates on ICTs and international security. 

Part 1 provides an overview of the ideological divisions that are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In Part 2, the author will critique India’s stated positions on ICTs and international security at forums affiliated with the UN. 

Author: Sidharth Deb

Introduction: The International Character of Cyber Threats 

Earlier this month, the United Nations General Assembly’s (“UNGA”) First Committee on Disarmament and International Security (“First Committee”) convened Member-States for the first substantive session of its second Open-Ended Work Group (“OEWG”) on security of, and in the use of, information and communication technologies (“ICTs”). The 2nd OEWG serves as the latest working group under the aegis of the UNGA First Committee on themes relating to ICTs and international cybersecurity. It is notable that in that same week another major cyber vulnerability, in a widely used logging library—the Apache Log4j flaw—threatening global computer systems, came to light. This vulnerability has been described as a major software supply chain flaw which can be used to remotely compromise hundreds of millions of vulnerable devices globally.  

Experts are calling it a cyber pandemic and exploits are already targeting corporate networks globally. More concerning is the fact that nation State-backed hackers have reportedly begun experimenting and launching malicious operations to exploit the flaw. Along with recent incidents like WannaCry, NotPetya, SolarWinds, Colonial Pipeline and the Microsoft Exchange Server, such trends typify a rapidly evolving and increasingly scalable cyber threat landscape which emerge from heterogenous sources. These include States which use ICT capabilities to advance military or political objectives, States-sponsored hacking groups, mercenary technology vendors (developing tools like spyware), and other criminal and/or terrorist non-State actors. To combat these trends the international community must prioritise cyber diplomacy, international cooperation, assistance and baseline harmonisation of jurisdictional efforts as essential prerequisites.  

However, this is challenging since States often have diverging political, economic, developmental and military objectives. Therefore, in order to fulfil the core objective of a peaceful and stable cyberspace, international dialogue on ICT security must successfully navigate both peacetime and conflict paradigms. This includes working around innate complexities conferred via inter-State cyber conflicts. One such challenge relates to the operationalisation of the law of armed conflict within the cyberspace. Keeping these challenges in mind, this post presents an overview of ongoing cyber diplomacy efforts at the UN towards building an international legal and normative framework for responsible state behaviour in the cyberspace. It then evaluates how ideological divisions between countries pose challenges to international consensus and multilateralism. 

The UN, Cybersecurity and the Framework for Responsible State Behaviour 

Against the aforementioned backdrop, the second OEWG commences the next generation of deliberations on the States’ use of ICTs in the context of international peace and security. This Working Group was constituted in accordance with a UNGA resolution (75/240) dated December 31, 2020 and is set to run till 2025. It is open to participation from all 193 UN Member States, and the OEWG’s Chair is in the midst of determining the extent and mechanisms of multistakeholder participation. Both this and the first iteration of the OEWG involve more inclusive participation of the international community as compared to previous Groups of Governmental Experts (“GGEs”) on ICT security, which had only 15 to 25 participating States.  

Given the exponential innovation trajectories of ICT environments and the extended operational timelines, it will be tall order for the 2nd OEWG to fulfil its mandate to identify existing and potential threats to information security. Yet, it is not starting from scratch. Concerted prior work at the GGEs and OEWG, along with subsequent consensus at the UNGA has yielded an international framework for responsible state behaviour towards international cybersecurity. The framework comprises four distinct yet complementary pillars. These pillars include: 

1. International law, including the UN Charter along with existing principles of international law, as it applies to States’ use of ICTs. This was most recently elaborated in the May 2021 consensus report of the 6th GGE.; 

2. Politically determined cyber norms which entail voluntary and non-binding norms, rules and principles of responsible State behaviour during peacetime. The norms, inter alia, include interstate cooperation like exchange of information and threat intelligence; attribution of ICT incidents, respecting human rights; protecting critical infrastructures; securing ICT supply chains; enabling ICT vulnerability disclosures; preventing the misuse of ICTs for cybercrime and international wrongful acts; etc. Cyber norms are meant to promote cooperation and increase predictability, reduce risks of misperception and escalation in the cyberspace, and serve as a first step to the eventual formation of customary international law in the cyberspace. 

3. The other two pillars are confidence building measures and capacity building. These aim to enhance interstate transparency, international and institutional (technical and policy) cooperation, systematise international assistance to implement the voluntary cyber norms framework, and create a baseline of competence and response capabilities across Member States.  

Prima facie these pillars reflect a comprehensive approach in tackling the wide-ranging threats in cyberspace. Yet it does not reflect geopolitical divisions which are emerging within different country blocs. Since cybersecurity’s prominence within the broader scheme of international peace and security continues to increase, it is important to track this aspect of international cyberspace cooperation.  

Ideological Divisions in International Cybersecurity Processes 

Ideological divisions within international cybersecurity processes often reflect similar geographic groupings. One side comprises the US, UK, Estonia and other NATO allies. On the other end of the spectrum, we observe a Sino-Russian grouping which also includes countries like Cuba and Iran. This section highlights four main ways in which ideological divisions are shaping the international cyber diplomacy processes. 

1. Goal of Dialogue: Legally Binding Agreement or Voluntary Politically-determined Norms-based Framework? 

Differences begin at the most fundamental levels of implementation. Consider the means of operationalising the international framework for state responsibility in the use of ICTs. Since the late 90s, the Russian bloc has made multiple proposals for international work towards a binding treaty/convention on international cybersecurity and cybercrime. Such proposals advance Sino-Russian objectives of embedding core principles of internet sovereignty and state-primacy within a rule-based framework of international ICT policy. Interests around sovereignty may have also motivated the Russian proposal to set up the first UN OEWG on ICT Security, which opened up conversations in cybersecurity to all UN Member States. While the OEWG furthers openness, transparency and inclusivity towards norm formulation, the push for expansion in participation is perhaps motivated by an ability to bring more countries with similar ideological positions into the discussions.  

Among other things, their inclusion can create greater momentum to revisit, expand, or create new norms for State activities in cyberspace. The US and NATO bloc has strongly opposed the need for an international treaty based framework citing that such an approach could risk allowing States to negotiate and dilute core principles like openness, interoperability, multistakeholderism and respect for human rights. At a secondary level, it could also lead to greater fetters and regulation of international transnational ICT/internet corporations—which tend to be concentrated in certain jurisdictions.  

2. Disputes on Applicability of International Law 

A prominent example here is the failed negotiations at the 5th UN GGE in 2017. An important point of contention related to whether and how international law—especially international humanitarian law—applies to the cyberspace. In broad terms, NATO allies advocated that the principles of use of force, self-defence, and in situations of conflict, principles of international humanitarian law, should apply to the cyberspace. However, Cuba, serving as a front for the other bloc, opposed this. They argued that this would serve as a tacit endorsement of certain cyber operations and would incentivise escalation/militarisation in the cyberspace. This was the straw that broke the camel’s back, and it cost the international community consensus at the 5th GGE.  

3. Procedural Mechanisms and Modalities of Dialogue  

Since 2017, both the 1st OEWG and 6th GGE successfully adopted consensus reports in March and May 2021 respectively. While they build on prior GGE consensus reports especially the 2013 and 2015 reports, the aforementioned disputes demonstrate the fragility of consensus on international cybersecurity at the UN.  

Even in the run-up to the 2nd OEWG’s first substantive session (December 2021), States have had disagreements on the modalities of engagement. These include whether the OEWG should have broad conversations on all issues simultaneously between Member States, or if the Chair should set up issue-specific thematic subgroups for different aspects of international cybersecurity, etc.  

4. Definitional Scope of Key Concepts including “Information” Security 

Fundamental differences on key concepts like minimum identifiable standards of inter-State conduct, verification, evidence gathering, attribution and accountability among both State and non-State actors, threaten the international framework for peace and stability in cyberspace. A major point of contention which could emerge within the 2nd OEWG relates to its mandate on identifying existing and potential threats to information security. In contrast to the GGEs, the OEWG is increasing its focus on disinformation, defamation, incitement, propaganda, terrorist content, and other online speech/media. This can be discerned from the 1st OEWG’s final substantive report, the Chair’s Summary, and UNGA Res/75/240. The OEWG’s eventual scope of “information security” will also reveal to what extent international policymakers aim to securitise different infrastructure and online public spaces within ICT environments. Given the implications that this could have on principles like openness, interoperability, and people’s fundamental freedoms and human rights, dialogue on this front will be important to track.

Conclusion: The Importance of Digital Swing States 

Substantive fissures threaten multilateral international cooperation in cybersecurity. This risk manifested once with the operation of parallel processes at the 6th GGE and the 1st OEWG. Similar risks of fragmentation could emerge during the 2nd OEWG’s tenure—since there is already an adhoc committee on a cybercrime convention which will commence substantive discussions under the UNGA’s Third Committee in January 2022. States including France, Egypt and others have also made a proposal for an action oriented Programme of Action to advance responsible state behaviour in the cyberspace.  

Given these risks, commentators observe that the role of swing states is integral for international cyber diplomacy to steer the conversations towards more substantive pathways. One such swing State is India. The next post of this two part series will explore India’s engagement with UN-affiliated processes and debates on cybersecurity over time. Through this, we gain greater clarity on India’s definitional approach to cybersecurity, views on multistakeholderism vis-a-vis cybersecurity, supply chain security, and sovereignty in ICT environments.  

France’s Cyber Influence Warfare Doctrine (L2I)

By Ananya Moncourt

On 20^th October 2021, the French Minister of Defense released the French Armed Force’s Cyber Influence Warfare Doctrine (“Lutte Informatique d’influence” in French, abbreviated as L2I). The doctrine lays out a framework for “military operations conducted in the information layer of cyberspace to detect, characterize and counter attacks” and undertake “intelligence gathering or deception operations”. In this blogpost, I highlight and analyze key features of this new doctrine for the conduct of information warfare by the French military.  

Cyberspace in this context is comprised of three inseparable layers– a physical layer (equipment, computer systems, other materials), a logical layer (digital data, software, data exchange flows) and an information or semantic layer (information and social interactions). The applied misuse of the semantic layer can be seen at works in information influence operations that are used to sway public opinion ahead of key elections or on matters of national importance. France has experienced firsthand the perils of such operations in the Macaron Leaks in 2017. 

With the release of L2I ahead France’s presidential elections in April 2022, the legitimisation of  offensive influence operation conduct is consequential. Who is conducting these information influence operations, under what legal constraints, and the justification for doing so in terms of identified threat groups are questions that guide this assessment.

Over the last five years, there has been a gradual shift in France’s diplomatic standing from a defensive approach i.e., the use of force when necessary, to a more offensive and unhesitant preparedness to use force. The relocation of military strategy from a “peace-war-crisis continuum” to a “triptych of competition-contestation-confrontation” in L2I reflects this change clearly. With a guiding maxim to “win the war before the war”, L2I is one part of a three-pronged Strategic Vision, released in November 2021. More broadly, it is the final element of a conceptual framework put forth by the military for acting in the information field – the first was the LID, a defensive IT Policy (2018) and the second LIO, an offensive computer warfare doctrine (2019).  

Identifying Threats 

The root cause for identifying threats in the semantic layer stems from the possibility of information manipulation in cyberspace – a key component of hybrid warfare strategies today. In her speech presenting L2I to the world, Florence Parly (Minister of the Armed Forces) highlighted that “false, manipulated or subverted information is a weapon”. Threats that arise from such weaponisation of information form the subtext of the doctrine that references the authenticity with which modern technologies make it possible to create fake news (deep fakes of false remarks by soldiers in operations and false speeches by politicians for example). These developments are seen as direct threats to the legitimacy and capacities of the French military. 

Two points about the locus of action for influence operations in L2I are significant. One, that L2I operations takes place within a framework strictly limited to military operations outside France’s national territory. Two, that its “theatre of operations” is the information layer of cyberspace. The doctrine also explicitly identifies two threats to the French military – “organised armed groups” and “State actors”. The former includes terrorists’ groups and quasi-states (eg: ISIS/Daesh) who leverage the information layer of cyberspace to fund, recruit and co-ordinate violence. The latter refers to proto-states or State actors using intermediaries whose aim is to destabilize state structures and public opinion by promoting false narratives and undertaking informational attacks.  

The Theatre of the ‘War before the War”: Cyberspace as a Battleground 

L2I deems cyberspace a “fertile breeding ground” for information warfare, due to the ease with which legitimacy can be gained by any individual or group within their established networks online. What merits attention, and further research, is the doctrine’s perceptive articulation of a ‘cognitive dimension’ of the information layer of cyberspace. An outcome of human-computer interactions, it is the emotional, irrational, and legitimate stimulation of people who interact in an online information environment that characterises this ‘cognitive layer’. Under the grammar of the doctrine, susceptibility to disinformation thus becomes an obvious threat in cyberspace. Achieving technological superiority and developing offensive cyber capabilities of the armed forces is presented as a straightforward goal. The doctrine further lucidly presents six characteristics of the information or cognitive layer of cyberspace:  

1] A contraction of time and space: The immediacy of information today combined with its large-scale dissemination promotes interaction and connectivity. The geographic boundaries of information and its protracted transmission have faded away.  

2] Possibility of concealing sources of information: Mastery of related technologies makes it possible to conceal or falsify the origins of information. This anonymity makes the use of cyberspace conducive for purposes of influence by States or groups of individuals. 

3] Information persistence:  Information is difficult to erase in cyberspace because it can be duplicated easily or stored elsewhere. Information can therefore be reused outside of any verifiable context. 

4] Freedom of individuals: Anyone can produce and broadcast information, true or false, without any editorial control in cyberspace. This promotes an unbridled production of information.

5] Technological innovation: Continuous innovation in creation, storage and dissemination of information is a significant feature of cyberspace. 

6] A space modelled by Big Tech: Cyberspace is emerging with major digital operators who, de facto; impose their own regulations and terms. 

The characterization of cyberspace as a “deterritorialised” realm in the doctrine raises the question of whether information warfare can be governed through existing international law frameworks that are based on territorial sovereignty. Nevertheless, respect for international law in L2I is carved out in two distinct spheres. In peacetime, L2I is subject to the United Nations Charter and principles of non-interference, and during times of armed conflict International Humanitarian Law principles of necessity, proportionality, distinction and precaution are highlighted. Further, every operation carried out under L2I is subjected to political and legal constraints outlined by ROE (Rules of Operational Engagement), conceived of to define the circumstances and conditions of implementation.  

It is clear that an inherent contradiction lies in L2I’s recognition of a borderless cyberspace (that is diffusing the boundaries between peace and war times) and the subject of its operations to international laws that are distinct for peace and war times. While it is acknowledged that the functioning of cyberspace is premised on an “entanglement of boundaries” and application of legal provisions is complex, a lack of clarity on the line between a free reign of development of capabilities and the checks and balances necessary for use of these capabilities is evident. This begs the question of what can be considered peace and/ or war time in the information layer of cyberspace, and whether such a distinction is relevant at all. Moreover, determining how territorial sovereignty is defined with regard to state action in this particular layer of cyberspace is an important first step towards developing regulatory guidelines for information influence operations. 

New age combatants for new age threats? 

L2I further outlines a dedicated chain of command under the apex authority of the President followed by the Chief of Staff of the Armed Forces. The post of a General Commanding Officer has been created in recognition of cyber influence operations occurring at the confluence of offensive and defensive strategies. Further, in a multi-disciplinary approach to development of human resources, the doctrine recognises the need for highly specialised skills across disciplines and proposes investment in a cyberwarfare troop comprised of computer graphic designers, psychologists, sociologists, linguists and social media specialists.  

The pervasiveness of information in combination with the interconnectedness of our communication systems and increasingly sophisticated technology capabilities has led to evident potential for exploitation of information in cyberspace. In particular, social media has enabled nation-states to delve into the minds of people, communities and adversaries, to control and push certain narratives while marginalising other kinds of information and perspectives for power. The human mind, intertwined with open societies and networks, can be seen as an emerging battle-space of the future. 

Naturally, what groups are identified as threats and what national agencies are mandated to tackle them in cyberspace are critical. The degree of transparency with which these systemised influence operations, often covert, are sanctioned in a country’s legal framework also has significant geopolitical and human rights implications. This is especially important in democratic political systems where people’s trust in institutions depends on the degree of accountability and transparency built into institutions that undertake influence operations. 

Parallelly, in a major move in India in December 2020, the Ministry of Defense has created a new post of Director General of Information Warfare in light of hybrid warfare, social media realities and future battlefields. The scope of authority and areas of work the office will undertake have not been detailed. As India prepares to strengthen her bilateral defence and security partnership with France, clarity on information operation strategies will improve the quality of such cooperation. As such, what the ‘theatre of operations’ and identified threats groups will be for the Indian military are important questions that require articulation.