Tallinn Manual 1.0 – A Primer

By Shalini S

The Tallinn Manual[1], is an elaborate, academic body of work that examines the applicability of international law to cyber conflicts.  The Manual was prepared by an International Group of Experts (a group of independent international law scholars and practitioners) at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. The Centre tasked the group of experts with producing a ‘manual on the law governing cyber warfare’.

Object of Creation

Presumably, the basis for curating such a manual is a common understanding amongst scholars that international law as it exists, does undeniably apply to cyberspace.[2]  However, efforts must be directed towards determining precisely how it applies, a view also endorsed by UN Group of Government Experts (UNGGE) in the field of IT.[3] Recognizing cyberspace as a viable battlefield (with states developing cyber offensive capabilities), also presumes that computer network attacks may be governed by International Humanitarian Law in the same manner that traditional weapons are regulated.[4]

The primary objective of the authors of the manual was to identify laws of armed conflict that apply to cyberspace and delineate the limits and modalities of its application. The manual which is designed as a reference tools for policymakers to build on, principally focuses on jus ad bellum[5] and jus in bello in cyberspace.[6] The book is divided into black-letter rules, products of consensus and unanimity among the authors. It also contains accompanying commentary that indicate the rules’ legal basis, applicability in international and non-international armed conflicts, and normative content. Outlined also, are conflicting or differing positions among the Experts as to the rules’ scope or interpretation.[7]

The manual examines the proper conduct of hostilities in cyberspace to minimize unnecessary harm by assessing below-mentioned critical areas:[8]

“1. What constitutes direct participation in hostilities, thereby delineating what civilians can (and cannot do) with respect to military cyber operations;

  1. What types of cyber events can constitute “attacks,” including those affecting computer functionality;
  2. How the principle of neutrality applies to cyber operations;
  3. Whether and how entities deserving special protections under the LOAC, e.g., the Red Cross, must identify themselves in cyberspace;
  4. How to treat non-state actor cyber operations and incidents.”

While the manual itself only offers guidelines to append analogies from established international law principles to cyber conflicts, it has sometimes been understood (in the absence of an overriding caveat to the contrary effect) to encourage hostile or military use of information and communications technology – an invitation to cyber war.[9]

Criticism

The definition of cyber-attack as laid down in the manual has often been criticized for its narrow understanding.[10] While this is attributable to the high threshold to be met by an act to constitute ‘armed conflict’ in international law,[11] the manual fails to clarify the implications of attacks that cause consequential harm, impair functionality without causing physical damage and target physical infrastructure that relies on computer systems.[12] Questions abound on the relationship between cyber warfare operations and lawful self defence.[13] Understandably, scholars opine that cyber warfare poses unique challenges to contemporary jus ad bellum– the body of law governing legitimate use of force.[14] It is also difficult to ‘attribute’ wrongful acts commissioned by states in the existing framework of international law.[15] Uncertainty over applicability of decisions of landmark cases such as the Nicaragua case[16] that decided issues of attribution and state responsibility, to cyberspace is also a cause for concern.[17]

Further, the absence of an international cyberspace law or a cyber security treaty is the most evident limitation on achieving international regulation in cyber space. Consequently, the Tallinn manual which is a non-binding body of personal opinions has been criticized for being premature and undesirable when no universally acceptable cyber security norms exist.[18] Despite the criticism leveled against it, academic collaboration akin to the one that resulted in the publication of the Tallinn Manual is necessary alongside policy deliberations to consider the exact application of international law to conflicts in cyberspace.

Way Forward

The Tallinn Manual 1.0 attempted to “delineate the threshold dividing cyber war from cybercrime and formalize international rules of engagement in cyber space”.[19] It did so by laying down 95 ‘black-letter rules’, focused on codifying principles applicable to cyber-attacks that qualified as armed conflict, an effort that needs to be continued.  Thus, the second iteration to the Tallinn Manual, the Tallinn Manual 2.0, aims to explore peacetime principles[20] such as sovereignty, jurisdiction, state responsibility and intervention in the context of borderless cyberspace.

With the International Court of Justice confirming[21] that use of force provisions in the UN charter apply regardless of the weapon used,[22] customary international law assumes a prominent position in construction of a safer cyber landscape and must be deliberately studied. The NATO Cooperative Cyber Defence Centre of Excellence has in the past, specifically requested cooperation from India to counter growing cyber threats.[23] India must be invested in building international cyber security cooperation and participate in any future negotiations that seek to formulate cyber warfare regulations.

Read more:

  1. What constitutes “attack” in the cyberspace: http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (Page 35-37)
  2. Contextualizing Tallinn Manual’s definition of “attack”: http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace
  3. US policy on cyber warfare (though not related to the manual, makes for an informative read on how States employ International Law in cyberspace): http://www.state.gov/s/l/releases/remarks/197924.htm

[1] Michael N Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press) (2013)

[2] Jacques Hartmann, The Law of Armed Conflict: International Humanitarian Law in War, 80 Nordic Journal of International Law 121-123 (2011)

[3]International Telecommunication Union & World Federation of Scientists, The Quest For Cyber Confidence (2014), http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (last visited Aug 24, 2015)

[4] Knut Dörmann, Computer network attack and International Humanitarian Law, Cambridge Review of International Affairs (2001)

[5] The law governing the use of force comprises of the 1899 and 1907 Hague Conventions, the 4 Geneva Conventions supplemented by Additional Protocols of 1977, as well as customary law and State practice

[6]EJIL: Talk! – The Tallinn Manual on the International Law applicable to Cyber Warfare Ejiltalk.org, http://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/ (last visited Aug 24, 2015)

[7]Id.

[8]A Call to Cyber Norms Discussions at the Harvard-MIT–University of Toronto Cyber Norms Workshops, 2O11 and 2O12, https://www.americanbar.org/content/dam/aba/uncategorized/GAO/2015apr14_acalltocybernorms.authcheckdam.pdf (last visited Aug 24, 2015)

[9] Supra N. 3

[10] Incoming: What Is a Cyber Attack? SIGNAL Magazine, http://www.afcea.org/content/?q=incoming-what-cyber-attack (last visited Aug 25, 2015)

[11]Kilovaty, Ido. “Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare.” National Security Law Brief 5, no. 1 (2014): 91-124.

[12] Michael J. Norris, The Law of Attack in Cyberspace: Considering the Tallinn Manual’s Definition of ‘Attack’ in the Digital Battlespace, 5 Student Pulse (2013), http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace (last visited Aug 25, 2015)

[13] Ibid.

[14]Reese Nguyen, Navigating Jus Ad Bellum in the Age of Cyber Warfare, 101 Cal. L. Rev. 1079 (2013). Available at: http://scholarship.law.berkeley.edu/californialawreview/vol101/iss4/4

[15] The Attribution Problem in Cyber Attacks – InfoSec Resources, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/ (last visited Aug 25, 2015)

[16] Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States of America); Merits, International Court of Justice (ICJ), 27 June 1986, available at: http://www.refworld.org/docid/4023a44d2.html [accessed 25 August 2015]

[17] Peter Margulies, Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility, 14 Melbourne Journal of International Law (2013), http://www.austlii.edu.au/au/journals/MelbJIL/2013/16.html (last visited Aug 25, 2015)

[18]Is The Tallinn Manual On The International Law Applicable To International Cyber Warfare Attacks And Defence | Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI) Perry4law.org, http://perry4law.org/cecsrdi/?p=453 (last visited Aug 24, 2015)

[19] D. Fleck, Searching for International Rules Applicable to Cyber Warfare–A Critical First Assessment of the New Tallinn Manual, 18 Journal of Conflict and Security Law 331-351 (2013)

[20]Tallinn 2.0: cyberspace and the law Aspistrategist.org.au, http://www.aspistrategist.org.au/tallinn-2-0-cyberspace-and-the-law/ (last visited Aug 24, 2015)

[21] Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, I.C.J. Reports 1996, p. 226, International Court of Justice (ICJ), 8 July 1996, available at: http://www.refworld.org/docid/4b2913d62.html [accessed 25 August 2015]

[22] Michael Schmitt, Cyberspace and International Law: Penumbral Mist of Uncertainty, 126 Harvard Law Review (2012)

[23] The Hindustan Times, Help counter cyber threats from China: NATO to India, 2011, http://www.hindustantimes.com/world-news/help-counter-cyber-threats-from-china-nato-to-india/article1-743664.aspx (last visited Aug 24, 2015)

Wuzhen 2015: Evaluating China’s Competing Vision of the Internet

The 2nd World Internet Conference (WIC) was held in the town of Wuzhen in China from 16th-18th December, 2015. Organized by the Chinese government since 2014, the WIC is China’s attempt to present an alternate vision of internet governance, with its pitch for increased ‘cyber-sovereignty’. This is in contrast to the prevailing notion across the world that internet should be governed by a multistakeholder model. The WIC is part of China’s effort to establish a stronger presence in the internet governance sphere, with many in China likening Wuzhen to an ‘internet Davos’.

One of the ways the Chinese government is attempting to make its presence felt is by attracting high profile names to the WIC. The 2nd edition made news for the presence of Fadi Chehade, the ICANN CEO.  Chehade was also appointed to the High Level Advisory Committee of the WIC’s organizing Secretariat, a move that has come in for criticism from some quarters. He is among a list of appointees that include Jack Ma of the Alibaba group and Werner Zorn, the “father of the German Internet”. But the 2nd edition was notable for its absentees as much as it was for those who attended it. The resistance to an event like the WIC is based on China’s idea of cyber-sovereignty and fears of creating a walled internet that limits access to the internet based on jurisdiction.

In his speech at the opening ceremony of the WIC, Chinese President Xi Jinping- on whose account the conference was suddenly moved from October to December– reiterated China’s case for sovereign control of the internet. China has traditionally made the contested claim that the notion of sovereign control of the internet is based on the principle of sovereign equality, as enshrined in the UN Charter. This position is completely in opposition to the idea that all stakeholders should play an equal role in the governance of the internet given the historical role of the different stakeholders in the creation and development of the internet.

However, China’s claim to sovereignty over the internet is not without its supporters. For instance, the ITU Secretary General Zhao Houlin spoke at the WIC of the difference between internet governance which should involve all stakeholders and cybersecurity where states should play a dominant role. This is also consistent with ITU’s position as a multilateral institution which facilitates inter-state discussions on issues like cybersecurity.

On the issue of cybersecurity, China’s position is on firmer ground. The Outcome Document of the recently concluded WSIS 10-year review, points to the consensus among States of the ‘leading role’ played by States in cybersecurity matters. The High Level Meeting of the WSIS Review which happened at the same time as the WIC presented the best evidence of this position. Countries from across the board pushed for language that reiterated the central role of States in cybersecurity issues, rejecting suggestions for a more human rights compatible approach that took on board other stakeholders. Thus, the opposition to China’s push for greater prominence in the internet sphere is not based merely on its support of cyber-sovereignty.

Rather, the resistance stems from a deeper of mistrust of China based on the government’s domestic stranglehold over the internet. Activists have long protested China’s blocking of many popular services like Google, Facebook and Twitter which continue to remain unavailable in China. Ironically, it has been reported that international participants of the 2nd WIC were surreptitiously given access to these sites through special devices and ‘cheat codes’.

Yet, commentators are divided over whether the wider international community must engage with an event like the WIC. Some advocate a healthy scepticism towards China’s own policies, but point to the benefits of engaging directly with the Chinese government on what is meant to be an international platform for internet governance. Others argue that despite the marginal benefits of engaging with China, large scale attendance of the WIC would grant legitimacy to the arguably repressive policies Chinese government.

Criticism notwithstanding, China is committed to making WIC a platform where a competing vision of internet governance can gain traction. Whether this actually happens depends on 1) how open and accessible the next editions of the WIC are to the wider internet community; and 2) how willing the Chinese government is to engage in other internet governance fora that are more multistakeholder than multilateral. China has already succeeded in similar initiatives in other issue domains like trade where it hosts an annual trade fair that is widely attended. Appointing a High Level Advisory Board comprising of the CEO of a multistakeholder institution like ICANN and an internationally well regarded figure like Jack Ma (who is part of the coordination council of the NetMundial initiative) seems like a step in the right direction. It remains to be seen if this will lead to other such moves or if the WIC will be confined to a corner of the internet governance map.

Lessons from Busan: Report on the 1st Young ICT Leaders’s Forum

The author was one of 35 international participants selected by the ITU and the city of Busan to attend this event.

The three day Young ICT Leaders’ Forum jointly organised by the city of Busan, South Korea and the International Telecommunications Union came to a close on Friday, the 11th of December. The forum was attended by young professionals in the ICT Sector from over 30 countries. Pursuant to a commitment made by the city of Busan as the host of last year’s ITU Plenipotentiary conference, the event sought to inform the next generation of ICT policymakers from around the world. The first two days featured presentations by representatives of the Korean government and industry, and the ITU. Since the forum had a thematic focus on the Internet of Things(IoT), the third day involved field visits to IoT facilities around Busan.

Many of the Korean representatives made presentations of projects that were funded by the Creative Vitamins Project on Day 1. A joint initiative of the National Information Society Agency (NIA) and the Ministry of Science, ICT and Future Planning, the Creative Vitamins Project is funding upto 50 projects in the IoT space in the next 2 years. The projects presented (at various stages of completion) included smart cars, aerial drones that monitored illegal fishing, smart electric grids, healthcare IoT technologies and smart factories. The smart car presentation was particularly useful. As a technology that is close to being a commercial reality, the presentation of Su-Jin Kwag of KATECH was particularly useful in mapping the government, industry and policy inputs that went into the completion of this project.

Day 2 kicked off with a keynote address by Mr. Houlin Zhao, the Secretary General of the ITU. He noted the critical role IoT can play in the realisation of Sustainable Development Goals (SDGs). The day also featured presentations from other ITU representatives on ITU’s activities in the Asia-Pacific region. In the second half of the day, participants discussed ICT policy challenges in their respective countries. The author had the chance to rapporteur one of the breakout groups.

Though many of the participants worked in technical areas, they were acutely aware of the policy and governance challenges that affected their work. Access, human rights and government corruption were issues that came up repeatedly in these discussions. Ms. Xiaoya Yang led the interactive session and along with representatives of the Korean industry provided valuable feedback on the outcomes of the breakout session. Through their feedback, they asked participants to focus on short and medium term solutions that can improve access to ICTs while being aware of long term, structural issues like corruption. They stressed the need for innovative thinking to overcome many of the challenges encountered by policy makers in developing countries.

On day 3, participants were taken on field visits to two centers of IoT research within Pusan. The first was the IoT Centre at the Pusan National University, where participants had the chance to interact with researchers working on cutting edge IoT research in healthcare, smart grids among other technologies. The second was the Hyundai factory in Ulsan which is almost entirely automated. Many of the production processes at the factory incorporated IoT technologies.

In addition to the above, the Forum afforded participants a chance to immerse themselves in Busan with cultural programmes and other social activities.

Cybersecurity Cooperation – India’s Latest Bilateral Arrangements

By Shalini S

The current Indian Government has continually offered significant strategic thrust to cybersecurity and related issues. In November 2015 alone, India established multiple collaborative partnerships that for cooperation in cybersecurity with various countries. This is a welcome move for the sector which continually presents advanced security challenges. There is a demonstrated interest in addressing this serious contemporary concern. In addition, efforts are being made to establish extensive cybersecurity cooperation to ensure protected cyber networks. The latest bilateral ties established by India to boost cybersecurity cooperation are elucidated below.

India and UK signed a first of its kind joint statement that will enable them to collaborate and jointly educate and train its cybersecurity professionals. Together, the countries are also slated to establish a cybersecurity training centre to enable dialogue and exchange of expertise. Additionally, the UK will also help setup a new cybercrime unit in India. This joint statement released after Prime Minister Narendra Modi’s visit to the UK closely follows the visit of UK’s first cybersecurity delegation to India in October 2015.

For the first time, India and China have also decided to establish ministerial mechanisms to effectively tackle transnational crime and specifically delineated cybercrime cooperation as a measure to boost security cooperation between the countries. The new high-level mechanism will be established under the home ministries of both the countries and will result in information exchange, law enforcement and technical capacity building to jointly combat cybercriminal activity. An official bilateral document endorsing this new security collaboration is yet to be signed.

A joint statement from Prime Minister Narendra Modi and his Malaysian counterpart released this week, revealed that their delegation-level consultations between the countries had resulted in the signing of a Memorandum of Understanding (MoU) aimed at strengthening cooperation on cybersecurity. As this MoU was signed between Indian Computer Emergency Team (CERT-IN) and CyberSecurity Malaysia (national cybersecurity agency), closer cooperation in cyber-policy evolution, technological expertise exchange and incident management can be expected.

Later in the same week, a similar agreement for bilateral cooperation and collaboration in cybersecurity measures was signed between CERT-IN and SingCERT (Singapore’s Computer Emergency Response Team). The MoU which envisions research collaborations, in the sector, between the two countries, also agreed to setup appropriate mechanisms to facilitate future dialogue on prevalent policies, best practice, bilateral consultations and real-time exchange of information and has established a broader framework of cooperation between the countries.

India’s recently established and renewed bilateral ties with these countries hinges on mutual sharing of information and best-practices, both critical in constructing a shared response to conspicuous cyber incidents. As these collaborations also come in the wake of joint commitment of India and US to strengthen cooperation on a range of cyber issues, India’s serious commitment in fostering multiple bilateral dialogues and cooperation on cybersecurity and related issues is apparent and must be lauded.

ICTs at BRICS 2015 Summit

The VII BRICS Summit recently concluded with the release of the 2015 Ufa Declaration.The entire declaration can be found here and the relevant excerpts related to ICTs are provided below.

33. ICTs are emerging as an important medium to bridge the gap between developed and developing countries, as well as to foster professional and creative talents of people. We recognize the importance of ICTs as a tool for transition from information to a knowledge society and the fact that it is inseparably connected with human development. We support the inclusion of ICT-related issues in the post-2015 development agenda and greater access to ICTs to empower women as well as vulnerable groups to meet the objectives of the agenda.

We also recognize the potential of developing countries in the ICT ecosystem and acknowledge that they have an important role to play in addressing the ICT-related issues in the post-2015 development agenda.

We recognize the urgent need to further strengthen cooperation in the areas of ICTs, including Internet, which is in the interests of our countries. In that context, we decided to constitute a BRICS working group on ICT cooperation. We reiterate the inadmissibility of using ICTs and the Internet to violate human rights and fundamental freedoms, including the right to privacy, and reaffirm that the same rights that people have offline must also be protected online. A system ensuring confidentiality and protection of users’ personal data should be considered.

We consider that the Internet is a global resource and that states should participate on an equal footing in its evolution and functioning, taking into account the need to involve relevant stakeholders in their respective roles and responsibilities. We are in favour of an open, non-fragmented and secure Internet. We uphold the roles and responsibilities of national governments in regard to regulation and security of the network.

We acknowledge the need to promote, among others, the principles of multilateralism, democracy, transparency and mutual trust, and stand for the development of universally agreed rules of conduct with regard to the network. It is necessary to ensure that UN plays a facilitating role in setting up international public policies pertaining to the Internet.

We support the evolution of the Internet governance ecosystem, which should be based on an open and democratic process, free from the influence of any unilateral considerations.

34. Information and communications technologies provide citizens with new tools for the effective functioning of economy, society and state. ICTs enhance opportunities for the establishment of global partnerships for sustainable development, the strengthening of international peace and security and for the promotion and protection of human rights. In addition, we express our concern over the use of ICTs for purposes of transnational organized crime, of developing offensive tools, and conducting acts of terrorism. We agree that the use and development of ICTs through international cooperation and universally accepted norms and principles of international law is of paramount importance in order to ensure a peaceful, secure and open digital and Internet space. We reiterate our condemnation of mass electronic surveillance and data collection of individuals all over the world, as well as violation of the sovereignty of States and of human rights, in particular, the right to privacy. We recognize that states are not at the same level of development and capacity with regard to ICTs. We commit ourselves to focus on expanding universal access to all forms of digital communication and to improve awareness of people in this regard. We also stress the need to promote cooperation among our countries to combat the use of ICTs for criminal and terrorist purposes. We recognize the need for a universal regulatory binding instrument on combating the criminal use of ICTs under the UN auspices. Furthermore, we are concerned with the potential misuse of ICTs for purposes, which threaten international peace and security. We emphasize the central importance of the principles of international law enshrined in the UN Charter, particularly the political independence, territorial integrity and sovereign equality of states, non-interference in internal affairs of other states and respect for human rights and fundamental freedoms.

We reaffirm the general approach set forth in the e’Thekwini and Fortaleza Declarations on the importance of security in the use of ICTs and the key role of the UN in addressing these issues. We encourage the international community to focus its efforts on confidence-building measures, capacity-building, the non-use of force, and the prevention of conflicts in the use of ICTs. We will seek to develop practical cooperation with each other in order to address common security challenges in the use of ICTs. We will continue to consider the adoption of the rules, norms and principles of responsible behavior of States in this sphere.

In that context, the Working Group of Experts of the BRICS States on security in the use of ICTs will initiate cooperation in the following areas: sharing of information and best practices relating to security in the use of ICTs; effective coordination against cyber-crime; the establishment of nodal points in member-states; intra-BRICS cooperation using the existing Computer Security Incident Response Teams (CSIRT); joint research and development projects; capacity building; and the development of international norms, principles and standards.”

Stepping up to Cyberspace

The post originally appeared on the Hindu on 23rd June 2015.

Cyberspace desperately needs an international legal regime, and India is well poised to offer a ‘zero draft’

In 1960, the summer issue of the American Journal of International Law carried news from Delhi on the setting up of an institution to pursue foreign policy research: the Indian Society of International Law (ISIL). Prime Minister Jawaharlal Nehru would be the society’s patron, and V.K. Krishna Menon, then Defence Minister, its first president. The journal even reported minutes of ISIL’s first meeting, which dealt with unusual subjects for that time — international arbitration, the advisory jurisdiction of the International Court of Justice (ICJ), and maritime law. India was just finding its feet in the world, buffeted by an unstable neighbourhood. State-investor disputes were nowhere in the picture, and the UN Convention on the Law of the Sea was decades away. As for the ICJ, it would be years before the government warmed up to the institution.

THJVN_CYBER_2448382f

In promoting ISIL and its crystal gazing, the Indian establishment was tipping its hat to a rule-based international order: one that could be called on to address future challenges. Only a clutch of international organisations served as custodians of new treaties, and India, conscious of their growing relevance, invested considerable diplomatic resources in them. Multilateralism has come a long way since, with greater diversity in the topics on the table as well as the negotiators around it. India’s foreign policy institutions have, regrettably, failed to keep pace — ISIL today produces little cutting-edge research, while two key departments of the Ministry of External Affairs, Legal and Treaties, and Policy Planning and Research, have been largely sidelined. The next frontiers in foreign policy have appeared on the horizon, but the Indian state is far from ready to address them.

The government’s failure to adapt to changing circumstances is perhaps most pronounced in its approach towards Internet diplomacy. India’s negotiating line on cyberspace stems, correctly, from the view that the Internet is a “global commons” — analogous to outer space or the high seas, which are shared resources managed equally by all governments. However, the Internet’s “critical infrastructure”, which comprises the Domain Name System (DNS) and Internet Protocol (IP) addresses, is already governed through an elaborate arrangement. The current Internet governance model is U.S.-centric, and the Indian government has been calling for a radical overhaul of this model to a more “equitable” one. There is merit in this idea. Emerging economies like India are greatly invested in the security and commercial accessibility of cyberspace. It is not realistic, however, to expect the U.S. government to cede control of cyberspace overnight. Moreover, the biggest drivers of change and instability on the Internet are non-state actors and India’s statist approach to the problem, mooting a UN Committee to address Internet policies, does not find much appeal abroad.

Code of conduct in cyberspace

India may lack the technological firepower to pull its weight, but it can nevertheless play a leading role in cyberspace diplomacy. Rules of engagement on the Internet by governments and non-state actors are yet to be articulated. Chinese hackers today sit on troves of U.S. federal employees’ data, while the German Bundestag was recently attacked by Trojan viruses reportedly emanating from Russian agencies. Counter-measures mostly happen under the radar, because governments are not sure what constitutes a “proportional” response to a cyber attack. As a result, the strategic environment in cyberspace is highly volatile. Currently, the only source of international guidelines on “cyber warfare” is the Tallinn Manual, a document that was put together by Western experts under the aegis of NATO. The manual merely superimposes principles of international law onto cyberspace, and is not particularly sensitive to the difficulties in attributing a cyber attack to a state agency. Questions such as what constitutes an “attack” have been evaluated along the parameters set for conventional weapons, which are hardly comparable. For instance, the Tallinn Manual does not classify the gathering of information by hacking into a database as an attack, but as an act of “espionage”, although the damage could potentially be irreversible.

Given the dire need for a code of conduct in cyberspace, India can help steer the debate in three modest ways. First, New Delhi should host an international conference to build on, and replace, the Tallinn Manual with a binding treaty on the law of cyber warfare. Participating states should be encouraged to include technical experts, businesses, and academia in their delegations. Second, India must push for an international court to prosecute transnational cyber crimes, which would have the jurisdiction to try both state and non-state actors. The judicial process of unearthing evidence and the examination of witnesses and officials will be critical to building jurisprudence on the subject.

Last, the Indian government should promote attempts to create an international data protection law that facilitates quick information-sharing with multinational companies which do not host domestic servers. New Delhi has called for precisely such a treaty at the recently concluded annual session of the UN Commission on Science and Technology for Development in Geneva. India’s Internet diplomacy will be keenly watched. Cyberspace desperately needs an international legal regime, and India is well poised to offer a “zero draft” — diplomatic jargon for the starting text of any negotiation — that acknowledges both its burgeoning digital economy and its constitutional commitment to free speech and expression.

(Arun Mohan Sukumar is a Senior Fellow at the Centre)

The Deadly New Age War

The post originally appeared on the Hindu on 23rd June 2015.

By Saikat Datta

Without a single shot fired or a drop of blood spilled, an entire country can be crippled. That is cyber warfare, and the government must start working right away to combat the new enemy

In late 2006, the U.S Department of Defence detected a major breach in their computer systems leading them to believe that their $337 billion F-35 Joint Strike Fighter (JSF) programme had been compromised. Investigations that started at Pentagon, the department headquarters, revealed that the breach had taken place far away from HQ.

The JSF programme, claimed to be producing one the world’s most advanced combat aircraft, was primarily being developed by the private defence contractor Lockheed Martin, along with many sub-contractors. While the companies were busy meeting deadlines, no one had noticed a deliberate Computer Network Exploitation (CNE) attack that had taken place on their premises.

Unlike the spies of the Cold War era, when collaborators would provide access to secret documents to physically copy and photograph documents, the new age spies didn’t need any physical access. Working over the Internet thousands of miles away, they sucked out thousands of secret documents, jeopardising one of the most secret programmes under development by the U.S military.

NEED FOR STRENGTHENING: “Every sector that depends on computer networks has suddenly been left extremely vulnerable.” Picture shows a team competing in the CTF contest at DEFCON, one of the world’s largest annual hacker conventions, in Las Vegas. — PHOTO: NATE GRIGG, CC 2.0

NEED FOR STRENGTHENING: “Every sector that depends on computer networks has suddenly been left extremely vulnerable.” Picture shows a team competing in the CTF contest at DEFCON, one of the world’s largest annual hacker conventions, in Las Vegas. — PHOTO: NATE GRIGG, CC 2.0

Clearly, the nature of the new threat had established that the boundaries that needed to be defended were no longer housed within the walls of a seemingly secure government facility. Instead, they were now far beyond the government’s secure facilities and at places where such an attack was least expected.

In 2007, Estonia, a tiny former Soviet republic, faced one of the most debilitating attacks in modern times. No shots were fired and no tanks rolled across its border. Instead, anonymous hackers, suspected to be operating from Russia, launched a massive cyber-attack on its information systems and brought critical infrastructure sectors such as banking and power to a grinding halt. For three days, the country faced chaos. Systems refused to re-start and ATMs refused to dispense cash, as the financial architecture, based on millions of lines of code, had crashed. The attack, known as a Deliberate Denial of Service (DDoS), had proved what modern warfare could achieve without any blood being spilled.

The attack on Lockheed Martin and Estonia revealed the extent of vulnerability of the systems that operated some of the most critical sectors in a country. From defence to energy, power, aviation and law enforcement, every sector that depended on computer networks was suddenly left extremely vulnerable. This realisation led to the identification of several areas to be designated as “Critical Information Infrastructure” (CII) that would need a slew of measures to be strengthened against future threats.

India’s slow response

The last decade has witnessed a slow but steady realisation within the Indian government that the threats of the future will come from cyberspace. Unfortunately, while the realisation exists, the Indian security establishment has not been jolted into action in the manner in which the Kargil war or the 26/11 terrorist attack on Mumbai galvanised the nation to adopt a series of corrective measures. In 2008, when the Information Technology Act 2000 was amended, the introduction of Section 70A and 70B went largely unnoticed in policy circles.

Article 70A mandated the need for a special agency that would look at designated CIIs and evolve practices, policies and procedures to protect them from a cyber attack. But the then United Progressive Alliance government took another six years to create such an agency. On January 16, 2014, the Department of Information Technology (DIT) issued a notification announcing the creation of a specialised body to protect India’s CIIs. The National Critical Information Infrastructure Protection Centre (NCIIPC) was created and placed under the technical intelligence agency, the National Technical Research Organisation, to roll out counter-measures in cooperation with other security agencies and private corporate entities that man these critical sectors.

Unfortunately, since 2014, there seem to have been few moves to establish the mandate of the government’s 2014 notification. A “critical sector” has been defined under the notification as “sectors that are critical to the nation and whose incapacitation or destruction will have debilitating impact on national security, economy, public health or safety”.

The government has identified 12 sectors that fit the bill and can be covered under the NCIIPC project as mandated by Section 70A of the amended IT Act. These range from energy to power, law enforcement, aviation, banking, critical manufacturing, defence and space. While several of them are housed within the government, sectors such as energy and power are manned by the private sector. While the overarching guidelines for the protection of CIIs were issued by the government in May 2012, the sectors still lack specific guidelines that will address their peculiar challenges in cyberspace.

A joint responsibility

When the U.S government was grappling with its cyber security challenges, there was a clear realisation that it did not have the wherewithal or the scope to protect all the critical sectors. It realised that it needed to work closely with the private sector manning these sectors to establish a foolproof defence system. That was only possible if both sectors — government and private — agreed to come together and establish joint mechanisms to ward off future attacks. This was possible in principle, but in reality, it was a bigger challenge than what most people had anticipated.

The biggest issue on both sides was the lack of trust. The government was essentially a regulator, while the private companies sought as little control as possible. It took several years for both sides to evolve before they could work together, building trust and joint mechanisms to protect each other.

In India, there should be a proliferation of similar efforts at every level led by the NCIIPC. It needs to take the lead, as mandated by the DIT notification to assist in the “…development of appropriate plans, adoption of standards, sharing best practices, and refinement of procurement processes in respect of protection of Critical Information Infrastructure”. This will mean sitting together to conduct joint exercises, map vulnerabilities, build counter-measures and achieve a synergy that it is currently lacking. For a nation that seeks to achieve Prime Minister Narendra Modi’s vision of ‘Digital India’ and ‘Make in India’, the clock is already ticking away. Any delay now will only lead to disastrous consequences.

(Saikat Datta is a Senior Fellow at the Centre)