Prime Minister Narendra Modi concluded his fourth visit to the US recently, one in which he had significant discussions on cyber security cooperation with President Barack Obama. This was possibly the last such meeting before Obama demits office later this year. These discussions endorsed a factsheet that should result in the signing of the framework for the US-India cyber relationship in the next two months. Not that India and the US have not engaged on cyber issues in the past; they started after the historic meeting between Prime Minister Atal Bihari Vajpayee and President George W. Bush in November 2001. However, engagement over the last 15 years has remained confined to statements of intent and some exchange programmes, with meaningful success being achieved only on the sensitisation of Indian law enforcement to the American way of dealing with cyber issues. A so-called spying incident involving officials from both sides derailed the process in the early years, but real momentum was regained since the Modi government took office in May 2014.
While the US was definitely enthused about the announcement of the National Cyber Security Policy (NCSP) in May 2013 by India, nothing actually moved forward. Rather, nagging issues around the security of telecom equipments, mostly from that country, dogged the relationship then and India’s posture on internet governance mechanisms stood in the way of active engagement. When India proposed a 50-nation committee on Internet Related Policies for the management of cyberspace issues at the 66th session of UN General Assembly in October 2011, it came in direct opposition to a US-led effort that was aimed at fostering a multi-stakeholder approach.
Over the next couple of years, the primary engagement between India and the US remained focussed on how this divergent approach could be bridged. Even the Indian government was conscious of the realities of the fast emerging internet ecosystem: the inherent impact of the internet economy was closely addressed by the Modi government. Based on the recommendations of a committee of three senior cabinet ministers, India finally announced its support to the multi-stakeholder model in August 2015.
Coincidentally, in the same month, Indian and US officials also routinely met in Washington at the whole-of-government Cyber Dialogue to discuss enhanced cyber security information sharing, cyber incident management and cyber security cooperation in the context of ‘Make In India’. Talks also addressed internet governance issues and norms of state behaviour in cyberspace. This engagement more or less set the roadmap for further cooperation, which is being concluded via the framework that is to be signed.
Needless to say, India needs the US on many counts in order to build up an optimal cyberspace ecosystem, bolster cyber security across sectors and most importantly, build critical infrastructure. The NCSP listed 14 broad points to build up India’s cyber ecosystem but remained almost entirely unimplemented until the Modi government created the office of the national cyber coordinator and appointed him in April 2015. With the institutional framework in place, a roadmap with a budget has been made functional but there is lot to be done in order to reach an acceptable level. With the fast and steady pace of the Internet of Things regime, there will be a lot of catching up to do so. It is here that the US can help with capacity building in the areas of research and dealing with incidents as well as their mitigation. Similarly, cooperation on the law enforcement front has to be much more open and prompt.
Internet governance and cyber security
However, the bigger role for the US will be to carry India to the high table of all internet governance initiatives and cyber security leadership. As the global community at various levels strives to find a globally acceptable working model for internet governance and cyber security, India has to be on the right side of things.Notwithstanding India’s software prowess, the size of the the Indian economy and the page of digital growth within the country and that growth’s ability to enhance democracy make our country an important stakeholder. It was quite enigmatic that India was not included in the fourth Group of Governmental Experts (GGE) under the aegis of the UN, where 20 nations deliberated and laid out the ‘norms, rules and principles for the responsible behaviour of states’ after significantly contributing in the second and third GGE. Needless to say keeping a nation with the second largest population of Internet users in the world out of such a forum doesn’t help the cause of greater integration.
The larger realisation would be for both countries to strategically shape the management of cyberspace infrastructure and any other future issues. As the US plans to transition the management of the Internet Corporation for Assigned Names and Numbers in the next few months to the global community, it will be logical for India to be seen as active in the new ecosystem. As states, non-state actors and related vested interests up their game to destabilise the medium and push for its fragmentation, India and the US have to set the stage for more cohesive and open cyberspace engagement so that all tendencies for the Balkanisation of the internet are nullified.
Sooner than later, a decision will have to be taken on the applicability standards of international law to state conduct in cyberspace, and as there is currently no clear global understanding of this, it will be imperative to harmonise and agree to a common threshold. Extensive engagement has to be fostered to set and implement voluntary norms of responsible state behaviour in peacetime, including those envisaged by the fourth GGE. Engaging with China on cyber security, online espionage and theft of intellectual property will also be crucial to for both countries. Similarly, both need to engage with European institutions on data movement and protection.
As both countries move towards more engaging defence cooperation, much of the technology in focus will have dual use and hinge heavily on cyber technology. Already, the Defence Technology and Trade Initiative enshrines co-development and co-production of equipment, both of which involve technology that should be more easily available to Indian entities where absorption capacity is in place. The bilateral High Technology Cooperation Group should encompass much larger areas to facilitate more access to US technologies. At the same time, the right capacity building has to be initiated on the Indian side. If these two premises are indicators, the pace of progress has been slow and a smooth working relationship is yet to materialise. Clearly India’s track record in maintaining the sanctity of critical technologies can guide this process.
So while the intent exists to forge a strong partnership on cyberspace issues, there is much groundwork to do to actually build trust and move forward together. As the final touches are given to the framework, there is the wider scope to focus on the strengths of this relationship and implement shared principles in a time-bound manner.
Subimal Bhattacharjee is former country head of General Dynamics in India and currently a member of the Research Advisory Network (RAN) of the Global Commission on internet governance. The views expressed in this article are personal.