New Delhi: India has kicked off a process that will pick up the pieces from a set of decade-old United Nations cyber-warfare negotiations that failed earlier this year after several countries disagreed over the question of whether self-defence rights should be explicitly recognised when responding to state-sponsored cyber attacks.
According to people with direct knowledge of the matter, a committee has been formed under India’s National Security Council Secretariat (NSCS) to specifically “suggest policy and strategy for India for development and negotiating of cyber norms”.
Sources tell The Wire that the committee – which held its first meeting in the last week of August – will be headed and guided by Asoke Kumar Mukerji, India’s former permanent representative to the UN. The committee also multi-stakeholder representatives with former deputy national security advisor Arvind Gupta also participating.
UN GGE failure
Over the last 17 years, the cyber-oriented group of governmental experts (GGE) has, through various editions and rounds, deliberated on an international legal framework for governing cybersecurity while hashing out cyberspace norms for nation-states.
The 2016-2017 group was tasked by the UN general assembly to study “existing and potential threats in the sphere of information security”, with emphasis on the “norms, rules and principles of responsible behaviour of states”.
These talks broke down a few months ago, in June 2017, after countries such as Cuba (and reportedly Russia and China) vehemently opposed three major additions to a list of cyber-relevant legal principles and rules that had been agreed to by an earlier edition of the GGE in 2015.
The three contentious additions, to a certain extent, centre around how nation-states should respond to state-sponsored cyber-attacks. One, should countries have the right to respond to internationally wrongful acts (or in other words, countermeasures or counter responses)?
Addition number two deals with how international humanitarian law should apply to cyberspace. And contentious issue number three revolves around the right to self defense.
Cuba’s explanation for its opposition asserts that the GGE draft report’s text “aimed to establish equivalence between malicious use of ICTs and the concept of ‘armed attack’ as provided for in Article 51”.
Experts, however, write that these concerns stem from more cynical self-interests. For instance, China, Russia and others likely believe that a potential right to self defence will undermine “asymmetric advantages which states that do not enjoy conventional superiority over their adversaries may have in cyberspace”. Therefore, Russia may be concerned that its state-sponsored cyber attacks against the US could invite retaliation of the kind that would generally be reserved for a conventional armed attack.
As Exeter University professor Mike Schmitt put it, “Perhaps [for Russia, China and Cuba].., the answer is legal-operational in the sense that they want to deprive the west of a legal justification for responding to hostile cyber operations that they themselves launch.”
Multiple senior government officials told The Wire that it could be in the country’s best interest to acknowledge an express affirmation of a right to self-defense, giving way, as it would, for an option to respond to potential Pakistani or Chinese cyber hostilities through conventional means.
Over the 18 months, two officials say that a handful of agencies involved with cybersecurity operations have detected at least four significant cyberattacks that appear to have state-sponsored origins. The Wire could not independently confirm the nature of each attack but has learnt that one involved Indian entities in charge of regional security (reported by Reuters two weeks ago) while another was aimed at large Indian telecommunications company. None of the cyber-incidents resulted in significant damage and were swiftly taken care of.
“The question is how you translate knowledge of these attacks into diplomacy and work on it with the help of with other countries. Some attacks can merely originate in a third-party country and may or may not have been conducted with the knowledge of the foreign government in question. Cyber norms help here,” a senior CERT-In official told The Wire.
It’s unclear at this point whether the Mukerji-led study group – which includes representation from the defence and IT ministries as well as Indian industry – will focus on the divisive issues that resulted in the UN GGE not putting out an outcome report.
The government note circulated to committee numbers acknowledges that “state actors have outsourced activity relating to cyber attacks to non-state actors” and that the “last 10 big cyber attacks in the world reflect this position”.
However, it also makes it clear that India has a unique opportunity to reflect on the “development dimensions of cyber norms”, placing emphasis on how it could be India’s unique contribution to the debate on global cyber norms.
“What we have found is that in the global negotiations, while important, there are very few principles that help us with our own digital development platforms. India is currently building technology infrastructure that are very important to its growth interests. How will this be protected? These issues will be deliberated within a national security framework and hopefully we will see acceptable norms as an outcome of this in three months,” a group member, who declined to be identified, told The Wire.
One example of such a digital platform that would be examined, sources say, would be the Aadhaar biometric authentication system.
In the last few weeks, security concerns over the Unique Identification Authority of India (UIDAI)’s contractors have been raised by WikiLeaks. According to the whistleblowing organisation, US-based Cross Match Technologies – a provider of biometric identity solutions that had received certification for the UIDAI – was leaking information to American intelligence authorities.
Committee members The Wire spoke to however insisted that it’s still early days to talk about the norms that India may formulate and also emphasised that the country wasn’t planning on giving up what had been achieved in the GGE so far.
“It’s very much just the first day right now. What we want to make clear is that the workings of this study group don’t undermine what the GGE has come up with so far or that India will not participate if the GGE continues. But what we are working towards is to position India as a leader for the development of global cyber norm policy,” another committee member, who declined to be identified, told The Wire.