A quest for order amid cyber insecurity

A quest for order amid cyber insecurity

By, Syed Akbaruddin has served as India’s Permanent Representative at the United Nations

Cyber-attacks both by state and non-state actors

• Cyber-attacks amidst this pandemic has grown tremendously. In one week in April 2020, reportedly, there were over 18 million daily malware and phishing emails related to COVID-19 monitored by a single email provider, in addition to more than 240 million COVID-19-related daily spam messages.
• Twitter hackers collected $120,000 in full public gaze, while a “ransomware” target in California quietly paid 116.4 bitcoins or $1.14 million.
• There is also concern about the role of states.
• Australia mentioned of attacks by a state actor. China has been accused of hacking health-care institutions in the United States working on novel coronavirus treatment.
• The United Kingdom has warned of hackers backed by the Russian state targeting pharmaceutical companies conducting COVID-19 vaccine research.
• The ban on specified Chinese Apps, on grounds that they are “engaged in activities prejudicial to the sovereignty and integrity of India” adds another layer of complexity to the contestation in cyberspace.

New niche

• Like global public health, cybersecurity is a niche area, left to experts.
• A better understanding of the global cyberspace architecture is required.

No global commons

• Borderless cyberspace, as a part of the “global commons” does not exist.
• It is an illusion that connectivity across national boundaries nurtured.
• The Internet depends on physical infrastructure that is under national control, and hence is subject to border controls too.
• Each state applies its laws to national networks, consistent with its international commitments.
• States are responsible for cybersecurity, enforcement of laws and protection of public good.
• States are responsible for their actions, as well as for actions taken from within their sovereign territory.
• The infrastructure on which the Internet rests falls within jurisdictions of many states with differing approaches.
• Cyberspace has multiple stakeholders, not all of which are states. Non-state actors play key roles — some benign, some malignant.
• Many networks are private, with objectives differing from those of states.
• We are at an incipient stage of looking for “cyber norms” that can balance the competing demands of national sovereignty and transnational connectivity.

Gaps in current processes

• It was in 1998 that Russia inscribed the issue of information and communications technologies (ICTs) in international security on the UN agenda.
• Since then six Group of Governmental Experts (GGE) with two-year terms and limited membership have functioned — the most on any issue at the United Nations.
• In addition, an Open-Ended Working Group (OEWG) began last year with a broadly similar mandate, but open to all.
• The discussions are narrowly focused in line with the mandate of the forum that set it up.
• Issues such as Internet governance, development, espionage, and digital privacy are kept out.
• While terrorism and crime are acknowledged as important, discussion on these has not been focused on, as ostensibly best done in other UN bodies.
• The net result of the UN exercise has been an acceptance that international law and the UN Charter are applicable in cyberspace; a set of voluntary norms of responsible state behaviour was agreed to in 2015.
• UN Secretary General António Guterres’s recent report, “Roadmap for Digital Cooperation”, gently calls for action.
• A few confidence building measures may follow. However, short of a cataclysmic event, these processes do not hold much hope in the current geopolitical circumstances.

More engagement needed

• Generally the growth of technology is way ahead of the development of associated norms and institutions.
• Despite the digital divide, the next billion smart phone users will include a significant number from India.
• We have a very active nodal agency for cybersecurity in the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology.
• India has had representatives on five of the six GGEs.
• We participate actively at the OEWG.
• The Shanghai Cooperation Organisation, of which we are a member, voiced support for a code of conduct.
• India joined the Christchurch Call which brought together countries and companies in an effort to stop the use of social media for promoting terrorism and violent extremism.

Way ahead

• Domestically, we need the clarity that adoption of a data protection legislation will bring.
• Globally, we need to partake in shaping cybernorms.
• Acceding to the Budapest Convention, or Convention on Cybercrime of the Council of Europe (CETS No.185), which started as a European initiative but has attracted others, is an option that we should examine.
• We need to encourage our private sector to get involved more in industry-focused processes such as the Microsoft-initiated Cybersecurity Tech Accord and the Siemens-led Charter of Trust.
• Engagement in multi-stakeholder orientations such as the Paris Call (for trust and security in cyberspace) can help.