Bridging the gap: Addressing international barriers to climate action projects in the developing world

ORF, Issue Briefs and Special Reports, Dec 12, 2017

Original link is here

this report is part of the Observer Research Foundation’s “Financing Green Transitions” series which aims to find potential linkages between private capital, in all its forms, and climate action projects. The series will primarily examine domestic and international barriers to private capital entry for mitigation oriented climate projects, while also examining potential avenues for private capital flow entry towards adaptation and resilience projects.

Read the series: Financing Green Transitions

Introduction

The fight against climate change is at an inflection point. Despite a myriad of actors attempting to ensure that the world is not left in a ruinous state for future generations, linkages between the release of greenhouse gases and the rise in global temperatures are still ignored by certain stakeholders. The cavalier attitude of these important actors has had a detrimental impact on the state of financial flows towards climate action projects especially in the developing world.

Box 1: The politics of climate finance flows

As discussed in an earlier issue brief in ORF’s Financing Green Transitions series, the industrialised nations of the world made a pledge under the 2015 Paris Accords to provide $100 billion in annual funding for climate action projects in developing countries. The developed world has yet to live up to its commitment, however, with estimates showing current annual flows totalling $50 billion. The apparent lack of commitment towards climate finance flows is not the sole area of concern. The politics behind the calculation and categorisation of this estimate remains a point of contention in the developing world.

While the language pertaining to the $100 billion of funding within the Paris Agreement is vague, what was envisioned at the inception of the funding conversation was a supplementary stream of financial flows. Many developed countries, however, have simply reallocated the funds within their development aid budgets in order to meet their obligations. This has had a significant detrimental effect on the achievement of important sustainable development goals across the world.

In addition to their supplementary nature, the flows were also intended to be unconditional in their original form. A closer examination of the numbers, however, shows that 25 percent of the $50 billion that is being provided, comes in the form of loans from multilateral development banks. Given that loans, by their very nature, must be paid back with interest, certain parties have protested their categorisation as “assistance” for climate action efforts. The feeling amongst some in the third world is that the $50 billion estimate is an exaggeration, bolstered by creative accounting and wilful incongruity.

While a shortfall in the funding pledges made to the developing world through public financing seems inevitable, ^[i] there remain possible avenues to make up for this deficit through the mobilisation of private capital. Yet, despite repeated demonstrations of the sizeable returns that can be reaped by funding climate action projects, ^[ii] the institutions overseeing much of the world’s private capital have been wary of making such investments in developing economies.

An examination of certain domestic hurdles preventing private capital investments in the developing world, has been conducted in the first part of this series. It is important, however, to also examine the impediments on a global scale. This issue brief, part of Observer Research Foundation’s Financing Green Transitions series, will examine the main international barriers dissuading private capital investment in climate action projects — namely institutional investor practices, foreign exchange risk, and international financial regulations.

International institutional investor practices

Any conversation pertaining to private capital flows for climate action projects, must begin with institutional investors. Institutional investors (a catch-all term for large asset managers such as pension funds and insurance companies) control close to $100 trillion of the world’s wealth, ^[iii] and are in many ways the key to unlocking private capital flows for climate action projects.

Given the various stakeholders they must answer to, institutional investors tend to be conservative in their investment approaches, which acts as a deterrent when attempting to steer cash flows towards climate action projects. An example of this can be seen in the cautious approach taken by institutional investors with regards to illiquid investments. ^[iv]Most of the private capital in the world lies in the hands of pension funds and insurance companies, who are encumbered with large annual liabilities in the form of pension obligations and insurance pay-outs. This limits the amount of exposure that such asset owners are willing to have towards large projects involving heavy capital expenditure in PPE ^[v] which tend to be largely illiquid as an asset class. Investors prefer to put their funds towards instruments that can be converted into cash quickly, such as bonds and equities.

The cautious nature of institutional investors is further manifested in their project evaluation criteria. Traditionally, institutional investors do not evaluate investments on a case by case basis, preferring to apportion their funds to asset managers who have the capacity and expertise to carry out the necessary analysis and due diligence. In order to invest in climate action projects, institutional investors have to either build up sector-specific expertise internally or divert their funds towards specialists with existing capacity. Building up internal expertise is a time consuming and expensive process, and the global marketplace has a dearth of financial intermediaries who specialise in climate action projects. The evaluation of the performance of financial intermediaries is also problematic, given the absence of extensive track records in the nascent industry ^[vi].

The conservative risk management practices of institutional investors often act as a barrier against climate action investments, as well. In order to diversify their risk portfolios, pension funds and insurances companies tend to invest across a variety of asset classes, with set limits for the proportion that can be allocated towards each sector ^[vii]. Climate actions projects, and more specifically renewable energy projects, tend to be classified under the energy or infrastructure sector, and as such are often crowded out by more traditionally accessible investments that institutional investors are familiar with.

This problem is exacerbated by the orthodox perceptions and attitudes of institutional investors with regard to climate action project and developing economies. Pension funds and insurance companies tend to have outdated views with regards to climate action projects especially with regards to technology risks, payment risk, and returns. Institutional investors also rely heavily on risk ratings to inform their investment decisions, which is problematic due to the unreliable metrics and evaluation methodology used to evaluate many climate action projects. Risk ratings are also often constrained by the sovereign debt rating of a country – in many cases a climate action project rating cannot be higher than the rating of the country, regardless of the financial viability of the investment.

Foreign exchange rate

While internal factors play a part in hindering international institutional investor flows, there are also external factors that must be considered. Amongst the largest hurdles for any investor attempting to invest in the developing world is the risk associated with domestic currency fluctuation. Climate action projects can be affected by foreign exchange risk during any stage of the value chain, but are especially vulnerable to risk in the post construction phase. To illustrate how foreign exchange risk can affect investors, it is perhaps best to take the example of a solar plant project.

A solar project starts with the purchase of the land on which the plant will be built. Unfortunately, in many developing nations, the property acquisition procedure is time consuming, with costly delays that can take months or even years to be resolved ^[viii]. Unexpected upticks in the foreign exchange rate during the land acquisition period can lead to significant variance in investor expense, with cost increases potentially reaching millions.

The acquisition of land is usually followed by the procurement of materials — namely photovoltaic panels. China holds a near monopoly in the manufacturing of solar panels, ^[ix]which means that investors have to factor in the possibility of fluctuations in the Reminbi, as well as the local currency. Foreign exchange risk associated with the purchase of solar panels is not limited solely to developing nations. Recently, investors in a solar plant in Cambridgeshire County had to account for a $645,000-increase in the cost of Chinese based panels as a result of the unexpected depreciation of the Pound, following the United Kingdom’s vote to leave the European Union. ^[x]

Putting aside the procurement of land and solar panels, foreign exchange risk continues to exist during other phases of a solar project – payments to local contractors, transport fees, and government levies must all be made in the local currency. The largest exposure to foreign exchange risk for international investors, however, is in the post construction phase. Barring certain exceptions, power purchase agreements delineate payments in local currencies, which leaves investors susceptible to foreign exchange risk for the length of the contract. The possibility of currency fluctuations over a long time frame nullifies one of the key attractive characteristics of a solar energy project — guaranteed, predictable cash flows over a fifteen to twenty year period.

Box 2: Real world example – Brazil’s currency crisis

In late 2014, Brazil awarded nine contracts to developers for the construction of 900 MWs of solar power. A global downturn in oil prices caused the value of the Brazilian Real to drop dramatically over the next two years. As a result of the currency depreciation, the contracts that were signed in 2014 generated 36-percent less revenue for developers by 2016. Eight of the nine investors ended up dropping out of the agreements, citing a lack of continued financial viability for the projects.

The unpredictability of the revenue flows can lead to severe consequences that affect more than just the status of the investment. Given the sizeable capital needed for a solar project, investors often have to borrow up to 70 percent of the start-up costs from banks. If currency fluctuations are dramatic enough, investors can face the possibility of defaulting on loan or interest payments, ^[xi] which can lead to ripple effects for an investor’s entire portfolio. The starkest example of the consequences of changes in the foreign exchange rate can be illustrated by examining the case of Brazil.

While foreign exchange risk is problematic for investors, it is not a new phenomenon and affects a number of sectors. It is important to note, however, that the electricity sector is more susceptible to the effects of currency fluctuation — they cannot raise prices or renegotiate the rates dictated under the power purchase agreements to cover potential losses. Additionally, financial methods available for the mitigation of foreign exchange risks for other sectors are not necessarily applicable for renewable energy or other climate action projects. One simple solution employed in certain sectors, for example, is to use domestic banks to procure loans in the local currency. As has been pointed out, however, long-term debt for climate action projects is not available in many developing economies. Alternative financial strategies which can hedge against currency risk in other sectors, are also not always viable for developing economy climate action projects. The expenses associated with such instruments can raise the interest rates charged by international banks by six to seven percent, ^[xii] making previously profitable projects unattractive.

International banking regulations

While internal practices and foreign exchange risk play a role in limiting private capital flows for climate action projects, the largest hurdle for green investments in developing countries comes in the form of international banking regulations. Due to the large capital requirements for climate action projects, up to 70 percent of start-up costs usually originate from bank loans ^[xiii]. The credit crisis of 2007-2008 has led to stricter controls being imposed on bank loans, making it more difficult for investors to access the funding needed to get a project off the ground. The problems that the norms cause for renewable energy investments can be explained by examining two of the three ratios dictating the amount of cash or near cash assets a bank must keep on hand — the capital requirement ratio and the liquidity coverage ratio.

Box 3: A brief overview of the Basel norms

The Basel norms were initially conceived in 1988, by the Basel Committee on Banking Supervision (BCBS)[1] as a mechanism designed to prevent banks from insolvency issues caused by defaults of risky assets. The norms required banks to keep a certain percent of its overall investment portfolio on hand in order to prevent the bank from going out of business in the case of widespread failure of loans and investments. These requirements proved to be insufficient during the credit crisis in the mid 2000’s to late 2000’s, however, leading to a renewed examination of international banking regulations and the subsequent release of a new version of the Basel norms. The latest iteration of these macro prudential regulations, referred to as Basel III, were introduced in 2011 with subsequent amendments added in 2013 and 2014.

A holdover from the previous version of the Basel norms, the capital requirement ratio dictates the amount of cash that a bank must keep on hand, by factoring in how risky the investment practices of the institution are. Each investment made by the bank is assigned a risk weighted percentage, depending on its characteristics – certain government bonds for example are considered to have almost no risk associated with them and are thus assigned 0 percent. The value of each investment is then multiplied by its risk percentage, after which all the values are collated to produce the bank’s Risk Weighted Average (RWA). According to Basel III, banks must keep between six to ten percent of the value of their RWA on hand ^[xiv].

The core function of private banks, like any other business, is to make a profit and any cash that they have to keep on hand to meet the capital requirement ratio cannot be invested in revenue related activities. Banks, therefore, have two options — reduce the amount of cash they have to keep on hand by making investments that are considered less “risky” or ensure that the returns they get from the “risky” investments are high enough to justify the increased cash they will have to keep on hand.

While investors view the capital requirement ratio as a hindrance, it is the addition of Liquidity Coverage Ratio (LCR) in the Basel norms that has caused the largest amount of consternation amongst institutional actors. Intended to act as a counter measure against the factors that caused the credit crisis of 2008, the LCR forecasts how a bank’s business operations would be affected by a large scale financial crisis. The projection assumes that the amount of cash received from investments will drop during the “stressed period” while the amount of cash extracted by customers will increase. The extent to which cash receivables are meant to drop and cash withdrawals are expected to increase is dependent on certain characteristics – for example, 10 percent of deposits made by individuals and small businesses are expected to be withdrawn. Large financial institutions, on the other hand, are projected to withdraw 100 percent of their deposits in a stressed scenario ^[xv]. In order to fulfil the requirements of the liquidity coverage ratio, banks must keep on hand cash or assets that can be easily converted into cash (referred to as High Quality Liquid Assets) to meet all obligations that might occur during a 30 day “stress period.”

The inclusion of the leverage coverage ratio in Basel III has had two major effects on banking lending processes. First, banks have started to show a preference for the types of deposits that are expected to have less of an effect on cash outflows during a financial crisis, such as small businesses. Secondly, banks have moved away from lending to long term projects in favour of more short-term liquid assets in order to meet the requirements of the liquidity coverage ratio.

The capital requirement ratio and the liquidity coverage ratio are problematic for investors attempting to access debt for investments in either climate action projects or developing countries. The high risk profiles assigned to both types of projects by the majority of rating agencies lead to a higher capital requirement burden for banks who pass the cost on by asking for significantly higher interest rates for any debt provided to climate action projects in developing countries.

The long life span and illiquid nature of climate action projects also impacts the liquidity coverage ratios of banks, leading to significantly higher interest payments on loans made to finance said projects. The high cost of international debt financing, combined with the inability to access debt from domestic banks in most developing economies, has had a considerable negative impact on climate action projects with certain analyses showing a 40 percent drop in institutional investor flows as a result of the implementation of Basel III ^[xvi].

The way forward

The international issues that have been discussed in this brief play a significant role in hindering private capital flows towards developing economies. The conservative investment practices of international institutional investors create restrictive internal barriers that are difficult to overcome but can be done, over time, through capacity building measures. Foreign exchange risk can result in sizeable liabilities for certain types of climate action projects and while the risk cannot be hedged using traditional mechanisms, policies such as dollar denominated tariffs or government backed hedging facilities are possible ways to mitigate it. The restrictive controls that are placed on long tenured, risky projects such as renewable energy make it difficult to access international debt financing, but policies reclassifying the risk associated with such projects could make them more attractive for creditors.

The Observer Research Foundation over the next twelve months will release a set of reports as part of their Financing Green Transition series looking at potential methods to increase the flow of private capital investments for climate action projects in developing countries. The reports will include an examination of the risk perceptions of European Institutional Investors with regards to renewable energy projects; an econometric analysis of the benefits of credit enhancement mechanisms by Multilateral Development Banks; a methods report aimed at creating a transparent and publicly accessible ratings evaluation system; and a feasibility study examining the viability of greening “Basel” through alterations in their risk calculations.

^[i] Joe Ryan, “G-20 Poised to Signal Retreat From Climate-Change Funding Pledge,” Bloomberg.com, March 09, 2017, accessed July 01, 2017,

^[ii] Renewable Infrastructure Investment Handbook: A guide for Institutional Investors. December 2016. Accessed July 1, 2017.

^[iii] “Institutional Investors: The Unfulfilled $100 Trillion Promise” June 18, 2015. Accessed July 01, 2017.

^[iv] Nelson, David, and Brendan Pierpoint. The challenge of Institutional Investment in Renewable Energy. March 2013. Accessed July 1, 2017.

^[v] Plant, Property and Equipment

^[vi] Nelson, David, and Brendan Pierpoint. The challenge of Institutional Investment in Renewable Energy. March 2013. Accessed July 1, 2017.

^[vii] Nelson, David, and Brendan Pierpoint. The challenge of Institutional Investment in Renewable Energy. March 2013. Accessed July 1, 2017.

^[viii] India: Delays in Construction Projects. January 24, 2017. Accessed July 1, 2017.

^[ix] Fialka, John. “Why China Is Dominating the Solar Industry.” Scientific American. December 19, 2016. Accessed July 18, 2017.

^[x] “Currency Risk Is the Hidden Solar Project Deal Breaker.” Greentech Media. May 05, 2017. Accessed July 18, 2017.

^[xi] Reaching India’s Renewable Energy Targets Cost Effectively: A foreign exchange hedging facility. June 2015. Accessed July 19, 2017.

^[xii] Chawla, Kanika. Money Talks? Risks and Responses in India’s Solar Sector. June 2016. Accessed July 1, 2017.

^[xiii] Renewable Energy Project Financing. Accessed July 19, 2017.

^[xiv] Bank of International Settlements. Basel III: A global regulatory framework for more resilient banks and banking systems. December 2010. Accessed July 19, 2017.

^[xv] Bank of International Settlements. The Liquidity Coverage Ratio and liquidity risk monitoring tools. January 2013. Accessed July 19, 2017.

^[xvi] The empirics of enabling investment and innovation in renewable energy. May 24, 2017. Accessed July 19, 2017.

Uncategorized

Cyber (in)security: Looking back at 2017

Samir Saran

Cyber (in)security, 2017 has proven, is a great leveler. From the individual tweeting on her cellphone, to the corner storekeeper who relies on digital payments, to the multibillion-dollar corporation and the most technologically advanced nations — no stakeholder has been found immune from harm. The woes of the world may be the same, but India’s government, businesses and civil society cannot escape the reality that the country’s digital spaces are uniquely vulnerable.

India is at once a bustling digital democracy and a budding digital economy. The national imperative to keep its networks open while coming down on malicious actors is easier proclaimed than addressed. But if this unique, finely balanced model can be created and sustained, it will be a shining example for democracies and emerging markets alike. For what it is worth, 2017 illustrated the difficulties ahead for policy planners.

The potential of cyber space is a factor of the trust that it commands from users, businesses and governments. Unfortunately, malicious agents — both state and non-state — have shown themselves increasingly capable of disrupting core infrastructure and services, and undermining that trust. By some estimates, cyber crimes are expected to cost upwards of $2 trillion by 2019. The risks, however, cannot simply be measured financially. The loss of personal information, corporate reputation and national security are immeasurably more valuable.

2017 has been a tumultuous year for both technological advances as well as the means to disrupt them. Nations around the world are now waking up to the fact that ‘protection’ of their information systems is a national priority, both for their economies as well as their democratic institutions. For democracies attuned to the free flow of information — taking both the good and bad in their stride — this is a particularly vexing problem. Is information to be controlled and vetted?

Vulnerability within consumer devices, malicious bots, artificial intelligence and information warfare were some of the most important issues confronting cyber space in 2017. However, the cyber risk landscape is dynamic and responds rapidly to new technologies and new security measures. Considering that millions of new users are coming online every year, it is useful to take stock of this changing threat landscape and examine some developing trends which can benefit conversations on cyber security.

The promise of cyberspace is immense; can India’s security architecture keep up? | Photo: Kickstarter

One of the most promising developments in cyber space is the growing interconnectivity of digital networks, and with it, communities. The internet of things (IoT) — a network of physical devices and objects designed to collect and exchange data — is perhaps the fastest growing field of technology in the 21st century. Be it moisture sensors to help farmers water their crops, or blood pressure monitoring devices placed in pacemakers, IoT has the potential to revolutionise our daily lives. Their impending ubiquity, however, makes it difficult to measure the inherent risks. As we race towards 50 billion IoT devices by 2020, each of these devices will collect vast amounts of data on our daily habits, activities, and lives. With every new IoT device, our digital footprint is set to exponentially increase — creating an ever-expanding number of entry points for hackers and cyber criminals.

In July 2017, hackers attempted to steal sensitive data from a North American casino by hacking into its internet connected fish tank. The compromised tank was then used as a gateway into other systems in the casino. The device was an unsuspecting vulnerability in the casino’s system, and is representative of the larger risks the IoT ecosystem faces.

The Internet of things (IoT) — a network of physical devices and objects designed to collect and exchange data — is perhaps the fastest growing field of technology in the 21st century.. Their impending ubiquity, however, makes it difficult to measure the inherent risks.

A 2015 report by the United States Federal Trade Commission found that fewer than 10,000 households using home-automation services were generating 150 million discrete data points every day, i.e, one data point every six seconds. Worryingly, the data collected from these devices — from ‘smart’ wristbands to TVs — are not always secured. Most IoT manufacturers place little emphasis on device security, and very few industry standards have been developed so far to tackle this problem.

A team of researchers from Microsoft and the University of Michigan discovered multiple vulnerabilities in Samsung’s ‘smart home’ platform. The most noteworthy of which involved them taking control of smart locks and smoke detectors connected to the network. The significance of this cannot be overstated — if hijacked by malicious hackers or criminals, these technologies can catalyse man-made disasters and bring entire cities to their knees.

These unsecured devices can also be used in an aggregated manner to attack critical internet, or public, infrastructure. In October 2016, Dyn — a domain name management product suite — suffered a massive denial of service attack. Interestingly, criminals used over 100,000 seemingly innocuous devices, such as printers, cameras and baby monitors to rapidly scale the attack. They were coordinated through the ‘Mirai’ Botnet, a freely distributed malware, used to infect the IoT devices.

By some estimates, the market size for IoT products and services in India is expected to reach around $9 billion by 2020. Apart from consumer markets, much of this growth will be spurred on by government initiatives that intend to integrate IoT devices with the smart cities mission and other infrastructure initiatives. This puts New Delhi in a vulnerable position; without an adequate cyber security framework, cities become prime targets for malicious actors, considering the damage inflicted can be rapidly scaled in terms of intensity and scope.

If the risks inherent in the proliferation of an IoT ecosystem offer any lessons, it is that the ubiquity of networked systems brings with it multiple vulnerabilities. The future of cyber crime is likely to be characterised both by large data breaches or sophisticated network attacks, as well as digital ‘pick-pocketing’ — millions of small value transactions that can cause disproportionately serious damage without raising suspicion. A series of aggregated, relatively low-value and distributed cyber crimes may in fact present a substantially more difficult challenge to regulators and law enforcement agencies than a single, sophisticated cyber attack.

Advance fee fraud, which contributes to billions of dollars stolen every year, is the classic example of low-level activity that goes undetected and remains undeterred. Coupled with the fact that the average time to detect a breach or fraudulent activity can take several weeks, the financial costs of such crimes can be staggering. In 2016, a criminal gang called the ‘Lazarus Group’ developed a software to manipulate the SWIFT system — which is commonly used for international financial transfers. By targeting banks with lower security, the group successfully initiated fraudulent transfer requests across multiple jurisdictions. Reports indicate that US$ 81 million went unrecovered from the Bangladesh National Bank, $10 million was lost from a Ukrainian bank, and a bank in Ecuador suffered losses up to $12 million, among several other such incidents around the world.

Just in 2016, Tesco Bank in the United Kingdom reported that cyber criminals stole up to 2.5 million pounds from over 9,000 customers. In 2016, Indian banks suffered a financial breach that affected 3.2 million debit cards. These digital pickpockets are not only harder to identify but the damage caused is nearly impossible to restitute. A pattern of attacks is not readily apparent in these circumstances, wasting crucial response time necessary for responding to these breaches. Further, many countries still lack the resources to devote time to smaller crimes.

For developing countries like India that are coming online on a wave of cheap and unsecured mobile devices, the implications are grave. This assumes added significance in light of the Aadhaar platform that seeks to improve government services, foster financial inclusion and build a digital economy. While the data in transit might be secure, the infrastructure and application layer of the ecosystem—which includes mobile handsets and services such as PayTM — continue to remain vulnerable. This is compounded by the fact that India’s supply chains reside abroad, which makes it difficult to ensure system-wide compliance with security requirements.

Already, news reports have highlighted instances of personal data leaks and attempted unauthorised authentication. While the biometric database might continue to remain secure, a new wave of sophisticated digital pickpockets are likely to find vulnerabilities to use against individual low value targets that are more attractive compared to heavily secured ‘fat cats’. The most vulnerable are likely to be the poorest, whose relative lack of digital skills and access to law enforcement capacity make them susceptible to such attacks.

A commonality between the insecurity represented by IoT and digital pocketing is that the vulnerability resides not just in the technology, but also in the human beings operating them. From forgetting to change default passwords on their thermostats to leaving access codes on a post-it note, the stage at which humans interact with machines represents a lucrative point of intrusion.

Cyber crimes for financial gain, however, comprise only one side of the coin. Increasingly, more and more of our lives are lived online; our thoughts and actions affected by developments in the digital realm. The man-machine integration is near the cusp of completion, where every single action leaves a digital footprint. As Chief Justice Roberts of the US Supreme Court said, “modern cell phones… are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”

Technology is fast evolving from a mere tool to an extension of our own selves — when we communicate online and store our thoughts on the cloud, we are not mere chefs wielding knives, we are authors, scripting our own private biographies. Over the past decade, scientists have been exploring the possibility of linking the human brain to computers — converting neurological impulses into code. It is only now that technological businesses like Tesla are foraying into this space, attempting a convergence of ‘biological intelligence with technological intelligence’, hinting at the commercial value in the hitherto untapped human data.

Currently, the law sees individuals and the technologies they use as two distinct entities. However, if we erode protections for our technological tools, we also encroach upon the private spaces of individuals. As this becomes viable in the next decade, how will our legal institutions seek to build distinctions between what we think and what we store online? If legal warrants can compel the divulgence of the contents of our hard drives, can the same warrants be used to divulge our thoughts? When centuries worth of legal scholarship around privacy has been navigating us towards increased control over our information, the challenge of tomorrow will be to remain private and yet connected.

These same technologies will also pose constitutional challenges in India. For example, the Indian Constitution prohibits self-incrimination during criminal trial. Time and again the Supreme Court has interpreted this to protect the privacy of mental processes. Once these processes are ‘on the cloud’, will they be treated as private thoughts or merely records of thoughts to be used as documentary evidence?

Traditionally, Indian policy has been slow to evolve in the face of rapidly changing technology. The ill-fated National Encryption Policy of 2015, for example, unduly prioritised law enforcement imperatives against civil liberties and higher security standards. Once the line between the biological and technological blur, India will require new frameworks to ensure the integrity of such sensitive systems and protect the privacy and other fundamental rights of the individual.

Additionally, the direct threat from new technology is a fact that cannot be ignored. As artificial intelligence capabilities continue to grow in the near future, the likelihood of automated and autonomous attacks is on the rise. Data theft and network penetration represent only the least damaging scenarios. Former United States President Barack Obama has even gone on to say that a sophisticated machine learning algorithm could potentially steal nuclear codes.

The 2016 Dyn attack was orchestrated by real humans, who used bots to execute attacks when they saw fit. Many believe that we are inching closer to an AI powered botnet attack, which is likely to be even more devastating. The US’ Defence Advanced Research Projects Agency recently conducted a ‘Cyber Grand Challenge’, which pitted algorithms against each other to search for network vulnerabilities and patch them. Many have already warned that these techniques will be used to exploit vulnerabilities instead of fixing them.

According to Darktrace, a company which specialises in AI cyber security, countries like India are fertile testing ground for such attacks considering the lack of effective security architecture. In fact, the company reports that, already, a low-level attack took place in November 2017, which used malware that could learn as it was spreading, and altered its methods to stay in the system for as long as possible. Already, India struggles with conventional cyber attacks. The scale and intensity of new AI powered attacks could potentially cripple critical infrastructure and services.

It is unsurprising that Microsoft has called for a ‘Digital Geneva convention’ in order to establish the rules of the game when it comes to cyber space. Unfortunately, it is unclear if nation states have the necessary political will to undertake such actions. Previous attempts such as the United Nations Group of Governmental Experts on cyber norms for peaceful use of ICTs ended in a deadlock, with countries disagreeing on whether norms of non-interference would compromise their state sovereignty.

In the future, these questions can be rendered redundant with the advances in machine learning. A sophisticated automated system capable of propagating without human intervention raises a troubling question — who is in control? Already states are debating rules for ‘Lethal Autonomous Weapons Systems’ — AI systems that will be able to make life or death decisions in war.

This has raised complex questions around laws of war and human ethics. India, as chair of the Group of Governmental Experts Meeting on Autonomous Weapons, has already deliberated on many of these questions in November 2017. Where does the liability lie for machines that function outside human control? Which principles of international law provide protection against these attacks? These important questions beg resolution today; whether a consensus on the use and development of these weapons is possible, remains to be seen.

While many of these developments pose security challenges to individuals and businesses, the past year witnessed an event many thought was never attainable through technology — the subversion of democratic processes. Even today, the precise scope of Russia’s ‘influence operations’ on elections in the United States and Western Europe is unclear. What is certain, however, is that Russia deftly manipulated the electoral process and social media in some cases to achieve its desired outcomes.

Hacking into the US Democratic National Committee’s e-mail system was only the tip of the iceberg. The wave of leaks which followed damaged Hillary Clinton’s presidential prospects by throwing the Democratic Party into disarray and fueling the popular anti-establishment mood against her. Equally significant was Russia’s disruptive use of social media. The medium itself represents liberal values on and of the internet — an open and inclusive platform capable of bringing communities together. By inserting fake news and generating manipulated trends, Russia successfully undermined these values by polarising the American electorate.

For decades, Russia and other authoritarian regimes were haunted by the spectre of ‘colour revolutions’ at their doorstep. America’s creative use of information technology and civil society resistance towards the end of the 20th century represented ‘asymmetric operations’ against communist regimes. To Russia, an enfeebled economy, cyber operations represented the perfect counter force — difficult to anticipate and difficult to trace but easy to execute across oceans. The digital disruptions of tomorrow seem eerily similar to the colour revolutions of the past.

Although the interference with American presidential elections has gained the most attention, to Russia, this is not new. Over the past five years, it has perfected these techniques in Eastern Europe — in states like Ukraine, Georgia and even Germany. Most countries in the EU states are bracing for similar operations during their own elections — with France having successfully taken somewhat controversial countermeasures such as banning TV and creating phony email accounts and fake documents to misdirect Russian hackers.

Speaking at CyFy 2017 — Observer Research Foundation’s annual conference on technology, security and society — several panellists highlighted that Russian motivations are likely multifaceted. For one thing, they seek to undermine democratic processes in order to legitimise their own political systems. On the other hand, they also seek to disrupt the current forms of cyber governance, testing the limits to which conflict in cyber space is permissible.

India’s primary geopolitical rival, China, has already developed the tools necessary to carry out such operations. After years of perfecting cyber espionage and other such techniques, even against powerful countries such as the United States, the likelihood that China will attempt to influence India’s democratic institutions must not be dismissed. As a democracy, India will have to toe a fine line between preserving the free flow of information and preventing malicious actors from manipulating that information.

China, however, is not the only threat. Considering Pakistan’s weaker conventional military prowess, what is to stop it from using asymmetric methods of cyber warfare? The implications of these events are dire. For one thing, revisionist regimes now have a reliable template to emulate in other parts of the world. That such actions require limited financial and technical resources dramatically reduce the costs of destabilising perceived rivals. Our traditional political and military structures no longer seem capable of keeping up with the deluge of attacks that rely on misinformation and propaganda.

These methods are no longer constrained by traditional paradigms of power. In the 20^th century, military capability was determined by the size of a state’s army, navy or air force. That Russia, a one-and-a-half trillion-dollar faltering economy, subverted institutions in America, an eighteen trillion-dollar superpower, only goes to show how effective ‘influence operations’ can be.

A democracy thrives on trust in government institutions and even in media. By undermining the integrity of this relationship, Russia successfully fueled polarisation and disaffection amongst the American public, thereby subverting the very basis of democratic norms and values. By all accounts, this was its ultimate objective. That other liberal democracies in Europe are bracing for similar events only serves to highlight the efficacy of these malicious methods.

These developments have thrown up critical questions around managing this upheaval. What structures and institutions must we build and empower to tackle these threats? The idea that causing disruptions through ICT activities is not a resource intensive exercise is only half true. It is steeped in western presumptions of power — that the one with the money and the muscle wins the war. The truth though is that both cyber defence and cyber offence need significant allocation of resources — not just in the institutions that emerged as a result of the teetering post-Cold War stability.

For a country like India, which still does not possess a coherent national cyber security architecture, responding to new asymmetric threats such as influence operations will be a difficult challenge. Such operations rely on political, ethnic and religious faultiness — which are abundant in India — to polarise individuals. Already, ‘fake news’ spread through WhatsApp forwards and social media has led to real instances of violence along these very lines. This year alone, for example, fake rumours about violence against Hindus in Myanmar helped fuel anger against a wave of Rohingya Muslim refugees.

Sprawling cyber commands and advanced weaponry will not address the asymmetric capability of hundreds of internet trolls glued to computer screens with the single-minded aim of falsifying news, spreading propaganda and subverting democratic institutions. It can be contained by building capacity at the grassroots — by scripting and consolidating narratives to counter untruths and empowering communities to detect and disregard falsehoods.

Taken together, these risks exemplify the double-edged nature of cyber space. While the internet has emerged as a vehicle for transformation, its development has come with significant costs. Today, a wide array of malicious actors — be it states or rogue individuals — threaten to disrupt and dismantle the internet’s core infrastructure and values. Unfortunately, these threats are non-traditional, dynamic and dispersed, and large cyber defence institutions are limited in their ability to tackle them. Instead, the individual is likely to be front and centre in facing these challenges. We need to reimagine the role of the individual, who is at once a target and a trustee on the internet.

Accordingly, to tackle these threats, New Delhi will have to recalibrate its policy response. For one thing, building cyber capacity at the local law enforcement level is a must — a decentralised threat requires a decentralised response. Apart from building a new cadre of cyber security specialists, the Indian police force must build the capability to detect petty cyber crimes, and to analyse how these threats aggregate and cause systemic damage. Additionally, new institutional mechanisms must be put into place to build trust between individuals, businesses and the state. Victims of cyber crimes, especially low-value crimes, are currently reluctant to share information with the government. They must be able to have faith that the state will address their loss, and provide timely access to justice.

Second, new regulatory frameworks in India must incorporate ‘security by design’ amongst commercial products and services. A 2016 report by the Ministry of Finance on digital payments suggested a hierarchical approach to cyber security based on the systemic risk posed by different infrastructure layers and applications. This is a model that deserves replicating across networks — vulnerability must be addressed at its root. For example, some legislators in the United States have introduced a bill that will require devices to conform to specified industry standards and prohibits vendors from supplying devices that have default passwords or that possess known security vulnerabilities. India must be proactive in setting its own standards and norms for digital products, even as new platforms and networks continue developing in the market.

Third, India must invest in diplomacy. First, in areas like the UN GGE, as chair of the group on autonomous weapons, India is in a position to direct the conversation on norms, technologies and regimes to favour its interests. Simultaneously, India must also cultivate relationships with cyber powers like the United States, Israel and the EU, that can help in developing cyber security products and law enforcement training. And lastly, to reform international information sharing policies between countries and tech companies, considering that most Indian data is stored abroad.

Fourth, developing new technologies in India must be treated as a national security imperative. The government must fund research into emerging technologies, their impact on society and their implications for geopolitics. The new AI arms race between America and China is taking place in universities and think tanks, with generous aid from the government. Accordingly, these same powers will have the authority to shape how such innovations will reorganise society. To avoid being relegated in global politics, the effort to develop new technologies and to shape the norms which govern their use, must be catalysed by the Indian state.

Fifth, as a democracy, India must create institutions which are capable of bringing together local communities in order to create awareness about fake news and malicious propaganda. For example, the EU now has a ‘specialized strategic communications unit’, which brings to light influence operations by foreign actors. Additionally, the United States has recently listed election institutions as critical information infrastructure; a move which India should also consider in order to better prevent politically motivated hacking into party accounts and other such malicious efforts.

For a country that aspires to be a truly digital economy, India must internalise that the security of its ICT infrastructure is not a post facto consideration but a precondition for growth. At the same time, the over-securitisation of cyber governance can often lead to undermining rights which, in turn, negates the country’s values as a free and democratic nation. The right answer ultimately rests on a fine balance between an ambitious aspiration of what Digital India will be tomorrow and a realistic assessment of what India’s capabilities are today.

To read the full issue, click here.

This piece has been submitted to Seminar Magazine for publication in their 2017 Annual Edition.

Uncategorized

Democratic, innovative and secure: how India can shape the future of the internet

World Economic Forum, 12 December, 2017

Original link is here

Employees demonstrate the use of the newly-designed prototype of a touch-sensitive table at Microsoft India's Development Center in the Gachibowli IT district in Hyderabad, in the southern state of Andhra Pradesh March 6, 2012. Picture taken on March 6, 2012. REUTERS/Vivek Prakash (INDIA - Tags: BUSINESS SOCIETY EMPLOYMENT SCIENCE TECHNOLOGY) - GM1E8450XD101

‘India has both the capacity and the moral authority to shape a global digital economy’

ndia is fast becoming the indispensable nation of cyberspace. The Indian market could decide the future of many technology giants. As such, she can be seen as a policy pioneer.

In November, Ajit Pai, Chairman of the US Federal Communication Commission, announced the rollback of the Obama-era rules on net neutrality. As the historic architect of the internet and arbiter of its values of openness and freedom, the US appears to be ceding its normative influence over the medium.

Meanwhile, the EU’s misgivings about US technology corporations have driven it to enact a new data protection regime that sets its own highly restrictive standards on digital markets, content regulation and privacy. This is par for the course for a community that is looking increasingly inward, and no longer sees itself as a model for other countries.

Farther east, China has outright rejected the West’s open model for the internet and has outlined a vision to become a cyber superpower premised on state sovereignty and control.

Thanks to such developments, leadership in cyberspace is contested and a new global regime will follow the model that best balances several competing priorities. With a 450 million strong – and growing – online population, India is capable of exercising considerable heft in shaping the future of the internet. India’s multiple identities only add to this weight: as the world’s largest democracy, it commands the legitimacy to shape an open and free internet; while its role as a developing country ensures it will account for what matters to the global south, such as affordable access, local content generation and platform security.

Two recent events have further bolstered India’s leadership in cyberspace claim. The first was the Telecom Regulatory Authority of India’s (TRAI) recommendation that access to the internet must not be restricted by discriminatory measures from service providers. Even though some rough edges remain, such as the role of the proposed multi-stakeholder ‘advisory’ body and the regulation of Over the Top Services, the TRAI has done well to endorse the principle of net neutrality in its proposals to the Department of Telecommunications.

Despite increasing convergence with the US on information technology issues, New Delhi was not swayed by America’s deliberations. Instead, the TRAI chose to endorse a pragmatic model that would balance commercial imperatives against consumer interest. In this process, it has also given New Delhi the ability to claim moral leadership over the principles that define the internet.

The second development was the publication of the Ministry of Electronics and Information Technology’s consultation paper for a Data Protection Framework for India. Prompted by the Supreme Court’s verdict in the Puttaswamy case, the Indian government is now working to protect individual privacy in the digital world. While the final law will undoubtedly generate debate, the report notably makes it clear that India will balance civil liberties, security and data-led innovation.

No country has yet managed to strike a perfect balance. In countries like China, privacy has been subsumed in favour of national security. In democracies like the US, social media platforms have been left vulnerable to foreign influence; and in the EU, stringent data protection laws might stifle innovation. If India can fine-tune its own design for a data-driven economy while protecting the rights and security of its citizens, it will have created a prototype that is at once unique, and yet replicable.

Both these developments highlight something significant: India is carving out its own unique position in cyberspace, one that is likely to be emulated by emerging markets. With multiple institutions – from courts to political leadership to civil society – actively contributing to a diversity of opinion, the shape of an Indian consensus on cyberspace is slowly emerging. The Digital India initiative could culminate in a distinctive offering that will not only invigorate India’s economy but also serve as a model for other countries, including the industrialized West.

The internet is provoking new debate about the emerging social contract between citizens, businesses and the state. These debates will eventually find their way into international norms and regimes. To prevent the emergence of a “splinternet” and to preserve the democratic nature of cyberspace, India must proactively tell its own digital story.

India already has a rich history of safeguarding the global commons by blending idealism with pragmatism. Speaking at the Paris Conference in 2015, Prime Minister Modi recognized that more than 300 million Indians do not have access to energy. Despite this, India was determined to ensure that access does not come at the cost of the environment. This determination, said Modi, was “guided by our belief that people and planet are inseparable; that human well-being and nature are indivisible.”

India’s position on cyberspace is equally progressive. As things stand, India has both the capacity and the moral authority to shape a global digital economy. At the Global Conference on Cyber Space in New Delhi, Prime Minister Modi believed that the internet validates the ancient and inclusive Indian philosophy of “Vasudhaiva Kutumbakam” – the world is one family. “Through technology, we are able to give meaning to this expression, and indeed to the best of democratic values,” he continued.

A democratic, innovative and secure cyberspace is consistent with both India’s ancient moral values and its modern economic imperatives. India’s recent policy actions on net neutrality and data protection are a step in the right direction. New Delhi must now craft a narrative around India’s digital economy that appeals to the rest of the world.