Cyber Security

The Great 21st Century Data Rush

Lawfare, Tuesday, June 28, 2016, 12:26 PM

 

In the digital age, data is currency and information is the energy that drives the 21st century economy. Today, 46.1 percent of the world’s population is online. These 3.4 billion Internet users collectively generate a significant amount of commercial and personal data that can be stored, collated, and analyzed. This data is the lifeline that charts users’ online identities: it can also be monetized by Internet service providers, social media platforms, and end user applications. As a necessary corollary, control over data and the flow of information has become highly politicized. One who controls this data retains the power to shape the global geopolitical order.

Data is intrinsically valuable. Data grants access to an individual’s online activity, lifestyle choices, consumption patterns and so on. It is for this reason that states have been vying to gain access to vast amounts of data either through legal mechanisms or surreptitiously. It is also the backdrop for the evolving global norms around encryption. In many ways, this conversation is reminiscent of the adage of energy politics of the 20th century: he who controls the oil controls the world. There is, however, one central difference: today, every Internet user is the owner of an unending oil field and every Internet non-user is sitting on a potential reserve.

Despite the Internet being touted as a great “equalizer,” these global conversations are often skewed in favor of the countries that generate data or possess the technological capability to access it. The encryption debate in countries with advanced technical capacities is very different from the countries without them. Until recently, countries with strong technical capabilities were also the most ardent advocates of encryption. This approach was fueled by the belief that the state’s interception capability would always outpace the individual’s encryption capability. Increasingly, this notion is proving to be false. Even the United States realizes that impenetrable encryption could wrest control of data from the hands of the state. It is this insecurity that is causing the pitched battle between Silicon Valley’s encryption evangelists and U.S. law enforcement officials. This insecurity, however, is not unique to the West. Governments in Asia and Africa also drive their own encryption debates out of a fear of losing control over the social order and their capability to monitor their citizens. At the same time, these issues’ importance is also accentuated by the looming threat that their countries’ data will be gathered, stored, and exploited across oceans in another continent.

Cyber diplomacy and geopolitics in these nations are therefore determined by the need to retain control over information emanating from within their countries and the anxiety of this data’s potential misuse by actors outside their borders. As with the conversations around the erstwhile frontier technologies in the nuclear and space domain, this too has a strategic dimension. Unfortunately, these strategic necessities are often responsible for constraining the development of privacy and data protection norms governing the Internet. States insist on perceiving the control of data as a zero sum game. Encryption is perhaps the centerpiece of the falsely dichotomous conversation around security and human rights. Encryption, however, must fundamentally be about human rights.

Encryption is an idea that is grounded in the principles of data integrity and data ownership. The right to encrypt communications is central to the autonomy that we offer all citizens over their own data and who can use, analyze, and access that data and under what conditions. This right automatically grants them the opportunity of determining who can commercially exploit their data. While most of us are comfortable exchanging our personal data for services over the Internet, this decision does not automatically nullify our right to choose how our personal data is used. Naturally, this autonomy must be subject to certain exceptions for law enforcement purposes. However, these exceptions must be considered, pragmatic, and mindful of the human rights imperative. They must not be driven by paranoia and the need for absolute control.

Another noteworthy dimension in this debate is the commercial opportunity that encryption presents. Encryption technology is big business. If data is the new currency then encryption solutions are the new Swiss banks and the market leaders in the tech space like Apple, Facebook and Google are all vying for recognition as “digital Swiss banks.” They are cognizant of the need to protect data, but equally conscious of its commercial value. While they refuse encrypted information to law enforcement agencies, apps and platforms in Google and Apple’s ecosystems innovate and thrive on the availability of big data. It is not public policy that is driving this harvest of data. It is, ironically, the “privacy policies” of major players. Across the pond, European regulators have failed to distinguish the false choice between public and private data with potentially negative consequences for innovation. Indeed, European Internet providers have themselves demanded that privacy norms reflect the need to innovate digitally.

All this is not to question the assumption that the state constantly seeks to monitor digital networks. But the growing trend towards protecting data from the prying eyes of the state poses another important question: is encryption the end of innovation? Increasing law enforcement requests for data retrieval and the myriad ways in which the state collects data en masse are leaving the private sector apprehensive of collecting big data that they may later be required to give up. While this may sound good prima facie, it has a serious downside. Without access to data, the private sector has no means to innovate and tailor their products to the market. The boom in the app economy was fueled largely by creating markets for products and services based on data analysis. Is it possible that the ubiquity of that very data is foretelling the collapse of the market that trades in information?

Ultimately, the debate on encryption must keep three vertices in focus: law enforcement, data privacy, and innovation. The legal standards around data protection and surveillance may vary across jurisdictions—as will the ability of start-ups to innovate—but any policy measures on encryption must arrive at a floating median between these three indicators.

A time to lead

India must seek to deftly institutionalise an “India Exception” in cyberspace through bilateral deals with governments and institutions that manage the internet.

Today, The Hague will be at the centre of the cyber world as over 100 delegations assemble for the Global Conference on Cyberspace (GCCS) hosted by the Dutch government. India’s participation at such forums must factor in two important realities of the digital space.

The first challenges the core of how India conducts its diplomacy, a structural bias that seems to repose too much faith in the UN framework. Despite being the principal multilateral institution, the UN represents a legacy arrangement, too slow to govern this dynamic and rapidly evolving medium. It is frequently outflanked by the private sector, bilateral agreements and smart mini-lateral groups pursuing independent agendas. Even in the real world, the UN has been bypassed in Syria, Yemen and Iran, merely agreeing to what formations like the P5+1 decide. On the internet, the “code” is already the “law”, where every digital transaction and every user sign-up to a digital service is creating a de jure legal framework that is defining internet governance. Users and industry are determining and enforcing laws like never before, and at a speed that neither nation-states nor the UN is designed to cope with.

The second reality, however, underscores the role of the state in managing the digital commons. India’s government must play an active role in formulating the rules for the road, given its social responsibility to ensure equitable access to the one billion “unconnected” citizens for service and governance delivery. But this poses flexibility problems, as governments are incapable of being as nimble as industry or users, and government participation can be both polarising and burdensome. The poser, therefore, is how to retain agency with the government while leveraging the creative capacities outside.

These two factors must be part of any engagement calculus, and responding to them may require India to pursue a policy approach that must have four central features. First, India must seek to deftly institutionalise an “India Exception” in cyberspace through bilateral deals with governments and institutions that manage the internet. One example is how the India-US civil nuclear deal forced an acceptance of India’s exceptional status. Similarly, China’s bilateral climate deal with the US has ensured that the debate on Chinese baseline emissions has changed dramatically. Such bilateral deals are vital to the pursuit of national interest. They create direction and momentum, which other nations and institutions begin to respond to.

One attractive option for India is to work towards a bilateral “digital economy and security partnership” with the US, free from multilateral meddling and the resultant dilution of interests. Such an agreement creates the critical mass for shaping internet governance. It would bring together two large digital economies already bound by commerce. It would also signal a compact between an incumbent power and an emerging power, between developed and developing nations. If managed properly, this gain can then be socialised through smart mini-lateral arrangements with like-minded countries. This brings us to the second feature.

India should take the lead in setting up a group of experts from 15 to 20 countries in the digital sector to shape internet governance, a proverbial “D-20”. Such a forum would translate the key features of India’s bilateral agreements into global norms and bring it cyber heft. The chances of entering into effective agreements in line with core interests are far higher at this forum than with unproductive posturing at the UN, where India would have the same weight as, say, Tuvalu. The trick would be to find the correct size and composition with the correct entry parameters, open enough to allow others in as they become relevant.

Third, India should consolidate its leadership by creating ideation forums to shape the discourse, rather than opposing or reacting to others, such as the NetMundial initiative. This could take the shape of a major annual conference or summit, given critical weight by being chaired by the prime minister, and co-convened by the telecom and external affairs ministers. This would also complement the “Digital India” initiative of this administration. Such a platform must be diverse in order to present a more palatable multicolour debate, as opposed to a state-centric position.

Last, to bring all these Indian stakeholders on the same page, an Indian internet governance council must be established. Combining features of the Niti Aayog (digital economy) and a national security advisory board (cyber security), such a platform would bypass the multilateral versus multi-stakeholder debates by organising diverse Indian positions into a comprehensive whole. The government must learn to synthesise domestic opinion like a Swiss knife — common in purpose but different in deployment — so as to allow voices outside government to represent India equally effectively.

Ultimately, India must accept its own exceptionalism. It must thereafter understand how to establish it. India is in a position to shape cyberspace debates, but for that it will need to be flexible, propositional and present everywhere that internet governance is debated. Its strong and diverse contingent at The Hague is a good beginning.

The writers are at the Observer Research Foundation, Delhi

Securing digital terrain

Analysis, Observer Research Foundation, ORF Cyber Monitor, 17 March 2015

The Sony hack is a textbook example of the fog of cyberwar. The whole incident is a telling manifestation of the many aspects of cybersecurity: There is the allegation of a state-sponsored international incident by North Korea and the promise of a ‘proportional response’ by the United States of America. The Sony hack brings to mind the question of state behavior in cyberspace; the threat to business advancing public-private cooperation in combating such attacks; and the question of motive – an assault on the freedom of expression, as opposed to the more predictable motivations of theft, terrorism and war.

Other countries, including India, have observed the consequences with keen interest. This includes the disruptions in North Korea’s Internet connectivity that followed immediately after the attack was successfully attributed to the authoritarian North Korean state by the US. How does this episode play out against all the narratives built to understand and respond to cyber security threats?

At the outset, there are larger questions to consider.

The first is the fundamental understanding that access to the Internet is an essential feature of security; that without connectivity, the citizen is not plugged into the system, as he cannot engage digitally with either his fellow citizenry or the state. After all, security cannot be for security’s sake. It must be based on the premise that security infrastructure is to protect its people, its nation-state, its economic interests within its territory and globally. To this end, India’s ambitious ‘Digital India’ project, which has committed an investment of $21 billion with the stated ambition to secure last-mile connectivity and effective e-governance for every citizen, is only a partial response to the enormous challenges facing the Indian subcontinent in its digital endeavors.

The second question relates to the fundamental tension between development and security. This holds especially true for developing countries like India. They are witnessing rapid internet proliferation, a phenomenon that goes hand-in-hand with cheap devices with questionable security standards and a digitally naïve population susceptible to hackers, thieves and phishers alike. They will be susceptible to sophisticated attacks as well, as they build up their capacity. The inevitably linked trilemma of security, privacy and surveillance, in the face of complex challenges has raised many-layered problems in need of examination. Finding a balance between surveillance and privacy in order to secure citizens without infringing their rights is the order of the day. But countries are struggling to achieve this equilibrium.

Most recently, the UK – to the horror of privacy activists everywhere – has come out in favor of banning encryption to intercept communications so as to ensure security more effectively. There is also the need for accountability of state intelligence agencies. They can quite easily infringe on citizens’ personal communications in their zeal to catch the bad guys. Therefore a strong mechanism needs to be put in place to ensure they are encouraged to act responsibly.

There is also a need for governments, private sector companies and civil society, including those fighting for individuals’ rights, to cooperate in creating robust cyber security frameworks. Key questions on the quality of interconnectivity and appropriate mechanisms for securing critical infrastructure have to be addressed. What are the costs of cyber security and how will they be shared? Who will define and how will we all agree to what is the optimal level of security in cyberspace? What is the role of the private sector in this regard? Governments cannot begin to understand the range, frequency and severity of the attacks on their countries unless critical infrastructure operators and private enterprises share this information with them. In many countries confidence building measures are necessary to develop this relationship.

Thirdly, given that attacks do not only originate from criminals and terrorists, an understanding – ‘norms’ – of state behavior in cyberspace needs to be fleshed out. This could be done by way of universal multilateral agreements (desirable but unlikely) or by consensus between like-minded states who wish to set rules of engagement (less inclusive but more efficient). Countries also need to examine what can best be described as ‘unintended consequences’ of state behaviour. For example, the Stuxnet virus, which exploited a weakness in the Microsoft operating system, affected 18 percent of computers in Indonesia and 8 percent in India, causing these countries great financial loss as they had to upgrade their systems to counter the virus.

At the same time, no conversation about cyber security can be complete without addressing online terror. Online terror networks, aided by the multiplicity of communication networks over the Internet, have become a common cause of concern for individuals and states alike. This growing threat cannot be countered unless solutions that enable real-time information sharing between countries are developed. These questions – and more – were at the core of the debates at CyFy 2014 – the India conference on Internet Governance and Cyber Security hosted by the Observer Research Foundation. India’s Deputy National Security Advisor emphasized the importance of international norm-building and central role of the UN Group of Governmental Experts. He stated that “the Indian position on these issues will continue to evolve…”, adding that this group of experts “is a useful forum, but it should be made more representative.” India’s Minister of Communications and Information Technology echoed a similar thought at CyFy – “…this unhindered growth of networks of infected computers across the world – how do we propose to address this problem in the absence of global cyberspace norms to regulate and guide responsible behaviour in cyberspace?”

Which brings us back to the incident involving Sony, North Korea and the United States. It shines the torch on cyber security, state behavior, damages, responses and attacks on freedom of expression. Do we have a blueprint or a road map to respond to such developments? Maybe not – and therefore 2015 will be a vital year for finding common ground to keep the digital world secure.

(The author is Vice President and Senior Fellow at Observer Research Foundation, Delhi. This article originally appeared in The Security Times, a special edition of the Atlantic Times for the Munich Security Conference, February 2015.)

Reframing the Cyber Governance Debate for India

Seminar Magazine, Monthly Symposium, March 2014

THE Snowden affair and the vocal debate on surveillance and cyber espionage have redefined the mostly benign and attractive imagination of the Internet. This medium, which has connected the world like never before, is now witnessing a growing contest among nations. If not addressed and managed, a divisive debate on the control and management of the digital global commons could not only undermine the huge gains that have accrued from interconnectedness, but might well become a basis for conflict and instability in the real world.

The stakes are high. The idea of the ‘global village’, the efforts to create a global economy and emerging global digital marketplace, are all likely to be impacted if nations and communities do not find it within themselves to agree to norms and laws that would apply to this realm. The process of discovering the ‘rules for the road’ is highly contentious. Not only is an ‘international digital treaty’ unlikely in the near future, the world cannot even agree to who should be negotiating such an arrangement. Yet, this debate must take place with earnestness if common ground is to be discovered at the earliest.

It is crucial to strengthen such a debate, to bring together perspectives from a range of countries and sectors on key facets of the digital discourse – ranging from national priorities and strategies to international treaty frameworks, the role of the private sector to issues such as individual privacy and freedom of expression.

At the outset, we must ponder over some larger issues that are shaping the current global and domestic conversations and inquiries in the digital domain. These can be broadly captured within a few meta-narratives, also key to discerning how a digital India develops, how a vibrant digital society governs itself, and how India must seek to interact with the world in this digital century.

The first narrative is one of development and security. It is a debate on how we create policies and conditions that would allow for the rapid development and spread of cyber infrastructure in the country. On how we could develop tariff and cost regimes that would allow and encourage people to connect to and with it. On the variety of social and economic activities we seek to conduct over the medium and, therefore, the nature and form of regulation and security that must align these networks.

Our decisions on some of these would affect pricing and business models, the rate of penetration and growth of connectivity, our approach to intellectual property rights, and the nature of access available on the Internet to those residing in different economic and social classes. In a number of recent statements and policy pronouncements, the Government of India has indicated its preference to use the digital medium as a means of delivering governance and social services to its citizens. Cash transfers, correspondence and approvals, banking and insurance, health and education services, are all likely to ride on the digital last mile. Therefore, ‘digital access to all’ must be a national imperative.

India’s experience with the telecommunication sector tells us that ‘access’ closely follows ‘price of service’ and proliferation of the Internet and IT infrastructure would be dependent on ‘price points’ that are unprecedented. Connecting ‘another billion’ citizens to the Internet in the coming decade or two would, therefore, be influenced by business models, tariff regimes, content generation and entrepreneurship at the proverbial ‘bottom of the pyramid’.

India’s contemporary experience with Internet services also demonstrates that penetration growth is a function of services and content that is offered to the user. It is an open secret that pirated movies, music and entertainment content are significant drivers of Internet penetration. Alongside, applications that assist farmers and SMEs and offer health services and a variety of education and skills also encourage users to connect to the Internet. Content generation, for the potentially huge Indian user base, offers great opportunity with its unique price specificity.

This discussion invariably throws up some interesting posers. While it would be impossible to capture all of them, a few merit attention. The first must be the fundamental tension between the affordability of service and best in class technology and security. We need to achieve both, as business, governance and social security would ride on this medium. The other would be the approach to content generation and intellectual property rights. While India must seek to encourage low cost content creation that caters to its myriad needs, can this be done while it allows (through weak IPR regimes) pirated material that is so essential to rapid proliferation of the Internet? We must ask how much regulation and legislation is ideal before it encroaches on the fluid nature of the Internet, a feature that makes the medium attractive in the first instance. Finally, given the degree of global interconnectedness, would India be able to make these decisions independent of external pressures and global conventions?

This brings us to the second narrative – India’s engagement with the world on Internet governance and cyber security. This engagement will have a compelling impact on its domestic socio-economic development and on its ability to secure prosperity for its people from the digital marketplace.

India is one of the biggest beneficiaries of the IT and communications revolution with roughly 25% of India’s GDP growth over the past two decades having been created in the IT and ITES sector. There is little doubt that a larger share of India’s future growth will originate from or be dependent on this digital medium. Therefore, India must be at the Internet governance high table when agreement is reached on managing this most vital global commons. Would India shed the reticence, characteristic of its 20th century approach to multilateralism and reimagine itself as part of the ‘global management’ with attendant responsibility and rights? Or will the perceived virtuosity of nonalignment continue to see India lead the global outliers and minority stakeholders in this global governance debate?

How this unfolds will be crucial. Will India be oppositional, critiquing the major powers for their unilateralism and interest based approaches, or will India be propositional and articulate its own interests and negotiate the space and role that it must have, representing as it would (in the days ahead) the largest bloc of Internet users from a largely liberal and vibrantly democratic nation?

It must also be understood that while the world sees a significant role for India at this juncture on Internet governance and security, it will not wait beyond a point. The major powers – US, Russia, China and EU – are all engaging and negotiating the rules for the road with each other and with a larger group of nations. India is a party at some of these conversations and not at others. Trade talks, climate negotiations and other multilateral experiences tell us that ‘democracy’ within global governance is inefficient and overrated. The relative success of TRIPS and FTAs over a global trading arrangement and the predominance of the arms control architecture of the 20th century, devised between the US and Soviet Union, are all indicative of how a future Internet governance arrangement may emerge. Will it be an arrangement shaped by the conversations among the ‘Big 3’ (Russia, China and the US), or will it be relatively more inclusive and take into account perspectives from a larger set of countries? Will there be a ‘gridlock’ or will these countries manage to agree to sets of norms that will allow the Internet to remain a global commons? Any which way, India would need to find the means and resources to be an effective contributor to any new arrangement and find its place on the high table.

This discussion on global governance leads us to the third meta-narrative that engages most thinkers and practitioners today – who should engage on the subject and with whom? Unlike arms control treaties such as SALT and the NPT, trade treaties such as GATT and the WTO, or international treaties in force or being negotiated such as the space code and laws of the seas, the Internet involves and affects each one of us individually more than it does states. Each one of us is a contributor and beneficiary, and each one of our actions has the ability to influence the entire cyber sphere.

Therefore, the central question that arises is whether the ‘nation state’ is the most inclusive and efficient interlocutor on Internet governance and cyber security? This leads to discussions on the tension between multi-stakeholderism (the participation of individuals, academics, citizen groups and non-governmental organizations in the debate) against multilateralism (a largely state to state debate that characterized the architecture of the 20th century). Can they coexist? Can they be aligned constructively? And if so, how?

For instance, should a nation state conduct an internal debate within itself, create a domestic consensus, and (only) then represent this multi-stakeholder proposition at the global forums? Alternatively, should various stakeholders communicate with each other across national boundaries and at international arenas? The former is somewhat more ordered while the latter is far more cumbersome but also more democratic. This issue currently sees different treatment in different countries. More developed democracies see merit in letting their NGOs and corporations into the debate and are in fact clever in using these voices in order to secure national interest. Other countries including India are far more reluctant to include corporations and citizens in governance conversations. While we can debate how best to include views and voices from the private sector and the private citizen, there is no doubt that security and stability of the Internet would be largely dependent on the participation of all stakeholders, particularly the private sector that owns and operates cyber infrastructure.

This brings us to the fourth issue that must be debated in detail – the role of the private sector. On one hand they are the primary service providers and owners of much of the critical infrastructure; on the other they have a sizable vested interest. How may one give the private sector weight in Internet governance decisions without shifting the balance of the narrative away from the users and governments will be a central enquiry of our times.

Banks, for example, want a secure and heavily regulated Internet, which would allow them both reach of this medium and keep transactions safe and secure. Security companies would want to perpetuate a certain appreciation of the Internet architecture that maximizes their ability to leverage the Internet as a business opportunity. On the other hand a plethora of companies, start-ups and SMEs, that see immense opportunity in the fluidity and reach of the Internet, would like to see cyberspace remain loosely regulated, open and free.

What then is the private sector voice to heed? Indeed, should they be on the table or should we be guarded in our approach as we include them in the debate? Balancing private sector participation in governance decisions, while protecting the interests of small companies and individuals, will be a key consideration for most governments.

Engaging with these four ‘big issues’ is vital. It is even more important for countries like India where the infrastructure and business models are still being developed. There are no clear and globally acceptable positions and propositions that have emerged. And most questions still remain unanswered. Let us look at two sets of questions that would be most critical to any global and domestic policy arrangement.

First, how do we reconcile sovereign constitutional positions on issues such as freedom of expression, free speech, political jurisdiction and state capacity and intervention to arrive at a formulation that works across a medium that is not restricted by territoriality and borders? Is this achievable? And in the absence of such ‘universalism’, do we face the prospect of the world, as discussed earlier, being railroaded down a path decided by a few?

The second, more fundamental question emanates from the rapid evolution of the digital sphere. This is bringing into question traditional laws, norms, means of communication and modes of trade and commerce. The fundamental assumptions of the previous era are being challenged and changed by the digital (dis)order. Would we now be required to develop legal frameworks sui generis to accommodate new realities? Will nations have to become far more tolerant of expression than their individual constitutions allow? Will notions of extraterritoriality, jurisdiction and sovereignty have to be radically re-imagined? Or will an obstinate defence of the old paradigm lead to a polarization of the web, in effect turning the world wide web into the world divide web, where traditions and ossified power structures lead to a balkanization of the cyber-whole? Then, will the future of the web be one of multiple gateways and access points?

This possibility already looms. The great firewall of China seems more or less effective. Despite some breaches it has succeeded in ‘islanding’ China and given authorities the ability to clamp down quickly and efficiently. Digital China, therefore, engages with the outside world on a ‘need to’ and ‘convenient to’ basis. Is that the future of the Internet then? Or can we recast some of the global assumptions that have defined the realist world of the 20th century to accommodate the digital world of the 21st century? Is a new United Nations of digital media possible? Who would be in its General Assembly and who in its Security Council? Or would the very use of the word ‘nation’ doom it to be stillborn?

This issue of Seminar does not offer all the answers, but it does raise a series of questions and provides analysis that will allow us all to engage more deeply with this most important element of our contemporary lives.

SAMIR SARAN

* Several papers in this issue were presented and discussed at ‘CyFy 2013 – The India Conference on Cyber Security and Internet Governance’, hosted by the Observer Research Foundation and Federation of Indian Chambers of Commerce and Industry.

CyFy 2013: THE INDIA CONFERENCE ON CYBER SECURITY & CYBER GOVERNANCE

OUTCOME STATEMENT


Cyberspace transcends boundaries to provide unprecedented levels of connectivity and empowerment to states, institutions and individuals across the globe. This fluidity of the cyber-sphere spawns ‘cyber-gangsters’, necessitating cyber-security on the one hand while raising the spectre of a ‘big brother’ state on the other, according to the Minister for Communications and Information Technology, Mr. Kapil Sibal. Inaugurating the 2-day workshop, he emphasised that cyber governance is something of an oxymoron and that a re-imagined notion of sovereignty is essential to develop an effective cyber security paradigm. The Indian National Security Adviser, Mr. Shivshankar Menon, who delivered the keynote address, said that the Internet is also the government’s chosen platform for socio-economic empowerment schemes. This makes India uniquely dependent on the cyber-sphere for its development – while at the same time exposing it to heightened vulnerability.

If the past is any indication, India’s growth and economic prosperity will be inextricably and intricately tied to the digital sphere. Hence, India’s proactive engagement in the global norm making process is important. India can and must be a rule maker and ensure that global norms pertaining to the cyber-sphere align with the opportunities this space has to offer its people. Additionally, the boundlessness of the cyber-sphere must be protected, but not at the cost of pluralism or access. Policy objectives must aim to build infrastructure and provide security and must seamlessly align with the inexorable logic of providing greater access through enhanced penetration.

Consequently, the Internet, for India and indeed many countries, is a means and medium of greater freedom and democratisation. Therefore discovering the median between access and security becomes a global imperative. Given India’s democratic ethos and the sheer volume of the cyber-sphere it does (and will) account for, India’s policy responses will inevitably shape the future of cyberspace, its management and governance.

It was in this background that the inaugural and most comprehensive ‘India Conference on Cyber Security and Cyber Governance – CyFy 2013’ was held at New Delhi on 14th & 15th October, 2013. Supported and guided by the National Security Council Secretariat, Government of India, Raytheon and the Bombay Stock Exchange, the event saw two days of engrossing debate, capturing the perspectives of over 250 international experts, parliamentarians, academics, industry leaders, media practitioners and representatives of the civil society.

The following key conclusions emerged from the discussions:

• The tension between “multistakeholderism” and multilateralism should be resolved to further a cooperative framework in formulating cyber-security strategies. It is only with the participation of diverse stakeholders that refined, legitimate and nuanced policy shall emerge. A unilateral approach without systematic and periodic consultations with, and inputs of, these multiple sets of stakeholders will be deeply counterproductive and can undermine the democratic nature of the cyber-sphere. Multistakeholderism is the mantra for devising articulate policy pathways.

• International cooperation is a must in responding to cyber-security threats and governance challenges. Conventions and treaties ensure agreed definitions on security issues, acceptable set of norms, confidence building measures and will eventually shape an international framework to manage cyberspace.

• Cooperation is beneficial in managing inter-dependencies that are inherent while seeking cyber-security, for which regional and bilateral cooperative measures can also be devised successfully. For instance, Internet fraud and related crimes can be a potential area of cooperation given the minimal political underpinnings.

• It was emphasised that cooperation could be compromised by the national strategic interest of major powers and by viewing this space as a new ‘zero sum game’. The tensions between great powers can undermine a multilateral approach to cyber-security and will have an asymmetrically negative impact on lesser powers.

• Public and private sector partnership (PPP) in policymaking is essential as the bulk of communications and certain critical information infrastructure networks are managed by the private sector. An information sharing mechanism should be created to ensure timely responses.

• The bulk of cyber-security costs are currently being borne by the private sector. Like all issues related to national security, the government must take the lead, incentivise and guide developments in this sector, and allocate specific funding. This funding should be spent on awareness campaigns, education, stakeholder consultations and capacity building initiatives in the near to medium term. Similarly governments should invest in initiatives that improve cyber hygiene and data protection. A critical skills shortage exists and there should be an emphasis on training ‘cyber builders’ rather than ‘cyber warriors’. PPP models and certifications regimes should be rapidly introduced to ensure both quality and numbers.

Governments must standardise security measures, protocols and surveillance processes in order to ensure that they are neither sector-specific nor applicable only to individuals or companies. Greater transparency around security processes will also increase user confidence and allow greater vibrancy in spread and adoption of cyber platforms. This is important as the Government of India, like many other national governments, sees digital last mile connectivity as the most efficient mode for government-citizen interface in social and related sectors.

• There is today a collision of narratives on National Security and Individual Privacy. While this debate is important to have, the ideal for any security policy must be safeguarding the private space of individuals and their freedom of expression. Governments have been unable to define and agree to a universal definition of “privacy” and due to the borderless nature of the Internet there will be contests and hence there are concerns voiced by many stakeholders that need to be addressed.

• Additionally, collective security often gets an unfair advantage over individual privacy. Some questioned the efficacy of these security measures and if the gains from surveillance are worth the costs to privacy and whether there are alternatives to safeguarding national security while keeping privacy sacrosanct.

• It did appear from the discussions that privacy and national security concerns do not necessarily have to compete with one another. Concerns over security measures can be addressed by embedding privacy presets into surveillance mechanisms ab-initio. Targeted surveillance has proven effective, but too much surveillance is demonstrably counter-productive. More investment is needed to ensure privacy enhancing technologies along with sensitising the personnel who deal with the data while conducting surveillance.

• Certain core ideals must be preserved and propagated in respect of privacy. And creating a universal common and robust approach to privacy should be a key global objective to work towards. Such a definition would necessarily be the basis for any future rules based cyber-sphere governed by internationally accepted norms.

The issue of verifiable cyber-identity is also a contested one – on one hand being necessary to prevent crime but on the other being prone to abuse. The issue of identity is intricately linked to the notion of anonymity. A third party management of identity verification is a possible solution but one that requires extensive trust building between the various stakeholders.

• Transparency and accountability in formulating cyber policies, empowering NGOs as pressure groups, widespread consultation, research initiatives, public participation, and a robust media are all needed in order to help formulate effective cyber governance and security architecture. An international cyber management framework can establish best practices and norms. This framework can also analyse risks and create deterrence mechanisms and alliances.

To quote the Deputy National Security Adviser of India, Mr. Nehchal Sandhu, “India has a national cyber-security policy, not a national cyber-security strategy.” Policy is the route to building strategy but strategy is the articulation of an assessment of objectives, needs and aspirations of what citizens seek in a secure and democratic cyberspace. CyFy 2013 is a first step in this process. It has initiated a plural and honest attempt to discuss, contest and discover contours of a national cyber strategy by bringing together domestic and international stakeholders and specialists, initiating the right conversations and encouraging debates that are critical to the formation of an enlightened cyber strategy for India.

SAMIR SARAN
Vice President, Observer Research Foundation

VIRAT BHATIA
Chair, Communications and Digital Economy
Committee, FICCI

CYFY Conference Secretariat
20, Rouse Avenue, Institutional Area, New Delhi – 110032
Ph: +91-11-43520020 | E-mail: cyfy@orfonline.org

Finding a middle way: The Cyber Debate in India

The Security Times, November 2013, Berlin, Germany

India is uniquely dependent on the cybersphere – it being the chosen medium for the implementation of the country’s socio-economic schemes. But this also exposes the country to a higher probability of cyber-attack, according to National Security Adviser Shivshankar Menon. “Commitments to plurality and democracy in the cybersphere have to be tempered by security considerations.” Discovering the golden mean is both an Indian and a global imperative. It was against this background that delegates met in New Delhi on Oct. 14 and 15 for CyFy 2013, the inaugural India Conference on Cyber Security and Cyber Governance.

Given the democratic nature of India and its sheer size, the solutions it chooses will have a seminal influence on the future of cyberspace. The underlying theme for most of the discussions was how to preserve the democratic nature of cyberspace while protecting it. An early consensus emerged that privacy and individual freedoms would have to be balanced against the question of security of society as a whole. Thus, the state will have to be empowered to some extent at least, to deal with the kind of social instabilities that can be generated in the real world through acts in the virtual domain.

The debate threw up some interesting nuances. One conference participant said surveillance was like salt – good in moderation, unpalatable in excess. But it is clear there are many unresolved issues, including the very definition of what privacy is, and what it is that we are trying to protect.

The debate on the concept and limits of sovereignty in cyberspace was also combative. The central question was how to regulate a domain that is international in its operation through the exercise of national sovereignty. “Cyber governance is something of an oxymoron,” said Kapil Sibal, Indian Minister for Communications and Information Technology, “and a re-imagined notion of sovereignty is essential to develop an effective cybersecurity paradigm.” The dilemma here is the inherent conflict between national security and the necessity of international cooperation, which is to some extent based on countries ceding sovereignty and working with each other.

Another overarching theme, and one on which there was much less disagreement, was the role of the private sector. There seemed to be general consensus that the government’s role was morphing from that of a regulator to a facilitator. Delegates emphasized the state’s role in setting security standards to ensure the resilience of the net. Contrary to romantic notions of the internet and social media destroying the existing state system, the reverse is true: the state is empowered more dramatically than ever before. However, the question of providing or generating sufficient cooperation between the government, private sector and civil society proved especially thorny given the issue of trust and surveillance, especially with regard to privacy.

Jaak Aaviksoo, the Estonian Minister of Education, flagged the issue of the Internet “not being a virtual domain.” There are physical aspects to it, he pointed out, and that means there are specific requirements in terms of how we build resilience into the system. He also raised the question of moral legitimacy required to create a culture of trust building between the government and the people because the whole question of state versus citizen has been a central theme in the evolution of the debate on cyber governance.

India’s own policy in terms of developing a layered approach was brought into focus – specifically the question of training large numbers of people to ensure that India’s planned cybersecurity policy can be implemented. Deputy National Security Adviser Shri Nehchal Sandhu admitted that “while India has a national cybersecurity policy it is still to develop a national cyber-security strategy.”

The sheer size of India’s cyber population makes its national deliberations critical to the global dialogue. The key discussions here revolved around whether to promote sovereignty on the net or even to seek a wholly sovereign internet. Are we going to side with those who say information security is absolute, or those who say each government has the absolute freedom to do what it wants in its own territory?

That India is finding its own middle way was best reflected by the fact that, despite furious debate, there was little to no mention of PRISM or Snowden. Being pragmatic it would seem India and Indians, unlike the EU or Brazil, have chosen to forgo rhetoric and instead debate the core issues around privacy, anonymity, intellectual property and national territoriality.

One final question that came up was whether technological developments would allow states to dominate. This is a debate that has played out historically in every new medium that has emerged. As the international negotiations proceed in the coming years, the whole question is whether we are going to have an internet that is transcendental and collectively used across the world, or one that is dominated by each country in its own little domain of influence.

The India conference was the start of a process – one that raised many questions and found some interesting and out-of-the-box answers. The complexity of the debate dictates that this will not be an easy path to navigate. The India Conference on Cyber Governance and Cyber Security will not and cannot be a one-off interaction among multi-stakeholders. It is the beginning of a strong forum that can debate India’s policies, help mould its strategy and simultaneously address global challenges.
