Governance

CyFy 2013: THE INDIA CONFERENCE ON CYBER SECURITY & CYBER GOVERNANCE

OUTCOME STATEMENT


Cyberspace transcends boundaries to provide unprecedented levels of connectivity and empowerment to states, institutions and individuals across the globe. This fluidity of the cyber-sphere spawns ‘cyber-gangsters’, necessitating cyber-security on the one hand while raising the spectre of a ‘big brother’ state on the other, according to the Minister for Communications and Information Technology, Mr. Kapil Sibal. Inaugurating the 2-day workshop, he emphasised that cyber governance is something of an oxymoron and that a re-imagined notion of sovereignty was essential to develop an effective cyber security paradigm. The Indian National Security Adviser, Mr. Shivshankar Menon, who delivered the keynote address, said that the Internet is also the government’s chosen platform for socio-economic empowerment schemes. This makes India uniquely dependent on the cyber-sphere for its development – while at the same time exposing it to heightened vulnerability.

If the past is any indication, India’s growth and economic prosperity will be inextricably and intricately tied to the digital sphere. Hence, India’s proactive engagement in the global norm making process is important. India can and must be a rule maker and ensure that global norms pertaining to the cyber-sphere align with the opportunities this space has to offer its people. Additionally, the boundlessness of the cyber-sphere must be protected, but not at the cost of pluralism or access. Policy objectives must aim to build infrastructure and provide security and must seamlessly align with the inexorable logic of providing greater access through enhanced penetration.

Consequently, the Internet, for India and indeed many countries, is a means and medium of greater freedom and democratisation. Therefore, discovering the median between access and security becomes a global imperative. Given India’s democratic ethos and the sheer volume of the cyber-sphere it does (and will) account for, India’s policy responses will inevitably shape the future of cyberspace, its management and governance.

It was in this background that the inaugural and most comprehensive ‘India Conference on Cyber Security and Cyber Governance – CyFy 2013’ was held at New Delhi on 14th & 15th October, 2013. Supported and guided by the National Security Council Secretariat, Government of India, Raytheon and the Bombay Stock Exchange, the event saw two days of engrossing debate, capturing the perspectives of over 250 international experts, parliamentarians, academics, industry leaders, media practitioners and representatives of the civil society.

The following key conclusions emerged from the discussions:

• The tension between “multistakeholderism” and multilateralism should be resolved to further a cooperative framework in formulating cyber-security strategies. It is only with the participation of diverse stakeholders that refined, legitimate and nuanced policy shall emerge. A unilateral approach without systematic and periodic consultations with, and inputs of, these multiple sets of stakeholders will be deeply counterproductive and can undermine the democratic nature of the cyber-sphere. Multistakeholderism is the mantra for devising articulate policy pathways.

• International cooperation is a must in responding to cyber-security threats and governance challenges. Conventions and treaties ensure agreed definitions on security issues, acceptable set of norms, confidence building measures and will eventually shape an international framework to manage cyberspace.

• Cooperation is beneficial in managing inter-dependencies that are inherent while seeking cyber-security, for which regional and bilateral cooperative measures can also be devised successfully. For instance, Internet fraud and related crimes can be a potential area of cooperation given the minimal political underpinnings.

• It was emphasised that cooperation could be compromised by the national strategic interest of major powers and by viewing this space as a new ‘zero sum game’. The tensions between great powers can undermine a multilateral approach to cyber-security and will have an asymmetrically negative impact on lesser powers.

• Public and private sector partnership (PPP) in policymaking is essential as the bulk of communications and certain critical information infrastructure networks are managed by the private sector. An information sharing mechanism should be created to ensure timely responses.

• The bulk of cyber-security costs are currently being borne by the private sector. Like all issues related to national security, the government must take the lead, incentivise and guide developments in this sector, and allocate specific funding. This funding should be spent on awareness campaigns, education, stakeholder consultations and capacity building initiatives in the near to medium term. Similarly, governments should invest in initiatives that improve cyber hygiene and data protection. A critical skills shortage exists and there should be an emphasis on training ‘cyber builders’ rather than ‘cyber warriors’. PPP models and certification regimes should be rapidly introduced to ensure both quality and numbers.

Governments must standardise security measures, protocols and surveillance processes in order to ensure that they are neither sector-specific nor applicable only to individuals or companies. Greater transparency around security processes will also increase user confidence and allow greater vibrancy in spread and adoption of cyber platforms. This is important as the Government of India, like many other national governments, sees digital last mile connectivity as the most efficient mode for government-citizen interface in social and related sectors.

• There is today a collision of narratives on National Security and Individual Privacy. While this debate is important to have, the ideal for any security policy must be safeguarding the private space of individuals and their freedom of expression. Governments have been unable to define and agree to a universal definition of “privacy” and due to the borderless nature of the Internet there will be contests and hence there are concerns voiced by many stakeholders that need to be addressed.

• Additionally, collective security often gets an unfair advantage over individual privacy. Some questioned the efficacy of these security measures and if the gains from surveillance are worth the costs to privacy and whether there are alternatives to safeguarding national security while keeping privacy sacrosanct.

• It did appear from the discussions that privacy and national security concerns do not necessarily have to compete with one another. Concerns over security measures can be addressed by embedding privacy presets into surveillance mechanisms ab-initio. Targeted surveillance has proven effective, but too much surveillance is demonstrably counter-productive. More investment is needed to ensure privacy enhancing technologies along with sensitising the personnel who deal with the data while conducting surveillance.

• Certain core ideals must be preserved and propagated in respect of privacy, and creating a universal, common and robust approach to privacy should be a key global objective to work towards. Such a definition would necessarily be the basis for any future rules-based cyber-sphere governed by internationally accepted norms.

The issue of verifiable cyber-identity is also a contested one – on one hand being necessary to prevent crime but on the other being prone to abuse. The issue of identity is intricately linked to the notion of anonymity. A third party management of identity verification is a possible solution but one that requires extensive trust building between the various stakeholders.

• Transparency and accountability in formulating cyber policies, empowering NGOs as pressure groups, widespread consultation, research initiatives, public participation, and a robust media are all needed in order to help formulate effective cyber governance and security architecture. An international cyber management framework can establish best practices and norms. This framework can also analyse risks and create deterrence mechanisms and alliances.

To quote the Deputy National Security Adviser of India, Mr. Nehchal Sandhu, “India has a national cyber-security policy, not a national cyber-security strategy.” Policy is the route to building strategy but strategy is the articulation of an assessment of objectives, needs and aspirations of what citizens seek in a secure and democratic cyberspace. CyFy 2013 is a first step in this process. It has initiated a plural and honest attempt to discuss, contest and discover contours of a national cyber strategy by bringing together domestic and international stakeholders and specialists, initiating the right conversations and encouraging debates that are critical to the formation of an enlightened cyber strategy for India.

SAMIR SARAN
Vice President, Observer Research Foundation

VIRAT BHATIA
Chair, Communications and Digital Economy
Committee, FICCI

CYFY Conference Secretariat
20, Rouse Avenue, Institutional Area, New Delhi – 110032
Ph: +91-11-43520020 | E-mail: cyfy@orfonline.org

Less corporate, more social

Published: August 10, 2013 01:08 IST | Updated: August 10, 2013 16:55 IST


CSR principles enshrined in the Companies Bill 2012 offer businesses a chance to transform their poor record in community participation and development


Finally we are seeing some signs of life in the business of legislation. Not surprisingly, one of the early beneficiaries is the Companies Bill (2012) which shall replace a six decade-old antiquated law after Presidential assent. The Bill, which was passed in the Upper House this week, was earlier approved by the Lok Sabha in December 2012 and reflects a number of amendments to the Companies Bill, 2011, based on the recommendations of the Parliamentary Standing Committee on Finance. It encompasses important areas for the effective governance of companies including clauses on mergers, audit and auditors, appointment of company directors, aside from providing for constitution of a National Company Law Tribunal and a National Company Law Appellate Tribunal to fast-track company law cases and corporate structuring.
Crucial
Perhaps, the most important new element introduced in Clause 135 of the Bill is the notion of mandatory Corporate Social Responsibility (CSR). Colloquially referred to as the “2 per cent clause,” it has the potential to transform the landscape of CSR in India. Indian businesses have been loath to go beyond the “glorified worker towns” syndrome or providing employee services and benefits passed off as social interventions. Indeed, “Corporate India” has fared rather poorly when it comes to affirmative action in employment, environmental responsibility and in resource efficiency and revitalisation over the years. Therefore, a scheme that potentially transfers profits towards social causes, environmental management and inclusive development could be the much needed medicine for a nation with such deep socio-economic cleavages. This provision in the new bill must be welcomed and its efficient implementation must be ensured.
It is important that Clause 135 is complemented and supplemented with regulatory and institutional mechanisms to ensure that it actually results in a new paradigm of “stakeholder responsibility” and does not become another scheme where a paternalistic government is able to create another framework of patronage that the politician-businessperson nexus finds favourable for its dealings. This hypothesis needs to be carefully examined, particularly in the context of the upcoming general election, when political masters are at once beholden to corporates for election funding, and where constituency-level CSR commitments could be politically useful.
However, beyond the “profit for patronage” issue, there are some other aspects that must be discussed. The new law will make it incumbent for companies having a net worth of Rs.500 crore or more, or a turnover of Rs.1,000 crore or more or a net profit of Rs.5 crore or more, during any financial year, to spend at least two per cent of net profits towards CSR activities. While this seems uncomplicated, the efficacy in implementation may be in doubt for more than one reason.
The whole concept of CSR must, by its very definition, be a product of the fundamental need to price services, infrastructure and resources that societies provide businesses located in their proximity. By mandating a plain vanilla formula for allocation of two per cent of net profits towards CSR, the law will create a locational distortion, delinking CSR from community responsibility. Businesses must be responsible for proximate communities first, rather than being able to choose the destination of this commitment to society.
There is also a temporal distortion in the construct of CSR as spelt out by the Bill. Paragraph 5 of Clause 135 states that two per cent of the average net profit over three immediately preceding years must be allocated for CSR activities. In the case of most large companies of the sort that would be mandated to allocate net profits, business operations would have had a run-off effect on societies and would have fed off communities for more than three years. Therefore, must not the commitment to these communities and geographies reflect the impact of these businesses over their operation periods? And is there not a case for ensuring sustained “plough back” by the company in these geographies before diverting their commitments elsewhere?
Implementation
Even as we begin to debate how best to address these “time-place” distortions, it is certain that the CSR mandate must be made more robust, ensuring that at the very least it stands up to some simple tests of reasonableness and fairness. There are a number of ways to achieve this baseline objective.
First, voluntary policies that ensure a stakeholder approach to CSR is followed by corporates already exist and must be strengthened. The National Voluntary Guidelines on Social, Environmental and Economic Responsibilities of Business (NVGs) suggest nine core principles which businesses should follow. Principle 8, for instance, directly alludes to coherent social impact measures and assuring “appropriate resettlement and rehabilitation of communities who have been displaced owing to their business operations.” Integration of NVGs, initiated by the Ministry of Corporate Affairs, in the form of more constructive guidelines for deploying corporate CSR policies, is a viable option.
Second, CSR policies must be determined organically, through demand-driven consensus. Instead of being the mandate of high-level committees, company specific CSR policies should flow from a transparent interface between community stakeholders and corporates. The process must be devolved below the level of the corporation, to the level of the business unit. Corporate leaders and civil servants in the national capital must not determine community engagement strategies. Community stakeholders and the business units concerned must. Allocations must also be made on the basis of how much different stakeholders can absorb.
Employee benefits
Concomitantly, employee benefits must not be passed off as CSR. Such tricks are already used by the banking sector, wherein mandated priority sector lending targets are often met through incredibly convoluted means, including issuance of no-frills/general credit cards for their own contracted workers. A “tick-the-box” approach is simply not legitimate.
The third suggestion also follows from this. A demand-driven process for articulating company specific CSR policies must be instituted at the district level. Consultations can be steered by public officials such as district magistrates, involving village and town leaders and representatives. Decisions could be made through majority outcomes, and the process must be recorded and filed. This sort of a process has the potential to create a public accountability framework for delivery of CSR far superior to legal provisions that we fail to enforce.
Audit
Fourth, as this culture evolves over time, CSR allocations must not remain consigned to bottom line (profits) commitments. Obligations to community stakeholders must be placed alongside the top line (receivables and debt) and must be considered seriously as the next step as CSR must not be an afterthought to profit accumulation. It must be embedded within the very fabric of large businesses.
Finally, there are multiple concerns around the audit of CSR and a discomfort with the lack of audit and oversight required for CSR activities. “Comply or explain” simply has not worked in the case of other existing regulatory frameworks that deal with corporate governance issues. It is time to realise that in India, only a few are in a position to ask, while nobody is in any hurry to explain.

(Samir Saran is vice-president and Vivan Sharan, an associate fellow at the Observer Research Foundation, a New Delhi-based public policy think tank.)