Context: COVID-19 made us realise the role of the global public health infrastructure and need to abide by agreed rules. Similarly, a better understanding of the global cyberspace architecture is required as cyber Insecurity of individuals, organisations and states is expanding amidst COVID-19.
- Expanding digital market: Apple, Amazon and Microsoft have added more than a trillion dollars in market value, since the start of 2020.
- Increasing cyberattacks: In one week in April 2020, reportedly, there were over 18 million daily malware and phishing emails related to COVID-19 monitored by a single email provider, in addition to more than 240 million COVID-19-related daily spam messages.
- Attacks by a state actor: China has been accused of hacking health-care institutions in the United States working on novel coronavirus treatment.
- The ban on specified Chinese Apps, on grounds that they are “engaged in activities prejudicial to the sovereignty and integrity of India” adds another layer of complexity to the contestation in cyberspace.
International efforts for cybersecurity:
- In 1998 Russia inscribed the issue of information and communications technologies (ICTs) in international security on the UN agenda.
- Since then six Group of Governmental Experts (GGE) with two-year terms and limited membership have functioned.
- The net result of the UN exercise has been an acceptance that international law and the UN Charter are applicable in cyberspace; a set of following voluntary norms of responsible state behaviour was agreed to in 2015.
- Limiting norms:
- States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
- States should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure;
- States should take steps to ensure supply chain security, and should seek to prevent the proliferation of malicious ICT and the use of harmful hidden functions;
- States should not conduct or knowingly support activity to harm the information systems of another state’s emergency response teams (CERT/CSIRTS) and should not use their own teams for malicious international activity;
- States should respect the UN resolutions that are linked to human rights on the internet and to the right to privacy in the digital age.2
- Good practices and positive duties:
- States should cooperate to increase stability and security in the use of ICTs and to prevent harmful practices;
- States should consider all relevant information in case of ICT incidents;
- States should consider how best to cooperate to exchange information, to assist each other, and to prosecute terrorist and criminal use of ICTs;
- States should take appropriate measures to protect their critical infrastructure;
- States should respond to appropriate requests for assistance by other states whose critical infrastructure is subject to malicious ICT acts;
Concerns with cybersecurity norms:
- Ignoring vital concerns: What aspects of international law and in what circumstances will be applicable remains to be addressed.
- Issues such as Internet governance, development, espionage, and digital privacy are kept out. While terrorism and crime are acknowledged as important, discussion on these has not been focused on.
- UN Secretary General António Guterres’s recent report, “Roadmap for Digital Cooperation”, gently calls for action do not hold much hope in the current geopolitical circumstances.
- Unawareness among the public: While we are embracing new ways of digital interaction and more of our critical infrastructure is going digital, like global public health, cybersecurity is a niche area, left to experts.
- No global commons: Borderless cyberspace, as a part of the “global commons” does not exist. The Internet depends on physical infrastructure that is under national control, and hence is subject to border controls too. Each state applies its laws to national networks, consistent with its international commitments.
- No international authority: There is no equivalent of a World Health Organization which can monitor, assess, advise and inform about fulfilment of state commitments, in however limited or unsatisfactory a manner.
- Non state actors: Cyberspace has multiple stakeholders, not all of which are states. Non-state actors play key roles — some benign, some malignant. Many networks are private, with objectives different from those of states.
- Cybertools are dual use, cheap and make attribution and verification of actions quite a task.
- Lack of strong cyber norms: Generally the growth of technology is way ahead of the development of associated norms and institutions. We are at an incipient stage of looking for “cyber norms” that can balance the competing demands of national sovereignty and transnational connectivity.
Need for cybersecurity in India:
- It provides countries such as ours some time and space to evolve our approach, in tune with the relevance of cyberspace to India’s future economic, social and political objectives.
- Despite the digital divide, the next billion smartphone users will include a significant number from India. As India’s cyber footprint expands, so will space for conflicts and crimes (both of a private and inter-state nature).
India’s role in global cybersecurity:
- Govt. initiatives: We have a very active nodal agency for cybersecurity in the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology.
- India has had representatives on five of the six GGEs.
- We participate actively at the OEWG.
- The Shanghai Cooperation Organisation, of which we are a member, voiced support for a code of conduct.
- India joined the Christchurch Call which brought together countries and companies in an effort to stop the use of social media for promoting terrorism and violent extremism.
- Domestically, we need the clarity that adoption of a data protection legislation will bring. Globally, we need to partake in shaping cyber norms.
- According to the Budapest Convention, or Convention on Cybercrime of the Council of Europe (CETS No.185), which started as a European initiative but has attracted others, is an option that we should examine.
- We need to encourage our private sector to get involved more in industry-focused processes such as the Microsoft-initiated Cybersecurity Tech Accord and the Siemens-led Charter of Trust.
- Engagement in multi-stakeholder orientations such as the Paris Call (for trust and security in cyberspace) can help.
In preparation for the larger role that cyberspace will inevitably play in Indian lives, we need a deeper public understanding of its various dimensions. Cyberspace is too important to be left only to the experts.
Image Source: The Hindu
About Budapest Convention on cybercrime: It provides for
- The criminalisation of conduct, ranging from illegal access, data and systems interference to computer-related fraud and child pornography;
- Procedural law tools to make the investigation of cybercrime and the securing of e-evidence in relation to any crime more effective and
- International police and judicial cooperation on cybercrime and e-evidence.
Members: 67 states — together with 10 international organisations (such as the Commonwealth Secretariat, INTERPOL, International Telecommunication Union and the UN Office on Drugs and Crime) participate as members or observers in the Cybercrime Convention Committee.
- India did not participate in the negotiation of the Convention and did not sign it.