With or without us: Bilateralism and India’s cybersecurity policies

by Anja Kovacs

While India has become a staunch supporter of multistakeholderism in Internet Governance, it has also stuck by its stance that cybersecurity should remain primarily the responsibility of governments. In the past quarter of 2015, there has been a flurry of bilateral negotiations between India and other countries on cybersecurity. What did these negotiations address, and would multistakeholder involvement really not have contributed additional value? We explore.

At the very end of 2015, India’s Prime Minister and his Russian counterpart announced their decision to step up bilateral cooperation in the field of ICTs. The various commitments they made included cooperation among relevant agencies and an intention to work towards a Russian-Indian intergovernmental agreement on cooperation in the field of international information security”1

Though this aspect of the India-Russia Joint Statement did not receive much media attention, the use of the term information security” here is noteworthy: it is widely recognised to go beyond cybersecurity issues as traditionally understood, to also include the control of content online.

So far, Russia has mostly found support for this approach in the context of the Shanghai Cooperation Organisation (SCO), for which India formally applied for full membership in July 2015. Attempts to also get acceptance of this doctrine at the global level – through an SCO proposal for an International Code of Conduct for Information Security submitted to the UN in 2011, and then again, in updated format, in 2015 – have found little success, however. Following India’s application for full SCO membership earlier this year, the India-Russia Joint Statement once again raises questions about India’s own stance on this issue crucial to user rights.2

Finding out the details won’t be easy, however: in contrast to the open approach of most Internet governance, which at least formally allows all stakeholders to participate as they see fit, bilateral negotiations are traditionally closed to all those except the invited. Where security conversations are concerned, human rights experts or organisations that defend Internet users’ rights are rarely among those.

The bilateral talks between India and Russia do not sit in isolation, however, but are among a flurry of bilateral activity on cybersecurity in the last quarter of this year, following the India-US Cyber Dialogue in August 2015. And many of these had far more concrete outcomes than the recent engagement between India and Russia.

For example, on the occasion of Prime Minister Modi’s visit to Malaysia, on 23 November, a Memorandum of Understanding (MoU) on Cyber Security was signed between the Indian Computer Emergency Response Team (CERT-IN) and Cyber Security, Malaysia, to promote closer cooperation and the exchange of information pertaining to cyber security incident management, technology cooperation, cyber attacks, prevalent policies and best practices and mutual response to cyber security incidents.”3

The following day, when the Prime Minister was in Singapore, a similar MoU was formalised between CERT-IN and the Singapore Computer Emergency Response Team (SingCERT). The MoU establishes, among other things a broader framework for future dialogue; exchange of information on cyber-attacks; research collaboration in smart technologies; exchange of information on prevalent cyber security policies and best practices as well as professional exchanges.”4

In addition, the two Prime Ministers agreed to the establishment of mechanisms for the exchange of real time information between the relevant agencies in India and Singapore” on cyber issues.5

Around the same time, during an official visit of Home Minister Rajnath Singh to Beijing from 18 to 23 November, China and India agreed to set up a mechanism at the Home Minster Level, to strengthen collaboration on, among other things, cybercrime. The mechanism will be complemented by exchange visits by experts in related fields and the strengthening of exchange and collaboration were law enforcement and law enforcement capacity building is concerned.6

Finally, and perhaps most prominently, when earlier that month, on 12 and 13 November, Prime Minister Modi visited his counterpart in the UK, Mr. Cameroon, cybersecurity was an integral part of the Defence and International Security Partnership that the countries inked. This followed the India-UK Cyber Dialogue, which had taken place in early October. As part of the new Partnership, it was agreed by the two countries, among other things, to set up a Cyber Security Training Centre of Excellence, and to step up collaboration on cross-border cyber crime and online child sexual exploitation. The UK will also provide advice on the setting up of the new Indian Cyber Crime Coordination Centre, and expert-level links will be developed between practitioners and policy makers in this field.”7

As cyber security is emerging as a priority for the government, the bilateral route is clearly taking shape as an important avenue to address related concerns.

For Internet governance watchers, this should not come as a surprise. To be fair to the Government, it has always been clear that it considered cybersecurity as a domain in which the primary role would be the government’s, and said as much when it first announced its decision to embrace the multistakeholder approach to Internet governance, in June 2015 – as well as repeatedly since then.8 Moreover, many of the initiatives announced over the past few months might well really contribute to cybersecurity in ways from which we all stand to benefit.

Yet, it remains difficult to not feel a sense of unease about cybersecurity being ensconced even further as a bilateral, or multilateral, issue, with other stakeholders having access to the conversation only when they are invited to do so. The implications for citizens’s rights of the many security initiatives announced should be subject to a much broader assessment than merely against security considerations. Questions such as whether India should embrace the doctrine of information security, or how to best address online sexual exploitation of children, should be the topic of wide debate, and involve human rights experts, organisations that fight online child sexual abuse, and others in civil society and academia who work closely on related topics, amongst others.

For them, at the moment, the question remains, however, where their point of entry in these conversations will be – and when. By the time they are invited to get involved, will the contours of the debate already have been set in such a way that important space for empowerment of users will already have been lost? And what about those who would have important and valuable contributions to make, but are not currently on the government’s radar, and so unlikely to ever be invited at all?

That governments around the world seek to retain a certain secrecy where security related policies are involved should not be a surprise, and need not necessarily be an issue. But what is crucial is that at the very least, the larger frameworks in which any concrete initiatives are embedded have the support of all. Moreover, where users are impacted by a policy or initiative directly, governments stand to gain from having them involved from the very beginning. This was illustrated most poignantly in recent times by the debacle with India’s draft encryption policy in September 2015, when the draft policy had to be withdrawn within days because of a public backlash, leaving the government red-faced.9 On some issues and at some stages of a negotiating process, a broad-based involvement from all stakeholders is, thus, indeed needed, even where cybersecurity is concerned. We hope governments from around the world, including our own, will take heed.