Introduction #

India’s stances in global Internet governance debates have often been noted, and criticised, for their strong preference for multilateral models of engagements, as different from the multistakeholder approaches that are so well-established in the field.

This was perhaps the case most notably when it proposed, in 2011, to set up within the United Nations (UN) a Committee for Internet-related Policies (CIRP) as a new institutional mechanism to deal with big, global public policy questions in Internet governance. The CIRP would comprise 50 member-states, based on equitable geographic representation. Although it would take inputs from the Internet Governance Forum (IGF), and although the proposal mentioned multistakeholder representation for good measure, this was a classic multilateral approach.¹

Critics welcomed, therefore, the announcement by Union Minister for Communications and Information Technology, Mr. Ravi Shankar Prasad, in June 2015, of a change in India’s official policy to support for a multistakeholder approach.² But even then, Mr. Prasad made clear, India would continue to advocate for a dominant role of the state in security-related matters.

This was also reflected in a subsequent domestic controversy, when the government released the draft National Encryption Policy in September 2015. The draft policy included clauses seeking to direct over-the-top applications like WhatsApp to store all communication logs for over 90 days, to be made available in simple text format when sought by the government.³ A major public outcry forced the government to withdraw the policy, but it was clear that India would continue to voice unilateral policies on Internet-related subjects when it came to security.

Why is the government predisposed towards unilateral government policy making that has far reaching implications on the daily applications of technology? In a pointed speech at the Hindustan Times Summit in New Delhi, in November 2014, India’s current National Security Advisor (NSA), Mr. AK Doval, provided some important pointers to the unique confluence of themes that have shaped India’s stances on technology-related issues and that contextualise its international positions in particular.

Why is the government predisposed towards unilateral government policy making that has far reaching implications on the daily applications of technology? In a pointed speech at the Hindustan Times Summit in New Delhi, in November 2014, India’s current National Security Advisor (NSA), Mr. AK Doval, provided some important pointers to the unique confluence of themes that have shaped India’s stances on technology-related issues and that contextualise its international positions in particular.

Mr. Doval, a former career intelligence officer who had served the government with great distinction earlier, had taken over as the NSA after the Bharatiya Janata Party (BJP)-led National Democratic Alliance (NDA) government came to power.⁴ The NDA won an absolute majority in the 2014 general national elections – a first since 1984 – under the leadership of the BJP’s Narendra Damodardas Modi, who had taken to social media sites such as Twitter and Facebook to create a major surge of support for himself and his party. After taking oath on 26 May, 2014, Mr. Modi appointed Mr. Doval as his NSA.

Speaking at the summit,⁵ Mr. Doval noted, among other things, that technology, while playing a major role in uplifting India, would at the same time serve as a major security challenge, which India would have to grapple with in the years to come. ​‘Another set of threats will be technology’, he said, ​‘and those technologies will include cyber, threats over cyberspace, which is a global common. We will have high tech wars, contact-less wars’.

Mr. Doval also pointed out that ​‘technologies will influence threats like terrorism – they will increasingly depend upon modern means of communication, transferring money ’, and India’s security establishment will ​‘have to prepare for that’.

In addition to the role played by non-state actors like terrorists, Mr. Doval identified the dominance of certain big corporations on the Internet today as a major security challenge. ​‘One of the problems we have is that technologically we have lost out in certain areas where the root servers are all under control of countries that are not under our control’, he said. ​‘A lot of these control systems are with the West mainly the US […]. They are helpful to us in some areas, but not always helpful, particularly in the corporate world. There are corporations which are very powerful, and they use it. I don’t want to name them, but they are very powerful’.⁶

Mr. Doval further made the point that India needed to make up for lost ground in a technology that has emerged as one of the most critical sectors to profoundly impact India’s global position as an emerging super power and a premier market. He closed his speech with a special reference to the economy: ​‘A country which has a vast economic potential, will have great clout. A strong economy is the surest way to secure a country’, he said.

As this paper will argue, the various themes that Mr. Doval drew upon to illustrate his view of India’s economic and security challenges and their intersection are an extension of India’s foreign policy and its historical contextual framework.

Emerging out of its colonial past in 1947, India sought to create a space for itself in the emerging global order, while battling severe lack of resources and a shattered economy. In many ways, the emerging India took to modern tools of engineering to set right the imbalance between its past and its aspirations as an independent nation.⁷ The idea of engineers, and therefore technology, helping shape a modern India began to take root, and has served as the cornerstone of India’s hopes and aspirations as a leader of the modern world. This is the context, then, that has, for decades, broadly shaped India’s positions on issues of technology and its foreign policy postures: keeping one eye on its colonial past and another on the aspirations to use technology to arrive as a first among equals.

And as this paper will show, this basic construct also serves as the defining context that has shaped India’s positions on Internet governance and cybersecurity in the last decade or so.

To better understand how this construct plays out in this particular field, this paper will map the economic, political and historical antecedents of India’s evolving positions on Internet governance as they are shaped by its concerns on cybersecurity, by its domestic context and by its overall influence on global events as they unfold.

In particular, this paper will argue that India’s positions on cybersecurity and Internet governance have to be traced from four broad and interconnected perspectives that have shaped India’s positions in the post-Independence period and which intersect at different points in time. These four perspectives are:

1. The evolution of a part-socialist, part- government-controlled capitalist economy to a more liberal economy post-1990, which would closely interact with domestic politics.

2. India’s post-Independence / post-colonial foreign policy, in particular following the ‑post 1990 economic realignment.

3. A history of technology denial, especially of dual use technologies in a security framework.

4. The challenges posed by terrorism and their impact on India’s foreign policy. These four broad factors, as this paper argues, are endemic to understanding India’s current positions on global issues related to cybersecurity and Internet governance.

In the remainder of this paper, I will thus investigate in detail how each of these perspectives has contributed to shaping India’s positions at the global level in this area. In addition, in a final section, I will assess the role that the domestic framework plays in addressing these concerns. Through this analysis, this paper hopes to contribute to a greater understanding of both India’s cybersecurity concerns and of the ways in which it approaches global Internet governance as it has emerged as one possible venue to address these pressing issues.

A good start will be to look at India’s evolution of a part-socialist, part-government-controlled capitalist economy to a more liberal economy post-1990, and the interaction of this with domestic politics.

The Economic Moorings of India’s Foreign Policy on Technology #

Emerging out of its colonial past in 1947, India sought to create a space for itself in the emerging global order, while battling severe lack of resources and a shattered economy. To shape its presence in international affairs, India chose to adopt a policy of bringing together nations that had also emerged from their colonial past in the same era. This would primarily mean India seeking multilateral platforms to engage with the rest of the world, even going to the extent of creating platforms such as the Non Aligned Movement (NAM) in the hope that greater numbers would accord India a leadership position in the developing world.

But just like India’s foreign policy was deeply influenced by nearly 200 years of colonial rule, it also shaped its embracing a socialist and planned economy based on five-year-plans that had been formulated by the Congress party over a decade before Independence. As India’s first Prime Minister, Jawaharlal Nehru adopted a statist and centrally planned economy, the emerging India in many ways took to modern tools of engineering to set right the imbalance between its past and its aspirations as an independent nation.⁸ The idea of engineers, and therefore technology, helping shape a modern India began to take root, and has served as the cornerstone of India’s hopes and aspirations as a leader of the modern world. As the first Indian Institute of Technology went up at Kharagpur,⁹ a small town near Kolkata, the capital of the state of West Bengal, the idea of technology was rooted as a great equaliser and an enabler. Addressing the first convocation, Nehru called the institution a ​‘fine monument of India, representing India’s urges, India’s future in the making. This picture seems to me symbolical of the changes that are coming to India’.¹⁰

Nehru’s daughter, Mrs. Indira Gandhi, as the Prime Minister of the Congress (I) government, continued with his approach, taking it further to a populist model, and coining the election slogan ​‘garibi hatao’ (eradicate hunger).¹¹ This is the period that saw several multinational companies being eased out, while banks were nationalised with ​‘14 banks controlling 70% of the country’s deposits’.¹²

The politics of nationalism would continue to the government that succeeded Mrs. Gandhi’s government. Led by a former colleague, Mr. Moraji Desai, the Janata Party government was a ramshackle coalition of parties with varying ideologies, hastily cobbled together to oppose the Congress (I). The Janata Party government was short-lived, but its tenure saw the exit of two high profile multi-national corporations: the then Industries minister and a known labour leader, George Fernandes, ensured the exit of soft drinks manufacturer Coca Cola and IBM.¹³

The road to IBM’s exit started a few years earlier with the setting up of the Dandekar Committee on automation.¹⁴ The Committee, headed by the noted economist V M Dandekar, recommended in 1972 controls on the introduction of computers in India, due to fears that these could have a detrimental effect on employment opportunities. Faced with a large unskilled labour force desperate for employment, the Dandekar Committee set in motion the movement that would eventually end in IBM’s ouster. In and around the same time, however, there were also debates that banked on the evidence collated by the Bhabha Committee in 1963¹⁵ to reiterate the need for an indigenous computer industry.

When IBM finally left, this was an important moment: IBM’s departure would create an opportunity for Indian technology companies to step in, and as noted, ​‘several companies emerged over the next few years to fill the hardware and software vacuum left by IBM’s departure – and three of them (Tata Consultancy Services or TCS, Wipro and Hindustan Computers Ltd or HCL) were to be at the vanguard of the 1990s information technology (IT) revolution in India’.¹⁶ The departure of these companies had a twin impact: it gave the local industry reason to start looking at IT as a new area of business and entrepreneurship, while at the same time addressing India’s emerging cybersecurity concerns as domestic companies in this field emerged and evolved.

Many of these security concerns had, in fact, first emerged at the beginning of the decade, when war broke out between India and Pakistan in December 1971. Pakistan had moved into the United States of America (US) orbit by becoming a signatory to the Central Treaty Organisation (CENTO) in 1955.¹⁷ Even though the alliance did not prove to be successful, it ensured that US sympathies would continue to side with Pakistan. In the aftermath of the 1971 war, the Nixon administration immediately placed sanctions on India, which included ensuring an embargo on the import of electronics and computers from the US.¹⁸ This, in turn, underscored the vulnerability of India’s defence sector, which needed computers and electronics for its radars and weapon systems.

By 1980, when Mrs. Gandhi returned to power, things had begun to change. Her realisation that the earlier statist models of the economy would no longer work helped create a paradigm shift. She began with a ​‘modest liberalisation of the economy’.¹⁹ This ensured that at least some sections of society were beginning to get an opportunity to set up industries and push forward the rate of growth by creating an alliance of sorts between the government and private industry. As economists have noted, Mrs. Gandhi concentrated on a three-point formula: ​‘prioritisation of economic growth as a state goal; supporting big business to achieve this goal; and taming labour as a necessary aspect of this strategy’.

This ​‘modest liberalisation’ would create the fertile ground that would be exploited by her son, Mr.Rajiv Gandhi, who would also bring in what has been termed India’s first telecommunication revolution, as well as extensive computerisation. As a case in point, the extensive computerisation of the railway passenger reservation service, a major exercise in itself, was in some ways, the first great step in creating online networks and ushering in the first tentative steps to grapple with cybersecurity.

The Countrywide Network for Computerised Enhanced Reservation Ticketing (CONCERT) was started in 1987 from Delhi and made available at 700 locations initially, using 3000 computer terminals. The sites were networked and allowed passengers to book their tickets at railway counters in real time, as railway officials had visibility into the availability of tickets. Interestingly, the Indian Railways was one of the first government organisations to go in for large scale computerisation, with most of the work being carried out by the Centre for Railway Information Services (CRIS) that was created in 1986.²⁰

Clearly, economic concerns profoundly impacted India’s slow but steady approach to first rejecting and then embracing computers – first viewing it as a threat to the economy that was predicated towards protecting jobs, but also accepting subsequently that it was an economic enabler and could provide exciting opportunities for growth. Starting in the late 1970s, a combination of largely economic, and at times seemingly contradictory, factors that grew out of the political ideologies of that time, thus had begun to come together to forge a new destiny for India’s tryst with the Internet and the possibilities it offers. By the time the Rajiv Gandhi-led government came to power in 1984, these new philosophical constructs were already beginning to take shape and could be seen in what can be termed as a more ​‘assertive’ India. Once again, it was established in the Indian economic and political consciousness that technology is an enabler and would be able to provide substantial solutions to India’s long suffering economy.

Living with Technology Denial #

While India was building its indigenous IT capabilities, it was also grappling with a range of international technology denial regimes that would leave a major impact on its foreign policy posture in the future.

The fear of a US intervention during the 1971 war had led to worries about India’s sovereignty being under threat by Big Power intervention.²¹ This had added further impetus to India’s nuclear programme that was both peaceful and military. When in 1974, India’s tests of a nuclear device led to immediate sanctions, this caused major suspicions about denial of technology among Indian policymakers.

Future events proved that this was not without reason. A case in point was the major kerfuffle over the denial of cryogenic rocket engines that India had sought for its space programme in the 1980s. The entire episode of technology denial and India’s reaction to it at that point explains the deep-rooted suspicions that are firmly embedded into India’s foreign policy to this day. As we will see, this event from the 1980s would deeply influence India’s belief in a multilateral world order decades later, when it began to wrestle with the challenges of Internet governance.

Hampering the Development of India’s Space Program #

What happened? Around 1986 – 87, the Indian space programme was in the midst of developing a massive rocket to launch satellites into a 24-hour orbit.²² The Indian Space Research Organisation (ISRO) first held discussions to develop or buy cryogenic engines with Japan but ​‘nothing came of it’.²³ ISRO was also approached by a US company, General Dynamics Corporation, offering an American engine.²⁴ But the costs were prohibitive, and an offer from the European multinational corporation, Arianespace also proved to be too costly.

A third offer materialised from the Soviet Union, which offered two engines as well as a transfer of technology for a deal that would amount to USD 200 million. ISRO immediately agreed to the proposal and on January 18, 1991, inked an agreement with the Russian space agency Glavkosmos. The deal included a transfer of cryogenic technology.

However, the Soviet Union was in chaos and Mikhail Gorbachev soon announced its dissolution, forcing a major economic and political crisis. The newborn Russian federation immediately came under considerable pressure from the US, which forced the Russians to renege on the deal for the engines and the technology transfer.

Glavkosmos and ISRO immediately began to work on an alternate plan to outsource the cryogenic engines²⁵ to a Kerala-based unit known as ​‘Kerala Hi-tech Industries Limited’ (KELTEC). The arrangement was designed to get around the provisions of the Missile Technology Control Régime (MTCR),²⁶ a broad coalition of 34 countries that imposed restrictions on the proliferation of unmanned delivery systems (missiles) capable of carrying weapons of mass destruction. However, the new arrangement once again faced tremendous pressure from the US and the then President George Bush described it as a violation of the MTCR. In May 1992 the US imposed sanctions on both the space agencies, ISRO and Glavkosmos. Despite strong objections from New Delhi, the deal had to be scrapped.

On several occasions, India’s Foreign Service officers pointed out to their US counterparts that they had not raised any objections when General Dynamics approached them with a proposal to sell the engines and the technology. The US had also never raised any objections between 1988 and 1992, when the Indian and Russian space agencies were working out a deal for a transfer of technology. Moreover, India had explained that the ​‘high-powered hydrogen-fuelled upper stages, which took a long time to prepare, were of little military value’ and could not be adapted for military applications.²⁷

Finally, a revised Indo-Russian agreement was drawn up in January 1994 that agreed to transfer seven fully assembled KVD‑1 engines, without the technology. Under pressure from the US a clause was inserted that India would ​‘agree to use the equipment purely for peaceful purposes, not to re-export it or modernise it without Russia’s consent’.²⁸

Even then, for India, its leveraging of its bilateral relationship with Russia to by-pass a multilateral agreement without becoming a signatory or adhering to its restrictive clauses had been a success.

Opposition to India’s Nuclear Tests #

If the denial of cryogenic engines is instructive, it is not the only occasion on which India has had to face an international technology-denial régime. In May 1998, as soon as India announced a series of successful nuclear tests, sanctions were imposed by the United States.²⁹ The sanctions were supported by several major European countries and led to a sudden denial of several high-technology transfers that were in the pipeline.

The sanctions also resulted in an immediate stop to several security and defence-related projects that had been on the anvil. This also delayed the indigenous light combat aircraft programme and grounded the Indian Navy ​’s Sea King helicopters.³⁰ This grounded India’s entire anti-submarine warfare capabilities, and the sanctions would hurt Indian security needs even more the next year when the Kargil war commenced. The war in Kargil, though primarily a localised land battle between the Indian and Pakistani armies, also saw a heightened deployment of the air and naval assets. The Indian Navy was severely hampered during its combat deployment during the war as a result of the sanctions.

The sanctions were supported by the G‑7 countries, which also ensured that there was no non-humanitarian lending by various monetary bodies, such as the World Bank and the International Monetary Fund.³¹ By then, however, seeking inclusion in technology denial regimes through multilateral diplomatic effort had become the hallmark of India’s approach to such regimes – be it the Non Proliferation Treaty (NPT), the Comprehensive Test Ban Treaty (CTBT), or the MTCR.

Like the MTCR, the NPT and the CTBT were regimes created to impose restrictions on technology that enabled the proliferation of weapons of mass destruction or systems that could deliver them. India had never signed on to the CTBT³² and was opposed to the NPT for decades. In fact, when Prime Minister Narasimha Rao’s government began plans to carry out nuclear tests, the US immediately commenced a major exercise to persuade him not to do so,³³ which raised Indian suspicions.

On each of these international agreements New Delhi’s consistent position has been to label them as ​‘discriminatory’, and each has repeatedly been described by India as an ​‘unequal treaty’.³⁴ India viewed these regimes with suspicion, as Big Power attempts to use technology to create a world of haves and have-nots. With its history of taking leadership roles in setting up the Non Aligned Movement as a power bloc to resist Big Power hegemony, these regimes were clearly unacceptable for India in particular.³⁵

And so, when in May 1998, Prime Minister Atal Behari Vajpayee’s government would carry out the nuclear tests that were shelved by Prime Minister Rao under US pressure, and the tests would lead to immediate sanctions and a dip in bilateral relations with the US, India did not merely accept the status-quo. In the wake of the sanctions imposed in the late nineties, a series of secret back-channel talks³⁶ between the then Minister for External Affairs, Jaswant Singh, and the US Deputy Secretary for State, Strobe Talbott, took place, which India used to raise its concerns and achieve its objectives with regards to these multilateral arrangements. As it had done with Russia earlier, India leveraged its bilateral relationship with the US in an attempt to change its status-quo vis‑à-vis multilateral regimes like the NPT (or the CTBT), even without becoming a signatory to any of these treaties.³⁷

The Threat Posed by the Wassenaar Arrangement #

It is in this contextual framework then that India’s consistent opposition to technology regimes that came up in the mid-1990s, such as the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, has to be seen.

The Wassenaar Arrangement was initially brought in by the North Atlantic Treaty Organisation (NATO) countries in July 1996.³⁸ At that time the Arrangement was signed by 41 countries, who met again in December 1996 and issued a detailed list of items that would be placed under control.³⁹ This list was further expanded in 2013 after the United States’ Department of Commerce, Bureau of Industry and Standards, proposed a new category covering ​‘intrusion software’,⁴⁰ following a plenary held at Vienna in December 2013 in the wake of the Snowden revelations.⁴¹

When the announcement of the expansion of the list was made, Indian officials stated:

These changes could have severe impact on India’s cybersecurity programme – both software and hardware – as these would come under export control régime, the entire inventory of high-end cybertechnology is with the Western countries like the US and they may deny products to Indian organisation.⁴²

Officials also argued that the 41 signatories to the Wassenaar Arrangement included the countries that have produced many of the technologies that were now being included under the régime. This would create, Indian officials and policy wonks argued, a global division between the technology haves and have-nots,⁴³ therefore denying them the fruits of development that the West has traditionally enjoyed.

They also argued that the changes and the new inclusions would deny developing nations like India, still grappling with the cusp of major technological challenges, the ability to carry out research, impacting the emerging digital economy.⁴⁴ This would also adversely impact India’s cybersecurity, since India would be deprived of the learnings of developed nations.

India’s reaction to the latest proposal under the Wassenaar Arrangement was swift and forceful, consistent with its earlier position on technology denial regimes.⁴⁵ New Delhi felt that the inclusion of cyber-related items under the Wassenaar Arrangement was an attempt to continue keeping India out of the high technology stakes. It would also ensure, New Delhi feared, that India would be kept away from the high table where key decisions are taken.⁴⁶ India reacted, in 2013, by taking pre-emptive action, buying critical technologies that could possibly come under the Wassenaar Arrangement once the updated list had been accepted by the signatories.

At the same time, however, New Delhi renewed its multilateral diplomatic effort with the aim of changing the multilateral paradigm and thus, making the earlier need for inclusion in this régime completely redundant. As the Wassenaar Arrangement was expanded, in 2013, to include an ever-growing list of technologies, India’s then Foreign Secretary, Rajan Mathai ruled out accepting the legitimacy of these regimes as long as India was not at the decision-making table, and reiterated India’s demand to be treated as an equal, which was not the case in the existing international multilateral regimes that had imposed such restrictions in the past.⁴⁷ New Delhi argued that it had an excellent track record of enforcing a ​‘legally based domestic export control system that would fortify the commitment to act in accordance with the guidelines’ of such technology denial regimes.⁴⁸ Mr. Mathai also pointed out that:

India has a longstanding commitment to complete, universal, non- discriminatory and verifiable elimination of nuclear weapons in a time-bound manner – a vision that was set forth in the Rajiv Gandhi Action Plan. We remain committed to a voluntary and unilateral moratorium on nuclear explosive testing.⁴⁹

Clearly, in New Delhi’s view, leveraging relationships with other States to attain its objectives in multilateral forums was likely to pay the highest dividend where such discriminatory treaties were concerned. With technology-denial constructs emerging after India’s attempts to harness nuclear energy for a weaponisation programme in 1974, India’s opposition to any treaty or international coalitions that it deemed ​‘unequal’ had become the norm for its foreign policy since the events of 1991, as India grappled with several economic and foreign policy crises. New Delhi consistently leveraged its equation with other governments, to engage and influence multilateral regimes. The partial success that came New Delhi’s way reinforced its belief in using such an approach, especially when it came to addressing its security-related issues.

As the economic and foreign policy crises of the 90s gave further impetus to this approach, these will be examined in further detail next.

Charting a New Course in Foreign Policy #

India’s economic evolution continued to shape the country ​’s positions on cybersecurity and Internet governance in the 1990s. As India entered the final decade of the last millennium, it came close to an economic meltdown, leading to a major reconstruction of its economic policies and the establishment of a more liberalised régime. This impacted the traditional economy, as India began the inexorable move towards a more services-oriented economy, paving the way for a greater role of computers and information technology⁵⁰ as the harbingers of great change. As the Indian economy began to grow, the Internet began to take root, slowly but steadily, thus giving birth to a new awakening to concerns about cyber security. As we will see, in addition to the uprising in Jammu and Kashmir, this also played a major role in strengthening the ​‘sovereignty’ philosophy of India’s foreign policy, while at the same time leading to India reaching out to the world, seeking new allies and shifts.

Economic Crisis, Political Change #

In 1991, India was facing one of its worst economic crises.⁵¹ The Gulf War in 1990 had a cascading effect on world oil prices, which in turn precipitated the crisis of the Indian economy, a year later. As investor confidence in India eroded, this created a balance of payments deficit, sending shockwaves through the Indian economic system.⁵²

As the Narasimha Rao-led Congress coalition government moved quickly to stem the rapidly spreading economic shock, it brought in an Oxford-educated economist with a World Bank background to helm the economy. Dr. Manmohan Singh would become part of the cabinet and bring about a historic liberalisation of the Indian economy that went along with the major changes that Prime Minister Narasimha Rao was planning for replacing a moribund foreign policy.

With India seeking funds and support from various Western entities to revive its economy, Prime Minister Narasimha Rao began to radically change India’s earlier foreign policy biases. While India had always remained committed to Western political values,⁵³ it had emerged as an opponent to the Western world view on many occasions. But with India’s staunch ally, the Soviet Union, dissolving, Prime Minister Rao began to look at a more pragmatic policy approach. He broke new ground by establishing diplomatic relations with Israel, ushering a new level of cooperation on security issues, while also seeking a closer equation with the United States.⁵⁴

The new equation that began to emerge between India and the United States would further lead to a renewed sense of engagement that could break from the past. Two major impediments in the Indo-US relationship had begun to dissipate: the Soviet Union, a traditional ally to India, had ceased to exist, and the war in Afghanistan, supported by the US through India’s traditional enemy Pakistan, was winding down after Russian troops withdrew. Clearly, there were possibilities that could be explored on both sides. A pragmatic Narasimha Rao-government was already moving ahead with many far reaching changes, and this adaptation would set the stage for a deeper engagement a decade later, that in turn, would have a major and defining impact on India’s cybersecurity posturing.

The year 1990 had also witnessed a major outbreak of a popular uprising against India’s rule in the Muslim-majority state of Jammu and Kashmir. The uprising was the legacy of the two-nation theory that had separated British India into two countries in 1947, based on their religious composition. Independent states like Jammu and Kashmir were given the choice to join India or Pakistan. The ruler of Jammu and Kashmir, a Dogra Rajput Hindu, threw in his lot with India, a decision that immediately led to the first Indo-Pakistan war.⁵⁵

In many ways, the 1990 uprising in Jammu and Kashmir also played a major role in influencing India’s foreign policy. The uprising led to active diplomatic and material support from Pakistan to the militancy movement, impacting India’s traditional foreign policy significantly.⁵⁶

While India was tackling the rising insurgency in Jammu and Kashmir, India and Pakistan began trading charges of human rights abuses. In many ways this single event has continued to leave a deep impact on India’s foreign policy ever since. This change has been away from the ​‘internationalism’ that was practised since independence in 1947 and instead, shifted to a new language of sovereignty.⁵⁷ India’s interventions are now based on the principle that ​‘a call for human rights must not lead to interference in internal affairs’, underscoring the theme that it will not brook any intervention in its internal affairs on any ground.

This shift, in turn, would also influence its subsequent positions on adopting a multilateral framework on various international issues such as Internet governance.⁵⁸

India and the US: Stepping Up Bilateral Engagement #

Despite the sanctions imposed by the US post the May 1998 nuclear tests, conducted by the short-lived Atal Behari Vajpayee-led minority government, there were back-channel bilateral talks that explored the possibility of a new relationship. President Bill Clinton tasked Strobe Talbott to engage the Indians in a series of secret parleys that would shape the next decade.⁵⁹

The result of these secret bilateral talks was revealed in February 2000, when the US and India agreed to a slew of measures to improve their bilateral relationship.

One of the first moves was to establish a Joint Working Group on Counter-Terrorism that would establish commonalities in goals and find new areas of cooperation. A year later, when Prime Minister Vajpayee visited the US on his first major trip abroad, this agreement would lead to the establishment of a major bilateral security dialogue.⁶⁰ During the trip both governments made a significant addition to the Joint Working Group on Counter Terrorism by creating a sub-group for cybersecurity.⁶¹

The new forum clearly ​‘grew out of’ the bilateral ​‘counterterrorism dialogue’ and was ​‘dedicated to protecting the critical infrastructure of the knowledge-based economy’. The forum included ​‘government agencies and private sector participants from India and the United States’, identifying ​‘risks and common concerns in cybersecurity’ aimed at crafting ​‘an action- oriented work plan on securing networked information systems’.⁶²

The new forum was also tasked with creating a comprehensive dialogue and cooperation on ​‘cyber-security, cyber-forensics and related research and works towards enhancing co-operation among law enforcement agencies on both sides in dealing with cyber-crime’. By January 2004, India’s Computer Emergency Response Team (CERT-IN) was also active,⁶³ modelling itself on its US counterpart. This, too, was a result of the 2001 agreement framework to ​‘share expertise in artefact analysis, network traffic analysis, and exchange of information’.⁶⁴

The path-breaking bilateral dialogue of 2000 – 2001 would, thus, redefine India’s relationship with the US and reinforce its belief in using a bilateral relationship to achieve outcomes that could change the paradigm in multilateral settings. In many ways, India’s strongest relationship on cybersecurity had now emerged from a bilateral approach with the US, which would influence its positions when dealing with various multilateral forums and regimes.

The Impact of Terrorism #

The fact that a bilateral cybersecurity dialogue between India and the US was added as a sub-set of the Joint Working Group on Terrorism is a major indicator of how New Delhi coupled technology with terrorism, thus making the latter the overarching paradigm. It also amplified New Delhi’s preference for government-to- government forums to achieve its stated foreign policy objectives. While the role of terrorism in shaping India’s cybersecurity and Internet governance positions is discussed in detail in section four of this paper, it is important to understand here the basics of how it became such an overarching priority.

Post-1990, after the emergence of Pakistan- sponsored terrorism in the Kashmir Valley, India was pitted against its neighbour on global forums in a bid to establish its narrative of the conflict. As the two regional neighbours sparred on various forums, each sought to build coalitions in multilateral platforms to build their case. The fall-out of this global sparring would inevitably shape the foreign policies of both nations.

This was visible when India would work hard towards de-hyphenating some of its most important bilateral relationships from Pakistan. Much of the post-Vajpayee era engagement with the US would see India’s Foreign Service officers make a case that India should not be equated to Pakistan, and instead, be treated as an emerging global power since it already had a much bigger economy and was the world’s largest democracy, unlike Pakistan. Seen in the light of India’s discernible shift in foreign policy since 1991 which we examined earlier,⁶⁵ this created an added emphasis on ​‘sovereignty’ as a major driver of New Delhi’s international outreach. It would also further set India’s foreign policy on to the path of using its bilateral or multilateral diplomatic clout to address bigger multilateral regimes.

Ironically, Pakistan’s foreign policy would try and drag in India on most of its foreign policy postures on multilateral forums, such as the UN or the Organisation of Islamic Countries (OIC), with a mandatory mention of Kashmir and/​or attempts to use India’s gains – such as the nuclear deal with the US – to try and get similar bilateral deals.

The renewed engagements between India and the US were also partially influenced by the views that New Delhi and Washington shared on the Al Qaeda attack of ⁹⁄₁₁. Since 1990, when New Delhi had combated terror attacks in Jammu and Kashmir, it had sought Washington’s active role in reigning in what it perceived to be Pakistan’s involvement in sponsoring acts of terror. This was a consistent theme that would be reflected repeatedly by subsequent Indian regimes, even though they emerged from different political dispensations.⁶⁶ But after ⁹⁄₁₁, this relationship would undergo a significant change as terrorism became a common concern, leading to greater synergy on issues such as intelligence-sharing, and more aligned views on terrorism.

From Bilateral Engagements to Multilateral Gains? #

A significant fall-out of the 2000 and 2001 agreements would be repeated assurances from the US government that it would support India’s membership in previously restrictive technology-denial regimes like the Wassenaar Arrangement. In November 2010, the US Deputy National Security Advisor for International Economic Measures, Michael Froman, accompanying President Barrack Obama on a bilateral visit, stated that he was ready to support India’s inclusion in the Wassenaar Arrangement.⁶⁷ He clearly stated:

the United States will support India’s full membership in the four multilateral export control regimes. These are the Nuclear Suppliers Group (NSG); the MTCR; the Australia Group; and the Wassenaar Arrangement.

This position has since been repeated, with New Delhi viewing Washington DC’s cooperation as a key stepping stone to joining multilateral regimes. On a bilateral visit to the US, Prime Minister Modi and President Obama once again reiterated their intention to cooperate in getting India on board multilateral regimes such as the MTCR and Wassenaar Arrangement⁶⁸ and even on India’s long-standing demand to be included as a permanent member of the UN Security Council.

What the above highlights once again is how India has consistently aimed to leverage its bilateral relationship with the US to gain admittance into other multilateral regimes. New Delhi’s calculation is hinged on building a robust bilateral relationship with the US, which, in turn, will use its clout to get it to the global high table. Washington DC’s public endorsement of New Delhi’s stance helps greatly in that sense. Yet, at times contradictory and confounding, India would both oppose and engage with the US at the same time. In creating this arrangement, it drew upon the pragmatic argument that if India needed to gain a foothold in the international Internet governance debates, it needed the US on its side, without diluting the traditional suspicions that India harboured.

Beyond its bilateral relationships, India has also been leveraging multilateral bodies that it has helped create to influence issues related to technology and security. This is reflected in India’s keenness to use IBSA (a grouping of India, Brazil and South Africa – a reduced version of BRICS without China and Russia) to issue joint statements on ​‘enhanced cooperation’ that will enable ​‘governments on an equal footing’.⁶⁹ Indeed, New Delhi continues to emphasise ​‘the need for global cooperation to ensure that [the] Internet continues to be a free and secure medium for the whole world’.⁷⁰

This is also visible from the fact that India’s ​‘sovereignty’ emphasis in its post-1991 foreign policy closely matches that of its BRICS partners, Russia and China. So far, Internet governance has seen a ​‘commitment to the rule of law (domestically and internationally), even to the point of considering a conditional view of sovereignty, along with a multilateral cooperation of the states’.⁷¹ However, Russia, China and India have, based on their historical antecedents, agreed in the past on an emphasis on ​‘great power privilege in the operation of the international system’.⁷² Their view ​‘entails a strong rather than conditional interpretation of sovereignty’ and is ​‘based on hierarchical state-society relations and limited or non-existent stakeholder consultation’.⁷³ As has been pointed out earlier, India has traditionally identified with less consultation and a more central role being attributed to the state, and even though it has now declared formal support for the multistakeholder approach in Internet governance, this doesn’t seem to have affected this belief that it shares with its BRICS partners – at least not where cybersecurity is concerned.⁷⁴

The fact that India has tried, in various ways, to gain membership but has failed⁷⁵ has not dampened its resolve for a seat at the multilateral forums that matter to its security concerns and ambitions. Naturally, therefore, New Delhi has always responded positively to pronouncements such as those by Mr. Froman or President Obama, mentioned above, and has consistently welcomed them.⁷⁶

In the next section, the intersection between terrorism and India’s cybersecurity concerns is examined in more detailed.

Terrorism, Law and Order as Drivers of the Debate on Cybersecurity #

In 2012, a United Nations report on ​‘The Use of the Internet for Terrorist Purposes’⁷⁷ noted that:

the benefits of Internet technology are numerous, starting with its unique suitability for sharing information and ideas, which is recognised as a fundamental human right. It must also be recognised, however, that the same technology that facilitates such communication can also be exploited for the purposes of terrorism. The use of the Internet for terrorist purposes creates both challenges and opportunities in the fight against terrorism.

For India, the Internet has indeed been at once a major opportunity as well as a security nightmare. As explained earlier,⁷⁸ terrorism has in fact become the overarching paradigm for India’s cybersecurity concerns.

Law and Order, Terrorism and Technology in India #

India’s concerns about the intersection of technology and terrorism have been accentuated with the proliferation of communication tools by terrorists using Internet-based platforms. The attack on Mumbai by Lashkar-e-Taiba (LeT) on November 26, 2008 illustrated how the terrorist-handlers based out of Karachi, Pakistan, used Voice over Internet Protocol (VoIP)⁷⁹ to direct the attack on key targets in Mumbai.

India’s Law Enforcement Agencies (LEAs) have repeatedly cited the advent of the Internet and specifically social media, as one of the key challenges for dealing with law and order issues. In September 2013, when communal riots broke out in the district of Muzaffarnagar in India’s most populous state of Uttar Pradesh (UP), the state police immediately blamed social media for ​‘inflaming hatred between the warring communities’.⁸⁰ A senior state police officer named ​‘Facebook, WhatsApp, Twitter’ at a press conference just after the riots broke out. ​‘Fear and distrust between communities’ he said, was being spread ​‘using’ social media. He also pointed out that

one specific video (being used to promote violence) which is very popular on social media, is not related to any incident in western UP and was uploaded on YouTube. [We believe] it belongs from an incident that took place outside India.

At the annual conference of all police chiefs in India, a month later, the UP state police made a detailed presentation to their counter-parts pointing out how social media was being ​‘abused’, and repeated letters to corporations like Google and Facebook did not yield any results. In some ways, the current NSA, Mr. Ajit Doval would reflect the same views, as detailed in the introduction to this paper.

While India has combatted terrorism through the 1980s in various forms, it faced a major challenge after the local population in the Kashmir Valley began violent protests after a large scale rigging of the local state elections was discovered just before the start of 1990. The state of Jammu and Kashmir has remained a major flash point between India and Pakistan since Independence, leading to four major wars. India has argued throughout that Pakistan has consistently used asymmetric forces against India by covertly supporting terrorist groups. The challenge posed by terrorism post-1990 meant that India also had to begin to grapple with various kinds of security challenges largely centred on secure communication technologies used by these terrorist groups.

The first major use of Internet-based communication tools by terrorists was discovered by Indian security agencies in 2006, after a little-known outfit going by the name of the Indian Mujahideen (IM)⁸¹ carried out a series of bomb attacks across several prominent Indian cities, including Delhi and Mumbai. The investigations into the IM terror attacks revealed that attacks had been planned over secure online communication channels.⁸² This case was unique for investigators when they began to track the messages that had been sent by the IM. The tracing of the IP addresses led them to an open Wi-Fi network, which had been used by the terrorists to send their messages and ensure that they couldn’t be tracked.

Subsequently, the IM improvised when they learnt that their MS Word documents could be traced. Instead, they began to send their documents as PDFs, a clear indication that the group was learning to hide its tracks between attacks.⁸³ Investigations would later reveal that the group was also using encrypted email accounts that would be deleted if they weren’t accessed every 24 hours. This ensured that investigators had a difficult time accessing online content or metadata to anticipate attacks. The terrorists also used proxy servers extensively to ​‘camouflage their geographical locations’.⁸⁴

Extracts from the interrogation report⁸⁵ of one of the prominent leaders of the IM, Mohammed Ahmed Sidibapa Mohammed Zarar, better known as Yasin Bhatkal, also shows a new breed of Indian terrorists using the Internet for planning attacks around 2007.⁸⁶

According to Bhatkal, specific Internet-related tasks were given to other members of the sleeper cell designated ​‘Bhatkal Group’. One person was designated to prepare ​‘claim emails’, taking credit for the bomb attacks that would ensue, while another would look after finding open Wi-Fi networks that would be used to transmit the emails.⁸⁷ Bhatkal also discussed how fake passports were made to help him travel anonymously; a copy of the fake document was sent on Wikisend. In addition, www​.fake​mail​gen​er​a​tor​.com was used ​‘for creation of fake email ids’.⁸⁸ Bhatkal refers to a plethora of email identities that he used frequently for planning attacks.

The document then goes on to explain how the group used secure and encrypted online chat applications to avoid being identified by security and intelligence agencies before and after terrorist attacks had been carried out.

The terrorist attack on Mumbai on 26 November, 2008, would again prove to be a major challenge for Indian security agencies. The attack, carried out by members of the Pakistan-based terrorist group LeT would last for three days before Indian commandos cleared the attackers from three different sites. Over three days, Indian security agencies would intercept communication between the terrorists and their handlers, believed to be based out of Karachi, Pakistan. The initial delay in being able to identify where the terrorists were calling from would lead to a major setback in the counter-terrorism operations, but the VoIP logs would be a critical part of the evidence.⁸⁹

The recent revelations from the Snowden- documents show that the British techint agency, Government Communications Headquarters (GCHQ) was monitoring the computer of the LeT’s Zarar Shah, but did not inform its Indian intelligence counterparts.⁹⁰ This raised suspicions among Indian security officials that the West was not sympathetic to India’s concerns on terrorism.⁹¹ A news report, based on the Snowden revelations, stated that ​‘United States spy agencies also alerted their British counterparts, according to a senior American intelligence official. It is unclear if the warnings led to the targeting of Mr. Shah’s communications, but by the fall of 2008, the British had found a way to monitor Lashkar’s digital networks. So had the Indians. But until the attacks, one Indian official said, there was no communication between the two countries on the matter’.⁹²

Multilateralism the Way Forward? #

India has tried to address the challenges that its security agencies are faced with in the areas of law and order and terrorism in a variety of ways. In 2011, a petition was filed by Yahoo! India Pvt Ltd. against the Union of India in the Delhi High Court.⁹³ The petition records repeated demands for access to IP addresses and email content by the government, citing demands from the Intelligence Bureau (IB),⁹⁴ India’s premier internal intelligence organisation. The petition records how the IB sought this data under section 28 of the Information Technology Act 2000, through the offices of the Controller of Certifying Authority (CCA) under the Department of Information Technology, Government of India.

More important for this paper, however, is that instances such as those detailed above have also sharpened India’s approach favouring a multilateral approach to cybersecurity at the global level. In fact, for New Delhi, building a broad global coalition on security issues, both from an approach and treaty perspective, has been the corner stone of its foreign policy, especially when it impinges on its global security concerns, for almost two decades now. Thus, in September 1997, India became one of the early signatories to the International Convention for

Suppression of Terrorist Bombings.⁹⁵ A year earlier, India had tabled a draft Comprehensive Convention on Terrorism, which it revised and resubmitted during the 55^th UN General Assembly in 2000⁹⁶ and it has continued to press for it over the years.⁹⁷

It is against this background then, that Minister Prasad’s insistence, highlighted in the introduction to this paper, that security-related issues would continue to see a dominant role by the State as far as India is concerned, has to be understood. Mr. Prasad made this amply clear in the same message in which he announced India’s change in policy to embrace multistakeholder approaches to Internet governance.⁹⁸ Security concerns have resulted in India grappling to have a greater say in the Internet governance space in the belief that it will have a more forceful voice using the multilateral approach.

In many cases, those concerns are centred around issues of online jurisdiction. For instance, if an online crime were to occur beyond India’s territorial boundaries, but the evidence was present in servers in India, would the laws of other nations be applicable here? This is also complicated by the fact that Indian security officials frequently complain that getting data under the Mutual Legal Assistance Treaty (MLAT) has been a huge challenge. These issues are a recurring theme and a major reason for India’s opposition to the Council of Europe’s Convention on Cybercrime, better known as the Budapest Convention.

The Budapest Convention came into being on November 23, 2001 as a first multilateral effort by member signatories to address jurisdictional issues. Intended to create a ​‘common criminal policy aimed at the protection of society against cybercrime’,⁹⁹ the convention also set the gold standard for cybersecurity – confidentiality, integrity and availability (CIA) of computer systems.

For India, the agreement, though beneficial at many levels, was, however, unacceptable. Taking a cue from Russia that the Convention was fatally flawed and could jeopardise issues of sovereignty,¹⁰⁰ India along with China and Brazil argued that a treaty negotiated by Europeans for themselves was clearly unacceptable to their aspirations and sovereignty.¹⁰¹ While India generally opposes treaties that it has not been party to during the negotiation on the clauses, it was particularly opposed to the implications of clause 32 (b) of the Convention, which it deemed to be discriminatory. The clause refers to ​‘trans-border access to stored computer data with consent or where publicly available’ and specifically states that a Party may, without the authorisation of another Party, ​‘access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system’.

While echoing the worry that most servers are situated in the US as a reason for India’s decision to not sign the convention,¹⁰² India instead has consistently sought US involvement in pushing for establishing a root server in India¹⁰³ in the belief that it will give it much greater say and control over the Internet.¹⁰⁴ India has also tried to find redressal for its concerns by submitting a proposal in 2014 in the United Nations’ International Telecommunications Union (ITU) to develop a ​‘public telecom network architecture that keeps traffic originating and terminating in the country/​region and meant for the country/​region, as well as address resolution relating to such traffic’ local.¹⁰⁵ In this same draft resolution, India also requested the ITU Secretary-General to ​‘work with all other stakeholders, including international organisations, to make changes so that it is possible to discern the country location of a particular IP address’.¹⁰⁶ The proposal, despite being presented twice with modifications, did not find much support.

As mentioned in the introduction, in 2011, India had already proposed the establishment of a UN Committee on Internet-related Policies (CIRP). This proposal, too, did not receive much support.

While India had, thus, been pushing for a more multilateral approach to governing the Internet through new treaties and frameworks internationally, on the domestic front, it, however, continued to lack abysmally where cybersecurity was concerned. This, in turn, would also shape India’s foreign policy posturing, as it sought to balance its internal inadequacies with a rapidly changing international environment deeply impacted by emerging Internet-based technologies.

Cybersecurity: National Policy, Statutes and Critical Information Infrastructure #

In his seminal 2010 paper on ​‘Cyber Power’,¹⁰⁷ Joseph Nye, a scholar with the Belfer Center for Science and International Affairs at the Harvard Kennedy School, pointed to the use of cyberspace to attain national objectives. Cyber power, he noted, can be used to ​‘produce preferred outcomes within cyberspace’ and it can be used ​‘to produce preferred outcomes in other domains outside cyberspace’. This construct fits exactly with the vision that Indian policy makers have espoused and aspired for historically, as is evident from the previous sections of this paper. The fact that India will be one of the largest online markets in the world, and is the world’s biggest democracy, work in its favour and can substantially buttress Nye’s point about ​‘cyber power’.

However, to attain ​‘cyber power’ a nation needs to overcome a series of challenges that are caused by either a lack of capacity, or by a set of legacy issues. Some of these apply to India. In 1978, an Indian economist, Professor Raj Krishna, coined the term ​‘Hindu rate of growth’¹⁰⁸ to describe the low rate of economic growth against the back drop of a predominantly socialist economy. This theory continues to be used to understand the lack of progress on most issues in India, despite its post-1990 economic liberalisation that has witnessed a surge in its aspirations, individually and collectively. Thus, the road to developing a framework for cybersecurity in India has been a similarly slow and torturous process.

This slow pace of evolution in India’s Information and Communications Technology (ICT) framework has impacted its policies abroad. While India lacked the wherewithal to address the domestic issue, it sought to make up internationally by exercising its political clout and building up alliances as discussed earlier.

Till the specific and statutory role of government agencies was spelt out in section 70 (A) and 70 (B) of the IT Act (Amended 2008), the bulk of the India’s cybersecurity concerns were the responsibility of one single agency: the Computer Emergency Response Team – India (CERT-IN). Set up in 2004,¹⁰⁹ it mapped India’s cybersecurity posture and was the sole point of contact for expertise on these matters to the government. Post its statutory role prescribed in the IT Act, it continues to play a dominant role in the cybersecurity space and serves as the single point of contact for international cooperation with other CERTS.

In more recent times, additional building blocks have been added to the domestic ecosystem. Three initiatives require attention in particular.

The IT Act #

While the Information Technology Act, 2000¹¹⁰ had rudimentary clauses for protecting data, there was no comprehensive clause that looked at cybersecurity per se from a statutory perspective. This is because India was still at a nascent stage of its journey of embracing the Internet, and the computerisation of large government networks and processes was just beginning. The IT Act initially was actually drawn up to protect the business interests of the IT-enabled services (ITES)¹¹¹ industry. But clearly, the initial version of the IT Act failed to fully appreciate the power of technology and its impact in the years to come.

The fact that the original IT Act failed to mention cybersecurity is an indication of the inability of Indian law makers to fully grapple with the sudden growth of the IT and ITES industries. The original IT Act of 2000 has a rudimentary framework to address computer-related issues and appointed the CCA¹¹² as the major point-person for most data security related procedures and functions, emphasising data security, rather than cybersecurity. In fact, the Act did not mention cybersecurity even once, and had limited scope in looking at the issue of security. However, the Act did refer to ​‘hacking’, defining it

as an intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.¹¹³

The following years, however, showed that cyber risks rose dramatically as more systems began to be included in the ICT framework. As data¹¹⁴ shows, the increase in threats and attacks grew in quantum leaps:

Table 1. Growth in select cybersecurity threats, 2006 – 2007 to 2014 – 2015

Event	2006 – 2007	2014 — 2015
Security Incidents Handled	552	130338
Security Alerts Issued	48	13
Advisories Published	50	69
Vulnerability Notes Published	138	290
Indian Websites Defaced	5211	25037
Open Proxy Servers Tracked	1837	2408
Bot Infected Systems	No Data Generated	7728408

This deeply impacted the national cybersecurity policy framework. In recognition of the rise in cyber vulnerabilities, threats and attacks and the emergence of new threats, the statutory framework was reworked with significant additions to the Act in 2008, with the aim of establishing a national cybersecurity policy framework. The Act now defined ​‘critical information infrastructure’ (CII), through an amendment to section 70, as

those facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.

In addition, sections 70A and 70B envisaged the creation of particular agencies with clearly- defined roles for implementing cybersecurity measures. While section 70B designated the existing CERT-IN, section 70A laid down the mandate for the creation of a new agency to protect sectors designated as CII. The new agency was the National Critical Information Infrastructure Protection Centre (NCIIPC) and would be created through an official gazette notification issued by the Government of India.

NCIIPC #

Although the IT Act was amended in 2008, the Gazette Notification that established the NCIIPC only came on 16 January 2014, almost six years later. NCIIPC’s mission is

to take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders and with a vision ​‘to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country.¹¹⁵

Though the establishment of NCIIPC as such is a positive step forward, several shortcomings continue to mark its implementation.

First, the sectors that have been designated as coming under NCIIPC’s purview include defence; the banking and financial sector; ICT and telecommunication; transportation; power; energy; and the Ministries of Home Affairs, External Affairs, Heavy Industries and Niti Ayog (the erstwhile Planning Commission). These were chosen on the basis¹¹⁶ of a combination of factors, including functionality; criticality of scale; degree of complementarities; political, economic, social and strategic value; and time duration – with the understanding that the list would be revised periodically.

However, as argued elsewhere, the method used to determine the criticality rating of each sector is severely lacking.¹¹⁷ Rather than drawing on a comprehensive risk assessment that also factors in intent, capability and timing of an intended attack, the criticality rating of each sector at the moment solely depends on the number of interdependencies that a sector has.¹¹⁸ Using this interdependency map, NCIIPC designated the power sector as the most critical. But other sectors, though with less interdependencies, might be more critical depending on the circumstances.

For instance, in the event of a war, a forward air force base may still be able to function without power supply, using backup generators using conventional fuel. However, a cyberattack on its mission computers and radar coverage could have a far more debilitating effect, even though, as a sector, it has a far smaller number of interdependencies than the power sector. In fact, sectors such as defence will remain prime targets of attacks, as has been amply demonstrated in the past.¹¹⁹

Another major deficiency in the current CII framework is the absence of sector-specific guidelines and standard operating procedures (SoPs) in the event of a cyberthreat or attack. The creation of sector-specific plans (SPP) ensures the development of ​‘a trusted relationship and true partnership between the government and the industry’,¹²⁰ by setting several goals for industry and government to be achieved within a time-bound framework. While general guidelines have laid down a preliminary road map, the sectors identified by it are yet to evolve their specific charters. This creates a major vulnerability that is yet to be addressed.¹²¹

Currently, NCIIPC follows a framework of conducting a ​‘vulnerability/​threat/​risk’ analysis (V/T/R analysis) for mapping the level of vulnerability of each designated sector during ​‘steady state operations’, or the routine operations of an installation that follow a regular schedule.¹²² Based on the V/T/R analysis, NCIIPC carries out a control configuration audit and brings in change management to mitigate any vulnerabilities.

The audit maps the various controlling nodes of the sector’s ​‘operational technology’ (OT) or ​‘supervisory control data acquisition’ (SCADA) systems that are critical to running automated plant operations in large-scale industrial plants. This audit of the control systems helps NCIIPC to map out various vulnerabilities, such as the logical and physical separation of OT/SCADA systems from the Internet and other information security measures that can significantly reduce risks and the threat of cyberattacks. While NCIIPC has so far approached the banking and power sectors for its initial projects, it is yet to look at the other sectors at this time.

It is clear, then, that India’s CII protection framework continues to be a work in progress. Indeed, the NCIIPC guidelines acknowledge that ​‘time duration’ is critical to mapping CIIs, and contain a stated aim to review each sector periodically. For the moment, however, the 2013 Guidelines continue to hold true.¹²³ Interestingly, the Gazette notification for NCIIPC came in January 2014, much after the NCIIPC guidelines had been created. In other words, the guidelines were developed when NCIIPC was yet to be born. Perhaps, a reason for the gaps in the evolution of a national CII framework could be attributed to the delay between legislation and implementation.

Finally, a comment on NCIIPC’s command and control structure. The NCIIPC was placed under the National Technical Research Organisation (NTRO), a technical intelligence agency created as a part of India’s security architecture reforms in the aftermath of the Kargil war with Pakistan.¹²⁴ The NTRO sought to incorporate and consolidate all the technical intelligence capabilities under one roof and deploy them for defensive and offensive operations.

While it has not been clearly explained why the task of protecting CII fell upon an intelligence agency, it was speculated that since cyberspace fell within NTRO’s charter, the agency was deemed fit to oversee NCIIPC’s functioning. However, protecting CII is a shared responsibility, with a major role for the private sector. This means that there is a need to create joint structures and SoPs to effectively deal with threats and exigencies, as and when they occur. A designated intelligence agency will have several issues with sharing of its SoPs or of information that could jeopardise its other ongoing operations, and therefore, it could be restricted in effectively carrying out its CII tasks. The same challenges also prevent the agency from naturally taking a full-fledged multistakeholder route, the need for which is inherent in a CII framework since many of the designated critical sectors lie in the private domain. In other countries, the protection of critical information infrastructure is situated with a civilian agency that works openly and without the restrictions natural to an intelligence organisation. In the US the responsibility lies with the Department of Homeland Security, along with sector-specific departments.

It has to be recognised, however, that NCIIPC does acknowledge the role of others stakeholders, with the draft framework stating that ​‘protection of CII involves a multi stakeholder approach’.¹²⁵ The draft guidelines under preparation recognises five principle stakeholders:

1. The CII owner
2. Service providers to the CII 3. NCIIPC
4. CERT-IN
5. Law enforcement agencies

Although this may still fall short of the commonly accepted norm of a multistakeholder approach, it does indicate a gradual recognition of the new realities of Internet governance, despite India’s traditional emphasis on a multilateral approach, especially with regard to security issues.

National Cyber Security Policy 2013 #

The National Cyber Security Policy, promulgated in June 2013, built a cybersecurity framework that goes beyond CII. Its stated objectives included a mission to ​‘generate adequate trust and confidence in IT systems’¹²⁶ and to create a workforce of ​‘500,000 professionals skilled in cybersecurity in the next 5 years’.¹²⁷

Among the strategies that the National Cyber Security Policy 2013 describes to achieve its objectives are:

1. Creating a secure cyber eco-system

2. Creating an assurance framework

3. Encouraging open standards

4. Strengthening the regulatory framework

5. Creating early warning systems, vulnerability management and response to security threats

6. Securing e‑governance spaces

7. Protection and resilience of CII

8. Promotion and research & development of CII

9. Reducing supply chain risks

10. Human resource development

11. Creating cybersecurity awareness

12. Developing effective public-private partnerships

13. Information sharing and cooperation

14. Prioritised approach for implementation

15. Operationalisation of the policy

Where the National Cyber Security Policy falls short is to understand the nature of next- generation-threats, which are complex and resemble ​‘Black Swan’ events – disconnected at some levels, and yet connected enough to create critical failures.

Understanding of these has been necessitated by the rise of Next Generation Networks (NGN), packet-based networks, which are ​‘able to provide services including telecommunication services and able to use multiple broadband, quality of service-enabled transport technologies and in which service-related functions are independent from underlying transport-related technologies’.¹²⁸ These have been recognised as a major vulnerability by the Government of India.¹²⁹

The arrival of NGNs and technologies has also given concomitant rise to the birth of ​‘Next Generation Security Threats’ that are at times orchestrated, or at times driven by faulty algorithms. For instance, the 2008 assault on the Baku-Tbilsi-Ceyhan pipeline in Eastern Turkey was initially believed to be a traditional physical terror attack by security agencies. However, subsequent investigations have established it as an act of ​‘cyberwar’.¹³⁰ Although information about the attack in the open domain is still sketchy, these investigations revealed that vulnerabilities in the software running the IP-based security cameras were exploited by hackers who ​‘super-pressurised the crude oil in the line’¹³¹ to cause a series of devastating explosions.

Clearly, such complex attacks have been enabled by the emergence of cyberspace. Yet, despite the creation of a national policy, these have failed to attract the urgency from Indian policy makers that they deserve.

Analysts and intelligence officials also see the emergence of the militant outfit from the Syrian civil war, the ISIS (a.k.a. Dae’sh, Islamic State, etc.), and its use of social media as a fascinating case study of a ​‘Next Generation Security Threat’¹³² which, although traditional at one level, has grown in complexity, reach and ability due to the rise of NGNs.¹³³

Too little, too late? #

The fact that India took aggressive international positions because it lacked the domestic wherewithal is demonstrated in the official address by Arun Shourie, the then Minister for Telecom and Information Technology, at the World Summit on the Information Society (WSIS) in Geneva, in 2003. Shourie was clear that the rapidly modernising economies would increasingly depend on greater computerisation, which meant that they would be increasingly vulnerable to ​‘information technology’ being used to ​‘disrupt’¹³⁴ these new integrated systems. The national cybersecurity policy and the national critical information infrastructure mandate emerged more than a decade after Shourie’s impassioned speech for greater sensitivity to technology that could ​‘disrupt’ systems, and therefore economies and even then, as this sections shows, is suffering from considerable shortcomings.

Conclusion #

India today stands at the cusp of a major opportunity. As has been brought out in this paper, India has always viewed technology as a means to not only make up for lost time on economic and political progress, but also to arrive on the world stage as a major power. However, the disconnect between India’s aspirations and the actual capacity, be it technological or otherwise, has prevented it from achieving its true potential.

This is a framework that plays out consistently. If the Bhabha Committee recommends rapid computerisation and automation in 1963, the Dandekar Committee recommends the opposite a decade later. Even as mass computerisation is recognised as a successful means of delivery of public services (such as the computerisation of the railways) in the 1980s, it takes more than a decade to give information technology a statutory framework. Even then, there is a gap in recognising security as a major concern and it takes another eight years before a comprehensive legal framework for cybersecurity emerges. Obviously, such gaps not only delay processes, they also defeat the stated aspiration of harnessing technology as a means to achieve great power status.

This is starkly evident as India continues to search for options on its evolving position on Internet governance. It has been deeply influenced by the overarching footprint of its security concerns. This precludes its economic well-being on one hand, as well as its position in the current global order, which it intends to influence using technology and diplomacy.

As has been articulated in this paper, there are historical reasons for India’s predilection towards using a government-to-government approach (both bilateral and multilateral), as opposed to a multistakeholder approach. Even though India has formally adopted a multistakeholder approach, it is unlikely that this will be applied to the security concerns that drive the Internet governance debate in India. At best, India will look at the private sector for advice or capacity-building. But the chances that academia or civil society stakeholders will also be involved in these debates remain limited.

However, this could change significantly as India builds more capacity as a producer of the Internet rather than just a consumer. As e‑commerce and e‑governance takes root in India, it is also enhancing connectivity and bringing in more people into the Internet every day. This is creating a volume of stakeholders who are vocal and have the ability to use their digital footprint to impact public policy in a major way. This was clearly visible in the recent debates on net neutrality and the campaign against Facebook’s Inter​net​.Org (a.k.a. Free Basics) as well as differential pricing and zero rating. These debates saw millions of online submissions being made by stakeholders on both sides to the Telecom Regulatory Authority of India (TRAI) in a bid to press home their point of view in support of either side. This is a clear indication that there is a silent majority that is beginning to speak up and make an impact. Clearly, they will shape the future and in turn, ensure that the multistakeholder approach to Internet governance is here to stay. It is just a matter of time.

The Way Forward #

Many of these gaps can be quickly addressed, if the government, as the pre-dominant player and the trusted arbitrator, recognises the role of multiple stakeholders who can help India achieve its true potential. To start with, there are several stakeholders within the government who need to work far more closely than their current protocol allows.

This means all stakeholders within the government – be it the Prime Minister’s Office, the National Security Council and its Secretariat, the Ministry of Communications and Information Technology, the Ministries of Law and Home Affairs, the security agencies, etc. – establish institutional mechanisms to work with each other rather than at cross-purposes. This seems to have been addressed to an extent but there remains a vast scope for improvement.

That said, there is a much bigger set of stakeholders who reside outside the government. They wield varying degrees of influence and capacity, but are all critical for meeting India’s true potential to play a leading role on the global stage. In many ways, if the collapse of the Soviet Union created a new world order, then the advent of the World Wide Web has now, once again, ushered in a completely new framework for the next world order.

This means that India needs to harness every stakeholder at its disposal to achieve its true potential, while this new global framework is still evolving. These stakeholders – the private sector, civil society, academia and the technical community – are all waiting to be tapped and used to bring about a new paradigm that has enormous benefits for India. For a number of historical reasons, as documented in detail in this paper, these groups of stakeholders continue to be outside the realm of policy making in India, which works to its disadvantage. If this great set of resources/​stakeholders can be harnessed in a meaningful manner, then India’s stated objective to emerge as a global power can be achieved.