ISSN (Online) - 2349-8846

Governing the Internet

Need for Effective Cybersecurity Policy, Law, and Institutional Frameworks

Balraj K Sidhu (bksidhu@rgsoipl.iitkgp.ernet.in) teaches at Rajiv Gandhi School of Intellectual Property Law, Indian Institute of Technology, Kharagpur.

Internet technologies have become a major part of our daily lives. Although the Internet began in the United States as part of a defence project, it has become much more now. There is no sole owner of the Internet and no single government or other entity has exclusive power over its functioning. The Internet was not originally designed with security in mind; however, it is now a concern that many countries have become vulnerable to cyberattacks. India must establish a concrete cybersecurity strategy that takes into account the views of central government departments, universities, industries, international allies and partners, and state and local governments.

The author acknowledges with thanks the comments and valuable suggestions provided in the preparation of this article by Bharat H Desai, Chairperson, Centre for International Legal Studies, School of International Studies, Jawaharlal Nehru University, New Delhi.

We are increasingly being surrounded by internet technologies and have become dependent on them in our daily activities. Initially conceptualised as a United States (US) defence project, the Internet has become a “network of networks” spanning the globe, which links many groups of interconnected computers and devices located across several jurisdictions. Since the network relies on a combination of public and private components, there is no single owner of the Internet as a whole. As it crosses multiple national borders, no single government or any other entity has exclusive power over its functioning.

Threats to Cyberspace

In the past few years, cybersecurity has emerged as a security regime concerned mainly with protecting critical information infrastructure (CII) and networks. Accidental failures and attempts to deliberately subvert or destroy these information infrastructures may pose threats to international and national security. The recent WannaCry ransomware attack (May 2017), which infected more than 2,30,000 computers in over 150 countries, brought the compelling need for cybersecurity policies and laws into sharp focus. On the one hand, the government claims that the attack had no serious impact on India, with only isolated incidents reported across the country. On the other, cybersecurity experts claim that the malware infected at least 48,000 computer systems across various organisations in India. This raises doubts as to whether potential ransomware attacks would even be properly understood and reported in India. In another cyberattack in May 2017, hackers were able to swindle about $170 million from the dollar account of the Union Bank of India. Such incidents have raised concerns about the nature and extent of cyberattacks in India and the need for appropriate policy, legal, and security responses.

In a series of recent events, a number of countries have witnessed serious incidents wherein outside agencies have attempted to hack networks during general elections and turn cyberspace to a certain strategic advantage or tip election results in favour of a particular party or candidate. It is widely believed that the 2016 US presidential election was an easy target for Russian cyberespionage, which tilted the balance in favour of Donald Trump. A year later, the French presidential election in April 2017 also saw a similar cyberattack, in which hackers attempted to sabotage the election chances of the presidential candidate, Emmanuel Macron. The New York Times succinctly described cyber-power when it called it the “perfect weapon: cheap, hard to see coming, hard to trace” (Lipton et al 2016). In a recent report, the Pentagon reiterated its concerns about cyber-spying, saying that US government-owned computers were targeted by China-based intrusions in 2016 (Hindu 2017).

Challenge of Security and Privacy

In this new context, countries are expected to leverage cyber-power to gather strategic intelligence from remote locations, often without being noticed. Even a developing country like China has emerged as an important player by using its cyber-capabilities for intelligence collection. Given the fragility and vulnerability of the cybersecurity systems of a large number of states, it will not be surprising if in future election campaigns, all major parties explicitly pitch for enhanced cybersecurity policies in their manifestos.1 Thus, governments around the world are grappling with the risks associated with the potential misuse of cyberspace and have raised concerns about the possible effects of cyber (in)security.

The high rate of success of cyberattacks raises questions about the legal, technical, and societal implications of such attacks. With no reduction in the volume of cyberattacks estimated to occur in the near future, countries must develop and implement a cyber-deterrence strategy—a comprehensive cyber-policy that could improve their capacity to defend vital national assets and interests in the event of well-calibrated cyberattacks. Will future wars also be fought in cyberspace? It will not be surprising if powerful states, rogue states, or even non-state actors, use cyberweapons to wreak havoc on targeted installations, cities, and nuclear and missile assets, or cause mayhem in vital communication networks.

The Snowden leak (2013) has brought into focus the extent of the mass unwarranted cyber surveillance by a single country, that is, the US. It has raised serious concerns regarding the sovereignty and security of nation states and the extent of violation of basic human rights such as the right to privacy. Evidence suggests that several countries are developing similar mass surveillance capabilities to monitor internet use in response to or in the name of cybersecurity and potential terrorist attacks. The Internet now has the potential to affect the geopolitics of states as well as their geoeconomics. The issue has become so critical that there is additional pressure on sovereign states to develop effective cybersecurity at the national level as well as to engage in internet diplomacy to protect their interests in the transnational digital realm.

The Indian Scenario

In the context of these developments, this article takes a closer look at the Indian regulatory scenario. It mainly comprises the National Cyber Security Policy (NCSP), 2013 and the Information Technology Act (IT Act), 2000.

(i) National Cybersecurity Policy: Cyber-policies provide an overview of the measures required to effectively protect information, information systems, and networks. They also provide insight into the government’s strategy for protecting cyberspace and outline how key players can work collaboratively in public and private to safeguard the country’s information and information systems.

For governmental and non-governmental bodies to understand the impact of the exponential growth of the Internet, it is necessary to create a suitable cybersecurity ecosystem. The need to protect critical information infrastructure against cyberattacks has propelled the Government of India (GoI) to establish the NCSP, 2013. This policy aims to ensure a secure and resilient cyberspace for citizens, businesses, and the government. Its mission envisions a multipronged strategy to “protect information as well as information infrastructure, reduce vulnerabilities, build capabilities to prevent and respond to cyber threats and minimise damage from cyber incidents” (Ministry of Electronics and Information Technology 2013).

The NCSP offers a 14-point strategy to establish a secure cyber-ecosystem and assurance framework. It centres on product, process/technology, and the personnel that form the basic building blocks of any cybersecurity system. It seeks to promote global best practices in information security (IS) and compliance through standards and guidelines—the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 2001 is the best known standard in the family providing requirements for an information security management system (ISMS)—and includes IS system audits, penetration testing and vulnerability assessments, formal risk assessments and risk management processes, as well as a cyber-crisis management plan for all entities within the government and critical sectors.

The document envisioned the creation of a 5,00,000-person workforce (cyber-warriors) skilled in cybersecurity within five years. However, there appears to be a glaring skill gap in the cybersecurity industry, and to compound the problem, cybersecurity professionals are in great demand in the public as well as private sectors. Moreover, there are very few academic programmes on cybersecurity at the university level, and existing curricula do not address emerging trends and challenges. The NCSP needs an overhaul to grapple with new technological innovations and, in turn, challenges in the field.

(ii) The Information Technology Act: The IT Act, 2000 was designed in response to the increasing risk of cyberattacks. It seeks to reduce the digital divide to bring about societal transformation. The IT Act is an umbrella legislation that primarily aims to regulate electronic commerce as well as to gradually promote a culture of e-governance in India. It seeks to effectuate the 1997 United Nations Commission on International Trade Law (UNCITRAL) Model Law on E-Commerce and refers to it in its preamble. An amendment to the act widened the definition of cybersecurity to include “protecting information, equipment, devices, computer, computer resources, communication device, and information stored therein from unauthorised access, use, disclosure, disruption, modification, or destruction” (see the IT Amendment Act 2008: Section 2). The law seems to make a reasonable effort to tackle two areas of policy in need of reform: cybersecurity and data privacy. However, it lacks detailed architecture to establish an effective cybersecurity system. As such, it calls for a comprehensive cybersecurity legislation to address growing threats to information infrastructure systems and networks and suggests a new specialised professional institutional structure to meet the cybersecurity challenge.

Special Cybersecurity Legislations

As the world increasingly goes digital, there is a greater likelihood of cyberattacks causing dire damage. Cyberattacks pose an acute threat to countries’ strategic assets, economies, and even to the privacy of citizens. This has spurred countries to create specialised laws on cybersecurity. For instance, on 25 July 2015, a new German law, which aims to improve the security of IT systems, came into effect (see the German Cybersecurity Act 2015: 1324; Gabel and Schuba 2015). Moreover, the German Cybersecurity Act seeks to make security standards more robust for its critical infrastructure in compliance with the minimum standards for IT security and mandates that significant IT security incidents are reported to the Federal Office for Information Security (BSI); in addition, it imposes a heavy penalty (of up to €100,000) on website operators and service providers who fail to comply with legal requirements.

Similarly, in order to exercise jurisdictional control over the cross-border flow of data, China has a new cybersecurity law, which came into effect on 1 June 2017 (Ramsey and Wootliff 2017). It mandates that network operators store select data within China and allow Chinese authorities to conduct spot-checks on a company’s network operations. The United Kingdom’s (UK) Investigatory Powers Act, 2016 is another piece of legislation that supports data localisation and legalises the “interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal data sets, and other information.” In a way, this shows that countries are becoming sensitive to cybersecurity and will not hesitate to take extreme steps to defend national sovereignty.

New Approaches to Cybersecurity

Currently, cybersecurity relies mainly on new and innovative tools. These tools need to be integrated into the existing framework of governmental structures and the private sector. In this context, the GoI has taken the policy recommendations of the NCSP seriously. The government has appointed Gulshan Rai as the national cybersecurity coordinator (NCSC) (2015); he is based out of the Prime Minister’s Office. The NCSP suggests creating a national nodal agency to coordinate all matters relating to cybersecurity and a National Critical Information Infrastructure Protection Centre (NCIIPC) to safeguard critical infrastructure and key resources. It is of utmost importance to secure the critical information infrastructure and the networks that form the backbone of the country, especially in view of threats emanating from different sources, ranging from criminal hackers to foreign and domestic actors.

In a world where fiction suddenly becomes reality, the modern-day warfront is not a remote jungle or desert, but a suburban office park. A dystopic world is emerging, where cyberweapons may be used to cripple water supplies, power plants, banks, and the very infrastructure that once seemed impregnable to attacks. In 2010, the first digital weapon, Stuxnet—a 500 kb computer worm—infected the software of at least 14 industrial sites in Iran and subverted its uranium-enrichment operations. This incident was reminiscent of a Hollywood thriller and reportedly the product of a highly classified US–Israeli intelligence programme. In effect, it demonstrated how a computer code could be weaponised to generate a lethal political effect. It sparked fears that cyberweapons may fall into the hands of non-state actors, including terror groups, or may trigger an interstate cyber-arms race (Craig and Valeriano 2016).

Sovereign states are now becoming more dependent on cyber activities and there is a creeping militarisation of global its to acquire strategic national advantage. Interestingly, even as there is increasing temptation to exploit cyberspace, equally determined efforts are underway to safeguard cyber infrastructure. In line with this goal, the GoI established the NCIIPC in 2014. The NCIIPC acts as a nodal agency for all measures to protect critical information infrastructure (CII), defined in the IT Act (2000) as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health, or safety.”

In fact, defining CII is the first step in the process to secure and protect critical assets; and the NCIIPC carries out this crucial task. An increase in the volume and scale of cyberattacks on defence infrastructure has heightened the need for cybersecurity. A proposal is already pending before the Ministry of Defence to set up a dedicated tri-service command with the Indian Air Force, army and navy for cybersecurity. It is time to enhance cyber capabilities so that the defence forces can deploy both defensive and offensive cyber operations to protect vital national interests.

Meanwhile, to handle emergency situations and ensure crisis management, another institution—the Computer Emergency Response Team-India (CERT-In)—has been created. It operates 24/7 to help users respond to cybersecurity incidents. It has been issuing regular alerts on cybersecurity threats and advises on countermeasures to prevent attacks. CERT-In has established links with international CERTs and security agencies to facilitate the exchange of information on the latest cybersecurity threats and international best practices.

Going beyond ICANN

The advent of new technologies has provided the impetus for governmental and non-governmental players to launch cyberattacks and employ armed drones and robots, including autonomous weapons.

The Internet started as a defence project of the US government, but has now assumed a unique role and adds another dimension to the politics of the modern world. In his famous “Declaration of the Independence of Cyberspace,” American cyber-libertarian political activist, John Perry Barlow, observed that “[the Internet] is inherently extra national, inherently anti sovereign, and your [states’] sovereignty cannot apply to us. We’ve got to figure things out ourselves” (Barlow 1996; Greenberg 2016). In the early 1990s, the so-called domain name system (DNS) war brought new players into the picture: international organisations and nation states. It ended with the establishment of a new organisation—the Internet Corporation for Assigned Names and Numbers (ICANN)2—that has become the coordinator of the main internet technical resources, following a contract with the US government. ICANN has become the focus of many intense debates on the future of internet governance.

Even as the Internet has become part of global infrastructure, many nation states feel alienated from the decisions being made about the usage and governance of the Internet. Given the US government’s dominance over Internet resources through ICANN, many countries—especially in the global South—are toying with the idea of creating an alternative international organisation to govern the Internet. The obvious choice would be the United Nations (UN) and its specialised agency—the International Telecommunication Union (ITU). In fact, the ITU previously managed global communication resources. However, it found itself increasingly sidelined in the new international communication framework promoted by industrialised countries through ICANN and the World Trade Organization.

The issue of governing the Internet has assumed importance for BRICS (Brazil, Russia, India, China, and South Africa) countries, as they have a huge user base and a rapidly growing internet industry. Thus, the BRICS position on internet governance assumes significance vis-à-vis the US, which is trying to maintain the status quo. The Chinese President, Xi Jinping, described cyber sovereignty (at the 2015 World Internet Conference) as “the right of individual countries to independently choose their own path of cyber development, model of cyber regulation and Internet public policies, and participate in international cyberspace governance on an equal footing” (Jinping 2015).

Towards a Multi-stakeholder Approach

India has now become an important player in the evolution of digital policy. It hosted the 57th meeting of ICANN from 3–9 November 2016 in Hyderabad. However, India’s position has hovered between a multilateral approach and a multi-stakeholder approach. While a multilateral approach emphasises national sovereignty, a multi-stakeholder approach includes larger participation of not only governments but also the private sector, international technical institutions, and civil society. It balances the need for internet freedom vis-à-vis internet sovereignty.

Current debates on the future of internet governance centre on whether to be multi-stakeholder (typically promoting internet freedom) or multilateral (potentially favouring internet sovereignty). International law seeks to provide solutions to contemporary problems and help in shaping regulatory frameworks to govern issues and provide a roadmap for a robust future. Compared to traditional approaches that favour centralisation, where sovereign states are treated as an exclusive group of actors, a multi-stakeholder approach promises greater efficiency, flexibility, and precision, and fair, transparent, and democratic architecture in the international regulatory framework for governing the Internet.

The Internet was not originally designed with security in mind. It was to be an open system to allow scientists and researchers to quickly send data to one another. It is now a matter of concern that many countries have become vulnerable to cyberattacks; there is now a global need for substantive investments in cybersecurity and cyber defences. It is high time that India gears up to establish a concrete cybersecurity strategy that emphasises deterrence as a vital element for cyber governance. The generation of a cyber-workforce that would work decisively to mitigate anticipated risks through enhanced cyber capabilities should be given priority. A cybersecurity strategy could be arrived at through wider consultations within the Indian university system, including Indian Institutes of Technology (IITs), Indian Institutes of Management (IIMs), International Institutes of Information Technology (IIITs), and other institutions engaged in teaching and research on IT. An effective cybersecurity regime will require close collaboration between central government departments, industries, international allies and partners, and state and local governments. The pursuit of cybersecurity requires a whole-of-government and international approach due to the number and variety of stakeholders in the domain, the flow of information across international borders, and the distribution of responsibilities, authorities, and capabilities across governments and the private sector. One hopes that India will provide the leadership to grapple with this challenge. As a corollary, the knowledge sector—especially universities and premier technology institutions such as IITs—needs to conduct cutting-edge research that measures up to the best in the world.

Notes

1 In the recent United Kingdom (UK) elections, the Conservative Party manifesto included a section on the “Prosperity and Security in Digital Age” underlining the need for strengthening cybersecurity standards. Although the country is gearing up post-Brexit, the party document pitched for the implementation of the European Union (EU) General Data Protection Regulation (GDPR) that comprises significant changes to data privacy regulation, available at http://www.eugdpr.org/ (pp 75–83).

2 For information on Internet Corporation for Assigned Names and Numbers (ICANN), see https://www.icann.org/.

References

Barlow, John Perry (1996): “A Declaration of the Independence of Cyberspace,” Electronic Frontier Foundation, 8 February, https://www.eff.org/cyberspace-independence.

Craig, A and B Valeriano (2016): “Conceptualising Cyber Arms Races,” paper presented at the Eighth International Conference on Cyber Conflict (CyCon), 31 May–3 June, Tallinn, Estonia, pp 141–58.

Gabel, Detlev and Marc Schuba (2015): “Germany Rolls Out IT Security Act,” White & Case, 18 August.

German Federal Law Gazette (2015): “The German Cybersecurity Act 2015” (zur Erhöhung der Sicherheit informationstechnischer Systeme; IT-Sicherheitsgesetz) German Federal Law Gazette 2015, Part I, No 31, p 1324, https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%255B@attr_id=%27bgbl115s1324.pdf%27%255D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324.pdf%27%5D__1496869598570.

Greenberg, Andy (2016): “It’s Been 20 Years Since This Man Declared Cyberspace Independence,” Wired, 2 August, https://www.wired.com/2016/02/its-been-20-years-since-this-man-declared-cyberspace-independence/.

Hindu (2017): “China Likely to Set Up Military Base in Pakistan, Says Pentagon Report,” Hindu, 7 June.

Jinping, Xi HE (2015): “Remarks by HE Xi Jinping President of the People’s Republic of China At the Opening Ceremony of the Second World Internet Conference,” Beijing, China: Ministry of Foreign Affairs of the People’s Republic of China.

Lipton, Eric, David E Sanger, and Scott Shane (2016): “The Perfect Weapon: How Russian Cyberpower Invaded the US,” The New York Times, 13 December, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html.

Ministry of Electronics and Information Technology (2013): National Cyber Security Policy, New Delhi: Government of India, http://meity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20Policy%20%281%29.pdf.

Ministry of Law and Justice (2009): “The Information Technology (Amendment) Act 2008,” The Gazette of India, 5 February, Section 2, http://meity.gov.in/writereaddata/files/itact2000/it_amendment_act2008.pdf.

Ministry of Law, Justice and Company Affairs (2000): “The Information Technology Act 2000,” The Gazette of India, 9 June, http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf.

Ramsey, Carly and Ben Wootliff (2017): “China’s Cyber Security Law: The Impossibility Of Compliance?,” Forbes, 29 May, https://www.forbes.com/sites/riskmap/2017/05/29/chinas-cyber-security-law-the-impossibility-of-compliance/#175b24ef471c.

Stevens, Tim (2016): Cyber Security and the Politics of Time, UK: Cambridge University Press.

The United Nations General Assembly (1997): “Model Law on Electronic Commerce Adopted by the United Nations Commission on International Trade Law,” 51st Session, Agenda Item 148, 30 January, UN General Assembly.

United Kingdom Government (2016): “Investigatory Powers Act 2016,” London: United Kingdom Government, http://www.legislation.gov.uk/ukpga/2016/25/introduction/enacted.

Updated On : 30th Nov, 2017
