The post originally appeared on the Hindu on 23rd June 2015.
Cyberspace desperately needs an international legal regime, and India is well poised to offer a ‘zero draft’
In 1960, the summer issue of the American Journal of International Law carried news from Delhi on the setting up of an institution to pursue foreign policy research: the Indian Society of International Law (ISIL). Prime Minister Jawaharlal Nehru would be the society’s patron, and V.K. Krishna Menon, then Defence Minister, its first president. The journal even reported minutes of ISIL’s first meeting, which dealt with unusual subjects for that time — international arbitration, the advisory jurisdiction of the International Court of Justice (ICJ), and maritime law. India was just finding its feet in the world, buffeted by an unstable neighbourhood. State-investor disputes were nowhere in the picture, and the UN Convention on the Law of the Sea was decades away. As for the ICJ, it would be years before the government warmed up to the institution.
In promoting ISIL and its crystal gazing, the Indian establishment was tipping its hat to a rule-based international order: one that could be called on to address future challenges. Only a clutch of international organisations served as custodians of new treaties, and India, conscious of their growing relevance, invested considerable diplomatic resources in them. Multilateralism has come a long way since, with greater diversity in the topics on the table as well as the negotiators around it. India’s foreign policy institutions have, regrettably, failed to keep pace — ISIL today produces little cutting-edge research, while two key departments of the Ministry of External Affairs, Legal and Treaties, and Policy Planning and Research, have been largely sidelined. The next frontiers in foreign policy have appeared on the horizon, but the Indian state is far from ready to address them.
The government’s failure to adapt to changing circumstances is perhaps most pronounced in its approach towards Internet diplomacy. India’s negotiating line on cyberspace stems, correctly, from the view that the Internet is a “global commons” — analogous to outer space or the high seas, which are shared resources managed equally by all governments. However, the Internet’s “critical infrastructure”, which comprises the Domain Name System (DNS) and Internet Protocol (IP) addresses, is already governed through an elaborate arrangement. The current Internet governance model is U.S.-centric, and the Indian government has been calling for a radical overhaul of this model to a more “equitable” one. There is merit in this idea. Emerging economies like India are greatly invested in the security and commercial accessibility of cyberspace. It is not realistic, however, to expect the U.S. government to cede control of cyberspace overnight. Moreover, the biggest drivers of change and instability on the Internet are non-state actors and India’s statist approach to the problem, mooting a UN Committee to address Internet policies, does not find much appeal abroad.
Code of conduct in cyberspace
India may lack the technological firepower to pull its weight, but it can nevertheless play a leading role in cyberspace diplomacy. Rules of engagement on the Internet by governments and non-state actors are yet to be articulated. Chinese hackers today sit on troves of U.S. federal employees’ data, while the German Bundestag was recently attacked by Trojan viruses reportedly emanating from Russian agencies. Counter-measures mostly happen under the radar, because governments are not sure what constitutes a “proportional” response to a cyber attack. As a result, the strategic environment in cyberspace is highly volatile. Currently, the only source of international guidelines on “cyber warfare” is the Tallinn Manual, a document that was put together by Western experts under the aegis of NATO. The manual merely superimposes principles of international law onto cyberspace, and is not particularly sensitive to the difficulties in attributing a cyber attack to a state agency. Questions such as what constitutes an “attack” have been evaluated along the parameters set for conventional weapons, which are hardly comparable. For instance, the Tallinn Manual does not classify the gathering of information by hacking into a database as an attack, but as an act of “espionage”, although the damage could potentially be irreversible.
Given the dire need for a code of conduct in cyberspace, India can help steer the debate in three modest ways. First, New Delhi should host an international conference to build on, and replace, the Tallinn Manual with a binding treaty on the law of cyber warfare. Participating states should be encouraged to include technical experts, businesses, and academia in their delegations. Second, India must push for an international court to prosecute transnational cyber crimes, which would have the jurisdiction to try both state and non-state actors. The judicial process of unearthing evidence and the examination of witnesses and officials will be critical to building jurisprudence on the subject.
Last, the Indian government should promote attempts to create an international data protection law that facilitates quick information-sharing with multinational companies which do not host domestic servers. New Delhi has called for precisely such a treaty at the recently concluded annual session of the UN Commission on Science and Technology for Development in Geneva. India’s Internet diplomacy will be keenly watched. Cyberspace desperately needs an international legal regime, and India is well poised to offer a “zero draft” — diplomatic jargon for the starting text of any negotiation — that acknowledges both its burgeoning digital economy and its constitutional commitment to free speech and expression.
(Arun Mohan Sukumar is a Senior Fellow at the Centre)