Obama's Visit: Cybersecurity on Agenda?Collaboration Has Potential to Improve Bilateral Ties
In advance of U.S. President Barack Obama's visit to India as the chief guest at the Indian Republic Day parade on January 26, observers suggest that cybersecurity cooperation may an area of discussion between the two countries.
Such cooperation may be inevitable, considering that the two democracies share common values and face similar cybersecurity challenges, especially in the face of China's potential emergence as a cyber superpower. Meanwhile, India is poised to take up a leadership role in cyberspace and become one of the largest digital economies in the world, fueled by its potential user base and its proven expertise in services and software technology. Obama's visit may be a good place to start a meaningful bilateral dialogue on cybersecurity (see A Boost for Indo-U.S. Cyber Cooperation).
Dr. Cherian Samuel, associate fellow at the Institute for Defense Studies and Analyses in New Delhi, notes that earlier attempts at cybersecurity cooperation foundered on the twin rocks of distrust and neglect. "If anything, global mistrust on cybersecurity cooperation has only increased with the Snowden revelations," he says.
Security experts, however, say that given most major Internet and technology companies are American, and much of the Internet infrastructure is located in the U.S., there are still many areas where meaningful cooperation is possible - particularly in law enforcement, technology and information sharing.
"Collaboration in cybersecurity has the potential to enhance the bilateral partnership, while addressing an issue of strategic importance to both states," says Jennifer McArdle, research associate at the Arlington, Va.-based Potomac Institute for Policy Studies.
Basis for Cyber Cooperation
The benefits of collaboration are mutual. While the U.S. can benefit from India's dynamic human enterprise and scientific talent pool, India can benefit from U.S. cutting-edge science in cybersecurity, potential lessons learned from the development of a central cyber command, and established processes and norms, particularly with regard to hardware and supply chain security.
The ability to ensure "trust" in the microelectronics that underlie critical infrastructure and military systems is of utmost importance, experts say. Samir Saran, senior fellow and vice president at the Observer Research Foundation, a Delhi-based think-tank, says India's hardware and supply chain depend on "dubious" sources, which may carry engineered backdoors and weaknesses, and this will continue in order to fulfill increasing demand in the digital age.
"The U.S. needs to help India build capacity through technology transfer in fabrication, semi-conductors, etc., or U.S. interests may be at risk as well, given its close ties to India's digital economy - soon to be one of the largest in the world," Saran says.
Dr. Ashwini Sharma, managing director of the National Institute of Electronics and Information Technology, the HRD arm of the Department of Electronics and Information Technology, says that with the present government's emphasis on "Digital India" and "Make in India," it is imperative that India enlist U.S. help in better understanding the challenges faced, "especially capacity building of citizens, financial institutions and technical institutions in cybersecurity."
Existing Indo-U.S. Arrangements
At first glance, it may seem that India and the U.S. have the beginnings of a robust cyber engagement. In June 2013, during the 4th Indo-U.S. strategic dialogue between U.S. Secretary of State John Kerry and India's former Minister of External Affairs Salman Khurshid, both parties emphasized the need to develop stronger cybersecurity partnerships through the next iteration of consultations, cyber policy dialogue and joint working groups.
India and the U.S. had signed a memorandum of understanding on cybersecurity in July 2011 as a part of the Homeland Security Dialogue. The memorandum established best practices for the exchange of critical cybersecurity information and expertise among the respective governments, CERTs, broader cybersecurity communities and their counterparts on a range of technical and operational cyber issues.
An Indo-U.S. Cyber Security Forum was set up as early as 2002. The motivation on the U.S. side was to safeguard the interests of U.S. companies outsourcing to India. On the Indian side, the emphasis was on capacity building, research and development, Samuel says. "Five working groups were established under the aegis of the Forum," he says. "Since then, cooperation has been spotty and episodic."
CERT-In and U.S.-CERT currently have monthly operational meetings to address cyber issues, andperiodic meetings are held between collaborative groups such as the ICT and other joint working groups. More recently, Christopher Painter, U.S. Coordinator for Cyber Issues, traveled to New Delhi in October 2014 to meet with officials from the National Security Council and other ministries.
PIPS' McArdle says that despite these and other measures, the Indo-U.S. cyber engagement lacks substantive progress. "There is a need to build trust, develop capacity and better align interests in the two capitals."
Potential Action Items
Many lessons can be learned from studying U.S. cybersecurity programs, experts say. The scope of cybersecurity today entails broader issues, such as access, jurisdiction, e-commerce, entrepreneurship, information sharing, capacity building and enforcement. "There is scope for cooperation in each of these areas, but the devil is in the details," Samuel says.
ORF's Saran agrees there is a need for a much wider conversation than just between the information security institutions of the two countries. "Indo-U.S. cooperation in cybersecurity must entail addressing issues around Internet governance framework and the safeguarding of national strategic interests in cyberspace," he says.
India's interests need to be taken into account at engagements of multilateral, multistakeholder organizations, such as the GGE, ICANN, ITU and similar forums. Indo-U.S. cooperation at each of these forums must be enhanced, and joint working groups and other touch-points need to be strengthened.
The weaponization of cyberspace is another important concern, Saran says.
"With nation-states resorting to strategic cyberweapons without attribution, to further national interests, friendly countries like the U.S. and India need to formulate norms around the usage of these weapons," he says.
Saran warns against the danger of digital/cyber non-proliferation agreements developing between key players, such as China and the U.S., similar to the arms control arrangements between U.S. and USSR in the 20th century. India may be left as a bystander if it does not get involved.
A cybersecurity program that focuses on scientific and technical engagement could reap enormous benefits for both India and the U.S.
"Designing a program that transcends rigidly delineated government-to-government programs, and builds public-private cybersecurity cooperative initiatives with academia, labs and industry could help build trust," says PIPS' McArdle. While India has wanted deeper scientific and technical cooperation in cybersecurity, no such program currently exists.
The current mechanisms for sourcing information are archaic and out-of-sync with the requirements of law enforcement agencies today, Samuel says. Bilateral mechanisms to enable information sharing for law enforcement purposes should be pushed from an Indian perspective.
"While the mantra of an open, global and secure cyberspace is still repeated ad infinitum, it seems like these are all mutually exclusive goals," he says. Insecurity abounds, with a plethora of actors engaging in unchecked malicious activity. The big picture should be to work on bilateral norms to secure a borderless cyberspace, he says.