May 02, 2010

Prospects for India-US Cyber-Security Cooperation


March 26, 2010

http://www.idsa.in/event/ProspectsforIndiaUSCyberSecurityCooperation_csamuel

Dr. Cherian Samuel notes that cyber security is a significant domain for policy makers in India to formulate a hands-on approach, as there is clear evidence over the past decade of an increase of cyber threats worldwide. In his paper, he searches for scope for cooperation between India and the United States in the area of cyber security, continuing from the 2002 efforts of the India-US Cyber Security Forum aimed at strengthening cooperation on national security issues between the two countries.

The structure of the paper encompasses the approaches to cyber security in both countries and studies the sectoral approaches to cyber security i.e., the IT security perspective, the economic perspective, the law enforcement perspective and a national security perspective. Dr. Samuel argues that understanding sectoral approaches is essential since harmonizing these perspectives to create a holistic policy on cyber security is required through the inclusion of all these sectors. In the United States, one finds that policy on cyber security is dominated by the national security perspective, which has been encouraged under President Obama as well. While there are practical problems relating to harmonizing aspects of privacy and security, the United States, unlike India, has formulated a clear policy towards cyber security as seen in its various declassified goals as well. In India, while there has been a boom of cyberspace in the past decade, the focus of policy makers has been economic rather than national security oriented, as seen in the Information Technology Act of 2000 which concentrates mainly on e-commerce. Following the 26/11 Mumbai attacks, there have been efforts to introduce amendments in this bill, which, however, continues to lack a clear focus in its goal and is often noted to be an ‘Omnibus Bill’ covering too many issues.

In the context of cyber security cooperation between the India and the United States, Dr. Samuel notes that the interests of both countries can be fulfilled. For India, capacity building and research development has been cited as a clear objective through this cooperation, while the United States may feel the need to safeguard its interests given the large number of US companies engaged in outsourcing in India. An asymmetry in the technical capacities of the two countries may have been a reason for the India-US Cyber Security Forum of 2002 not being successful, along with the lack of a multilateral treaty or body like the United Nations to coordinate and oversee activities and cooperation. The working groups established under the aegis of this Forum - Legal Cooperation and Law enforcement, Research and development, Critical Information Infrastructure, Defence Cooperation and Standards and Software assurance - have been used by Dr. Samuel as a template for his analysis in searching for areas for cooperation and road-blocks on cyber security between the two countries in the future.

In the area of Legal Cooperation and Law Enforcement, the lack of an international legal framework has undoubtedly impacted the avenues for Indo-US bilateral cooperation on this issue. The UN’s Internet Governing Forum (IGF) has proved to be an inadequate mechanism for generating such a framework. On issues relating to Research and Development, cooperation remains limited since US agencies like the highly secretive National Security Agency (NSA) remains disinterested in sharing technologies that remain its strategic assets.Defence Cooperation in cyberspace encompasses unique issues, which need to addressed by both countries individually before agreeing on cooperation, wherein the policy of the state towards cyber crime or cyber terrorism are to be formulated. The US military has only recently begun to conceive cyberspace as a war-fighting domain and India is still far behind on this issue. NATO, of which the United States is a member, however has presented an advanced cyberspace cooperation mechanism and may even become a “hub” of coordinating responses to global threats to cyber security. The scope for cooperation between India and the United States, according to Dr. Samuel, lies mainly in the field of Critical Information Infrastructure Protection. This forms the focus of the US interest in cyber security partnership with India and this objective resulted in the setting up of the Computer Emergency Response Team (CERT-In) and the National Skills Registry in 2005 to authenticate individuals working in the IT industry. However, to increase Indo-US cooperation in this field there are gaps that need to plugged in by India, which has been found to have the highest cyber security regulation but the lowest security adoption rates.

Therefore cooperation between the United States and India in this sphere is conceivable only when they are both equal in their understanding and responses to threats in cyber space. There is a pressing urge in India to approach this issue holistically, while taking into account the interests of the various sectors with stakes in cyberspace. The inability of the Indo-US Cyber Security Forum to take off points to the need for a multilateral cooperation framework along with the presence of a legislation covering legal, technical and national security objectives to regulate India’s policies on cyber security to pave the way for bilateral and international cooperation on this issue.

Points of Discussion

  1. Failure of the Indo-US Cyber Security Forum provides a valuable lesson in strengthening such cooperation in the future. Cooperation with other countries (such as Russia and South Korea) and multi-dimensional cooperation should also be made a priority by India.
  2. In order to have equal footing with a world leader like the United States, India needs the presence of an overarching supervisory authority with over-sight mechanism along with a role for the United Nations. Issues relating to trust and coordination between the parties can be fulfilled through this, and these terms need to be clarified before embarking on bilateral cooperation. Also, creating any arrangement without India’s priorities clearly demarcated will remain asymmetrical and therefore non-beneficial for India
  3. Security testing and reliability testing of hardware is essential to ensure that crucial hardware components sourced from third countries is not compromised. A third party auditing organization and the creation of a Cyber Security Fund are areas which need to be flagged for Indo-US cyber security cooperation since both countries have increasing stakes in this domain.
  4. There are definite benefits for all sectors with stakes in cyber security in the fructification of Indo-US bilateral cooperation on this issue. India should try to base cooperation on research and development and capacity building to equalize such a partnership
  5. The Indian government should also issue directives on cyber security like the US government in order to sensitise Indian private enterprises about data security and dangers from cyber espionage.
  6. Proposed initiatives such as the National Institute of Cryptology Research should be brought on-stream at the earliest.

Report prepared by Saba Joshi, Intern, IDSA.


No comments: