Cyber has been one of the key discussion items during both Prime Minister Modi’s just concluded visit to the United States and President Xi Jinping’s visit to the US some nine months back. After Xi’s visit, China and the US signed a Cyber Agreement in October 2015. India and the US will ink a cyber agreement in the next sixty days. Notwithstanding these similarities, the intent of and expectations from these two agreements are fundamentally different; the former is an attempt to manage insecurity and the latter is a quest for security.
An analysis of the joint statements issued at the end of the Modi and Xi visits to the US highlights the contrasting differences in India and China’s bilateral ties with the United States in the cyber realm. Xi Jinping’s state visit to the US took place in the shadow of a massive cyber-attack on the Office of Personnel Management which compromised fingerprint records of 5.6 million people and Social Security numbers and addresses of around 21 million former and current government employees. The US has been accusing China of theft of intellectual property targeted against its defence industries, private sector and key governmental functions; amounting to economic espionage. Accusations in this regard go back to 2004, when a series of coordinated attacks – dubbed as Titan Rain – targeted the computer networks of Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. Cyber espionage featured in every high-level talk and security report. The issue became more complex when the US Department of Justice indicted five officers of the Peoples Liberation Army (PLA) on the charges of hacking and economic espionage directed at US entities in the nuclear power, metals, and solar products sectors. This was the first time that the US judicial system had accused state actors of hacking and hurting the national interest in the cyber domain. When Obama and Xi met, the two countries already had a history of a decade and a half of cyber confrontation, accusing each other of hacking and cyber-attacks. Moreover, the discord in approach towards Internet governance is also distinctly visible at the Internet Corporation for Assigned Names and Numbers (ICANN), where China is contesting the US stand on multistakeholderism, which China believes to be an encroachment upon its cyber sovereignty, and instead advocating multilateralism.
The states’ role is supreme in China’s notion of multilateralism, while multistakeholderism professes equal role for businesses, civil society, governments, research institutions and non-government organizations. Cyber sovereignty for China encapsulates the right to censor and restrict information2 as well as maintain control over infrastructure, while the US advocates internet freedom.
Given all this, the China-US Cyber agreement is better seen in the context of conflict management or risk mitigation, although the two nations accepting cyber as a key security issue between them is noteworthy. The US desperately wants China to put an end to industrial or economic espionage, carried out at the behest of the PLA, and the agreement was precisely intended to do that. Following the agreement, in principle, the US and China have agreed to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property.
In contrast, India-US cybersecurity cooperation dates back to almost the same time as the beginning of China-US cyber confrontation. The India-US Cyber Security Forum was established in 2002. After slack activity for a decade, the dialogue on cyber between India and the US has gained considerable pace. The Fourth US-India Cyber Dialogue was held in August 2015, led by the US Cyber security Coordinator and Special Assistant to the President Michael Daniel and India’s Deputy National Security Advisor Arvind Gupta, encompassing a range of cyber issues including cyber threats, enhanced cyber security information sharing, efforts to combat cybercrime, Internet governance issues, and norms of state behaviour in cyberspace.3 These efforts have been further strengthened during Modi’s just concluded US visit when cyber was placed high on the agenda.
For India and the US, the security of cyberspace emanates from a common threat perception, democratic values and growing dependence. Both have reaffirmed their commitment to an open, interoperable, secure, and reliable Internet, underpinned by the multistakeholder model of Internet governance. There are numerous non-government agencies in both countries that are working to support this cause.
And the governments deem private sector to be a key partner in the governance and security endeavour primarily because most of the technology underpinning the Internet and critical information infrastructure, such as energy, transportation and financial services, lies in private hands. The private sector manufactures Information and Communication Technologies; designs, develops and deploys Information Technology solutions for governments as well; provides services such as Internet and Telecommunications and leads the research in cyber security. Therefore, India and the US reiterate the role of the private sector in Internet governance and cyber security, in contrast to China where the state retains control on critical information and Internet infrastructure. Similar to the US, the Indian defence establishment and the ministries or agencies dealing with border security and foreign affairs have been key targets of hacking attempts originating from China. The emails of several high-ranking officials from the Ministry of External Affairs, Ministry of Home Affairs, Defence Research and Development Organisation (DRDO), and the Indo-Tibetan Border Police (ITBP) were hacked into in 2013.
India was a prime target of Ghostnet – a Chinese cyber espionage operation – unveiled in 2009. Cyber espionage operations and attacks of Chinese origin, aimed at India and the US, have been frequently termed as Advanced Persistent Threats, placing them high on the common threat perception, in addition to terrorism. India and the US have been at persistent risk from terrorist attacks and the growing capabilities of terrorist outfits to conduct an array of operations in cyberspace, such as recruitment, fund raising, communication and coordination.
This has given impetus for the two countries to share information and simultaneously persuade major players like Twitter, WhatsApp and Facebook to swiftly respond to requests from Indian security agencies. As per the transparency reports from the second half of 2015, compliance with respect to information requests from Indian law enforcement agencies was only 42 per cent in the case of Twitter6 and 50.87 per cent for Facebook.7 And for the first half of 2015, Apple complied with only 19 per cent of device requests,8 one of the lowest in the world. As cooperation matures further, India would expect an increase in compliance from tech firms based in the US for legal information requests and prompt response to security related cases.
As the framework for Cyber security awaits formal inking, both India and the US have some wrinkles to iron out. The US would want India to join the Budapest convention, the legally binding mechanism to address cybercrime and develop norms for quick response. But India has some apprehensions in this regard especially given that it was not a part of the drawing process of the treaty. India, with the second largest Internet user base in the world, would certainly seek a larger role at ICANN. Moreover, given the American emphasis on military aspects of cyber, India and the US might not be on the same page on the question of applicability of international law to state conduct in cyberspace. Certainly, China would be watching this closely, as India and the US come forward in the cyber realm to address key security issues, discuss governance modalities, and forge cooperation over terrorism and crime counter-measures. China might learn that cooperation rests on trust, and trust would not fructify if it continues to intrude into other countries’ networks for espionage on economic and security issues.