With brutal military conflict raging in Europe and the Middle East, little global attention has been paid to multilateral meetings of the United Nations Open-Ended Working Group on cybersecurity norms. Despite their relative obscurity, however, the discussions taking place at this forum – aiming to lay down rules and norms for a safe and trustworthy cyberspace – are vital today.
Offensive cyber operations are increasingly being deployed against essential digital infrastructure during war and peacetime alike. Yet, the UN processes that were designed to establish rules of the road for cyberspace have been stymied for decades, in large part, due to ideological polarisation between the United States, the European Union, and their allies, often referred to as the “liberal” camp, pitted against China, Russia, and the “authoritarian” camp.
Given this stalemate, India has often been regarded as a crucial “digital decider” that could decisively tilt the ideological debate either in the favor of an “open” internet with limited state control and robust fundamental rights protection or a centralised state-controlled internet modeled on Sino-Russian lines.
How India negotiates cybersecurity
However, thus far, India has refrained from making active overtures toward either block. India’s strategy in the working group has been to selectively acknowledge all perspectives on contentious issues without going into their nuances. While refusing to take a position on those matters, India has actively engaged on specific non-controversial issues that are closely tied to its strategic interests.
For example, India has voted for contradictory resolutions sponsored by both Russia and the US on the format of negotiations and core ideological principles. In its official submissions to the UN processes, it has acknowledged the combative views of both the “liberal” block and “authoritarian” block on whether international law applies to cyberspace. This question has been a long-running dispute as Russia and China want to evolve new rules for cyberspace because they believe that existing international law is both outdated and Western-centric.
While India has accepted that extant international law applies to cyberspace, it has shied away from articulating a detailed statement on how precisely this would operate, as several other states have done. Furthermore, while being vocal on questions of “data sovereignty” – a broad idea that supports the assertion of sovereign writ over data generated in a nation’s territory – in domestic political discourse, India has refrained from doubling down on the sovereignty debate at the UN. India’s views on sovereignty have been limited to affirming positions that have already garnered consensus among other states.
On the other hand, India has been much more vocal and consistent on securing supply chains and protecting critical infrastructure, and has delved into the nuances of capacity-building for cybersecurity.
In particular, India has been a consistent advocate for the development of a Global Cybersecurity Cooperation Portal. This portal would act as a readily available repository and platform for information exchange, archiving relevant documents, and collating dates for relevant seminars and workshops. India has explicitly stated that this portal will especially help developing countries, in keeping with New Delhi’s aim of representing the concerns of the Global South.
What are the factors undergirding this approach to cybersecurity negotiations? India’s approach to other multilateral forums has often been labelled “prickly,” “unreliable,” or “confrontational.” However, as recent empirical research by scholar Karthik Nachiappan suggests, these generalisations “conceal as much as they reveal”.
Nachiappan argues that India’s approach to each forum or governance issue should be evaluated through a context-specific empirical assessment of three factors: strategic interests, bureaucratic capacity and cohesion within the government, and multi-stakeholder participation and influence asserted by each stakeholder group.
Let us evaluate India’s approach to cybersecurity multilateralism using each criterion. Cybersecurity is certainly a core strategic interest for India. Recent reports suggest that India is on the receiving end of the largest number of state-sponsored cyber attacks in the world. In the past three years alone, India has been subject to cyber operations impacting electricity grids, health-care systems, and nuclear plants. However, it is unlikely that the non-binding norms emerging from the UN will tangibly boost India’s cyber defenses or place meaningful restraints on cyber attacks from geopolitical adversaries.
Consequently, India does not see normative outcomes at the UN as a priority. Instead, the focus has been on shoring up cyber defenses through bilateral agreements with several partners as well as through “minilateral” coalitions such as the Quadrilateral Security Dialogue or the Counter Ransomware Initiative. Rather than being dragged into an ideological spat at the UN, India has chosen to focus on more immediate tangible outcomes such as conducting cybersecurity exercises or ensuring mechanisms for cooperation among nodal cyber agencies like the Computer Emergency Response Team – CERT.
Regarding the second criteria, institutions dealing with cybersecurity in India are aplenty. While the Ministry of External Affairs naturally fronts India’s contributions at multilateral settings, insights from the Ministry of Electronics and Information Technology and the Prime Minister’s Office are regularly taken into account when framing India’s stances. However, given the low strategic priority of cyber norms negotiations, there has been little effort invested in developing a unique common narrative or coordinating domestic policy movements with statements made internationally. Contrast this with India’s approach to cross-border data flows.
As New Delhi gears up to host the 18th #G20 Heads of State and Government Summit, delegates and dignitaries will get to experience use of Digital Public Infrastructure for Ease of Living at the *Digital India Experience Zone* at Hall 4, Pragati Maidan. Here’s a look !#G20India… pic.twitter.com/hEQrTZ46zZ
— Digital India (@_DigitalIndia) September 5, 2023
Legal mandates across sectors domestically have been justified and defended across international forums such as the World Trade Organization and G20 by officials in the Ministry of Commerce, Ministry of External Affairs, Ministry of Electronics and Information Technology, and the Prime Minister’s Office, often with references to the overarching “data sovereignty” narrative.
Finally, the vibrant multi-stakeholder technology policy ecosystem comprising civil society, academia, media, and the private sector has remained relatively passive when it comes to influencing India’s stance on cybersecurity discussions. There has been limited public engagement from either of these stakeholders.
Advocacy groups have, perhaps rightfully, devoted their time and resources toward shaping pressing domestic legislation that has immediate implications for fundamental rights. Similarly, both Indian and foreign technology companies have focussed on policy issues that have immediate business implications for them such as telecom regulation, data protection, and the cultivation of domestic frameworks for cyber security.
Given the lack of public attention from the government or influential voices in industry and civil society, media organizations have largely refrained from providing concerted coverage of the discussions at the UN. The multi-stakeholder ecosystem enables the government’s passive stance as there is no impetus to respond to the divergent interests of various domestic constituencies.
As a point of comparison, India’s approach to global digital trade debates has been very different. India has actively articulated its stances on several critical issues at the World Trade Organization because outcomes there are legally binding and have real-time legal and policy implications. Consequently, all stakeholders have actively sought to shape India’s position at trade negotiations in a manner that suits their business interests or ideological preferences.
Future of cybersecurity multilateralism
India’s relative passivity at cybersecurity negotiations opens up significant room for the country to maneuver when making policy decisions. For example, the decision to restrict Chinese vendors from participating in India’s 5G trials took a decisive turn after the physical conflict at Galwan Valley in 2020.
Until then, Chinese vendors were entrenched in India’s telecom space because they often provided cheaper gear than European counterparts. The 5G decision was driven by a pragmatic real assessment of economic and security interests rather than an ideological commitment either to China or the West.
Of course, ideological passivity also means that India eschews the opportunity to shape global normative agendas on the internet – something that should arguably be on the agenda as part of India’s global leadership aspirations. India views its leadership role differently.
Thus far, India has demonstrated leadership by exporting what the government considers successful domestic best practices, such as “Digital Public Infrastructure”, which took center stage throughout India’s recently concluded G20 Presidency. Advocacy for the aforementioned Global Cybersecurity Portal is consistent with this approach—propose actionable models rather than opine on more abstract and controversial normative questions.
This has important implications for countries looking to partner with India on cybersecurity or strategic technology. Evaluating or predicting India’s approach to cyber governance through sweeping labels or deciphering India’s doctrinal position on cyberspace is a futile quest. India’s ideologically agnostic approach has also been adopted by other so-called “digital deciders” like Indonesia.
Rather than imposing external ideological constructs onto these fast-evolving economies, underpinned by unique domestic political fabrics, it is vital to better appreciate processes, issues, or outcomes that actually matter for these countries, which consequently drive decision-making. It pays to identify tangible issues or technical solutions that are of immediate interest to India and evaluate optimal modes of cooperation – which may not necessarily be through multilateral settings.
Growing ideological agnosticism does not sound the death-knell for cybersecurity multilateralism. On the contrary, a focus on tangible outcomes makes multilateralism retain relevance amidst growing geopolitical polarization. Even in the absence of legally binding outcomes, multilateral settings remain the ideal venue to exchange best practices, air grievances, and clarify understandings, especially in light of the rapid pace of technological and geopolitical advancements.
These conversations and contact points matter specifically for developing countries managing nascent but rapidly growing digital economies. Crucially, India’s approach to cybersecurity norms may not apply to how India sees other global forums, each of which would have their unique implications and impact on India’s interests, institutions, and broader political ecosystem.
Winning ideological battles and demonstrating consistency might be critical for leaders of geopolitical blocs and their allies. However, complex geopolitical equations incentivise a critical mass of countries, like India, to evangelize immediate and concrete outcomes rather than fight or win the long, good fight.
Arindrajit Basu is a PhD candidate at the Leiden University Faculty of Governance and Global Affairs. This article draws from two book chapters published in 2023. They can be accessed here and here.
This article was first published on India in Transition, a publication of the Center for the Advanced Study of India, University of Pennsylvania.