Anurag Dwivedi writes: Cyber Security incidents have become like the Common Flu. Everyone more or less expects to be hit by a virus couple of times every year, some cost is incurred on treatment, organisations lose a few man days and life goes on. The WannaCry attack was the latest example.
There are other similarities too. Analysts decoded the WannaCry DNA (ie how it operates) and also discovered an antidote to cure the infection, but nobody is sure of its origins. We know it is a mutant of American NSA tools that escaped into the environment but we are not sure where it mutated. Some analysts say it happened in North Korea, some say China or Russia – nothing conclusive. The problem with this state of affairs is that cyber-attacks are getting deadlier and infections are turning into epidemics often bringing entire organisations or critical infrastructure to a grinding halt.
If it were a real virus that was unleashed in this manner, it would be deemed a biological terror attack. A massive global manhunt would possibly be launched and countries would cooperate under established frameworks and treaties to identify and bring the perpetrators to exemplary punishment. The victim nations would also consider attacking and destroying those who were aiding, abetting and hiding the terrorists.
Very little of this cooperation is evident when it comes to cyberspace. There are no globally accepted cyber norms or treaties and there are also no clear protocols and procedures to investigate and deal with incidents. Efforts to evolve consensus have failed and the reason is not technically infeasibility but because nation states are using cyber weapons as non-lethal equivalents of biological weapons. Intelligence gathering and espionage are other major offshoots that enjoy government patronage. Countries do not want to surrender this asymmetric advantage by subjecting themselves to treaties, norms and enforcement frameworks. Cyber criminals are having a free run in the absence of such consensus and the underground cyber-crime economy is now worth billions of dollars.
The obvious question is that if no global consensus is emerging, is there a scope for bilateral or multi-national cooperation in cyberspace? The simplest type of such cooperation is creating national Cyber Emergency Response Teams (CERTs) that can detect and mitigate cyber-attacks in mutual cooperation. These already exist. The second type of alliance is in the realm of cyber intelligence gathering / sharing such as the one that the USA has put in place with some close allies (though this has not prevented partner countries from snooping on each other). Such cooperation helps in countering shared threats like terrorism.
An interesting third type of cooperation involves public-private partnerships like the one being proposed by The Heritage Foundation (an American think tank) for the forthcoming bilateral summit between Prime Minister Narendra Modi and President Donald Trump. Some potential areas of cooperation highlighted are:-
• Sharing of cyber-security information between governments and private sector
• Awareness, education and training in the realm of cyber security
• Joint development of cyber-security products
• Create a Joint Working Group to explore actions against nation-state backed hackers seeking to steal intellectual property or undermine political institutions
• Creating a cyber-insurance framework (somewhat similar to healthcare)
• Create a bilateral system of audits and safety rankings for cyber security products
• Extending the US Support Antiterrorism by Fostering Effective Technologies (SAFETY) Act to cover cybersecurity products
• Clarify boundaries and standards for cyber self-defence by private entities without usurping the authority of the government
• Extend the process to include other friendly countries (viz Israel)
Of the above, cooperation in the realm of information sharing is obviously a win-win situation and should be welcomed. Firms in both US and India would be able to develop (and maintain) more robust IT products and services if governmental support towards cyber-security is enhanced. Likewise joint development of cyber security products, awareness and training are very much feasible and Indian IT firms can contribute in equal magnitude to the mutual benefit of partnering nations. Joint Working Groups are also desirable but expected outcomes and timeframes must be defined in advance.
Creation of a cyber-insurance framework and bilateral system of audits and ratings is a more difficult challenge. Since the costs will mostly be borne by private enterprise, there has to be an incentive to migrate to such a framework across the demand and supply chain and diverse markets. One option might be to put the framework into a larger bilateral trade agreement in IT products and services. It requires greater deliberation and consultation with stakeholders. Likewise allowing private entities to resort to active (offensive) measures against cyber threats opens a Pandora’s Box of scenarios with legal connotations. A cyber equivalent of the US Second Amendment (right to bear arms) has the potential of triggering private cyber wars and letting cyber criminals run amok in the garb of self-defence. Extending the US SAFETY Act to cover cyber-security products is an unclear agenda. Ideally applying a domestic US anti-terrorism act to cyber-security products should form part of a larger intelligence sharing cooperation and not a standalone measure.
Two other underlying aspects need highlighting. Firstly there is increasing conflict between ICT enterprises and governments in the realm of privacy and encryption. Whereas ICT firms are being forced to look at better user privacy and strong encryption to retain customers who are increasingly sensitive to breach of personal information; the governments look at encryption and privacy as a hindrance to law enforcement. There is a converse grudge from ICT enterprises that governments are hoarding zero day exploits for cyber warfare purposes whereas they should ideally be alerting the firms about any discovered vulnerabilities. These conflicting interests are hard to resolve and such bilateral agreements therefore must not be entered into without consultation with all stakeholders. It has to be a win-win model otherwise it will only create additional liabilities and regulatory burdens for private industry.
Secondly, there is a defence procurement angle to it. India is one of the largest importer of Arms primarily from Russia, Israel, France and now increasingly USA. Embedded software is integral to most modern systems and these are increasingly prone to cyber-electronic attacks as well as backdoors / kill switches. Cyber-security assurances may therefore be worth including in any bi-lateral cooperation, particularly for purchase of high-tech weapon systems. Exporters willing to offer such assurances (or cooperate) should perhaps deserve higher ratings / preference. This also applies to other high-tech imports like nuclear reactors. The issue is again a tricky one on account of proprietary technology and IPR.
To summarise, there is little progress towards evolving global cyber norms and it makes some sense to explore bilateral cyber-security agreements with countries with whom we share a large import/export footprint in ICT / IT enabled services or with whom we have a strategic defence partnership. Since participation of private industry will be vital to success of any such cooperation, it would be prudent to invite views from the IT industry to help formulate an agenda. Another reason warranting broad based consultation is that bilateral cyber agreements have the potential of triggering amendments to domestic laws like the IT Act and the proposed Personal Data Protection Act. This is difficult to do country-wise. A test bed in some very specific area / project can therefore be the starting point and will help the partnering countries understand the issue from the theoretical as well as functional perspective.