India’s Strategic Interests in the Norms Setting Process in Cyberspace Presentation by Ambassador Asoke Kumar Mukerji Former Permanent Representative of India to the United Nations to The Centre for Internet and Society, 31 August 2018, India Habitat Centre, New Delhi Email : 1955pram@gmail.com

India’s Location in Current Infrastructure for Cyber Data Flows

Cyber Norms Formulation and International Law 1. Technical Norms (i) Norms for effective Technical/Technological infrastructure of Cyberspace (ii) Norms for Policy at the national and international level to ensure security/integrity of data flows 2. Policy Norms (i) Norms for Securing Critical National Infrastructure (ii) Norms for Accelerating and Empowering Sustainable Development (iii) Norms for effective and equitable International Cooperation 3. International Cooperation Norms National and International Law Cyber Norms Formulation and International Law @Mukerji2018

India’s Strategic National Interests in Cyberspace Governance: Digital India and Aadhar as the main platforms for the national transformation of India through inclusive socio-economic development and empowerment. Norms to secure these platforms. Defence: In a technologically driven world, constructing and maintaining effective cyber capacity in defence is top priority, so that expensive weapons systems do not become vulnerable to malicious cyber- activity. Norms for State Behaviour. Economic: Symbolized by India’s Software Services Exports which generate $120 billion annually. Norms to secure the human and material resources for this expanding revenue. Trade: Impact on India as an emerging power in E- Commerce, including in the manufacture of Goods and delivery of Services under Make in India programme. Norms for domestic e-commerce. @Mukerji2018

India’s approach to Cyber Norms Multi-stakeholder in nature, to reflect interests of all 4 major stakeholders (Government, Business, Academia, Civil Society) Evolving process for setting Cyber Norms to keep pace with changes in cyber technologies and national/international situation Cyberspace for Citizen-centric Development to bridge Digital Divide Awareness of vulnerabilities of Cyberspace requires all-of- nation approach, beginning with primary education syllabi and in English/all major Indian languages – Digital Literacy Equality in Decision-making : Current International Dominance in Cyber Infrastructure requires sustained dialogue to ensure equality in decision-making, including on Securing Cyberspace @Mukerji2018

International Law in Cyberspace: the process in the United Nations The United Nations Governmental Group of Experts (GGE) and Cyber Norms 2004-2017 (Security of Cyberspace) The United Nations Tunis Agenda 2005 + Review 2015 (Information Society) The United Nations Agenda 2030 for Sustainable Development @Mukerji2018

Cyberspace: Priorities of the United Nations General Assembly (2002) Raising awareness Responsibility Response Ethics Democracy Risk assessment Security design and implementation Security management Reassessment @Mukerji2018

The Negotiations on Norms for Securing Cyberspace in the United Nations 1st Committee (Disarmament) Narrow scope of mandate – international security. Omits development dimension of UNGA discussions. Trigger of action is UN Security Council. However, until UNSC is reformed as mandated by UNGA in 2005 Summit, how effective will its decisions be on the ground? Role of India - nominated member of GGE since 2004 till 2017, except in 2015 when UNGGE Norms were formulated. India not permanently in UNSC and cannot influence its decisions. @Mukerji2018

Ensuring a stable and secure cyberspace Attribution of cyber-attacks Responsibility of states not to let their territory be used for cyber- attacks Cooperation between states on exchanging information on terrorist and criminal use of cyber technologies Respect for human rights in cyberspace Inviolability of cyber infrastructure for public services Protection of critical national infrastructure Cooperation between states to counter malicious operations in cyberspace Maintaining the integrity of the supply chain Reporting of vulnerabilities in cyberspace Sanctity of national computer emergency response teams or CERTs. The 11 UN GGE Cyber Norms (2015): Are these valid for all time, or need regular review? @Mukerji2018

The UN’s Tunis Agenda mandate (2015) needs negotiations on Cyber Norms Use of cyberspace and technologies to create knowledge/information societies Use cyber technologies to bridge the digital divides Equitable access to cyberspace Creation of an enabling cyberspace environment for development Public-private partnerships in financing the growth of cyberspace Protection of human rights online including the freedom of expression and privacy Management of the internet as a “multilateral, transparent, democratic and multi-stakeholder” process Extend Internet Governance Forum as multi-stakeholder platform to raise and address challenges to cyberspace @Mukerji2018

The UN’s Sustainable Development Agenda 2030 needs negotiations on Cyber Norms

A “Digital Geneva Convention”: Microsoft Norms proposed by Business @Mukerji2018

Norms for Cyberspace: Multi-stakeholder obligations and responsibilities Technical Norms: Currently, out of 13 Root Servers, 10 are in USA. Hundreds of Mirror Servers across globe. Who sets the norms? Market Access Norms: The bulk of data generated is by the Big Five companies, all headquartered in USA: Amazon, Apple, Facebook, Microsoft, Alphabet/Google. Who sets the norms for companies? State Norms: Governments must secure cyberspace, and build or licence cyber infrastructure and set Cyber Policies. Who sets these norms? Non-State Actors: Actions to disrupt cyberspace for exposing vulnerabilities or for malicious purpose. Are norms viable and applicable for such actors? @Mukerji2018

The issue of Data Generation and Storage, and Cyber Norms “there is a digital divide as internet penetration in the developing world averages around 41 percent compared with 81 percent in the developed world” Digital India is designed to bridge India’s digital divides (within country and between genders) in three directions which are all citizen-centric: Infrastructure as a utility for every citizen Governance and Services on demand Digital Empowerment of citizens Affordability of devices as well as ICT services is directly linked to the standards and interoperability, including of data, with the citizen as its focus @Mukerji2018

Cross-Border Data Flows Issues for Norms-setting Digital Divide/s, Connectivity and Data Flows: Access to Data and Application of Data Privacy of Data : EU GDPR, India Supreme Court Rulings etc. Commercial application of Data: Net Neutrality Issues following US FCC decision. Impact on small/medium enterprises? Big Data/Cloud Computing/Privacy and Data Flows: Role of Emerging Technologies on Data Flows. Impact on small/medium enterprises? For Governments and Businesses: Need for International Cooperation to ensure flow and integrity of Data @Mukerji2018

India and Digital Privacy August 2017 – Indian Supreme Court rules Right to Privacy is part of the fundamental rights of Indian citizens under Article 21 of the Constitution, as it is intrinsic to life and liberty. 2018 multi-stakeholder Study Group recommendation that global flows and exchange of data must be encouraged and enabled, while protecting personal and collective ownerships over data, including applicable intellectual property rights, and ensuring that regulatory and other kinds of legal access is available to authorities of the country of origin. UN General Assembly resolutions 68/167 and 69/166 supported by India on the right to privacy in the digital age India and Digital Privacy @Mukerji2018

An International Convention on Cyberspace Scope: Will include cyberspace issues, both technical as well as policy-related, raised in discussions in the United Nations GGE, UNGA’s Agenda 2030 and Tunis Agenda, as well as Global Conferences on Cyber Space and Microsoft Digital Convention proposal Objective: Will provide predictability and stability based on transparent technical and legal principles and provisions Enforcement: Will be enforceable through an innovative dispute settlement mechanism, combining the structure and practice of dispute settlement in the UNCLOS (1982) with that of the World Trade Organization (1995), which has been adjudicating disputes, including on technology-related issues, involving governments and businesses An International Convention on Cyberspace @Mukerji2018

How to achieve an International Convention on Cyberspace? Table the issue on the agenda of the UN General Assembly (UNGA) (time frame is September 2019). When the agenda item is adopted, prepare to table a draft Resolution for UNGA to adopt setting out the proposed Structure of the International Convention. After approval of UNGA, initiate discussions on this item on all areas mandated by the Resolution. This should be a multi- stakeholder process as in Sustainable Development and Tunis Agenda processes. Gather 2/3 majority of countries (128) in the UNGA to adopt an outcome Resolution from the discussions mandating negotiations for an International Convention. Negotiations should be a multi-stakeholder process. Target adoption of a Resolution containing the International Convention by UN’s 80th anniversary in 2025. @Mukerji2018

Thank You