CYBERSPACE
DEMYSTIFYING CYBER SOVEREIGNTY
Defining cyber sovereignty, in the context of the Westphalian concept of state sovereignty, is an extremely complex exercise that requires global deliberation.
SYNERGIA FOUNDATION
RESEARCH TEAM
This article is based on the 114th Synergia Forum titled ‘Demystifying Cyberspace Sovereignty’.
The concept of state sovereignty, which can be traced back to the Westphalian Peace Treaty of 1648, is an unequivocal principle in international law. Each State has exclusive sovereignty over its territory, a space that includes its geographical territory, its citizens and national assets. The Treaty has not only established the territorial delimitation of state authority, but also the principle of non-intervention.
The UN Charter is itself based on the principle of sovereignty as guaranteed in Article 21, which speaks of the States and the sovereign, as well as equality and freedom from intervention by other States (articles 2, 4 and 7). However, as human civilisation has evolved from one stage to another - agricultural, industrial and information - the disruptions have been so profound that the entire connotation of national sovereignty has undergone transformation.
When mankind transitioned to the Industrial Age from the Agricultural era, human enterprise extended beyond terrestrial zones to the sea and aerospace. Accordingly, the concepts of territorial waters, exclusive economic zones and national airspace were recognised and ratified by international bodies. With the dawn of the Information Age, however, it became clear that the cyber world did not occupy any specific physical space, making it difficult to delineate the sovereignty of nations. However, most nations extended the principle of sovereign equality to cyberspace, as per the UN Charter.
Fast forward to the 21st century, and today we have some interesting interpretations of sovereignty. It applies not only to physical territory and people, but in some ways to body politics too, and can be linked to terms like autonomy, absolute power over a particular space, resisting/constraining external influences etc. Cyber sovereignty is a strong, yet nebulous concept, usually referring to the assertion of state control in the digital realm. However, without a very clear-cut definition, many questions abound around the concept and practice of sovereignty in cyberspace.
THE SPECTRUM OF CYBERSPACE
“Cyberspace is a superset of interconnected information and communication technology, hardware, software processes, services, data and systems. You can view cyberspace from different angles,” says Lt. Gen. Rajesh Pant (Retd), National Cybersecurity Coordinator, National Security Council of India. “If you view it from the lens of layers, we see the physical, the logical information and the social layers. If you view it from the lens of assets and the functions performed, then you find that there is infrastructure, data, digital entities and services,” he elaborates.
Latha Reddy is the Co-Chair of the Global Commission on the Stability of Cyberspace and a former Deputy National Security Adviser of India.
“Digital wealth seems to be concentrated in the hands of a few U.S. and China-based platforms. This narrative has created two polarising concepts - Digital Colonialism and Digital Sovereignty. As emerging economies in Asia and Africa participate in norm making processes and express their priorities, it is important to discuss these ideas and the misconceptions that often prevail.”
There is no doubt, therefore, that it is the most critical asset of our national power. It includes everything - data centres, utilities, the operational technology aspects, industrial IoT, etc. From the physical or the infrastructure layer point of view, the concept of sovereignty can easily be extended to include cyberspace. A nation must, therefore, be able to identify its internet egress points. This can be done for, say, the undersea cables, where a boundary can be drawn for the physical infrastructure. But the tricky question is what happens to data, both personal and non-personal, which are stored on-shore and offshore. In other words, what is the territory of cyberspace? Is it a global common like the environment, climate etc.?
THE GREY ZONE OF CYBERSPACE
Col KPM Das (Retd), National Cyber Security Officer at Cisco, exposes the inherent contradictions in our understanding of cyberspace sovereignty by raising four questions: a) Can the concept of sovereignty as we understand with regard to land, sea and air be extended to cyberspace and can ideas of ingress/egress as understood in land/air/sea be applied in cyberspace? b) If yes, then what would be the boundaries/thresholds of national digital space, which, if violated, could be considered as an assault on its sovereignty? c) While we have a law of armed conflict defining the behaviour of combatants in conflict over the known dimensions of warfare, how will it apply in an emerging world where geopolitics and cyberspace are all-pervasive and in perpetuity, as far as the time dimension is concerned? d) Lastly, how can the increasing interplay between nations, non-state actors, proxies and private parties in cyber conflicts be governed?
spots around the world. The most prominent is the developing faceoff between NATO and Russia in Ukraine and other parts of Eastern Europe, where there is as much activity in cyberspace as on the ground.
EXISTING GLOBAL LEGAL STRUCTURE
The first UN Group of Governmental Experts (UNGGE) had convened in 2002, but it was only last year that the eleven norms of responsible behaviour by states were accepted by the 25 nations of the UNGGE. But these UNGGE norms are non-binding, rendering implementation difficult. In the Indian context, as per Lt. Gen. Rajesh Pant (Retd), the concerned agencies are interacting with a number of regional forums and other agencies on how to implement these norms.
The UN Group of Governmental Experts (UNGGE) on promoting responsible behaviour of states in cyberspace has been convening since 2004. It has discussed state sovereignty and international norms and principles that flow from sovereignty, applicable in relation to ICT activities and infrastructure. It has also discussed, how in their use of ICT, states must adhere to principles of sovereignty, sovereign equality, settlement of disputes by peaceful means, and non-intervention in the internal affairs of other states. However, this was only adopted by members of the UNGGE. While it has been endorsed by a number of regional groups and countries that are outside of the GGE, it has not been universally accepted.
As per Ms. Latha Reddy, former Deputy National Security Advisor, Government of India, “The principle of state sovereignty in effect encapsulates the supreme authority of a state to its territorial integrity, sovereign equality, and political independence within its territory. No interference in another state is permitted.”
In the West, traditionally, there are two different schools of thought. The first is that non-intervention does apply to certain State-sponsored cyber activity, but below a defined threshold, it will not be a breach of international law. The other is that all such cyber operations are unlawful. This is the approach taken by the Tallinn Manual 2.0 on the application of sovereignty and the intervention rules to operations in cyberspace. This raises the question, is there a ‘De minimis’ rule? According to the legal definition, cyberattacks on critical information infrastructure, malware intrusions, surveillance are usually remote attacks. It is not necessary for the perpetrators to be in the same country where attacks are targeted. Therefore, conventional ideas of jurisprudence and jurisdiction would not apply here. But they do have a territorial dimension, and attackers do violate sovereignty.
Lt. Gen. R.S. Panwar is Distinguished Fellow at the United Services Institution of India, with four decades of military experience in technology-based warfare.
“Physical effects such as making electoral cyber infrastructure nonfunctional or even slowing down electoral computers is not the only type of intervention possible in the cyberspace. Cognitive effects like the proliferation of malicious propaganda on social media platforms, which affects electoral outcomes, can also amount to interference.”
Lt. Gen. Raj Shukla is the current General Officer Commanding-in-Chief Army Training Command (GOC-in-C ARTRAC).
“If today strategic ascendancy is primarily in the gray zone, which is a hypothetical space between peace and war, there is no other space which lends itself so much to the grey zone as the cyberspace, because it is essentially non-kinetic in nature.”
CYBER COLONIALISM FEARS
Applying traditional concepts of sovereignty in cyberspace has been confounded further by the architecture of the overall ecosystem. Mankind had hoped that the digital revolution would usher in a techno-utopian era with few boundaries and barricades. Nothing could be further from reality as we continue to argue over an exaggerated sense of asymmetries of access to and control over data, information infrastructure, intellectual property, as well as financial and human capital.
Then there is a clash between digital sovereignty and ‘digital colonialism’. Digital wealth seems to be concentrated in the hands of a few U.S. and China-based digital platforms. This awareness is only getting more acute, as emerging economies in Asia and Africa participate actively in international norm-making processes and express their own priorities. The UNGGE, when it had formulated its two specific definitions on the applicability of international law and sovereignty in cyberspace, had a very poor representation of the developing world - Africa was totally absent and Asia was represented by only India and Malaysia.
As cyberspace emerged as a crucial element of individual expression, economic growth and national security, these geographies are also now working on building block-style norms and legislations, both at a national and at a regional level. This would have a symbiotic relationship with the two clashing narratives of digital colonialism and cyber sovereignty. At the February 2020 meeting of the Open-Ended Working Group (OEWG), a group of States did specifically call for the inclusion of stronger statements on state sovereignty and sovereign equality. Russia and China were notably vocal on this front, and similar concerns were raised by India, South Africa, Syria and the Philippines.
OVERCOMING SOVEREIGNTY ISSUES
As a start, states are looking at re-housing data within their borders through localisation and enhancement of domestic agencies. Many countries have also signed on to regional agreements like the ASEAN Framework on Digital Data Governance. India, unfortunately, is not specifically part of such large regional groupings.
Cyber sovereignty can have a positive connotation, when it implies taking back control from technology giants. However, there is also a negative one, wherein the State alone dictates the definition of digital rights and duties. In the latter case, any overreach can take the form of internet shutdown, great firewalls and surveillance. This dual connotation lends itself to confusion, as some analysts say that when you accept the concept of cyber sovereignty, in effect, you endorse the authoritarian China model.
Incidentally, the China model predates and will outlast any development of the cyber sovereignty narrative. We have already seen a shift in perception by Western countries, many of whom had initially insisted that the cyberspace was outside the control of nations. Now, they are arguing for more regulation by states. However, it must be remembered that a country’s stance on cyber issues is determined by a complex interplay of economic, social and political factors. Amplifying this, Ms. Reddy says, “I think the varied ways in which we are using the term cyber sovereignty, particularly in developing countries within Asia and Africa, implies that not every aspect of cyber norms falls under the U.S.-China dichotomy. So I would urge that we have a more global understanding about what is cyber sovereignty, and when it is deemed to have been violated under international law”.
Mr. Aaron Shull, CEO, Centre for International Governance Innovation, Canada, opines that the concept of sovereignty has already been extended to cyberspace. This is obvious from the manner in which there is censorship of contents, restrictions on the Internet, regulation and laws related to the Internet content takedown, blocking and removal of data, localisation of storage in the context of connected devices etc. Governments are using data surveillance devices within their jurisdiction, and some also outside their borders. Countries like Vietnam, Kazakhstan, Indonesia and Iran are reportedly exerting greater control over the content, circumventing virtual private networks.
MILITARY’S ROLE IN CYBERSPACE SOVEREIGNTY
It is imperative to understand the potency of cyberattacks, lest we club all of them as a breach of cyberspace sovereignty. While a large percentage of them falls under the category of cybercrime, there are an increasing number of instances where they impinge on national security through cyber espionage, cyber terrorism, or attacks on critical infrastructure.
Aaron Shull is the Managing Director and General Counsel at The Centre for International Governance Innovation (CIGI), Canada.
“Can the concept of sovereignty be extended to cyberspace? Well, the short answer is that it already has. Today, we are increasingly seeing censorship of content, restrictions on the Internet, the enactment of laws and regulations relating to content take down, blocking and removal of data, localisation and storage in the context of connected devices. If this is not sovereignty, I don’t know what it is. When it comes down to the cybersecurity dimensions of sovereignty, one only needs to look at the U.S. government’s position on this, especially as it relates to critical infrastructure. According to it, if someone comes after its critical infrastructure with a cyber weapon, everything is on the table, including a kinetic response. So again, if this is not an exercise of sovereign jurisdiction over one’s territory in cyberspace, it would be unclear to me what is.”
with cyberspace becoming an important warfighting dimension in a five-dimensional battlespace. It is essential that countries develop adequate capabilities for full spectrum offensive cyber operations. “The armed forces need to play a pivotal role in cyber conflicts. If you look at other countries, the U.S. Cyber Command and the National Cyber Force of UK, the Strategic Cyber Force of China, all have already taken on such charters, and they should perhaps be given an exclusive charter for offensive cyber operations,” advocates Lt Gen RS Panwar (Retd).
India has formed its Defence Cyber Agency, a tri-service organisation tasked with handling cyber security threats. As of 2021, DCA is fully operational with the Army, Air Force, and Navy establishing their respective Cyber Emergency Response Teams (CERT). Says Lt Gen Rajesh Pant (Retd), National Cybersecurity Coordinator, National Security Council of India, “The physical, logical, information and social layers of cyberspace are all affected by sovereignty. And in fact, within our national cyberspace, we take sovereignty as a rule. We feel that any adversarial activity that threatens our national sovereign cyberspace impinges on our national sovereignty, triggering the right to defence under Article 51 of the UN Charter.”
In the traditional domain, since the consequences of violating any red lines are far graver, there is a perception that one can get away with lesser consequences in the cyberspace. Therefore, the cyberspace is one domain where India must really bolster her deterrence posture. All major countries are already making huge strides towards strengthening their deterrence capacities in cyberspace. Military commanders worldwide are talking of projecting power into the cyberspace, because only on acquiring such power can they enforce responsible behavior in this space. Adding a word of caution, Lt Gen Raj Shukla says, “Theatre commands can wait; cyber command cannot.”
However, to prevent a turf war from erupting, there needs to be clear-cut direction from the government as to who will be responsible for offensive cyber operations - intelligence agencies, law enforcement or the armed forces.
MISSION: STRENGTHEN DATA ECOSYSTEM | HARMONISE LEGAL AND REGULATORY FRAMEWORKS | FOSTER DATA INNOVATION
STRATEGIC PRIORITIES
DATA LIFE CYCLE & ECOSYSTEM
Outcomes:
• Data governance through the data lifecycle (e.g., collection, use, access, storage)
• Adequate protection for different types of data
Initiative:
• ASEAN Data Classification Framework
CROSS BORDER DATA FLOWS
Outcomes:
• Business certainty on cross border data flows
• No unnecessary restrictions on data flows
Initiative:
• ASEAN Cross Border Data Flows Mechanism
DIGITALISATION AND EMERGING TECHNOLOGIES
Outcomes:
• Data capacity (infrastructure and skills)
• Leveraging new technologies
Initiative:
• ASEAN Digital Innovation Forum
LEGAL, REGULATORY AND POLICY
Outcomes:
• Harmonised legal and regulatory landscapes in ASEAN (including personal data protection)
• Development and adoption of best practices
Initiative:
• ASEAN Data Protection and Privacy Forum