Compare
Compare
Thanks to its regulatory powers, robust digital economy, and active foreign and security policy, the European Union is one of the key players in cyberspace. The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions. On a bilateral level, the EU has established cyber dialogues with strategic partners to reinforce the exchange of good practices, lessons learnt and further the idea of responsible state behaviour in cyberspace.
India and the European Union share many values and principles, such as inclusiveness, democracy, and multilateralism. With 1.4 billion people, India is the largest democracy in the world and considers itself as a leader among the Global South. India and the EU share common visions of a rules-based global order and are aligned on their commitment to an open, free, secure, stable, peaceful, and accessible cyberspace, enabling economic growth and innovation. In light of India’s rapid digitization and connectivity, the EU-India Strategic Partnership & Roadmap to 2025 includes commitments to cooperate on new and emerging technologies, norms and regulatory frameworks, and international standards.
Internet penetration in Montenegro stands at 83%, while analysis indicates that internet usage increased by 10,000 users (+2%) from 2021 to 2022. [x] As an EU candidate country, Montenegro has strived to align itself with the EU’s cyber priorities and recent strategic documents like the 2018-2021 Cybersecurity Strategy and its 2013-2017 predecessor represent a firm indication of this ambition. In the past five years, however, the Montenegrin government and media outlets have increasingly seen themselves sitting at the bullseye of numerous malicious cyberattacks, suggesting “synchronised action” on the part of several state and non-state actors. [x] A 2022 digital maturity assessment commissioned by the European Bank for Reconstruction and Development and conducted by e-Governance Academy found Montenegro to have only a “basic” level of digital maturity in seven dimensions, including “financing digitalisation, level of digital skill, and access to services”. The same assessment found that the “right conditions” had been generated for the purposes of digitalisation, but implementation fell short. These conditions included “political will and support, the legal framework, digital infrastructure and interoperability, digital identity/signature and security”. Montenegrin policymakers now perceive an increased need to transform their stated strategic goals into concrete action.
Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues. As a member of the 2015 UNGGE group, India accepts that international law and specifically the UN Charter applies in its entirety in the cyber domain. India has noted the need to develop common understandings as to how international law should be interpreted, especially on the issues of what constitutes force and/or an armed attack in cyberspace and what the threshold of cyber-attacks should be to invoke Article 51 of the UN Charter.
In statements at the UN General Assembly, India has also specifically called for further elaboration on peacetime rules of international law, the law concerning the right of self-defence and international humanitarian law.
Apart from these calls for clarification and elaboration, however, India’s stance on specific aspects of international law and their interpretation remains unclear. This seems consistent with India’s recent reorientation of its foreign policy; since 2019, India’s wider approach has been marked by a shift from traditional non-alignment to issue-based ‘multi-alignment’ that reflects national priorities and interests. Recalling its EU candidate status, the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE) saw Montenegro aligning itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Montenegro has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues. As a member of the 2015 UNGGE group, India accepts that international law and specifically the UN Charter applies in its entirety in the cyber domain. India has noted the need to develop common understandings as to how international law should be interpreted, especially on the issues of what constitutes force and/or an armed attack in cyberspace and what the threshold of cyber-attacks should be to invoke Article 51 of the UN Charter.
In statements at the UN General Assembly, India has also specifically called for further elaboration on peacetime rules of international law, the law concerning the right of self-defence and international humanitarian law.
Apart from these calls for clarification and elaboration, however, India’s stance on specific aspects of international law and their interpretation remains unclear. This seems consistent with India’s recent reorientation of its foreign policy; since 2019, India’s wider approach has been marked by a shift from traditional non-alignment to issue-based ‘multi-alignment’ that reflects national priorities and interests. Recalling its EU candidate status, the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE) saw Montenegro aligning itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Montenegro has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29.
Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures. India has assumed a stance of strategic ambiguity on the proliferation of norms for responsible state behaviour in cyberspace, positioning itself as a ‘bridge builder’ between the two camps that have emerged during multilateral cyber norm negotiations.
Its insistence on an enhanced role for intergovernmental institutions (such as the ITU) and its oscillating allegiance to the two polarised factions largely reflect the country’s long-standing focus on Westphalian sovereignty and the consequent belief in the primacy of the state as an actor in international affairs. This brings India to a certain degree of alignment with sovereignty-focused countries like China and Russia in the context of norm-building debates.
At the second substantive session of the Open-Ended Working Group (OEWG), India argued that voluntary norms do not necessarily increase the predictability of state behaviour within the ICT environment, but was not openly against the adoption of new voluntary norms; for instance, the country proposed the adoption of a new norm on refraining from weaponisation and offensive uses of ICTs along with countries like Iran, Cuba, and Nigeria. At the first substantive session of the 2021-2025 UNGGE, Montenegro aligned itself with the EU’s position that the “previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x].
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures. India has assumed a stance of strategic ambiguity on the proliferation of norms for responsible state behaviour in cyberspace, positioning itself as a ‘bridge builder’ between the two camps that have emerged during multilateral cyber norm negotiations.
Its insistence on an enhanced role for intergovernmental institutions (such as the ITU) and its oscillating allegiance to the two polarised factions largely reflect the country’s long-standing focus on Westphalian sovereignty and the consequent belief in the primacy of the state as an actor in international affairs. This brings India to a certain degree of alignment with sovereignty-focused countries like China and Russia in the context of norm-building debates.
At the second substantive session of the Open-Ended Working Group (OEWG), India argued that voluntary norms do not necessarily increase the predictability of state behaviour within the ICT environment, but was not openly against the adoption of new voluntary norms; for instance, the country proposed the adoption of a new norm on refraining from weaponisation and offensive uses of ICTs along with countries like Iran, Cuba, and Nigeria. At the first substantive session of the 2021-2025 UNGGE, Montenegro aligned itself with the EU’s position that the “previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x].
The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution. In matters related to cyber resilience, India has proven to be an active proponent of bilateralism. It has initiated cyber dialogues with actors like the US, the UK, Russia, Malaysia, the EU, and ASEAN, all of which include capacity-building elements. Internationally, the country has also been especially vocal on the need to establish cooperative mechanisms for developing and implementing bilateral, regional, and global confidence-building measures (CBMs).
In the context of multilateral fora, India has many a time reiterated that the issue of supply chain protection enjoys particular significance for them, especially in relation to ‘trust and trusted sources’ when it comes to preferring suppliers of ICT products and systems. It has also noted that capacity building actually goes beyond what is being dealt with under international security and is inherently tied to discussions on international legal instruments on cyberspace, where all states are equal and have the capacity to discuss legitimate matters under the auspices of the UN. The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution. In matters related to cyber resilience, India has proven to be an active proponent of bilateralism. It has initiated cyber dialogues with actors like the US, the UK, Russia, Malaysia, the EU, and ASEAN, all of which include capacity-building elements. Internationally, the country has also been especially vocal on the need to establish cooperative mechanisms for developing and implementing bilateral, regional, and global confidence-building measures (CBMs).
In the context of multilateral fora, India has many a time reiterated that the issue of supply chain protection enjoys particular significance for them, especially in relation to ‘trust and trusted sources’ when it comes to preferring suppliers of ICT products and systems. It has also noted that capacity building actually goes beyond what is being dealt with under international security and is inherently tied to discussions on international legal instruments on cyberspace, where all states are equal and have the capacity to discuss legitimate matters under the auspices of the UN. The new Cybersecurity Strategy 2022-2026 aims to improve effective mechanism for responding to cyber incidents and response to cybercrime. The new strategy recognises the establishment of a new body Cyber Security Agency which will be umbrella institution when it comes to cyber security. The CIRT team will be transferred to the new Agency. The 2018-2021 Cybersecurity Strategy explicitly establishes a “reliance” on European and Euro-Atlantic conceptualisations of cybersecurity and resilience. The Strategy points to the EU’s 2016 NIS Directive as the primary source of inspiration, notably in its requirements for the adoption of a national cybersecurity strategy, the definition of relevant authorities, and the creation of a Computer Incident Response Team (CIRT). Indeed, since 2012, the Montenegrin CIRT represents “a central point for coordinating prevention and protection against computer security incidents on the Internet and other IT security risk for the area of Montenegro”. The Strategy also features a dedicated section on cyber defence, highlighting the country’s alignment with NATO targets (E 6202 N). In expanding cyber defence capabilities, the document notes that “special attention will be paid to harmonisation with regard to the standardisation of concepts, methods, policies, and procedures in line with the accepted European and international standards”. It also pledges the country to a set of goals: (1) definition and protection of critical information infrastructure; (2) strengthening the resilience of information systems to incidents; and (3) performing analysis of threats to IT infrastructure. Montenegro completed a bilateral ICT cooperation agreement with Thailand in 2013, while it is also a member of the CAMP initiative, the platform where members “prepare themselves with collective actions to keep cyberspace safe” through training, joint exercises, and dialogues.
The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency. Under the auspices of the OEWG, India has highlighted the need for “real-time cooperation between government agencies” in combatting cybercrime, cyberterrorism, and cyber threats more widely. To date, however, India has not signed any international cybercrime agreement. It voted in favour of a Russia-sponsored UNGA Resolution calling for the establishment of a separate cybercrime treaty.
Despite having brought its legal framework largely in alignment with the Budapest Convention, India remains a non-party because the document was drafted without the country’s participation, thus rending the treaty discriminatory. Another big objection has been raised on the basis of section 32.b, which gives intelligence agencies trans-border access to data for the purposes of criminal investigations with lawful and voluntary consent - a concern shared by Russia.
It has also been argued that the Mutual Legal Assistance (MLA) regime under Budapest is not effective, as it does not commit states to a firm promise of cooperation; from the perspective of the Indians, it would be preferable to replace this regime with a UN-driven process. Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]
Many thanks to Ms Ana Minevski for her valuable comments.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency. Under the auspices of the OEWG, India has highlighted the need for “real-time cooperation between government agencies” in combatting cybercrime, cyberterrorism, and cyber threats more widely. To date, however, India has not signed any international cybercrime agreement. It voted in favour of a Russia-sponsored UNGA Resolution calling for the establishment of a separate cybercrime treaty.
Despite having brought its legal framework largely in alignment with the Budapest Convention, India remains a non-party because the document was drafted without the country’s participation, thus rending the treaty discriminatory. Another big objection has been raised on the basis of section 32.b, which gives intelligence agencies trans-border access to data for the purposes of criminal investigations with lawful and voluntary consent - a concern shared by Russia.
It has also been argued that the Mutual Legal Assistance (MLA) regime under Budapest is not effective, as it does not commit states to a firm promise of cooperation; from the perspective of the Indians, it would be preferable to replace this regime with a UN-driven process. Montenegro is a party to the Council of Europe-sponsored Budapest Convention, ratifying it in 2010. In February 2013, Montenegro signed the regional Declaration on Strategic Priorities against Cybercrime, which “identified strategic priorities” that largely reflect the spirit and content of the Budapest provisions. [x] The 2018-2021 Strategy lists several developments that have contributed towards strengthening the capabilities of law enforcement authorities in dealing with cybercrime: these include the establishment of a dedicated High-Tech Crime Group within the Ministry of Interior, while the National Security Agency is making “significant efforts aimed at creating normative and operational mechanisms for fighting against cybercrime and espionage”. [x]
Many thanks to Ms Ana Minevski for her valuable comments.
