Cyber Resilience and Diplomacy in India
by Hannes Ebert, Kate Saslow and Thorsten Wetzling
Technology has consistently played a key role in the modernization and nation-building project of independent India’s state and society, and information and communications technology (ICT) became a centrepiece of its post-liberalization economic growth trajectory. Since the 1990s, India has developed a strategic edge in cyberspace, building one of the most competitive ICT industries and workforces and becoming a frontrunner in using ICT for e-government and public service delivery. In the past decade, internet access grew exponentially and at a faster rate than in any other large economy, making India’s online population the second largest after China. The pace and scale of India’s digital transformation have exposed its society and state to mounting cybersecurity threats, and India became a chief source and target of cyberattacks. Drawing on a comprehensive collection of primary sources on cyber incidents and policies in India, this Digital Dialogue paper illustrates how successive Indian governments have sought to balance economic, political and security imperatives linked to the digital transformation. It traces the evolution of India’s legal, strategic and institutional cyber resilience landscape, and demonstrates how this evolving landscape has shaped its cyber diplomacy in bilateral, multilateral and multistakeholder fora in general as well as the scope of cooperation with the European Union (EU) in this field in particular.
- Passing the IT Act in 2000, India became one of the world’s first countries to enact cyber law, and has since developed a wide-ranging legislative and regulatory internet governance ecosystem. Following the IT (Amendment) Act, 2008, India’s cyber policy broadened from a focus on commerce to increasingly covering threats to national security related to the use of ICT. In 2013, the Indian government promulgated a National Cybersecurity Strategy, and committed to publish a revised version in 2020. Yet, a gap between legislation and implementation persisted, and reported cybersecurity incidents increased from 23 in 2004 to more than 200,000 in 2018. The breach of India’s largest nuclear power plant’s external network in September 2019 and proliferating cybercrime and disinformation campaigns in the country during the COVID-19 pandemic in 2020 highlighted the urgent need to enhance cyber resilience in critical infrastructures and across society.
- India established the position of the National Cybersecurity Coordinator in 2013 and the National Cyber Coordination Centre in 2016. Nevertheless, institutional overlaps and a lack of coordination within and between the civilian and military cyber architectures and public and private sectors continued to undermine the effectiveness of India’s cybersecurity policy.
- New Delhi recognized that protecting its domestic digital transformation requires proactive cyber diplomacy in bilateral, multilateral and multistakeholder fora. In global internet governance and cybersecurity debates, India sought to position itself as a bridge builder between entrenched positions, but civil society actors criticized its hedging diplmacy for its lack of coherence and siding with authoritarian regimes on issues such as Internet control.
- India and the European Union, strategic partners engaged in a Joint ICT Working Group since 2000 and a Cyber Dialogue since 2011, share a mutual interest in further linking the Digital India initiative and the EU’s Digital Single Market by deepening cooperation on issues such as ICT standardisation, Internet of Things, Internet governance and the exchange of best practices in cybersecurity. Brussels and New Delhi also benefit from promoting an international framework for responsible state behaviour through cybersecurity norms, confidence-building measures and capacity building. To jointly pursue these interests, both sides can build on a web of existing bilateral cybersecurity arrangements between India and EU member states as well as on operational cooperation between their computer emergency response teams (CERTs).