Nikhil Sud on cybersecurity in India

Read the original article via Forbes India here

Another day. Another cyberattack. And one worse than the day before. This is happening everywhere, including in India. India’s ambitions to remain and grow as a global innovation hub are at stake. More fundamentally, so is its citizens’ ability to lead their daily lives. India is commendably developing a National Cyber Security Strategy to counter this increasingly debilitating scourge. But as the country develops and eventually implements its policy, it must in parallel look to international law—because international law already offers robust protection against cyberattacks; is a good supplement to any eventual domestic cybersecurity policy or law given the cyber world’s inherently global nature; and can offer lessons India can imbibe for its upcoming cybersecurity policy.

India can look to international law in at least a couple of different ways. One is to engage with the United Nations. The UN’s Group of Governmental Experts (GGE) and Open-ended Working Group (OEWG) have discussed the matter but with limited success. A new UN forum being developed, called the Programme of Action for advancing responsible state behaviour in cyberspace, may offer more potential—and India should engage meaningfully. But separately from the UN, India should engage in what has quickly become a critically important and immensely successful forum: the Oxford Process on International Law Protections in Cyberspace.

The Oxford Process—an initiative organised under the auspices of Oxford University beginning in May 2020—regularly brings together (among others) leading international lawyers from around the world. It holds convenings and issues Statements identifying countries’ cybersecurity duties under international law. For countries looking to international law for cybersecurity, the Oxford Process has become the go-to forum. Why? Several reasons:

Norms are great but the law is better
UN processes have focussed on cybersecurity norms, such as norms designed to protect supply chains and critical infrastructure. Norms are extremely useful—they help create expectations and nudge countries to behave a certain way. But they aren’t binding. The law is. And the Oxford Process focusses on the law.

Answering the how
There is widespread agreement that international law applies to cyberspace. Even the GGE and OEWG say so. But that’s essentially all they say. And that doesn’t take us very far. Nor does merely repeating it, as too many around the world seem content to do. The next—and critical—step is figuring out how international law applies to cyberspace. That’s the step the Oxford Process is taking. The Oxford Statements articulate actionable negative and positive obligations (things countries must not do and things they must). For example, one Oxford Statement notes that international law prohibits cyber operations by States that have serious adverse consequences for essential medical services in other States. It also notes that international human rights law requires States to respect and to ensure the right to life and the right to health of all persons within their jurisdiction, including through taking measures to prevent third parties from interfering with these rights by cyber means.

Addressing specific urgent needs
Too many international discussions about law and policy operate in a vacuum, untethered to reality. The Oxford Process doesn’t. Like the law of armed conflict, the Oxford Process starts with things that must be protected and then says how international law applies. Put differently, it identifies—and then tackles—specific, real-world, and highly time-sensitive needs. For example, it has produced Statements articulating how international law provides cybersecurity protections for the health care sector and vaccine research, given devastating cyberattacks targeted at a world already devastated by Covid-19. It has also produced Statements addressing foreign electoral interference and information operations; is discussing supply chains and ransomware; and plans to explore additional topics.

Extraordinary consensus
Lawyers rarely agree (except on the fact that lawyers rarely agree). By focusing on commonalities rather than just on differences, and by fostering regular deep dialogue, the Oxford Process has helped foster extraordinary consensus. Each Oxford Statement so far, despite involving strikingly complex issues, has been endorsed by more than 100 leading international lawyers from around the world. The Process and Statements, therefore, carry enormous credibility and are also a case study in consensus-building.

Governments are paying attention
Not only has the Oxford Process attracted lawyers from around the world, various governments (and their lawyers) too are paying attention, often observing Oxford Process convenings and referring to it in their discussions, such as this discussion by the international legal adviser at Australia’s Department of Foreign Affairs and Trade, which observes that the GGE and OEWG reports are silent on how exactly cyber operations against healthcare could violate international law and that Oxford Statements contain legal conclusions addressing that key question. The Oxford Process was also featured in discussions at UN Security Council Arria-Formula meetings. Notably, the Oxford Process’s May 2020 convenings examining the interplay between Covid-19 and cyber operations were co-sponsored by the government of Japan. As part of the recent Quad Leaders' Summit in Washington, D.C., Indian leaders met with leaders from both Japan and Australia (and U.S. leaders) and commendably expressed their joint and firm commitment to cybersecurity. This expression creates a good foundation for India (and others) to engage meaningfully in the Oxford Process

A multi-stakeholder approach
The Oxford Process welcomes involvement from participants across government, industry, and civil society. It recognises that cybersecurity is a multi-stakeholder issue—every perspective is important.

So what exactly should India do to engage in the Oxford Process? Simple. Indian international lawyers —both government and non-government, Indian cybersecurity policymakers, and Indian representatives from industry and civil society should attend Oxford Process convenings (virtual so far) and help develop, and understand, Oxford Statements. Notably, attending does not require speaking; attendees are free to merely listen, though participating is of course ideal. Further, they should help socialise Oxford Statements within India to garner as much understanding and support as possible. They should also do so outside India among allied countries.

Importantly—within the Oxford Process (in its convenings or in relation to its Statements) and outside it—Indian government representatives should articulate their views on how they believe international law applies to cyberspace. This will help international law crystallise and therefore help protect Indian citizens from potentially devastating cyberattacks.

Disclosure: Nikhil Sud is a lawyer by training and specialises in legal and policy issues related to technology. He serves as Regulatory Affairs Specialist at the Albright Stonebridge Group (ASG), which has advised on the Oxford Process. Views expressed are personal and do not constitute legal advice.