Special Address by Ambassador Vijaya Latha Reddy, Formerly Dy. National Security Adviser and Secretary (East), Ministry of External Affairs, Government of India The Role of International Cooperation in Cyber Security This conference has given me a unique opportunity where I can discuss two of my passions- India-ASEAN relations and Cyber Security! May I express my grateful thanks to RIS and to Ambassador Shyam Saran for inviting me to this conference. My commitment to India-ASEAN relations began when I was posted as Ambassador to Thailand during the 18 month chairmanship of ASEAN by Thailand. Then, while I was serving as Secretary (East) in the Ministry of External Affairs and dealing with ASEAN and the EAS I did my best to promote India- ASEAN relations. We finalized the 2010-2015 Plan of Action then and are now finalizing the new five year plan to be adopted. I am delighted that we have moved from Looking to Engaging to Acting East! In 2012 we held the first ever India- ASEAN Commemorative Summit and that Summit and the allied activities have been a high point in India-ASEAN relations. I am also happy that we have appointed Ambassador Suresh Reddy as our Ambassador to ASEAN, as he was our first Joint Secretary exclusively dealing with ASEAN in the Foreign Ministry. We must move actively now on concrete issues such as Cyber Security cooperation. Let me begin by saying a few words on the nature of international cooperation in Cyber Security. Such cooperation can be bilateral, regional or multilateral. In all these cases, trust is essential between the countries involved. Trust on cyber issues has, however, been severely affected by revelations of large scale espionage and surveillance, especially after the Snowden revelations. As Professor Joseph Nye says: Trust will now have to be rebuilt bottom up, with new software technologies and procedures for inspection of hardware supply chains. Some argue that low trust will be a persistent condition and will exacerbate a fragmenting trend towards greater control by sovereign states. 1
However, I believe that trust does indeed exist between ASEAN countries and India, and we therefore begin with a major advantage when we discuss Cyber Security cooperation between ourselves. On Cyber Security itself, during my posting as the Deputy NSA, I was involved in evolving several measures to strengthen India s cyber security infrastructure, which included the followings: a) We formulated and published our Cyber Security Policy in 2013 (one of the very few countries to do so) b) We created an Architecture and Infrastructure for coordination and responsibilities within government (to deal with silos, overlaps, gaps). c) We did promote international cooperation through bilateral discussions with individual countries such as the US and Singapore, and in UN fora such as the UNGGE. d) We worked specifically on strengthening cyber security for the Critical Information Infrastructure or CII protection we have published identification of CII sectors, and the setting up of the NCIIPC e) A JWG was set up for PPP or for the Government and private sector to work together on cyber security f) A proposal to set up a National Cyber Coordination Centre was approved. g) The creation of an R&D Fund to encourage innovation in cyber security. h) Emphasis was laid on Capacity Building and setting up of Centres of Excellence We will need to consult on these and other issues on a regular and ongoing basis and in real time. We need to be actively present and vocal at UN-led meetings such as UNGGE and ITU or at all major track 1.5 and 2 global meetings. We need to consult before, during and post these meetings and evolve common positions where possible. I have been struck when I speak at various fora by the preponderance of US and European representatives and the absence of ASEAN countries and representatives. In contrast the OECD, the WEF, and other groups play a very prominent role. 2
It would also be important to have an ASEAN representative - as opposed to individual country representation -at all these important meetings on cyber security both Track I, Track 1.5 and Track II. As Deputy NSA Arvind Gupta mentioned we do need specific mechanisms between India and ASEAN. We can have CERT to CERT cooperation, R&D cooperation, cooperation on Cyber Crime and Cyber Terrorism, LEA-LEA contacts, Intelligence sharing, Social Media Analysis, Sharing of Best Practices,Capacity Building and Training, coordinating our positions at meetings such as the UNGGE and the ITU as well as at Track II meetings such as the IGF, Technical Institutional Cooperation in agencies such as ISOC, ITEF, ICANN issues. We also need to discuss the so-called Rules of Road particularly on Cyber Warfare and Cyber weapons. Can we think of setting up the followings in terms of specific outcomes to grow our cooperation in cyber security? a) A JWG (either Track 1 or 1.5) between India and ASEAN on Cyber Cooperation. b) Specific projects under the new 5 year POA. c) A Regular Review of progress at India-ASEAN SOMS, Ministerial and HTG/HOS Summits d) We need to create India-ASEAN PPP models to encourage a multi-pronged approach to cyber security cooperation e) Can we use the deliberations and recommendations of the CSCAP (Council for Security Cooperation in Asia Pacific) where most ASEAN countries are part of the study group on Cyber Security including Indonesia, Malaysia, Philippines, Singapore, Thailand, Cambodia, Vietnam What the CSCAP essentially recommends is that each State creates a holistic domestic cyber security system and simultaneously common collective measures of cooperation should create a strategy to enhance Cyber Security to mutual benefit of all states. While the recommendations were drawn up for the ARF, they are equally applicable to India-ASEAN cooperation. In brief they advocate a holistic Cyber Security strategy, more Cyber Security awareness and education within the 3
government, private sector and society in general, more effective PPP cooperation, creation of a legal framework, regional consultations and enforcement capabilities, and the need to establish CERT to CERT cooperation. For Regional Cooperation CSCAP recommends setting up mechanisms for information sharing and experiences of cyber threats detection, containment and mitigation measures coordinated responses and real time information sharing. Also we need to implement capacity building and technical assistance measures to strengthen crisis management of all states, especially those with weaker infrastructures. We need to work on legal harmonization first an inventory of international conventions on cyber security and eventually harmonization of laws to combat cyber crime. CSCAP also recommends that we establish a Regional Cyber Security Action Task Force (CSATF) to review all cyber-related activities of other regional or global organizations (UN, ITU, APEC, OECD) to assess what role our countries can play in supporting such solutions. The important point is that in our unity lies strength. If ASEAN efforts to coordinate between its members can be bolstered in any way by India s participation, while I can no longer speak for the government officially, I remain confident that India stands ready to assist in any way possible. As I mentioned, we face the same problems in forging our regional cooperation as exist in international cooperation: (a) (b) (c) Deficit of Trust Varying Capabilities Allegiances to multi-stakeholder model or to multilateral model Why is international cooperation such a complex and controversial issue? Firstly, the regime complex that currently governs various aspects of cyber space and internet governance is a huge interlocking and overlapping group of mechanisms and organizations. Those who advocate the multi-stakeholder model of internet governance and those who advocate the multilateral model are obviously at 4
loggerheads. Most of us fall somewhere between these two extremes. This is why we need to be actively present in deliberations of all these organizations which relate to cyber security and internet governance issues we need to be there as governments and as think-tanks and experts. There is also a certain confusion about various areas that affect cyber security including internet governance issues, critical information infrastructure, cyber warfare and cyber weapons, cyber espionage, cyber crime and terrorism. Each of them is elaborate and complex issue but they tend to be linked together. The issue of Cyber Security can become even more complex as threats can be transnational in various ways between States, Businesses, and Non-State Actors in various permutations and combinations. We must regularly consult on all these areas and cooperate to strengthen our individual and collective Cyber Security capabilities. To conclude therefore let me reiterate the way forward for enhanced cooperation between ASEAN and India. 1. Create a JWG with two ASEAN and Indian co-chairs to meet regularly (Track 1.5 preferably) to pursue ASEAN-INDIA Cyber Security Cooperation. 2. Ensure regular review of the progress in this area by ASEAN-INDIA SOM/Ministerial./Summit meetings. 3. Enhance institutional level dialogues between think tanks, academic R&D institutes as well as CERTS. 4. Enhance LEA cooperation in real time to deal with cyber crime and terrorism. 5. Synergize our strengths in software and hardware and set up joint testing labs. 6. Capacity building and skill development cooperation. 7. Set up specific projects under the ASEAN-India Plan of Action 2015-2020. 8. Study the CSCAP Study Group Recommendations and see whether they can be used as a template for India-ASEAN cooperation. 9. Actively participate in all important Track I, 1.5 and 2 international meetings and actively consult on an ongoing basis to coordinate our positions wherever possible. 5
Hopefully, I have managed to draw up a possible road map and way forward for our future cooperation in specific areas on the critical and vital subject of cyber security as well as on internet governance. Once again I thank RIS and Ambassador Shyam Saran for organizing this timely conference and giving me the proverbial last word today! 6