As an economic power and pivotal regional player in Asia, India is home to the second-highest number of internet users of any country in the world. Its role in establishing norms in cyberspace, as well as how it approaches securing networks, could have a lasting impact on the security and freedom of the global internet for the years to come. The Cipher Brief spoke with Jonathan Reiber, a Senior Fellow at Berkeley's Center for Long-Term Cybersecurity and former Chief Strategy Officer for Cyber Policy in the Office of the Secretary of Defense under former Secretary Ashton B. Carter, about the status of India’s efforts to secure its digital networks and the cooperative relationship the United States and India are forging in this critical space.
The Cipher Brief: How has India become more digitally connected in the last few years?
Jonathan Reiber: Let’s start with some context. Last year, India surpassed the United States in the total number of people online, second only to China. While China was upwards of 720 million internet users, India jumped past the United States to something like 460 million in 2016. But the interesting thing is that the United States is at essentially 90 percent user penetration, and by the end of 2015, China and India were only at about 51 percent and 36 percent penetration, respectively. So if you consider that India’s population is now second-largest in the world, but only at about 36 percent internet penetration, then there is a massive number of users who still can come online in that economy.
Currently, the Indian government and private sector seek to expand India’s digital access through an initiative known as Digital India and other economic initiatives like Start Up India and Make in India, as a broader foreign direct investment push. There are multiple streams of access, some of which include free Wi-Fi at train stations, or, further down the line, Google’s Project Loon, broadcasting the internet into rural areas that are off the grid. India’s own venture capitalist culture has developed in the information technology industry, along with multinationals, to spur growth in the sector.
TCB: What kinds of vulnerabilities does this create? Are threats primarily from cybercrime or foreign government activity?
JR: Beyond strategic threats, India faces a lot of cybercrime. Ransomware is a huge problem and a major concern for the Indian government as people often have their passwords stolen and control of their devices held by criminals. From a national defense standpoint, India is only beginning now to enter into real, in-depth, private-public conversations about major institutions and critical infrastructure. The formal structures for doing so – those the India government has organized – are beginning to take off now. So there will be a lot of growth in Indian cybersecurity policy in the next few years.
Compared to the United States – which has a number of potential nation-state adversaries that strategically compete or threaten it in cyberspace – India has a fewer number of hostile states that would do that. Certainly Pakistan and China are the two biggest areas of concern, with China’s capabilities being greater than Pakistan’s, but Pakistan having an apparently higher degree of hostile intent, given the geopolitical relationship.
Countries ultimately engage with other countries in cyberspace in a manner similar to the real world. Meaning, if there are high degrees of mutual suspicion, or if there are significant intelligence purposes to be gained, states will pursue either their strategic or intelligence interests in relation to that country in cyberspace. So for future conflicts, it is not a question of if, but when, governments will try to use cyber capabilities against each other. It is a safe assumption that if countries are hostile towards one another and have network capabilities, they are going to use cyber capabilities against one another. So it helps to start with the political and then lay some of the more technical questions regarding cyberspace questions on top of it.
TCB: What role does India play in establishing international norms in cyberspace? Are they a bridge between the East and the West?
JR: India is a country of laws and democracy, and they share similar values and views of the world with the United States. Regarding norms of cyberspace operations, India largely follows the law of armed conflict. The United States does too, and the United States sensibly wants to partner with India on an entire range of strategic issues that impact both countries. Separately, when looking at internet governance, India has articulated a desire to follow a multi-stakeholder governance model, similar to the Internet Corporation for Assigned Names and Numbers (ICANN) model that has been in place for a long time. Given these values, India could also play a useful long-term counter to China in regional and international forums.
TCB: Could you expand on the cybersecurity cooperation between the United States an India?
JR: This bilateral cooperation should be viewed through the broader contours of the U.S.-India relationship, and the two countries have deepened their formal and informal mechanisms of cooperation in the last few years. For example, the Obama Administration led a Strategic and Economic Dialogue with India, and cooperation on cyberspace was a part of that, which included deliberations on cybercrime, norms, and resiliency planning. The two countries also agreed on a Framework Agreement for cyberspace, which is a terrific step.
The defense relationship deepened significantly under former Secretary of Defense Carter. When he launched the Department of Defense Cyber Strategy, it included India within it because the Administration made the overall partnership so important. So while the two countries do not have a deep military-to-military cyber defense relationship currently, there is an appetite for expanding the relationship more broadly, which bodes well.
There are also longstanding private-to-private partnerships between companies in the two countries. India’s modernization and entry into the global market in the late 1980s and ‘90s, allowed for a telecommunications boom. During the Y2K crisis of 2000 in the United States, there weren’t enough engineers to change all the computer clocks in order to avoid catastrophe, so the United States and others hired Indian engineers to help. They were a huge reason for why Y2K did not become a disaster as they acted as a major force augmentation. That paved the way for India’s further growth as a hub of information technology.
TCB: What is the relationship between the Indian government and the private sector, specifically in regards to critical infrastructure?
JR: The Indian Parliament passed laws requiring the assessment of critical infrastructure. There are also information-sharing arrangements between the sectors of the Indian economy and the government, some of which are more mature than others. Unsurprisingly, the financial sector has relatively mature information-sharing organizations.
Ultimately, every economy in the world has a ways to go in terms of securing its critical infrastructure, and that includes India. The United States’ security framework that was developed by the National Institute of Standards and Technology (NIST) was very helpful for countries all over the world, including India, as they began to think about a framework for critical infrastructure protection.
The Indian government is growing its capabilities for engaging the private sector, and even though there has not been a tremendous amount of progress over the last few years in building a partnership between the government and private sector, we will see more in the future. They understand as well as anybody else what needs to be done. For every society, the problem is one of implementation. They’ll get there; we all need to.
