#62 Apple Alerts Sow Seeds of Doubt In India's Digital Safety
Alerts, Breaches and Alerts About Breaches: Is India's Digitalisation Safe?, Terrible Tariff Tales, Unbridled Techno-Optimism - A Marc of Hubris?
Today, we will be discussing India’s need to build a responsible and resilient mechanism for cyber-governance.
Also This Week:
The need to rationalise India’s ICT Tariffs
Decoding Marc Andreessen's "Techno-Optimist" Manifesto
CybperPolitik 1: Alerts, Breaches and Alerts About Breaches: Is India's Digitalisation Safe?
— Anushka Saxena
As the Indian Computer Emergency Response Teams (CERT-In) celebrated the Cyber Jagrookta Diwas on November 1, 2023, phones of Apple users beeped with an alert that cautioned them about a "state-sponsored attacker" attempting to target their digital devices. Even though a lot of holes were poked in Apple's warnings, with Indian Minister for Electronics and IT Ashwini Vaishnaw claiming that its information "seems vague and non-specific in nature," the announcements were enough to spark uproar among political elites surrounding India's unsafe path to rapid digitalisation.
To add on, just a few days ago, on October 15, US firm Resecurity claimed in its blog that the Aadhaar database of the Indian government had experienced a breach, and the data of 8.15 crore Indian users was leaked on the dark web. The threat vector, going by the alias 'pwn0001', published this data under the title '[815 million] Indian Citizen Aadhaar and Passport Database 2023' in a CSV ZIP file 90 GB in size. The breach of biometric data from one of the largest databases on the planet in the world's largest democracy indicates just how vulnerable India's critical information infrastructure is to cyber threats.
India's Domestic Cyber Policy Apparatus
As a rapidly digitalising country, India is home to over 800 million internet users and 1.2 billion mobile users. Naturally, with such a large chunk of the population engaged in activities in the cyber domain, cybersecurity remains a cause of concern for citizens, governments (union and states), and businesses. Hence, both domestically and internationally, India needs to emphasise cooperation between stakeholders to further cyber governance and Information Technology security.
India does not have a national policy governing the threats described above; however, some cybersecurity laws and regulations exist to determine liability for breaches of responsible cyber behaviour. The most prominent of such legislation is the Information Technology Act (2000). Article 43 (Chapter X) and Articles 66 and 67 (Chapter XI) of the IT Act provide the basis for prosecuting crimes such as identity theft, hacking, denial of services, phishing, network tampering, and even 'cyber-terrorism'. Some of these crimes, such as phishing, are not explicitly mentioned in the legislation but are covered under the broader crimes that invite liability under the Act, such as "Punishment for dishonestly receiving stolen computer resource or communication device" (Article 66 B).
In 2013, India experimented with a National Cybersecurity Policy, a 9-page document that set out a 14-point strategy to build a secure and resilient cyberspace for citizens, businesses and governments. However, it does not have a binding effect, and most of its actionable elements are much too broad to encourage targeted policy action. However, progress has been made on some of the strategies outlined in the document, such as the operation of a 24x7 National Critical Information Infrastructure Protection Centre for reporting cybersecurity-related incidents and the establishment of a regulatory framework governing 'Critical Information Infrastructure' (CII). Because the NPIIPC has continued to define more and more government systems as 'protected' under the 'CII' category, any cyber attacks conducted against them are liable to be prosecuted as acts of 'cyber-terrorism', punishable under Article 66F of the amended IT Act with imprisonment for life.
Domestic Policy at the International Stage
As part of major United Nations-led mechanisms on cybersecurity, namely the two UN Open-Ended Working Group on Security of and in the Use of ICTs (2019-21 and 2021-25), as well as the Six UN Groups of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (GGE), India has made use diplomacy to advocate responsible State behaviour in cyberspace. India has also supported multilateral consensus on how the existing body of international law can apply to cyberspace and ICT. This was iterated by Ministry of External Affairs Joint Secretary Atul Gotsurve at the first substantive session of the 2021-25 OEWG, where he argued that the purpose of an elaborate discussion on how specific aspects of the existing international law apply to the ICT should be to "arrive at a universal approach to this matter under the UN auspices."
India's emphasis on cybersecurity at the global stage also reflects a lot of its domestic priorities. For example, it is evident from Indian Foreign Secretary Harsh Vardhan Shringla's speech at the UN Security Council Open Debate on "Maintenance of International Peace and Security: Cyber Security" (June 2021) that a critical pillar of Indian diplomatic approach to cybersecurity is countering cyber-terrorism. As a victim of cross-border terrorism emanating from its northwestern neighbour, Pakistan, India accords crucial value to the issue of terrorism in cyberspace. Even its contributions to the first draft of the Annual Progress Report of the OEWG adopted in July 2022, India supported the inclusion of a provision to "strengthen law enforcement cooperation to prevent the use of cyberspace for terrorist purposes." India also aims to further capacity-building across its key national ICT security stakeholders – namely, CERT-Ins (Indian Computer Emergency Response Teams) and the Telecom-Cyber Security Incident Response Team (T-CSIRT) – through global cooperation.
Multistakeholder-ism: A Missing Link
Apple's case study, as well as the warning infrastructure created by Resecurity, tells us that given the highly privatised nature of CII and ICT, governments cannot act alone in building governance and resilience for responsible cyber behaviour. A multistakeholder mechanism is essential to support India's diplomatic priorities. So far, because of India's top-down, government-led approach to responsible cyber governance, its stance on engaging the private sector and civil society has been lackadaisical.
Since 2021, India has made some progress by organising an annual multistakeholder consultative conference called the 'Internet Governance Forum' (IGF). Moreover, in his June 2021 speech, Gotsurve indicated a significant shift in India's stance by offering to break the deadlock between states on multistakeholder participation. He proposed to do so by calling on States to voluntarily declare reasons for their denial of the participation of NGOs/multistakeholder entities in cybersecurity-related multilateral deliberations. Moving forward, as India builds a resilient cyber and ICT security policy, including in the form of the upcoming National Cybersecurity Strategy, engaging private sector firms, NGOs, think tanks and civil society will become pertinent. Such a multistakeholder dynamic domestically will reflect automatically in India's diplomatic approach.
Cyberpolitik 2: Terrible Tariff Tales
— Bharath Reddy
The recent report by the Indian Cellular and Electronics Association examines the impact of India's import tariffs on India's mobile phone manufacturing sector. It finds that India's tariffs are higher than those of other leading electronics exporting countries, undermining its manufacturing competitiveness. The higher tariffs are intended to reduce imports and promote domestic production. But intentions don't matter; outcomes do. Tariffs are leading to higher costs without meaningfully shifting production to India. This situation effectively undermines other initiatives, such as the Production-Linked Incentive (PLI) schemes, reducing the competitiveness of Indian goods.
The report compares India with countries like China, Mexico, Thailand, and Vietnam, which have risen from having negligible exports to being among the top electronics exporting nations. Industrial policies promoting domestic manufacturing in critical sectors have become the norm in these countries competing for a share of the global manufacturing value chain. India's own production-linked incentives scheme for mobile phone manufacturing is an example. It offers 4-6% incentives for incremental sales over a period of five years.
The main factor that sets India apart from other countries with similar manufacturing incentives is its tariff rates. India imposes higher import duties compared to its competitors, which increases the production cost of finished products. This makes Indian goods less competitive in the global market. The report suggests that if India were to match its tariffs to Vietnam's lower rates, the competitiveness of Indian mobile phones could improve by approximately 4%. The tariffs are essentially cancelling out the cost benefits that the Production-Linked Incentive (PLI) schemes are supposed to offer.
Gulzar Natarajan explains in his blog that "Make in India" and "Make for India" are distinct concepts. Making in India requires manufacturing goods to meet global standards and for export, while Making for India requires producing for the domestic market, and these two markets might have little overlap. He observes that the high-consumption class in India, consisting of about 10% of the population, is limited. The domestic market will likely be small for products that meet international standards. Therefore, he argues that for Indian manufacturers to succeed, they must be plugged into global supply chains, targeting consumers beyond the domestic market.
The report focuses on the mobile phone manufacturing industry, but the lessons can be extrapolated to other sectors as well. Indian tariffs must be rationalised and made competitive with other manufacturing economies to integrate into global value chains.
Cyberpolitik 3: Unbridled Techno-Optimism - A Marc of Hubris?
— Bharat Sharma
Marc Andreessen — a Silicon Valley venture capitalist — recently published a "techno-optimist" manifesto. Anderssen begins by discussing a primary narrative of how we think about technology. Technology today — he mentions — is believed to play a role in high unemployment rates, low wages, health and environmental security. That makes us "angry, bitter, and resentful about technology", making us pessimistic about technology and its uses for us, including our future with it.
In the manifesto, Andreessen tries to disabuse us of this notion. Technology is undeniable to civilisation and its processes. He reminds us that civilisation is "built" on technology and has always been so in the past. At the heart of Anderssen's manifesto is technology's connection to our drive to advance human values. These values are truth, human progress, and abundance, among others.
Let me discuss two values: growth and intelligence.
First, Andreessen makes a connection between technology and growth. The other two factors of growth, according to Andreessen — population growth and natural resource utilisation — are not sustainable for our future. Population growth is shrinking, and natural resource utilisation for growth is limited — technology is our only way towards human progress. The most crucial material solutions for problems of darkness (electric lighting), starvation (Green Revolution), cold (indoor heating), heat (air conditioning), and pandemic (vaccines) have come from technology. So, it is an undeniable part of our material lives.
Second, Anderssen discusses intelligence and how it "makes everything better" and its importance for society. He links the need for expanding intelligence for society to artificial intelligence (AI). AI can be a "universal problem solver" — from medicine to car crashes to pandemics — and, therefore, "...any deceleration of AI will cost lives".
Finally, he discusses "techno-optimism" and what meaning it carries. Techno-optimism is a philosophy, Anderssen reminds us, of our material conditions — a "material philosophy" — not a political one. This means that his focus on technology is material in nature: technology for Andreessen aims to "open the aperture on how we may choose to live amid material abundance". Material abundance does many things: it opens the space for religion, politics, and ideas for living socially and individually.
Finally, technology is also "liberatory of human potential". It expands what it means to be free for us — even though it may seem like freedom is being taken away from us as we increasingly hand over decision-making to machines.
As Nitin Pai writes in an Op-Ed discussing this manifesto, Andreessen's thinking is guided primarily by business models, including the increasing global regulatory attention towards technology. Moreover, being optimistic about technology does not mean we can excuse being cautious about technology: one could be a techno-optimist but also be sensitive to constitutional values and societal obligations.
What We're Reading (or Listening to)
[Opinion] The Quad needs to work with other groups. ASEAN is the place to start, by Bharat Sharma
[All Things Policy Podcast] Energy Access and Community Development, ft. Akansha Saklani and Satya Sahu
[Video Essay] The End of American Lithography by Asianometry