Declaring cyber-neutrality

India must face ground realities. We have a huge digital infrastructure but lack of cyber security measures and little to no spending on digital awareness have ensured that we are vulnerable should a cyberwar break out against us. This would be a major disaster as so far we do not have the financial muscle to initiate a disaster recovering mechanism in place.

The only option then in the case of a cyberwar, which is becoming increasingly likely given recent events, is for India to take the pragmatic option and declare itself as a ‘cyber-neutral’ state. What does a cyber-neutral state mean? A cyber-neutral state is a country which declares that it will not participate in a cyberwar, nor take sides with participating countries, nor allow its IT infrastructure to participate as attack points or ‘Zombies’. This gives us a tremendous strategic advantage by securing and saving our IT infrastructure, and in case we are attacked, world protect us as per existing warfare rules. India can be the ‘Switzerland’ of kinetic war.

India needs to consider these options very carefully, as already developed nations have hinted at possibilities of unleashing a cyberwar. The country accounts for about 67 per cent of the global outsourcing market and the number of internet users in India is expected to reach 500 million by June 2018. Thanks to the government’s Digital India initiative, the data centre market in India is expected to touch $4.5 billion mark by 2018. But the threat to IT operations increases by the day. Statistics show that already over 22,000 Indian websites, including 114 government portals, were hacked between April 2017 and January 2018, and as per CISCO, Indian companies lost $500,000 to cyber attacks in the last one-and-a-half years. These attacks are all the more serious as, thanks to Digital India, an increased allocation of funds — Rs 3,073 crore — has been set aside for the 2018-19 fiscal, further promoting e-governance. Coupled with this, the number of transactions over mobile wallets in India is expected to reach a mark of Rs 1 trillion in 2018. It is no exaggeration to say that a well-targeted cyber attack could cripple us economically.

Once we have accepted the premise of cyber neutrality, we must stop and think about just what form and shape it would take. According to Sections 5 and 13 of the Hague Convention of 1907: ‘A neutral country in a particular war is a sovereign state which officially declares itself to be neutral towards the belligerents. The law of neutrality regulates the relationship between the parties to an international conflict and states that they are not party to the conflict. One of its key purposes is to protect parties to a conflict against action or inaction on the part of neutral States that benefits their enemies.’

This declaration of neutrality is something that should govern a state. In this regard, laws have to be framed to ensure that cyber infrastructure, located within the territory of a neutral state, is considered neutral in character. As the Tallinn Manual, an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare, points out, ‘neutral cyber infrastructure’ means public or private infrastructure located within neutral territory. This includes civilian cyber infrastructure owned by a party to the conflict or that has the nationality of a neutral State (and is located outside of the enemy’s territory). This not only safeguards India but the first world as well. India’s declaration as a cyber-neutral state ensures the protection of data centres and outsourced operations of first world countries in the country. Another advantage of cyber-neutrality is India could receive comparative advantage over China, as no one could conceive of Beijing being a cyber-neutral state.

There are still issues though. The caution here is when a State involved in an armed conflict uses the cyber capabilities of a neutral State to gather information that is used to attack its opponent, and that attack causes injury to people and property, the aggrieved State can target the neutral State’s cyber capabilities with cyber-attacks. Though the LOAC (Law Of Armed Conflict) protects neutral countries in a war, there are limitations. For instance, if the neutral State is found to have “actual” or “constructive knowledge” of the cyber war activity and is “unwilling” or “unable” to take timely action to rectify the matter, such an attack could be seen to be justified under international law.

India needs to fortify its cyber space and exhibit the same to the world. India also needs to have its own local DNS resolution so if required it can shut off the outside world and go into a cyber cocoon of its own. This ensures that no outward connections are possible and thus no compromise of its cyber infrastructure until the cyberwar settles.

Declaring ourselves a cyber-neutral state may seem a naïve idea to some at the moment, but it is the only means to save ourselves from a costly cyberwar which we cannot afford to fight. Any loss in a cyberwar will dent the country’s image as a global IT outsourcing hub and will render losses to civic and banking infrastructure which heavily relies on the Internet. The nascent startup industry and the Digital India initiative will be completely jeopardised. Thus, in the absence of any International cyber treaty, India should take the lead and declare its cyber neutrality to safeguard itself.

The author is an international Cyber Lawyer and Cyber Thought leader. Views are personal