Where Are US-India Cyber Relations Headed?

By Arun M. Sukumar
Tuesday, May 24, 2016, 11:02 AM

The US-India cyber relationship is as much a marker of global governance of common digital spaces as it is about core bilateral economic and security engagements. In 2015, India signaled its willingness to accept rules of the road as set forth by the United States by making an unqualified endorsement of “multi-stakeholder” internet governance. Having defended this position at the 2015 BRICS heads of state summit in Ufa, Russia and, more recently, at the foreign ministers meeting of the Russia-India-China trilateral, New Delhi demonstrated that this political commitment can weather diplomatic headwinds.

If India and the US are able to transform their convergence in policy positions into tangible cooperation in cyber security and the digital economy, this would send a clear message to developing countries. It would mean that digital spaces can be effectively secured while accounting for the freedoms of expression and commerce on the internet. And for many economies in Asia, Africa and Latin America that are struggling to protect their digital networks, it would be worth replicating a successful model of cooperation between India-US.

Regulators across the world—most notably in the European Union—are contemplating data localization as the answer to increased cyber vulnerabilities. Without a comprehensive digital trade regime, emerging economies have little incentive to calibrate market regulations that promote innovation and also support local language content. The consequence would be a fragmentation of the internet, not of its infrastructure, but along political and economic fault lines. While India-US cooperation is not the solution to all these problems, it is a first step in demonstrating that comprehensive cyber engagement between emerging and advanced digital economies is possible.

Of course, this is by no means an easy task. The US-India relationship has its own set of weighty concerns to tackle and could benefit from sustained engagement on both sides. The bilateral cybersecurity dialogue was intended to occur annually, but has been convened twice in four years—indeed it has only truly picked up steam since 2014. The US-India Working Group on Information and Communication Technologies (WG-ICT) has met since 2005, but is in need of a fresh and forward-looking agenda to address the future of private sector cooperation.

The first high-level multi-stakeholder platform organized after India’s policy shift on internet governance—the Track 1.5 Cyber Dialogue—made it clear that the scale and intensity of bilateral engagement needs to be stepped up. The first leg of the Track 1.5 dialogue, convened by the Council on Foreign Relations and the Observer Research Foundation in Washington DC, saw the top cyber coordinators of both countries candidly engage the private sector, academia and civil society on issues ranging from market regulations to data protection standards and cyber crime. That this relationship is also an area of priority for the US Congress was evident by the presence of Ed Royce, chairman of the House Foreign Affairs Committee.

If anything, the Track 1.5 underlined the need for multi-stakeholder conversations even on core cybersecurity concerns. Take, for example, data requests and MLATs, which officials often cite as the number one issue in the India-US cyber relationship. There is near unanimous agreement that the current DoJ-led system governing data-sharing must be streamlined and become more responsive to the legitimate law enforcement concerns of other governments. To encourage that process, the United States needs to modify its Electronic Communications Privacy Act and determine which requests involving non-US citizens can be directly provided by US companies without a warrant. Although this is primarily a domestic conversation, the actors involved—privacy activists, law enforcement officials and Congressional representatives—also need to be convinced that the country requesting such data will not misuse the MLAT process. Human rights lawyers and civil liberties activists in India must articulate to their US interlocutors that while its privacy standards may not be comparable to the First Amendment, India’s constitutional guarantees on free speech and expression are subject to rigorous judicial review. Companies based in the United States but playing a key role in the Indian digital economy must be convinced that data requests will be subject to clearly defined rules, blessed by both governments. These exchanges can only take place in a multi-stakeholder environment.

Several proposals to improve the MLAT process have already been offered by US experts, and both governments should explore how those proposals fit the US-India context. An effective MLAT arrangement will go a long way in weakening India’s regulatory impulse to localize data, which in turn would send a positive signal to emerging digital economies across the world.

India and the United States have some distance to cover before their market regulations on the digital economy can converge. India’s digital marketplaces are driven by the imperative to promote local language content, offer affordable connectivity, and render the latest software accessible to first generation users at accessible prices. As a result, both countries are likely to see differing standards in investment regulations, intellectual property norms, and consumer protection guidelines. New Delhi has nevertheless demonstrated a bipartisan commitment to build on its commitments at the WTO; its ratification of the Trade Facilitation Agreement, a domestically contentious decision, demonstrates this commitment.

Given the great disparity in the nature of Indian and US digital economies, the cyber relationship should not spend all its energies trying to harmonize market regulations. On the other hand, technical standards and licensing regimes for cross-border sale and use of technology should be brought closer. Indian companies and users stand to benefit from cutting-edge products and services offered by US operators, and there is no reason why both countries can’t collaborate in the development of testing criteria and technical protocols. If security reasons have compelled India—whose electronic supply chain relies almost entirely on foreign products—to develop unique standards, there is also room to re-examine them. The conversation on standards is both a bilateral and plurilateral one. As the International Telecommunications Union has lent itself to government participation at the exclusion of other stakeholders, multi-stakeholder bodies like the Internet Engineering Task Force need to make their platforms accessible to private sector from India and other emerging economies. Joint efforts by India and the United States to make standard-setting bodies more inclusive to all stakeholders will go a long way in streamlining supply chain norms in Asia and Africa.

The pace of progress on key issues may not always be satisfying, but it is important that India and the US set the terms of their cyber engagement. Digital spaces are likely to be characterized by differing legal standards and developmental imperatives. And if two powerful digital markets are able to cooperate on economic and security concerns through their stated regulatory differences, that would indicate to other actors that the benefits of engagement far outweigh the costs of fragmented internet governance.