Prospects and Perils for EU-India Cybersecurity Cooperation

On December 16, the European Union published its new Cybersecurity Strategy. In the document, it recognizes the need to “strengthen and expand its cyber dialogues with third countries to promote its values and vision for cyberspace, sharing best practices, and seeking to cooperate more effectively.” Over the past decade, the European External Action Service has established cyber dialogues with several of the EU’s strategic partners. In fact, two days prior to the publication of the strategy, delegations from the EU and India led by foreign-policy officials convened online for the Sixth EU-India Cyber Dialogue. During the coronavirus pandemic, a dramatic uptick of malicious cyber activity in Europe and India underscored the need to further develop tools that help prevent escalation of cyber conflict.

In light of the strategy’s proposition to strengthen the existing cyber dialogues, three priority areas are likely to shape the cooperation between the EU and India in the field of cyber conflict prevention in 2021: international law and cyber norms, diplomatic measures, and capacity building. These three areas were discussed at the Track 1.5 EU-India Cyber Consultations on Managing Crisis in Cyberspace, jointly hosted by the EU Cyber Direct project, of which the German Marshall Fund is an implementing partner, and the Observer Research Foundation, from 27–28 October.

International Law and Norms in Cyberspace

First, the EU and India will work toward successful multilateral negotiations on how international law applies to cyberspace and which norms, principles, and rules should be promoted to advance responsible state behavior. Two processes at the United Nations dealing with this topic, a Group of Governmental Experts (GGE) and an Open-Ended Working Group (OEWG), are in the last stages of negotiating their final report. Several EU member states and India participate in both processes and they should lead efforts to clarify and operationalize the existing acquis, examine add-ons such as the protection of the public core of the internet, electoral processes and the health sector, and further its acceptance. Yet, the UN has increasingly become an arena of political struggle rather than of problem-solving, as reflected in the EU’s cybersecurity strategy, which observes a “deterioration of an effective multilateral debate on international security in cyberspace.” Participants in the consultations recommended that the EU and India leverage their diplomatic clout with like-minded and other parties in the GGE and OEWG to achieve compromise on controversial issues, and consider developing cyber conflict arbitration mirroring conflict-resolution mechanisms of other multilateral institutions and support multi-stakeholder initiatives to promote cyber norms.

In addition, building on the publication of national views on the issue by several member states, the Cybersecurity Strategy also noted that the EU will develop its own position. The Indian government has announced that it will publish its updated cybersecurity strategy soon (both sides had published first iterations in 2013), which will be an opportunity to systemically compare approaches to increase transparency.

Diplomatic Tools to Prevent and Manage Cyber Conflict

Second, the EU and India should exchange best practices on developing and employing diplomatic tools to prevent and manage malicious cyber activities. In its new strategy, the EU reinforces its Cyber Diplomacy Toolbox by establishing an EU cyber intelligence working group to advance strategic intelligence cooperation on cyber threats and activities, to further develop its cyber deterrence posture, to examine additional measures, and to lower the hurdles to imposing sanctions. Once India publishes its new strategy, both sides should compare their understanding and use of such diplomatic tools and assess the potential for coordinated measures.

Among these tools, confidence-building measures (CBMs) constitute one of the three pillars of the global framework for responsible state behavior in cyberspace. Primarily driven by regional organizations such as the Organization for Security and Co-operation in Europe and the ASEAN Regional Forum, they comprise practical transparency, cooperation, and stability measures to avoid inadvertent conflict escalation caused by misperceptions. The consultations expressed the concern that their operationalization is still insufficient to effectively build confidence. The EU and India should exchange best practices on how to tailor the implementation of CBMs to the specific regional or sub-regional contexts, including via interregional dialogue. Both sides should further clarify the links between regional and global CBM efforts and how the much-discussed global repository of CBMs and registry of political and technical points of contact can be maintained sustainably. The institutionalized EU-India Cyber Dialogue is a CBM in itself and should be used to further enhance transparency on capabilities and doctrines.

The consultations also addressed the impact of cyber sanctions. The EU adopted a cyber sanctions regime in 2019 and imposed such sanctions for the first time in July and October. The Indian government has yet not yet disclosed its position on the use of such targeted restrictive measures. Future EU-India cyber dialogue should address persistent concerns with regard to the effectiveness of imposing restrictive measures against a more powerful adversary and the need for sanctions to be backed by the UN Security Council.

Building Cybersecurity Capacity

Finally, the adherence to cyber norms and the effectiveness of preventive measures depends on adequate capacities, from basic awareness to the ability to attribute incidents and enforce consequences. The consultations highlighted the urgency of increased investment in cyber capacity building, which needs to be a global and multi-stakeholder exercise. It was suggested that the EU and India could jointly step up efforts to help third countries build their capacities in multilateral and multi-stakeholder initiatives such as the Global Forum on Cyber Expertise.

The EU-India cyber dialogue in 2021 can build on an established track record. Apart from the Track 1 Cyber Dialogue itself, both sides discuss issues relevant for conflict prevention at their summit, foreign policy and security consultations, and ICT Working Group, their computer emergency response teams (EU-CERT and CERT-IN) cooperate at the operational level, and India maintains bilateral cybersecurity arrangements with several EU member states. The Sixth EU-India Dialogue and the Track 1.5 consultations also covered related issues on cybercrime, disinformation, internet governance, and new emerging cyber-related technologies. At the former, the EU and India reaffirmed their commitment to an open, free, accessible, secure, stable, and peaceful cyberspace. While international law and norms, diplomatic tools, and capacity building will be priority areas to build a secure, stable, and peaceful domain, future EU-India cyber dialogues will need to combine these with joint efforts to defend openness, freedom, and accessibility in a post-pandemic order.