Bringing Capacity Building In Cybersecurity To The Fore – Analysis
By Manohar Parrikar Institute for Defence Studies and Analyses (MP-IDSA)
By Cherian Samuel*
The quest to create norms in cyberspace has again gathered steam, more than a year after the United Nations Group of Governmental Experts (UNGGE) process proved unable to arrive at a consensus report. This time around, two simultaneous mechanisms have been set in motion: a UN Group of Governmental Experts (UNGGE), like earlier, spearheaded by the United States and the Western allies; and, an Open-Ended Working Group (OEWG) led by Russia and China, and supported by a number of other countries. In the absence of any serious introspection on the part of governments over why the previous UN-led process failed, coupled with the fact that the new initiatives are likely to be competitive rather than complementary, it is hard to be optimistic that norms in cyberspace will materialise anytime soon.
The focus of the state-centric mechanisms such as the UNGGE has been on two tracks: confidence building and capacity building. Both come with their own legacy issues which indirectly impact their use in these mechanisms. Confidence building finds its origins in the Cold War era, when such measures were deemed necessary to reduce the possibilities of conflict between the two nuclear armed blocs. Much of the same discourse, terminology and presumptions have therefore seeped into confidence building measures a propos cyberspace and led to it being viewed through the same prism of conflict. One of the reasons for the collapse of the UNGGE process could be said to be its excessive focus on the security component in the deliberations and in the draft report. Whilst the goal was to arrive at confidence building measures, the existing atmosphere of suspicion and distrust meant that issues such as the rights of states in responding to cyber attacks and taking appropriate countermeasures were viewed by some countries as mechanisms to legitimise “unilateral punitive force actions” and covert attempts to “convert cyberspace into a theatre of military operations.”
Capacity building, on the other hand, has largely been associated with aid programmes and couched in the language of development. Discussions on capacity building have often revolved around issues of the responsibilities of “donor’’ and recipient’’ countries, the ability of recipient countries to absorb and utilise technical knowhow, finding sustainable sources of funding for capacity building efforts, and so on. The spending of resources to build up capacities in other countries has been justified on the grounds that this has considerable spin-off benefits in areas ranging from migration to security. Whilst this has largely been a one way flow in most areas, with the developed countries identifying successful policies, practices and ideas, and then adapting and sharing them with the less developed countries, it is a more equitable process in cybersecurity where no one country can claim to be truly secure. At the same time many of the dilemmas that have hobbled traditional capacity building can also be seen to be at play here, the foremost being that ‘donor” countries have their own priorities and perceptions of what they should pass on to recipient countries which might be completely irrelevant to the needs of latter. Consequently, like confidence building, capacity building has also been viewed with suspicion, seen by some as a tool of foreign policy, a means to advocate a particular model of governance, create market access for domestic companies, or promote specific technical standards.
The mandate of successive UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security has been to deliver consensus reports and recommendations to the First Committee of the United Nations which deals with disarmament and international security issues. Given these antecedents, it is but only natural for the UNGGE to concentrate on issues of security and to consider capacity building as an adjunct to confidence building. This is also reflected in the outcome reports of various UNGGEs. Whilst the 2015 Report expressed the “vital importance” of capacity building as a means to “bridge the divide in the security of ICTs and their use,” the preceding 2013 Report described capacity building as a key pillar in global efforts to “reduce risk and enhance security [and to] promote a peaceful, secure, open, and cooperative ICT environment.” Cyber -related issues have also been brought before the UN’s Third Committee, which deals with social, humanitarian and cultural issues. Most recently, Russia initiated a resolution on cybercrime, which was passed with 88 votes in favour, 55 against and 29 abstentions. Essentially, shifting cyber issues to another committee will not make the faultiness go away or shift focus to less contentious issues.
It goes without saying that for a global build-up of cybersecurity, capacity building needs to be given much more importance than it has received till date. The history of benign neglect of capacity building seems to be changing with a number of new initiatives coming to the fore, chief among them being the Global Forum of Cyber Expertise initiated by the Dutch Government under the London Process, which is possibly the first intergovernmental initiative solely dedicated to cybersecurity capacity building. Other initiatives have included the Global Cyber Security Capacity Centre in Oxford, which was set up by the British Government after the first Global Conference on Cyber Space (GCCS). Such initiatives allow countries to share experiences and expertise, an example being India’s Cyber Surakshit Bharat Initiative which has been shared with the GFCE.
Within the rubric of capacity building, the two most useful components are: 1) Maturity Assessments of various countries and even various sectors across countries; and, 2) Simulation Exercises of likely scenarios requiring emergency response. Maturity Assessments serve a variety of purposes; they enable benchmarking of capabilities, and allow policy makers to assess gaps in capabilities and decide priorities. While such exercises are being continually carried out by organisations at the global level, carrying out similar exercises at the regional level would enable countries at a largely similar level of maturity to assess requirements more realistically. Regional initiatives also have the advantage of avoiding any ideological creep and policy advocacy that are implicit in many of the global initiatives on capacity building.
The second component of capacity building, which is a natural corollary of Maturity Assessments, are simulation exercises of likely scenarios requiring emergency response. Again, more associated with confidence building rather than capacity building, it is a useful way to gauge available expertise, inefficiencies in information sharing, and other processes, and ultimately speed up cyber capacity building in countries since it would include cyber security response teams, national critical infrastructure and government agencies, and other stakeholders. It is also a useful bridge between policy makers and practitioners, taking a complex subject out of the conference room and into the operational arena, and enabling each to understand the other’s perspectives and constraints. When used across countries, it becomes both a confidence building as well as a capacity building mechanism with the added addition of enabling networking amongst networks and feeding into the global conversation on cybersecurity.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.
*About the author: Cherian Samuel is Research Fellow at Institute for Defence Studies and Analyses, New Delhi
Source: This article was published by IDSA