By Shilpa Rao

When the security advisors of BRICS countries met in New Delhi on September 15, 2016, they emphasised the need to improve cooperation in cybersecurity to combat cybercrime. They also agreed to enhance cybersecurity efforts through information sharing and improving cooperation between technical and law enforcement agencies. This follows from steady and increasingly successful measures to promote co-operation in cyberspace over recent years.

BRICS nations have contributed to agreements relating to cyberspace at bilateral, regional and multilateral forums. In pursuing their interest in internet communication technologies (“ICTs”), These nations have actively engaged with international processes targeted at norm development in cyberspace, such as the UN Group of Governmental Experts (“UN GGE”).The first meeting of the 5th UN GGE recently concluded on September 2, 2016 in New York, with a final report to be published in 2017. This post attempts to track the positions and contributions of BRICS nations to this process, including points of convergence and differences.

The BRICS at the UN GGE

The beginning of BRICS countries’ engagement with questions of information security at the UN can be traced to Russia’s draft resolution on “Developments in the field of information and telecommunications in the context of international security”. This was introduced before the First Committee of the UN General Assembly in 1998, and the resolution was adopted without a vote.

Later, in 2001, Russia proposed the establishment of a GGE on information security in a report to the UN Secretary General. The group was to review potential and existing threats to information security, examine possible measures of cooperation between member States, and conduct a study of international information security issues. In this context, the US emphasised on the need to concentrate on the nature of cybersecurity attacks- with special focus on non-state actors such as individual hackers, terrorists, and organised criminals.

When the first GGE convened in 2004, Russia, China and Brazil had called for state sovereignty over information security. The US had opposed such calls for state control of information, considering the move to be politically, culturally and socially disruptive. In addition to a lack of consensus on the issue of state control over information security, the group could not agree on the threats caused by the military use of information and communication technologies (ICTs) either. The first GGE, therefore, failed to arrive at a consensus.

After major cyber-attacks on Estonia, Georgia and Lithuania between 2007 and 2008, the second GGE successfully released a report in 2009. While the report was relatively vague, it endorsed dialogues on norms for States’ use of ICTs to reduce risk and protect critical infrastructure.  It also recommended risk reduction methods, including the use of ICTs during conflict. It is at this time that other countries (notably, China) became increasing aligned with Russia, under the Shanghai Co-operation Association. This led to the discussion on information security becoming increasingly polarised, with the US on one side and Russia and China on the other.

This is not to suggest, however, that there are no divides between BRICS countries over questions of cybersecurity. The contrast in the political systems of the BRICS nations have been most amply reflected in how they define the key concepts of cybersecurity and information security. China and Russia sought to define information security as the absence of threats to a state’s sovereignty caused by the distribution of information. India, Brazil and South Africa, however, defined information security as preserving an individual’s freedom of expression.

In September 2011, India, Brazil and South Africa (“IBSA”) called for the creation of a new global body within the UN system that would develop and establish international public policies for the Internet. The countries stressed on internet governance as a key strategic area and called for cooperation. They also recommended the establishment of an IBSA Internet Governance and Development Observatory, the proposal for which was not accepted.

In parallel, China and Russia had introduced the ‘International Code of Conduct for Information Security’ which proposed that the UN Secretary General should regulate cyber norms and governance. It highlighted China’s broader strategy of increasing its participation in internet policy. As the Code raised important concerns with regards to human rights, serious efforts to generate a consensus around it are still underway.

The third GGE came together in 2013, and, despite deep differences between countries, agreed on some defining aspects in their report. This was a landmark report– as GGE member countries agreed to the application of international law to cyberspace and the use of ICTs. Russia and the US reached a compromise allowing for the negotiation of new legal norms for cyberspace while acknowledging the capacities of existing legal frameworks.

The report encouraged bilateral, regional and multilateral initiatives on cyber issues. It supported the participation of civil society, businesses and other private participants in cyber-related discussions. Additionally, the report also recommended capacity building measures to combat the use of ICTs for criminal or terrorist purposes. This was especially relevant to developing countries which have been reported to be most vulnerable to cyber-attacks.

The Snowden effect

In October 2013, India and Brazil came together and expressed concerns over the surveillance programme of the US’ National Security Agency. The two countries were concerned over the unauthorised interception of communications and data, by the US, from citizens, businesses and members of governments, which could compromise both national sovereignty as well as individual rights. In November 2015, India and Brazil issued a statement highlighting the importance of strengthening joint efforts on combating cybercrime, and improving cooperation between States’ technical, law enforcement, cyber R&D, and capacity building institutions.

The UN GGE was constituted for a fourth time in August 2015. The 2015 report was considered a breakthrough by the US government, as the Group adopted a series of norms proposed by the US. The norms required that States could not knowingly damage each other’s critical infrastructure with cyber attacks. They were not to target each other’s cyber emergency responders. The norms also required that in the case of a cyber attack launched from one’s soil, the host nation would have to provide the targeted nation with investigation assistance.

The report also marked a significant shift in China and Russia’s stance. The two countries had previously blocked all attempts to tie the applicability of humanitarian law to activities in cyberspace. But this was accepted as part of the 2015 report.

Going forward: Multistakeholderism and BRICS

Ahead of the fifth UN GGE to be held over 2016-2017, BRICS leaders came together in Ufa, Russia, in 2015. The 2015 Ufa Declaration, released subsequent to the Seventh BRICS summit, acknowledged the instrumental role of internet communication technologies (“ICTs”) in the transition to a global knowledge society, as well as a developmental tool. Recent meetings between BRICs countries have spurred a lot of discussion on the question of multistakeholderism. Our recent report on multistakeholderism looks at the way Indian stakeholders have engaged with global internet governance institutions over the last 5 years.

The Ufa declaration was notable as it signaled support to the multilateral governance of the internet. Our post on the Ufa Declaration discusses this in greater detail. Russia and China reinforced this stance on Internet governance during the World Internet Conference in December 2015. China reiterated its proposal to give every government veto rights over technical protocols that unite the global Internet. Our previous post on the Wuzhen initiative discusses China’s competing vision of the Internet.

The same idea was also discussed during the trilateral meet between India, Russia and China. The trilateral meet also agreed to ensure transparency with multi-stakeholders. While this is still far from completely accepting the participation of non-governmental stakeholders in Internet governance and cybersecurity policy, it a step forward towards global co-operation.

Conclusions

According to a study by McAfee Security in 2014, BRICS economies were found to be amongst the largest victims of cybercrime. This was mainly attributed to relatively high connectivity but low awareness of cybercrime and cybersecurity. Moreover, the countries’ weak laws for cybercrime, sophisticated hacker communities and poor intellectual property protection make them easy targets for cybercrime.

Additionally, BRICS nations have historically been concerned by the US’ monopolistic hold over the Internet, and have often suggested that the United Nations should play a larger role in the development of the norms of cyberspace. The necessity of state control over the internet has also often been reiterated.

As long as deep divides persist between the countries on questions of information security may be problematic to consider the BRICS a viable negotiating bloc with regard to cyberspace. However, given the increasing dialogue between BRICS countries in the recent past on these issues, it seems plausible that grounds for deeper co-operation may be found, and the BRICS nations may be able to affect the tenor of the cyberspace debate.