Balancing The Priorities Of National Security And A Digital Economy
Today, just about every consumer product contains a computer or a service that uses a computer. As a result, increasing perceived cybersecurity threats.
Speaking at the launch of his new book, the Minister of External Affairs Dr. S. Jaishankar shared his views on India’s place in a dynamic world. Importantly, the Minister spoke about the change in the nature of power, which now lies in trade and technology. This shift is illustrated by the digitalization of the global economy. According to the United Nations, e-commerce sales reached 25 trillion dollars in 2018, making it equivalent to 30 percent of global gross domestic product (GDP) that year.
That said, cross-border e-commerce, or digital trade, has also engendered national security risks and threat perceptions. These are exemplified in concerns of surveillance by bad actors in telecom, which led to limitations or bans on Chinese companies that provide 5G equipment in the US, UK, Canada, Australia, and New Zealand.
The datafication of the global and Indian economy has exacerbated these concerns. Today, just about every consumer product contains a computer or a service that uses a computer. As a result, increasing perceived cybersecurity threats. A lot of data in digital markets is personal, linked to individuals and their identities, and protected in several countries by privacy laws.
The Supreme Court of India has also recognized privacy, including information or data privacy, as a fundamental right. The Personal Data Protection Bill, 2019 therefore seeks to provide a statutory framework for the same. This includes rules on cross-border transfers of data. Similarly, privacy is now an important part of international discussions on commerce, between advanced jurisdictions in particular. For instance, the EU-US Privacy Shield is a framework which regulates exchanges of personal data for commercial purposes between the two. This Shield was recently declared invalid by the European Court of Justice in July 2020. The Court made this decision on the basis that the Privacy Shield did not adequately safeguard EU citizens from US surveillance, in an illustration of the growing links between national security assessments and privacy. The future of digital trade will therefore rest on nations’ ability to agree on common frameworks for national security.
Digital trade will grow only if national security concerns don’t stymie markets. As per a study by the Harvard Business Review, in the past 20 years, more than 31 countries have taken regulatory actions over perceived security concerns. A significant portion of such action has occurred in the past five years. Such events risk creating an uncertain business environment for Indian and global players alike. More importantly, they create a domino effect and evoke retaliation by trading partners.
India can leverage its soft power to drive global consensus on the ways and means to address national security concerns in the digital economy. For instance, the country recently banned close to 200 Chinese applications based on national security concerns. While there is no denying the potential security threats from Chinese applications, the Ministry of Electronics and Information Technology (MeitY) may have to devise a nuanced, interoperable and graded framework to foster digital trade in the future.
A framework based on common standards can enhance security by facilitating interoperability and systems integration, and simultaneously improve cyber-defense. While the existing Sensitive Personal Data (SPD) Rules under India’s two-decade-old Information Technology (IT) Act, 2000 recognize an international standard (IS/ISO/IEC 27001) for data security, compliance rates are sub-optimal. India can consider adopting ISO/IEC 27701, a recent international standard that deals with the glaring problem of data privacy. It helps an organization in establishing a framework for the protection of privacy, provides guidance on how institutions should handle sensitive personal data, and also helps in demonstrating compliance with different privacy regulations across the world. It also specifies a Privacy Information Management System (PIMS) and provides a framework for managing Personally Identifiable Information (PII).
The use of the Common Criteria Certification Scheme is another alternative, widely adopted in jurisdictions such as the US, Singapore, and the EU. The Common Criteria for Technology Security Evaluation is based on an international standard (ISO/IEC 15408), providing a holistic framework for testing and evaluation of common IT systems. Participating organizations can specify functional and assurance requirements, businesses can develop and claim specific product qualities, and testing facilities can examine products to determine whether they meet those claims.
There is a need for a renewed vigor towards the adoption and enforcement of international standards. Domestic regulators such as the Securities and Exchange Board of India have already embraced the Common Criteria Scheme, and it’s time for the MeitY to consider a similar approach for public-facing common IT systems such as mobile apps. An advantage of mandating Common Criteria or other international Certifications in the event of a national security linked threat perception is the relative ease in rolling out such obligations. This is because the MeitY has already established the Indian Common Criteria Certification Scheme (IC3S). The Scheme evaluates and certifies IT Security Products and Protection Profiles against the requirements of Common Criteria Standards.
Organizations can simply get their IT systems evaluated and certified either by government-owned Standardisation Testing and Quality Certification (STQC) labs or private labs across India and the world. Since India is already a member of a mutual recognition arrangement for this certification, of which over 30 countries are apart, the certification will be mutually recognized globally. The country is taking the right steps towards ensuring data privacy through the Personal Data Protection legislation. It’s time to ensure that associated national security considerations are comprehensively addressed in an internationally acceptable transparent and standardized manner, to foster digital trade and mutual trust among nations.