Formal and informal regional organisations play an increasing role in shaping global debates about cybersecurity. Although countries in the Indo-Pacific region have varied levels of cyber maturity, they share similar cybersecurity challenges and needs. It is not surprising, therefore, that existing cooperation platforms – like the Colombo Security Conclave – increasingly also include a cybersecurity dimension. India’s role in this field is particularly relevant – both in terms of the leadership on cyber and digital issues it can offer to other countries in the region and the competition it creates for other big players, notably China.
Revival of the Colombo Security Conclave
India’s growing strategic security concerns have prompted New Delhi to revive the Colombo Security Conclave – a formation comprising India, Sri Lanka, Maldives, Mauritius, Seychelles and Bangladesh created in 2011. The decision was taken by the National Security Advisors of India, Sri Lanka and Maldives in November 2020 with the aim to forge closer cooperation on maritime and security matters among the three Indian Ocean countries. This NSA (National Security Adviser) level meeting identified four pillars of cooperation: maritime security, terrorism and radicalisation, trafficking and organised crime, and cybersecurity. Concrete areas for cooperation identified at the meeting include holding regular interaction, joint exercises, capacity building and training activities.
Cybersecurity cooperation in the Indian Ocean
The first meeting of the Colombo Security Conclave at the level of Deputy National Security Advisers was hosted virtually in by Sri Lanka in August 2021. The agenda was dominated by maritime issues such as a the MV Express Pearl disaster in Sri Lanka and the 2019 terrorist Easter Sunday attacks in Colombo. What stood out, however, was the newly forged pillar for cybersecurity cooperation amongst the three nations.
This is not surprising, given that region is increasingly becoming a target of malicious cyber operations. India alone was subjected to many cyberattacks in 2021, emerging last year as the third-most affected nation in Asia in terms of vulnerabilities due to cyberattacks and breaches. Sri Lanka has suffered from seasonal, low-intensity cyberattacks especially around its Independence Day. The most notable recent such attack was the 2021 LK Domain Registry hack which compromised the island nation’s top-level domain (.lk). The most impactful cyberattack in Maldives was the 2017 DDoS attack that left its telco services in disarray as it disrupted internet service across Maldives for over a week. While each of the participants in the Colombo Security Conclave has faced a different degree of risk due to cybersecurity threats, this is the first time that this regional-level cooperation framework has been put forward.
Cybersecurity pillar activated first
The first virtual workshop devoted specifically to cybersecurity was held in January 2022. It was hosted by the National Security Council Secretariat (NSCS) of India in association with the National Forensic Science University in Gandhinagar (Gujarat) and the Secretariat of the Colombo Security Conclave. The meeting addressed such challenges as deep web and darknet investigation and challenges; digital forensics; cyber threat intelligence; and defensive operations in the cyber domain. The choice of issues indicates a defensive cyber focus within the Conclave, with a focus on post-incident response and digital forensics. The group also agreed to identify key deliverables for the cybersecurity workstream of the Colombo Security Conclave.
Based on the subjects of discussion, it’s clear that the Colombo Security Conclave will, for the moment, focus on strengthening capacity building and academic cooperation. No concrete call to action was made regarding the creation of a common platform for cyber intelligence sharing or a technical merger in terms of a common SOC (security operations centre).
Why is this collection of nations with varied cybersecurity rankings pursuing cooperation? The Global Cybersecurity Index (GCI) ranks India as number 10 with Sri Lanka and Maldives in positions 83 and 177, respectively. Given India’s higher level of maturity, it is plausible to assume that it will assume leadership within this three-nation setup. India’s much-touted state-sponsored ‘Digital India’ program has accelerated her into a global ICT player. India may now want to ‘project’ some of this new cyber prowess for geopolitical advances, including by providing the lead in the Colombo Conclave as a centre of excellence to train and develop other nation’s cybersecurity capacity building exercises.
At the same time, Sri Lanka’s ratification of the Budapest Convention on Cybercrime gave a boost to its cybercrime capacities, potentially positioning it as a leader in the region. Maldives has already indicated its willingness to explore ratification by participating in workshops organised by Sri Lanka to raise awareness on the Convention. India has remained non-committal due to its ideological and geopolitical stance on the Convention. Therefore, although ratification of the Budapest Convention would ideally give Sri Lanka an advantage by signalling a more mature legal framework on cybercrime, India is likely to shape the conversation towards more regional cooperation outside the Convention’s mechanisms.
India looking to blunt China’s growing influence
It is an open secret that there has been an intense rivalry between India and China focused on gaining strategic advantages in Sri Lanka and Maldives. Although the Indian Ocean region is traditionally considered within India’s sphere of influence, the mounting Chinese presence has driven India to take proactive measures in the region. In April 2021, Chinese National Defense Minister Wei Fenghe held talks with Sri Lankan President Gotabaya Rajapaksa and Prime Minister Mahinda Rajapaksa on enhanced defence cooperation. This package purportedly included cybersecurity trainings for Sri Lankan armed forces. India, for its part, has been more active in engaging in e-government and digitisation activities in Sri Lanka, with its latest being an effort to facilitate technology transfer of the Unitary Digital Identity Framework (UDIF), commonly known as Aadhaar. India has been successful in bringing Maldives fully into its sphere of influence by signing a defence pact in 2021. It included a $50 million line of credit to enhance security collaboration with a focus on combating terrorism in ‘all its forms and manifestations’, including in cyberspace.
Sri Lanka in particular, with its recent economic and debt crisis, is now more dependent on Indian credit lines and assistance for its survival. Against this backdrop, Sri Lanka is more likely to be more accommodative of an Indian geopolitical stance on cybersecurity and the part it will play in the larger regional security setup. Together with having Maldives in its sphere of influence, this puts India in a more commanding position, from which it will be able to use the Colombo Conclave to further its own vision of cybersecurity regionally.
Recently, Indian IT minister Ashwini Vaishnaw noted that India must become a thought leader, product leader and market leader in cybersecurity, viewing it as a key policy tool for asserting its dominance over the safety and security of the internet and thereby leading to the expansion of its digital economy. It’s likely that this ethos will drive the thinking behind the Colombo Conclave, as India looks to extend the ‘Digital India’ philosophy into a regional cooperation philosophy.
Sri Lanka has previously received support from EU projects focused on technical assistance in drafting its National Cyber Security Strategy and in countering cybercrime through the Glacy+ Programme implemented by the Council of Europe. India taking the lead regionally on creating a mutually beneficial cybersecurity working group bodes well for smaller nations like Sri Lanka and Maldives. If India manages to provide astute leadership to this cybersecurity partnership, the benefits to India itself and regional peers will be self-evident.
About the Author
Asela Waidyalankara is a prominent personality in the sphere of cybersecurity, with over a decade of experience in progressive technology and digital strategy. Garnering extensive qualifications in both the legal and technical arenas, Asela is a pioneer trailblazer and avant-garde in the information security marketplace.