The recently-concluded Quad summit in Washington has put cybersecurity cooperation at the forefront of the grouping’s agenda. The post-summit statement noted that the Quad will make efforts to bolster the resilience of critical infrastructure against cyber threats by bringing together expertise from the four nations. This cybersecurity cooperation finds its origin in the Critical and Emerging Technology Working Group, set up after the virtual Quad Summit in March 2021.
This cooperation builds on an already robust bilateral cyber collaboration between the grouping’s members. In 2016, India signed the first detailed agreement for cooperation with the U.S.—the Framework for the U.S.-India Cyber Relationship. Last year, India signed similar agreements with Australia and Japan: the agreement with Australia focuses on cyber-enabled critical technologies, while with Japan it looks at 5G technology and critical infrastructure. So, the Quad’s cooperation on cybersecurity and critical infrastructure is a natural corollary of these bilateral partnerships.
On the cybersecurity front, the Quad nations have witnessed China’s increased assertiveness. Beijing has pursued an offensive cyber agenda through proxies like the nationalistic hackers’ groups and hired cybercriminal syndicates. They have primarily targeted and continue to target facilities for critical infrastructure in the Quad countries and other democracies. These attacks have resulted in the theft of trade secrets, intellectual property and other sensitive information, as well as the disruption of critical services. In July, the U.S. accused China’s Ministry of State Security for cyberattacks on its computer networks and critical infrastructure. China-linked hacker groups have also been blamed for attacking India’s power sector and pharmaceutical companies.
A related dimension is the cybersecurity of the financial sector, which has faced persistent attacks from cybercriminal syndicates like Lazarus, supported by North Korea. This group has executed multiple malware attacks targeting banks and financial institutions worldwide. For example, Bangladesh Bank’s account at the Federal Reserve Bank in 2016 and India’s Cosmos Bank in 2018 were both hacked by Lazarus. Both banks suffered significant financial damage in these attacks: Bangladesh Bank lost $63 million while Cosmos Bank lost `94 crore.
These developments provide a strong rationale for the Quad to cooperate on cybersecurity amongst themselves and in the Indo-Pacific. As leading cyber powers with strong digital economies, the Quad countries can contribute to the vision of the free and open Indo-Pacific and curb China from dominating the region, digitally. Moreover, the grouping has financial heft, talent and markets to create a trusted and cyber-secure ecosystem.
The latest Quad leaders’ joint statement proposed the launch of a Senior Cyber Group, which will work on adopting and implementing cyber standards, developing secure software, and building workforce along with talent. It must also add two related action areas: promoting non-Chinese hardware and strengthening cyber resilience.
A core element of cybersecurity is secure digital infrastructure based on reliable hardware. The Quad and other like-minded countries have national security and espionage concerns about Chinese hardware, which dominates the global market.
The first action in stepping away from China is to encourage the use of non-Chinese hardware. Cost considerations are important, but security concerns will ultimately prevail in addressing the use of Chinese hardware and systems. To ensure that countries make the right choice, the Quad can consider using its financial and market might to promote the best available non-Chinese hardware.
The grouping must also strengthen cyber resilience in the financial sector. For this, it can undertake joint exercises (on the lines of Malabar naval exercise) to simulate a sustained targeting of the financial sector. This will help develop a response to persistent, offensive cyber operations and data breaches and identify areas which require capacity strengthening.
Another way to build resilience is through common data protection standards. Currently, data protection regulations and technical standards are fragmented across countries. This provides an opportunity for Quad to conceptualise and promote common data protection standards anchored in the principles of transparency, security, accountability, individual control and rights.
A critical dimension of this potential collaboration will be the engagement with businesses and the private sector. They must be encouraged by their respective governments to play a significant role in Quad interactions. The hope is that the Quad Senior Cyber Group will engage industry experts.
Collaborations of this nature come with various challenges. While the Quad countries have shared cyber threat perceptions, there still remain significant differences. For instance, India’s preference for data localisation runs contrary to the preference of other Quad countries—as expressed through their support for the Osaka Track for global data governance at the G20 Summit in 2019. These differences are minor when viewed against China’s unhinged assertiveness, threatening Quad countries and the Indo-Pacific region. Countering it requires a long-term, strategic response based on Quad’s shared democratic values. Collaboration on cybersecurity harnessing Quad countries’ economic and technological competencies offers one such template for cooperation.
This article was first published in The Financial Express.
Sameer Patil is Fellow, International Security Studies Programme, Gateway House.