By Sergey Sebekin
Information security has long been one of the central topics on the BRICS agenda. The first brief mention of the need to ensure international information security and of the fight against cybercrime was made in a declaration made at the 3rd BRICS summit held on April 14, 2011 in Sanya, China. The BRICS approach to information security and cybercrime was then fleshed out more fully in the Fortaleza Declaration adopted at the 6th BRICS summit held on June 2014 in Brazil. The reason for the greater focus on the subject included Edward Snowden's disclosures, which prompted the BRICS nations to take the issue of information security more seriously and to condemn "acts of mass electronic surveillance".
Commitment to the principles of national sovereignty, noninterference, and unacceptability of mass electronic surveillance were reiterated in the Declaration of Ufa adopted at the 7th BRICS summit held on July 9, 2015 in Ufa, Russia. That declaration contained the first specific list of areas of cooperation on international information security among the BRICS nations, which included: sharing information and best practices on IT security; coordination of measures against cybercrime; cooperation between the BRICS nations using the existing outfits charged with responding to computer security incidents (the CSIRT groups); capacity-building programs; development of international norms, principles, and standards; and other areas. The need for cooperation on information security and rules of responsible conduct in cyberspace was further reflected in the Declaration of Brasilia adopted at the 11th BRICS summit on November 14, 2019. That declaration also highlighted "the importance of UN-recognized norms, rules, and principles of responsible conduct of states in the area of information and computer technologies".
In 2015, BRICS also established an Expert Working Group on IT security. In 2017, the BRICS nations adopted the "Roadmap of practical BRICS cooperation on IT security", which specifies areas of cooperation at the international level. At present, efforts are under way to build a legislative framework for cooperation between the BRICS states on information security, as well as to develop a BRICS intergovernmental agreement on information security cooperation.
On November 17, 2020, the XII BRICS Summit, held under the motto "BRICS Partnership for Global Stability, Common Security and Innovative Growth", ended. In the aftermath of this summit the Moscow Declaration was adopted, which further reflected the provisions on the need for further cooperation on ensuring the security of ICT both under the auspices of the UN, and within the framework of BRICS and the Working Group of Experts established within the organization. The Declaration also recognizes the need for intergovernmental cooperation in bilateral and multilateral formats for the implementation of the Roadmap for Practical Cooperation of the BRICS countries in ensuring security in the use of ICT. Following the results of the summit, the EWG was instructed to develop a Roadmap for the development of cooperation in this area, which should be adopted already in 2021 and should include specific measures to strengthen collective security, develop joint actions of the BRICS member countries in the field of information security, as well as issues of legal regulation of the problem of children's information security on the Internet.
In addition, on September 17, 2020, the X annual Meeting of High Representatives of the BRICS countries was held, which made a significant contribution to the deepening of cooperation within the organization on information security issues.
The 13th BRICS summit is expected to further deepen and broaden the ongoing dialogue on information security between the member states.
Clearly, the accession of new members would be an opportunity for Russia to increase the number of countries that share its approaches to international information security, even if only one or two new members are admitted to the BRICS club.
For the potential BRICS membership candidates, accession would mean not only accepting the club's "rules of the game", but also making use of new opportunities, such as:
1) Mutual assistance in strengthening the cyber potential and eliminating the technological gap
2) Rendering assistance (upon request) to the BRICS states that have become victims of cyberattacks in the detection and investigation of such attacks, identification of the perpetrators, studying the malware used in these attacks, eliminating their consequences, etc. We already have some experience of such cooperation with Indonesia: Group-IB, an international Russian-based company that specializes in the prevention and investigation of cybercrimes, provided assistance to the Indonesian cyber police in catching cybercriminals who infected hundreds of e-commerce outfits around the world with malware.
3) Effective coordination of measures against cybercrime and cyber terrorism
4) Sharing information and best practices on information security, including the identification of information threats
5) Cooperation in identifying opportunities for joint action to address shared information security challenges
6) R&D cooperation in the area of information security.
Argentina's cyber potential has much room for improvement. It ranks 94th with a score of 0.407 in the 2018 Global Cybersecurity Index. This is the lowest ranking among all the BRICS membership candidates considered in this report, or indeed among the existing BRICS members. The country adopted its first national security strategy that addressed the challenge of cyber threats only in 2019. At the same time, Argentina ranks 43rd in the world in terms of exposure to cyber threats with a CEI index of 0.514 – it belongs to the "middle group" for CEI 2020.
At the UN General Assembly, Argentina backed both the US and the Russian draft resolutions. Russia and Argentina have also undertaken attempts at cooperation on information security in the past. In 2018, they worked on a draft bilateral agreement on that issue – but the current state of that draft is unclear. Argentina is not represented on the UN GGE, but it has been involved in the work of the OWG and submitted comments on the preliminary report of that group. In an encouraging sign, those comments included a proposal on the recognition of "the efforts and initiatives developed by regional organizations".
Nevertheless, in view of Argentina's lowest information security rating among all the BRICS membership candidates, we believe the country would not make any tangible contribution to the development of cooperation on information security issues in the BRICS framework, so from that particular point of view, its admission to BRICS would not be productive.
In the 2018 Global Cybersecurity Index, Mexico ranks 63rd with a score of 0.629. As such, it is classed as a "middle-ranking" country. As for the CEI indicator, the country ranks 41st in the world with a score of 0.48 and is included in the group of countries with an average level of exposure to cyber threats. In this regard, the country, along with Turkey, is the least vulnerable to such threats among potential candidates for joining the BRICS.
Like Argentina, Mexico voted for both the Russian and the US drafts at the UN General Assembly. But unlike Argentina, Mexico participates in the OWG and the GGE. At the OWG, the country has submitted comments and proposals on the work of that outfit.
We believe that Mexico's accession to BRICS would not be justified in terms of the joint provision of information security. There are two main reasons for that.
First, Mexico does not have a sufficient cybersecurity potential. Obvious gaps in that area include the inadequacy if its legislative and regulatory framework in that area; poor financing; insufficient cooperation on the matter between the various government agencies; and a general lack of respect for the rule of law. Mexico is unable to mount an effective response to the challenge of cybercrime; as a result, the country has become a safe haven for stolen personal data.
Second, Mexico maintains close economic and political ties with the United States, which accounts for 36% of all investment in the Mexican economy. Owing to the country's strong economic dependence on its big northern neighbor, it would hardly be able to pursue an independent course on issues of cybersecurity. It is quite obvious that as far as information security is concerned, Mexico will follow the US lead.
In the 2018 GCI Index, Turkey ranks 20th with a score of 0.853, making it a "high-ranking" state in terms of cybersecurity. In fact, Turkey is the highest-ranking nation on cybersecurity among all the BRICS membership candidates considered in this report. As for the indicator of exposure to cyber threats, according to the CEI 2020, the country shares 41 places with Mexico with an index of 0.483 and is also included in the "middle" group. In this regard, the country, along with Mexico, is the least vulnerable to such threats among potential candidates for joining the BRICS. It also shares Russian approaches to national control of cyberspace within the national borders.
But Turkey is also a NATO member, which significantly compli - cates any dialogue on joint security arrangements of any kind, including information security. What is more, Turkey abstained during the vote on the Russian draft at the UN General Assembly, and chose to back the US draft instead (in fact, it was one of the co-authors of that draft).
We therefore believe that any attempts to offer BRICS membership to Turkey would be a dangerous experiment. Such a step would bring a strong element of discord in the bloc's coordinated policy on the security of information and computer technologies. At this point in time, Turkey does not share many of the approaches pursued by Russia and China, the two most influential BRICS members, on international information security.
One consideration strongly in Iran's favor is that at the 73rd UN General Assembly, the country backed the Russian draft resolution and opposed the US draft. It is also represented on the OWG, though not on the GGE. Iran shares the Russian and Chinese position on national sovereignty in cyberspace. Officially, Iran also advocates the establishment of international and regional institutions to spearhead international efforts against cyber terrorism and cyber fraud (including in the SCO and UN frameworks).
In the 2018 Global Cybersecurity Index, Iran ranks 60th with a score of 0.641, making it a "middle-ranking" state. Nevertheless, the country has a formidable cyber potential. Amid its ongoing confrontation with the United States and Israel, Iran invests a lot of resources in strengthening its cyber capacity, which offers it an asymmetric advantage. Cybersecurity became an especially relevant concern for Iran after the country's uranium enrichment facility in Natanz was attacked with the US-Israeli Stuxnet malware in 2010. That attack triggered the launch of a national cybersecurity program led by the Islamic Revolutionary Guards Corps (IRGC). In 2012, Iran also set up the Supreme Council on Cyberspace.
One of the obvious drawbacks of Iran as a BRICS membership candidate is that the country is strongly hostile to the United States and some of the Middle Eastern states. That hostility also spreads to cyberspace. Tehran is actively involved in cyber espionage and destructive cyberattacks against the government agencies and businesses of the United States, Israel, the Gulf monarchies, and several European states. Iran's admission to BRICS would not only compromise the bloc's image on the international arena but also jeopardize its prospects for cooperation with the other Middle Eastern states. That is why offering Iran membership would hold back the joint BRICS effort on information security and many other areas.
Egypt is one of the African continent's leaders in terms of cybersecurity, ranking second to Mauritius and fourth among the Arab nations. In the 2018 Global Cybersecurity Index, it ranks a global 23rd with a score of 0.842 points, the highest score among all the BRICS membership candidates except Turkey, and is categorized as a "high-ranking" country. According to the CEI indicator for 2020, Egypt is also classified as a country with a middle level of exposure to cyber threats, ranking 48th with an index of 0.548. In 2014 the country set up the Supreme Council for Cybersecurity. Cairo has also hosted one of the Arab world's largest cybersecurity conferences, headlined "Cybersecurity in an Era of Digital Transformation", on an annual basis since 2017.
As for international cooperation, Egypt voted against the US draft and supported the Russian draft resolution on international information security at the 73rd Session of the UN General Assembly, which means that the country shares Russian and Chinese approaches to global information security. Also, after the dissolution of the UN GGE on IT advances in the context of international security in 2017 and its later reconstitution in accordance with a US resolution, Egypt did not resume its participation in that body – but it has been actively involved in the work of the OWG.
In March 2019, a delegation of Russian IT companies led by Konstantin Noskov, Russian minister for digital development and communications, paid an official visit to Cairo, where it generated much local interest in Russian cybersecurity products. In our opinion, Egypt's accession to BRICS would significantly strengthen the combined potential of the bloc in the area of information security. Egypt is clearly ready for cooperation on information security in the BRICS framework.
At the 73rd UN General Assembly, Indonesia backed both the Russian and the US draft resolutions on international information security. In 2017, Russia and Indonesia conducted a bilateral cyber dialogue. Also in 2017, Indonesia signed a memorandum of mutual understanding on cybersecurity with India. In 2020, Russia and Indonesia plan to sign an agreement on cybersecurity cooperation. An agreement to that effect was reached during Russian-Indonesian consultations during which the parties discussed specific areas of cooperation, including the implementation of joint responses to cyber threats, efforts to foster an information security culture, cooperation on information sharing, etc. They also discussed regulations governing the work of the UN Open Working Group and the UN Group of Governmental Experts. It is important to note at this point that of all the BRICS membership candidates discussed in this paper, Indonesia and Mexico are the only countries that participate in both the OWG and the GGE. It is therefore safe to conclude that Indonesia is fully ready to back Russian initiatives on information security at the UN, and is already actively contributing to international efforts on information security. In the 2018 GCI rating, Indonesia ranks 41st with a score of 0.776, making it a "high-ranking" country. Nevertheless, the Indonesian cybersecurity system is still in the process of formation. The country set up its National Agency on Cybersecurity and Cryptography as recently as 2017.
In 2018, it adopted the National Cybersecurity Strategy. It has yet to put in place a proper legislative and regulatory cybersecurity framework, which could be an obstacle to its accession to BRICS. Due to the above-mentioned reasons, the country belongs to the group with a high risk of exposure to cyber threats according to CEI 2020, ranking 59th with an index of 0.617. According to this indicator, Indonesia is too far behind other candidate countries to join the BRICS.
In our view, the most promising candidate for BRICS membership is Indonesia. Unlike the rest of the candidates, the potential areas of cooperation between Indonesia and Russia, which is one of the key BRICS members, have already been identified. These areas could be replicated in the BRICS format. Another candidate that can make a major positive contribution to the bloc's efforts is Egypt.
Egypt's and/or Indonesia's accession to BRICS could be an indicator of the bloc's ability to integrate new members and engage them in multilateral cooperation on information security.
As demonstrated in this paper, Egypt would bolster the overall BRICS potential on information security, whereas Indonesia would help to promote a shared BRICS approach to information security on the international arena. That would be fully in line with the Declaration of Ufa, which states that the BRICS members recognize "the potential of the developing states in the area of information and computer technologies, as well as the important role of those states in addressing the issues related to information and computer technologies in the framework of the Development Agenda from 2015 onwards".
Sergey Sebekin - instructor at Irkutsk State University.
(To be continued)