Cyber Confidence Building Measures (CBMs) between Pakistan and India


Confidence Building Measures (CBMs) are time honored diplomatic tools meant to lessen tension and prevent crises that can lead up to wars. Most modern CBMs are the legacy of the Cold War. Over the years Pakistan and India have also devised a regime of CBMs. This includes a number of military (conventional as well as nuclear) and non-military measures to prevent hikes in tension.

Pak India CBMs have been successful in preventing wars and restraining the two countries from crossing the nuclear threshold. A new area of cyber rivalry can add to the incendiary mix of uncertainties that bedevil Pakistan-India relations.

This paper suggests a range of CBMs that can make cyber space an area of cooperation instead of conflict. It posits that the best policy would be to begin from areas, which are non-controversial and more liable for reaching an understanding and cooperation. Relevant lessons have been drawn from existing models of cyber cooperation to advocate CBMs in South Asia.

Tags: Cyber security, South Asia.   

*The author is a retired Brigadier and is currently the Associate Dean Center for International Peace and Stability (CIPS), National University of Sciences and Technology (NUST), Islamabad, Pakistan.

Introduction to CBMs

The peace treaty of Hudaybiyah (628 CE) signed between the Muslim pilgrims from Medina and the tribesmen of Quraiysh on the outskirts of Mecca is the earliest documented CBM in Islamic history.  Prima facie, some clauses of the pact, appeared highly unfavorable for the Muslims but it in the final analysis it gave them enough time to establish their state and spread their religion in Arabia.[1]

The tradition of CBMs continues in modern times. In pre-World War I Europe, it was customary to invite observers from different states (friendly and not so friendly) to witness annual military maneuvers as a means to instill confidence and trust among nations.[2] After Worrld War II, CBMs were used extensively to stabilize the East-West relationship within the context of the Cold War.[3]

The first hotline between the White House and the Kremlin was established after the 1962 Cuban Missile Crisis “to reduce the danger of an accident, miscalculation or a surprise attack, and especially an incident that might trigger a nuclear war.”[4] Initially only teletypewriters were deployed at both terminals. In the 1970s, the hotline was upgraded to a telephonic link.[5]  Presently there is a direct digital link between Moscow and Washington DC. The current arrangement has been functioning through the Nuclear Risk Reduction Centers (NRRC) operating since April 1, 1988. This direct government-to-government communications link (GGCL) is a round the clock watch center staffed by members of various government agencies. Its expanded role includes the operation of additional international communications links, which allows the US to implement 13 different nuclear, chemical, and conventional arms control treaties and security-building agreements.[6]

The hotline was supplemented by various CBMs including arms control talsks in the 1960s. These CBMs between the US and the former USSR were codified in the Helsinki Final Act of 1975.[7] The CBMs recommended by the Final Act were meant to: eliminate tensions, promote confidence, contribute to stability and security and to reduce the danger of armed conflict arising from misunderstanding or miscalculation.

The concept of CBMs was formalized through UN Resolution 33/91 B of December 16, 1978.[8] The UN Comprehensive Study on CBMs declares that the main purpose of these measures is to “eliminate the sources of tension by peaceful means and thereby to contribute to the strengthening of peace and security in the world.” The study recognized that “Confidence, like security, is a result of many factors, both military and non-military.” It further stated that “the final objective of CBMs is to strengthen international peace and security and to contribute to the development of confidence, better understanding and more stable relations between nations, thereby creating and improving the conditions for fruitful international cooperation.”[9] 

The primary tools for managing successful CBMs are “communication, constraint, transparency, and verification measures.” Together these make the behavior of states more predictable.[10] Transparency, Information Exchange Measures, Observation and Verification Measures, and Constraint Measures form the crux of the CBMs.[11] In the early 1980s, the UNDC developed a set of guidelines for CBMs, which was presented at a special UNGA session devoted to disarmament.[12]

Most military CBMs include: communication links like hotlines and regional communication centers; mechanisms to ease border tensions; exchange of military data like troop locations, movements and exercises, military budgets, weapon systems (conventional, nuclear, chemical and biological);weapon test notifications; demilitarized or thin-out zones and goodwill visits etc.[13] Non-military CBMs cover political, economic, environmental, social and cultural fields.[14]

History of India-Pakistan CBMs

Despite deep rooted mistrust, India and Pakistan have concluded a number of agreements to keep the affairs of the state moving in a mutually beneficial direction. These efforts to seek peaceful solutions to pressing problems make up for a set of practical CBMs. Some of the early agreements between India and Pakistan included matters such as transfer of official assets (1948), prevention of exodus of refugees (1948), protection of right of minorities (1950), maintenance of places of worship (1953 and 1955) and resolution of some unsettled territorial claims (1958, 1959, 1960 and 1963).[15] A major source of friction has been the supply of water from the upper (India) to the lower riparian (Pakistan). Tensions mounted in 1950 and 1951, when India blocked Pakistan’s share of water, resulting in military mobilization. Three successive agreements were made to allow unimpeded water supply to Pakistan till 1957, and from 1959 to 1960.[16] In September 1960, the World Bank brokered Indus Waters Treaty was concluded.[17]

Pakistan and India formally ended wars through the Karachi Agreement (1949),[18] Tashkent agreement (1966),[19] and the Simla Agreement (1972).[20] The Rann of Kutch territorial dispute that preceded the 1965 War was resolved through a UN sponsored Boundary Tribunal in 1968. Both states had pre-agreed to accept its recommendations and the border was demarcated accordingly.[21] They also twice accepted UN intervention to monitor the ceasefire along the LOC. The UN Military Observer Group in India and Pakistan (UNMOGIP) still has a presence in the disputed territory of Jammu and Kashmir.[22]

Although India and Pakistan have maintained diplomatic relations even during times of war, both sides realize the importance of direct communication between civil and military officials. In November 1990 it was agreed to establish a hotline between the offices of the two prime ministers.[23] During the Kargil war Prime Ministers Nawaz Sharif and Vajpayee spoke on the telephone but this conversation only served to heighten the predicament.[24] Indian external affairs secretary J.N. Dixit recalls talking to his Pakistani counterpart Shaharyar M. Khan over the telephone in March 1993.[25] Instead of using the ministry’s phone Pakistani foreign minister Sartaj Aziz flew to New Delhi in an abortive attempt to defuse the situation, during the 1999 Kargil crisis.[26] In 2004 there were reports that India and Pakistan had agreed to set up a hotline between their foreign ministries to reduce the threat of accidental nuclear war but since then there has been little to indicate that this channel has been operationalized.[27] A proposed counter terrorism hotline between the interior ministries is also on the cards.[28] Telephonic conversation has its limitations and diplomats prefer to directly talk to one another or communicate through carefully formal diplomatic communiqués and non-papers. After the infamous call by the Indian foreign minister threatening the President of Pakistan with dire consequences,[29] there is a requirement for additional identification filters and protocols.

One of the most dependable communication links India and Pakistan is the DGMO hotline. This direct link was established after the 1971 war and is now routinely used every week.[30] Flag meetings between Sector Commanders at battalion and brigade level are organized to sort out problems locally through prior arrangements.[31] As of 2004, there is a system of biannual meetings between the heads of the Indian border security forces and Pakistani Rangers. The Indian Coast Guard (ICG) and the Pakistan Maritime Security Agency (MSA) have a hotline since 2006.[32]

To begin with military CBMs were mainly about maintaining peace along the LOC and reducing the chances of a conventional war. After Exercise brasstacks in 1987, a new set of CBMs was crafted to prevent a nuclear war. The first nuclear CBM titled, the Prohibition of Attack against Nuclear Facilities. This bilateral agreement was signed on December 31, 1988, ratified in 1991 and implemented in January 1992.[33] To make the process more transparent, both parties are required to annually exchange lists of the location of all their nuclear-related facilities. This ritual is being faithfully complied with, despite periods of tension. Since 1991, there has been an agreement to send advance notices of military exercises and maneuvers and prevent airspace violations.[34]

India and Pakistan are both signatories to the Chemical Weapon Convention (CWC).[35] On August 19, 1992 the two countries also signed a bilateral agreement on chemical weapons (CW).[36] After the nuclear tests of 1998, both countries placed a voluntary moratorium on further nuclear testing.[37] In the September 1998 session of the UNGA the prime ministers of India and Pakistan pledged abstinence from further testing.[38] In February 1999, they met in Lahore, Pakistan, and agreed to: a Joint Statement by the Prime Ministers; a Memorandum of Understanding (MOU) by the Foreign Secretaries; and the Lahore Declaration itself. The major concerns identified in Lahore were about nuclear safety and security. In the joint statement by the prime ministers it was recognized that: “the nuclear dimension of the security environment of the two countries added to their responsibility of the avoidance of conflict between the two countries.” The MOU aimed at nuclear risk reduction and improving nuclear security and prevent an accidental nuclear exchange. It called for the creation of communication mechanisms similar in some aspects to those required by the Convention on Early Notification of a Nuclear Accident. Specifically, the two sides committed to exchange information on their nuclear doctrines and security concepts; prevent accidental nuclear crises; work on measures to improve control over their nuclear weapons; review existing CBMs and emergency communications (hotlines) arrangements; and strengthen unilateral moratoriums on nuclear testing by making their commitments binding, barring of course extraordinary events jeopardizing supreme national interests.[39]

In November 2005 Pakistan and India signed the ballistic missile advance notification agreement.[40] Under this accord, the country’s defense ministries are obligated to provide their counterparts at least 72 hours of notice before conducting a ballistic missile flight test. They are not to allow trajectories of tested missiles to approach or land close either to their accepted borders or the LOC. They are not to allow tested missiles to fly closer than 40 kilometers from these boundaries or land closer than 70 kilometers away. This warning does not extend to cruise missiles.[41]

There are several phases in the lifecycle of a CBM. In the preparatory phase, the parties concerned prepare grounds for the negotiations by seeking commonality of interests. The negotiation phase is a very delicate one and requires tact and patience from all concerned. Once the differences have been ironed out and broad consensus obtained on substantial issues, the next phase is that of implementation. If CBMs successfully survive this phase, the next one is to improve, strengthen and possibly upgrade these to the status of treaties and formal accords.

The success and failure of CBMs depends on the seriousness of purpose displayed by the stakeholders, the quality of negotiations, and the sincerity with which these are implemented. The chances of a CBM negotiation succeeding depends in the first instance upon the commitment and sincerity of the governments; the charisma of the leadership and the negotiating skills of the interlocutors to steer through road bumps and hurdles. Openness to new ideas and an attitude of give and take is always helpful in nudging things forward. Having subject specialists with specific skill sets on the negotiating teams is always helpful in fine tuning a CBM. The domestic media may help by building a favorable public opinion and by desisting from creating a hype and raising unrealistic expectations. CBMs on delicate issues are best negotiated out of media glare. The failed Agra summit between India and Pakistan is just one example.[42] Finally, the chances of CBMs surviving and standing the test of time, is based on the premise that these are realistic in approach, simple and practical to enforce and easy to monitor and verify. Prolonged periods of non-use can render even the most promising of CBMs ineffective.

Cyber CBMs

Cyber security CBMs were first discussed at the 2005 World Summit on the Information Society (WSIS) hosted by the International Telcommunication Union (ITU) in Tunis. Participants agreed to strengthen trust in issues such as information and network security, authentication, privacy and consumer protection. This was considered necessary for developing the Information Society and to build “confidence among users of ICTs.” [43] In order to do so it was considered appropriate that a global culture of cyber-security should be promoted through “cooperation with all stakeholders and international expert bodies.”[44] It was understood that developing a cyber-security culture would require “the protection of data and privacy, while enhancing access and trade.”[45] These conflicting requirements would require taking into account the unequal level of social and economic development of each country and “respect the development-oriented aspects of the Information Society.”[46] The WSIS resolved to support the activities of the UN to:

[P]revent the potential use of ICTs for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security. It is necessary to prevent the use of information resources and technologies for criminal and terrorist purposes, while respecting human rights.[47]

It was recognized spam as “a significant and growing problem for users, networks and the Internet as a whole,” and therefore it needed to be dealt with at “appropriate national and international levels.”[48] Last but not least the WSIS emphasized that confidence and security were “among the main pillars of the Information Society.”[49]

Pre-requisites for Cyber CBMs

A necessary precondition for developing cyber CBMs is to have good national cybersecurity policies and practices, particularly for the protection of critical infrastructure.[50] Since all countries and most businesses are digitally linked to each other, their mutual interdependence has increased manifold. Axiomatically, therefore, the national cyber practices and policies have regional and international implications. Poor national cybersecurity practices will most likely weaken collective cyber defenses. In this regard it is in the interest of governments, businesses as well as individual users with greater capacity to assist governments, business and users in countries with lesser capacity. Such measures will improve the confidence and trust among nations and will also strengthen global cybersecurity. Shoring up the cyber defenses cannot be done by governments alone and expertise available in the private sector, as well as in the academic circles, civil society and users can be helpful. This mutual collaboration requires:

Capacity Building. As discussed earlier, a lot of guidance is available on cyber capacity building in form of the UN resolutions on the Creation of a Global Culture of Cybersecurity (57/239, 58/199, 64/211) and the Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks. Useful inputs have also been provided by the ITU, government agencies, businesses and non‐governmental bodies.

The key characteristics of this exercise includes stocktaking of the public key infrastructure (PKI);[51] investigating threats and vulnerabilities; identifying stakeholders and their responsibilities; raising national awareness; developing public and private cooperation; putting in place national policies and strategies, developing appropriate organizational structures; developing appropriate legal frameworks especially to facilitate law enforcement cooperation across jurisdictions on cybercrime; and perhaps most importantly developing a national incident response and management capacity. In each of these fields international cooperation, linkages and networks are important. Clearly, the plan to develop capacity building mechanisms has to be seen through from basic design questions to the implementation stage.[52]

Creating Awareness. Many governments are ignorant about emerging cyber threats. The first step, therefore, is to raise awareness among official quarters regarding this sensitive topic. Policymakers need to understand how dependent their countries have become on ICTs and the vulnerabilities this reliance has created. This ignorance void can be covered through dialogue between states at the diplomatic, operational and technical levels, and between the public and private sectors on cyber security issues. This can be supplemented by launching initiatives to raise awareness among businesses and individual users to create good online security practices. This can be done for instance by observing annual Cyber Security Awareness Days.[53] This event can help promote secure online practices. Effective partnerships can be established with the industry to address cybersecurity issues through the development and promotion of good practices guidelines. National Cyber Security Awareness Weeks can also be observed to help users and small businesses to understand cybersecurity risks, and develop effective cyber security practices.

Developing Policies and Structures. Countries without robust cyber security structures are the weak links in the international system. Therefore, it is important to develop sound national cybersecurity policies. The policies would be based on available cyber ideologies and the prevailing cyber philosophy of the country. This will help form cyber crisis management responses. A well-defined strategy would help the government to streamline and coordinate cyber security approaches. Improved coordination within governments on cybersecurity issues is a key ingredient in managing coordinated responses. Improved government coordination on cybersecurity issues would strengthen its capacity to prevent, manage and react to cyber crises. This is also important to harmonize crisis communications measures with other governments. Improved government cyber activity is thus critical in the development of a number of measures between governments.

Establishing Incident Management and Response Systems. A key element of national cybersecurity strategy is the creation of national capacity to manage and respond to incidents. A crisis management plan and cyber exercises to test the plan are critical corollaries, vital for improving the national cyber security potential. The plan would be based on a cyber-defense design taking into account the data security standards; the mechanism for Cyber Event Detection; Incident Response; Internal Investigation; Third-party Forensic Investigation; Law Enforcement; Customer Notification; and a Containment and Remediation Plan.[54] National incident response capacity is an essential part of the international incident response network. Countries also need to think about their capacity to protect and defend key government networks. The national cyber incident response system requires two bodies i.e. national and organizational CERTs and a Cyber Security Operations Centre for protecting the Government’s critical infrastructure.

Holding Cyber Security Incident Response Workshops.[55] Workshops aimed at developing the national and organizational capacities to respond to cyber emergencies can be useful. The objectives of such workshops could include topics such as the essentials elements of national cyber defenses; information sharing methods in case of an incident; identifying best practice; and prioritizing capacity building activities for those countries with less mature frameworks and mechanisms. A number of practical scenarios can be discussed at such forums based on the level of willingness of the countries. One challenge could indeed be the information sharing mechanism before an incident occurs, and to improve preparedness and prevention. Such workshops can become important platforms to understand the capabilities and responsibilities of the countries through face to face discussions in an atmosphere of confidence and trust.

Improving Policies. Developing good cybersecurity is an ongoing process. These policies and practices need to be constantly improved and capabilities of the CERTs and Cyber Security Operations Centre should be upgraded to stand up to emerging challenges. In this respect, it would be worthwhile, to encourage the governments to issue Cyberspace White Paper laying down a framework for maximizing opportunities and minimizing the risks of the digital age.[56] The policies outlined in the White Paper should support the development of long‐term trust and confidence in the online world and contribute to the development of international norms of behavior in cyberspace.

Crafting Cyber Security Work Plan. Last but not least there is a need to develop national cybersecurity work plans. These work plans should not only provide users a guideline to enforce cyber security measures in government and organizations’ offices,[57] but also seriously consider ways and means for peaceful collaboration with other nations in cyberspace.

Suggested Cyber CBMs

Keeping in mind the basic building blocks of CBMs i.e. communication, constraint, verification and monitoring, countries genuinely interested in establishing confidence and trust in information space should consider the following:

  1. Information Sharing. Sharing information can go a long way in reducing suspicion and mistrust. Non-classified portions of the national cyber security policies; national organizations, programs, or relevant cyber security strategies and standard cyber terminology; emergency response SOPs; and methods of communicating cyber incidents can be conveniently exchanged. A still better way of sharing information can be with regards best practices. This can be done by organizing regional seminars and exchanging visits of experts.
  2. Joint Emergency Response Systems. Battling cyber threats jointly can increase the sense of participation in a common cause. A number of countries are already pooling their expertise and resources in regional CERTs and developing joint strategies to respond to ICT emergencies. Emergency drills could be organized to sharpen the skills of first responders.
  3. Restraint Agreements. A path-breaking form of cyber security CBM can be an agreement enjoining upon parties involved to refrain from directing malicious cyber activities against national critical infrastructure vital for running the daily affairs of the common man, such as telecommunications, energy, transport and financial systems. Experts are of the opinion that adversaries like the “US and China are both increasingly vulnerable to each other in strategic domains – nuclear, space, and cyberspace – where great harm can be done.”[58] Commonsense therefore demands that countries should exercise mutual restraint in these fields.
  4. Means of Recognition and Respect. Cyber bullying has become a common phenomenon in modern societies.[59] Online hate crime is rife.[60] Cyber intimidation and coercion is now considered part of cyber-terrorism.[61] Such obnoxious behavior can only be controlled by developing an acceptable code of conduct in cyberspace. Unwarranted propaganda and hacktivism can increase mistrust and sour relations. One way to improve trust and confidence is to enter into agreements to recognize and respect national cyber jurisdictions.[62]
  5. Defining Responsibilities. If governments are held responsible for cyber misdeeds of companies and organizations located on their sovereign territories, a lot of irresponsible activity can be curtailed. This can in the long run engender trust. It is therefore important to lay down precisely the responsibilities of the governments and their national organizations to behave in cyber-space in accordance with the international and national legislations.[63]
  6. Means of Attribution. One major problem associated with cyber-attacks is that of ‘attribution.’ It is very difficult to assign responsibility to the perpetrator of a malicious activity either technically or at a human level.[64] Yet it is not entirely impossible to investigate cyber-attacks forensically and assign responsibility.[65] One way of making attribution easier is by declaring the geographic location of Internet Protocol (IP) addresses. Exchanging such information on regular basis can become the bedrock of cyber security CBMs.

India and Pakistan Cyber CBMs

Given their wide experience in negotiating and practicing CBMs India and Pakistan can find areas of building trust in the cyber space as well. Following can be considered possible CBMs:

  1. Bilateral Agreements. Pakistan and India can choose from a host of bilateral agreements on cyber security, some of which are fairly benign.
  2. Agreement on Cybercrime Laws. Cybercrime is one area, where both countries can collaborate without agitating the domestic hawks. An agreement to jointly tackle cybercrime can cover broad range of issues like harmonizing laws covering cybercrime like online theft. Social issues like child pornography and human trafficking already find mention in law manuals.[66] An international conference was held in Vienna in September-October 1999, where it was agreed to show zero tolerance towards child pornography on the Internet and to criminalize this activity at the worldwide level.[67] An Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography (OP-CRC-CPC) was enacted by the UN in 2000.[68] The two countries can expand on the existing statutes and develop laws to curb this nefarious activity, involving regional and international rings.   
  3. Agreement on Not to Attack Essential Services. Drawing inspiration from the IHL, Rule 80 of the Tallinn Manual recommends that:

In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber-attacks against works and installations containing dangerous forces, namely dams, dykes, and nuclear electrical generating stations, as well as installations located in their vicinity.[69]

This humanitarian tenet was actually practiced in the South Asian wars fought between 1947 and 1971, where India and Pakistan both avoided bombing essential services like dams, dykes and electrical works. This spirit can be extended into the cyberspace. The essential services not to be subjected to cyber-attacks could be expanded to include financial institutions, industrial units, water and sewerage systems, nuclear power plants, health and emergency services. The critical C2 systems can in fact be declared as a cyber-attack exclusive zone.[70]

  • Agreement on Not Targeting National Command Authorities. Cyber-attacks against national/nuclear command authorities (NCAs) can leave individual commanders and weapon handlers with no choice but to make independent decisions with regards conventional as well as nuclear weapons. Such a worst case scenario could have apocalyptic consequences. Fortunately both countries have a CBM, pledging not to attack each other’s facilities. Article 1 (i) of this 1988 agreement can be amended by including the cyber dimension through an amendment or an Additional Protocol.
  • Agreement to Refrain from Hostile Propaganda. Social media has made the spreading of rumors and fanning hatred much easier than through state controlled media. The governments of Pakistan and India need to seriously study this issue and come up with imaginative ways of curbing uncontrolled activity in this domain. Hostile media effect is a subject of serious study. Case studies indicate that perception management by media can aggravate an already tense situation.[71] There have been agreements between Pakistan and India in the past to cease hostile propaganda against each other e.g. in the fall of 1974, the foreign secretaries of India and Pakistan had exchanged letters agreeing to a cessation of hostile propaganda through radio broadcasts. This agreement came into force on October 21, 1974.[72] Although this was never followed in letter and spirit, this concept can be extended to the social media, to avoid toxic fallouts from instances like a potentially damaging video clip going viral.
  • Joint Emergency Teams. Both India and Pakistan can become part of joint teams to handle computer emergencies and monitor criminal and terrorist activity in cyberspace. This can be done at the bilateral level or within the framework of regional organizations like the SAARC or SCO. Both countries are members of the SAARC and have observer status in the SCO. Whereas, SAARC has become a moribund organization, a victim of irreconcilable issues between India and Pakistan, SCO is not only very active in security and counter terrorism issues; it is the only regional association which has an agreement on cyber security. Creating a joint CERT within SCO and SAARC is worth exploring.
  • Joint Monitoring &Policing. The two countries can set up a joint cell to monitor illicit activity in cyber space and share vital information.  Forming a cyber-police force on the pattern of Interpol, Europol and Aseanopol can be possible cyber CBM.
  • Training. There is a lot of scope in building trust by sharing common experiences at professional forums. Regional seminars and meets of technical people and cyber security experts can be organized to share best practices and common experiences in dealing with computer emergencies.[73] Exchanging IT students for fellowships or regular degrees can be another way of reducing mistrust.
  • Cyber Hotline. Hotlines between the national computer emergency response centers will not only enhance reaction times to respond to emergencies but also strengthen the belief in each other’s dependability.

These and other meaningful suggestions can be considered in creating a credible cyber security CBM regime between India and Pakistan.


According UN policy guidelines, the ultimate goal of CBMs is to strengthen international peace and security.[74] Peace in cyberspace can be greatly facilitated by instituting internationally recognized cyber code of conduct. This will help reduce tensions, enhance transparency and make state behavior predictable.[75] Imaginative CBMs can precede complex negotiations on treaty agreements and longwinded ratification procedures. CBMs can be installed unilaterally but a mutually acceptable package of CBMs has the potential of setting into motion a genuine peace process.

Most activities in cyberspace take place amidst a deep feeling of distrust and high level of operational secrecy. Disparity of views, insufficient research on important regulatory issues and lack of a common vision about the future of cyberspace makes cooperation in this area a complicated issue. Differences exist on common definitions on cyber warfare, lack of agreement on what constitutes an armed attack or what responses would be justified, and what should be the rules of engagement in cyberspace. It will take a long time before these basic issues are resolved.

At the present there is no movement either on the part of India or Pakistan to broach the subject of cybersecurity. The issue of collaborating or building cyber CBMs is nowhere on the horizon. Once the governments recognize that there is a need to include this on the negotiation agenda, the process will start and then problems of structure and content will follow. Contributions from outside, including state parties, international and regional organizations, academic community and dedicated NGOs would help shape the proceedings. Local experts can contribute by taking stock of the existing situation and making independent assessment of how new ideas can be incorporated. For the moment this project may sound ambitious but then this may just be the right time to initiate it before things begin to heat up. Clearly, only genuine negotiations based on common interests will help carry forward the process.[76] Professional groups can help set the agenda for the negotiation, by pressing for more transparency in the official doctrines and recommending better mechanisms of international cooperation and crisis management. UN urges cooperation among governments on the subject of cyber security and the USG is willing to “build and sustain an environment in which norms of responsible behavior guide states’ actions, sustain partnerships, and sustain the law of cyberspace.”[77] Well-reflected inputs from published material like the Tallinn Manual on the applicability of international law in cyber warfare will prove useful.

Preliminary regional endeavors are already under way, and their dynamics should be used. If a regional approach prevails, some coordinating mechanism should be developed to avoid contrasting or setting contradictory standards. A new forum for cyber security can also be considered outside the existing ones.[78] The political implications and acceptance potential of any of these options have to be weighed carefully, and international experts could be invited to provide their inputs.


Preliminary Issues

Before earnest negotiations are undertaken, there is a requirement that the two governments start cooperating by building awareness at public and private levels on the necessity and virtues of cyber-security. Simultaneously there is a need to craft robust domestic cyber laws and wholesome cybersecurity policies. The suggested approach for establishing sustainable cyber-contacts should progress through a carefully calibrated process from informal to formal stages.  It is reiterated that unnecessary media hype and undue publicity can be fatal for any meaningful dialogue in South Asia and hence should be avoided. The following roadmap is suggested:

Phase I (Informal Contacts and Capacity Building)

  1. Contacts between Technical Societies. The first step in initiating cyber-contacts should be between technical societies working on cyber security issues. These societies should be encouraged to form a regional hub to set semi-official cyber ground rules in South Asia. The governments could patronize these societies and offer them guidance by arranging local and international workshops. The Institute of Electrical and Electronics Engineers (IEEE) is one international forum with presence both in India and Pakistan. In Pakistan IEEE sections are located in Islamabad, Lahore and Karachi.[79] Peshawar subsection also appears in the IEEE map. The Islamabad section has a Computer Society Chapter.[80] The IEEE regularly organizes international technical conferences through its computer society.[81] A SAARC IEEE could have a meaningful cyber presence in the region.
  2. Contacts between Academic Communities /Universities. Another informal forum for exchange on cyber information could be the universities. In this regard it would be useful to organize regional seminars to share best practices and showcase the latest trends in cyber security. Universities can play an important role in building capacities through cross pollination of ideas i.e. through exchange of students and by developing courses that could be useful for cyber security professionals. NUST School of Electrical Engineering & Computer Sciences (SEECS)[82] and Military College of Signals (MCS)[83] are two world class schools of computer sciences in Pakistan with the potential of contributing towards developing a common cyber security culture in South Asia.
  3. Capacity Building. Professional organizations can help build national capacities in drafting cyber laws, improving quality of cyber policing through improved cyber forensics, investigation and prosecution methods. The national parliamentary training services,[84] bar associations,[85] police training academies,[86] and judicial academies[87] can provide good forums for cyber capacity building. The telecommunication authorities of both countries also need to be trained to handle emergencies like politically motivated unrest spread through rumor mongering on the social media. So far the telecom agencies in South Asia namely, the Telecommunication Regulatory Authority of India,[88] and Pakistan Telecommunication Authority (PTA),[89] have both reacted to inflammatory texting or objectionable video clips by shutting down mobile texting services, laying down restrictions on the content of the text,[90] and banning video sharing and social media sites.[91]

Phase II (Non Military CBMs)

  1. Police Collaboration to Combat Transnational Cybercrime. Collaboration between the police forces can be an ideal way of creating CBMs at the official level. Cybercrime is a trans-border phenomenon. Regional and international police forces are collaborating to fight it and have successfully established joint monitoring and reporting centers. Collaborations among Interpol, Europol and Aseanopol can provide useful examples of joint cyber policing in South Asia.[92]
  2. Legal Collaboration to Frame Cyber Laws. Neither Pakistan nor India is a signatory to the CEC. They can accede to this agreement and also come up with bilateral agreements to harmonize local laws to jointly prosecute transnational cybercrime. The two countries can mutually organize seminars and training sessions to build capacities for lawyers and legislators to frame cyber laws.
  3. Joint CERTs. Pakistan and India can combine forces to respond to computer emergencies by forming joint CERTs bilaterally or within the forum of SAARC or the SCO. A joint CERT would be an excellent CBM. 

Phase III (Military Cyber CBMs)

  1. Define Redlines. Military information space CBMs can be a hard sell. One way to proceed in this regard could be by setting redlines, which could prompt a response. One way to do so can be by identifying n-go areas, where no cyber operations should be permitted.
  2. Decide Upon De-Escalatory Measures. Keeping various scenarios in mind necessary de-escalatory measures could be worked out in advance before a situation gets out of control.
  3. Establish Cyber Hotline. A dedicated hotline linking professionals and policy planners would help first responders to react immediately and the political leadership to undertake de-escalatory measures quickly.

PHASE IV (Cyber Cooperation through Treaties)

  1. Bilateral Treaties on Cybercrime. The next step to CBMs is concluding regular treaties. Bilateral treaties criminalizing cybercrime would help both countries to efficiently combat cybercrime and increase trust in each other.
  2. Bilateral Military Treaties. Areas can be selected, where the two countries would find it agreeable to collaborate.  Binding agreements not to attack each other’s national C2 centers could be a major coup, if it can be brokered.


Since cyberspace is becoming dangerous by the day, there is a dire need to institute international and regional measures to create a healthy respect for national sovereignty in cyberspace. Developing cyber CBMs can be one way of doing it. CBMs between India and Pakistan have a checkered history. Yet in times of crises these have proven extremely useful in preventing wars and facilitating conflict resolution. The first step towards conflict resolution is removal of mistrust and suspicion. Only then, can the dialogue process begin. It is a hard task to popularize the concept of CBMs between the two countries without removing suspicions and misunderstanding among people about the implied objectives and application of such measures.

In order to institutionalize the process of information based CBMs, it is necessary to create basic awareness among governments, organizations and the common man to embrace this concept. Currently, there is little knowledge at policy making circles about the vulnerabilities associated with ICT tools used for governance and management. This awareness can be created with the assistance of international organizations and local NGOs. Workshops, seminars, track II and track III efforts will help.

Multiple factors should be kept in mind, while formulating cyber CBMs. First, the process should be kept out of media glare. Second, it should begin informally and should steadily progress upto official levels.  Thirdly, a regional approach may help and facilitate India and Pakistan move out of the vicious circle of bilateral animosity. SAARC needs to be resuscitated. It can draw some inspiration from ASEAN by constructively keeping a low-key approach to contentious issues.[93] Balance between military and non-military CBMs is essential for creating conditions for peace. Non-military CBMs such as collaboration between the police forces, the legal, technical and academic communities can certainly make things easier for sustaining the dialogue process between the antagonistic parties.

Leave a Reply