The Global Stack: A Manifesto

In 1941, soon after he had secured an unprecedented third term as President of the United States, Franklin D. Roosevelt mobilised the US Congress to pass the Lend-Lease Act. Its context and history are storied. British Prime Minister Winston Churchill famously wrote to FDR requesting material assistance from the United States to fight Nazi Germany — “the moment approaches when we shall no longer be able to pay [to fight the war]”. FDR knew he would not get the American public’s approval to send troops to the War (Pearl Harbor was still a few months away). But the importance of securing the world’s shipping lanes, chokepoints, manufacturing hubs and urban megalopolises was not lost on the US President. Thus, the Lend-Lease Act took form, resulting in the supply of “every conceivable” material from the US to Britain and eventually, the Allied Powers: “military hardware, aircraft, ships, tanks, small arms, machine tools, equipment for building roads and airstrips, industrial chemicals, and communications equipment.” US Secretary of War Henry Stimson defended the Act eloquently in Congress. “We are buying…not lending. We are buying our own security while we prepare,” Stimson declared.

The analogy is not perfect, but FDR’s Lend-Lease Act offers important lessons for 21st century India’s digital economy. Our networks are open; our public, electronic platforms are free and accessible to global corporations and start-ups; our digital infrastructure is largely imported; and — pending policy shifts — we believe in the free flow of information across territorial borders. India has made no attempt, and is unlikely to in the future, to wall off its internet from the rest of the world, or to develop technical protocols that splinter its cyberspace away from the Domain Name System (DNS). While we have benefited immensely from the open, global internet, what is India doing to secure and nourish far-flung networks and digital platforms? The Lend-Lease Act was not just about guns and tanks; a quarter of all American aid under the programme comprised agricultural products and foodstuff, including vitamin supplements for children. The United States knew it needed to help struggling markets in order to build a global supply chain that would serve its own economic and strategic interests. Indeed, this was the very essence of the Marshall Plan that followed a few years later.

In fact, India’s digital success story itself is a creation of global demand. When the Y2K crisis hit American and European shores, Indian companies stepped up to the plate and offered COBOL-correction ‘fixes’ at competitive rates. In the process, Western businesses saved billions of dollars — and Y2K made computing ubiquitous in India, which in turn, added great value to the country’s GDP. 

Therefore, there are both security-related concerns and economic consequences that should prompt India to develop “digital public goods” for economies across Asia, Europe and Africa. Can India help develop an identity stack for Nigeria — a major source of global cyberattacks — that helps Abuja mitigate threats directed at India’s own networks? Can we develop platforms for the financial inclusion of millions of undocumented refugees across South and Southeast Asia, that in turn reduces economic and political stress on India and her neighbours when confronted with major humanitarian crises? Can we build “consent architecture” into technology platforms developed for markets abroad that currently have no data protection laws? Can we nurture the creation of an open, interoperable and multilateral banking platform that replaces the restrictive, post-9/11, capital controls system of today with a more liberal regime — thus spurring financial support for startups across India and Asia? Can India — like Estonia — offer digital citizenship at scale, luring investors and entrepreneurs who want to build for the next billion, but do not have access to Indian infrastructure, markets and data? These are the questions that should animate policy planners and digital evangelists in India. 

The Indian establishment is not unmindful of the possibilities: in 2018, Singapore and India signed a high-level agreement to “internationalise” the India Stack. The agreement has been followed up with the creation of an India-Singapore Joint Working Group on fintech, with a view towards developing API-based platforms for the ASEAN region. As is now widely known, a number of countries spanning regions and continents have also approached India with requests to help build their own digital identity architecture. 

But the time has come to elevate piecemeal or isolated efforts at digital cooperation to a more coordinated, all-of-government approach promoting India’s platform advancements abroad. The final form of such coordination may look like an inter-ministerial working group on digital public goods, or a division in the Ministry of External Affairs devoted exclusively to this mission. Whatever the agency, structure or coalition looks like within government, its working should be underpinned by a political philosophy that appreciates the strategic and economic value accrued to India from setting up a “Global Stack”. In 1951, India was able to successfully tweak the goals of the Colombo Plan — which was floated as a British idea to retain its political supremacy within the Commonwealth — to meet its economic needs. Working together with our South Asian partners and like-minded Western states like Canada, we were able to harvest technology and foreign expertise for a number of sectors including animal husbandry, transportation and health services. India was also able, on account of skilful diplomacy, to work around Cold War-era restrictions on the export of sensitive technologies to gain access to them.

That diplomacy is now the need of the hour. The world today increasingly resembles FDR’s United States, with very little appetite to forge multilateral bonds, liberal institutions, or rules to create effective instruments of global governance. It took tact and a great deal of internal politicking from Roosevelt to pry open the US’ closed fist and extend it to European allies through the Lend-Lease Act. India, similarly, will need to convince its neighbours in South Asia of the need to create platforms at scale that can address socio-economic problems common to the entire region. This cannot be done by a solitary bureaucrat working away from some corner of South Block. New Delhi needs to bring to bear the full weight of its political and diplomatic capital behind a “Global Stack”. It must endeavour to create centripetal digital highways, placing India at the centre not only of wealth creation but also global governance in the 21st century.

The blog post is authored by Arun Mohan Sukumar, PhD Candidate at The Fletcher School at Tufts University, and currently associated with Observer Research Foundation. An edited version of this post appeared as an op-ed in the Hindustan Times on October 21, 2019.

Data Empowerment and Protection Architecture Explained – Video

More commonly known as the ‘Consent Layer of the India Stack’, Data Empowerment and Protection Architecture (DEPA) is a new approach, a paradigm shift in personal data management and processing that transforms the currently prevalent organization-centric system to a human-centric system. By giving people the power to decide how their data can be used, DEPA enables the collection and use of personal data in ways that empower people to access better financial, healthcare, and other socio-economically important services in a safe, secure, and privacy-preserving manner.

It gives every Indian control over their data, democratizes access and enables the portability of trusted data between service providers. This architecture will help Indians in accessing better financial services, healthcare services, and other socio-economically important services. The rollout of DEPA for financial data and telecom data is already taking place through Account Aggregators that are licensed by RBI. It covers all asset data, liabilities data, and telecom data.

We, at iSPIRT, organised a learning session on the 18th of May, to give relevant and interested stakeholders a detailed primer on DEPA. We had 60-odd very animated and engaging people in the audience. The purpose of the session was to understand the technological, institutional, market and regulatory architecture of DEPA, its impact on existing data-consuming businesses and how people could contribute to this new data-sharing infrastructure that’s being built in India.

The session was anchored by Siddarth Shetty, Data Empowerment And Protection Architecture Lead & Fellow, iSPIRT Foundation (Email – sid@ispirt.in). Please feel free to reach out to him for any queries regarding DEPA.

For other queries, please write to [email protected].

Preferred Market Access Policy for Indian CyberSecurity Products

The government of India had announced a Preferred Market Access (PMA) policy for Cyber Security products through an order notifying the Public Procurement (Preference to Make in India).

MeitY shall be the nodal Ministry to monitor and administer this PMA policy.

The policy announcement is available at the link given here: Public Procurement (Preference to Make in India) Order 2017 - Notifying Cyber Security Products in furtherance of the Order

iSPIRT has been pursuing with MeitY the application of PMA for all Indian software products to promote the Indian software product industry, and it is heartening to note that at least one important sub-sector, cybersecurity, has caught the Government’s attention.

iSPIRT organised a PolicyHacks session to understand this policy announcement with Ashish Tandon, Founder & CEO of Indusface, and Mohan Gandhi of Entersoftsecurity.

Ashish has been following the policy announcement and has earlier published a blog at https://pn.ispirt.in/cybersecurityproductsprocurement/

You can watch the discussion with Ashish and Mohan in the YouTube video given below, in a question-and-answer format with Sudhir Singh.

What are the essential features of this Policy?

Ashish described the main features stating that this is a policy that is going to help boost Cybersecurity products in India. Govt. of India identified areas that require boosting ‘make in India’ products for the sensitive areas of cybersecurity.

Is there a way product companies can register or Government is going to keep a registry of ‘made in India’ products?

Ashish explains the policy has provided for the formation of a committee that will further provide for a process for empanelment of Indian Cybersecurity products and Indian Cybersecurity product companies with some defined key aspects that would qualify for empanelment.

Ashish further explained that as the empanelment aspects are decided, a process for testing and meeting standards, quality norms, etc. may also come up.

Are there enough product companies in the ‘Cyber Security’ space for empanelment?

Mohan Gandhi answered that there are several product companies, but this policy should further strengthen the ‘make in India’ aspect, and companies based out of India with deep-tech products can look at taking advantage of this policy.

Whether the Policy will be applicable to “productized services”?

Ashish answered that this policy is applicable only to products and will at best give preference to made-in-India products in turnkey projects wherein a cybersecurity product is involved in a large project.

How will this policy help Start-up companies in Indian Market?

Mohan mentioned that one interesting thing about this policy is that it clearly talks about intellectual property. There is a need to register and prove that the IP belongs to India. It will encourage small companies to register the IP and leverage the Indian IP even when they are selling abroad.

Does enough clarity exist on process, empanelment, etc.?

Ashish feels the policy has already prescribed the setting up of an empowered committee that will look at these aspects, and it is MeitY that will be responsible for doing this.

Ashish further elaborated that this policy will get a further push once some companies start getting empanelled and processes and rules are framed under MeitY by the empowered committee.

In concluding remarks, both Ashish and Mohan felt that the cybersecurity ecosystem will get a boost from this policy, as the policy is furthering the cause by advising Government departments to prefer Indian products. With the digital economy on the anvil, there should be a huge demand in Government and public sector enterprises for cybersecurity. The cybersecurity product market is today dominated by players from the US, Europe and Israel.

The policy has to be pushed hard to provide further encouragement and, coupled with the StartupIndia policy, there should be an all-out effort to promote the Indian cybersecurity product companies.