Why Haven’t India and Indonesia Signed Up For Anti-Spyware Dialogue?

Why have India and Indonesia yet to sign up to global governance mechanisms on commercial cyber intrusion capabilities – and how can proponents of the Pall Mall Process persuade them to do so?

The Summit for Democracy in Seoul ended last month with a joint statement on countering the proliferation and misuse of commercial spyware. The statement, which had originally been announced in March 2023, has now been signed by several countries, including the US, Japan, South Korea and Finland – all of whom are also members of the ‘Pall Mall Process’.

Kicked off by the UK and France in February 2024, is a separate multi-stakeholder dialogue also designed to combat the misuse and sale of commercial surveillance tools. The process emerged in response to growing concerns about the misuse of commercial spyware, like the Pegasus spyware tool developed by Israel’s NSO Group. India and Indonesia – the world’s first and fourth largest democracies – were notably absent from both the Pall Mall Process and the joint statement.

Revelations about Pegasus and other misuses of commercial spyware kicked off a frenzy of responses from government and industry, including through the Pall Mall Process. To date, the process includes representation from the African Union, Australia, the Gulf Cooperation Council, Malaysia, Japan, Singapore, the US and Switzerland.

Despite the mixed group of countries involved, neither India nor Indonesia have joined the process or commented on its existence. Their absence speaks to some of the broader similarities in the domestic politics and global identities of both actors. Both India and Indonesia prize sovereignty – that is, strategic autonomy in the conduct of foreign and domestic policy – as a cardinal tenet. The preservation of domestic ‘policy space' to pursue security, economic and developmental goals is a crucial objective of their diplomatic endeavours. While both countries engage with formal and informal governance mechanisms in the cyber and critical tech domains, their acquiescence is not automatic but is instead based on context-specific domestic and geopolitical concerns. Both countries have the global stature and materialistic wherewithal to resist pressure to join governance mechanisms from allies and adversaries alike. Consequently, staying away from the Pall Mall Process and related spyware diplomacy could be premised on three factors.

First, signing onto the Pall Mall Process may not be an immediate diplomatic priority or fit for either country. Combating spyware is certainly not high on Indonesia’s diplomatic agenda. In the past few years, Indonesia’s cyber diplomacy have largely centred on combatting terrorism online, advocating tech neutrality and data sovereignty, and calling for more support for cyber capacity-building in the Global South. While cyber surveillance has emerged as a national security concern since the 2013 Edward Snowden revelations, the issue has not featured prominently on the country’s diplomatic agenda in cyberspace.

For India, the answer could lie in mundane procedural matters. India has historically been reluctant to sign onto agreements that it has had no say in negotiating. Notable examples include India’s continued opposition to the Budapest Convention which was brokered only by the Council of Europe, and its decision not to sign onto the Paris Call for Trust and Security in Cyberspace, which was brokered jointly by Microsoft and the French government. India has always been a stickler for appropriate diplomatic procedures and very rarely joins or endorses any process without ticking all the right boxes first.

The Pall Mall Process comes at a critical juncture in the domestic political history of both countries

Moving to more substantive reasons, both India and Indonesia may be using spyware both in domestic and international cyber operations. Consequently, they might not want to adopt a clear position on restricting commercial intrusion capabilities just yet. Recent reports indicate that India-affiliated hackers have used spyware to target actors based in Pakistan. Further, there are allegations that India bought the Pegasus spyware from Israel’s NSO group and used it against journalists and opposition leaders. Indonesian authorities have also been suspected of using commercial spyware to spy on opposition leaders and activists.

Third, in terms of morals, neither country views surveillance in the interests of national security as illegitimate state action. India’s data protection legislation grants broad exemptions to government agencies acting in the interests of national security. Further, the Snowden revelations, which revealed that India was a major target of NSA snooping, were a major wake-up call for India to build its own surveillance capabilities, although no Indian government has publicly disclosed such capabilities. Meanwhile, Indonesia also prioritises development or internal security concerns over countering surveillance, which explains China’s continued presence in Indonesia’s technological perimeter despite strategic distrust between the two states.

So, how should proponents of the Pall Mall Process and adjacent diplomatic initiatives engage with crucial non-Western democracies like India and Indonesia? Would India and Indonesia ever consider signing up?

First, bilateral channels help. India signed the US-brokered Artemis Accords after conversations between the security establishments of both countries during Prime Minister Narendra Modi’s well publicised visit to the US in 2023. Tapping into Indonesian sensitivities about the use of surveillance tools by foreign actors could also help. After all, Indonesian entities, including commercial firms, are likely to emerge as much bigger targets of cyber-espionage by foreign states seeking political and economic gain.

Second, India and Indonesia’s moral agnosticism on the privacy impacts of surveillance stems from a deep-rooted conviction that Western liberal democracies wax eloquent about surveillance while reaping its benefits, albeit using different tools and techniques. While combating spyware is an important piece of the puzzle, meaningful dialogue on the impacts of surveillance writ large is the need of the hour, including introspection on the Five Eyes’ own surveillance practices. Global moral clarity would nudge India and Indonesia to sign onto portraying themselves as responsible cyber actors, even if actual domestic practices diverge.

Given that they are not formal alliance partners of the US, India and Indonesia will never be default ratifiers of any cyber initiative. However, as has been demonstrated by both India and Indonesia’s proactive engagement with several US-led initiatives like the Quad and the Indo-Pacific Economic Framework, they can sign on when interests converge.

The Pall Mall Process comes at a critical juncture in the domestic political history of both countries. Amid allegations of growing executive control and the abrogation of institutions, a gamut of other challenges have rightfully captured the media and political limelight. Yet, India and Indonesia are both critical stakeholders in the global governance of cyberspace, which is increasingly resorting to informal mechanisms like the Pall Mall Process. Therefore, engaging with Indonesia and India effectively is critical to the success of these initiatives and the stability of cyberspace as a whole.

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.


Dr Gatra Priyandita

GP-RCB Work Stream co-lead for the Indo-Pacific

View profile

Arindrajit Basu

View profile


Explore our related content