‘Beyond the immediate, we are facing a future where security challenges will be less predictable; situations will evolve and change swiftly; and, technological changes will make responses more difficult to keep pace with. The threats may be known, but the enemy may be invisible. Domination of cyberspace will become increasingly important. Control of space may become as critical as that of land, air and sea. Full-scale wars may become rare, but force will remain an instrument of deterrence and influencing behaviour, and the duration of conflicts will be shorter.”
Prime Minister Narendra Modi, at Combined Commanders’ Conference in October 2014 Prime Minister Narendra Modi’s clear and categorical directions to the Combined Commanders of the armed forces is indicative of future threats and challenges to national security. The security challenges for the nation can no longer be defined and definite, as these are varied, conducted in many battle spaces by multiple means driven by a collective ideology, plausibly without any direct attribution and without any overt physical military application of combat power ab-initio.
“Domination of cyberspace will become increasingly important”, is a direction of the Prime Minister, unfortunately we as a nation and the armed forces have not done enough to translate the directions to capabilities. Globally, the second Cold War is widely believed to have started in 2014, however, contours are very different this time. Apart from media and social media, the most exploited arena in this Cold War is the cyber domain.
The Russians are widely believed to be involved in hackings and leaks which had an alleged effect on the US presidential elections. The cyber war however goes much beyond the US and Russia with other nations like Israel, North Korea, Pakistan and China being active participants. Georgia, Iran and Estonia have faced crippling cyberattacks which are thought to be state-sponsored and have proved the power of cyber warfare to shift focus from the conventional to the virtual domain.
India has been the target of nearly 1,852 attacks every minute in 2019 as per a report published by Indian cybersecurity research and software firm Quick Heal. Easy access to the Internet and readily available cyber tools enable ‘lone wolfs’ and ‘non-state actors’ to launch cyberattacks. The advantages of deniability are exploited to the hilt in the cyber domain. There are no traditional and physical boundaries in cyber warfare and it is characterised by anonymity, ambiguity, speed, no warning or indicators and lack of posturing.
In conventional warfare surprise is a critical element and cyberattacks achieve this almost every time. India and especially its armed forces need to be aware of these cyber realities and incorporate appropriate concepts into their warfare strategy. Future wars will be multi-domain multi- dimensional wars waged in many battle spaces across the full spectrum of conflict. Cyber will be the critical factor and the nation with asymmetry in cyberspace will be vulnerable to this low-cost high affect warfare.
CYBER THREATS: INDIAN CONTEXT
As far as India is concerned, our two adversaries, China and Pakistan, pose major challenges in cyberspace, though the cyber threat is all pervasive and can manifest from any source, state and non-state. China has set aside $90 billion for information war in the cyber domain. It is believed that the PLA’s strategic cyber command is integral to the PLA’s Strategic Forces Command, structured to integrate all strategic domains available to the state and directly controlled by the Central Military Commission. It has approximately 1,30,000 personnel on its rolls and pool of additional 2.5 million people who have the basic education and skills in cyber warfare, hacking, espionage, spying and sabotage.
The role of Chinese PLA Unit 61398 and the National Security Agency in launching sophisticated cyber espionage activities is well known and is in open domain. In May 2008, Chinese hackers allegedly broke into India’s Ministry of External Affairs. Chinese hackers are known to have used social networking sites to break into computer networks of the Indian defence establishment like the National Security Council Secretariat, 21 Mountain Artillery Brigade, Air Force Station Delhi, etc. It is also rumoured that the major power grid failure in north India followed by Eastern parts of India in July 2012 including Delhi was a cyberattack engineered by China possibly to check the capabilities.
During the recent Doklam standoff Chinese cyber activities were directed towards India as part of its information warfare, an important component of the three-warfare strategy of PLA. Blackouts in our regional electricity grids and other cyberattacks have been caused by China in the past. It is a matter of concern that almost 80% of our telecommunication equipment is Chinese. They have more than 100 companies manufacturing electronic and telecom products in India. There must be on overhaul of existing rules and regulations with the aim to eliminate Chinese products from critical areas. At present it is near impossible to procure any ICT equipment which is not sourced from China. It is common knowledge that all such equipment has embedded security risks.
The threat from Pakistan is again significant, though their technology prowess is less than China, the motivation levels against their ‘eternal enemy’, India, may be much more. Pakistan has been defacing Indian websites through hacker groups like Pakistan Hackers Club, GForce, etc, in the past. These groups are of the firm belief that they are working for the cause of Kashmir. Lately some groups have taken to social media to discredit the army and cause unrest in the rank and file.
There is a concerted effort by Pakistan for employment of social engineering in cyberspace with special reference to social media. Lone Wolf and non- state actors also pose significant threats. The lack of cyber expertise with such actors is often made up by hiring cyber criminals though the Dark Net for a specified fee. The anonymity factor makes these actors more adventurous as the risk of getting caught or compromised is minimal especially if working from another country.
NATIONAL CYBER SECURITY
Twenty-seven ministries in the Government of India are presently dealing in cyber with varying priorities and funding. Rajeev Bhutani in a CENJOWS paper on A Comprehensive National Cyber Force Structure For India, writes: “India’s response to cyber threats so far has been reactive and fragmented. India’s Department of Electronics and Information Technology (DEITy), under the Ministry of Communication and Information Technology (MCIT) released the country’s first ever National Cyber Security Policy (NCSP) on 2 July 2013.
As regards cyber infrastructure, there are as many as six agencies at the apex level, which are dealing with cyber security management: National Information Board (NIB), National Security Council Secretariat (NSCS), National Crisis Management Committee (NCMC), National Disaster Management Authority (NDMA), National Cyber Response Centre (NCRC), and National Technical Research Organization (NTRO).” India needs to create formal structures and organisations to ensure optimal cyber usage and security.
With new technologies like Internet of Everything, Big Data Analytics, Artificial Intelligence, Machine Learning, Blockchain, Robotics/Autonomous vehicles are all driven by Cyber space, the key question is are we as a nation future ready. We have over 400 million internet users but lack in critical infrastructure, legal provisions and regulations, security consciousness, secure and sovereign data farms. We have multiple cyber threats which are all encompassing and can target all our sectors from defence to financial, government, transportation, power, media and industry etc.
There is a need to evolve an allencompassing comprehensive national cyber strategy, which defines national objectives, and addresses the security concerns and threats to the nation and in particular the defence forces and operational preparedness and plans. This Strategy should dictate capability building and enhance existing capacities for an effective cyber defence of the armed forces. An effective cyber defence policy and organisation will have to function in concert with all other government departments and organisations under the overall policy framework of the NCA.
Defending the territorial integrity of India in land, sea and air and safeguarding the national interests and assets is the constitutional mandate of the Armed forces. As present and future security threats are multidimensional and multi domain including the all critical cyberspace, the armed forces will have to ensure a secure cyberspace and exploit it as a tool for deterrence. There is imperative that we create structures and systems which enable a secure cyberspace and exploitation to ensure a modern and prosperous India.
PM Modi’s national initiative of DIGITAL INDIA can only take shape if we have the requisite cyber security and cyber technology structures. India needs to create a National Cyber Agency (NCA) by an act of parliament which will be an autonomous body with the requisite authority and funds to govern and administer all aspects of cyber. The NCA should be self-funded, even at an additional one rupee per internet user per month there will be adequate funding for this agency. The NCA will be responsible for cyber security in all its domains and also for creating critical infrastructure and self-reliance in the mid to long term.
It will be much more than a mere regulatory body. On similar lines the states too could create their respective State Cyber Agency which should follow the guidelines and instructions off the NCA. In affect the National Disaster Management Authority model exists and can be replicated with suitable modifications to meet the national cyber security needs. The three critical aspects of cyber security are people, process and technology. There is a continuous effort to plug gaps in these critical aspects through continuous technological upgradation, advisories, guidelines, training and audits.
There is a profusion of armed forces agencies dealing with cyber issues ranging from the Corps of Signals to CERT-Army/Navy/Air Force, the IT departments of various headquarters and the Integrated Defence Staff. The Defence Cyber Agency created in 2019, has been designated as the nodal agency mandated to deal with all cyber security related issues of the Tri Services and Ministry of Defence. These agencies work as per guidelines laid down, in coordination with CERT-In which was created in 2004.
These agencies are mandated for safeguarding the cyber system by creating appropriate standards/ guidelines, rapid emergency response, audits and advice. The processes and guidelines followed are iterative with accountability and responsibilities earmarked. However, the present organisation fall short of meeting even the present-day needs leave aside the future threats and challenges.
CHALLANGES FOR THE ARMED FORCES
The cyber domain is huge and there are going to be 500 million Internet connected devices by 2020 in India. Cyber capabilities are also a major factor of deterrence much like a nation’s nuclear and conventional military capabilities. The Internet has also become a weapon for political, military and economic espionage. The dependence of cyberspace by the military makes it a vulnerable domain for attack by inimical elements.
Attacks can be physically on the facilities where the hardware of command, control, communications, computers, intelligence, information, surveillance and reconnaissance (C4I2SR) systems are located, or they can be on the software by distorting the programs which operate the C4I2SR systems. Each service of the Indian armed forces has its own set up for cyber security of critical military assets. This in effect means that the Army, Navy and the Air Force are working in silos and there is hardly any inter communication with respect to this critical aspect.
Actually, the inherent secretive nature of the armed forces does preclude jointness. HQ Integrated Defence Staff has tried to bring in some jointness in this regard but the existing structures may not allow much exchange of cyber information. May be with the raising of the Defence Cyber Agency security will improve and procedures will be streamlined. The Indian armed forces have their own air-gapped networks which give it a high degree of security.
However, we do have a history of cases like the Stuxnet virus, which prove that air gapping alone does not guarantee cyber security. The army’s network is built up on imported hardware and updating of the same often requires connecting machines to the internet which may render the network vulnerable. The low threshold of education and technical knowledge of soldiers remains a cause of concern. Training such a large military on cyber aspects is a problem area.
Also, the inherent fast pace of technology in the cyber domain necessitates re-training periodically which is difficult administratively and we need to come up with new training methods which enable on the job training without compromise on standards. The infrastructure for such training needs should be put in place. The other challenges faced by the defence forces are supply chain dependence on imports especially Chinese, targeted attacks (spear phishing) on machines, lack of adequate structures, low technical HR development in the country, lack of trust in hardware due to poor in house chip manufacturing base in the country, etc.
WAY AHEAD
The Joint Doctrine of the Indian armed forces was released in April 2017. This doctrine is a revised version of the first document which was released in 2006 and addresses the current realities. The Doctrine recognizes the five domains of modern warfare, ie land, sea, air, space and cyberspace. It lays due emphasis on establishment of the Defence Cyber Agency with both offensive and defensive cyber warfare capabilities.
The nucleus is already in place and is functioning under the HQ Integrated Defence Staff. With the cyber arena now recognized as a new domain of warfare, setting up an optimal force competent to achieve the dual objectives of defending the country from cyberattacks in war and securing the military’s network operations in peace requires deep and pragmatic thought. Most mega armed forces like United States, Russia and China have raised cyber commands with a huge number of cyber warriors who are both professionals and possess an unmatched passion for cyber war fighting.
Most Western countries like the UK, Germany and the Netherlands have also entrusted this responsibility to their defence forces. There is an urgent need to establish a tri-service Cyber Command as envisaged by the Naresh Chandra Task force and the Shekatkar Committee, which should function directly under the Chief of Defence Staff who will be a single point of contact to Cabinet Committee on Security (CCS). It should be headed by a three-star general (CinC) from Army/AF/Navy. HQ Cyber Command will have a real- time coordination with NCA and all other organisations.
It will be responsible for both Cyber Defence and Offence. Just as defending the territorial integrity of India is the sole responsibility of the armed forces, they should also be responsible for defending the national interests in cyberspace. The US and China had established their cyber commands in 2010 and their cyber work forces are gaining expertise to forge ahead in cyber war fighting. There is an urgent need to establish a tri services cyber command which should function under the upcoming Chief of Defence Staff who would be answerable to the Cabinet Committee on Security.
It would also help in real time information sharing and coordination with other government cyber agencies like CERT-In. The dedicated mission teams could be adequately decentralised to, say, Division levels and be given specific tasks of cyberattack, cyber defence, support, etc. Deterrence cyber capabilities are not discussed in open domain, but it goes without saying that this aspect should be the mandate of Defence Cyber Agency, as a purely defensive approach is a recipe for disaster. However, to be effective we also need a dedicated and trained workforce, build a cyber culture in the armed forces and have lateral partnerships with other cyber agencies, industry, academia and experts including foreign ones.
The student community must get into cyber mode with passion to ensure that national security is not outsourced in the future. We need to start cyber security and awareness through courses, funded by the IT sector, in schools and colleges. There is a need to change old mindsets in our country and develop in house technology to match the future cyber challenges posed by China and other adversaries. The development of niche expertise within the armed forces and participation of other agencies, including the PPP model also needs deliberation.
The future digitised battlefield will operate in a hostile cyber environment. Disruptions and loss of data and information will be felt at the operational and tactical level. Inadequate cyber warfare capability/cyber security will inflict considerable damage to the Indian defence forces and be detrimental to national security. India’s strategic challenge in cyberspace emanates not just from external threats but is exacerbated by its rapidly increasing digital ecosystem.
A comprehensive National Cyber Force Structure with Cyber Command at the apex will not only allow the Indian armed forces to gear up for cyber war fighting and win a Net-centric war but will also enable synergy with other national agencies/organisations using the cyberspace thereby providing holistic cyber security to the national assets.
Lt Gen Vinod Bhatia (retd) is the former Director General Military Operations, Indian Army, and currently the Director at the Centre for Joint Warfare Studies (CENJOWS).