The need for National Cyber Strategy is acutely being felt to provide a sense of direction to all stakeholders, particularly when the information networks and core national interests are threatened by states or non-state actors supported by them. The strategy would also define the goals in a given situation for all stakeholders. Strategic planning is a tool that is useful for guiding decisions and even for evaluating progress and changing approaches when moving forward to deal with serious challenges.
Besides, it would convey the resolve of the country to respond to a severe cyber-attack in a manner that would inflict unacceptable damage to the adversary and their supporters and thereby deter the adversaries from harming our interests. The activities of others using cyberspace shape the current cyber environment. The risks and challenges depend upon the actions and intents of others. The threats in this domain are assuming each day new worrisome dimensions. New methods are being adopted to achieve the objectives of cyber attackers.
We are going to face more destructive attacks rather than disruptive attacks in the coming period. And cyber-attacks on our critical infrastructures have the potentials to damage national security severely. Given the above, several countries are preparing themselves for offensive operations. A US report suggests that about 30 nations are building cyber warfare capabilities, and more than 130 nations are acquiring “cyber weapons”.
While these capabilities and weapons would change with time, the use of artificial intelligence could significantly upgrade their destructive power. China, which is now using AI in the cyber domain, perceives that the warfare would shift from “Informatised” to “Intelligentised” warfare. This would not only change the nature of conflict in the future but also demand structural changes in the armed forces. There is no doubt that the AI-based cyber weapons would be far more deceptive and destructive.
The cyberspace has become a new frontier of warfare. As we have to deal with the unique challenges, we need a strategy both for countering the threats and deter our adversaries from launching the attacks because of the penalty that would be imposed on them. In essence, we need a cyber-strategy to neutralise the risks from cyberspace. To formulate a national cyber strategy, it would be necessary to assess our security environment, which is shaped by the capabilities and intents of other nations.
Most advanced countries have developed cyber strategies based on offensive operations for which they have created specialised units. We would need to counter them when the situation arises. Not doing so on the plea that we are not the US, China or Russia would keep us weak and an easy victim of coercion. We should not hesitate to adopt the best practices of others — though taking in view our peculiar conditions. The reasons for other countries to adopt offensive cyber strategies are not far to seek. Three factors are responsible for this.
First, as cyberspace is largely owned and operated by the private sector, controlling cyberspace becomes very difficult. Second, early warnings, like in the physical world, are not possible in cyberspace. Hence it is easier to go in for offensive ops than defensive ops. Third, cyber threats are seen as international attacks on national interests. A study of the national cyber strategies of the US, China, Russia, and the UK points out certain common elements in their strategy.
Three factors are common to the strategy of the countries mentioned above. First, the cybersecurity is perceived as a part of national security and all are accepting the possibilities of cyber-wars. They have listed in their cyber strategies or doctrines several steps like enhancing capabilities to defend the critical infrastructure, information data and network; enhancing capabilities to respond to the cyber-attacks in real-time; developing abilities to identify the sources of attacks; integrating it with armed forces operations; preparing for both defensive and offensive operations, and having an empowered body (involving top policymakers) to prioritise operations and ensuring that various stakeholders to act as one force.
The US’s National Cyber Security Strategy states that the security of cyberspace is fundamental for national security and prosperity of its people. China considers that national security is closely linked with cybersecurity. “No national security without cybersecurity,” said Chinese President Xi Jinping to the state-run news agency Xinhua in April 2014. The establishment of the National Security Commission (NSC) and Central Network Security (CNS) and the Informatization Leading Small Group, with Xi as their head, also bear testimony to this line of thinking. The Russian cybersecurity strategy identifies cyber-security, privacy, and information security as vital to the national interests of Russia.
The UK’s cybersecurity strategy aims at making the UK as one of the most secure nations to do business. The second is the use of cyber capabilities to deter adversaries. Cyber operations are not merely seen as supplementing military operations but are also used as a deterrent. The US has tasked the Department of Defence to “contribute to the development and implementation of a comprehensive cyber deterrence strategy to deter key states and non-state actors from conducting cyberattacks against US interests”.
The US National Security Strategy announced in 2018 makes it clear that the US would respond offensively and defensively when attacked in cyberspace in areas ranging from critical infrastructure to space exploration to intellectual property protection. In China’s concept, the deterrence of cyber operations could serve the same purpose as nuclear deterrence in an international environment. The overall Chinese strategy hinges on several military and nonmilitary capabilities including nuclear, conventional, space and information warfare, economic, diplomatic, scientific and technological.
It also depends on the collective will of the nation. They all constitute essential components of a credible “integrated strategic deterrent”. The Russian strategy stresses the need to have the ability to counter cyber threats and considers cyber operations as a part of hybrid wars. In the UK’s cyber strategy, which is available only in statements of officials, deterrence occupies a key position. The Defence Secretary explaining the UK’s offensive cyber operations in his speech at Cyber 2017 Chatham House Conference (in June 2017) stated that “the UK’s National Offensive Cyber Planning allowed it to integrate cyber into all their military operations”.
And the third element is that in all the countries mentioned above, there is a higher thrust on developing domestic capabilities to produce necessary IT products. They are doing away with their reliance on foreign equipment and systems. India needs an efficient national cybersecurity strategy keeping the evolving cybersecurity environment in its calculus. The recent trends, which have changed the nature of threats in cyberspace, need attention. Strategic deterrence now incorporates a well-defined role for cyber that is likely to expand in the future, and strategic deterrence has begun to play a role in cyber deterrence strategy.
Experts opine that it is logically more stable and potentially peaceful to have a system of deterrence that is structured mutually across major powers, giving no one state the ability to disrupt cyber equilibrium. Therefore, our national cyber strategy has to be based on the above three elements. The severe threats are originating from principal adversaries, who could use non-state actors. Hence the need would remain to deal with the principal adversaries, and therefore our national cybersecurity strategy must relate to our national security strategy.
This requires not only an effective cybersecurity strategy but the adequate capability to quickly pinpoint the source of an attack and specialised force to undertake offensive operations to neutralise the source of threats. Fortunately, India has initiated steps to form the Defence Cyber Agency — a tri-service agency — which would fight wars in the cyber domain and formulate doctrine for cyber warfare. It was a much need step. The government should ensure that this agency is given full support to achieve the objectives.
The use of cyberspace for military operations would also infuse jointness among the three Services. The appointment of CDS would further help in integrating the operations of Air Force, Navy and Army. Though attribution remains a problem, a declaratory strategy with an emphasis on deterrence can dissuade the principal adversaries and groups supported by them from launching attacks on our critical infrastructure or on our core national interests.
The National Cyber Security Strategy should indicate in clear terms that any breach of India’s cyberspace from foreign actor would be treated at par with violations of our sovereign territory, airspace or territorial waters. We could indicate that our cyber strategy would be based on “Forward Active Defence”, i.e. could take steps to neutralise the source and could use any means at our disposal to inflict unacceptable damage on the attacker.
We can maintain ambiguity on the actual triggers, and such decisions can be taken later when a severe attack takes place. Simultaneously, we have to encourage research in having the capabilities to pinpoint the source of attacks. With improved investigative techniques and equipment, it should be possible. It may also be mentioned that serious attacks come from the interface of humans and human computers, and therefore, an efficient counter-intelligence system could help in pointing the adversary state.
An overarching national cyber strategy also demands a highpowered organisation to take decisions to deter principal adversary, to launch operations, if required, to neutralise the source of threat for the protection of national critical infrastructure and core national interests, to task different entities both government and private and ensure their compliance of directions. It is heartening to note that India may soon have a single authority or agency responsible for covering the entire spectrum of defensive cyber operations in the country for better command and control.
It would help in ensuring an integrated approach towards cyberattacks and achieve synergy between different entities. And lastly, we should also avoid reliance on the imported equipment and systems as they could have backdoor surveillance tools that could provide critical information to foreign countries. The Parliamentary Standing Committee on Information Technology 2015-2016 had recommended that necessary incentives should be given to domestic companies to manufacture appropriate IT products indigenously. In a timebound manner, all the organisations and companies should start using indigenous products. This should be given a more significant push now.
S.D. Pradhan is the former Deputy National Security Advisor and Chairman, Joint Intelligence Committee, National Security Council Secretariat.