CYBERSPACE GOVERNANCE IN INDIA: TRANSFORM OR PERISH

Part I: National Cyberspace Model and Cyber Defence Strategies
Sections
Introduction
Cyberspace: A Warfighting Domain
Our National Cyberspace: A Notional Model
Strategic Cyber Threats
Cyber Defence Strategies
References

Introduction

Over the last decade or so, cyberspace has emerged as a new arena of conflict amongst nations, with cyberwarfare growing in intensity with every passing year. In order to address this challenge, the more agile nations have brought about transformative changes in their cyber defence organisations, most notably the United States, China, UK, Australia and Russia. As a consequence of the unique characteristics of threats which are manifest in this virtual domain of warfare and differing threat perceptions, the cyberspace governance models adopted by these countries vary in the role allocated to the armed forces vis-à-vis agencies responsible for internal security, law and order as also the intelligence agencies.

In India, the two main agencies tasked with the defence of our National Cyberspace are the National Critical Information Infrastructure Protection Centre (NCIIPC), which functions under the PMO/ NTRO, and the Computer Emergency Response Team – India (CERT-In)/ National Cyber Coordination Centre (NCCC) combination, which functions under MeitY. It needs to be analysed whether or not such an arrangement, under the coordination of the National Security Advisor (NSA), is the right apex structure for the defence of our cyberspace.

This three-part series analyses the important issue of cyber governance in India. In this first part, a notional model of our National Cyberspace is first presented. It then identifies the different types of cyber threats from the perspective of organising for cyberspace defence and discusses several cyber defence strategies which are relevant in our context.

Subsequent parts review global practices for protecting national cyberspaces, take a look at our existing cyberspace governance architecture, analyse its shortcomings and recommend transformative changes aimed at addressing the emerging challenges in cyberspace in 21st Century warfare.

Cyberspace: A Warfighting Domain

From ‘Battlefield’ to ‘Battlespace’

With the heavy dependence on networks in the 21st Century, cyberspace is emerging as an increasingly contested domain, with critical importance for the projection of military force. In fact, cyberspace has been formally designated by many nations in their respective military doctrines as the fifth domain of warfare. This emergence is arguably the most important and fundamental change in the nature of warfare over the past several decades. Networks are emerging as future battlefields, where cyber weapons attack and defend at electronic speeds, using strategies and tactics which are still evolving. Thus, the traditional physical ‘battlefield’ is gradually metamorphosing into a ‘battlespace’ with physical, information and cognitive dimensions [1].

Cyberspace: The Fifth Domain of Warfare

Nations across the world are gradually incorporating cyberspace as an operational domain of warfare in their doctrinal literature. The US, in its Strategy for Operating in Cyberspace of 2011 [2], stated almost a decade ago that “DoD must ensure that it has the necessary capabilities to operate effectively in all domains – air, land, maritime, space, and cyberspace.” Its doctrine on Cyberspace Operations of 2013 also states that “Cyberspace … is one of five interdependent domains, the others being the physical domains of air, land, maritime, and space [3].” India too, in its Joint Services Doctrine – 2017, refers to cyberspace as an operational domain [4]. Although the current military doctrines of other major global players, such as China and Russia, are not readily available, it is evident from the resources and capabilities being developed by them that they regard cyberspace as an operational domain.

Cyberspace vis-à-vis Infospace

It is interesting to note that while it is the more comprehensive concept of Information Warfare (IW) which took root in the 1990s and matured remarkably well after the turn of the century, it is cyberspace which has found its place alongside the traditional domains of land, sea and air and then space, in a multi-dimensional battlespace. This incongruity may perhaps be attributed to the unique characteristics of cyberspace, which allows cyber-conflicts of various hues to occur during peace as well, without fear of escalation. The term cyber itself eludes precise definition, with one view stating that it has lost all meaning. In its most generic interpretation, cyber is in fact a synonym for information. Elsewhere the author has argued that there is a strong case for replacing cyberspace with infospace as a warfighting domain, covering all the three primary IW components of cyber warfare, electronic warfare and psychological warfare. In this work, the term cyberspace will be used in the sense of infospace [5].

Our National Cyberspace: A Notional Model

Cyberspace: A Nebulous Domain

A formal definition of the term cyberspace apparently does not exist in any military doctrine, nor is there any globally accepted definition of this term, perhaps because of its intangible and dynamically changing characteristics. However, its meaning may be inferred from the US DOD Joint Publication 3-12 of 2013, which states that cyberspace operations (CO) rely on “an interdependent network of IT infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers, and the content that flows across and through these components” [6].

Cyberspace Sovereignty

One of the important aspects which governs the notion of national sovereignty is territorial boundary. In terms of the traditional physical warfighting domains of land, sea and air, territorial boundaries are fairly well demarcated in geographical terms, and although numerous boundary disputes exist globally, the modalities for how such boundaries should be drawn are well established. The space domain is considered to be a global commons as per the Outer Space Treaty [7], and hence national sovereignty with respect to the space domain loses relevance in a territorial sense. Having said that, protection of space based assets is nevertheless a matter of national security.

Cyberspace per se lies in the information realm, although it is created on infrastructure which is constructed in the four physical domains. Because of its nebulous nature together with its strong association with the Internet, which de facto is considered to be a global commons, it may not be so easy to set up barriers around national cyberspace based on territorial parameters. Nevertheless, the Great Firewall of China is an example of attempting to do just that.

The Supreme Court of India has ruled that freedom of usage of the Internet for expressing of opinions and carrying out trade or business is protected under the Constitution [8]. Such rights associated with the free flow of information in cyberspace are also an important concern while attempting to draw secure boundaries around our National Cyberspace.

National Cyberspace: A Working Definition

Keeping the above considerations in mind, one possible formulation of a working definition for our National Cyberspace (used synonymously with the term National Information Infrastructure (NII) in this work) is as follows: the collection of all information systems and intranets [9] (infostructure) owned by our Nation, including the information which resides within this infostructure. Here, “Nation” is not restricted to the State, and includes every Indian citizen as well as all national entities. It is also important to note that there may be infostructure existing within our territorial boundaries which is owned by foreign entities, and hence would not form part of our National Cyberspace. Similarly, there may be infostructure outside our territorial boundaries which may be owned by us, which therefore would be included in our National Cyberspace.

National Cyberspace Sub-Structure: CII, DII and NCII

Having defined what constitutes National Cyberspace/ NII from the perspective of national security, it is also necessary to model its internal structure. Simply stated, the NII may be visualised as being comprised of three components: Critical Information Infrastructure (CII), Defence Information Infrastructure (DII) and Non-Critical Information Infrastructure (NCII, i.e., NII less CII & DII). Vide IT Rules 2013 promulgated under Section 70 (c) of the IT Act 2000, it has been stated that CII would be as notified by the GoI from time to time except those notified by the MoD [10]. These have been broadly identified as networks which fall in the following six categories: Government; Transport; Telecom; Power & Energy; Banking, Financial Services & Insurance; and Strategic & Public Enterprises [11]. DII (Defence Cyberspace) would include all infostructure being owned and used by the Indian Armed Forces.

National Cyberspace: Notional Structure

There are some other features of our National Cyberspace which need to be pointed out before attempting to analyse the threat vectors in this domain, as under:-

  • Unlike the three traditional warfighting domains of land, sea and air, wherein sovereign territory may be demarcated in unambiguous terms, the notion of National Cyberspace is not amenable to such demarcation, for reasons indicated above.
  • In general, the physical domains are all enclosed within an outer boundary, a frontier ‘red line’ within which lies sovereign national territory. Further, one can talk in terms of border areas and the hinterland, with the former linked to external threats and the latter to internal security. In contrast, with the Internet being considered as a global commons and for other reasons as well, the boundary demarcation between the External Cyberspace and National Cyberspace geographically manifests itself deep inside the hinterland.
  • Next, this boundary between the External Cyberspace and National Cyberspace is not a single enclosed area, but a collection of National Cyberspace islands interspersed within a cloud of Global Cyberspace, with each such island needing to be defended independently. In fact, the shape of each island logically resembles a doughnut, with its outer and inner boundaries representing the network and user interfaces respectively, both of which are required to be protected against cyber adversaries.
  • Finally, some NII islands may be air-gapped from Global Cyberspace, the Defence Cyberspace being a notable example. These islands, however, are amenable to external threats via the user interface. Even the network interfaces of air-gapped networks are vulnerable to attack by a determined adversary, by using techniques which are beyond the scope of this work.

Given the above features of our National Cyberspace, its representative structure may be depicted as shown below:-

 

Figure: National Cyberspace: Cyber Islands Dispersed within Global Cyberspace

  • In the above diagram, solid lines enclosing an island indicate an interface to an air-gap, while a dotted line indicates a network interface.
  • The Defence Cyberspace has been shown as a single blob, because that is how the defence networks are currently structured, completely air-gapped from the GII.
  • The CII and the NCII are shown as isolated islands, either independently interfaced with the GII via network interfaces or suitably air-gapped (the latter kind are exceptions).

Strategic Cyber Threats

Types of Cyber-Attacks

Although there are many different ways in which cyber-attacks may be classified, a categorization which is relevant to the current discussion is one based on the intention behind the cyber-attack, which also suggests the agency which should guard against the attack. As per this criterion, cyber-attacks and their corresponding perpetrators may be classified under five heads, as under [12]:-

  • Cyber-Crime. This is carried out by Cyber-thieves, individuals who engage in illegal cyber-attacks for monetary gain, eg, hacking of credit cards or financial accounts. Cyber-thieves could be individuals or organized cyber-crime groups.
  • Cyber-Hacktivism. Attacks under this category are carried out by Cyber-activists, who perform cyber-attacks for pleasure, philosophical, political, or other non-monetary reasons. Examples include someone who attacks a system as a personal challenge (a “classic” hacker), or a “hacktivist” such as a member of the cyber-group Anonymous undertaking attacks for political reasons. The activities of such individuals or groups can range from nuisance-value attacks such as website defacement, to disrupting government functioning and private corporation business processes.
  • Cyber-Espionage. Such cyber-attacks are carried out by Cyber-spies, who steal classified or proprietary information used by governments or private corporations to gain a competitive strategic, security, financial, or political advantage. These individuals often work at the behest of adversary government entities. Cyber espionage carried out for profiteering by private enterprises may be termed as industrial cyber-espionage, while espionage carried out with strategic objectives (including stealing strategic industrial secrets) may be termed as strategic cyber-espionage.
  • Cyber-Terrorism. Cyber-terrorists are either state-sponsored or non-state actors who engage in acts of terrorism in and through cyberspace to pursue their objectives. Terrorist organizations and insurgents alike may use the Internet as a tool for planning attacks, radicalization & recruitment, propaganda, and such other disruptive purposes. Cyber-terrorists may also exploit vulnerabilities in critical and other infrastructure to carry out physical destruction of cyber-physical systems.
  • Cyberwar. Cyberwar is a term which is often used in a generic sense to refer to all types of cyber-attacks. However, in its more precise usage (as in this work), it refers to attacks carried out by Cyber-warriors of a state in support of a country’s strategic objectives. These cyber-warriors could belong to the state’s military organisation, state-backed militia, or hacker groups which act at the behest of the state in order to deny attributability.

Strategic Cyber Attacks

Out of the types of threats listed above, strategic cyber-espionage, state sponsored cyber-terrorism and cyberwar may be classified as strategic cyber-attacks. Depending on its intensity, cyber-hacktivism may also sometimes have strategic ramifications.

Strategic Cyber Targets

By definition, all cyber assets which make up the DII and CII would classify as strategic targets within our National Cyberspace.

Cyber Defence Strategies

A defence strategy which is based purely on passive defence can never be successful. This is as true for cyber defence as it is for conventional warfare. A detailed treatment of strategic cyber defence approaches is beyond the scope of this work. However, some aspects of cyber defence which have a bearing on cyber governance at the national level are briefly discussed below.

Defence-in-Depth

The Indian Army network is topologically structured as a three-level hierarchy: at the highest level, the entire network is air-gapped from global cyberspace; at the next level there are zonal access networks, with zones roughly corresponding to stations; and at the lowest level are networks serving individual headquarters/ units/ establishments. Protection measures are implemented at each level of hierarchy. In contrast, in the civilian cyberspace for CIIs and NCIIs alike, network architecture is usually structured as a single level hierarchy, usually not air-gapped, and protected at the perimeter with firewalls, etc. In other words, each CII/ NCII is a cyber ‘island’ responsible for its own defence. Furthermore, the maturing of cloud services has resulted in the blurring of perimeters, making the task of perimeter defence more difficult. In order to reap the advantages of defence-in-depth for our CIIs, there appears to be a case for implementing a multi-tiered network security architecture supported by secure cloud services, which is controlled by a central authority.

Cyber Deterrence

In defence strategies, deterrence precedes protection, resilience and response. In the light of the ‘non-attributable’ and ‘asymmetric’ characteristics of cyber-attacks, deterrence in the cyber domain takes on a different flavour. Specifically, a cyber deterrence strategy may prove to be effective against nation states but not so effective against non-state actors. However, it is fairly evident that it may not be feasible to work out an effective cyber defence strategy based purely on a protection/ resilience/ response paradigm. It is essential, therefore, to incorporate cyber deterrence in our national cyber security strategy and develop capabilities accordingly.

Active Defence

In military operations it is often stated that offence is the best form of defence. Although both “Deterrence” as well as “Active Defence” (also referred to as “offensive defence”) need offensive capabilities, there is a difference in the two concepts, in that the former implies a “force in being” while the latter involves the actual employment of offensive capabilities once conflict breaks out (and cyber-conflicts are an ongoing phenomenon!). Both involve the possession and employment of offensive cyber capabilities, which therefore need to be developed and operationalized [13].

National Firewall

In a previous section, the conflicting requirements of national security on the one hand, and international norms and constitutional dictates related to free flow of information over the Internet on the other, have been discussed. It has also been brought out that the Great Firewall of China is an example of national security taking precedence over free flow of information. There may be a case, therefore, for considering the setting up of a suitable architecture for firewalling our entire NII (sometimes referred to as an Internet kill-switch), to be activated in times of national emergencies. If accepted, such a firewall can be implemented only by a duly authorized national authority.

Conclusion

In the above write-up, a notional model of our National Cyberspace has been presented, and different types of cyber threats discussed from the perspective of organising for cyberspace defence. Finally, several cyber defence strategies which are relevant in our context and which have a bearing on cyberspace governance are briefly outlined.

The next part takes a look at our existing cyberspace governance architecture, and analyses its shortcomings. It then reviews organisational structures which have been adopted by major world players for protecting their respective national cyberspaces, with a view to recommending suitable modifications to our cyberspace set-up.

References

(1)     Lt Gen (Dr) R S Panwar, 21st Century Warfare: From “Battlefield” to “Battlespace”, Future Wars, 06 Oct 2017, Accessed 25 Apr 2020.

(2)     DOD Strategy for Operating in Cyberspace, US DOD, July 2011, Accessed 21 Apr 2020, pp. 5.

(3)     US DOD Joint Publication 3-12 (R), Cyberspace Operations, Feb 2013, Accessed 21 Apr 2020, pp. I-2.

(4)     The Joint Indian Armed Forces Doctrine, Chairman Chiefs of Staff Committee, New Delhi, 18 Apr 2017, Accessed 21 Apr 2020, pp. 12.

(5)     Lt Gen (Dr) R S Panwar, IW Structures for the Indian Armed Forces – Part I, Future Wars Website, 31 Mar 2020, Accessed 22 Apr 2020, https://futurewars.rspanwar.net/iw-structures-for-the-indian-armed-forces-part-i/.

(6)     US DOD Joint Publication 3-12 (R), Cyberspace Operations…, pp. I-2.

(7)     Global Commons, Wikipedia, Accessed 22 Apr 2020.

(8)     Arpan Chaturvedi, Kashmir Internet Shutdown: Supreme Court Says Freedom Of Speech, Business On Internet A Fundamental Right, Bloomberg, 10 Jan 2020, Accessed 25 Apr 2020.

(9)     Intranets are private networks (owned by government, public & private enterprises or individuals) which may or may not have interfaces to the global Internet.

(10)   Information Technology (NCIIPC and Manner of Performing Functions & Duties) Rules 2013, GOI Gazette Notification GSR 19(E), 16 Jan 2014, Accessed 22 Apr 2020.

(11)   NCIIPC Home Page, NCIIPC Website, Accessed 22 Apr 2020.

(12)   Theohary CA & Rollins JW, Cyberwarfare and Cyber-Terrorism: In Brief, Congressional Research Service, Mar 2015, Accessed 22 Apr 2020, pp. 2.

(13)   Lt Gen (Dr) R S Panwar, Strategic Thinking for Cyber Security: Defending the National Cyberspace – Part I, Data Security Council of India Blog, 24 Jan 2018, Accessed 22 Apr 2020.

1 Comment

  1. Virinder Lidder

    A well researched write up describing aspects of a complex domain in a simplified yet logical breakdown. Will surely look forward to such enlightening content.
