CYBERSPACE GOVERNANCE IN INDIA: TRANSFORM OR PERISH

Part II: India's Existing Architecture and Global Practices
Sections
Introduction
Cyberspace Governance: Existing Set-Up
National Cyberspace Protection: Global Practices
References

Introduction

With cyberspace having emerged as a new arena of conflict between nations, the more agile nations have brought about transformative changes in their cyber defence organisations. This three-part series analyses the important issue of cyber governance in India. The first part presented a notional model of our National Cyberspace, identified the different types of cyber threats from the perspective of organising for cyberspace defence, and discussed several cyber defence strategies which are relevant in the Indian context.

This part first takes a look at our existing cyberspace governance architecture and analyses its shortcomings. It then reviews global practices for protecting national cyberspaces with a view to proposing suitable modifications for best addressing the national security challenges which we are being confronted with as a consequence of ever increasing conflicts in cyberspace.

Cyberspace Governance: Existing Set-Up

Stakeholders in Government

Before attempting to analyse the existing cyber governance architecture and proposing changes to the same, it is pertinent to first identify agencies which by virtue of their current charter may be called upon to play a role in securing our NII (over and above the protection of their own cyberspace) from a national security perspective. These are as under:-

  • Ministry of Defence (MoD). As brought out above, military conflicts in the 21st Century are being fought within a multi-domain battlespace, with cyberspace as the newest fifth domain. The traditional role of our Armed Forces has been to defend the Nation’s territorial integrity over land, sea and air. Therefore, defending assets in the two new domains of space and cyberspace becomes a natural extension of this charter.
  • Ministry of Home Affairs (MHA). From the perspective of national security, the MHA is responsible for all matters pertaining to Internal Security (IS), except in certain special scenarios such as the situation in J&K. Thus, defence against cyber-terrorism and in some cases cyber-hacktivism would fall under the purview of the MHA. It merits mention here that although cyber-crime is also a mandate of the MHA, this type of cyber threat does not have a direct bearing on national security.
  • Ministry of Electronics and Information Technology (MeitY). MeitY is responsible for the policy, provisioning, monitoring and regulation of the entire IT infrastructure in the country, and is hence a significant player involved in the securing of our National Cyberspace.
  • Intelligence Agencies. In addition to the intelligence set-ups within the MoD and MHA, external intelligence agencies such as Research and Analysis Wing (RAW) are also involved in strategic cyber operations as a natural consequence of their mandate.

Cybersecurity Establishments

The various establishments which have been set up for defence of our National Cyberspace are as under:-

  • National Critical Information Infrastructure Protection Centre (NCIIPC). The NCIIPC is an organisation of the Government of India created in 2014 under Section 70A of the Information Technology Act, 2000 (amended 2008). It is designated as the National Nodal Agency for CII Protection. The NCIIPC is a unit of the National Technical Research Organisation (NTRO), and functions directly under the PMO. Its charter includes identification of CII, providing strategic leadership in cyber threat response, assisting in the development of standards and protection strategies, issuing advisories on vulnerabilities and cyber audit, supporting development of relevant cyber technology, organizing training, and coordinating with other cyber agencies including international cooperation. However, its charter clearly states that the basic responsibility for protecting the CII lies with the agency running the CII [1].
  • Indian Computer Emergency Response Team (CERT-In). CERT-In is an organization under MeitY with the mission of enhancing the security of our NII through proactive action and collaboration. Headed by the National Cyber Security Coordinator (NCSC), its role includes dissemination of information and alerts on cyber incidents, emergency coordination and handling of such incidents, and issuing guidelines and advisories. Broadly speaking, CERT-In looks after the cyber security issues related to the NCII, while NCIIPC focuses on the CII [2].
  • National Cyber Coordination Centre (NCCC). The NCCC is a classified project of the Indian Government, which works as an operational cyber security and e-surveillance agency in India. The first phase of the NCCC, set up under CERT-In in 2017, handles cyber security intelligence and mitigates online threats [3].
  • Defence Cyber Agency (DCA). Originally established as the Defence Information Warfare Agency (DIWA) and subsequently re-christened to Defence Information Assurance and Research Agency (DIARA), the DCA has now been established as a tri-services organisation headquartered in Delhi. Approval was accorded in 2017 to upgrade DIARA to the DCA, which is a whittled down version of the Cyber Command, establishment of which was proposed by the three Services as early as 2012. From the limited literature available in the open domain, it is assessed that the charter of the DCA is restricted to providing cyber operations support to the Indian Armed Forces. The DCA is expected to have a decentralized structure, where the bulk of the Agency will be split into smaller teams embedded within operational forces in the tri-service commands, with the command centre in Delhi. It also aims at putting dedicated officers in major headquarters of the three Services to deal with emerging cyber warfare issues [4].
  • Cyber and Information Security (C&IS) Division, MHA. The C&IS Division of the MHA deals with matters relating to cyber security, cyber-crime, and implementation of the National Information Security Policy & Guidelines (NISPG) prepared by it. It has established an Indian Cyber Crime Coordination Centre (I4C) under it to tackle cyber-crime [5].

Apex Level Coordination

The National Security Advisor (NSA), who heads the National Security Council Secretariat (NSCS), is the apex appointment responsible for national security. The NSA is in charge of the NTRO, with the NCIIPC under it. The NCSC is the nodal officer at the apex level for issues related to cybersecurity, and functions under the PMO alongside the NSCS to coordinate with different agencies like CERT-In at the national level [6].

Absence of Suitable HRD Policies and Cyber Cadre

Cybersecurity expertise is a specialisation within the computer science discipline, and offensive cyber expertise is a further super-specialisation within the realm of cybersecurity. Importantly, extensive experience, acquired against the backdrop of sound theoretical knowledge, is essential for acquiring cyber expertise. Finally, passion and persistence are vital pre-requisites for carrying out offensive cyber warfare. All these factors dictate that cyber capabilities can only be developed by raising a dedicated cyber cadre and implementing well thought out HRD policies based on the principle of specialisation. As of now, it is only the Armed Forces, notably the Army Corps of Signals, which has a dedicated cadre and training infrastructure with requisite grounding in computer science so essential for the development of cyber expertise. That stated, it is also important to note that although enough job opportunities are available within the Army for acquiring cyber defence experience, this is hindered by existing HRD policies which do not support a culture of specialisation.

Other agencies within the Armed Forces, including its intelligence verticals, possess neither personnel with requisite computer science background nor the training infrastructure nor even enough cyber assignments, all of which are essential for the creation and development of a cyber cadre. The same is true for civilian intelligence and other cyber agencies. Private organisations, both CIIs and NCIIs, have cyber security professionals on board, but in general these are small in number and are cyber defence oriented, consequent to the lack of mandate with private organisations for carrying out offensive cyber operations.

Analysis

Defence of National Cyberspace: Non-Strategic Character. Although perfunctorily declared in our defence doctrines as a fifth domain of warfare, the treatment of cyberspace in doctrinal thought and operational planning is far from being at par with the physical domains. As an example, while it is undisputed that in the traditional land, sea and air domains the Defence Forces have the primary mandate to protect every inch of national territory (and not merely defence assets in these domains), in the case of cyberspace the current mind-set is that the role of the Defence Forces is restricted to protecting only the Defence Cyberspace, and does not cover the defence of our National Cyberspace. This thinking is clearly evident in the governance architecture currently in existence, where the Defence Forces have no role in the protection of even our CIIs (leave alone NCIIs), which is the charter of the NCIIPC (an offshoot of a civilian intelligence agency) across the entire spectrum of conflict. Similarly CERT-In, the only other apex agency tasked with the defence of National Cyberspace, is under MeitY. Even the mandate for cyber-offensive appears to rest predominantly with civilian agencies, with a limited mandate only recently given (reluctantly?) to the Armed Forces. It appears that the current strategy is guided more by considerations of tackling cyber-crime and carrying out and countering cyber-espionage. Thus, the imperative of addressing strategic threats in cyberspace, which loom large as part of ongoing multi-domain state-sponsored conflicts, does not seem to have dictated the structuring of the current cyberspace governance set-up.

CIIs & NCIIs: Fighting Isolated Cyber-Battles. In the present governance architecture, there is no central cyber force which has been made responsible for the defence of our National Cyberspace. Both the NCIIPC and the CERT-In are advisory bodies with no accountability for the protection of CIIs and NCIIs respectively. They do look for vulnerabilities, issue alerts and advisories, lay down audit guidelines and carry out training, but are not to be held accountable for any breaches in security. Agencies running CIIs and NCIIs are solely responsible for the protection of their respective cyber assets.

DIIs: Centralized Approach and Air-Gapped. Although the Defence Forces do not have a fully centralized strategy for the protection of the Defence Cyberspace, nevertheless single point responsibility does exist to a large extent within each of the three Services for protection of their respective networks. For instance, the responsibility for the defence of Army Cyberspace de facto rests with the Corps of Signals, although there are a number of major shortcomings in the existing cyber governance strategy of the Indian Army (discussion of these is beyond the scope of this work). The fact that Defence Cyberspace is fully air-gapped from the GII considerably reduces its vulnerability to cyber-attacks through the GII, but does not eliminate it, as many mistakenly believe. Also, the strategy of Defence-in-Depth has been operationalized more effectively by the Armed Forces as compared to the CIIs/ NCIIs. However, this strategy too needs to be extensively upgraded.

Defensive Approach: A Severe Limitation. Perhaps the weakest link in the current approach adopted by us for protecting our National Cyberspace is its predominantly defensive character. We do not have a declared Cyber Deterrence Policy. The proposal for the raising of a Cyber Command, mooted as early as 2012, two years after such a step was taken by the United States and three years before China’s Strategic Support Force (SSF) came into being, has been whittled down to a weakly structured DCA (which is not yet fully operational), with a limited mandate for offensive actions in cyberspace. There is no concrete and determined effort to transform our HRD models for facilitating the churning out of a highly super-specialist cadre so essential for carrying out offensive cyber warfare (as part of a Deterrence/ Active Defence strategy). In short, existing offensive capabilities within civilian and defence establishments do not match up to the operational imperatives dictated by our security environment.

National Cyberspace Protection: Global Practices

Describing the cyber governance architectures of major world players in detail is beyond the scope of this work. However, a brief overview is as given out in succeeding paragraphs.

United States

The cyber governance architecture adopted by the United States strikes a synergetic balance amongst its three primary cyber operations agencies, namely, the US Cyber Command (USCYBERCOM), the National Security Agency (NSA) and the newly established Cybersecurity and Infrastructure Security Agency (CISA) under its Department of Homeland Security (DHS) [7]. It is fairly evident that the US Cyber Command is tasked with tackling strategic (external) threats in cyberspace, while the CISA focuses on threats from the perspective of internal security. It is worth noting that the 13 Cyber Mission Teams under USCYBERCOM, each manned by 64 individuals, are meant specifically for the protection of CII, with 25 Support Teams (49 individuals each) providing analytical support [8]. However, it is the DHS which is in the lead for protection of CII, and the USCYBERCOM can act only when directed to do so. Further, the authority for the conduct of offensive operations in cyberspace appears to be vested solely with the Department of Defence (DOD), including deterring adversary cyber-attacks such as influencing US presidential elections and other democratic processes [9, 10].

United Kingdom

Another cyber defence architecture to take note of is the recent establishment by the United Kingdom of the National Cyber Security Centre (NCSC) under the Government Communications Headquarters (GCHQ). GCHQ is the intelligence agency which provides signal intelligence support to the Government and the Armed Forces. The NCSC subsumed the functions of its erstwhile Centre for the Protection of National Infrastructure (CPNI), CERT-UK (Computer Emergency Response Team, UK) and the Centre for Cyber Assessment (CCA). At the same time, its structure enables it to exploit the capabilities of its Communications-Electronics Security Group (CESG).

It is clear from the UK’s National Cyber Security Strategy 2016-21 that active defence is central to the protection of its national cyberspace. Also, although the GCHQ/ NCSC function under the Ministry of External Affairs, historically GCHQ has a symbiotic relationship with the Defence Forces, and in fact was originally established post World War I using personnel from the Defence Forces [11]. The active defence strategy of NCSC focuses on cyber-crime. For providing cyber deterrence capability at the strategic level, however, a new National Cyber Force (NCF) is in the final stages of establishment, expected sometime this year.

The NCF is a joint venture between the Ministry of Defence and GCHQ and will work alongside NCSC, with its primary charter being offensive cyber warfare directed against external state initiated/ sponsored threats in cyberspace [12]. Another new cyber force which the British Army has launched just this year is the 6th Division, re-structured from its earlier avatar of Force Troops Command. This is the largest of UK’s three divisions, tailored to fight hybrid wars, and is organized to focus on cyber, electronic warfare, intelligence, information operations and unconventional warfare. The main motivation for its raising was to address unconventional threats posed by Russia and ISIS in today’s complex cyber dominated battlespace [13]. In May 2019, UK’s Defence Secretary stated that the UK MoD was committing £22m funding for the British Army to set up new cyber operations centres across the country. The centres are expected to draw heavily on 77 Brigade, a combined reserve and active unit under its 6th Division (which specializes in information warfare), as well as have contact with joint and other national security organisations.

Australia

The defence of Australia’s national cyberspace at the apex level is the charter of the Australian Signals Directorate (ASD). As recently as 2013, this Directorate was known as the Defence Signals Directorate, and has its roots in the Australian Defence Forces going back to World War II. The expansion of its charter was carried out to reflect its whole-of-government role in support of Australia’s national security. In November 2014, Australia’s erstwhile Cyber Security Operations Centre (CSOC) evolved into the Australian Cyber Security Centre (ACSC) under the ASD as the next evolution of Australia’s cyber security capability. CSOC was a Defence-based capability that hosted liaison staff from other government agencies. The establishment of the ACSC saw the co-location of all contributing agencies’ cyber security capabilities. On 01 Jul 2018, the ASD was designated as a statutory agency under the Defence portfolio [14].

China

China, our primary adversary, is now very well structured to defend its NII. The recent raising of the Strategic Support Force signifies the operationalizing of its well-developed concept of Integrated Network Electronic Warfare (INEW) as well as the Three Warfares concept. This transformative re-organisation has resulted in integration of not only cyber-attack and exploit capabilities but also of cyber, electronic and psychological warfare capabilities under the PLA, thus considerably enhancing China’s capabilities as a dominant power in cyberspace [15, 16].

Russia

While details of the cyber governance architecture put in place by Russia are not readily available in the open domain, the strategic nature of its preparedness in cyberspace may be gauged by its infamous information warfare campaigns conducted across the globe in recent years, which have served as a wake-up call for the United States, the European Union and even China [17]. It has also been established almost beyond doubt that the GRU, the Main Intelligence Directorate of the Russian military, has been behind the cyber-attack on Ukraine’s electricity grid in 2015, the devastating 2017 NotPetya cyberattack which affected businesses across the globe, the interference in US Presidential elections in 2016, the hacking of the French election in 2017, the cyber-attack on the 2018 Winter Olympics, and the most recent attacks on the Georgian Government on 28 Oct 2019 [18, 19, 20]. These attacks are mostly attributed to Sandworm, a hacking team under the control of the GRU.

Conclusion

In the above write-up, our existing cyberspace governance architecture has been analysed, and its shortcomings highlighted. Thereafter, organisational structures which have been adopted by major world players for protecting their respective national cyberspaces have been briefly reviewed.

The concluding part of this three part series proposes several transformative changes to our own organisational structures and HRD policies, which must be implemented if we are to adequately mitigate imminent strategic threats to our National Cyberspace.

References

(1)     Information Technology (NCIIPC and Manner of Performing Functions & Duties) Rules 2013, GOI Gazette Notification GSR 19(E), 16 Jan 2014, Accessed 22 Apr 2020.

(2)     Information Technology (Indian Computer Emergency Response Team and Manner of Performing Functions & Duties) Rules 2013, GOI Gazette Notification GSR 19(E), 16 Jan 2014, Accessed 22 Apr 2020.

(3)     National Cyber Coordination Centre, Wikipedia, Accessed 22 Apr 2020.

(4)     Nidhi Singh, India’s New Defence Cyber Agency, Centre for Communication Governance at NLU Delhi Blog, Accessed 20 Dec 2019.

(5)     Cyber & Information Security Division, C&IS Web Page, MHA Website, Accessed 22 Apr 2020.

(6)     Comments to the NSCS on the National Cyber Security Strategy 2020, Centre for Communication Governance, National Law University, New Delhi, Accessed 22 Apr 2020.

(7)     Cybersecurity, CISA Website, Accessed 22 Apr 2020.

(8)     Mark Pomerleau, Here’s how DoD Organizes its Cyber Warriors, Fifth Domain, 25 Jul 2017, Accessed 22 Apr 2020.

(9)     Defence Primer: Cyberspace Operations, Congressional Research Service, 14 Jan 2020, Accessed 22 Apr 2020.

(10)   Catherine A. Theohary & John W. Rollins, Cyberwarfare and Cyberterrorism: In Brief, Congressional Research Service, 27 Mar 2015, Accessed 22 Apr 2020.

(11)   National Cyber Security Strategy 2016-21, HM Government, Accessed 22 Apr 2020.

(12)   Dan Sabbagh, UK to Launch Specialist Cyber Force able to Target Terror Groups, The Guardian, 27 Feb 2020, Accessed 23 Apr 2020.

(13)   Liam, Specialist Brigades Group to Deliver Cutting-Edge Capability, Warfare.Today, 01 Aug 2019, Accessed 24 Apr 2020.

(14)   History, Australian Signals Directorate Website, Accessed 24 Apr 2020.

(15)   John Costello and Joe McReynolds, China’s Strategic Support Force: A Force for a New Era, Washington, National Defence University Press, China Strategic Perspectives, No 13, Oct 2018, pp. 11-12.

(16)   Lt Gen (Dr) R S Panwar, IW Structures for the Indian Armed Forces – Part III, Future Wars, 14 Apr 2020, Accessed 22 Apr 2020.

(17)   Michael Connell and Sarah Vogel, Russia’s Approach to Cyber Warfare, CNA Occasional Paper, Mar 2017.

(18)   Andy Greenberg, Here’s the Evidence That Links Russia’s Most Brazen Cyberattacks, Wired, 15 Nov 2019, Accessed 24 Apr 2020.

(19)   Danny Bradbury, US and UK call out Russian Hackers for Georgia Attacks, Naked Security, 21 Feb 2020, Accessed 24 Apr 2020.

(20)   Abigail Abrams, Here’s What We Know So Far About Russia’s 2016 Meddling, Time, 18 Apr 2019, Accessed 19 May 2020.
