Sections

Introduction

Role of Armed Forces

Role of Other Government Agencies

Analysis of the Proposed Architecture

Introduction

This three part series on cyberspace governance in India seeks to analyse whether our existing organisational structures are adequately optimised to address the new challenges emerging in cyberspace, which is fast proving to be a daunting new domain of conflict amongst nations. In the first part, a notional model of our National Cyberspace was presented, different types of cyber threats were identified, and cyber defence strategies relevant to the Indian context briefly discussed. Part II of this series analysed our existing cyberspace governance architecture, identified certain shortcomings, and then went on to review global practices which have been adopted by the more agile nations for protecting their respective national cyberspaces.

This concluding part proposes several transformative changes to our cyberspace organisational structures as well as to our HRD policies. It is felt that these changes must be implemented on priority if we are to shield ourselves from strategic threats which are imminent in cyberspace in this era of modern warfare.

Role of Armed Forces

From the discussion carried out so far, it emerges that India’s existing cyber governance architecture is far from adequate to match up to the challenges of 21st Century strategic conflicts in cyberspace. In order to remedy this situation, an alternative governance model is proposed here, one which envisages a central role for our Armed Forces in cyberspace defence, much in line with their role in the physical domains of conflict. This involves bringing about a significant change in our doctrinal thought as well as operational capabilities in cyberspace.

Offensive Cyber Capabilities

At a doctrinal level, our National Cyberspace needs to be recognised to be as important a sovereign territory, albeit virtual, as our physical territorial assets.

Further, the mandate for handling the full spectrum of strategic cyber conflicts must rest with the Armed Forces/ MoD. Such a charter would cover state-on-state cyber-attacks, which may be restricted to cyberspace alone or be part of a full blown multi-domain conflict, as also strategic cyber-terrorism and strategic cyber-espionage.

Most importantly, our Armed Forces are recommended to be exclusively tasked with developing and operationalizing national cyber-deterrence/ cyber-attack capabilities. These capabilities would be put to use not only at the national strategic level, but also at military strategic/ operational/ tactical levels across the spectrum of conflict.

Cyber Command: A National Imperative

For our Armed Forces to take on this responsibility, it is imperative that the Defence Cyber Agency (DCA) be upgraded to a full-fledged Cyber Command at the earliest, with commensurate transformative changes in HRD and cadre management policies of the three Services. Also, relevant expertise within the DRDO must be placed in support of, and directly accountable to, the Cyber Command for developing suitable cyber weapons and technologies.

Role of Other Government Agencies

Protection of CII: New Para Cyber Force under MHA

The current arrangement of the NCIIPC, functioning directly under the PMO/ NTRO, appears to be weakly structured for the cyber defence of our CII, for several reasons: NCIIPC in its current form holds no responsibility and is largely an advisory body; the fact that it has its roots in an intelligence agency has its own drawbacks; and, protection of CII, being an IS matter, must logically be brought under the aegis of the MHA. Broad modalities for organising CII protection under the MHA are recommended to be as under:-

• Just like the CISF under the MHA provides physical security to critical infrastructure (CI), a new Para Cyber Force (PCF) is proposed to be raised for providing cyber protection to the CII, which would function under a new CII Protection (CIIP) Department of the MHA.
• A National Cyber Security Operations Centre (SOC) needs to be established under the CIIP Department, manned by the PCF, which would subsume the responsibilities of the current NCIIPC as well as CERT-In.
• For government and public sector CII (railways, nuclear installations, defence PSUs, etc), the PCF would be mandated to provide all echelons of cyber protection.
• However, in the case of CIIs owned by the private sector (private power generation, banks and financial institutions, etc), the PCF would work in close conjunction with the Chief Information Security Officers (CISOs) of the private enterprises for provision of additional tiers of security firewalls, as also carry out external audit and monitoring by adopting measures such as ethical hacking and red-teaming. The PCH would need to be given the mandate to enforce remedial action for any identified vulnerabilities.
• Cyber-terrorism incidents would be handled by the National Cyber SOC.
• The alerts and advisories issued by the National Cyber SOC would benefit the NCII and the general public as well, but incident reporting and response by this Centre would be restricted to the CII.
• Most importantly, if at any stage the imminent threat to one or more of our CIIs attains strategic dimensions, the control of CII protection mechanisms would be handed over to the Armed Forces. This could be done, eg, by placing the National Cyber SOC under the Cyber Command.

Cyber-Crime and Cyber Hactivism: MHA’s Charter

Cyber-crime would continue to be handled by the MHA, which would also deal with all cases of cyber hactivism which do not have strategic ramifications. The incident response support provided by the CS&IS Division of the MHA would cater for the requirements of the NCII and the general public.

Cyber Espionage/ Counter Espionage

Intelligence agencies such as RAW and NTRO would continue to carry out cyber-espionage and counter cyber-espionage in conformance with their traditional mandate.

Analysis of the Proposed Architecture

The structural changes in cyber governance suggested above are clearly transformative in nature and would result in a paradigm shift in the manner in which we as a Nation view the defence of our National Cyberspace. For the same reason, there is bound to be stiff resistance to change from several quarters. Aspects highlighted in the succeeding paragraphs provide rationale for justifying such significant re-structuring.

Cyberspace Governance in India: Proposed Architecture

Role and Structure

The proposed architecture is based on the conviction that defence of our National Cyberspace must be viewed from a national strategic perspective, and any limited view, for instance through the prism of cyber-crime, is bound to result in decisions which are detrimental to our national security.

This architecture is an attempt to bring coherence within the overall national security architecture spanning multiple domains of conflict, notwithstanding the special characteristics of cyberspace.

The role visualized for the MoD/ Armed Forces is in line with their charter vis-à-vis national security in the traditional/ physical territorial battlespace, while that for the MHA corresponds to their traditional role in ensuring internal security and maintaining law and order. The role of intelligence agencies such as NTRO is restricted to intelligence gathering in the proposed architecture.

The proposed architecture is founded on the principle that for any cyber defence strategy to be successful, deterrence and active defence need to be a central to the strategy, both of which are based on cyber offensive capabilities being part of our arsenal. The proposed architecture allocates the role of offensive cyber operations to our Armed Forces, in tune with their charter in traditional warfighting domains.

The thought process underlying the proposed architecture places cyberspace attacks on the same pedestal as transgressions into our sovereign physical territory. Our national boundaries, whether physical or virtual, deserve to be treated with the same sanctity, and any transgressions of these boundaries should be viewed with the same seriousness and warrant similar responses.

Against the above backdrop, the existing governance model, where the State’s involvement in cyber defence of critical infrastructure through its cyber security establishments such as NCIIPC and CERT-In is restricted to coordination, issuing of alerts and advisories and training of personnel, is considered to be highly inadequate. There is a need for the State’s national security apparatus to shoulder responsibility and be accountable for the defence of our National Cyberspace. The proposed architecture does this through the twin mechanism of making the Armed Forces responsible for addressing the full spectrum of strategic cyber threats, and creating the PCF with the specific mandate of defending our CII as part of their overall mandate for internal security.

Finally, there may be a need to enlist the services of existing hacker groups, in order to leverage the advantage of plausible deniability where needed (as is being done even now), or even facilitate the creation of cyber militias with state backing. This, however, would be part of covert operations to be conducted by agencies as permissible under existing provisions.

Human Resource Development

It is pertinent to highlight here that the Armed Forces are well structured to take on the enhanced role proposed for them, provided a Cyber Command is raised, and the HRD policies are upgraded to nurture much higher levels of specialisation than existing today.

The same, however, cannot be stated for the MHA, where much greater effort would need to be garnered if it is to play its proposed enhanced role in cyberspace. Major steps which need to be taken by the MHA include the raising of a new Para Cyber Force, setting up the National Cyber SOC, and creating fresh training infrastructure for specialist cyber disciplines. As per the proposed architecture, the CIIP Division has been entrusted with the responsibility of actually securing the government owned CII, and not just issuing advisories. Needless to say, such a major change would involve significant time, effort and finances, as also the will to transform.

Conclusion

In 21st Century conflict scenarios, cyberspace has emerged as a formidable new domain of warfare only recently over the last decade or so. In order to grapple with this new form of warfare, while several global players have been agile enough to bring about the necessary transformative changes in their defence organizations, others have lagged behind on this front. India falls in the latter category, although some incremental initiatives are being rolled out.

This work has analysed India’s cyber governance architecture from a perspective which considers conflicts in cyberspace as part of integrated multi-domain warfare. It draws lessons from cyber defence strategies adopted by other nations, and presents a governance model which envisages considerable re-structuring of our cyber organisations. The model seeks to enhance our cyber operations posture by incorporating strategies of deterrence and active defense, recommends a much higher involvement of the State in the protection of our National Cyberspace, and aligns cyber defence responsibilities of our multifarious national security organizations with their traditional charters.

Given that the threats from our adversaries in cyberspace are already manifest and will rapidly intensify in the coming years, it is imperative that, as opposed to an incremental approach, the recommended transformative changes to our cyber governance architecture be undertaken as a national priority.