CYBERSPACE OPERATIONS: NATIONAL STRATEGY AND DOCTRINE
Introduction
In an earlier two-part write-up, Cyberspace: The Fifth Dimension, it was brought out how, in the 21st Century, Cyberspace has emerged as the fifth dimension of warfare, the other four being land, sea, air and space. It was also highlighted that Cyberwar can no longer be brushed off as fantasy or “hype” and is very much a phenomenon in the realm of reality. Indeed, several instances of cyber-attacks were referred to which have already taken place and which lend themselves to be classified as acts of cyberwar at the national strategic level. Equally significantly, developments in cyberspace have taken place and are continuing to do so at a breathtaking pace. Thus, it is imperative that necessary steps be taken to secure our national cyberspace on a war footing, even as initiatives to usher in Digital India are being taken forward in right earnest.
The main players involved in securing our national cyberspace are the government, the defence forces, the industry, the academia and finally the citizen at large. In any discussion related to attacks in cyberspace, there is a need to get the context right in relation to the different types of cyber-attacks, which may be broadly classified under the heads of cyber warfare, espionage (political or industrial), terrorism, crime and hacktivism. The top targets of strategic significance are government and defence infostructures as well as designated Critical Information Infrastructures (CIIs). While cyber-attacks may be carried out at the nation-state level, be state sponsored, or be carried out at group or individual levels, only attacks which are launched either by a nation-state or are state-sponsored are of concern at the strategic level. Amongst the types of attacks, cyber-warfare, espionage and terrorism are likely to have state backing.
The five-dimensional construct of the modern day battlespace has relevance mainly with reference to state-on-state conflicts. Yet, at least in the Indian context, there is hardly any discussion on cyber security vis-à-vis such conflicts, which in cyberspace translate to cyber warfare and which are essentially the charter of the Ministry of Defence. It would not be far off the mark to state that the focus so far in India has been on cyber-crime, hacktivism and industrial cyber espionage, while state-level cyber warfare, offensive and defensive, has not received the consideration it deserves. There is an urgent need, therefore, to conceptualize the right strategy and doctrine for defending our national cyberspace. This piece attempts to discuss this critical issue at some length.
Existing National Policy and Governance Architecture
National Initiatives: A Sense of Complacency
The Information Technology Act was promulgated in 2000 [1], the IT Amendment Act in 2008 [2], and the National Cyber Security Policy in 2013 [3]. The Indian Computer Emergency Response Team (CERT-In) was established in 2004, and based on Sec 70A of the IT Act (Amendment) 2008, the National Critical Information Infrastructure Protection Centre (NCIIPC) came into existence in 2014, while the NCCC (first phase) was established this year. Both CERT-In and NCIIPC are primarily advisory in nature [4,5], with limited response capabilities. Approval for establishment of a limited Defence Cyber Agency, instead of a full-fledged Cyber Command, has been given this year [6], which too is expected to take at least a few years to set up.
The above cyber security milestones in India do not appear to reflect the urgency which is dictated by the emergence of cyberspace as an active domain of conflict in the global warfighting arena. Although the general awareness on cyber security at all levels is improving, in the absence of serious cyber-attacks directly affecting individual stakeholders (government, defence, CII, industry), a sense of complacency appears to be prevalent in most quarters. This needs to change.
Unlike the US [7], UK [8], Australia [9], Japan [10], even Estonia [11], and almost certainly China and Russia, we do not yet have a National Cyber Security Strategy. It is time to move beyond policy, guidelines and advisories and come up with such a strategy, which clearly lays down the approach, objectives and a time-bound plan for adequately securing our national cyberspace.
Cyberspace Governance Architecture: Need for a Review
Presently, at the national level we have the CERT-In (with the National Cyber Coordination Centre (NCCC) under it) and the NCIIPC in place for protecting our cyber assets, with the former functioning under Ministry of Electronics and Information Technology (MeitY) and the latter under the NTRO/ PMO. A Cyber Security Operations Centre (Cyber SOC) under MeitY is also expected to come up soon [12]. This current organizational architecture for cyber governance at the national level perhaps needs a review. Specifically, there appears to be a case for a permanent apex authority which coordinates, and better still subsumes, the functioning of CERT-In as well as NCIIPC, similar perhaps to the recently established National Cyber Security Centre of the UK [13].
Centralized Management of CII Protection
The NCIIPC has been designated as the national nodal agency for all measures to protect the nation’s CII. Although its stated objectives include delivering advice that aims to reduce the vulnerabilities of critical information infrastructure, identification of critical information infrastructure elements, providing strategic leadership to respond to cyber security threats, etc., it is also clearly stated in its charter that the basic responsibility for protecting the CII system shall lie with the agency running that CII [14]. Given the large number of government and private agencies involved in the management of CII, there appears to be a strong case for a more centralized control/ authority/ responsibility for protecting our national critical cyberspace.
Role of Armed Forces
Global Practices
Countries like the United States (as also China and UK, amongst others) perceive cyber threats from the lens of national security, and thus their cyber threat management strategy is military-centric, handled by the US Cyber Command, which till recently functioned under the US STRATCOM/ DoD, and has now been elevated to the status of a Unified Combatant Command in Aug 2017. The US formally declared Cyberspace as an operational domain of warfare as early as the year 2011. Subsequently, many other countries, including India, have followed suit. The European Union and some other countries, on the other hand, view vulnerabilities in cyberspace primarily as a threat to commerce and data integrity, leaving their management mostly to civilian authorities [15].
The Indian Context: Evolving the Right Model
In India, the NCIIPC functions under PMO/ RAW/ NTRO while the NCCC functions under MeitY. It needs to be deliberated upon whether or not the CERT-In/ NCIIPC combination functioning under the coordination of the National Security Advisor (NSA) is the right apex structure to tackle state-on-state cyber conflict as part of multi-domain war, which should logically be the charter of the Ministry of Defence. This question warrants further elaboration.
In any multi-domain conflict, in addition to military targets, civilian infrastructure may also be targeted, either because it supports military effort or as a result of collateral damage. The same is true with respect to the cyber domain as well. Conventionally, it is the armed forces which are chartered to guard a nation’s assets against external aggression in a multi-dimensional battlespace. Extrapolating from here, it might appear logical to conclude that protection of the entire national cyberspace, and not just the defence infostructure, against external cyber-attacks should be the charter of the defence forces.
However, there may be a case for looking at cyberspace defence differently, due to its special characteristics. Specifically, due to undefined boundaries in cyberspace and the “non-attributable” character of cyber-attacks, it is feasible to carry out major attacks in cyberspace without crossing the threshold which would warrant a full-scale multi-domain conflict. Therefore, one can envisage roles for both civilian as well as military organisations in the defence of national cyberspace. Several different models, with varying degrees of authority/ responsibility distributed between civilian and military agencies, can be thought of. Nonetheless, it would be sensible to assume that, no matter which model is adopted, in order to be effective during a full-scale conflict the Armed Forces need to be given full control in all domains, including in cyberspace.
In view of the above, the division of authority/ responsibility between military and civil authorities as regards protection of our national cyberspace needs to be deliberated upon at length and spelt out in unambiguous terms.
Doctrine and Operational Concepts
Doctrine
There have been several known cases where state-sponsored offensive cyber operations have been undertaken in the past, although none of these have been acknowledged by the conducting states. In addition to the well-known Stuxnet attack, presumably conducted by the US in conjunction with Israel, cyber-attacks by Russia on Estonia in 2007, and on Georgia preceding the Russo-Georgian War in 2008, are also well documented [16]. North Korean attacks on Sony in 2014, to which the US responded with economic sanctions, and the more recent WannaCry ransomware attack, also attributed to North Korea, are other examples of state level involvement in cyber-attacks. The US Joint Publication on Cyberspace Operations 2013 clearly defines Offensive Cyberspace Operations as operations “intended to project power by the application of force in and through cyberspace [17].” Other major players too have formal doctrines on offensive cyberspace operations.
India, on the other hand, is still shy of promulgating such a doctrine, even as some capability exists with us in this realm. It is time for India to promulgate a comprehensive doctrine on Cyberspace Operations, encompassing offensive (including destructive/ disruptive and exploitative aspects) as well as defensive operations.
The hesitation on the part of nations to formally promulgate doctrine on offensive capabilities is based on the apprehension that it may not find global acceptability from an ethical perspective. However, with the exponential increase in the frequency of cyber-attacks in global cyberspace, this thinking is fast undergoing a change, and formal declaration by major players on the possession of offensive cyber capabilities is now happening, as has been indicated above. It is also pertinent to emphasize here that possession of offensive capabilities does not necessarily mean offensive intent, but is also an essential pre-requisite for conflict prevention and effective defence, as is captured in the concepts of Cyber Deterrence and Offensive/ Active Defence.
Cyber Deterrence
It is often said that, in defence strategies, deterrence precedes protection, resilience and response. Nuclear deterrence has largely been responsible for a reduction in large-scale conventional conflicts after World War II. Conventional military capabilities also have significant deterrence value. Given the ‘non-attributable’ as well as ‘asymmetric’ characteristics of cyber-attacks, the concept of deterrence in the cyber domain takes on a different flavour, making it a current subject of study by the major players in cyberspace. However, it is fairly evident that there can be no effective cyber defence strategy based purely on a protection/ resilience/ response paradigm. Therefore, India too needs to incorporate cyber deterrence in its national cyber security strategy and develop capabilities accordingly. Specifically, the various connotations and inter-se importance of Deterrence-by-Denial vis-à-vis Deterrence-by-Retaliation in the cyber domain need to be studied, and steps taken to operationalize the concept of Cyber Deterrence [18].
Offensive Defence
Offensive Defence is sometimes termed “Active Defence”; in military operations it is often stated that offence is the best form of defence. Although both “Deterrence” as well as “Active Defence” need offensive capabilities, there is a difference between the two concepts, in that the former implies a “force in being” while the latter involves the actual employment of offensive capabilities after a conflict breaks out. Both involve the possession and employment of offensive cyber capabilities, which therefore need to be developed and used to advantage towards protecting our national cyberspace.
Conclusion
The transformation of cyberspace into a strategic domain of conflict amongst nations is taking place at a breathtaking pace. Major world powers have recognized this and are working at a feverish pace to develop requisite capabilities and establish their dominance in this new Information Age dimension of a multi-dimensional battlespace. India, as an emerging world power, needs to take urgent steps to keep pace with these developments. In this write-up, the important issues of development of a national strategy and doctrine for cyberspace operations have been dwelt upon. In particular, the need to change our perspective on defence of national cyberspace from a peace-time approach to viewing it as an integral part of national defence in a multi-domain conflict has been highlighted. Finally, the imperative to move from a defensive to an offensive mindset has been emphasized.
References
(1) The Information Technology Act 2000, Ministry of Law, Justice and Company Affairs (Legislative Department), Govt of India, 09 Jun 2000.
(2) The Information Technology (Amendment) Act 2008, Ministry of Law, Justice and Company Affairs (Legislative Department), Govt of India, 05 Feb 2009.
(3) National Cyber Security Policy 2013, File No 2(35)/2011-CERT-In dt 02 Jul 2013, Ministry of Communications and Information Technology, Govt of India.
(4) Roles and Functions, Indian Computer Emergency Response Team Website, http://www.cert-in.org.in/, downloaded 23 Jan 2018.
(5) Vision, Mission, Functions & Duties, National Critical Information Infrastructure Protection Centre, http://nciipc.gov.in, downloaded 11 Nov 2017.
(6) Singh, Sushant, Coming Soon: Ministry of Defence’s Cyber, Space, Special Operations Divisions, The Indian Express, 16 Oct 2017.
(7) The DoD Cyber Strategy, US Department of Defence, Apr 2015.
(8) National Cyber Security Strategy 2016-21, Cabinet Office, Govt of UK, 01 Nov 2016.
(9) Australia’s Cyber Security Strategy, Australian Government, 21 Apr 2016.
(10) Cybersecurity Strategy, The Govt of Japan, 04 Sep 2015.
(11) Cyber Security Strategy 2014-2017, Ministry of Economic Affairs and Communication, Govt of Estonia, 2014.
(12) Govt to soon set up Cyber Security Operations Centre: Prasad, http://www.deccanchronicle.com/business/in-other-news/190117/govt-to-soon-set-up-cyber-security-operations-centre-prasad.html, Deccan Chronicle E-paper, 19 Jan 2017.
(13) National Cyber Security Strategy 2016-21, Cabinet Office, Govt of UK, 01 Nov 2016, p. 29.
(14) Vision, Mission, Functions & Duties, National Critical Information Infrastructure Protection Centre, http://nciipc.gov.in, downloaded 11 Nov 2017.
(15) Sukumar, AM & Sharma, Col RK, The Cyber Command: Upgrading India’s National Cyber Security Architecture, ORF Special Report Mar 2016, p. 3.
(16) Connell, Michael & Vogler, Sarah, Russia’s Approach to Cyber Warfare, CNA Occasional Paper, March 2017.
(17) Cyberspace Operations, US DoD Joint Publication 3-12 (R), 05 Feb 2013.
(18) Libicki, Martin C, Cyberdeterrence and Cyberwar, RAND Corporation, 2009.
Being relevant to the National Cyber Security Strategy currently under formulation, this post was forwarded to the NCSC for due consideration.