WARFIGHTING IN CYBERSPACE

Concepts, Global Trends and the Indian Perspective
Sections
Introduction
Cyberspace: A Warfighting Domain
Modelling our National Cyberspace
Strategic Cyber Threats and Targets
Cyber Defence Strategies
Cyberspace Governance: Existing Set-Up
Current Strategy for Protection of National Cyberspace
National Cyberspace Protection: Global Practices
Transformative Restructuring

[The following is the script of a keynote address which was delivered at the virtual ‘National Summit on Cyber Security 2021’ conducted by Institute of Technology and Science, Ghaziabad, India on 20 Mar 2021. The audience comprised faculty, students, and industry participants from India and abroad.]

Introduction

Over the last decade or so, cyberspace has emerged as a new arena of conflict amongst nations, with cyberwarfare growing in intensity with every passing year. To address this challenge, the more agile nations have brought about transformative changes in their cyber defence organisations, most notably the United States, China, UK, Russia, and Australia. The cyberspace governance models adopted by these countries vary in the role allocated to the armed forces vis-à-vis agencies responsible for internal security, law & order as also the intelligence agencies.

In India, the two main agencies tasked with the defence of our National Cyberspace are the National Critical Information Infrastructure Protection Centre (NCIIPC), which is a unit of the National Technical Research Organisation, and the Indian Computer Emergency Response Team (CERT-In) which functions under MeitY. It needs to be analysed whether such an arrangement, under the coordination of the National Security Advisor (NSA) and the National Cyber Security Coordinator, is the right apex structure for the defence of our cyberspace.

During my talk I shall attempt to tackle the subject of cybersecurity from a national strategic perspective. In the process, I shall be giving out my views on the importance of treating cyberspace as a warfighting domain and the special role which our Armed Forces need to play in securing this new frontier of warfare.

One might ask, how does a talk centred on warfare relate to cybersecurity concerns of the Industry? I would respond as follows: firstly, the Industry is deeply involved in provision of our critical infrastructure, and cyber defence of our critical information infrastructure is an important segment of my talk; and secondly, it is always good to know the cyber security environment in which one functions, the extent to which one can expect the state to safeguard one’s interests, which in turn would dictate measures which the Industry needs to take to defend itself.

With that introduction, let me plunge into the subject of my talk.

Cyberspace: A Warfighting Domain

From ‘Battlefield’ to ‘Battlespace’

What is the rationale for the Armed Forces to get involved in the defence of cyberspace? With the heavy dependence on networks in the 21st Century, cyberspace is proving to be of critical importance for the projection of military force, and has been formally designated by many nations in their respective military doctrines as the fifth domain of warfare, the other four domains being land, sea, air and space. This emergence is arguably the most fundamental change in warfare in the past half century. Networks are emerging as future battlefields, where cyber weapons attack and defend at electronic speeds, using strategies and tactics which are still evolving. Thus, the traditional physical ‘battlefield’ is gradually metamorphosing into a ‘battlespace’ with physical, information and cognitive dimensions.

Cyberspace: Formal Recognition as a Domain of Warfare

The US, vide its Strategy for Operating in Cyberspace of 2011 as well as its doctrine on Cyberspace Operations of 2013, was the first to formally recognise cyberspace as a domain of warfare. India too, in its Joint Services Doctrine of 2017, refers to cyberspace as an operational domain. Although the current military doctrines of other major global players, such as China and Russia, are not readily available, it is evident from the resources and capabilities being developed by them that they regard cyberspace as a warfighting domain.

Modelling Our National Cyberspace

At this point, let me attempt to sketch the contours of a notional model for our National Cyberspace.

Cyberspace: A Nebulous Domain

A formal definition of the term cyberspace apparently does not exist in any military doctrine, nor is there any globally accepted definition of this term. However, a US DOD document appropriately captures the essence of cyberspace, by describing it as an interdependent network of IT infrastructures, including the Internet, telecommunications networks and computer systems, and the content that flows across and through these components.

Cyberspace Sovereignty vis-à-vis Cyberspace as ‘Global Commons’

While attempting to arrive at a suitable cyber governance architecture, it is important to formulate a national view on the contentious issue of cyber sovereignty.

The idea of national sovereignty is intimately tied to the sanctity of territorial integrity. In terms of the traditional physical warfighting domains of land, sea and air, territorial boundaries are, in general, well demarcated. Space, also a physical domain, is a ‘global commons’ as per the Outer Space Treaty of 1967, and hence the idea of national sovereignty cannot be extended to this domain.

Cyberspace, in contrast to the other four domains, is a virtual domain which lies in the information realm. Because of its nebulous nature and its (perhaps inaccurate) identification with the Internet which is perceived as a ‘global commons’, it may not be so easy to set-up barriers around national cyberspace. Nevertheless, the Great Firewall of China is an example of attempting to do just that.

The Supreme Court of India has ruled that freedom of usage of the Internet is protected under the Constitution. Such rights associated with the free flow of information in cyberspace are an important concern while attempting to draw secure boundaries around our national cyberspace.

Nevertheless, given the increasing intensity of cyberattacks being mounted by all types of actors, many of which have strategic connotations, there is a need to have a national strategy to defend our cyberspace. In other words, the concept of cyber sovereignty and how we wish to define cyber boundaries needs to be deliberated upon and crystallised from a national security perspective.

National Cyberspace: A Notional Model

Keeping the above considerations in mind, one possible conceptualisation of National Cyberspace (or National Information Infrastructure) is as follows: the collection of all individual computer systems and intranets and the information residing on them, which are owned by our Nation, ie, by all Indian citizens and national entities. In this model, all networking links internal to an entity, ie, not routed over the Internet, are considered as part of respective intranets. Importantly, the Internet is taken to be a ‘global commons’ and not included within the logical expanse of National Cyberspace.

National Cyberspace Sub-Structure: CII, DII and NCII

The collection of all these computer systems and intranets may be grouped into three components: Critical Information Infrastructure (CII), Defence Information Infrastructure (DII or Defence Cyberspace) and Non-Critical Information Infrastructure (NCII). CII have broadly been identified by the GoI as intranets which fall in the following six categories: Government; Transport; Telecom; Power & Energy; Banking, Financial Services & Insurance; and Strategic & Public Enterprises. Defence Cyberspace would include all infostructure – a term which I use here synonymously with ‘information infrastructure’ and ‘intranet’ – which are owned and used by the Indian Armed Forces. Lastly, National Cyberspace less the Defence and Critical Information Infrastructures would classify as NCII.

With such a conceptualisation of National Cyberspace, individual computer systems may be visualized as point elements and each intranet as a blob, with these elements and blobs plugged into the Global Cyberspace, ie, the Internet. In other words, in this model National Cyberspace is scattered in bits and pieces within the logical expanse of Global Cyberspace. Importantly, each such element or blob needs to be individually protected from attacks launched from anywhere in Global Cyberspace.

On the other hand, if the entire wide area network and information systems within the country are modelled to be part of National Cyberspace, inclusive of the Internet links interconnecting them, then the gateways which connect this National Cyberspace to the global Internet would constitute the boundary between National and Global Cyberspaces, and suitable protection measures put in place there. Such a model would correspond to the Great Firewall of China, which as we know is frowned upon by the liberal, democratic world. Unless I specifically state otherwise, the first model, which considers the Internet as a ‘global commons’, would be presumed by me for the balance of this talk.

Strategic Cyber Threats and Targets

I shall now briefly dwell on strategic cyber threat vectors and targets.

Broadly speaking, cyberattacks may be classified under five heads, namely, cyber-crime, cyber-hacktivism, cyber-espionage, cyber-terrorism, and cyber-war. Cyber-espionage may be of two kinds, namely, industrial cyber-espionage and strategic cyber-espionage. Cyberwar here refers to cyberattacks carried out by a state either through state owned cyber capabilities such as a cyber command, or sponsored through non-state actors, both with the intention of achieving strategic objectives. Out of these categories, strategic cyber-espionage, state sponsored cyber-terrorism and cyberwar may be classified as strategic cyberattacks. Also, all cyber assets which make up the DII and CII are strategic cyber targets within our National Cyberspace.

Cyber Defence Strategies

What strategy would be most appropriate to defend against strategic attacks on our sovereign National Cyberspace? It is often said that “offence is the best form of defence”. Let me, therefore, highlight the main elements of a cyber defence strategy based on the principle of ‘offensive defence’, sometimes also referred to as ‘active defence’.

Defence-in-Depth

Presently the Defence Cyberspace is topologically structured as a three-level hierarchy: at the highest level, the entire network is air-gapped from global cyberspace; at the next level there are station access networks, and at the lowest level are networks serving individual establishments. Protection measures are implemented at each level of hierarchy. This is an example of a ‘defence-in-depth’ strategy.

In contrast, for CIIs and NCIIs alike, network architecture is usually structured as a single level hierarchy and is not air gapped. For reaping the advantages of defence-in-depth at least for our CIIs, there appears to be a case for implementing a multi-tiered network security architecture in conjunction with secure cloud services.

Cyber Deterrence

In defence strategies, deterrence precedes protection, resilience, and response. A robust defence-in-depth strategy by itself has deterrence value, referred to as ‘deterrence by denial’. In addition, ‘deterrence by retaliation’ is another potent deterrence strategy, which leverages the fear of retaliation induced by the declared possession of offensive cyber capabilities.

Active Defence

‘Deterrence by retaliation’ is quite different from ‘offensive defence’, in that the former implies a “force in being” while the latter involves the actual employment of offensive capabilities. Both need to be incorporated into an effective cyber defence strategy.

National Firewall

I have stated earlier that the Great Firewall of China, which is an example of national security taking precedence over free flow of information, is almost universally derided by the liberal, democratic world. However, with the increasing intensity of cyberattacks with significant strategic effects, this view is gradually undergoing a change, with the notion of ‘cyber sovereignty’ gaining ground over the current predominant view that cyberspace should remain a ‘global commons’. Thus, there is a need to consider setting up of a suitable architecture for firewalling our entire National Cyberspace, sometimes referred to as an Internet kill-switch, to be activated in times of national emergencies.

Cyberspace Governance: Existing Set-Up

Let us now look at organizational aspects by first reviewing the existing governance setup in India.

Cybersecurity Establishments

Presently, the following establishments are tasked with defence of our National Cyberspace.

  • The National Critical Information Infrastructure Protection Centre (NCIIPC) functions directly under the PMO and is designated as the National Nodal Agency for CII Protection. Its charter includes identification of CII, development of protection strategies and issuance of cyber advisories. However, it does not have any accountability, and its charter states that the responsibility for protecting the CII lies with the agency running the CII.
  • The Indian Computer Emergency Response Team (CERT-In), under MeitY, issues advisories and responds to cyber incidents. Here again, its charter shies away from accountability. Broadly speaking, CERT-In caters for the NCII, while the NCIIPC focuses on the CII.
  • The Defence Cyber Agency (DCA) has been recently established for providing cyber operations support to the Indian Armed Forces. It is a whittled-down version of the Cyber Command, an establishment which was proposed as early as 2012.
  • The Cyber and Information Security Division of the MHA deals with matters relating to cyber security and cyber-crime from an Internal Security perspective.

Apex Level Coordination

The National Security Council Secretariat, headed by the National Security Advisor, is the apex body responsible for national security. The National Cyber Security Coordinator, functioning under this Secretariat, coordinates with different agencies at the national level for cyber security matters.

Current Strategy for Protection of National Cyberspace

Our current strategy for the protection of our National Cyberspace can briefly be summarised as follows: Our existing cyberspace governance architecture appears to be premised on cyberspace being a ‘global commons’ and not on the notion of cyber sovereignty.

We do not yet have a National Cyber Security Strategy, and while one is expected shortly, it is not expected to adopt the philosophy of ‘deterrence through retaliation’. This reflects our essentially passive defensive approach towards protection of our National Cyberspace. This mindset is also manifest in the fact that we possess limited offensive cyber capabilities.

In my view, we need to reorient our strategy and enhance our offensive cyber capabilities for engaging in cyberspace conflicts at the strategic level.

National Cyberspace Protection: Global Practices

Before attempting to recommend a suitable governance model, let us review the stance adopted by some of the major global players towards protection of their respective NIIs.

United States

The cyber governance architecture adopted by the United States strikes a synergetic balance amongst the US Cyber Command, the National Security Agency and the recently established Cybersecurity and Infrastructure Security Agency under its Department of Homeland Security. The US Cyber Command is tasked with tackling external strategic threats in cyberspace, while the Department of Homeland Security focuses on cyber threats from the perspective of internal security. It is worth noting, though, that 13 Cyber Mission Teams of the US Cyber Command are meant specifically for the protection of CII. Further, the authority for the conduct of offensive operations in cyberspace appears to be vested solely with the DOD.

United Kingdom

The UK established the National Cyber Security Centre (NCSC) in 2016 under the Government Communication Headquarters (GCHQ), an Intelligence agency which provides signal intelligence support to the Government and Armed Forces. The NCSC subsumed the functions of UK’s erstwhile Centre for Protection of National Infrastructure as well as CERT-UK. The British Army launched a new cyber force in 2020, namely the 6th Division, which is the largest of UK’s three divisions, and is organized to focus on cyber, electronic warfare, intelligence, information operations and unconventional warfare.

It is clear from UK’s National Cyber Security Strategy 2016-21 that active defence is central to protection of their national cyberspace. The NCSC focuses on cyber-crime. For providing cyber operations support at the strategic level, a new National Cyber Force was established in Nov 2020, as a partnership between the Armed Forces and the GCHQ, with its primary charter being offensive cyber warfare directed against external threats in cyberspace.

China

China, our primary adversary, is now very well structured to defend its NII. The recent raising of the PLA Strategic Support Force signifies the operationalizing of its well-developed concept of Integrated Network Electronic Warfare as well as the Three Warfares concept. This transformative reorganisation has resulted in integration of not only cyber-attack and exploit capabilities but also of cyber, electronic, and psychological warfare capabilities under the PLA, thus considerably enhancing China’s capabilities as a dominant power in cyberspace.

Russia

Although details of the cyber governance architecture of Russia are not readily available in the open domain, the strategic nature of its preparedness in cyberspace may be gauged by the infamous information warfare campaigns conducted by it across the globe in recent years, which have served as a wake-up call for the United States, the European Union and even China. It has also been established almost beyond doubt that the GRU, the Main Intelligence Directorate of the Russian military, was behind the cyberattack on Ukraine’s electricity grid in 2015, the devastating 2017 NotPetya cyberattack which affected businesses across the globe, the interference in US Presidential elections in 2016, and the hacking of the French election in 2017, amongst others.

Transformative Restructuring

Finally, I would like to present my views on the transformative restructuring which India needs to undertake for addressing strategic threats in cyberspace.

Role of Armed Forces

The governance model which I am proposing here envisages a central role for our Armed Forces in cyberspace defence, much in line with their role in the physical domains of conflict. This involves bringing about a significant change in our doctrinal thought as well as operational capabilities in cyberspace.

Offensive Cyber Capabilities. At a doctrinal level, our National Cyberspace needs to be recognised to be as important a sovereign asset, albeit virtual, as our physical territorial assets. Further, the mandate for handling the full spectrum of strategic cyber conflicts must rest with the Armed Forces. Such a charter would cover state-on-state cyberattacks, separately or as part of multi-domain operations, as also strategic cyber-terrorism, and strategic cyber-espionage. Most importantly, development and operationalizing of offensive cyber capabilities at the strategic level must be the exclusive domain of the Armed Forces.

Cyber Command. For our Armed Forces to take on this responsibility, it is imperative that the recently created Defence Cyber Agency be upgraded to a full-fledged Cyber Command at the earliest, with commensurate transformative changes in HRD and cadre management policies. Also, cyber expertise within the DRDO must be placed at the disposal of the Cyber Command for developing suitable cyber weapons and technologies.

Role of Other Government Agencies

With the Armed Forces under the MoD given a pivotal role for the defence of our national cyberspace, what would be the charter of other agencies? The proposed restructuring envisages an enhanced role for the MHA, while at the same time limiting the charter of intelligence agencies.

MHA: Protection of CII. Protection of CII, being an IS matter, must logically be brought under the aegis of the MHA, in the following manner:-

  • Just like the CISF under the MHA provides physical security to critical infrastructure, a new Para Cyber Force should be raised for providing cyber protection to the CII.
  • For government and public sector CII, ie, railways, nuclear installations, defence PSUs, etc, the PCF would be mandated to provide all echelons of cyber protection.
  • However, in the case of CIIs owned by the private sector, ie, private power generation, banks and financial institutions, etc, the PCF would work in close conjunction with the Chief Information Security Officers of the private enterprises for provision of additional tiers of security firewalls, as also carry out external audit by adopting measures such as ethical hacking and red-teaming.
  • A National Cyber Security Operations Centre, or Cyber SOC, needs to be established under the MHA, manned by the PCF, which would subsume the responsibilities of the current NCIIPC as well as CERT-In. The alerts and advisories issued by this Centre would benefit the NCII including individual citizens. While incident reporting and response by this Centre would mostly be restricted to the CII, in case of major incidents this support could be extended to NCII as well.
  • Most importantly, if at any stage the imminent threat to one or more of our CIIs attains strategic dimensions, the task of CII protection would be handed over to the Armed Forces. This could be done, eg, by placing the National Cyber SOC under the Cyber Command.
  • Cyber-crime would continue to be handled by the MHA as hitherto.

Intelligence Agencies: Strategic Cyber Espionage/ Counter Espionage. Intelligence agencies such as RAW and NTRO would continue to carry out cyber-espionage and counterespionage in conformance with their traditional mandate.

Non-State Actors. Finally, there may be a need to enlist the services of existing hacker groups, in order to leverage the advantage of plausible deniability where needed, as in all probability is being done even now, or even facilitate the creation of cyber militias with state backing. This, however, would be part of covert operations to be conducted by agencies as permissible under existing provisions.

Human Resource Development

It is pertinent to highlight here that the Armed Forces are well geared up to take on the enhanced role proposed for them; by that I mean they can quickly upscale to carry out this role, provided a Cyber Command is raised, and the HRD policies are upgraded to nurture much higher levels of specialisation than exist today. The same, however, cannot be stated for the MHA, where much greater effort would need to be mustered if it is to play its enhanced role in cyberspace.

Conclusion

I would like to conclude by saying that in 21st Century conflict scenarios, cyberspace has emerged as a formidable new domain of warfare only over the last decade or so. Given that the threats from our adversaries in cyberspace are already manifest and will rapidly intensify in the coming years, it is imperative that, as opposed to an incremental approach, the recommended transformative changes to our cyber governance architecture be undertaken as a national priority and on a war footing.
