Cyber Warfare, Security and India: A Work in Progress


Cyber warfare is the waging of war by one country against another in the virtual domain. The term needs proper definition and understanding among the general public, so creating awareness is vital to developing cyber architecture. To understand warfare, one needs to understand the difference between launching attacks on specific targets and comprehensive warfare. To counter warfare, there is a need to develop security architecture.

Cyber security comprises four major areas. The first is application security, primarily for those applications which have a large database and are used for purposes such as online banking, citizenship rolls such as the National Population Register (NPR), or human resource management software for military personnel in sensitive positions. The second critical area is information security, which means that the information passed through the virtual domain, such as emails or related transmitting devices, is secure and encrypted. The third aspect is disaster recovery, so that there are effective measures (both technical and structural) in place to protect systems and to recover quickly in case of any cyber-attack. The last element is network security, and therefore many industries and sensitive installations have secure firewalls to prevent any breach or sabotage of the network itself.

When one looks at cyber targets, personal computers comprise the outer layer, while the computer networks managing the information systems, or the service providers for businesses, financial institutions etc., are the second, inner layer. However, the most important core is the critical infrastructure, which includes the vital assets of a nation, controlled under certain regulations and clear-cut guidelines. This critical infrastructure might be in the form of the control panel of a dam, a large repository of banking data, financial transactions in the share market, or the command and control of the navigation system of a missile regiment.

Cyber warfare is complicated, as it can be timed or deferred, or can use activated bots to help search for information on a particular subject. It can also take the form of Trojan attacks and even remote control of the computer of the targeted person or institution. Most countries use bots or latent Trojans to sneak into the cyber activity of a particular institution and thereby collect information related to a specific subject matter. This kind of attack will not qualify as cyber warfare but will meet the requirements of the attacking party. Further, many countries across the world have developed comprehensive cyber defence systems as well as cyber warfare units. The attack on the Sony systems by North Korea, and similar attacks undertaken by the Chinese cyber army in the past, signify that cyber warfare will be the next area where wars are fought.

There are different facets of cyber warfare, which include recognizing cyberspace as the fifth domain of warfare. The warfare might include very specific virus attacks such as Stuxnet, or DDoS (distributed denial of service), in which multiple connected online devices forming botnets attack a website with fake traffic. Another feature is the Advanced Persistent Threat (APT), under which an intruder mines a data repository to get relevant information. The problem in the cyber warfare domain is to define the effect of weapons, the right of self-defence in terms of proportionality, the cyber military market, and the ontological ambiguity in defining attacks and damage.

Cyber warfare is also listed as an element of asymmetric warfare. The critical aspect which needs to be addressed is that cyber warfare is a low-cost measure with minimal personnel deployment and a very effective way to cripple the command and control system of a country, if it is network based. Cyber warfare has also become an increasing threat because command and control systems are increasingly integrated in the form of a network, such as the navigation system on board a missile system, integrated with the global positioning system and a guidance chip which might be integrated with the low-orbit satellites of the country.

Countries across the world have taken this threat very seriously and have developed encrypted communication systems with secure platforms so that the data and the communication are secure. They further explore the vulnerabilities of the enemy to breach their communications and networks. Therefore, many countries have developed their specific internet systems for military communications and for collecting data, which is kept in a highly secure vault. Advanced countries have developed their specific intranet systems for military communications and for collecting data, which is kept in a highly secure vault.

Countries do not acknowledge that they have committed an act of warfare in the cyber domain, as it is conducted through non-state actors or individuals who might be directly or indirectly sponsored by the state. Therefore, this field is a two-way system where the attacking side opens the right for the targeted country to repulse the attack and launch counter-attacks. Of course, there are multiple nations which have created their cyber armies to launch attacks when required. Data breaches and hacking are seen as a medium to explore the vulnerabilities of networks and applications.

Cyber-attacks might also take other forms which give a better advantage to the country concerned, such as cyber reconnaissance, exploitation and the potential for attacks against government interests. State actors have also been using cyber espionage to steal critical information. For example, a specific country would like to know what India's response would be if the inclusion of Taiwan in the UN comes up for a vote. Another example could be internal email communication between the Prime Minister's office and the National Security Adviser reporting on the disengagement of the troops from Galwan Valley.

The massive attacks which were launched against Estonia in 2007 were one of the manifestations of a comprehensive cyber-attack on a country. Following this, the Tallinn Manual was created to address the issue of armed conflict in the cyber domain. The Tallinn Manual 2.0 deals with different aspects of cyber operations, both in and out of armed conflict. It also highlights the international law related to cyber operations and how it will be seen in future.

Military alliances such as NATO have their Cooperative Cyber Defence Centre of Excellence, which was instituted in 2011 to cater to the growing need for cyber defensive capabilities. There are two applicable bodies of international law related to cyber warfare, which address the critical flaws in cyber warfare through the UN Charter (jus ad bellum) and under the Geneva Convention (jus in bello). Also, many countries as well as regional organizations such as the SCO have worked on organization-specific protocols and safeguards.

India has been rather slow in developing capacities and capabilities related to cyber defence as well as offensive capabilities. There are departments which deal with this challenge, such as the Cyber and Information Security Division in the Ministry of Home Affairs; the Defence Cyber Agency (DCA), which is a tri-service command of the Indian armed forces and reports to the Chief of Defence Staff (CDS), Gen. Bipin Rawat; the cyber division in the National Security Council Secretariat; and the National Cyber Security Initiative. India has promulgated and adopted a notification (2014) related to information technology, which covers the critical information infrastructure protection centre and the manner of performing functions and duties under the rules. There are also guidelines to evaluate whether there is a need for a cyber security act to launch offensive action in case of a cyber-attack. Other agencies working in this field include the National Cyber Security Coordinator and the Indian Computer Emergency Response Team, known as CERT-In.

The national cyber security strategy policy was expected to be released in 2020 and it is seen as a blueprint for building cyber defence and offensive capabilities of the nation.

The first line of defence in any cyber architecture is the network and the security of the computer systems or servers. The critical element in any network is the router, and most of us use very cheap routers which are the most vulnerable to cyber-attacks. In government departments, a cyber and security audit of each computer has been made mandatory so as to protect them from cyber-attacks. Many government departments have been using pirated software, and employees have been seen visiting unwanted sites during office time. This kind of activity in the cyber domain makes the system as well as the network vulnerable.

In fact, one of the areas addressed in the annual cyber audit in the office of a sensitive government department was the removal of all Chinese apps and software from the computer systems. It was also suggested that cheap routers, cables and distribution networks should be replaced with verified systems. In this context, the low-cost vendor was not entertained and the technical specifications were of utmost importance. Licensed versions of software and applications, with online technical support, were stressed.

In pursuit of cyber security, data protection laws will be critical, given that the government is promoting digital banking and e-commerce, and is also creating a digital vault system for keeping important documents, data and property papers in one account. Now that most of the property registry as well as the definition of urban plans are in digital mode, data protection laws will gain salience in the near future. However, these need to be complemented with effective changes in the legal provisions, as well as by addressing damages incurred by the person concerned in the virtual domain. Data security therefore needs more technical evaluation rather than bureaucratic interventions.

From a national security point of view, the data in the Aadhaar database is critical. Data related to financial matters, the banking institutional network and the clearing houses of the banks are also important from a national security standpoint. The biggest issue which crops up every now and then is to differentiate between the defence domain of data security and the civilian domain related to data. This differentiation is critical for understanding it from the viewpoint of citizenship, society and national defence. India needs an active recruitment process for personnel, as well as time-bound task forces to study minutely the India-specific data protection and data security laws.

Data protection is evolving as a big industry in India, and there are specific data-protected vaults operating in different parts of India. More effective data protection laws will fulfill the obligations on the part of government, and also compel industries and the private sector to commit to installing secure firewalls and encryption devices. For example, a simple breach in any of the major banking systems in India would spill over to the streets and would create a major law and order situation in a particular area. However, if the same data breach happens simultaneously across India, then it will be a major national security problem.

In this context, data sovereignty is another critical issue, especially when India is emerging as a major data centre and an important digital power. Initiatives like Startup India and Digital India need data sovereignty, given that a large volume of data can be used for commercial and other purposes if the data is easily accessible in the global market. The issue of data sovereignty has been a major cause of differences between India and the US as well as many Western countries. Citizens' data or even banking data should remain in the country and should only be shared with the international community if there are valid reasons to share it. This also gains relevance with the coming of major e-commerce websites such as Alibaba and other such agencies. Data protection is also the right of the citizen, so that he knows that the data he shares with the government or any institution is protected and is not shared without his knowledge.

As is known, in the digital world data is power, and it helps in understanding the demographics as well as the population density in a specific area. It also helps in making plans and devising distribution networks for electricity, rations and other aspects of social development such as roads and irrigation networks. It helps in better plan implementation and a reduction in corruption at all levels.

In India, innovation is not as rewarding as in the West or in China. Many innovators have found refuge in the US and European countries because there is no fund crunch or selective discrimination in these sectors. Even though Startup India and Digital India have received generous fund support, continuous financial support is required to build an ecosystem of digital innovation and technical support structures. It has been seen in the past how the services sector got support and thrived in major cities such as Bangalore (Bengaluru) and Hyderabad. The need of the hour is to create such ecosystems across India so that digital innovation and networks can be created. The government needs to be highly proactive in supporting this, and it needs a long gestation period as well as protection from cheap imports. In the end, one can easily say that technology and innovation will be an important element in defining the new power configuration at the international level.


Pic Courtesy: Dlanor S at unsplash.com


(The views expressed are personal)