The imperative of operationalizing the concepts of Cyber Deterrence and Active Defence for defending our national cyberspace was highlighted in the first part of this blog. It was further brought out that both these concepts are contingent upon possession of requisite offensive cyber capabilities. These capabilities are also an essential component of military power, given the multi-dimensional nature of today’s battlespace. Thus, there is a need to evolve doctrine, raise and nurture offensive cyber organisations, as also make a concerted effort at the national level to develop cutting R&D infrastructure and expertise in this field. These issues are briefly discussed below.
Offensive Cyber Capabilities
Doctrine and Capabilities
There have been several known cases where state-sponsored offensive cyber operations have been undertaken in the past, although none of these have been acknowledged by the conducting states. In addition to the well-known Stuxnet attack, presumably conducted by the US in conjunction with Israel, cyber-attacks by Russia on Estonia in 2007, and on Georgia preceding the Russo-Georgian War in 2008, are also well documented. North Korean attacks on Sony in 2014 to which the US responded with economic sanctions and the more recent Wannacry ransomware attack, also attributed to North Korea, are other examples of state level involvement in cyber-attacks. The US Joint Publication on Cyberspace Operations 2013 clearly defines Offensive Cyberspace Operations as operations “intended to project power by the application of force in and through cyberspace.” Other major players too have formal doctrines on offensive cyberspace operations.
India, on the other hand, is still shy of promulgating such a doctrine, although some capability exists with us in this realm. It is time for India to promulgate a comprehensive doctrine on Cyberspace Operations, encompassing offensive (including destructive/ disruptive and exploitative aspects) as well as defensive capabilities, which are needed to be developed.
Development of offensive cyber capabilities, both in terms of R&D expertise as well as a highly specialist cadre, is a challenge which is not easily addressed. Existing expertise on offensive cyber operations is distributed at present amongst civilian government establishments like NTRO, defence establishments and individual hackers/ hacker groups. These need to be synergized and built upon to achieve a formidable offensive cyber capability at the national level.
The US Cyber Command achieved initial operational capability in 2010. It is mandated to have 133 Cyber Mission Teams with a total strength of 6200 personnel, over 5000 of which were already on staff last year and the balance are expected to be made up by next year. A good proportion of these teams are distributed amongst the geographical commands to be deployed at operational and tactical levels. In Aug this year, the Cyber Command has been upgraded to the status of a unified combatant command by the Trump administration.
China’s PLA Strategic Support Force, as per one report, is estimated to have over a lakh personnel. Russia too is known to be very active on the cyber operations front, under the aegis of FSB. The UK, in its National Cyber Security Strategy 2016-21, has clearly enunciated the need to develop offensive cyber capabilities.
Against this backdrop, Indian initiatives to come up with a matching capability have been rather weak. An Indian Cyber Command was proposed by the defence forces in 2012. Five years later, clearance has been given only this year by the MoD to raise a toned down version, the Defence Cyber Agency (DCA), consisting of a 1000 personnel distributed amongst the three services; actual operational capability would no doubt take at least a few years more. Given the increasingly active global cyber threat landscape, such a low-key response is inadequate to meet the challenges that we are faced with as a nation.
Presently, all indications are that the DCA would be located and deployed centrally, under the presumption that it is not advisable to deploy offensive cyber capabilities in a decentralized manner. If a full-scale multi-domain war is to be fought by us, especially with an adversary like China, such an organizational architecture may not be suitable to meet operational requirements for carrying out integrated multi-domain operations at all levels of warfare, i.e., strategic/ operational/ tactical. This issue needs to be deliberated upon in all seriousness.
In the US, dual-hatting of the two apex appointments, i.e., head of the US Cyber Command and the US NSA, achieves synergy in cyber operations between the defence and government intelligence agencies at the national level. In addition, the Cyber Command is also mandated to support the Department of Homeland Security (DHS) in the event of escalated threats. A suitable solution needs to be found to achieve a similar synergy in the Indian context.
R&D: Need for Cutting Edge Research
Most defence encryption algorithms are developed by the DRDO/ PSUs with requisite security clearance, and evaluated by DRDO’s SAG before being implemented in various equipment. In the civil, however, a number of globally accepted open domain encryption algorithms are in use (IPSEC, SSL/ HTTPS), on the premise that security lies in the key. However, there is always the lurking suspicion that some of these may have been compromised, e.g., by the US NSA. Thus, development of a national strategy on development and use of encryption algorithms with respect to our CIIs is an imperative.
Further, in the defence forces, encryption at the physical layer is the mainstay for ensuring confidentiality, whereas in the Internet/ civilian WAN architectures, security is mostly implemented at the Network Layer and above. It needs to be explored whether or not use of bulk encryption devices by our telecom operators on long-haul links would contribute significantly towards securing our national cyberspace, and if so, bring out regulations towards achieving such an objective.
AI in Cyber Operations
Legal, ethical and moral issues related to autonomous weapon systems are currently under serious discussion globally, with the UN deliberating over the last three years on the best form of regulating them. A Group of Government Experts (GGE) has been established for the purpose, the first meeting of which was held in mid-Nov this year, chaired by the Indian permanent representative to the UN Convention of Certain Conventional Weapons (CCW). Autonomous Cyber Weapons, which presently utilise narrow/ weak AI technology, are also a significant part of this discussion and would be a reality soon, if they have not already been operationalized. There is a need to promote research effort on this front in India, and the government, industry and academia need to synergize their efforts in this direction.
Development of Offensive Capabilities
As has been already brought out above, in order to conduct effective offensive cyber operations as a nation, an essential pre-requisite is the development of highly sophisticated cyber weapons, and existing expertise within the country and outside needs to be tapped to achieve results in this area on priority.
This blog has so far discussed several facets of cyber security which are relevant to the defense of our national cyberspace, covering governance, operational aspects and development of offensive cyber capabilities.
The concluding part will address the challenges associated with the creation of a highly specialized cadre of cyber warriors, as also the important issue of enforcing cyber discipline across any modern nation’s extended CII cyberspace.