The Modi government seems rightly intent on building foundational digital infrastructure. This push must be backed by a solid cyber-defence strategy.
India desperately needs to create a operations manual for cyber-warfare. Credit: Reuters
Over 3 years ago, the actions of whistleblower Edward Snowden changed our world forever. We woke up to a new reality and nothing has been the same since. In both war and peacetime, technological advancements play a significant role in arrangements between nations and their power sharing. Electronic breakthroughs impacted both World War II and the Cold War. As the cycle of innovation moves to the Internet and beyond and the world graduates from an era of Cold War to one of Code War, cyber skirmishes will become the new normal and a part of diplomatic parlance.
On the face of it there is nothing common between the Warsaw stock exchange, a steel mill in Germany, the French TV outlet TV5Monde and a Ukranian power plant (other than that they are in Europe). Yet in recent times they have been victims of cyber attacks, carried out allegedly by foreign intelligence with the aim of causing material damage and destruction.
Cyber is fait accompli and nations are ill prepared. To drive home the point, NY Magazine ran an imaginative piece visualising a cyber heist on New York city – cars drove into walls, airports shut down and local hospital systems froze. While fictional, the story’s message is real – our dependencies on digital infrastructure rises every year and there needs to be greater debate around acceptable norms of cyber conduct, sufficient preparedness and if push comes to shove a principles driven approach to counter attack.
Hundred years ago
The first recorded incident of hacking dates back to 1903 when the inventor Nevil Maskelyne disrupted a secure wireless telegraphy between John Ambrose Fleming and Guglielmo Marconi. However, it still took a while for the notion of cyber threats to percolate the academic and policy circles. US policy adviser, Willis Ware, wrote in 1967 the first paper on cyber security threats, and in 1983 Ronald Reagan had helped create the first (US) national security policy directive on information systems security.
While some of the attacks can be classified as cyber-crime, other due to the political motives have to be classified as cyber-warfare. Many state actors including reportedly Israel, Russia and China and some non-state actors including ISIS are proactively using cyber as one of the means to conduct war. Today, the cost of cyber-attacks stands at $400 billion a year and the cyber-security market is projected to grow to $175 billion by 2020.
A cyber offensive is not limited to leaking information or spreading disinformation. The attacks can be more tangible causing damage to physical or digital infrastructure. This includes a country’s water system or electric grid. Cyber tentacles can spread to political parties, universities and private businesses and Citizens. Stylistic examples of recent and potentially worrisome cyber incidents include interference in political affairs, leaks and espionage and the compromising of critical national infrastructure.
As nations stand
In 2013, the UK became the first country to openly acknowledge development of cyber defence capabilities. Then defence secretary, Philip Hammond stated that his government was developing “military cyber capability, including a strike capability”. While several countries are assumed to have capability (and some hint at it off the record) this was the first time a nation made such a public declaration.
In November 2016, the British government further announced a £1.9 billion national cyber security programme. This was in part due to a hack of Britains largest telecom operator (in October of the same year ) by a 16 year old exposing 1.2 million IDs and 21,000 bank account numbers. US for its part plans to spend more than $19 billion for cybersecurity as part of the President’s Cybersecurity National Action Plan (CNAP). These are early days but most advanced nations are putting together cohesive plans and budgets towards this space.
Building global norms has to be the first step towards a framework for regulation. In 2011, President Obama released the “The International Strategy for Cyberspace”. The document goes on to elaborate the basis of norms in cyberspace and includes ‘Upholding Fundamental Freedoms’, ‘Respect for Property’ and a ‘Right of Self-Defence’. Additionally, since 2009, a NATO centre has been involved in exploring the applicability of ‘International Law to Cyber Warfare’.
On the other hand, nations are also beginning to prepare for the inevitability of cyber war. Most countries are developing cyber-defence strategies – in 2011, the US secretary of defence officially declared ‘cyber’ a domain of warfare and Obama declared that America’s digital infrastructure would be be a national asset.
In 2015, the United Nations Group of Governmental Experts on Information Security (GGE) authored a “breakthrough” document to guide state activity incCyberspace. It was significant because first it includes principles of humanitarian law (counter-intuitive but some claim this would legitimise a cyber arms conflict). Secondly, it stresses the need for protocol in naming and shaming of state-sponsored activity and third it recommends inter-state assistance.
These make it irrefutable that cyber is the brand new arena of war games and foreign affairs.
What about closer home?
In 2013 India framed for the first time a cyber-oriented national security policy . The change was in part prompted by media reporting of US NSA hacks to our strategic interests. India has a chance to play a leadership role not only for its sake but for the sake of international order. In cyber terms, 2016 marked a watershed year for India – she was included at the big table in the top UN cyber body (GGE) and the Dutch have handed over the leadership of Global Conference on Cyber Space (GCCS) over to the Indian government. Yet in the eyes of many India remains a “reluctant digital power” and it’s time to step up.
We are the world’s second largest digital nation – more than 350 million Indians are online and millions more will be getting connected in the years to come. There is a push towards greater digital dependence– with demonetisation a cashless system is being propagated, with Aadhaar, an entire India Stack is being built and the wider platforms such Digital India and Smart Cities will push things further along.
We are keen to capitalise on the enormous economic opportunity, but we need to be prepared for potential cyber onslaughts. Eventually our systems, our people and our devices will all be connected that is when modern war games will start being played. We’ve already received a few unwanted pokes: allegedly, Chinese or otherwise hostile hackers have targeted the offices of the Dalai Lama, our embassies and government departments. In 2013, the DoT blocked the import of Huawei equipment on grounds of potential breach of security.
More recently in the beginning of 2017, the newly launched Bharat Interface for Money application (BHIM app) reportedly faced spam threats.
India should take certain steps to safeguard itself. Indeed, our country’s approach to this will be pivotal. The recent appointment of a national cyber security coordinator in the PMO is a step in the right direction. That said a lot more will need to be done in the days ahead:
- While cyber war should be avoided at all costs, India still needs to be prepared for it. Thus preparing for the offensive, and drafting a cyber war manual is essential.
- A robust ecosystem must be built to secure India from acts of state and non-state actors, including protocol for grievance redressal in international forums.
- Better capabilities must be built to detect and deflect attacks.
- The computer emergency response team (CERT) must be strengthened and aligned with military and foreign affairs operations.
- Building a joint task force between the government and key technology players will be crucial.
- The government’s cyber security policy can be revisited and more importantly implemented in mission mode.
- Key areas of cyber importance, such as the banking system, India Stack, various government infrastructure, should be identified. –
- The government should push for the creation of a global charter of digital human rights.
- A national gold standard should be created, which ensures that Indian hardware and software companies adhere to the highest safety protocols.
Changing nature of conflict
Klaus Schwab, founder of the World Economic Forum, feels technology will radically alter the nature of conflicts. He considers cyber-attacks “one of the most serious threats of our time”. If everything from our social media to our mobile phones now have an impact on international security, cyber as an arena of war needs to enter mainstream discussion and the gap between policy and technical experts needs to narrow. The Internet is fast becoming humanity;s lifeline. Therefore the stakes are high and thus ripe ground for conflict.
While a ‘Code War’ will likely never replace conventional modes of conflict, it will with time become a relevant part of any state’s arsenal. With increased dependence on digital infrastructures, acts of war on those assets are inevitable – in some cases such actions could also lead to material damage to life and property. Moreover, nation states should be prepared for conventional retaliation to a cyber attack and vice versa. Lastly, cyber, like all security, is a public good and nations will have to determine the level of safety it must provide to its average citizens and small businesses (beyond securing critical infrastructure).
There is a real impact for India. The digital revolution presents once in a generation opportunity for our country, but it also leaves us exposed and open to attack. While we climb the inevitable ladder of technological progress one eye must be kept on the potential perils. The government is in the process of building deep digital infrastructure, from payments to ID.
A few weeks ago, Saudi Arabia issued a cyber-defence alert (emanating from Iran) compelling talks of a gulf cyber bomb. These are new environments and India and the world needs prompt re-calibration. Foreign relations tend to follow Kissinger’s framework of cold pragmatism and it doesn’t seem to go well with the “do no evil” ethos of the Internet world.
Vinayakk Dalmia is an entrepreneur @AMBER (www.hiamber.com) and runs an NGO in Rajashthan (Dalmia Trust).