Dr. Arvind Gupta, Director VIF’s Remarks
Cyber deterrence: How feasible?
Cyber deterrence is a contested concept. The terminology borrows heavily from the theory and practice of nuclear deterrence in Cold War years. However, cyber space is fundamentally different from the physical domain of warfare in which nuclear weapons can be used.
In the case of nuclear deterrence, the weapon, its delivery vehicle and the circumstances of its use or generally well-known. There is also a fairly well-developed practice of confidence building measures, nuclear signaling et cetera which helps lend credence to nuclear deterrence. In the case of cyber space and cyber deterrence, these attributes are missing. In the case of nuclear weapons, these remain in the possession of a few actors. There is an international watchdog in the shape of International Atomic Energy Agency to track the development of nuclear weapons, spread of nuclear technologies and nuclear materials. These attributes are absent in the case of cyber weapons.
Theoreticians have talked about deterrence by denial and deterrence by punishment. These are the fundamental pillars of deterrence. Deterrence implies imposing higher costs for the attacker so that he does not attack, or by raising one’s own defences to such a level that the attacker gets no benefit in attacking. The attacker would also be deterred to launch an attack if he is sure that retaliation in cyber space will be assured and heavy. This is essentially transposing the concept of nuclear deterrence to cyber space and cyber deterrence. However, the situation in cyber space is very different. The most important element in deterrence is to identify the attacker and attack him in retaliation. In cyber space, attribution as to who attacked is extremely difficult. The problem of attribution is the fundamental weakness of cyber deterrence concept.
Cyber attacks tend to be silent, anonymous and they appear to work over long periods. Often, the victim is not even aware for a long time of having been attacked. This also fundamental problem of defining what a cyber attack is. The networks of every country, including that of India, are being attacked by several means almost on a daily basis. Do these attacks tantamount to cyber attacks meriting cyber retaliation?
Joseph Nye has defined nuclear deterrence in a broad framework of activities which cover punishment, denial, entanglements and normative taboos. He feels that mutual dependencies or effector contributing towards deterrence. This may not be always true. Despite the high degree of interdependence between US and China, both sides have accused each other of cyber attacks.
Cyber attacks are a common occurrence. Some of these relate to cyber espionage, others are about stealing state secrets, intellectual knowledge, disrupting critical information infrastructure, stealing money et cetera. However, network attacks against Estonia and Georgia networks in 2007 and 2008 respectively and the ‘Stuxnet’ attack on Iran in 2010 are widely regarded as examples of cyber attacks and cyber warfare.
Many countries have come to the view that the response to cyber attacks need not be in the cyber domain itself. The responses could come in other domains including economic, military, diplomatic and technological. With so much looseness in the concept, cyber deterrence becomes a weak concept. In the cyber domain, controlling proliferation is extremely difficult and well-nigh impossible. Software programs can be easily tweaked as cyber weapons. With the emergence of technologies like artificial intelligence, cyber weapons can be manufactured by intelligent software.
Deterrence by denial seems to be more effective than deterrence by punishment. However the position might change in the future when attribution technologies are developed and cyber weapons evolve. There is also a disconnect between the evolution of cyber technologies and cyber laws. In the case of nuclear weapons, Nuclear Non-Proliferation Treaty was evolved. In the case of cyber technologies, the progress in evolving norms has been slow. Cyber Weapons Convention is nowhere in sight.
Non-state actors are a big factor that makes application of cyber deterrence difficult. Nuclear weapons have been mostly in the hands of the states. On the other hand, almost anyone can have access to a software program which can be used as cyber weapon. Non-state actors are also being used by the state actors as proxies and cyber mercenaries for the purposes of denial. Further, most of technological development in cyberspace takes place with the private actors. There are no norms for non-state actors or for private sector. Deterring non-state actors, supported by the states or otherwise, is a difficult and arduous task.
Cyber Warfare
Theoretical concepts apart, the states with capabilities in cyber domain seems to be going ahead with the development of cyber weapons and implementing the concept of cyber deterrence irrespective of the fact whether cyber deterrence by punishment or by denial is workable or not. The evidence shows that cyber attacks are increasing exponentially including against the states which have huge cyber capabilities. Therefore, whether or not cyber deterrence works, the countries are going ahead building their defensive and offensive capabilities.
Global practices show that many states, including the US, the UK, Australia and others are incorporating cyber deterrence as a part of their national security strategies and doctrines. This implies that the offensive aspect of cyber deterrence is being given a lot of attention.
India
As far as India is concerned, it has to properly assess the emerging scenario. It needs to develop the capabilities to defend itself against the attackers by developed developing deterrence by denial. At the same time it has to take note of the concepts like active cyber defence and deterrence by punishment, and take appropriate actions. It cannot remain immune to the use of cyber technologies for offensive purposes as indicated in the national security doctrines of several countries.
While technology development must go apace, cyber diplomacy is also important. India must play an active role in the development of norms and rules of behaviour in cyberspace.
Cyber deterrence may not be a fully evolved concept. However, many countries are practising it in some form of the other. India cannot ignore that. Strong research, synergy amongst institutions, clear policies and strategies in the arena of national security, particularly cyber security, are needed. India has the requisite institutions. Some more need to be set up. India should give due consideration to the idea of setting up a cyber command which would help India address the questions of cyber warfare.
Post new comment