Preamble
This is the information age and therefore like all lucrative assets of the past ages, information assets must be an object of competition and conflict – and in extreme cases, warfare. This conflict is being played out in a new domain: the cyber-space. With increasing dependency on the cyber domain for every aspect of human endeavours, it is obvious that like all national assets, India’s cyber-space has to be secured against all forms of espionage, subversion, sabotage and attack.
In this article, it is proposed to discuss the theology of cyber security and the fundamental considerations that might lead to its effective implementation in the Indian context.
Civil and Military Functions of Cyber Security
There are five domains in which the civil as well as military functions of national security have to be performed, viz, land, sea, air, space and cyber- space. In reference to the last named, it is a common supposition that there is singular convergence of civil and military functions. The misconception is reflected in the use of undefined terminologies and loose semantics which lead to confusing juxtaposition of concepts that govern the issue of cyber security. Factually though, the said convergence is no more prominent than it is in the context of civil-military interplay in all of the other domains of inter-state competition and conflict. In order to make the best use of our resources in achieving a fair degree of cyber security therefore, it is important to promote clarity and consistency in ruling definitions and concepts in the Indian context.
We understand that every nation nurtures its own set of specific aspirations in consonance with a given set of geo-political, social and natural assets. These aspirations go to define the path for national prosperity which are then sought to be protected by the triumvirate of national power, viz, socio-political, economic and military security. The first two of these aspects of security are civil functions whereas the third takes recourse to warfare to perform its role. The distinction to note here is that the civil functions of socio-political and economic security of a nation is bound by inter-state ideological differences, geo-political adversities, competition for resources and business rivalries - all aimed at extracting more and more self-advantages. This is a continuous process. Military security, on the other hand, is an extreme step that is performed as a last resort to force the adversary to desist from his unbearable animosity either by threatening to, or by actually inflicting physical punishment on him. For the intervening periods of no-war, the purpose of the military institution is to prepare for that extreme eventuality called ‘war’. This distinction between the civil and military functions of national security influences the domain of the cyber-space just as it does in others domains of competition and conflict; it has universal applicability.
Appreciation of the afore-stated distinction is more relevant in the Indian context. This is so because in the Indian dispensation, military power is not seen as a fulcrum of nationhood as it is in the case of America or China and a host of other countries. Recognition of the distinction would obviate emergence of discrepancies between the civil and military functions that is caused by use of undefined phraseology like ‘cyber security’, ‘cyber-attack’, ‘cyber warfare’ etc.; our cyber policies must clearly convey as to what is intended to be accomplished.
Cyber Security and Cyber Warfare
In general, civil functions of national security involve fierce inter-state machinations that are marred by economic usurpation, industrial espionage, technology denial, geo-political ganging etc. – all carried out under a façade of civility. These machinations, vicious as these may be, are yet not described as ‘warfare’ simply because there is no element of force-imposition here. In the civil domain therefore, cyber-intrusions, disablers, corrupters, theft, sabotage etc., and the counter-measures against these, may not be termed as cyber warfare. Conversely, ‘cyber warfare’ is a military function and its prosecution is but a military operation, to be conducted in the spirit of extreme measures - just as it is in the case of conventional, sub-conventional or nuclear warfare. Notably however, when it comes to cyber security skills and resources, there is near-total commonality between the civil and military domains. In view of these subtle-yet-salient distinctions, formal apportionment between the civil functions of ‘cyber security’ from its military counterpart, ‘cyber warfare’, is obligatory to obviate emergence of policy irrationalities.
Civil Functions of Cyber Security
Civil functions over the cyber-space have four denominators :-
The burden of cyber security is driven by inter-state political and ideological differences, competition for resources including ‘knowledge’ itself, business rivalries and even terrorism. Accordingly, civil functions of cyber security aim at securing the cyber-space in a manner as to prevent inimical acts of the following kinds :-
Cyber-threat in civil domain may emanate from foreign or domestic sources, both adversarial or friendly. These sources could be state intelligence agencies, economic and technological competitors, foreign military establishments as part of their war preparedness, and lastly, rogue non-state elements perpetrating acts of cyber-terrorism. The threats are characterised as follows:-
Notably, in the matter of cyber security, only a thin line separates the passive and defensive measures with the active and offensive ones. Therefore, there must be a strong pro-active as well as reactive element of offensive built into the civil functions of cyber security. However, in instituting these measures, the problems of role-overlap and mix-up of organisations would arise. It would therefore be necessary to formally define the civil functions of cyber security activities to distinguish these from their more intense and destructive military counterpart, and so obviate defocus and redundancy. This end could be met through promulgation of a comprehensive ‘National Cyber Security Protocol’ (NCSP), a part of which may remain confidential.
Cyber Security Mechanisms
Considering India’s policy orientations, protection of the cyber-space from manipulations and intrusions from inimical parties would mostly be sought to be achieved through passive measures; execution of pro-active disabling actions seems to be rather farfetched in our context. Accordingly, the civil functions of cyber security in our context would involve the following mechanisms:-
It will be noticed that first of the three mechanisms involves adoption of pre-emptive and retaliatory counter-measures. The problem, however, is that in the cyber domain, defensive actions come the cropper unless coupled with pre-planned, debilitating cyber-intrusions. Therefore, notwithstanding any reluctance over policy endorsement, the mechanism must have an element of pro-active offensive to be able to warn and respond to an impending cyber-attack. The other two mechanisms are skill, process and resource intensive in nature. Obviously, all three mechanisms have to be operative at full gear at all times.
For judicious and overarching control over these complex and widespread mechanisms, India will have to go beyond just promulgating rhetorical cyber security policies. Indeed, formal enunciation of an elaborate NCSP would meet that end. Further, to implement and control the NCSP, it would be sensible to construct an organisation, duly empowered in terms of authority over policy direction, coordination, legal scrutiny and enforcement across the public as well as private sectors.
Cyber Warfare in the Military Domain
In the military domain, operations that are undertaken to gain information superiority fall under the ambit of ‘Information Warfare’ (IW). Within that ambit, offensive and defensive ‘Information Operations’ (IO) are waged by means of weaponised intervention, electronic warfare etc., ‘cyber warfare’ being one such mean that is prosecuted in the cyber-space. Cyber warfare therefore is truly a ‘military operations of war’, to be conducted as an element of offensive and defensive IO, and waged in the same spirit of ultimate measures. It is distinguished by predominance of offensive content and is to be prosecuted through military-dedicated IT-based satellites, data warehouses, maps, communication net-works, GPS, UAV, AWACs, PGM etc. However, while civil functions are to be operational at all times, the military function during peace-time is to prepare and test continuously, letting go at war-time to disable the opponent’s military, quasi-military and civil infrastructure. Herein lies the distinction between the civil and military functions of cyber security. Conversely, there are many commonalities between the two functions with respect to the above discussed civil cyber security mechanisms as well as the software skills, hardware and processes.
Objectives of Cyber Warfare
The purpose of cyber warfare is to degrade the adversary’s surveillance, reconnaissance, command, control, communication and intelligence systems through cyber-attacks on his operational nerve centres. These are ‘disabling’ attacks which must be complemented with ‘disorienting’ attacks which are aimed at registration of false information to the enemy and make him 'see' non-existent battle groups, missiles, bridges, etc, thus inducing him into irrelevant committal of his forces. The combined result is expected to lead to disruption and dislocation of the enemy’s orchestration for war.
As an element of IO in defensive as well as offensive modes, cyber warfare would focus upon the following aspects: -
The Regime of Cyber Security
Most advanced countries have instituted robust mechanisms to protect their cyber domain. In this respect, USA enjoys overwhelming superiority even if she takes care to keep her elaborate activities under wraps. Besides passive measures, she secures her cyber-space by technology driven barrage of highly complex cyber-intrusions and backs it up with deliberate enticement of cyber-attacks from adversaries and friends alike to break into their algorithm. To do so, civil and military functions of cyber security are seamlessly enmeshed to produce the best results, cyber- attacks like ‘Gauss’, ‘Stuxnet’, ‘Duqu’, ‘Flame’ etc. being a few known ones. China, on the other hand, depends upon her innovative mass of cyber operatives, reportedly two million strong, to support her cyber security regime, much of which is committed on internal surveillance and the rest being devoted to intrusive hacking. The score for the European nations stands even despite many reported hacking attacks from China and Russia, not to speak of their all-weather ally, the US. In any case, not being at the centre-stage of global circus, the European stakes are mainly limited to economic cyber-assets.
India is a novice in comparison, even if there have been some tentative attempts made to venture into the realm of cyber security. These attempts are however, more or less confined just to work-station access-denials, blocks against hacking and back-up storage. Whereas the private sector has taken few baby-steps to maintain a facade of security of its IT-based assets, the state, nonplussed as it seems to be in the matter, is not motivated enough to proceed beyond promulgating a policy-outline that cries out for more serious substance. Of course, certain laudable efforts have been made in the Government’s intelligence set up and the ‘Department of Electronics and Information Technology’, but these are individual rather than institutional initiatives, and therefore confined just to specific bands of the threat-spectrum.
A Structure for Cyber Security
Having discussed the functions of civil cyber security and military cyber warfare and the differences as well as commonalities between the two, it becomes apparent that: One, there would have to be a substantial degree of congruence of resources and efforts in protecting the Indian cyber-space; and Two, when it comes to prosecution of cyber warfare, it would have to be a purely military venture. Thus appears the necessity for an apex body to coordinate these primary and secondary functions at the national level. Accordingly, we may conclude the discussion with a brief look at some of the measures that might afford the desired level of protection to the indigenous cyber-space. These measures could be:-
Conclusion
The stage when creation of cyber-assets becomes contingent upon its robust protection has arrived in India. It is time therefore to accord high priority to cyber security even if it means some compromise with proliferation of the nation’s cyber domain. The foremost consideration in seeking that end is that if our cyber security has to remain inviolable, the security measures have to be tailored to Indian conditions and devised by native genius. This consideration further reinforces the cause of formal apportionment of roles and responsibilities between the civil and military functions of cyber security.
Links:
[1] https://www.vifindia.org/article/2014/february/07/dimensions-of-cyber-security-in-india
[2] https://www.vifindia.org/author/lt-gen-retd-gautam-banerjee
[3] http://1.bp.blogspot.com
[4] http://www.facebook.com/sharer.php?title=Dimensions of Cyber Security in India&desc=&images=https://www.vifindia.org/sites/default/files/DRDO-developing-IndianOS-to-Harden-Cyber-Security.jpg&u=https://www.vifindia.org/article/2014/february/07/dimensions-of-cyber-security-in-india
[5] http://twitter.com/share?text=Dimensions of Cyber Security in India&url=https://www.vifindia.org/article/2014/february/07/dimensions-of-cyber-security-in-india&via=Azure Power
[6] whatsapp://send?text=https://www.vifindia.org/article/2014/february/07/dimensions-of-cyber-security-in-india
[7] https://telegram.me/share/url?text=Dimensions of Cyber Security in India&url=https://www.vifindia.org/article/2014/february/07/dimensions-of-cyber-security-in-india