The US-Russian meeting in Geneva on 15 June signified an attempt by both sides to arrest the pace of a worsening relationship. The US, as the aggrieved party, accused the Russians of cyberattacks. US President Joe Biden handed over a list of 16 ‘critical infrastructure’ entities and warned that if they were attacked, the US will respond in a ‘cyber way’. Russian President Vladimir Putin denied culpability for any attacks and held the US responsible for several malicious cyber campaigns in Russia. Both parties have, however, agreed to the creation of working groups for urgent arms control and cyber issues.
Cyber now sits alongside nuclear threats, and it is definitely a promotion in the value chain of strategic affairs. The US is concerned and there are good reasons for it. India should be too.
On 23 March 2021, in response to a question in the Lok Sabha on cyberattacks, the Narendra Modi government, replied that the Indian Computer Emergency Response Team (CERT-In)had reported and tracked 3,94,499 and 11,58,208 cyber security incidents during 2019 and 2020 respectively. But without an accepted definition of ‘cyber incident’, it is impossible to discern the scale and nature of the attacks.
Offence is the best defence
Dependency in strategic affairs is a vulnerability that adversaries can exploit. The US’ dependency on cyberspace as an enabler of most of its critical functions is also its vulnerability. It is not surprising that its major adversaries, Russia and China, are attempting to exploit this. On the other hand, both Russia and China have the same dependency and therefore there is mutual vulnerability. Yet cyberattacks continue on a daily basis across the globe. Primarily, because it has deniability and cyberspace is largely ungoverned. Deniability pervades the nature of cyber activity and cannot be wished away. International governance of cyberspace, which is also linked to satellites, seems to be doomed to remain beyond the pale of regulation by international law. Even then, regulated compliance cannot be monitored or verified due to the potential of deniability. The promotion of cyberspace is highly beneficial to all nations. India is no exception and for a developing power like us, it is inescapable.
Cyberattacks on India’s Critical Infrastructure (CI) have been on the rise. Though no official figures are available, many reports indicate that with the intensifying China-India border tensions, there has been a surge in cyberattacks. On 12 October 2020, a month and a half after India surprised China by occupying the Kailash Ranges in Ladakh, a major power outage occurred in Mumbai. In March 2021, Maharashtra Energy Minister Anil Deshmukh confirmed that the state cyber agency investigations revealed that insertion of malware caused the cyberattack. He also affirmed reports of China being responsible. However, the Union Minister in charge of Power R.K. Singh while admitting that cyberattacks on three grids were thwarted, attributed the Mumbai outage to human error. Subsequently, reports indicated that cyberattacks had been attempted on at least ten assets that included power generation and ports. The Union minister’s obfuscation could have implications for the messaging regarding India’s political will, and weakens deterrence. The perpetrator could study India’s reaction and play the next round accordingly, which may be just a matter of time.
Cyberattacks are actions that target computer information systems/infrastructure/computer networks/personal computer devices, using various methods to steal, alter or destroy data or information systems. By conflating the complete spectrum of inimical cyber actions that could range from minor to major, irrelevant to lethal, criminal to political, the figures given by the minister in the Lok Sabha, conceal from the public the ones that could be of serious national security concern. Two issues emerge here.
First, it appears that India has built quite a capability for early warning of cyberattacks. This increases the possibility to undertake counteractions to mitigate the impact. But essentially, cyber defence is a challenge that cannot possibly keep up with the potential of cyber offence. In a democracy, the odds are further skewed. In India, the sheer numbers involved, and profusion of computer device usage are coupled with weak cyber security hygiene to make formulating an effective cyber defence a challenge. And a cyber offensive enjoys formidable advantages. It can be undertaken by teams that can range from individuals to organisations that are backed and resourced by the State. It is also far cheaper to build offensive capability. The nature of the cyber environment favours the offensive and that is unlikely to change. The major point that emerges is that in cyberspace, offence is the best defence.
The second issue is that retaliation requires intelligence on who is the perpetrator, which may not be easy to identify except when the attack has political objectives and is undertaken by State or non-State actors. The Mumbai cyber-attack and other attempts during the period of border tensions with China makes identification of the perpetrator somewhat easier even though the possibility of providing proof may be minimal. In any case, internationally, cyberspace remains ungoverned, so the requirement of providing proof does not arise. Politically, once culpability for an attack is known, the question is what action the State takes, and that requires a strategic approach. It is feasible that India has retaliated through cyber means and the ‘policy’ dictates that deniability be maintained. Such an approach is understandable and acceptable. The policy provides space for the government to either react or not, also whether to publicise the reaction or not. Reaction primarily depends on answers to the question that must be posed following an attack – so what?
Given the existing state of affairs, what could have been intent of the Mumbai cyberattack? It could have been to create a psychological impact by exposing India’s vulnerability in cyber space. It could have been to remind India’s political leadership that China has the potential to cause more harm. It could be part of China’s larger psychological game that pushes the narrative – “I am the strongest and therefore subordination is inevitable.” India will never know for sure, but it must consider the matter not as a standalone issue but work out how it fits into the existing dynamics of the larger China-India relationship.
A weak image
The important point to note is that cyber power has to be a team player among other instruments of statecraft, if coercion is being attempted. By itself, it is limited in scope. Mumbai and other cyberattacks on critical infrastructure may harbour a strategic message but may also serve to strengthen cyber security through lessons learnt. Even in the military context, if China launches a cyberattack on military systems in Ladakh, it can profit only if it is followed up and accompanied by military actions that occupy territory and thereafter hold it with infantry that has to dig down and protect themselves in defensive positions. More importantly, such cyberattacks must be compatible with advancement of political objectives.
Deterrence in cyberspace, like in other domains, is based on projection of image. India’s image as a cyber power seems to be in need of an urgent makeover. Harvard Kennedy School’s ‘National Cyber Power Index 2020’ assesses the capabilities and intent of 30 countries expressing ambitions to acquire and project ‘cyber power’. India was ranked 21. The US and China ranked first and second. Israel’s low ranking is certainly an anomaly and India’s ranking too has been questioned. It is ironic that India has not been able to catalyse its considerable capabilities in information technology towards strengthening its defensive and offensive capability and projecting an image that strengthens cyber deterrence. Capabilities probably exists, but New Delhi needs to improve its strategic communications. Although a cyber security policy was publicised in 2013, the follow-up looks tardy.
A National Cyber Strategy has been in the works for several years, but there is still no sign of it. Perhaps it is awaiting the finalisation of the National Security Strategy, since it must flow from it. Hopefully, the national strategy will privilege the offensive cyber capabilities and back it with a doctrine for retaliation. Currently, it seems that the doctrine prefers the ‘Ostrich’ approach – ‘nothing has happened’. This approach sounds increasingly familiar in the context of China-India relations and runs parallel to the patently misleading statements regarding the loss of territory.
India cannot afford to delay the formulation of its cyber strategy and doctrinal guidance towards enhancing its cyberspace capabilities. The image of weakness that prevails now is an open invitation for exploitation by our adversaries. It is a serious national security risk.
Lt Gen Prakash Menon (retd) is Director, Strategic Studies Programme, Takshashila Institution, and former military adviser, National Security Council Secretariat. He tweets @prakashmenon51. Views are personal.