Two things set aside India’s digital spaces from that of major powers such as the United States and China: design and density. India is a net information exporter. Its information highways point west, carrying with them the data of millions of Indians. This is not a design flaw, but simply reflects the popularity of social media platforms and the lack of any serious effort by the Indian government to restrict the flow of data. Equally important is the density of India’s cyberspace. Nearly 500 million Indians use the Internet today, but they do not access the Internet from the same devices. Apple’s market share in the U.S., for instance, is 44 per cent, but iPhones account for less than 1 per cent in India. The massive gap between the security offered by the cheapest phone in the Indian market and a high-end smartphone makes it impossible for regulators to set legal and technical standards for data protection.
With little control over the hardware used by Indian Internet users as well as the information that is carried through them, India’s national security architecture faces a difficult task in cyberspace. India’s infrastructure is susceptible to four kinds of digital intrusions: espionage, which involves intruding into systems to steal information of strategic or commercial value; cybercrime, referring to electronic fraud or other acts of serious criminal consequence; attacks, intended at disrupting services or systems for a temporary period; and war, caused by a large-scale and systematic digital assault on India’s critical installations.
Indian authorities have spent the lion’s share of their resources tackling localised cybercrime while responding to major attacks on a case-by-case basis. Recognising the strategic dimensions of cyberspace, the Prime Minister’s Office (PMO) created the position of the National Cyber Security Coordinator in 2014, a welcome first step. There is, however, no national security architecture today that can assess the nature of cyber threats and respond to them effectively. India’s civilian institutions have their own firefighting agencies, and the armed forces have their own insulated platforms to counter cyber attacks.
Unlike nuclear energy, a neat division between civilian and military use of cyberspace is difficult. Just as the Indian Army may face serious cyber attacks from non-state actors in Pakistan, the digital assets of a major Indian conglomerate — say, the Oil and Natural Gas Corporation — may be taken down by a military. The asymmetric character of digital warfare requires a multi-agency organisation that is technically equipped, but also bases its decision on sound strategy and regular policy inputs.
What could such an agency look like? The first requirement is to house it with permanent and semi-permanent staff that is technically proficient in cyber operations, both defensive and offensive. India faces a shortage of officers trained in creating and breaking encrypted platforms as well as using digital networks for intelligence gathering. Were such a National Cyber Security Agency (NCSA) to be created, it should have a functional “nucleus” or secretariat. The second requirement is to coordinate the agency’s policy functions and operations. The current cybersecurity policy, articulated in 2013 by the Ministry of Communications and Information Technology, is basically a statement of first principles. The NCSA should be guided by a document outlining India’s cyber strategy, much like its nuclear doctrine.
India currently has a top layer of agencies performing cyber operations — the National Technical Research Organisation, the National Intelligence Grid, and the National Information Board, to name a few — but there is also an additional layer of ministries performing governance functions. The Ministries of Defence, Home, External Affairs and IT should be part of a policy wing that provides their assessments of local and regional developments. India’s intelligence agencies should separately provide their consolidated inputs to aid the operations of the NCSA.
Last, India should not hesitate to build its offensive cyber capabilities. This would involve the development of software designed to intrude, intercept and exploit digital networks. The deployment of cyber weapons is not a low-cost affair, as the digital trail allows adversaries to track and possibly predict the development of future technologies. Nevertheless, a cyber arsenal serves the key function of strategic deterrence. India’s cyber command should be the primary agency responsible for the creation and deployment of such weapons.
Given the power entrusted in such an agency — as with India’s nuclear command, it would report to the PMO — it should have political or parliamentary oversight. In particular, the use of its capabilities against Indian citizens or domestic networks must be guided and supervised by a legal framework.
A fully operational cyber command will take years to complete. It is the need of the hour, given that India’s digital capabilities lag significantly behind regional and global players. Whatever final form India’s cyber command takes, the government would do well to pursue a two-pronged strategy in the interim. First, advocate restraint in cyberspace as a global norm. India is an active participant in discussions around the Tallinn Manual, which is a set of non-governmental guidelines for engagement during war. A group of government experts will convene later this year under the aegis of the UN — India is expected to be at the table — to discuss norms that trigger cyber war. At these forums, India should underline the basic premise that it is impossible to thwart all cyber attacks, and therefore encourage nation-states to restrain from deploying cyber weapons. Second, the government should draft recruitment guidelines to hire and train a cadre of cyber specialists. Attracting such officers may require high pay scales and other benefits — a model the U.S. has aggressively pursued — but they would bring in India’s best minds. If India’s cyberspace has built-in vulnerabilities, it also has a highly skilled IT workforce, which should be harnessed by the government for strategic use.
(Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi.)