Recent developments in India’s space policy including Mission Shakti, India’s first anti-satellite weapon testing is indicative of the states growing concern into contemporary threats to the state; India is ranked among the 15 least cyber-secure countries in the world from the list of 60 countries. To this end, the Prime Minister announced the setting up of three new tri-service agencies, for Cyber Warfare, Space and Special Operations, at the Combined Commanders’ Conference in Jodhpur last year.
In this post we will mainly deal with the third tri-service agency, the Defence Cyber Agency, which is setup to work in conjunction with the National Cyber Security Advisor. Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its Tri-service nature means that it would include as many as 1000 personnel from all three branches, the Army, Navy and the Airforce. Rear Admiral Mohit Gupta has been appointed to be the first head of the DCA.
Current Legal Framework
The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cyber security, and those focusing on the military cyber security.
The National Cyber Security Policy was adopted by the Government of India in 2013 to ensure a secure and resilient cyberspace for citizens, businesses and the government. This policy was launched to integrate all the initiatives in the area of Cyber Security and to tackle the fast-changing nature of cybercrimes. Initiatives such as setting-up the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC), and creating sector specific Computer Emergency Response Teams (CERT) were implemented under the policy.
The Indian Computer Emergency Response Team (CERT) is an office within the Ministry of Electronics and Information Technology. It is the national nodal agency for responding to computer security incidents as and when they occur. It deals with mostly civilian threats by issuing guidelines, vulnerability notes, and whitepapers relating to security practices as well as providing a point of contact for reporting local problems.
Cyber-Security concerns in India
The 2019 Global Risk Report highlights India’s history of malicious cyber-attacks and lax cybersecurity protocols which led to massive breaches of personal information in 2018. It also specifically mentions the government ID database, Aadhaar, which has reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that individuals were selling access to the database at a rate of 500 rupees for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.
The Digital India initiative has resulted in a boom in the internet usage in the country. However, due to the lack of proper security protocols in place, there have been an estimated 700 hacks into state and central governments websites, as was reported in Lok Sabha. Additionally, in January of 2017, the National Security Guard page was hacked by suspected Pakistan based operatives who then went on to post anti-India content on it. The need to prevent such attacks on Indian websites has been a matter of debate since 2016, following the hack of the IRCTC website.
While some aspects of cyber security are easy to classify, such as the breach of IRCTC being a civilian breach and hacking the website of the National Security Guard being a military breach, other potential cyber threats could fall within a grey area.
Defence Cyber Agency
The lacuna which the Defence Cyber Agency seeks to fill, exists in the realm of military cyber security. It is currently governed by the Defence Intelligence Agency (DIA) which operates under direct control of Ministry of Defence and focuses on the international offensive and defensive capabilities of the state. It is the nodal agency for all defence related intelligence.
The formation of the Defence Cyber Agency, is supposedly meant to combat the current threat of foreign hackers from nations such as China or Pakistan, who could attack India’s digital infrastructure using Cyber warfare. The new agency could potentially set up the roadmap for the future of India’s cyber security specifically, by combating threats made to military targets.
A common feature of many military agencies is the lack of legislative clarity; in the absence of a clear and coherent policy document or a parliamentary enactment to this effect, the parameters on which the domain of ‘military cyber security’ is demarcated remain unclear. The definition of ‘military’ in this case could potentially be based on the nature of the target (IRCTC hack vs. NSG hack) the origin of the threat (geographical location or the nationality of the perpetrator) or even the source of the threat (China/Pakistan or amateur domestic hackers).
The Agency is expected to follow a decentralized structure where the bulk of the agency will be focused into smaller teams, spread around the country, with the command center in Delhi. It also aims at putting dedicated officers in major headquarters of the tri-forces to deal with emerging cyber security issues.
One of the main takeaways from the setting up of this agency is the inter-service cooperation between the Army, Navy and the Airforce. The move is also in keeping with the Joint Training Doctrine Indian Armed Forces, of 2017, which seeks to foster ‘Synergy’ and ‘Integration’ amongst the three Services and other stake-holders leading to an enhanced efficiency and optimum utilisation of resources.
Since the new agency will fall under the purview of the Ministry of Defence, the precise mandate and composition of the DCA are not clear at this point. After its formal inauguration, which is supposed to happen sometime this month, it is possible that people will have a better idea of the agency’s role and functions in maintaining India’s cyber defences.
A key issue, which has not been addressed so far remains the need to employ experts in the field of cyber-security. While the new agency is projected to employ over 1000 personnel from the three services, employing personnel with sufficient technical knowledge will be difficult, owing to a general lack of qualified personnel in this field. Additionally, with the boom in the cyber security market, the DCA would not only have to contend with private players in the domestic markets in attracting qualified talent, but also face stiff competition from international players in the scene.
In addition to setting up the DCA, it is also important that all three services take this opportunity to better train existing personnel in basic cyber security practices, including staff which is not specifically deployed to the DCA.
It is hoped that the formation of such an agency will not only improve India’s cyber security but also bolster its international reputation in terms of digital safety. The creation of this new agency highlights the weaponization of cyberspace as a tool of modern warfare, and also the importance of data and information sharing between the three services in order to better protect the nation.