On 28 July 2020, the Ministry of Defence (‘MoD’) uploaded the second draft of the Defence Procurement Procedure 2020 (‘DPP 2020’), now renamed as the ‘Defence Acquisition Procedure 2020’ (‘DAP 2020’) on its website, inviting comments and suggestions from interested stakeholders and the general public.
CCG submitted its comments on the DAP 2020 underscoring its key concerns with this latest iteration of the MoD’s policy for capital acquisitions. The comments were authored by Gunjan Chawla, with inputs and research from Sharngan Aravindakshan and Vagisha Srivastava.
Our comments to the MoD are aimed at:
(1) Highlighting certain points in law and procedure to refine the DAP 2020 and facilitate the building of a more robust regulatory framework for defence acquisitions that contribute to the building of an Aatmanirbhar Bharat (self-reliant India).
(2) Presenting certain legal tools and frameworks that remain at the Ministry’s disposal in this endeavour geared towards a thorough preparation for the defence of India, in tandem with the envisioned goal of the National Cybersecurity Strategy 2020-2025 [currently being formulated by the office of the National Cybersecurity Coordinator (‘NCSC’)] to build a cyber secure nation.
Other than this broader objective of formulating a clear, coherent and comprehensive policy for acquisition of critical technologies to strengthen India’s national security posture, our comments are intended to contribute meaningfully to the building of legal frameworks that enable enhancing the state of cybersecurity in India generally, and the defence establishment and defence industrial base ecosystem specifically.
The comments are divided into five parts.
Part I introduces the scope and ambit of this document. These comments are not a granular evaluation of the merits and demerits of every procedural step to be followed in various categories of defence acquisitions. Here, we broadly trace the evolution of the structure, objectives and salient features of India’s defence procurement and acquisition policies in recent years. The scope of the comments are restricted to those features of the DAP that are most closely related with or have implications for the cybersecurity of the defence establishment. In this regard, we note the omission of Chapter X on ‘Simplified Capital Expenditure Procedure’ from the text of the draft DAP document as a serious error that ought to be rectified at the earliest opportunity.
Part II deals with the cybersecurity and information security in the acquisitions process generally, as this is a concern that must be addressed irrespective of the procedural categorisation of a particular acquisition. The inherently sensitive and strategic nature of defence acquisitions demands that processes and procedures be formulated in a manner that prevents any unwarranted leakage of information at premature stages in the acquisition process. Herein, we recommend that:
- The DAP 2020 should carefully distinguish between the terms ‘information security’ and ‘cyber security’, and refrain from using them interchangeably in policy documents.
- Demand a full disclosure of the history of cyber-attacks, breaches and incidents suffered by the vendor company (and related corporate entities) prior to the signing of the acquisition contract. This should be supplemented with a good faith disclosure of incidents where the cyber infrastructure or assets of the vendor company may have been used, with or without proper authorization, in the conduct of a cyber breach or other incident including attacks or exploits or other violations of digital privacy and human rights.
As discussed in the comments, this line of inquiry would further India’s adherence to at least three of eleven voluntary, non-binding norms on responsible state behaviour in cyberspace articulated in the 2015 Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the context of International Security.
- Designation of online procurement portals as ‘Critical Information Infrastructure’ and/or ‘Protected Systems’ within the meaning of Sections 70 and 70A of the Information Technology Act, 2000.
Part III of the comments focuses on issues in the acquisition of information and communications technologies (ICT) and cyber systems. All suggestions and comments included in this Part are aimed towards ensuring that our vision of Aatmanirbhar Bharat (self-reliant India) is also a sustainable one.
Key recommendations presented in this part include:
- Clearly defining the terminologies used with regard to the ‘cyber domain’ in Chapter VIII, such as ICTs/cyber systems in order to bring more clarity to the procurement process, as well the scope and ambit of the DAP document.
- In these definitions and classification, distinguishing both ‘cyber weapons’ and ‘cyber physical weapons’ from cyber systems for command and control or C4I2SR, as well as ‘cybersecurity products and services’, which are essential to protect the confidentiality and integrity of sensitive government data across various ministries from external threats.
- The MoD should clarify the scope and ambit of the DAP and the DPM and the extent to which they apply to various categories of IT, ICT and cyber systems.
- The defence budget dataset should be re-assessed to evaluate the ratio of revenue expenditures to capital expenditure alongside an assessment of the contribution of capital expenditures incurred over the years to capital assets owned by the armed forces and that portion of capital expenditure that is diverted towards maintenance, upkeep and life cycle costs of equipment as per the CBRP model.
Further building on the issues that have been highlighted in the previous sections, Part IV delves into the broader legal and Constitutional framework applicable to procurements generally, and defence acquisitions specifically.
Herein, we propose opening up a discussion on opportunities and challenges in strengthening Parliamentary oversight over the defence acquisitions. Given the huge sums of public funds that are involved in defence acquisitions, ensuring accountability and integrity in these processes is of paramount importance.
We note that the Defence Acquisition Procedure as well as the Defence Procurement Manual are internal guidelines issued by the Ministry of Defence as policy directives to be followed as matter of the Executive’s internal administration and so far, do not enjoy legislative backing through an Act of Parliament. Accordingly, this section presents a brief overview of current processes and mechanisms in this regard, and recommends that:
- This defect in the DAP ought to be remedied on a priority basis, drawing on the Constitutional authority vested in Parliament pursuant to Article 246 read with Schedule VII, List I Entry 1 to enact laws ‘for the preparation of defence of India’.
Part V concludes the major findings and recommendations of this submission.
The comments can be accessed here on CCG’s Blog.