Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

  1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.[1] However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics.

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner that prioritizes commercial revenues over the reliability and integrity of the information that is consumed.

These incentive structures have become fertile ground for influence operations, which are increasingly shifting to cyberspace. In fact, these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

  2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, it is not persuaded that “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of the sovereignty principle to influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when it results in “physical damage or injury” or the remote causation of “loss of functionality” of infrastructure in the target state, or when it interferes with or usurps inherently governmental functions. However, there was division among the experts on the threshold which would amount to violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of the Tallinn Manual were also not able to reach consensus on whether cyber influence operations violate notions of territorial sovereignty of nation states.

The other touchstone to test cyber influence operations is the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” The authors of the Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that doxing operations disclosing crucial confidential information at crucial moments before national elections, as well as disinformation campaigns involving overt acts from fake accounts, are serious, and that classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed by some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. The UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”.

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

  3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when, first, it has a bearing on matters which by principle the state can decide freely and, second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State”.

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. First, the content of the categories, i.e. the internal and external affairs of the state, is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, influence operations do not merely mean ‘international interest’ from a particular state. Influence operations, more often than not, are clandestine operations by States, designed to meddle with the internal affairs of the country, which shows a hint of militant democracy.

Second, Hollis argues that influence operations do not meet the criteria of coercion as narrowly defined in international law. The Tallinn Manual defines coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of an influence operation is to have the target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in the Tallinn Manual 1.0, where they observed that the prohibited forms of intervention include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

  4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State fall within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed that cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law, which have developed on the basis of kinetic conflicts, could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can be better examined through the lens of “self-determination” and the “duty of due diligence”, and that “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to the challenges posed by the traditional understanding of sovereignty and the principle of non-intervention, it is important to reexamine these concepts in the context of cyber influence operations and to apply them accordingly to address the concerns raised by such operations.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms, weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm, methods and ways of warfare are undergoing change. As internet technology develops, we observe the advent and use of cyber weapons to carry out cyber warfare.

Cyber weapons, built using technological know-how, are low-cost tools of warfare. Prominent usage of these tools is buttressed by the wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons, which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm, either by threat or material damage, using computer codes or malware.

2007 Estonia Cyber Attack

For example, the Estonia–Russia conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian-speaking population over this issue. On 26th and 27th April, 2007 the capital saw rioting, defacing of property and numerous arrests.

On the same Friday cyber attacks were carried out using low-tech methods like ping floods and simple Denial-of-Service (DoS) attacks. Soon thereafter, on 30th April, 2007, the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large-scale distributed denial of service (D-DoS) attacks to compromise 85 thousand computer systems and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM, i.e. the High-speed Anti-Radiation Missile. It is a tactical air-to-surface anti-radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once the radar is visible and identified as hostile, the missile will reach its radar antenna or transmitter target and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian air defence system by blinding it. It attacked their radar station so that it would not display any information about airplanes to its operators.

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws in international law to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons. To answer this question we can look at a specific branch of public international law, namely International Humanitarian Law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad bellum – the principle which determines whether countries have a right to resort to war through an armed conflict,

Jus in bello – the principle which governs the conduct of the countries’ soldiers/States themselves which are engaging in war or an armed conflict.

Both principles are subjected to the Hague and Geneva Conventions with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva Conventions are for situations concerning injuries, death, or in some cases damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horse, bugs, D-DOS, malware, HARM etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon, their use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is the Martens Clause. This clause says that even if some cases are not covered within conventional principles, principles of humanity and principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of international law. Which means that attacks shall not see the effects but by how they were employed.

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering”.

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare are changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there are malware, bugs, D-DOS etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because they limit the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons.

Another parallel is that in cyber attacks there is often unnecessary suffering and discrimination in proportionality, and the same goes for traditional armed conflict. Therefore, both should be governed by the principles of IHL.

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.


*The views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 4: Redefining National Security

Animesh Chaudhary*

About the Author: The author is a 2021 graduate of National Law University, Delhi. He is currently working at Rural Electrification Corporation Limited.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

“National Security” is one of the foremost concerns of any nation state. However, the meaning of this term has acquired an overwhelmingly military character over time. This military approach to national security follows the assumption that the principal threat to security comes from other nations. While such an understanding was suitable a few decades ago, health pandemics, climate change, technological changes etc. are challenging this notion today. This submission aims to identify the gaps in traditional understandings of national security and proposes redefining the concept.

This piece is divided into three parts: Part I looks at the traditional military approach to “National Security”. Part II analyses the need to update this traditional understanding. Part III identifies “Human Security” as a modern and suitable concept of national security.

Photo by MySecuritySign.com. Licensed via CC BY 2.0.

I. Traditional Military approach to “National Security”

The traditional approach has been to view “National Security” from a military lens i.e. ‘securing the nation from military threat’. The policy measures of nation States and many strategists have followed this understanding.

Weber found a monopoly on violence, allowing it to deal with internal or external military threats, as a crucial condition for the State. Similarly, James Baker notes that while no common definition of “national security” exists, the core issues which warrant national security treatment will primarily include nuclear attack, terrorist attacks and conventional attacks. “National Security” is also used to justify “the maintenance of armies, the development of new weapon systems, and the manufacture of armaments”.

In many ways, it can be easily understood how this understanding of national security developed. Wars in the 18th and 19th centuries were generally short. The security strategy in the past was focused mainly on “external military threats”, which consequently required corresponding military responses. However, in present times, such an understanding is inadequate.

II. Need to update the definition of National Security

 i)  Nature of threats is changing

Today, for most nations, the threat of military aggression has reduced considerably. Instead, nations have to face “environmental pollution, depletion of ozone, [global] warming, and migrations of refugees”[1] among others. Health issues such as the Coronavirus pandemic, changes in technology, or a spiralling economy as seen in many third-world countries are other threats to nations.

One of the greatest enablers of this change is technology. It is difficult to place technological threats within the traditional military approach to national security, yet it is undeniable that technological disruptions present great danger to the security of nations. The impact of technologies on the international security environment is all-encompassing.[2] These include both conventional changes like technological weapons, and non-conventional changes like cyber warfare.

ii)  Non-Military Threats can cause Military Conflict

Another reason for updating the present understanding of “National Security” is that a number of non-traditional threats can lead to military conflict. This makes it imperative for proactive policymakers to treat all such threats as National Security issues.

Scholars have studied resource conflicts, energy security, climate change and insecurity and tied them in with military conflicts. Some have found that “… water resource scarcity can be both the cause and the consequence of armed conflicts.”[3]

Proactive policymaking demands recognising such threats before they acquire a military character.

iii)  Conventional understanding of ‘National Security’ is narrow and patriarchal

If National Security means the security of a nation, it is imperative to define ‘nation’ first. While it is difficult to come up with a precise definition of a ‘nation’, it is submitted that any definition that does not take into account the people is narrow in scope.

In this context, national security fails to include everyday experiences of a significant population. Further, the current definition is patriarchal and excludes the experiences of women.

J. Tickner finds that the traditional perspective on security through a military point of view has marginalised or omitted women, which has resulted in a masculine and militaristic definition of National Security.[4] Women, on the other hand, have defined security as “absence of violence whether it be military, economic, or sexual.”[5] National Security, when understood as “absence of violence against people of the nation”, can then be extended to all other disempowered groups.

Similarly, the perception of security that many people of colour have in America does not align with the dominant definition of national security in America. In the Indian context, crimes against underprivileged groups are not considered a national security threat. Understood in these terms, it is clear that the traditional understanding does not cover the security threats faced by disempowered groups in a nation. A definition that does not take these threats into account is therefore severely lacking in scope, and needs to be updated.

III. “Human Security”- A Modern understanding of National Security

Put forth in 1994 by the United Nations Development Program, ‘Human Security’ very simply relates to the security of people. Erstwhile Prime Minister of Japan Obuchi Keizo called Human Security “the keyword to comprehensively seizing all of the menaces that threaten the survival, daily life, and dignity of human beings”.

In essence, Human Security puts “people first” and recognises that the security of States does not necessarily translate to security of the people in it.  This has been borne out of the events of the 20th century – world wars, multiple genocides, and the realisation that conventional notions of security need to be challenged when serious violations of rights occur.

The advantages of a human security understanding of national security are manifold:

i)   People first approach

The biggest advantage of this concept is that it puts people first in its definition of the ‘nation’. It recognises different forms of violence and threats that individuals face every day. It brings into focus “structural violence” i.e. “the indirect violence done to individuals when unjust economic and political structures reduce their life expectancy through lack of access to basic material needs.”[6]

Understanding National Security as “absence of violence for people in a nation”, also allows us to recognise new unconventional threats that arise in the 21st century.

ii)    Radically alters Public notions of Emergency and Urgency

There is normative value in recognising ‘Human Security’ as ‘National Security’. By recognising violence against individuals as national security threats, it sends a message that threats faced by individuals are the most important threats that any nation faces. It legitimises the security issues faced by groups that are not dominant in a nation.

“National Security” issues receive utmost urgency and importance in policy making. As Sachs notes, “Questions of “security” are often given pride of place before other potential policy concerns.”

This leads to a number of questions: why should emergency conditions and a sense of urgency be reserved only for military threats? Why should crimes against women be considered any less urgent in a country which reports 87 rapes per day? Why shouldn’t crimes against Scheduled Castes and Scheduled Tribes be considered as urgent? How do nations issue national or local emergency in times of military conflict, but go on about in a routine manner when extreme gender, social and economic injustices exist?

By equating human security issues with national security threats, it is these questions that we can answer adequately. Crimes against minorities, women and other groups, poverty, lack of access to healthcare and education, and other social, economic and environmental ills that plague nations have become normalised to such an extent that all these issues have become routine. The concept of ‘Human Security’ challenges this status quo.

iii)   Leveraging Public Trust

National Security threats often generate public trust and public consensus swiftly. Public trust is an important part of a democratic system,[7] while a lack of public trust is one of the biggest obstacles in governance. By recognising “Human Security threats” as “National Security” threats, this public trust can be leveraged to improve governance.

As Lester Brown notes, while responding to a national security threat, “the ‘public good’ is much more easily defined; sacrifice can not only be asked but expected, it is easier to demonstrate that “business as usual” must give way to extraordinary measures.”

If such consensus and unity could be achieved with respect to “Human security”, it would allow governance to take place a lot more efficiently.

Conclusion

The traditional understanding of National Security in terms of military threats to the State is no longer adequate in the 21st century. Today, ‘Human Security’ offers a more holistic understanding with its ‘people first’ approach. It recognises and legitimises the experiences of disempowered groups and challenges conventional notions of security.

Human Security offers multiple advantages as an analytical concept, and holds normative value by contesting the traditional understanding of a nation, urgency and emergency. The definition of Human Security is broad, but that acts as an advantage for it covers a wider range of threats, including the new threats caused by technology and climate.

This redefinition of ‘National Security’ does pose challenges relating to vagueness, increased powers of the executive, conceptual and funding issues, among others, but overall provides a strong base for policymakers to realign their priorities as per the requirements of today.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Kalevi J. Holsti, The State, War, and the State of War (1996), Pg. 15.
  2. Group Captain Ajay Lele, “Technology and National Security” Indian Defence Review Issue Vol 24.1 Jan-Mar 2009.
  3. Swain, A., 2015. “Water Wars”. In: International Encyclopaedia of the Social & Behavioural Sciences, 2nd edition, Vol 25. Oxford: Elsevier. pp. 443–447.
  4. Tickner J. A. (1997b), “Re-visioning Security”, in: International Relations Theory Today, eds. K. Booth, S. Smith, Polity Press Cambridge.
  5. Tickner, J. (1993). “Gender in International Relations: Feminist Perspectives on Achieving Global Security” Political Science Quarterly.
  6. J. Ann Tickner, “Re-visioning Security,” International Relations Theory Today (Ken Booth and Steve Smith, eds., 1994), p. 180.
  7. Beshi, T.D., Kaur, R. “Public Trust in Local Government: Explaining the Role of Good Governance Practices”. Public Organiz Rev 20, 337–350 (2020).

Technology & National Security Reflection Series Paper 3: Technology and the Paradoxical Logic of Strategy

Manaswini Singh*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

In the present essay, the author reflects upon the following question: 

According to Luttwak, “The entire realm of strategy is pervaded by a paradoxical logic very different from the ordinary ‘linear’ logic by which we live in all other spheres of life” (at p. 2) Can you explain the relationship between technological developments and the conduct of war through the lens of this paradoxical logic?

Introducing Luttwak’s Paradoxical Logic of Strategy

While weakness invites the threat of attack, technologically advanced nations with substantial investment in better military technology and R&D that are capable of retaliation have the power to persuade weaker nations engaged in war to disengage or face consequences. Initiating his discussion on the paradox of war, Luttwak mentions the famous Roman maxim si vis pacem, para bellum which translates to – if you want peace, prepare for war. Simply understood, readiness to fight can ensure peace. He takes the example of the Cold War to discuss the practicality of this paradoxical proposition. Countries that spend large resources in acquiring and maintaining nuclear weapons resolve to deter from first use. Readiness at all times to retaliate against an attack is a good defensive stance as it showcases peaceful intent while discouraging attacks altogether. An act of developing anti-nuclear defensive technology – by which a nation waging war may be able to conduct a nuclear attack and defend itself upon retaliation – showcases provocativeness on its part.

The presence of nuclear weapons, which cause large scale destruction, has helped avoid any instance of global war since 1945. This is despite prolonged periods of tensions between many nations across the globe. Nuclear weapons are an important reason for the maintenance of international peace. This is observable with India and its border disputes with China and Pakistan where conflicts have been frequent and extremely tense, leading to many deaths. Yet these issues have not escalated to a large scale or full-fledged war because of an awareness across all parties that the other has sufficient means to engage in war and shall be willing to use the means when push comes to shove. 

Using the example of standardisation of antiaircraft missiles, Luttwak points out that “in war a competent enemy will be able to identify the weapon’s equally homogeneous performance boundaries and then proceed to evade interception by transcending those boundaries… what is true of anti aircraft missiles is just as true of any other machine of war that must function in direct interaction with reacting enemy – that is, the vast majority of weapons.”

Image by VISHNU_KV. Licensed via CC0.

Luttwak’s Levels of Strategy

The five levels of strategy as traced by Luttwak are: 

  1. Technical interplay of specific weapons and counter-weapons.
  2. Tactical combat of the forces that employ those particular weapons.
  3. Operational level that governs the consequences of what is done and not done tactically.
  4. Higher level of theatre strategy, where the consequences of stand alone operations are felt in the overall conduct of offence and defence.
  5. The highest level of grand strategy, where military activities take place within the broader context of international politics, domestic governance, economic activity, and related ancillaries.

These five levels of strategy create a defined hierarchy but outcomes are not simply imposed in a one-way transmission from top to bottom. These levels of strategy interact with one another in a two-way process. In this way, strategy has two dimensions: the vertical dimension and the horizontal dimension. The vertical dimension comprises the different levels that interact with one another; and the horizontal dimension comprises the dynamic logic that unfolds concurrently within each level.

Situating Technological Advancements Within Luttwak’s Levels of Strategy

In the application of paradoxical logic at the highest level of grand strategy, we observe that breakthrough technological developments only provide an incremental benefit for a short period of time. The problem with technological advancement giving advantage to one participant in war is that this advantage is only initial and short-lasting. In discussing the development of efficient technology, Luttwak gives the example of the use of torpedo boats in warfare, which was a narrow technological specialisation with high efficiency. Marginal technological advancements of pre-existing tech are commonplace occurrences in militaries. The torpedo boat was a highly specialised weapon, i.e. a breakthrough technological development which was capable of causing more damage to larger battleships by attacking enemy ships with explosive spar torpedoes. The problem with such concentrated technology is that it is vulnerable to countermeasures. The torpedo boats were very effective in their early use but were quickly met with the countermeasure of torpedo boat destroyers designed specially to destroy torpedo boats. This initial efficiency and technical advantage and its ultimate vulnerability to countermeasures is the expression of paradoxical logic in its dynamic form. 

When the opponent uses narrowly incremental technology to cause damage to larger and costlier weapons, in the hopes of causing a surprise attack with the newly developed weapon, a reactionary increment in one’s weaponry is enough to neutralise the effects of such innovative technologically advanced weapon(s). The technological developments which have the effect of paradoxical conduct in surprising the opponent and finding them unprepared to respond in the event of attacks can be easily overcome due to their narrowly specialised nature. Such narrowly specialised new tech is not equipped to accommodate broad counter-countermeasures and hence the element of surprise attached with such incremental technology can be nullified. These reciprocal force-development effects of acts against torpedo-like weapons make the responding party’s defence stronger by increasing their ability to fight and neutralise specialty weapons. Luttwak observed a similar response to the development of anti-tank missiles, which was countered by having infantry accompany tanks.

Conclusion

The aforementioned forces create a distinctly homogenous and cyclical process which spans the development of technology for military purposes, and concomitant countermeasures. In the same breath, one side’s reactionary measure also reaches a culmination point and can be vulnerable to newer technical advancement for executing surprise attacks. Resources get wasted in responding to a deliberate offensive action in which the offensive side may be aware of defensive capabilities and is just aiming to drain resources and cause initial shock. This can initiate another cycle of the dynamic paradoxical strategy. Within the scheme of the grand strategy, what look like deadly and cheap wonder weapons at the technical level fail due to the existence of an active thinking opponent. These opponents can deploy their own will to engage in response strategies and that can serve as a dent to the initial strategic assumptions and logic.

In summary, a disadvantage at the technical level can sometimes also be overcome at the tactical level of grand strategy. Paradoxical logic is present in war and strategy, and use of technology in conduct of war also observes the dynamic interplay of paradoxical logic. Modern States have pursued technological advancements in ICT domains and this has increased their dependence on high-end cyber networks for communication, storage of information etc. Enemy States or third parties that may not be equipped with equally strong manpower or ammunition for effective adversarial action may adopt tactical methods of warfare by introducing malware into the network systems of a State’s critical infrastructure of intelligence, research facilities or stock markets which are vulnerable to cyber-attacks and where States’ inability in attribution of liability may pose additional problems.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 2: Sun Tzu’s Art of War: Strategy or Stratagems?

Manaswini Singh*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question:

Edward Luttwak critiques Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of ‘strategy’. Do you agree with this assessment? Why/ why not?

Introduction to Luttwak

Edward Luttwak in his book Strategy: The Logic of War and Peace discusses the conscious use of paradox versus the use of linear logical and straightforward military tactics as means of strategy of war. According to Luttwak, strategy unfolds in two dimensions i.e. the vertical and the horizontal dimensions. 

The vertical dimension of strategy deals with the different levels of conflict. Among others his work considers the technical aspect, the operational aspects, the tactical as well as strategic ones. The horizontal dimension of strategy is the one involving dealing with an adversary i.e. the opponent whose moves we seek to reverse and deflect. 

A grand strategy is a confluence of the military interactions that flow up and down level by level, forming strategy’s vertical dimension, with the varied external relations among states forming strategy’s horizontal dimension.      

While discussing the paradoxes inherent in war, he mentions the famous Latin maxim si vis pacem, para bellum which translates to – if you want peace, prepare for war. Simply understood, readiness to fight can ensure peace (Emphasis added). He says that situations of conflict tend to reward paradoxical logic of strategy which leads to lethal damage sometimes in defying straightforward logical action.

“Art of War” by Nuno Barreto. Licensed under CC BY-SA 2.0

Critiquing Luttwak’s Assessment of Sun Tzu’s Art of War

Sun Tzu’s military treatise the Art of War comprises chapter-wise lessons and basic principles discussing key war subject matters like laying plans, logistics of waging war, importance of a military general, the requirement of deception in war, resources, surprise attack, attack by stratagem, tactical dispositions, knowing the strength of one’s army in opposition to the other and attacking accordingly, preparedness for surprise, political non-interference in war chain of command, defense, quick and decisive attack, seeking victory as opposed to battle, use of energy to one’s advantage, managing the army, strengths and weaknesses, arrival on battle ground, opponent’s weakness, significance of secrecy and identifying weak places and attacking those. Secrecy and deception are crucial tactics of war for Sun Tzu, who goes so far as to say that all war is based on deception. 

Luttwak, on the other hand, finds deception and secrecy to be costly plans in armed conflicts. He discusses the Normandy surprise attack and the Pearl Harbor raid. The diversion created to mislead the opponent involves costs and diverts valuable resources when engaging in paradoxical action and maintaining secrecy of the actual plan of action, but he fails to acknowledge the success of these operations. Luttwak also fails to provide alternatives to those strategies which showcase a desirable end achievable by other better replaceable means, especially when deceptions proved effective.

In the example of the 1943 battle of Kursk, Luttwak himself negates his earlier claims of high-risk uncertain war tactics being more harmful than useful, by highlighting Stalin’s trust in the intelligence information received about the German attack. The Soviet leader, on deliberation, decided to take a defensive stance in the battle, giving the German forces an initial offensive advantage. But this defensive measure was taken to draw the Germans into a trap and to destroy their armors creating conditions for an effective counteroffensive by the Soviet army. The Chinese general’s principles of knowing one’s enemy favored the Russian leader immensely. Having a well-equipped and robust army, he ordered his men to surround and attack the Germans, giving effect to Sun Tzu’s principles. Luttwak seems stuck on the strategy of surprise attacking the weakest zone of the opponent while forgoing other lessons from Sun Tzu’s work on intelligence, importance of spies and knowing one’s enemies as well as we know ourselves.

In Luttwak’s view, operational risks and the incidence of friction will ultimately affect the combat by reducing effectiveness of manpower or resources. But when parties waging war are not on an equal footing of resources and manpower and combat risk is already high, operational risks may prove to be better chosen risks as compared to combat risks when outnumbered by the enemy’s weaponry and manpower. Meeting an opponent with equal strength and resources may be more common nowadays than it was in ancient times, and here is where Sun Tzu’s principles lose some contemporary application. But a dismissal of his principles as cheap tricks remains extreme. 

The Role of Diplomatic Engagement: A Blind Spot in the Art of War?

Luttwak emphasizes that strategy involves the existence of an adversary and recognizing the existence of another in one’s plan of war, and postulates that the Chinese system, now or historically, does not engage in this. The Chinese do not look into the enemy and decide their own actions in isolation. He alleges a lack of diplomacy in its historical events due to the geography which minimized interaction between kingdoms. His argument is that the Art of War was composed against the backdrop of a Chinese culture that flourished with jungles to the south, protected by the sea towards the east, the thinly populated areas of Tibet to its west and an empty northern border which was the entryway for infrequent invasions. 

According to Luttwak, intra-cultural conflict between kingdoms in this isolated culture hindered the advent of diplomacy in Chinese culture. Conversely, in Europe, the interaction between sovereign states arguably made strategies and elaborate planning a necessity. Adversarial logic is important for him in strategizing and in his opinion this was not present due to the lack of third party intervention in China, unlike Europe. He says Sun Tzu’s tactics work best intra-culturally because in dealing with foreigners, prediction becomes a more tedious and a less accurate task. But Sun Tzu himself stresses the knowledge of the enemy’s tactics to be an important aspect of strategy building by a general preparing for war. He has recognized the existence of an adversary and penned down military tactics that constitute the Art of War accordingly. The term ‘enemy’ in his treatise cannot be assumed to be exclusive of an enemy sovereign state.

Relevance of the Art of War in Modern Times

To Luttwak, Chinese geography did not facilitate diplomacy. But the researcher argues, geography plays an important role in strategizing as acting in accordance with terrain and natural forces is specific to the places. Sun Tzu’s ideas of utilizing the heaven (weather) and earth (terrain) to one’s advantage places importance on the geographical terrain and weather conditions in one’s favor. Principles cannot be dismissed as cheap tricks just because they were not formulated in the era of modern warfare between nation-states that are enabled by high technology, especially when these wars involve the existence of nuclear weapons and other high-tech means of warfare rather than mere low-tech close contact combat more prevalent in former times. Modern strategy promotes economic war rather than military wars. This may be the contextual limitation to the strict application of Sun Tzu’s principles in modern contexts. But reliance on infantry as a method of warfare is also resorted to in armed conflict and Sun Tzu’s writings cannot be held obsolete in this regard.

Sun Tzu promoted non-interference of the sovereign in the General’s command of war, so as to prevent confusion in the minds of troops with regard to the chain of command. Contemporary developments in international politics create a heavy political and bureaucratic influence on military strategy; and war and politics are intertwined so deeply in the relations of States that this aspect of Sun Tzu’s principles seems irrelevant. But to the extent that we are concerned with the ground level operational chain of command, it must still be vested in the capable hands of military strategists and commanders of forces with minimal interference by members of political parties even when in power. 

The nature of national armed forces of sovereign states is such that the commanders are individuals of authority whose commands derive authority from their military ranks and because of their expertise in the ground realities of conflict. An established chain of command headed by experienced high ranking officials of a state’s military is pivotal for effective execution of war strategy.

Sun Tzu gave importance to secrecy and spying as important methods of maintaining information awareness in warfare. Modern day nation-states are diverting heavy funding to national intelligence agencies and keep the gathered information out of the general public’s knowledge. For example in India, as per section 24 of the Right to Information Act of 2005, the Intelligence Bureau and National Security Guard of the Ministry of Home Affairs of India are a few of the intelligence and security organizations that are exempted from the state’s duty to divulge information to the public. Military secrets and secret missions today are still as relevant as they were in Sun Tzu’s time or even during the World Wars. 

Final Conclusion

Luttwak agrees that actions based on paradoxical logic have always been a prevalent military tactic and will still remain to exist in the most competent military tactics even when straightforward logical tactics that avoid operational risks are favored for parties with great strength, power and number. He gives the example of Israeli armed forces whose actions became predictable and were intercepted by opponents appropriately. But Sun Tzu’s work provides for the use of a more direct attack when one is stronger than the opponent. He stressed the importance of non-repetition of surprise tactics so as to not make the enemy aware of such patterns that become predictable. Even in the case of deceptive attacks of a strong Israeli force, a straightforward logical attack was a digression from its common strategy of attacking weak points and can be taken to be an unanticipated move digressing from Israel’s general tactics.

A paradoxical action is not synonymous to an illogical action. In many strategies like that of the Viet Cong, a paradoxical action as opposed to a straightforward linear act is most suited to ascertain or increase the probability of winning.1 In current times, the Art of War acts as an inspiration. It gives broader strategic principles rather than clever tricks, with its own set of limitations due to technological development and political relevance within war i.e. due to increased friction at vertical level due to variables (factors that were either unknown or avoidable in ancient times but are relevant now). Luttwak’s dismissal of the ancient text as clever tricks may be motivated because of the text being ancient or because of prejudice against eastern political systems by the west as barbaric but that certainly does not completely delete the influence of the Art of War as an important text on war and strategy.


* The views expressed in the blog are personal and should not be attributed to the institution.

References

  1.  Luttwak, Edward N., Strategy, The Logic of War and Peace, The Belknap Press of Harvard University Press, 2001, pp. 13-15.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCG-NLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more deeply with third world approaches which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

  1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
  2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

  1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21st century.

  2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS and its compliance with traditional legal norms as prescribed under international humanitarian laws.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper queries the legality of the FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.) under the established principles of international law.

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

  3. Domestic Cyber Law and Policy (January 28 - February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20) and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively produce a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analyses rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India which related to prolonged government mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.

Cyber Security at the UN: Where Does India Stand? (Part 2)

This is the second post of a two-part series which examines India’s participation in UN-affiliated processes and debates on ICTs and international security.

The first part offered an overview of how ideological divisions are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In this post, the author evaluates India’s stated positions on ICTs and international security at forums affiliated with the UN.

Author: Sidharth Deb

Introduction

As our digital transformation story has accelerated, Indian authorities have proactively worked on domestic laws, regulations and policies to govern digital and ICT domains. Prominent examples include its net neutrality regime; the 2021 intermediary guidelines and digital media ethics regulations; a soon to be enacted data protection law; and the National Cyber Security Policy, 2013, which is undergoing an overhaul. When it comes to institutional responses, India has, inter alia, operationalised a nodal Computer Emergency Response Team (“CERT-In”), sector specific CERTs, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) to secure critical information infrastructures (“CIIs”), and the National Cyber Security Coordinator within the country’s National Security Council Secretariat.

Conversely, India’s participation at international cybersecurity processes like the United Nations’ Group of Governmental Experts (“GGEs”) and the Open-ended Working Groups (“OEWG”) remains less developed. It does not reflect its status as a digital deciding swing State in cyber norms processes. Some describe it as lacking cohesion, without substantive or long term commitment to advance an international agenda. They have further characterised India’s position as one of silence, ambiguity and prioritising immediate national interest. India has even shied away from supporting multistakeholder led norms packages on international cybersecurity such as the Paris Call for Trust and Security in Cyberspace. And this perceived positional ambiguity is further reinforced by the fact that it supported both Russia’s proposal for the first OEWG and the US’ proposal for the sixth GGE. India has also endorsed Russia’s proposal for an ad-hoc committee for a cybercrime convention under the United Nations General Assembly’s Third Committee on Social, Humanitarian and Cultural Issues.

Indian Statements on International Security and ICTs

Given that India has an opportunity to assume an internationally significant role in international cybersecurity and norms related debates under processes like the 2nd OEWG, this post attempts to extract and infer meaning from India’s seemingly inconsistent and ambiguous positions. This involves an analysis of publicly available evidence of India’s participation in working groups and other forums within the UN. Subsequent takeaways reflect a composite examination of:

  1. India’s 2015 Comments to UNGA Resolution 70/237, which endorsed the GGE-developed international framework for responsible state behaviour in the cyberspace;
  2. India’s statement at the June 2019 Organisational Session of the first OEWG;
  3. India’s 2020 comments on the initial pre-draft of the OEWG’s report. These comments have been taken down from the OEWG website.
  4. February 2021 comments/remarks and proposed edits (January 2021) by the Government of India on the zero draft of the OEWG’s final substantive report.
  5. India’s statement at the UNSC Open Debate on international cybersecurity (June 2021).

While the Indian delegation participated in the first substantive session of the 2nd OEWG in December 2021, its interventions are, as of writing, unavailable on the OEWG’s website. Based on an overview of the aforementioned statements five key trends emerge.

First, the Indian Government appears to prefer state-led solutions to cybersecurity over multistakeholderism. While broadly highlighting the importance of multistakeholderism within internet governance, India’s 2015 submission at the UNGA argued that governments play a primary role in cybersecurity since it falls within the umbrella of ‘national security’. India has also made explicit recommendations at the OEWG negotiations to remove references to “human-centric” approaches and replace them with terms like “peace and stability”. Such statements convey a top-down outlook to ICT and cybersecurity policy. India prefers that stakeholders play a secondary role in cybersecurity policy, as stated in its intervention at the UNSC. The Indian Foreign Secretary, at the UNSC, opined that stakeholders can play an important role in supporting international cooperation on cybersecurity.

Such positions are consistent with the Indian Government’s disposition that technology environments should adhere to the rule of law and policies framed by appropriate government authorities. Even so, domestically, the Indian government has demonstrated a willingness to participate in multistakeholder dialogue (at forums like India IGF) and seek stakeholder inputs on related policy matters.

Second, India aims to bring content, behaviour and speech over social media and the wider internet within the scope of international cyber security. When discussing the scope of cyber/information security, India has repeatedly referred to cyber terrorism, terrorist content, virulent propaganda, inciting speech, disinformation, terror financing and recruitment activities, and general misuse of social media. This is of course consistent with its domestic policy stance on stricter regulations for social media intermediaries under the 2021 intermediary guidelines and digital media ethics code. India has even called for international dialogue and cooperation to counter terror propaganda, remove content and real time support with investigations. It has called upon the international community to recognise cyber terrorism as a special class of cyber incident which requires stronger international cooperation. As discussed in Part 1 of this series, the OEWG may be receptive to broadening the scope of information security to include issues relating to online speech and social media. This is also evidenced by the fact that several States have raised similar issues during the first substantive session of the 2nd OEWG in December 2021.

Third, India appears to prefer an internationally binding rules-based framework on ICTs and cyberspace. This is evident from both India’s 2021 submission to the OEWG, and its 2021 intervention at the UNSC’s open debate on cybersecurity. These submissions confirm that India appears open to a treaty/convention-based pathway to international cybersecurity. At the same time, during the 2021 OEWG negotiations India categorically requested deleting a paragraph which refers to a 2015 proposal for international code of conduct for information security. The 2015 proposal was tabled by UN Member States who are also members of the Shanghai Cooperation Organisation (“SCO”). Notably, India joined the SCO a few months after the bloc tabled its 2015 proposal. The SCO’s proposal was largely steered under Russian and Chinese guidance.

Fourth, Indian interventions have laid heavy emphasis on supply chain security of ICT products and services. India’s interventions focus on two key aspects. First is an emphasis on cybersecurity resilience and hygiene among SMEs and children. The reference to SMEs can be considered an expression of its economic aspirations via digital transformation. Second, India has called for greater international cooperation on matters surrounding trusted ICT products and services, and trusted suppliers of such products and services. This includes mitigating the introduction of harmful hidden functions like backdoors within ICT products and services which can compromise essential networks. To this end, India has even called for the introduction of a new cyber norm relating to a standard for essential security in cyberspace. This position appears to align itself with recent mandatory testing and certification regulations for telecommunications equipment, and a more recent national security directive passed by Indian telecom authorities in response to growing concerns of Chinese presence in Indian telecom and ICT systems. Under this Directive, Indian telecom authorities have launched the ‘Trusted Telecom Portal’ which aims to ensure that Indian telecom networks only comprise equipment which are deemed to be ‘trusted products’ from ‘trusted sources’. Recent reports also reveal that the Indian Government is in the process of establishing a unified national cyber security task force which will set up a specialised sub department to focus on cyber threats in the telecom sector.

Lastly, on the applicability of international law to States’ use of ICTs—despite its participation in five out of six UN GGEs and the first OEWG—India has yet to substantively articulate an extensive position on this topic. Instead, it has made broader calls for non-binding, voluntary guidance from the international community on the application of key concepts within international humanitarian law like distinction, necessity, proportionality and humanity within the context of ICTs. India’s most animated interventions have pertained to jurisdiction and sovereignty. To be clear, it has not engaged on whether sovereignty is a principle or a rule of international law. Instead, it has called on the international community to reimagine sovereignty and jurisdiction—where a new technical basis (beyond territoriality) can allow States to effectively govern and secure cyberspace.

One such basis for sovereignty that India put forth before the OEWG relates to data ownership and sovereignty. It purports that such a philosophical underpinning would endorse people’s right to informational privacy online.  Yet, these positions reflect and seek to legitimise wider trends in digital and ICT policymaking in India. This includes proposals to restrict cross-border data flows for different purposes and its challenges with carrying out law enforcement investigations owing to lethargic international cooperation via the MLAT frameworks.

Conclusion

India’s current engagement with international cybersecurity issues serves as a mirror for India’s domestic political economy and immediate national interests. Given that it occupies a pivotal position as a digital swing state with the second largest internet user base in the world, India could have the geopolitical heft to steer the conversation away from ideological fault lines—and towards more substantive avenues.

However, in order to do this, it must adopt a more internationalised agenda while negotiating in these cyber norms processes. Since it is still early days when it comes to substantive discussions at the 2nd OEWG, and negotiations at other forthcoming processes are yet to commence, the time may be ripe for India to start formulating a more cohesive strategy in how it engages with international cyber norms processes.

To this end, Indian leadership could approach the forthcoming National Cyber Security Strategy as a jumping-off point from which it can refine the Government’s normative outlook to matters relating to international cybersecurity, international law and responsible state behaviour in the cyberspace. The forthcoming strategy could also help the Government of India define how it collaborates with other States and non-governmental stakeholders. Finally, it could help identify domestic laws, policies and institutions that require reform to keep pace with international developments.

Cyber Security at the UN: Where Does India Stand? (Part 1)

Editorial Note: This is a two-part series, which examines India’s participation in UN-affiliated processes and debates on ICTs and international security

Part 1 provides an overview of the ideological divisions that are shaping UN debates around the international framework for responsible state behaviour in the cyberspace. In Part 2, the author will critique India’s stated positions on ICTs and international security at forums affiliated with the UN. 

Author: Sidharth Deb

Introduction: The International Character of Cyber Threats 

Earlier this month, the United Nations General Assembly’s (“UNGA”) First Committee on Disarmament and International Security (“First Committee”) convened Member-States for the first substantive session of its second Open-Ended Working Group (“OEWG”) on security of, and in the use of, information and communication technologies (“ICTs”). The 2nd OEWG serves as the latest working group under the aegis of the UNGA First Committee on themes relating to ICTs and international cybersecurity. It is notable that in that same week another major cyber vulnerability threatening global computer systems came to light: the Apache Log4j flaw, found in a widely used logging library. This vulnerability has been described as a major software supply chain flaw which can be used to remotely compromise hundreds of millions of vulnerable devices globally.

Experts are calling it a cyber pandemic and exploits are already targeting corporate networks globally. More concerning is the fact that nation State-backed hackers have reportedly begun experimenting and launching malicious operations to exploit the flaw. Along with recent incidents like WannaCry, NotPetya, SolarWinds, Colonial Pipeline and the Microsoft Exchange Server, such trends typify a rapidly evolving and increasingly scalable cyber threat landscape which emerges from heterogeneous sources. These include States which use ICT capabilities to advance military or political objectives, State-sponsored hacking groups, mercenary technology vendors (developing tools like spyware), and other criminal and/or terrorist non-State actors. To combat these trends the international community must prioritise cyber diplomacy, international cooperation, assistance and baseline harmonisation of jurisdictional efforts as essential prerequisites.

However, this is challenging since States often have diverging political, economic, developmental and military objectives. Therefore, in order to fulfil the core objective of a peaceful and stable cyberspace, international dialogue on ICT security must successfully navigate both peacetime and conflict paradigms. This includes working around innate complexities conferred via inter-State cyber conflicts. One such challenge relates to the operationalisation of the law of armed conflict within the cyberspace. Keeping these challenges in mind, this post presents an overview of ongoing cyber diplomacy efforts at the UN towards building an international legal and normative framework for responsible state behaviour in the cyberspace. It then evaluates how ideological divisions between countries pose challenges to international consensus and multilateralism. 

The UN, Cybersecurity and the Framework for Responsible State Behaviour 

Against the aforementioned backdrop, the second OEWG commences the next generation of deliberations on the States’ use of ICTs in the context of international peace and security. This Working Group was constituted in accordance with a UNGA resolution (75/240) dated December 31, 2020 and is set to run till 2025. It is open to participation from all 193 UN Member States, and the OEWG’s Chair is in the midst of determining the extent and mechanisms of multistakeholder participation. Both this and the first iteration of the OEWG involve more inclusive participation of the international community as compared to previous Groups of Governmental Experts (“GGEs”) on ICT security, which had only 15 to 25 participating States.  

Given the exponential innovation trajectories of ICT environments and the extended operational timelines, it will be a tall order for the 2nd OEWG to fulfil its mandate to identify existing and potential threats to information security. Yet, it is not starting from scratch. Concerted prior work at the GGEs and OEWG, along with subsequent consensus at the UNGA, has yielded an international framework for responsible state behaviour towards international cybersecurity. The framework comprises four distinct yet complementary pillars. These pillars include:

  1. International law, including the UN Charter along with existing principles of international law, as it applies to States’ use of ICTs. This was most recently elaborated in the May 2021 consensus report of the 6th GGE;
  2. Politically determined cyber norms which entail voluntary and non-binding norms, rules and principles of responsible State behaviour during peacetime. The norms, inter alia, include interstate cooperation like exchange of information and threat intelligence; attribution of ICT incidents; respecting human rights; protecting critical infrastructures; securing ICT supply chains; enabling ICT vulnerability disclosures; preventing the misuse of ICTs for cybercrime and international wrongful acts; etc. Cyber norms are meant to promote cooperation and increase predictability, reduce risks of misperception and escalation in the cyberspace, and serve as a first step to the eventual formation of customary international law in the cyberspace.
  3. The other two pillars are confidence building measures and capacity building. These aim to enhance interstate transparency, international and institutional (technical and policy) cooperation, systematise international assistance to implement the voluntary cyber norms framework, and create a baseline of competence and response capabilities across Member States.

Prima facie these pillars reflect a comprehensive approach in tackling the wide-ranging threats in cyberspace. Yet the framework does not reflect the geopolitical divisions which are emerging between different country blocs. Since cybersecurity’s prominence within the broader scheme of international peace and security continues to increase, it is important to track this aspect of international cyberspace cooperation.

Ideological Divisions in International Cybersecurity Processes 

Ideological divisions within international cybersecurity processes often reflect similar geographic groupings. One side comprises the US, UK, Estonia and other NATO allies. On the other end of the spectrum, we observe a Sino-Russian grouping which also includes countries like Cuba and Iran. This section highlights four main ways in which ideological divisions are shaping the international cyber diplomacy processes. 

  1. Goal of Dialogue: Legally Binding Agreement or Voluntary Politically-determined Norms-based Framework? 

Differences begin at the most fundamental levels of implementation. Consider the means of operationalising the international framework for state responsibility in the use of ICTs. Since the late 90s, the Russian bloc has made multiple proposals for international work towards a binding treaty/convention on international cybersecurity and cybercrime. Such proposals advance Sino-Russian objectives of embedding core principles of internet sovereignty and state-primacy within a rule-based framework of international ICT policy. Interests around sovereignty may have also motivated the Russian proposal to set up the first UN OEWG on ICT Security, which opened up conversations in cybersecurity to all UN Member States. While the OEWG furthers openness, transparency and inclusivity towards norm formulation, the push for expansion in participation is perhaps motivated by an ability to bring more countries with similar ideological positions into the discussions.  

Among other things, their inclusion can create greater momentum to revisit, expand, or create new norms for State activities in cyberspace. The US and NATO bloc has strongly opposed the need for an international treaty based framework citing that such an approach could risk allowing States to negotiate and dilute core principles like openness, interoperability, multistakeholderism and respect for human rights. At a secondary level, it could also lead to greater fetters and regulation of international transnational ICT/internet corporations—which tend to be concentrated in certain jurisdictions.  

  2. Disputes on Applicability of International Law

A prominent example here is the failed negotiations at the 5th UN GGE in 2017. An important point of contention related to whether and how international law—especially international humanitarian law—applies to the cyberspace. In broad terms, NATO allies advocated that the principles of use of force, self-defence, and in situations of conflict, principles of international humanitarian law, should apply to the cyberspace. However, Cuba, serving as a front for the other bloc, opposed this. They argued that this would serve as a tacit endorsement of certain cyber operations and would incentivise escalation/militarisation in the cyberspace. This was the straw that broke the camel’s back, and it cost the international community consensus at the 5th GGE.  

  3. Procedural Mechanisms and Modalities of Dialogue

Since 2017, both the 1st OEWG and 6th GGE successfully adopted consensus reports in March and May 2021 respectively. While they build on prior GGE consensus reports especially the 2013 and 2015 reports, the aforementioned disputes demonstrate the fragility of consensus on international cybersecurity at the UN.  

Even in the run-up to the 2nd OEWG’s first substantive session (December 2021), States have had disagreements on the modalities of engagement. These include whether the OEWG should have broad conversations on all issues simultaneously between Member States, or if the Chair should set up issue-specific thematic subgroups for different aspects of international cybersecurity, etc.  

  4. Definitional Scope of Key Concepts including “Information” Security

Fundamental differences on key concepts like minimum identifiable standards of inter-State conduct, verification, evidence gathering, attribution and accountability among both State and non-State actors, threaten the international framework for peace and stability in cyberspace. A major point of contention which could emerge within the 2nd OEWG relates to its mandate on identifying existing and potential threats to information security. In contrast to the GGEs, the OEWG is increasing its focus on disinformation, defamation, incitement, propaganda, terrorist content, and other online speech/media. This can be discerned from the 1st OEWG’s final substantive report, the Chair’s Summary, and UNGA Res/75/240. The OEWG’s eventual scope of “information security” will also reveal to what extent international policymakers aim to securitise different infrastructure and online public spaces within ICT environments. Given the implications that this could have on principles like openness, interoperability, and people’s fundamental freedoms and human rights, dialogue on this front will be important to track.

Conclusion: The Importance of Digital Swing States 

Substantive fissures threaten multilateral international cooperation in cybersecurity. This risk manifested once with the operation of parallel processes at the 6th GGE and the 1st OEWG. Similar risks of fragmentation could emerge during the 2nd OEWG’s tenure, since there is already an ad hoc committee on a cybercrime convention which will commence substantive discussions under the UNGA’s Third Committee in January 2022. States including France, Egypt and others have also made a proposal for an action-oriented Programme of Action to advance responsible state behaviour in the cyberspace.

Given these risks, commentators observe that the role of swing states is integral for international cyber diplomacy to steer the conversations towards more substantive pathways. One such swing State is India. The next post of this two part series will explore India’s engagement with UN-affiliated processes and debates on cybersecurity over time. Through this, we gain greater clarity on India’s definitional approach to cybersecurity, views on multistakeholderism vis-a-vis cybersecurity, supply chain security, and sovereignty in ICT environments.  

France’s Cyber Influence Warfare Doctrine (L2I) 

By Ananya Moncourt

On 20th October 2021, the French Minister of Defense released the French Armed Forces’ Cyber Influence Warfare Doctrine (“Lutte Informatique d’influence” in French, abbreviated as L2I). The doctrine lays out a framework for “military operations conducted in the information layer of cyberspace to detect, characterize and counter attacks” and undertake “intelligence gathering or deception operations”. In this blogpost, I highlight and analyze key features of this new doctrine for the conduct of information warfare by the French military.

Cyberspace in this context is comprised of three inseparable layers – a physical layer (equipment, computer systems, other materials), a logical layer (digital data, software, data exchange flows) and an information or semantic layer (information and social interactions). The applied misuse of the semantic layer can be seen at work in information influence operations that are used to sway public opinion ahead of key elections or on matters of national importance. France has experienced firsthand the perils of such operations in the Macron Leaks in 2017.

With the release of L2I ahead of France’s presidential elections in April 2022, the legitimisation of offensive influence operation conduct is consequential. Who is conducting these information influence operations, under what legal constraints, and the justification for doing so in terms of identified threat groups are questions that guide this assessment.

Over the last five years, there has been a gradual shift in France’s diplomatic standing from a defensive approach i.e., the use of force when necessary, to a more offensive and unhesitant preparedness to use force. The relocation of military strategy from a “peace-war-crisis continuum” to a “triptych of competition-contestation-confrontation” in L2I reflects this change clearly. With a guiding maxim to “win the war before the war”, L2I is one part of a three-pronged Strategic Vision, released in November 2021. More broadly, it is the final element of a conceptual framework put forth by the military for acting in the information field – the first was the LID, a defensive IT Policy (2018) and the second LIO, an offensive computer warfare doctrine (2019).  

Identifying Threats 

The root cause for identifying threats in the semantic layer stems from the possibility of information manipulation in cyberspace – a key component of hybrid warfare strategies today. In her speech presenting L2I to the world, Florence Parly (Minister of the Armed Forces) highlighted that “false, manipulated or subverted information is a weapon”. Threats that arise from such weaponisation of information form the subtext of the doctrine that references the authenticity with which modern technologies make it possible to create fake news (deep fakes of false remarks by soldiers in operations and false speeches by politicians for example). These developments are seen as direct threats to the legitimacy and capacities of the French military. 

Two points about the locus of action for influence operations in L2I are significant. One, that L2I operations take place within a framework strictly limited to military operations outside France’s national territory. Two, that its “theatre of operations” is the information layer of cyberspace. The doctrine also explicitly identifies two threats to the French military – “organised armed groups” and “State actors”. The former includes terrorist groups and quasi-states (e.g., ISIS/Daesh) who leverage the information layer of cyberspace to fund, recruit and co-ordinate violence. The latter refers to proto-states or State actors using intermediaries whose aim is to destabilize state structures and public opinion by promoting false narratives and undertaking informational attacks.

The Theatre of the “War before the War”: Cyberspace as a Battleground

L2I deems cyberspace a “fertile breeding ground” for information warfare, due to the ease with which legitimacy can be gained by any individual or group within their established networks online. What merits attention, and further research, is the doctrine’s perceptive articulation of a ‘cognitive dimension’ of the information layer of cyberspace. An outcome of human-computer interactions, it is the emotional, irrational, and legitimate stimulation of people who interact in an online information environment that characterises this ‘cognitive layer’. Under the grammar of the doctrine, susceptibility to disinformation thus becomes an obvious threat in cyberspace. Achieving technological superiority and developing offensive cyber capabilities of the armed forces is presented as a straightforward goal. The doctrine further lucidly presents six characteristics of the information or cognitive layer of cyberspace:  

1] A contraction of time and space: The immediacy of information today combined with its large-scale dissemination promotes interaction and connectivity. The geographic boundaries of information and its protracted transmission have faded away.  

2] Possibility of concealing sources of information: Mastery of related technologies makes it possible to conceal or falsify the origins of information. This anonymity makes the use of cyberspace conducive for purposes of influence by States or groups of individuals. 

3] Information persistence:  Information is difficult to erase in cyberspace because it can be duplicated easily or stored elsewhere. Information can therefore be reused outside of any verifiable context. 

4] Freedom of individuals: Anyone can produce and broadcast information, true or false, without any editorial control in cyberspace. This promotes an unbridled production of information.

5] Technological innovation: Continuous innovation in creation, storage and dissemination of information is a significant feature of cyberspace. 

6] A space modelled by Big Tech: Cyberspace is emerging with major digital operators who, de facto, impose their own regulations and terms.

The characterization of cyberspace as a “deterritorialised” realm in the doctrine raises the question of whether information warfare can be governed through existing international law frameworks that are based on territorial sovereignty. Nevertheless, respect for international law in L2I is carved out in two distinct spheres. In peacetime, L2I is subject to the United Nations Charter and principles of non-interference, and during times of armed conflict International Humanitarian Law principles of necessity, proportionality, distinction and precaution are highlighted. Further, every operation carried out under L2I is subjected to political and legal constraints outlined by ROE (Rules of Operational Engagement), conceived of to define the circumstances and conditions of implementation.  

It is clear that an inherent contradiction lies in L2I’s recognition of a borderless cyberspace (that is diffusing the boundaries between peace and war times) and the subjection of its operations to international laws that are distinct for peace and war times. While it is acknowledged that the functioning of cyberspace is premised on an “entanglement of boundaries” and application of legal provisions is complex, a lack of clarity on the line between a free rein for the development of capabilities and the checks and balances necessary for use of these capabilities is evident. This begs the question of what can be considered peace and/or war time in the information layer of cyberspace, and whether such a distinction is relevant at all. Moreover, determining how territorial sovereignty is defined with regard to state action in this particular layer of cyberspace is an important first step towards developing regulatory guidelines for information influence operations.

New age combatants for new age threats? 

L2I further outlines a dedicated chain of command under the apex authority of the President followed by the Chief of Staff of the Armed Forces. The post of a General Commanding Officer has been created in recognition of cyber influence operations occurring at the confluence of offensive and defensive strategies. Further, in a multi-disciplinary approach to development of human resources, the doctrine recognises the need for highly specialised skills across disciplines and proposes investment in a cyberwarfare troop comprised of computer graphic designers, psychologists, sociologists, linguists and social media specialists.  

The pervasiveness of information in combination with the interconnectedness of our communication systems and increasingly sophisticated technology capabilities has led to evident potential for exploitation of information in cyberspace. In particular, social media has enabled nation-states to delve into the minds of people, communities and adversaries, to control and push certain narratives while marginalising other kinds of information and perspectives for power. The human mind, intertwined with open societies and networks, can be seen as an emerging battle-space of the future. 

Naturally, what groups are identified as threats and what national agencies are mandated to tackle them in cyberspace are critical. The degree of transparency with which these systemised influence operations, often covert, are sanctioned in a country’s legal framework also has significant geopolitical and human rights implications. This is especially important in democratic political systems where people’s trust in institutions depends on the degree of accountability and transparency built into institutions that undertake influence operations. 

Parallelly, in a major move in India in December 2020, the Ministry of Defense created a new post of Director General of Information Warfare in light of hybrid warfare, social media realities and future battlefields. The scope of authority and areas of work the office will undertake have not been detailed. As India prepares to strengthen her bilateral defence and security partnership with France, clarity on information operation strategies will improve the quality of such cooperation. As such, what the ‘theatre of operations’ and identified threat groups will be for the Indian military are important questions that require articulation.

The Supreme Court’s Pegasus Order

This blog post has been authored by Shrutanjaya Bhardwaj.

On 28th October 2021, the Supreme Court passed an order in the “Pegasus” case establishing a 3-member committee of technical experts to investigate allegations of illegal surveillance by hacking into the phones of several Indian citizens, including journalists. This post analyses the Pegasus order. Analyses by others may be accessed here, here and here.

Overview

The writ petitioners alleged that the Indian Government and its agencies have been using a spyware tool called “Pegasus”—produced by an Israeli technology firm named the NSO Group—to spy on Indian citizens. As the Court notes, Pegasus can be installed on digital devices such as mobile phones, and once Pegasus infiltrates the device, “the entire control over the device is allegedly handed over to the Pegasus user who can then remotely control all the functionalities of the device.” Practically, this means the ‘Pegasus user’ (i.e., the infiltrator) has access to all data on the device (emails, texts, and calls) and can remotely activate the camera and microphone to surveil the device owner and their immediate surroundings. 

The Court records some basic facts that are instructive in understanding its final order:

  1. The NSO Group itself claims that it only sells Pegasus to governments. 
  2. In November 2019, the then-Minister of Electronics and IT acknowledged in Parliament that Pegasus had infected the devices of certain Indians. 
  3. In June-July 2020, reputed media houses uncovered instances of Pegasus spyware attacks on many Indians including “senior journalists, doctors, political persons, and even some Court staff”.
  4. Foreign governments have since taken steps to diplomatically engage with Israel and/or internally conduct investigations to understand the issue.
  5. Despite repeated requests by the Court, the Union Government did not furnish any specific information to assist the Court’s understanding of the matter.

These facts led the Court to conclude that the petitioners’ allegations of illegal surveillance by hacking need further investigation. The Court noted that the petitioners had placed on record expert reports and there also existed a wealth of ‘cross-verified media coverage’ coupled with the reactions of foreign governments to the use of Pegasus. The Court’s order leaves open the possibility that a foreign State or perhaps a private entity may have conducted surveillance on Indians. Additionally, the Union Government’s refusal to clarify its position on the legality and use of Pegasus in Court raised the possibility that the Union Government itself may have used the spyware. As discussed below, this possibility ultimately shaped the Court’s directions and relief.  

The Pegasus order is analysed below along three lines: (i) the Court’s acknowledgement of the threat to fundamental rights, (ii) the Union Government’s submissions before the Court, and (iii) the Court’s assertion of its constitutional duty of judicial review—even in the face of sensitive considerations like national security.

Acknowledging the risks to fundamental rights

While all fundamental rights may be reasonably restricted by the State, every right has different grounds on which it may be restricted. Identifying the precise right under threat is hence an important exercise. The Court articulates three distinct rights at risk in a Pegasus attack. Two flow from the freedom of speech under Article 19(1)(a) of the Constitution and one from the right to privacy under Article 21. 

The first right, relatable to Article 19(1)(a), is journalistic freedom. The Court noted that the awareness of being spied on causes the journalist to tread carefully and think twice before speaking the truth. Additionally, when a journalist’s entire private communication is accessible to the State, the chances of undue pressure increase manifold. The Court described such surveillance as “an assault on the vital public watchdog role of the press”.

The second right, also traced to Article 19(1)(a), is the journalist’s right to protect their sources. The Court treats this as a “basic condition” for the freedom of the press. “Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest,” which harms the free flow of information that Article 19(1)(a) is designed to ensure. This observation and acknowledgment by the Court is significant and it will be interesting to see how the Court’s jurisprudence develops and engages with this issue.

The third right, traceable to Article 21 as interpreted in Puttaswamy, is the citizen’s right to privacy (see CCG’s case brief on Puttaswamy in CCG’s Privacy Law Library). Surveillance and hacking are prima facie an invasion of privacy. However, the State may justify a privacy breach as a reasonable restriction on constitutional grounds if the legality, necessity, and proportionality of the State’s surveillance measure are established.

Court’s response to the Government’s “conduct” before the Court

The Court devotes a significant part of the Pegasus order to discussing the Union Government’s “conduct” in the litigation. The first formal response filed by the Government, characterised as a “limited affidavit”, did not furnish any details about the controversy owing to an alleged “paucity of time”. When the Court termed this affidavit as “insufficient” and demanded a more detailed affidavit, the Solicitor General cited national security implications as the reason for not filing a comprehensive response to the surveillance allegations. This was despite repeated assurances given by both the Petitioners and the Court that no sensitive information was being sought, and the Government need only disclose what was necessary to decide the matter at hand. Additionally, the Government did not specify the national security consequences that would arise if more details were disclosed. (The Court’s response to the invocation of the national security ground on merits is discussed in the next section.)

In addition to invoking national security, the Government made three other arguments:

  1. The press reports and expert evidence were “motivated and self-serving” and thus of insufficient veracity to trigger the Court’s jurisdiction.
  2. While all technology may be misused, the use of Pegasus cannot per se be impermissible, and India had sufficient legal safeguards to guard against constitutionally impermissible surveillance.
  3. The Court need not establish a committee as the Union Government was prepared to constitute its own committee of experts to investigate the issue.

The Court noted that the nature and “sheer volume” of news reports are such that these materials “cannot be brushed aside”. The Court was unwilling to accept the other two arguments in part due to the Union Government’s broader “conduct” on the issue of Pegasus. It noted that the first reports of Pegasus use dated back to 2018 and a Union Minister had informed Parliament of the spyware’s use on Indians in 2019, yet no steps to investigate or resolve the issue had been taken until the present writ petitions had been filed. Additionally, the Court ruled that the limited documentation provided by the Government did not clarify its stand on the use of Pegasus. In this context, and owing to reasons of natural justice (discussed below), the Court opined that independent fact finding and judicial review were warranted.

Assertion of constitutional duty of judicial review

As noted above, the Union Government invoked national security as a ground to not file documentation regarding its alleged use of Pegasus. The Court acknowledged that the government is entitled to invoke this ground, and even noted that the scope of judicial review is narrow on issues of national security. However, the Court held that the mere invocation of national security is insufficient to exclude court intervention. Rather, the government must demonstrate how the information being withheld would raise national security concerns and the Court will decide whether the government’s concerns are legitimate. 

The order contains important observations on the Government’s use of the national security exception to exclude judicial scrutiny. The Court notes that such arguments are not new; and that governments have often urged constitutional courts to take a hands-off approach in matters that have a “political” facet (like those pertaining to defence and security). But the Court has previously held, and also affirmed in the Pegasus order, that it will not abstain from interfering merely because a case has a political complexion. The Court noted that it may certainly choose to defer to the Government on sensitive aspects, but there is no “omnibus prohibition” on judicial review in matters of national security. If the State wishes to withhold information from the Court, it must “plead and prove” the necessary facts to justify such withholding.

The Government had also suggested that the Court let the Government set up a committee to investigate the matter. The Supreme Court had adopted this approach in the Kashmir Internet Shutdowns case by setting up an executive-led committee to examine the validity and necessity of continuing internet shutdowns. That judgment was widely criticised (see here, here and here). However, in the present case, as the petitions alleged that the Union Government itself had used Pegasus on Indians, the Court held that allowing the Union Government to set up a committee to investigate would violate the principle against bias in inquiries. The Court quoted the age-old principle that “justice must not only be done, but also be seen to be done”, and refused to allow the Government to set up its own committee. This is consistent with the Court’s assertion of its constitutional obligation of judicial review in the earlier parts of the order.

Looking ahead

The terms of reference of the Committee are pointed and meaningful. The Committee is required to investigate, inter alia, (i) whether Pegasus was used to hack into phones of Indian citizens, and if so which citizens; (ii) whether the Indian Government procured and deployed Pegasus; and (iii) if the Government did use Pegasus, what law or regulatory framework the spyware was used under. All governmental agencies have been directed to cooperate with the Committee and furnish any required information.

Additionally, the Committee is to make recommendations regarding the enactment of a new surveillance law or amendment of existing law(s), improvements to India’s cybersecurity systems, setting up a robust investigation and grievance-redressal mechanism for the benefit of citizens, and any ad-hoc arrangements to be made by the Supreme Court for the protection of citizens’ rights pending requisite action by Parliament.

The Court has directed the Committee to carry out its investigation “expeditiously” and listed the matter again after 8 weeks. As per the Supreme Court’s website, the petitions are tentatively to be listed on 3 January 2022.

This blog was written with the support of the Friedrich Naumann Foundation for Freedom.