On Cyber Weapons and Chimeras

This post has been authored by Gunjan Chawla and Vagisha Srivastava


“The first thing we do, let’s kill all the lawyers,” says Shakespeare’s Dick the Butcher to Jack Cade, who leads fellow conspirators in the popular rebellion against Henry VI.

The same cliché may as well have been the opening line of Pukhraj Singh’s response to our last piece, which joins his earlier pieces heavily burdened with thinly veiled disdain for lawyers poking their noses into cyber operations. In his eagerness to establish code as law, he omits not only the universal professional courtesy of getting our names right, but also a basic background check on authors he so fervently critiques – only one of whom is in fact a lawyer and the other, an early career technologist.

In this final piece in our series on offensive cyber capabilities, we take exception to Singh’s misrepresentation of our work and hope to redirect the conversation back to the question raised by our first piece – what is the difference between ‘cyber weapons’ and offensive cyber capabilities, if any? Our readers may recall from our first piece in the series, Does India have offensive cyber capabilities, that Lt Gen Pant had, in an interview to Medianama, denied any intent on the part of the Government of India to procure ‘cyber weapons’. However, certain amendments inserted in export control regulations by the DGFT suggested the presence of offensive cyber capabilities in India’s cyber ecosystem. Quoting Thomas Rid from Cyber War Will Not Take Place,

“these conceptual considerations are not introduced here as a scholarly gimmick. Indeed theory shouldn’t be left to scholars; theory needs to become personal knowledge, conceptual tools used to comprehend conflict, to prevail in it, or to prevent it.”

While lawyers and strategists working in the cyber policy domain admittedly still have a lot to learn from those with personal knowledge of the conduct of hostilities in cyberspace, deftly obscured by a labyrinth of regulations and rapidly changing rules of engagement, the question of nomenclature remains an important one. The primary reason for this is that the taxonomy of cyber operations has significant implications for the obligations incumbent on States and State actors under international as well as domestic law.

A chimeral critique

Singh’s most seriously mounted objection in his piece is to our assertion that ‘cyber capabilities’ and ‘cyber operations’ are not synonymous, just as ‘arms’ and ‘armed attack’, or ‘weapons’ and ‘war’ are distinct concepts. However, a wilful misunderstanding of our assertion that cyber capabilities and cyber operations are not interchangeable terms does not foster any deeper understanding of the legal or technical ingredients of a ‘cyber operation’–irrespective of whether it is offensive, defensive or exploitative in intent and design.

The central idea remains, that a capability is wielded with the intent of causing a particular effect (which may or may not be identical to the actual effect resulting from the cyber operation). A recent report by the Belfer Center at Harvard on a ‘National Cyber Power Index’, which views a nation’s cyber power as a function of its intent and capability, also seems to support this position. Certainly, the criteria and methodology of assessment remain open to debate and critique from academics as well as practitioners, and this debate needs to inform our legal position and strategic posture (again, the two are not synonymous) as to the legality of developing offensive cyber capabilities in international as well as domestic law.

Second, in finding at least one of us guilty of a ‘failure of imagination’, Singh steadfastly advocates the view that cyber (intelligence) operators like himself are better off unbounded by legal restraint of their technical prowess, functioning in a Hobbesian (virtual) reality where code is law and technological might makes right. It is thus unsurprising that Singh in what is by his own admission a ‘never to be published manuscript’, seems to favour practices normalized by the United States’ military doctrine, regardless of their dubious legality.

Third, in criticizing lawyers’ use of analogical reasoning—which to Singh, has become ‘the bane of cyber policy’—he conveniently forgets that for those of us who were neither born in the darkness of covert cyber ops, nor moulded by it, analogies are a key tool to understand unfamiliar concepts by drawing upon learnings from more familiar concepts. Indeed, it has even been argued that analogy is the core of human cognition.

Navigating a Taxing Taxonomy

Writing in 2012 with Peter McBurney, Rid postulates that cyber weapons may span a wide spectrum, from generic but low-potential tools to specific high potential weaponry – and may be viewed as a subset of ‘weapons’. In treating cyberweaponry as a subset of conventional weaponry, their underlying assumption is that the (cyber) weapon is being developed and/or deployed with ‘the aim of threatening or causing physical, functional or mental harm to structures, systems or living beings’. This also supports our assertion that intent is a key element to planning and launching a cyber operation, but not for the purposes of classifying a cyber operation as an ‘armed attack’ under international law. However, it is important to mention that Rid considers ‘cyber war’ as an extremely problematic and dangerous concept, one that is far narrower than the concept of ‘cyber weapons’.

Singh laments that without distinguishing between cyber techniques and effects, we fall into ‘a quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese’. He considers the OCOs/DCOs classification too ‘simplistic’ in comparison to the CNA/CND/CNE framework. Even if the technological underpinnings of cyber exploits (for intelligence gathering) and cyber attacks (for damage, disruption and denial) have not changed over the years, as Singh argues—the change in terminology/vocabulary cannot be attributed to ‘ideology’. This change is a function of a complete reorganization and restructuring of the American national security establishment to permit greater agility and freedom of action in rules of hostile engagement by the military in cyberspace.

Unless the law treats cognitive or psychological effects of cyber operations (e.g., those depicted in the Social Dilemma or the Great Hack, or even in doxing classified documents) as harm that is ‘comparable’ to physical damage/destruction, ‘cyber offence’ will not graduate to the status of a ‘cyber weapon’. For the time being, an erasure of the physical/psychological dichotomy appears extremely unlikely. If the Russian and Chinese playbook appears innovative in translating online activity to offline harm, it is because of an obvious conflation between a computer systems-centric cyber security model and the state-centric information security model that values guarding State secrets above all else, and benefits from denying one’s adversary the luxury of secrecy in State affairs.

The changing legal framework and as a corollary, the plethora of terminologies employed around the conduct of cyber operations by the United States run parallel to the evolving relationship between its intelligence agencies and military institutions.

The US Cyber Command (CYBERCOM) was first created in 2008, but was incubated for a long time by the NSA under a peculiar arrangement established in 2009, whereby the head of the NSA was also the head of the US CYBERCOM, with a view to leverage the vastly superior surveillance capabilities of the NSA at the time. This came to be known as a ‘dual-hat arrangement’, a moniker descriptive of the double role played by the same individual simultaneously heading an intelligence agency as well as a military command. Simply put, cyber infrastructure raised for the purposes of foreign surveillance and espionage was but a stepping stone to building cyber warfare capabilities. Through a presidential memorandum in 2017, President Trump directed the Secretary of Defense to establish the US Cyber Command as a Unified Combatant Command, elevating its status from a sub-unit of the US Strategic Command (STRATCOM).

An important aspect of the ‘restructuring’ we refer to is a pair of Presidential directives – one from 2012 and another from 2018. In October 2012, President Obama signed the Presidential Policy Directive-20, 2012 (PPD). It was classified as Top Secret at the time, but leaked by Ellen Nakashima of the Washington Post a month later. The PPD defined US cyber policy, including terms such as ‘Offensive Cyber Effects Operations’ (OCEO) and ‘Defensive Cyber Effects Operations’ (DCEO), and mandated that all cyber operations were to be executed with explicit authorization from the President. In August 2018, Congress passed a military-authorization bill that delegated some cyber operations to be authorized by the Secretary of Defense. It is relevant that clandestine military activity (covert operations) or operations in cyberspace are now considered a traditional military activity under this statute, bringing it under the DoD’s authority. The National Security Presidential Memorandum 13 (NSPM) on offensive cyber operations signed by President Trump around the same time, although not available in the public domain, has reportedly further eased procedural requirements for Presidential approval in certain cyber operations.

Thus, if we overcome apprehensions about the alleged ‘quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese,’ we can appreciate the crucial role played by these many terms in the formulation of clear operational directives. They serve an important role in the conduct of cyber operations by (1) delineating the chain of command for the conduct of military cyber operations for the purposes of domestic law and (2) bringing the conversation on cyber operations outside the don’t-ask-don’t-tell realm of ‘espionage’, enabling lawyers and strategists to opine on their legality and legitimacy, or lack thereof, as military operations for the purposes of international law – much to Singh’s apparent disappointment. To observers more closely acquainted with the US playbook on international law, the inverse is also true, where operational imperatives have necessitated a re-formulation of terms that may convey any sense of illegality or impropriety in military conduct (as opposed to the conduct of intelligence agencies, which is designed for ‘plausible deniability’ in case of an adverse outcome).

We relied on the latest (June 2020) version of JP 1-02 for the current definition of ‘offensive cyber operations’ in American warfighting doctrine. We can look to earlier versions of the DoD Dictionary to trace back the terms relevant to CNOs (including CNA, CNE and CND). This exercise makes it quite apparent that the contemporary terminologies and practices are all rooted in (covert) cyber intelligence operations, which the (American) law and policy around cyberspace bends over backwards to accommodate and conceal. That leading scholars have recently sought to frame ‘cyber conflict as an intelligence contest’ further supports this position.

  • 2001 to 2007 – ‘cyber counterintelligence’ as the only relevant military activity in cyberspace (even though a National Military Strategy for Cyberspace Operations existed in 2006)
  • 2008 – US CYBERCOM created as a sub-unit of US STRATCOM
  • 2009 – Dual Hat arrangement between NSA and CYBERCOM
  • 2010 – US CYBERCOM achieves operational capability on May 21; CNA/CNE enter the DoD lexicon
  • 2012 – PPD 20 issued by President Obama
  • 2013 – JP 3-12 published as doctrinal guidance from the DoD to plan, execute and assess cyber operations
  • By 2016 – DoD dictionary defines ‘cyberspace operations’, DCOs and OCOs (but not cyberspace exploitation), relying on JP 3-12
  • 2018 – NSPM 13 signed by President Trump
  • 2020 – ‘cyberspace attack’, ‘cyberspace capability’, ‘cyberspace defence’, ‘cyberspace exploitation’, ‘cyberspace operations’, ‘cyberspace security’ and ‘cybersecurity’, as well as OCOs/DCOs, are defined terms in the Dictionary

Even as JP 3-12 remains an important document from the standpoint of military operations, reliance on this document is inapposite, even irrelevant for the purposes of agencies responsible for cyber intelligence operations. In fact, JP 3-12 is also not helpful to explain the whys and hows of the evolution in the DoD vocabulary. This is a handy guide to decode the seemingly cryptic numbering of DoD’s Joint Publications.

Waging Cyber War without Cyber ‘Weapons’?

It is relevant to mention that none of the documents referenced above, including JP 3-12, make any mention of the term ‘cyber weapon’. A 2010 memorandum from the Chairman of the Joint Chiefs of Staff, however, clearly identifies CNAs as a form of ‘offensive fire’ – analogous to weapons that are ‘fired’ upon a commander’s order, as well as a key component of Information Operations.

The United States’ Department of Defense in its 2011 Defense Cyberspace Policy Report to Congress acknowledged that “the interconnected nature of cyberspace poses significant challenges for applying some of the legal frameworks developed for physical domains” and observed that “there is currently no international consensus regarding the definition of a cyber weapon”.

A plausible explanation as to why the US Government refrains from using the term ‘cyber weapons’ is found in this report, as it highlights certain legal issues in transporting cyber ‘weapons’ across the Internet through infrastructure owned and/or located in neutral third countries without obtaining the equivalent of ‘overflight rights’, and suggests ‘a principled application of existing norms to be developed along with partners and allies’. A resolution to this legal problem highlighted in the DoD’s report to Congress is visible in the omission of the term ‘cyber weapon’ in legal and policy frameworks altogether, only to be replaced by ‘cyber capabilities’.

We can find the rationale for and implications of this pivot in Professor Michael Schmitt’s 2019 paper, wherein he argues in the context of applicable international law – contrary to the position he espoused in the Tallinn Manual – that ‘cyber capabilities’ cannot meet the definition of a weapon or means of warfare, but that cyber operations may qualify as methods of warfare. This interpretation permits ‘cyber weapons’ in the garb of ‘cyber capabilities’ to circumvent at least three obligations under the Law of Armed Conflict/International Humanitarian Law.

First is the requirement for legal review of weapons under Article 36 of the First Additional Protocol to the Geneva Conventions (an issue Col. Gary Brown has also written about), and second is taking precautions in attack. Third and most important, the argument that cyber weapons cannot be classified as munitions also has the consequence of depriving neutral States of their sovereign right to refuse permission for the transportation of weapons (or in this case, transmission of weaponised cyber capabilities) through their territory (assuming that this is technically possible).

So, in a sense, if we do not treat offensive cyber capabilities, or ‘cyber weapons’, as analogous in international law to conventional weapons normally associated with armed hostilities, in effect, we also restrain the ability of other sovereign States under international law to prevent and prohibit a weaponization of cyberspace without their consent, for military purposes of other cyber powers. Col. Gary Brown, whose work Singh seems to nurture a deep admiration for, admits that the first ‘cyber operation’ was conducted by the United States against the Soviet Union in 1982, causing a trans-Siberian pipe to explode by use of malware implanted in Canadian software acquired by Soviet agents. Since 1982, the US seems to have functioned in single-player mode until Russia’s DDoS attacks on Estonia in 2007, or at the very least, until MOONLIGHT MAZE was uncovered in 1998. For those not inclined to read, Col. Brown makes a fascinating appearance alongside former CIA director Michael Hayden in Alex Gibney’s 2016 Documentary ‘Zero Days’, which delves into Stuxnet – an obvious cyber weapon by any standards, which the US ‘plausibly denied’ until 2012.

Turning back to domestic law, the nomenclature is also significant from a public finance perspective. As anecdotal evidence, we can refer to this 2013 Reuters report, which suggests that the US Air Force designated certain cyber capabilities as ‘weapons’ with a view to secure funding from Congress.

From the standpoint of managing public perceptions too, it is apparent that the positive connotations associated with ‘developing cyber capabilities’ make the same activity a lot more palatable, even development-oriented, in the eyes of the general public, as opposed to the inherent negativity associated with, say, the ‘proliferation of cyber weapons’.

Additionally, the legal framework is also important to delineate the geographical scope of the legal authority (or its personal jurisdiction, if you will) vested in the military as opposed to intelligence agencies to conduct cyber operations. For organizational purposes, the role of intelligence would (in theory) be limited to CNE, whereas CNA and CND would be vested in the military. We know from (Pukhraj’s) experience that this distinction is nearly impossible to make in practice, at least until after the fact. This overlap of what are arguably artificially created categories of cyber operations raises urgent questions about the scope and extent of authority the law can legitimately vest in our intelligence agencies, over and above the implicit authority of the armed forces to operate in the cyber domain.

Norm Making by Norm Breaking

In addition to understanding who wields offensive cyber capabilities, under what circumstances, it is also important for the law to specify where or against whom they are permitted to do so by law. Although militaries of modern day ‘civilized’ nations are rarely ever deployed domestically, there has been some recent concern over whether the US CYBERCOM could be deployed against American citizens in light of recent protests, just as special forces were. While the CIA has legal authority to operate exclusively beyond the United States, the NSA is not burdened by such constraints and is authorized to operate domestically. Thus, the governance/institutional choices before a State looking to ‘acquire cyber weapons’ or ‘develop (offensive) cyber capabilities’ range from bad to worse. One might either (1) permit its intelligence agencies to engage in activities that resemble warfighting more than they resemble intelligence gathering and risk unintentional escalations internationally or (2) permit its military to engage in intelligence collection domestically, potentially against its own citizens and risk ubiquitous militarization of and surveillance in its domestic cyberspace.

Even as many celebrate the recent Federal court verdict that the mass surveillance programmes of the NSA revealed by Edward Snowden were illegal and unconstitutional, let us not forget that this illegality is found vis-à-vis the use of this programme against American citizens only – not foreign surveillance programmes and cyber operations conducted beyond American soil against foreign nationals. Turning to an international law analysis, it is the US’ refusal to recognize State sovereignty as a binding rule of international law, that enables the operationalization of international surveillance and espionage networks and transmission of weaponized cyber capabilities that routinely violate not only the sovereignty of States, but also the privacy and dignity of targeted individuals (the United States does not accept the extra-territorial applicability of the ICCPR).

The nom de guerre of these transgressions in American doctrine is now ‘persistent engagement’ and ‘defend forward’, popularized by the Cyber Solarium Commission most recently—a cleverly crafted term that brings about no technical changes in the modus operandi, but disguises aggressive cyber intrusions across national borders as ostensible self-defence.

It is relevant that this particular problem also finds a clear mention in the Chinese Foreign Minister’s recent statement on the formulation of Digital Security rules by China. Yet, it is not a practice from which either the US or China plan to desist. Recent revelations about the Chinese firm Zhenhua Data Information Technology Co. by the Indian Express have only served to confirm the expansive, and expanding, cyber intelligence network of the Chinese state.

These practices of extraterritorial surveillance, condemnable as they may be, have nonetheless shaped the international legal order we find ourselves in today – a testimony to the paradoxical dynamism of international law – not unlike the process of ‘creative destruction’ of cyberspace highlighted by Singh—where a transgression of the norm (by either cyber power) may one day itself become a norm. What this norm is, or should be, still remains open to interpretation, so let’s not rush to kill all the lawyers—not just yet anyway.

CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020

The Centre for Communication Governance at the National Law University Delhi (CCG) is grateful to the National Security Council Secretariat for this opportunity to make meaningful contributions to its mandate of formulating a futuristic National Cyber Security Strategy 2020 (NCSS). In response to the Call for Comments, apart from the comments below, CCG has separately submitted detailed comments to the Office of the National Cyber Security Coordinator.

Our comments are a result of original and thorough legal and policy research which draws upon multiple primary sources of information, including applicable domestic and international law and precedents, and a comparative study of the cyber security strategy and policy documents of 16 other countries. Secondary sources such as news reports, statistics on cybercrime and malicious cyber activity compiled and released by various Government departments and agencies and data on budgetary allocations released by the Union Government have also been relied on.

This submission is presented in six parts, supplemented by three annexures that provide insight into our sources, analysis and research methodology.

Part I introduces the background in which this strategy is being formulated, and presents a principled approach to the formulation of cybersecurity policy, that is driven by a coherent strategic framework constructed under the NCSS to guide it.

Part II presents an analysis of the landscape of existing and emergent threats that pose a risk to the cybersecurity of the entire nation. We do so with the objective of identifying areas that need to be accorded a higher priority in the formulation of the NCSS.

Parts III, IV and V correspond to the three pillars of strategy identified in the Call for Comments. Part III deals with the horizontal dimension of strategy and unpacks the contents of the first pillar, i.e., “Secure”, wherein we present for the consideration of the Secretariat an original three-tiered model of the ‘national cyberspace’ as a roadmap to cyber sovereignty. We submit for the consideration of the Secretariat the adoption of the principle of peaceful uses of cyberspace to align with the nation’s goals of sustainable economic development, while being mindful of the gradual militarization of cyberspace by both state and non-state actors.

Part IV deals with the “Strengthen” pillar in which CCG examines the existing architecture for cybersecurity to analyse the vertical dimensions of strategy. Herein, we propose measures to strengthen institutions, process and capabilities relevant for cyber security.

Part V deals with the third pillar, namely, “Synergise”, which explains how the horizontal and vertical dimensions of the strategy can be integrated in order to optimize levels of inherent friction that could hinder the achievement of strategic and policy goals. We propose that synergies need to be identified and/or created at three levels. First, at the inter-ministerial level, among the government departments and agencies. Second, at the national level, for enhanced cooperation and strategic partnerships between the public and private sectors. Third, at the international level, for enhanced cooperation and strategic partnerships with like-minded nations, geared towards building stronger national defences in cyberspace. In this part, we take the Government’s inclination to treat data as a “public good” or “societal commons” to its logical conclusion and accordingly propose a principled, common-but-differentiated-responsibility model between multiple stakeholders in the cybersecurity ecosystem for grounding public private partnerships and pooling of financial resources.

Part VI concludes this submission and presents the major findings, suggestions and recommendations of this submission.

The full text of the comments is available here.

India’s new Defence Cyber Agency—II: Balancing Constitutional Constraints and Covert Ops?

By Gunjan Chawla

In our previous post on India’s cyber defence infrastructure, we discussed the new Defence Cyber Agency (DCA), one of the three tri-service agencies announced at the Combined Commander’s Conference last year. Under the leadership of Rear Admiral Mohit Gupta, appointed as its head in April this year, the DCA is expected to serve a dual purpose—first, to fight virtual wars in the cyber dimension and second, to formulate a doctrine of cyberwarfare. In doing so, it is expected to contribute towards a cybersecurity strategy policy which integrates cyberwarfare with conventional military operations. In June, Lt. Col. Rajesh Pant, the National Cyber Security Coordinator announced that the new cybersecurity strategy policy will be released early in 2020.

The utilisation of cyberspace for military operations holds the potential to infuse a certain ‘jointness’ among the Army, Navy and Air Force. Lt. Gen. (Retd.) DS Hooda pointed out the herculean task that lies ahead of Rear Admiral Gupta – “to find a way to work around vertical stovepipes into which the three services have enclosed themselves”. The tri-services nature of the DCA could potentially compel the three services to share operational information and resources on a regular basis, which would further help to formulate a comprehensive and robust cyber defence infrastructure for the country.

From Coordination to Integration

Since the appointment of Rear Admiral Gupta as the head of the DCA, the Government has made only one announcement that has a significant bearing on its role and functioning. The Prime Minister’s announcement in August about the creation of a new position of a Chief of Defence Staff (CDS) is a welcome step and is expected to catalyse the move from coordination to integration in the operations of the Army, Navy and Air Force and the operationalization of the three tri-services agencies. The burden of this herculean task entrusted to Admiral Gupta will now, presumably, be shared by the CDS.

Unlike the Chairman of the Chiefs of Staff Committee (COSC), which is an additional position occupied by the senior-most officer among the three Chiefs, who serves as primus inter pares, or the first among equals – the CDS will be above the three chiefs, and act as a single-point military advisor to the Government and coordinate long term planning, procurements and logistics of the three services. However, there is a long way to go between the announcement of this reform and its actual implementation.

Each of these two announcements – the setting up of the DCA, as well as the creation of the CDS post – necessitates certain changes in the legislated structure of the three wings of the armed forces for two distinct, but related reasons.

First, because the present legislations that govern the composition and structure of the three wings do not offer sufficient guidance for routine operations conducted jointly by the three wings, nor do they envision an officer superior in rank to the Chiefs of the three services.

The Central Government has the power to make rules under S. 191(2)(l) of the Army Act, 1950 to provide for the relative rank of the officers, junior commissioned officers, petty officers and non-commissioned officers of the regular Army, Navy and Air Force when acting together. S. 189(2)(l) of the Air Force Act, 1950 also confers the same power with respect to the Air Force. However, such a provision to make rules is conspicuous by its absence in the Navy Act, 1957. S. 184(2) of the Navy Act, 1957 confers upon the Central Government, the power to make regulations to provide for the relative rank, precedence, powers of command and authority of officers and sailors in the naval service in relation to members of the regular Army and the Air Force, but this makes no specific reference to the situation when members of three forces are acting together. Instead, S. 7 of the Navy Act provides that

“When members of the regular Army and the Air Force are serving with the Indian Navy or the Indian Naval Reserve Forces under prescribed conditions, then those members of the Army or the Air Force shall exercise such command, if any, and be subjected to such discipline as may be prescribed [under this Act].”

Additionally, the provision states that it cannot be deemed to authorise members of the regular Army or the Air Force to exercise powers of punishment over members of the Indian Navy. This provision is rooted in the colonial history of our naval laws, as it was felt that as the conditions of service at sea differed from that on land and because the erstwhile Navy (Discipline) Act, 1934 differed in many respects to the law relating to the Army and the Air Force, no attempt should be made to assimilate the revised Navy Act in other respects to the law relating to the Army and Air Force. Oddly enough, such unique demands of the sea as a theatre of war that prevented assimilation of the three wings are amplified in the case of cyberspace as a distinct, but connected theatre of war and deserve appropriate recognition in law – in a manner that encourages integration.

The existence of such disparate provisions on the conditions of service of members of the three forces when acting together could foreseeably prove to be a hurdle in implementing integration for the creation of tri-services agencies. Additionally, the rank, powers and office of a Chief of Defence Staff are not defined or recognized in any of the three Acts. Should such a post be created by the issuing of rules or regulations by the Central Government, they would have to be laid before Parliament, pursuant to S. 185 of the Navy Act, S. 193A of the Army Act and S. 191A of the Air Force Act. In the current state of the law, it is unclear which of these three Acts could be invoked to formulate rules to create such a post in a manner that facilitates such integration.

The second reason is that the advent of cyberwarfare has brought nation-states into what can be described as the fourth dimension of warfare—military operations that were until recently restricted to the physical domains of land, sea and air have now entered the virtual realm. The growing risk of cyber espionage and breaches of information security of Government agencies, like the ones in 2008, highlight the urgent need for such coordination to ensure prompt, proportionate responses. Thus, we need to prepare a framework not only because the conduct of hostilities now requires unprecedented, seamless integration between the three forces, but also because these hostilities will be conducted in an entirely new dimension, which possesses certain unique characteristics and limitations as a distinct operational theatre for military action.

Accordingly, the question of whether the Government would treat the breach of ‘India’s cyberspace’ by foreign actors, at par with violations of our sovereign territory, airspace or territorial waters must be answered in the affirmative.

At the minimum, (1) defence communications and operational networks, (2) security of the Government communication networks, (3) security of classified and privileged information and (4) critical information infrastructure (CII) should be considered constituent components of our sovereign-protected cyberspace. Since the promulgation and notification of the Information Technology (Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2014, CII falls within the purview of the NCIIPC. Rule 3(4) excludes systems notified by the Ministry of Defence (MoD) as critical information infrastructure. To enable this legally, (1), (2) and (3) ought to be notified by the MoD as such, and explicitly entrusted to the DCA for appropriate action for their protection with appropriate directions.

Constitutional Constraints on Waging War in Cyberspace

Indeed, our cyber forces have been fashioned as an ‘agency’ and not a ‘service’ unto themselves, but contemporary research indicates that with appropriate training and experience, the agency is expected to provide the base for, and grow into, a full-fledged Cyber Command. However, we cannot rely solely on emergency powers under Article 352 of the Constitution as the starting point of our analysis of the legal framework that applies to India’s defensive operations in the cyber realm. Such an analysis leads us to arguments in favour of invoking the fundamental duties of citizens under Article 51A for boosting the recruitment of cyber warriors. Such a system can only remain functional, if at all, on an ad-hoc basis. The domain of Parliamentary action cannot reasonably be restricted on the premise that cyberattacks against Government agencies are the ‘new normal’. The State must prepare for the eventuality that ad hoc arrangements set up as necessary reactions to security breaches need to be institutionalized in law. It is not sufficient to assert that the exigencies of cyberwarfare make it inefficient to seek Parliamentary sanction. And so, the military establishment that engages in hostilities with foreign actors in cyberspace, whether fashioned as an agency, service or command, should be read into the phrase ‘any other armed forces’ of Entry 2 of Schedule VII.

When it comes to the defence of India, the Constitution is unambiguous.

Article 53(2) of the Constitution declares that the supreme command of the armed forces of the Union shall be vested in the President and the exercise thereof shall be regulated by law. (emphasis added) Article 53(3)(b) also states that nothing in this Article shall “prevent Parliament from conferring by law functions on authorities other than the President”.

Article 246(1) of the Constitution vests legislative powers in the Parliament. The provision refers to Schedule VII, which identifies specific areas upon which Parliament is entitled to legislate in the national security domain. These areas include the following:

1. Entry 1 refers to “the Defence of India and every part thereof including preparation for defence and all such acts as may be conducive in times of war to its prosecution and after its termination to effective demobilization.”

2. Entry 2 places “naval, military and air forces; and any other armed forces of the Union” within the legislative competence of Parliament. To this effect, The Army Act and Air Force Act were adopted by the Parliament in 1950 and the Navy Act in 1957.

3. Entry 7 refers to “Industries declared by Parliament by law to be necessary for the purpose of defence or for the prosecution of war”. Although the IT sector is treated as a strategic sector by the Government, no such law has been enacted by Parliament.

The language of Article 246 indicates that Parliament is competent to legislate on these issues. However, the use of the word ‘shall’ in the language of Article 53 suggests that Parliament is duty-bound to enact such a law. This can also be inferred from the language of Article 73(1) of the Constitution, which states that “The Executive power of the Union shall extend – (a) to matters with respect to which Parliament has the power to make laws”. This makes it clear that the exercise of the Executive power is made conditional on the legislative competence of the Parliament, and not vice versa.

So far, no specific legislation has been forthcoming from Parliament to approve or regulate the exercise of the executive power to engage in cyberwarfare, nor has the Government proposed any. However, the promulgation of a Cybersecurity Act that would cover not only various cyber-related crimes, offences, forensic and policing, but also, have enabling provisions for cyber war and defences against cyber war has been proposed by other think tanks, and even Admiral Gupta himself.

Thus, the power to make preparations for prosecution of war in cyberspace should be backed by Parliamentary sanction. Such an enactment would also help clarify many other questions and streamline the contours of India’s cybersecurity infrastructure and institutions. For example, the domain of authority of the DCA and its relationship with its civilian counterparts including the National Cyber Security Coordinator (NCSC) and the Indian Computer Emergency Response Team (CERT-In) remain unclear. With proper consideration and consultations, the setting up of the DCA could potentially open the doors to enhanced, perhaps even institutionalised civilian-military cooperation that begins in cyber operations and permeates into conventional operations as well.

Two new domains—space and cyber—enabled by high technology, offer unprecedented opportunities for enhanced communication and coordination among wings of the armed forces in all theaters of war, and can be used as force multipliers for intelligence analysis, mission planning and control.[i] Given their crucial role in intelligence analysis, foreseeably, the Government could model the agency as one that ‘cyber-supports’ military operations, but with a greater emphasis on covert operations rather than conventional warfare. In such a scenario, we may expect that its structure and functioning would be shrouded in secrecy, analogous to the Research and Analysis Wing (R&AW) or the Intelligence Bureau (IB). This means that the DCA would work closely with the Defence Intelligence Agency (DIA). While structures analogous to existing intelligence agencies could potentially allow greater freedom of action for cyber operations, it could also compromise the DCA’s potential to draw upon civilian expertise.

In the interest of widening the pool from which the DCA recruits and trains its cyber-warriors, a proper legislative mandate would go a long way in establishing and strengthening strategic partnerships with the private sector, where most of the country’s tech talent is currently employed.


[i] As an aside, it is pertinent to mention that India’s entry into the fifth dimension i.e. space remains debatable— even after carrying out the first successful test of anti-satellite (ASAT) weapon and being in the process of setting up a Defense Space Agency, our policies still espouse the principle of peaceful uses of outer space.

[July 15-22] CCG’s Week in Review: Curated News in Information Law and Policy

The National Investigation Agency Act was amended by Parliament this week, expanding its investigation powers to include cyber-terrorism; FaceApp’s user data privacy issues; and the leaked bill to ban cryptocurrencies— presenting this week’s most important developments in law and tech.

Aadhaar

  • [July 15] Govt plans Aadhaar based identification of patients to maintain health records, Live Mint report; The Indian Express report.
  • [July 15] Petition in Delhi HC seeking linking of Aadhaar with property documents, Live Mint report.
  • [July 15] Government stops verification process using Aadhaar for driving license, The Economic Times report.
  • [July 15] Government stops verification process using Aadhaar for driving license: Nitin Gadkari, ET Auto report.
  • [July 18] Will Aadhaar interchangeability for ITR make PAN redundant? Live Mint report.
  • [July 18] Govt floats idea for Aadhaar-like database for mapping citizen health, Business Standard report; Money Control report; Inc42 report.
  • [July 19] Linking Aadhaar with Voter ID— Election Commission to decide within weeks, The Print report; India Legal analysis.
  • [July 21] Mumbai man fights against linking Aadhaar to salary account, The Quint report.
  • [July 21] Violating SC rules, matrimonial site sells love, marriage using Aadhaar data, National Herald report.
  • [July 22] Large cash deposits may soon need Aadhaar authentication, Times of India report; Money Control report.

Right to Information

  • [July 19] Bill to amend RTI law introduced in Lok Sabha amid opposition, India Today report.

Free Speech

  • [July 18] Ajaz Khan of Big Boss fame arrested by Mumbai Police for TikTok video, The Asian Age report; DNA India report.
  • [July 19] Guwahati HC grants anticipatory bail to poets accused of writing communally charged poetry on Assam citizenship crisis, Live Law report.

Internet Governance

  • [July 16] MeitY to finalise Intermediary Liability rules amendment by month end, Medianama report; Inc42 report.

Data Protection and Data Privacy

  • [July 17] Canada probing data theft at military research center: reports, Business recorder report.
  • [July 17] BJP raises issue of privacy breach by tech devices in Rajya Sabha, BJD demands more funds, News 18 report.
  • [July 17] TMC MPs protest outside Parliament in Delhi, demand to bring Data Protection Law, DNA India report.
  • [July 17] Democrats issue warnings against viral Russia-based face-morphing app ‘FaceApp’, NPR report.
  • [July 18] Government notice to Tiktok, Helo; asks to answer 21 questions or face ban, Gadgets Now report; Medianama report; Business insider report.
  • [July 18] Singapore data protection enforcement guide released, Asia Business law Journal report.
  • [July 18] Irish Data Protection Commission issues advice over FaceApp privacy concerns, RTE report.
  • [July 18] Govt admits to data leak of unemployment figures ahead of May announcement in Rajya Sabha, terms the issue ‘serious’, Firstpost report.
  • [July 19] From bad to worse: PM Modi’s office has asked IT Ministry to keep a close eye on TikTok, India Times report.
  • [July 20] Equifax near $700 million settlement of data breach probes: WSJ, AL Jazeera report.
  • [July 21] Jio backs data protection; highlights future growth areas like agriculture, healthcare and education, The Economic Times report.

Data Localisation

  • [July 19] Firms exploring Telangana to set up data centres, The Hindu report.
  • [July 22] Bytedance starts building local data centre in India after lawmakers complain of data privacy, Entrackr report.
  • [July 22] China’s ByteDance to store Indian data locally after MPs raise concerns on privacy, national security, ET Tech report; Outlook report.
  • [July 22] Jio backs data localization to stave off cyberattacks, ET Tech report; Medianama report.

Digital India

  • [July 15] India lags peers in tech skills: Coursera study, ET Telecom report.
  • [July 16] WiFi on the go: Government pushes to keep Bharat connected, ET Telecom report.
  • [July 17] BMTC wants to reboot its IT plan, ET tech report.
  • [July 19] How improved infrastructure and tech firms are changing game development in India, ET Tech report.

Digital Payments and E-Commerce

  • [July 14] How women are sidelined in India’s e-commerce growth, ET Tech report.  
  • [July 17] Digital payment firms write to Government, asking compensation for losses incurred due to ‘zero’ merchant fee, Latestly report.
  • [July 22] How an in-house e-commerce platform Leaf Era has revolutionised government procurement, ET Tech report.
  • [July 22] Aditya Birla Payments Bank to shut down due to “unanticipated developments in business landscape”, Medianama report.

Cryptocurrency

  • [July 15] Hacked crypto exchange Bitpoint discovers more millions are missing, Coin Desk report.
  • [July 15] India: Leaked draft bill would ban all crypto except ‘Digital Rupee’, Coin Telegraph report.
  • [July 16] US says cryptocurrency is a national security issue, The New Indian Express report.
  • [July 16] Bitcoin and crypto suddenly branded a national security issue, Forbes report.
  • [July 16] Crypto a security threat, instrument for illicit activities: Trump admin, Business Standard report.
  • [July 17] Facebook said its Libra cryptocurrency will be regulated by Swiss authorities – but that was news to those Swiss authorities, Business Insider report.
  • [July 17] Making sense of chaos? Algos scour social media for clues to crypto moves, ET Markets report
  • [July 20] Cryptokart: Another Indian crypto exchange shuts down operations, Coin Telegraph report.
  • [July 22] Crypto-attacks are rising in Asia—and cybersecurity AI may be the best way to fight the threat: Darktrace, Business Insider report.

Emerging Tech

  • [July 13] Facial recognition tech is growing stronger, thanks to your face, New York Times report.
  • [July 19] Is there a tug of war between Niti Aayog, IT Ministry on artificial intelligence project? India Today report.

Big Tech

  • [July 15] Tech giants to face US hearings on anti-trust, cryptocurrency, ET Telecom report.
  • [July 15] Amazon Web Services still on pole for $10bn defence cloud deal after Oracle case crashes, DataEconomy.com report.
  • [July 16] Google accused of ripping off digital ad technology in US lawsuit, ET Telecom report.
  • [July 19] EU opens investigation into anti-competitive conduct of Amazon: Will it face heat in India too? Entrackr report.

Telecom/5G

  • [July 17] Govt working on revival of BSNL: Minister tells Lok Sabha, The Hindu Business Line report.
  • [July 19] Make in India: Only half of country’s 268 cellphone makers stay afloat, Financial Express report.

More on Huawei

  • [July 16] The US Congress wants to block the Trump administration from weakening Huawei restrictions, The Verge report.
  • [July 17] US-China talks stuck in rut over Huawei, The Wall Street Journal report.
  • [July 19] Two-thirds of Canadians reject closer ties to China and want Huawei banned from 5G networks, poll says, South China Morning Post report.
  • [July 20] White House to host meeting with tech executives on Huawei ban: report, Business Standard report.  

Cybersecurity

  • [July 15] Use Indian IPRs to ensure telecom network security: Trade group. ET Telecom report.
  • [July 15] Indian IT managers facing budget crunch for cybersecurity, Live Mint report
  • [July 16] Your WhatsApp, Telegram files can be hacked: Symantec, ET Telecom report.
  • [July 16] IT companies tightening salary budgets, leveraging variable pay for niche skills, ET Tech report.
  • [July 17] Druva acquires hybrid data protection firm CloudLanes, The Economic Times report.
  • [July 17] Indian Army launches massive crackdown on personnel violating its cybersecurity norms, The Print report.
  • [July 19] NSO spyware targets phones to get data from Google, Facebook, iCloud: Report, Medianama report.
  • [July 20] New bills on cybersecurity, crime against women soon: Union Minister, India Today report; The Indian Express report.
  • [July 21] An entire nation just got hacked, CNN report.
  • [July 22] Fix Rogue audits; guard Indian data; bulletproof 5G: India’s new cybersecurity chief’s Vision 2020, ET Prime report.
  • [July 22] Fake FaceApp software may infect your device, says global cybersecurity company Kaspersky Lab, New Nation report.

Tech and Elections

  • [July 14] New election systems use vulnerable software, AP News report.

Tech and Law Enforcement

  • [July 12] Revealed: This is Palantir’s Top-Secret User Manual for Cops, Vice Motherboard report.
  • [July 22] WhatsApp traceability case: Details of data requests made by Tamil Nadu Govt to social media companies, Medianama report.

Tech and Military

  • [July 14] French jetpack man flyboards up Champs-Elysees for Paris Parade, RFI report.
  • [July 15] Dassault offset money to help in skill training: FM Nirmala Sitharaman, Money Control report. Economic Times report.
  • [July 16] Modi Govt to buy Pilatus trainer aircraft following corruption charges, to ban Swiss defence firm for one year, OpIndia report.
  • [July 16] If India chooses F-21, it will plug into ‘world’s largest fighter plane ecosystem’: Lockheed Martin, The Economic Times report.
  • [July 17] AI has a bias problem and that can be a big challenge in cybersecurity, CNBC report
  • [July 17] IAF on spares buying spree, The Quint report.
  • [July 19] Lockheed Martin identifies 200 potential Indian partners, Hindustan Times report.
  • [July 18] Navy to buy Rs. 1,589 crore satellite from ISRO, The Economic Times report.
  • [July 18] Indian MoD issues RFP for heavyweight torpedoes for Kalvari-class submarines, Jane’s 360 report.
  • [July 18] Rafale will provide IAF strategic deterrence: Defence Ministry, Money Control report
  • [July 19] US F-35, poster child for ineptitude, inefficiency, The Middle East Monitor report.
  • [July 19] South African Council to collaborate with Indian defence industry, Outlook India report.
  • [July 20] DRDO carries out a dozen successful summer trials of NAG anti-tank missile, ANI report.
  • [July 21] IAF Pilots could soon fly Tom Cruise’s fighter jet from Top Gun Maverick, News 18 report.
  • [July 21] India to forge ahead with Russia accord despite US threat of sanctions, DNA India report.

National Security Legislation

  • [July 15] Lok Sabha passes bill that gives more powers to NIA, Live Mint report, ANI report.
  • [July 15] Lok Sabha passes NIA Amendment Bill to give more power to anti-terror agency; here’s all you need to know, Business Insider report.
  • [July 17] What is the National Investigation Agency Bill and why is it in contention?, Money Control report.
  • [July 17] Rajya Sabha passes National Investigation Agency Amendment Bill 2019, Live Mint report; Outlook India report.
  • [July 18] Cabinet asks finance panel to consider securing non-lapsable funds for defence, The Indian Express report; Financial Express report.
  • [July 20] New bills on cybersecurity, crime against women soon: Union Minister, India Today report; The Indian Express report.

Opinions and Analyses

  • [July 11] Ryan Gallagher, The Intercept, How US Tech giants are helping build China’s Surveillance state.
  • [July 15] Jemima Kelly, Financial Express, Trump v Crypto: rage against the obscene.
  • [July 15] Ravi Shanker Kapoor, News 18 Opinion, Cost of not carrying out economic reforms: Acute shortage of funds for military modernisation.
  • [July 16] Jayshree Pandya, Forbes, Nuances of Aadhaar: India’s digital identity, identification system and ID.
  • [July 16] Binoy Kampmark, International Policy Digest, The UN’s free speech problem.
  • [July 16] K Satish Kumar, DNA India, Need more clarity on data bill.
  • [July 16] Abhishek Banerjee, Swarajya, Richa Bharti: The Free Speech Hero India Needs.
  • [July 17] Ananth Krishnan, The Print, Three reasons why it’s not Huawei or the highway for India’s 5G future.
  • [July 17] Rajesh Vellakat, Financial Express, Personal Data Protection Bill: Will it disrupt our data ecosystem?
  • [July 17] Nouriel Roubini, Live Mint Opinion, Seychelles-based BitMEX and the great crypto heist.
  • [July 17] Tim O’Reilly, Quartz, Antitrust regulators are using the wrong tools to break up Big Tech.
  • [July 18] Tiana Zhang, Jodi Wu, Yue Qiu and Richard Sharpe, Mondaq, Newly released draft measures on data security management strengthen China’s data protection framework.
  • [July 18] Gwyn D’Mello, India Times, If you worry about FaceApp and not your Facebook and Aadhaar, you have bigger problems.
  • [July 18] Sue Halpern, The New Yorker, How Cyber Weapons are changing the landscape of modern warfare.
  • [July 19] TV Mohandas Pai and Umakant Soni, Financial Express, An AI innovation engine for New India.
  • [July 20] Amit Cowshish, The Tribune, Indo-US defence trade not free from encumbrances.
  • [July 20] Umberto Sulpasso, Eurasia Review, Domestic Knowledge Product: Enhancing Wealth, Welfare and National Security—Analysis.
  • [July 20] Tiffany C Li, The Atlantic, FaceApp makes today’s privacy laws look antiquated.
  • [July 20] Tom Robinson, Venture Beat, Crypto can prevent money laundering better than traditional finance.
  • [July 21] Vimal Kumar Kashyap, The Pioneer, 5G to usher in fourth industrial revolution.
  • [July 21] Michael Ashley, Forbes, It’s time to fight back for data sovereignty.
  • [July 22] Vidushi Marda, The Hindu, Facial recognition is an invasive and inefficient tool.

Tracking Cybercrime through the National Crime Records Bureau’s “Crime in India” Report, 2015

By Shuchita Thapar

The National Crime Records Bureau released their annual “Crime in India” report for the year 2015 earlier this year. This post analyses the trends in cybercrime traced through the report.  

The National Crime Records Bureau (“NCRB”) released their annual “Crime in India” report (“NCRB Report”, or “Report”) for the year 2015 earlier this year. The report tracks statistics for various types of crimes across India, and provides useful insight into socio-legal trends, as well as problems being faced by law enforcement agencies in the country. This post seeks to review the findings of the report in relation to cybercrime in the context of issues facing crime deterrence and law enforcement in the country.

The NCRB has been tracking statistics relating to cybercrime since their 2014 report. Based on other trackers, between 2011 and 2015, the country witnessed a surge of nearly 350% in cybercrime cases reported. However, despite an increasing number of cases being reported, conviction rates remain very low. For example, Maharashtra saw only a single conviction in 2015 despite over 2000 cases being registered. While it is true that convictions are not generally related to the cases filed in the same year, low conviction rates are generally indicative of high pendency of cases, as well as an underdeveloped architecture of investigation and deterrence.

The NCRB Crime in India Report 2015

The NCRB Report tracks, in their cybercrime chapter, cases filed which are linked with the use of the internet and IT enabled services. Under this broad categorisation, the report seeks to trace (amongst other things) patterns of cases reported, cases pending, arrest rates, conviction rates, and offender demographics. A total of 11,592 cybercrime cases were registered in 2015, representing an increase of approximately 20.5% over the previous year. These include offences registered under the Information Technology Act (“IT Act”), as well as related sections of the Indian Penal Code and other special or local laws. Uttar Pradesh had the highest rate of reportage of such crimes, followed by Maharashtra and Karnataka.

The majority of the cases (6567) were registered under “Computer Related Offences”, which involve cases registered under Sections 66 to 66E of the IT Act. These include offences such as ‘sending offensive messages through a communication service’ (Section 66A), ‘dishonestly receiving stolen computer resource or communication device’ (Section 66B), ‘identity theft’ (Section 66C) and others. It is interesting to note that despite Section 66A being struck down last year by the Supreme Court in the Shreya Singhal case, convictions under the section have risen, and in some instances new cases have also been filed. Under the IPC, the majority of cases filed were relating to cheating, involving over 65% of the total cases filed.

A total of 8121 persons were arrested during 2015 in relation to cybercrime offences, representing a 41.2% increase over 2014. The maximum number of persons arrested were in Uttar Pradesh. However, tracking the persons arrested may not be the most useful metric, because it does not represent the number of cases that were brought to successful completion. In fact, only 250 persons were finally convicted under the IT Act and 20 were convicted under the IPC.

Over 14,000 cases registered under the IT Act were investigated in 2015, including over 6000 pending cases. At the end of the year, over 8000 cases remained pending for investigation. 2396 cases were charge-sheeted in 2015, and 4191 cases were pending for trial. Trials were completed in 486 cases, with 193 ending in conviction. 5,094 cases under the IPC were investigated in 2015, with over 1600 being pending cases from the previous year. 710 cases were charge-sheeted in 2015, and trials were completed for only 53 cases. In cases registered under the IPC, over 3600 cases remained pending for investigation at the end of 2015 – the majority of these cases related to forgery and data theft. It is clear that the pendency of cases is not only high, but increasing, although the NCRB report does not offer any potential reasons.

In terms of offender demographics, the majority of persons arrested fell within the 18-30 age bracket – over 65% of the arrestees under the IT Act, and 55% of the arrestees under the IPC are within this category. However, the NCRB report does not track other demographic statistics, including gender and socio-economic status.

The largest section of arrestees were characterized as ‘business competitors’, followed by ‘neighbours/friends/relatives’. The vast majority of persons arrested were Indian nationals, with only 4 foreign nationals being captured. Given the rising number of cyber incidents stemming from abroad, it is clear that the existing cyber law framework may be insufficient to tackle transnational cyber crime.

Conclusions

The NCRB report highlights the fact that problems that have plagued most areas of the Indian criminal justice system continue to be issues in relation to cybercrime. These include high pendency of cases, low conviction rates and low reporting. These problems are exacerbated by rising usage of information technology resources with limited knowledge of good cybersecurity principles. Experts have also suggested that the Indian ecosystem around cyber policing is simply not equipped to secure convictions, because of an inadequately trained police force, limited technical resources, low co-ordination between the public and private sector, and an unequipped judicial system.

The Supreme Court of India has taken suo moto cognizance of the issue after a letter written by Hyderabad-based NGO Prajwala pointed out that 9 videos of sexual assault were being circulated on WhatsApp. After a CBI probe was ordered into these instances, the Centre also set up an expert group to formulate appropriate means to tackle growing cybercrime in India. Following this, the government agreed to take various steps, including the establishment of a National Cyber Crime Coordination Centre (“NCCC”) in order to focus on cybercrimes and national security issues and ensure appropriate communication between agencies. Reports have suggested that Phase I of the NCCC will be live by March 2017. It has also been agreed that cybercrime complaints can be filed online without the necessity of visiting a police station.

There have also been other steps taken, including the establishment of cyber labs promising additional technical, and increased emphasis on international co-operation. It is to be hoped that these measures will go a long way towards assuaging the policing problems currently facing cybercrime in India.

Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi

 

Cybersecurity in the Indian Banking Sector

By Shalini S.

The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary. The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country.  This is a welcome move for the Indian banking sector and its customers who are threatened by systemic vulnerabilities, which enable technology related banking and financial frauds,[1] birthed primarily by the continued migration of services to internet and mobile platforms. This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.

While the adoption of IT for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from lack of coordination.[2] With the significant operational risks of adopting information technology in the delivery of banking services, a significant rise in banking-related technology frauds has been reported, a cause for concern for customers, commercial banks and the RBI. Even though the advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.

Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds have been reported to be the most common cyber-attacks against banks and their customers.[3] Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.

The RBI, which is the central banking institution of the country and responsible for the supervision and regulation of the finance sector, also bears the onus of evolving and enforcing parameters of banking operations. Noting the inevitability of increased digitization of traditional banking services and accompanying vulnerabilities, the RBI has previously attempted to address the issue of cybersecurity by evolving minimum standard cyber safety norms for banks and other providers of financial services. In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CIO) and a steering committee on information security. Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud, in 2011. The guidelines provided detailed insight into building fraud risk perspective in banks, customizing audits to detect irregularities and vulnerabilities and even the appropriate reporting of fraud cases to law enforcement and other relevant stakeholders.[4] Even though the guidelines themselves dealt only cursorily with issues of data security and privacy, the Institute for Development and Research in Banking Technology (IDRBT), an IT institute set up by the RBI, released a handbook on information security governance to the banking sector, to act as a follow-up to the above-mentioned guidelines.

Unfortunately, these guidelines, which were considered minimum best standards and slated to be implemented in a phased manner[5], have not been treated seriously, and several banks have failed to implement them and carry out the required cyber due diligence. The same year, RBI also released the Information Technology Vision Document 2011-2017 that highlighted its recognition of the enormity of the menace that is cyber-attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In 2013, it also issued a circular on risk mitigation measures to be undertaken during e-payment transactions to help banks secure electronic payment transactions such as RTGS, NEFT and IMPS from cyber-attacks. Noting the significant increase in fraud in online banking transactions, RBI also advised banks to introduce two or three-stage authentication and transaction verification.[6] However, as telecom companies, whose services are used in authenticating transactions, continue to have fragile digital security and fail to follow minimum safety protocols, these transactions continue in high-risk environments[7] and are in desperate need of monitoring.

While it is clear from the measures outlined in the paragraphs above that the banking industry has recognized the risks associated with the penetration of IT into financial services, the proposed IT subsidiary of the RBI could prove to be a great institutional addition. The threat landscape highlighted in the paragraphs above demonstrates the need for a dedicated IT subsidiary to evaluate the technical capabilities of banks and provide support in beefing up cyber security in the sector. As the exact form and mandate of the IT arm of the RBI have not yet been set, it can also be designed to act as an information sharing resource akin to the dedicated cell that was to be formed under the aegis of IDRBT,[8] and additionally work towards ensuring compliance by commercial banks with RBI notifications, codes and rules pertaining to cybersecurity and data protection. Since banking, a finance sector function, potentially falls in the category of critical information infrastructure,[9] there needs to be constant security vigilance and cyber security measures on par with global standards. In addition to exploring methods in which the possibilities of IT can be harnessed for effective, cost-efficient, real-time delivery of banking services, it is also crucial for this proposed subsidiary to concentrate on evolving binding basic standards of data security and privacy, which in the banking sector are currently driven primarily by the Information Technology Amendment Act, 2008.[10] The subsidiary, which currently aims to track evolving threats and vulnerabilities, should also attempt to develop real-time fraud prevention models and increase customer confidence by increasing the effectiveness of independent financial IT controls.

[1] The Economic Times, Reserve Bank of India plans IT arm, to hire experts to work on banking technologies, 2015, http://economictimes.indiatimes.com/industry/banking/finance/banking/reserve-bank-of-india-plans-it-arm-to-hire-experts-to-work-on-banking-technologies/articleshow/49512043.cms (last visited Oct 26, 2015).

[2] Livemint, Banks bet big on technology to boost efficiency, curb fraud (2011), http://www.livemint.com/Industry/8df71WBdwALasI5afwadUJ/Banks-bet-big-on-technology-to-boost-efficiency-curb-fraud.html (last visited Oct 26, 2015).

[3] The Economic Times, RBI asks banks to set up committees to protect IT data, 2011, http://articles.economictimes.indiatimes.com/2011-04-30/news/29490905_1_banking-and-mobile-banking-electronic-channels-frauds (last visited Oct 26, 2015).

[4] Amit Kashyap, Indian Banking: Contemporary Issues in Law and Challenges (2014).

[5] SearchSecurity, RBI guidelines focus on fortifying IT security by banks (2011), http://searchsecurity.techtarget.in/news/2240031005/RBI-guidelines-focus-on-fortifying-IT-security-by-banks (last visited Oct 26, 2015).

[6] The Economic Times, RBI for two-stage verification for online banking transactions, 2014, http://articles.economictimes.indiatimes.com/2014-04-22/news/49318793_1_cheque-truncation-system-authentication-transactions (last visited Oct 27, 2015).

[7] Sharad Vyas, Mumbaikars beware! Your bank details are being stolen and sold!, Mid-day (2015), http://www.mid-day.com/articles/mumbaikars-beware-your-bank-details-are-being-stolen-and-sold/16218163 (last visited Oct 28, 2015).

[8] See, Institute for Development and Research in Banking Technology, Consultancy Report on An initiative for research and intelligence gathering related to security incidents in financial services sector for analysis & sharing of insight (2012), http://www.idrbt.ac.in/PDFs/PT%20Reports/2012/RekhaAG_AnInitiative_2012.pdf (last visited Oct 27, 2015).

[9] See, DeitY, Cyber Security Strategy – Strategic Approach | Government of India, Department of Electronics and Information Technology (DeitY), http://deity.gov.in/content/strategic-approach (last visited Oct 26, 2015).

[10] PSA, Risk management in e-banking (2009), http://psalegal.com/upload/publication/assocFile/BANKING-LAWS-BULLETIN-ISSUE-II_1288782887.pdf (last visited Oct 26, 2015).