India’s new Defence Cyber Agency—II: Balancing Constitutional Constraints and Covert Ops?

By Gunjan Chawla

In our previous post on India’s cyber defence infrastructure, we discussed the new Defence Cyber Agency (DCA), one of the three tri-service agencies announced at the Combined Commander’s Conference last year. Under the leadership of Rear Admiral Mohit Gupta, appointed as its head in April this year, the DCA is expected to serve a dual purpose—first, to fight virtual wars in the cyber dimension and second, to formulate a doctrine of cyberwarfare. In doing so, it is expected to contribute towards a cybersecurity strategy policy which integrates cyberwarfare with conventional military operations. In June, Lt. Col. Rajesh Pant, the National Cyber Security Coordinator announced that the new cybersecurity strategy policy will be released early in 2020.

The utilisation of cyberspace for military operations holds the potential to infuse a certain ‘jointness’ among the Army, Navy and Air Force. Lt. Gen. (Retd.) DS Hooda pointed out the herculean task that lies ahead of Rear Admiral Gupta– “to find a way to work around vertical stovepipes into which the three services have enclosed themselves”. The tri-services nature of the DCA could potentially compel the three services to share operational information and resources on a regular basis, which would further help to formulate a comprehensive and robust cyber defence infrastructure for the country.

From Coordination to Integration

Since the appointment of Rear Admiral Gupta as the head of the DCA, the Government has made only one announcement that has a significant bearing on its role and functioning. The Prime Minister’s announcement in August about the creation of a new position of a Chief of Defence Staff (CDS) is a welcome step and is expected to catalyse the move from coordination to integration  in the operations of the Army, Navy and Air Force and the operationalization of the three tri-services agencies. The burden of this herculean task entrusted to Admiral Gupta will now presumably, be shared by the CDS.

Unlike the Chairman of the Chiefs of Staff Committee (COSC), which is an additional position occupied by the senior-most officer among the three Chiefs, who serves as primus inter pares, or the first among equals – the CDS will be above the three chiefs, and act as a single-point military advisor to the Government and coordinate long term planning, procurements and logistics of the three service. However, there is long way to go between the announcement of this reform and its actual implementation.

Each of these two announcements – the setting up of the DCA, as well as creation of the CDS post necessitates certain changes in the legislated structure of the three wings of the armed forces for two distinct, but related reasons.

First, because the present legislations that govern the composition and structure of the three wings do not offer sufficient guidance for routine operations conducted jointly by the three wings, nor do they envision an officer superior in rank to the Chiefs of the three services.

The Central Government has the power to make rules under S. 191(2)(l) of the Army Act, 1950 to provide for the relative rank of the officers, junior commissioned officers, petty officers and non-commissioned officers of the regular Army, Navy and Air Force when acting together. S. 189(2)(l) of the Air Force Act, 1950 also confers the same power with respect to the Air Force. However, such a provision to make rules is conspicuous by its absence in the Navy Act, 1957. S. 184(2) of the Navy Act, 1957 confers upon the Central Government, the power to make regulations to provide for the relative rank, precedence, powers of command and authority of officers and sailors in the naval service in relation to members of the regular Army and the Air Force, but this makes no specific reference to the situation when members of three forces are acting together. Instead, S. 7 of the Navy Act provides that

“When members of the regular Army and the Air Force are serving with the Indian Navy or the Indian Naval Reserve Forces under prescribed conditions, then those members of the Army or the Air Force shall exercise such command, if any, and be subjected to such discipline as may be prescribed [under this Act].”

Additionally, the provision states that it cannot be deemed to authorise members of the regular Army or the Air Force to exercise powers of punishment over members of the Indian Navy. This provision is rooted in the colonial history of our naval laws, as it was felt that as the conditions of service at sea differed from that on land and because the erstwhile Navy (Discipline) Act, 1934 differed in many respects to the law relating to the Army and the Air Force, no attempt should be made to assimilate the revised Navy Act in other respects to the law relating to the Army and Air Force. Oddly enough, such unique demands of the sea as a theatre of war that prevented assimilation of the three wings are amplified in the case of cyberspace as a distinct, but connected theatre of war and deserve appropriate recognition in law – in a manner that encourages integration.

The existence of such disparate provisions on the conditions of service of members of the three forces when acting together could foreseeably, prove to be a hurdle in implementing integration for the creation of tri-services agencies. Additionally, the rank, powers and office of a Chief of Defence Staff is not defined or recognized in either of the three Acts. Should such a post be created by the issuing of rules or regulations by the Central Government, they would have to be laid before Parliament, pursuant to S. 185 of the Navy Act, S. 193A of the Army Act and S. 191A of the Air Force Act. In the current state of the law, it is unclear which of these three Acts could be invoked to formulate rules to create such a post in a manner that facilitates such integration.

The second reason is that the advent of cyberwarfare has brought nation-states into what can be described to as the fourth dimension of warfare—military operations that were until recently restricted to the physical domains of land, sea and air have now entered the virtual realm. The growing risk of cyber espionage and breaches of information security of Government agencies, like the ones in 2008 highlight the urgent need for such coordination to ensure prompt, proportionate responses. Thus, we need to prepare a framework not only because the conduct of hostilities now requires unprecedented, seamless integration between the three forces, but also because these hostilities will be conducted in an entirely new dimension, which possesses certain unique characteristics and limitations as a distinct operational theatre for military action.

Accordingly, the question of whether the Government would treat the breach of ‘India’s cyberspace’ by foreign actors, at par with violations of our sovereign territory, airspace or territorial waters must be answered in the affirmative.

At the minimum, this should include, (1) defence communications and operational networks, (2) security of the Government communication networks (3) security of classified and privileged information and (4) critical information infrastructure (CII) should be considered constituent components of our sovereign-protected cyberspace. Since the promulgation and notification of the Information Technology (Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2014, CII falls within the purview of the NCIIPC. Rule 3(4) excludes systems notified by the Ministry of Defence (MoD) as critical information infrastructure. To enable this legally, (1), (2) and (3) ought to be notified by the MoD as such, and explicitly entrusted to the DCA for appropriate action for their protection with appropriate directions.

Constitutional Constraints on Waging War in Cyberspace

Indeed, our cyber forces have been fashioned as an ‘agency’ and not a ‘service’ unto themselves, but contemporary research indicates that with appropriate training and experience, the agency is expected to provide the base for, and grow into a full-fledged Cyber Command.  However, we cannot rely solely on emergency powers under Article 352 of the Constitution as the starting point of our analysis of the legal framework that applies to India’s defensive operations in the cyber realm. Such an analysis leads us to arguments in favour of invoking the fundamental duties of citizens Article 51A for boosting the recruitment of cyber warriors. Such a system can only remain functional, if at all, on an ad-hoc basis. The domain of Parliamentary action cannot reasonably be restricted on the premise that cyberattacks against Government agencies are the ‘new normal’. The State must prepare for the eventuality that ad hoc arrangements set up as necessary reactions to security breaches need to be institutionalized in law. It is not sufficient to assert that the exigencies of cyberwarfare make it inefficient to seek Parliamentary sanction. And so, the military establishment that engages in hostilities with foreign actors in cyberspace, whether fashioned as an agency, service or command, should be read into the phrase ‘any other armed forces’ of Entry 2 of Schedule VII.

When it comes to the defence of India, the Constitution is unambiguous.

Article 53(2) of the Constitution declares that the supreme command of the armed forces of the Union shall be vested in the President and the exercise thereof shall be regulated by law. (emphasis added) Article 53(3)(b) also states that nothing in this Article shall “prevent Parliament from conferring by law functions on authorities other than the President”.

Article 246(1) of the Constitution vests legislative powers in the Parliament. The provision refers to Schedule VII, which identifies specific areas upon which Parliament is entitled to legislate in the national security domain. These areas include the following:

1. Entry 1 refers to “the Defence of India and every part thereof including preparation for defence and all such acts as may be conducive in times of war to its prosecution and after its termination to effective demobilization.”

2. Entry 2 places “naval, military and air forces; and any other armed forces of the Union” within the legislative competence of Parliament. To this effect, The Army Act and Air Force Act were adopted by the Parliament in 1950 and the Navy Act in 1957.

3. Entry 7 refers to “Industries declared by Parliament by law to be necessary for the purpose of defence or for the prosecution of war”. Although the IT sector is treated as a strategic sector by the Government, no such law has been enacted by Parliament.

The language of Article 246 indicates that Parliament is competent to legislate on these issues. However, the use of the word ‘shall’ in the language Article 53 suggests that Parliament is duty-bound to enact such a law. This can also be inferred from the language of Article 73(1) of the Constitution, which states that “The Executive power of the Union shall extend –(a) to matters with respect to which Parliament has the power to make laws”. This makes it clear that the exercise of the Executive power is made conditional on the legislative competence of the Parliament, and not vice versa.

So far, no specific legislation has been forthcoming from Parliament to approve or regulate the exercise of the executive power to engage in cyberwarfare, nor has the Government proposed any. However, the promulgation of a Cybersecurity Act that would cover not only various cyber-related crimes, offences, forensic and policing, but also, have enabling provisions for cyber war and defences against cyber war has been proposed by other think tanks, and even Admiral Gupta himself.

Thus, the power to make preparations for prosecution of war in cyberspace should be backed by Parliamentary sanction. Such an enactment would also help clarify many other questions and streamline the contours of India’s cybersecurity infrastructure and institutions. For example, the domain of authority of the DCA and its relationship with its civilian counterparts including the National Cyber Security Coordinator (NCSC) and the Indian Computer Emergency Response Team (CERT-In) remain unclear. With proper consideration and consultations, the setting up of the DCA could potentially open the doors to enhanced, perhaps even institutionalised civilian-military cooperation that begins in cyber operations and permeates into conventional operations as well.

Two new domains—space and cyber—enabled by high technology, offer unprecedented opportunities for enhanced communication and coordination among wings of the armed forces in all theaters of war, and be used as force multipliers for intelligence analysis, mission planning and control.[i] Given their crucial role in intelligence analysis, foreseeably, the Government could model the agency as one that ‘cyber-supports’ military operations, but  with a greater emphasis on covert operations rather than conventional warfare.  In such a scenario, we may expect that its structure and functioning would be shrouded in secrecy, analogous to the Research and Analysis Wing (R&AW) or the Intelligence Bureau (IB). This means that the DCA would work closely with the Defence Intelligence Agency (DIA). While structures analogous to existing intelligence agencies could potentially allow greater freedom of action for cyber operations, it could also compromise the DCA’s potential to draw upon civilian expertise.

In the interest of widening the pool from which the DCA recruits and trains its cyber-warriors, a proper legislative mandate would go a long way in establishing and strengthening strategic partnerships with the private sector, where most of the country’s tech talent is currently employed.


[i] As an aside, it is pertinent to mention that India’s entry into the fifth dimension i.e. space remains debatable— even after carrying out the first successful test of anti-satellite (ASAT) weapon and being in the process of setting up a Defense Space Agency, our policies still espouse the principle of peaceful uses of outer space.

[September 2-9] CCG’s Week in Review: Curated News in Information Law and Policy

This week, Delhi International Airport deployed facial recognition on a ‘trial basis’ for 3 months, landline communications were restored in Kashmir as the Government mulls over certification for online video streaming platforms like Netflix and PrimeVideo – presenting this week’s most important developments in law, tech and national security.

Aadhaar

  • [Sep 3] PAN will be issued automatically using Aadhaar for filing returns: CBDT, DD News report.
  • [Sep 3] BJD set to collect Aadhaar numbers of its members in Odisha, Opposition parties slam move, News 18 report; The New Indian Express report; Financial Express report.
  • [Sep 5] Aadhaar is secure, says ex-UIDAI chief, Times of India report.
  • [Sep 5] Passport-like Aadhaar centre opened in Chennai: Online appointment booking starts, Livemint report.
  • [Sep 8] Plans to link Janani Suraksha and Matra Vandan schemes with Aadhaar: CM Yogi Adityanath, Times of India report.

Digital India

  • [Sep 5] Digital media bodies welcome 26% FDI cap, Times of India report.
  • [Sep 6] Automation ‘not  threat’ to India’s IT industry, ET Tech report.
  • [Sep 6] Tech Mahindra to modernise AT&T network systems, Tech Circle report.

Data Protection and Governance

  • [Sep 2] Health data comes under the purview of Data Protection Bill: IAMAI, Inc42 report.
  • [Sep 2] Credit history should not be viewed as sensitive data, say online lenders, Livemint report.
  • [Sep 3] MeitY may come up with policy on regulation of non-personal data, Medianama report.
  • [Sep 3] MeitY to work on a white paper to gain clarity on public data regulations, Inc42 report.
  • [Sep 6] Treating data as commons is more beneficial, says UN report, Medianama report.
  • [Sep 9] Indian Government may allow companies to sell non-personal data of its users, Inc42 report, The Economic Times report.
  • [Sep 9] Tech firms may be compelled to share public data of its users, ET Tech report.

Data Privacy and Breaches

  • [Sep 2] Chinese face-swap app Zao faces backlash over user data protection, KrAsia report; Medianama report.
  • [Sep 2] Study finds Big Data eliminates confidentiality in court judgments, Swiss Info report.
  • [Sep 4] YouTube will pay $170 million to settle claims it violated child privacy laws, CNBC report; FTC Press Release.
  • [Sep 4] Facebook will now let people opt-out of its face recognition feature, Medianama report.
  • [Sep 4] Mental health websites in Europe found sharing user data for ads, Tech Crunch report.
  • [Sep 5] A huge database of Facebook users’ phone numbers found online, Tech Crunch report.
  • [Sep 5] Twitter has temporarily disabled tweet to SMS feature, Medianama report.
  • [Sep 6] Fake apps a trap to track your device and crucial data, ET Tech report.
  • [Sep 6] 419 million Facebook users phone numbers leaked online, ET Tech report; Medianama report
  • [Sep 9] Community social media platform, LocalCircles, highlights data misuse worries, The Economic Times report.

Free Speech

  • [Sep 7] Freedom of expression is not absolute: PCI Chairman, The Hindu report.
  • [Sep 7] Chennai: Another IAS officer resign over ‘freedom of expression’, Deccan Chronicle report.
  • [Sep 8] Justice Deepak Gupta: Law on sedition needs to be toned down if not abolished, The Wire report.

Online Content Regulation

  • [Sep 3] Government plans certification for Netflix, Amazon Prime, Other OTT Platforms, Inc42 report.
  • [Sep 4] Why Justice for Rights went to court, asking for online content to be regulated, Medianama report.
  • [Sep 4] Youtube claims new hate speech policy working, removals up 5x, Medianama report.
  • [Sep 6] MeitY may relax norms on content monitoring for social media firms, ET Tech report; Inc42 report; Entrackr report.

E-Commerce

  • [Sep 4] Offline retailers accuse Amazon and Flipkart of deep discounting, predatory pricing and undercutting, Medianama report; Entrackr report.
  • [Sep 6] Companies rely on digital certification startups to foolproof customer identity, ET Tech report.

Digital Payments and FinTech

  • [Sep 3] A sweeping reset is in the works to bring India in line with fintech’s rise, The Economic Times report.
  • [Sep 3] Insurance and lending companies in agro sector should use drones to reduce credit an insurance risks: DEA’s report on fintech, Medianama report.
  • [Sep 3] Panel recommends regulating fintech startups, RBI extends KYC deadline for e-wallet companies, TechCircle report.
  • [Sep 4] NABARD can use AI and ML to create credit scoring registry: Finance Ministry report on FinTech, Medianama report.
  • [Sep 5] RBI denies action against Paytm Payments bank over PIL allegation, Entrackr report.
  • [Sep 5] UPI entities may face market share cap, ET Tech report.
  • [Sep 6] NBFC license makes fintech startups opt for lending, ET Tech report.
  • [Sep 9] Ease access to credit history: Fintech firms, ET Markets report.

Cryptocurrencies

  • [Sep 1] Facebook hires lobbyists to boost crypto-friendly regulations in Washington, Yahoo Finance report.
  • [Sep 2] US Congress urged to regulate crypto under Bank Secrecy Act, Coin Telegraph report.
  • [Sep 2] Indian exchanges innovate as calls for positive crypto regulation escalate, Bitcoin.com report.
  • [Sep 4] Marshall Islands official explains national crypto with fixed supply, Coin Telegraph report.
  • [Sep 5] Apple thinks cryptocurrency has “long-term potential”, Quartz report.
  • [Sep 5] NSA reportedly developing quantum-resistant ‘crypto’, Coin Desk report.
  • [Sep 6] Crypto stablecoins may face bottleneck, ET Markets report.

Cybersecurity

  • [Sep 3] Google’s Android suffers sustained attacks by anti-Ugihur hackers, Forbes report.
  • [Sep 4] Firefox will not block third-party tracking and cryptomining by default for all users, Medianama report.
  • [Sep 4] Insurance companies are fueling ransomware attacks, Defense One report.
  • [Sep 5] Firms facing shortage of skilled workforce in cybersecurity: Infosys Research, The Economic Times report.
  • [Sep 5] Cybersecurity a boardroom imperative in almost 50% of global firms: Survey, Outlook report; ANI report.
  • [Sep 5] DoD unveils new cybersecurity certification model for contractors, Federal News Network report.
  • [Sep 5] Jigsaw Academy launches cybersecurity certification programme in India, DQ India report.
  • [Sep 6] Indians lead the world as Facebook Big Bug Hunters, ET Tech report.
  • [Sep 6] Australia is getting a new cybersecurity strategy, ZD Net report.
  • [Sep 9] China’s 5G, industrial internet roll-outs to fuel more demand for cybersecurity, South China Morning Post report.

Tech and National Security

  • [Sep 3] Apache copters to be inducted today, The Pioneer report.
  • [Sep 3] How AI will predict Chinese and Russian moves in the Pacific, Defense One report.
  • [Sep 3] US testing autonomous border-patrol drones, Defense One report.
  • [Sep 3] Meet the coalition pushing for ‘Cyber Peace’ rules. Defense One report.
  • [Sep 4] US wargames to try out concepts for fighting China, Russia, defense One report.
  • [Sep 4] Southern Command hosts seminar on security challenges, Times of India report; The Indian Express report
  • [Sep 4] Russia, already India’s biggest arms supplier, in line for more, Business Standard report.
  • [Sep 4] Pentagon, NSA prepare to train AI-powered cyber defenses, Defense One report.
  •  [Sep 5] Cabinet clears procurement of Akash missile system at Rs. 5500 crore, Times Now report.
  • [Sep 5] India to go ahead with $3.1 billion US del for maritime patrol aircraft, The Economic Times report.
  • [Sep 5] DGCA certifies ‘small’ category drone for complying with ‘No-Permission, No-Takeoff’ protocol, Medianama report.
  • [Sep 5] India has never been aggressor but will not hesitate in using its strength to defend itseld: Rajnath Singh, The Economic Times report.
  • [Sep 5] Panel reviewing procurement policy framework to come out with new versions of DPP, DPM by March 2020, The Economic Times report; Business Standard report; Deccan Herald report.
  • [Sep 5] Russia proposes joint development of submarines with India, The Hindu report.
  • [Sep 7] Proud of you: India tells ISRO after contact lost with CHandrayaan-2 lander, India Today report.

Tech and Elections

  • [Sep 4] ECI asks social media firms to follow voluntary code of ethics ahead of state polls: report, Medianama report.
  • [Sep 6] Congress party to reorganise its data analytics department, Medianama report.
  • [Sep 5] Why the 2020 campaigns are still soft targets for hackers, Defense One report.
  • [Sep 5] Facebook meets with FBI to discuss election security, Bloomberg report.
  • [Sep 5] Facebook is making its own AI deepfakes to head off a disinformation disaster, MIT Tech Review report.

Internal Security: J&K

  • [Sep 4] Long convoy, intel failure: Multiple lapses led to Pulwama terror attack, finds CRPF inquiry, India Today report; Kashmir Media Service report; The Wire report.
  • [Sep 4] Extension of President’s Rule in Kashmir was not delayed, MHA says in report to SC lawyer’s article, Scroll.in report.
  • [Sep 6] Landline communication restored in Kashmir Valley: Report, Medianama report.
  • [Sep 7] Kashmir’s Shia areas face curbs, all Muharram processions banned, The Quint report.
  • [Sep 7] No question of army atrocities in Kashmir as it’s only fighting terrorists: NSA Ajit Doval, India Today report.
  • [Sep 8] More than 200 militants trying to cross into Kashmir from Pakistan: Ajit Doval, Money Control report.
  • [Sep 8] ‘Such unilateral actions are futile’, says India after Pakistan blocks airspace for President Kovind, Scroll.in report; NDTV report.

Internal Security: NRC

  • [Sep 2] Contradictory voices in Assam Congress son NRC: Tarun Gogoi slams it as waste paper, party MP says historic document, India Today report.
  • [Sep 3] Why Amit Shah is silent on NRC, India Today report.
  • [Sep 7] AFSPA extended for 6 months in Assam, Deccan Herald report.
  • [Sep 7] At RSS mega meet, concerns over Hindus being left out of NRC: Sources, Financial Express report.

National Security Institutions and Legislation

  • [Sep 5] Azhar, Saeed, Dawood declared terrorists under UAPA law, Deccan Herald report; The Economic Times report.
  • [Sep 8] Home Minister says India’s national security apparatus more robust than ever, Livemint report.
  • [Sep 8] Financial safety not national security reason for women to join BSF: Study, India Today report.

Telecom/5G

  • [Sep 6] Security is an issue in 5G: NCSC Pant on Huawei, Times of India report.

More on Huawei

  • [Sep 1] Huawei believes banning it from 5G will make countries insecure, ZD Net report.
  • [Sep 2] Huawei upbeat on AI strategy for India, no word on 5G roll-out plans yet, Business Standard report.
  • [Sep 3] Huawei denies US allegations of technology theft, NDTV Gadgets 260 report; Business Insider report; The Economic Times report.
  • [Sep 3] Shocking Huawei ‘Extortion and Cyberattack’ allegations in new US legal fight, Forbes report; Livemint report, BBC News report; The Verge report
  • [Sep 3] Committed to providing the most advanced products: Huawei, ET Telecom report.
  • [Sep 4] Huawei says 5G rollout in India will be delayed by 3 years if it’s banned, Livemint report
  • [Sep 4] Trump not interested in talking Huawei with China, Tech Circle report.
  • [Sep 5] Nepal’s only billionaire enlists Huawei to transform country’s elections, Financial Times report.
  • [Sep 8] Trump gets shocking new Huawei warning – from Microsoft, Forbes report.

Emerging Tech

  • [Aug 30] Facebook is building an AI Assistant Inside Minecraft, Forbes report.
  • [Sep 3] AWS partners with IIT KGP for much needed push to India’s AI skilling, Inc42 report.
  • [Sep 3] Behind the Rise of China’s facial recognition giants, Wired report.
  • [Sep 4] Facebook won’t use facial recognition on you unless you tell it to, Quartz report.
  • [Sep 4] An AI app that turns you into a movie star has risked the privacy of millions, MIT Technology Review report.
  • [Sep 6] Police use f facial recognition is accepted by British Court, The New York Times report.
  • [Sep 6] Facebook, Microsoft announce challenge to detect deepfakes, Medianama report.
  • [Sep 6] Facial recognition tech to debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months, Medianama report.

Internet Shutdowns

  • [Sep 3] After more than 10 weeks, internet services in towns of Rakhine and Chin restored, Medianama report.
  • [Sep 4] Bangladesh bans mobile phone services in Rohingya camps, Medianama report.

Opinions and Analyses

  • [Sep 2] Michael J Casey, Coin Desk, A crypto fix for a broken international monetary system.
  • [Sep 2] Yengkhom Jilangamba, News18 Opinion, Not a solution to immigration problem, NRC final list has only brought to surface fault lines within society.
  • [Sep 2] Samuel Bendett, Defense One, What Russian Chatbots Think About Us.
  • [Sep 2] Shivani Singh, Hindustan Times, India’s no first use policy is a legacy that must be preserved.
  • [Sep 3] Abir Roy, Financial Express, Why a comprehensive law is needed for data protection. 
  • [Sep 3] Dhirendra Kumar, The Economic Times, Aadhaar is back for mutual fund investments.
  • [Sep 3] Ashley Feng, Defense One, Welcome to the new phase of US-China tech competition.
  • [Sep 3] Nesrine Malik, The Guardian, The myth of the free speech crisis.
  • [Sep 3] Tom Wheeler and David Simpson, Brookings Institution, Why 5G requires new approaches to cybersecurity.
  • [Sep 3] Karen Roby, Tech Republic, Why cybersecurity is a big problem for small businesses.
  • [Sep 4] Wendy McElroy, Bitcoin.com, Crypto needs less regulation, not more.
  • [Sep 4] Natascha Gerlack and Elisabeth Macher, Modaq.com, US CLOUD Act’s potential impact on the GDPR. 
  • [Sep 4] Peter Kafka, Vox, The US Government isn’t ready to regulate the internet. Today’s Google fine shows why.
  • [Sep 5] Murtaza Bhatia, Firstpost, Effective cybersecurity can help in accelerating business transformation. 
  • [Sep 5] MG Devasahayam, The Tribune, Looking into human rights violations by Army.
  • [Sep 5] James Hadley, Forbes, Cybersecurity Frameworks: Not just for bits and bytes, but flesh and blood too.
  • [Sep 5] MR Subramani, Swarajya Magazine, Question at heart of TN’s ‘WhatsApp traceability case’: Are you endangering national security if you don’t link your social media account with Aadhaar? 
  • [ Sep 5] Justin Sherman, Wired, Cold War Analogies are Warping Tech Policy.
  • [Sep 6] Nishtha Gautam, The Quint, Peer pressure, militant threats enforcing civil curfew in Kashmir?
  • [Sep 6] Harsh V Pant and Kartik Bommakanti, Foreign Policy, Modi reimagines the Indian military.
  • [Sep 6] Shuman Rana, Business Standard, Free speech in the crosshairs.
  • [Sep 6] David Gokhshtein, Forbes, Thoughts on American Crypto Regulation: Considering the Pros and Cons.
  • [Sep 6] Krishan Pratap Singh, NDTV Opinion, How to read Modi Government’s stand on Kashmir.
  • [Sep 7] MK Bhadrakumar, Mainstream Weekly, The Big Five on Kashmir.
  • [Sep 7] Greg Ness, Security Boulevard, The Digital Cyber Security Paradox.
  • [Sep 8] Lt. Gen. DS Hoods, Times of India, Here’s how to take forward the national security strategy.
  • [Sep 8] Smita Aggarwal, Livemint, India’s unique public digital platforms to further inclusion, empowerment. 

[July 1-July 8] CCG’s Week in Review: Curated News in Information Law and Policy

The Union Budget for 2019-2020 brought with it a boost for using Aadhaar to file I-T returns amid escalating privacy concerns, but disappointed those hoping for larger allocations to modernisation of the armed forces. As the uncertainty over Huawei’s inclusion in 5G trials continues — presenting this week’s most important developments in law and tech.

Aadhaar

  • [July 4] Aadhaar bill seeking its use as ID to open bank account passes in Lok Sabha, India today report.
  • [July 4] UIDAI sets up first Aadhaar centres in Delhi and Vijayawada, to set up 114 more centres in 2019, Medianama report.
  • [July 5] Aadhaar ordinance: SC asks Centre, UIDAI to respond to writ petition, The Hindu report; The Economic Times report; Medianma report.
  • [July 6] Budget eases criteria of obtaining Aadhaar for NRIs with Indian passport, Business Standard report.
  • [July 6] Budget 2019 proposes to make PAN, Aadhaar interchangeable; soon you can file ITR using either of these, The Economic Times report.
  • [July 6] J&K Government approves Aadhaar linked payment mode for disbursal of pension, Business Standard report.
  • [July 7] Economic survey has based Aadhaar impact on MGNREGS on false assumptions, say researchers, The Hindu report.
  • [July 8] I-T to allot PAN to those filing returns only with Aadhaar, Live Mint report.

Internet Shutdowns

  • [July 2] India saw 11 internet shutdowns in June, 59 so far in 2019, Medianama report.
  • [July 4] Internet services in Jaipur set to resume today; parts of the city had been offline after rape of minor, Medianama report.
  • [July 4] Facebook, Instagram and WhatsApp back after 8-hour outage that left users unable to upload photos, videos, Medianama report.
  • [July 5] Following communal violence, internet remains closed in Agra, India today report.

Free Speech

  • [July 3] Centre has no plans to scrap sedition law, Minister tells Rajya Sabha; The Hindu report.
  • [July 5] MDMK Chief vaiko convicted in sedition case, sentenced to one year imprisonment, The Hindu Business Line report.

Data Protection

  • [July 1] Data Protection Bill: MHA wants insulation for security agencies, The Tribune report.
  • [July 2] TikTok illegally collecting data received by China, claims Shashi Tharoor, News18 report.
  • [July 2] Tik Tok under investigation in the UK over children’s data use, The Guardian report.
  • [July 2] China’s new data protection scheme, The Diplomat report.
  • [July 3] Comprehensive legislation on data privacy under formulation: Ravi Shankar Prasad; The Economic Times report.
  • [July 4] Won’t allow abuse of Indian data by foreign powers or companies, says RS Prasad in Rajya Sabha , Medianama report.
  • [July 5] Govt needs to leverage data as public good to boost welfare of poor, Live Mint report.
  • [July 6] Economic Survey pushes for interlinking and selling citizens’ data for private purposes: Rethink Aadhaar, Money Life report.

Digital India

  • [July 4] Qualcomm India extends design challenge to MeitY supported startups, The Economic Times report.
  • [July 8] No incentive left for banks to push digital pay, fears fintech, ET Tech report.

Cryptocurrencies

  • [June 30] ‘Govt Screwed Us’ Crypto Startup Coin Recoil Founder Writes An Open Letter To PM. Inc42 report.
  • [July 2] Remaining crypto exchanges in India bet on global markets, ET Tech report.
  • [July 3] Bitcoin’s energy consumption ‘equals that of Switzerland’, BBC report.
  • [July 5] Indian authorities arrest 4 individuals accused of crypto ponzi scheme, Coin Telegraph report.
  • [July 5] US lawmakers tell Facebook to halt Libra as it risks undermining dollar and upending global financial system, Medianama report.
  • [July 7] New ECB boss Christine Lagarde made a serious Bitcoin warning, Forbes report.

Telecom/5G

  • [July 3] Samsung talks about its 5G solution, readiness to work with telecom operators in India, India Today report
  • [July 2] Samsung to ramp up Internet of Things business in India after 5G roll out, Times Now News reports

More on Huawei

  • [July 3] Despite Trump’s promised reprieve, Commerce Department tells staff to continue treating Huawei as blacklisted, Tech Crunch report.
  • [July 3] Indian companies supplying (US origin equipment)  to Huawei may face US sanctions: Govt, The Economic Times report.
  • [July 4] Donald trump eases off Huawei as forms discover holes in his export ban, The Economist’s analysis.
  • [July 4] India to decide on Huawei participation in 5G trial based on security and economic interests, The Economic Times report.
  • [July 5] Huawei disputes US cyber firm’s findings of flaws in gear, The Wall Street Journal report.
  • [July 6] Huawei employees linked to China’s military and intelligence, reports claim, Forbes report.
  • [July 6] Huawei is helping all the UK’s top carriers build their 5G networks, Engadget report.

Cybersecurity

  • [July 2] Air travel needs cybersecurity, now tighter than ever, Financial Express report.
  • [July 3] New Zealand updates its cybersecurity strategy, ZDNet report.
  • [July 3] Tech Mahindra, SSH to deploy cutting edge cybersecurity solutions to secure access control for enterprises, Dataquest India report.
  • [July 3] 25 Central, State govt websites hacked till May this year: Ravi Shankar Prasad; The economic Times report.
  • [July 5] Getting up to speed with AI and Cybersecurity, Tech radar explainer.
  • [July 5] The Biggest Cybersecurity Crises of 2019 so far, The Wired report.
  • [July 6] New ransomware named Sodin exploits Windows flaw identified by cybersecurity firm Kaspersky, The Indian Wire report.

Cyberwarfare

  • [July 3] Suspected Iranian Cyber Attacks Show No sign of slowing, Defense One report.
  • [July 4] Report: Pentagon should assume US satellites are already hacked, Defense One report.

Surveillance/ Tech and Law Enforcement

  • [July 1] NSAB comes up with traceability to help Whatsapp, Economic Times report
  • [July 2] China snares tourists’ phones in surveillance dragnet by adding secret app, The New York Times report; Wired report; The Guardian report.

Tech and Military

  • [July 1] Indian Air Force orders Russian-made anti-tank missiles for USD 29 million, Jane’s Defence Weekly report.
  • [July 1] Modi govt spent Rs. 2.37 lakh crore on modernisation of armed forces in 4 years, Business Today report.
  • [July 2] India’s defence budget has nearly doubled in 5 years but the money is not enough to upgrade the weapons. Business Insider report.
  • [July 4] Funds shrinking, Army wants budget 2019 to make special allowance for GST, customs duties, The Print report.
  • [July 5] Budget 2019: Experts feel not much to change for armed forces, The New Indian Express report.
  • [July 5] 0.01% – The increase in defence allocation from interim budget as modernisation put on hold, News18 report.
  • [July 5] Budget 2019: Defence gets duty exemption on imports, no big allocation, say experts, Financial Express report; The Hindu report.
  • [July 5] India outlines progress in ‘Strategic Partner’ projects, Jane’s Defense Weekly report.
  • [July 5] Defence Ministry approves Army Headquarters restructuring plans: Gen Bipin Rawat, Business Standard report.
  • [July 6] Army, Nation e-Governance Division ink pact for developing revamped app, Money Control report.
  • [July 6] MBDA, French Army team develop AI based automatic target recognition by imaging system, Defense World report.
  • [July 7] Indian Army to buy American howitzer ammo for long-range accurate strikes, The Economic Times report.
  • [July 8] DRDO carries out three successful Nag tests in one day in Pokhran, The Economic Times report.

Opinions and Analyses

  • [July 1] Abhijit Kumar Dutta, Money Control, 5G test run: Is barring Huawei a good idea? Probably not.
  • [July 1] Maahi Mayuri, Mondaq News Alerts, India: Data Localisation: What’s in it for us?
  • [July 2] Allie Funk, Wired, I opted out of facial recognition at the airport – it wasn’t easy.
  • [July 3] Times of India editorial, Don’t hug Huawei: Beware of allowing Chinese firms entry into India’s 5G market.
  • [July 3] Amol Agarwal, Money Control, Facebook’s Libra currency – will it rewrite the crypto playbook?
  • [July 3] Harsh V Pant and Kartik Bommakanti, Observer Research Foundation, India’s national security challenge.
  • [July 3] Manas Chakravarty, Money Control, Why the US is targeting Huawei.
  • [July 3] India’s response to China’s cyber attacks, The Diplomat’s analysis.
  • [July 3] Rohan Venkatramakrishnan, Scroll.in, Where is the personal data protection that Indian were promised? 
  • [July 3] Business Standard editorial comment, The crypto challenge. [paywall]
  • [July 5] Key tech related takeaways from Union Budget 2019-20, Medianama summary.
  • [July 5] Afiya Qureshi, Mashable India, Indian Government plans to monitor the internet through a centralized system: should we worry?
  • [July 5] Pravin Sawhney, The Wire, Defence Budget: Skewed ratio of allocations hurts India’s war preparedness.
  • [July 5] Debajit Sarkar, Financial Express, Budget 2019: There is a need to boost defense expenditure.
  • [July 6] Sounak Mukherjee, Money Control, TMC MP Mahua Moitra’s privacy concerns on Aadhaar stand tall against FM Nirmala Sitharaman’s Budget 2019 proposals,
  • [July 6] Ivan Mehta, The Next Web, India claims its Aadhaar push is for the ‘good’ of the people despite serious privacy concerns.
  • [July 6] Ilangovan Rajasekaran, Frontline, Conviction in sedition case will not affect Vaiko’s election to Rajya Sabha.
  • [July 7] Wired Opinion, How to protect our kids’ data and privacy.
  • [July 7] Sara Harrison, Wired, Twitter’s disinformation dumps are helpful – to a point.
  • [July 7] Lt. Gen. KJ Singh, Times of India (blog), Union Budget tells armed forces to cut the coat as per cloth.

India’s new Defence Cyber Agency

Recent developments in India’s space policy including Mission Shakti, India’s first anti-satellite weapon testing is indicative of the states growing concern into contemporary threats to the state; India is ranked among the 15 least cyber-secure countries in the world from the list of 60 countries. To this end, the Prime Minister announced the setting up of three new tri-service agencies, for Cyber Warfare, Space and Special Operations, at the Combined Commanders’ Conference in Jodhpur last year.

In this post we will mainly deal with the third tri-service agency, the Defence Cyber Agency, which is setup to work in conjunction with the National Cyber Security Advisor. Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its Tri-service nature means that it would include as many as 1000 personnel from all three branches, the Army, Navy and the Airforce. Rear Admiral Mohit Gupta has been appointed to be the first head of the DCA.

Current Legal Framework

The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cyber security, and those focusing on the military cyber security.

The National Cyber Security Policy was adopted by the Government of India in 2013 to ensure a secure and resilient cyberspace for citizens, businesses and the government. This policy was launched to integrate all the initiatives in the area of Cyber Security and to tackle the fast-changing nature of cybercrimes. Initiatives such as setting-up the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC), and creating sector specific Computer Emergency Response Teams (CERT) were implemented under the policy.

The Indian Computer Emergency Response Team (CERT) is an office within the Ministry of Electronics and Information Technology. It is the national nodal agency for responding to computer security incidents as and when they occur. It deals with mostly civilian threats by issuing guidelines, vulnerability notes, and whitepapers relating to security practices as well as providing a point of contact for reporting local problems.

Cyber-Security concerns in India

The 2019 Global Risk Report highlights India’s history of malicious cyber-attacks and lax cybersecurity protocols which led to massive breaches of personal information in 2018. It also specifically mentions the government ID database, Aadhaar, which has reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that individuals were selling access to the database at a rate of 500 rupees for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.

The Digital India initiative has resulted in a boom in the internet usage in the country. However, due to the lack of proper security protocols in place, there have been an estimated 700 hacks into state and central governments websites, as was reported in Lok Sabha. Additionally, in January of 2017, the National Security Guard page was hacked by suspected Pakistan based operatives who then went on to post anti-India content on it. The need to prevent such attacks on Indian websites has been a matter of debate since 2016, following the hack of the IRCTC website.

While some aspects of cyber security are easy to classify, such as the breach of IRCTC being a civilian breach and hacking the website of the National Security Guard being a military breach, other potential cyber threats could fall within a grey area.

Defence Cyber Agency

The lacuna which the Defence Cyber Agency seeks to fill, exists in the realm of military cyber security. It is currently governed by the Defence Intelligence Agency (DIA) which operates under direct control of Ministry of Defence and focuses on the international offensive and defensive capabilities of the state. It is the nodal agency for all defence related intelligence.

The formation of the Defence Cyber Agency, is supposedly meant to combat the current threat of foreign hackers from nations such as China or Pakistan, who could attack India’s digital infrastructure using Cyber warfare. The new agency could potentially set up the roadmap for the future of India’s cyber security specifically, by combating threats made to military targets.

A common feature of many military agencies is the lack of legislative clarity; in the absence of a clear and coherent policy document or a parliamentary enactment to this effect, the parameters on which the domain of ‘military cyber security’ is demarcated remain unclear. The definition of ‘military’ in this case could potentially be based on the nature of the target (IRCTC hack vs. NSG hack) the origin of the threat (geographical location or the nationality of the perpetrator) or even the source of the threat (China/Pakistan or amateur domestic hackers). 

The Agency is expected to follow a decentralized structure where the bulk of the agency will be focused into smaller teams, spread around the country, with the command center in Delhi. It also aims at putting dedicated officers in major headquarters of the tri-forces to deal with emerging cyber security issues.

One of the main takeaways from the setting up of this agency is the inter-service cooperation between the Army, Navy and the Airforce. The move is also in keeping with the Joint Training Doctrine Indian Armed Forces, of 2017, which seeks to foster ‘Synergy’ and ‘Integration’ amongst the three Services and other stake-holders leading to an enhanced efficiency and optimum utilisation of resources.

Since the new agency will fall under the purview of the Ministry of Defence, the precise mandate and composition of the DCA are not clear at this point. After its formal inauguration, which is supposed to happen sometime this month, it is possible that people will have a better idea of the agency’s role and functions in maintaining India’s cyber defences.

A key issue, which has not been addressed so far remains the need to employ experts in the field of cyber-security. While the new agency is projected to employ over 1000 personnel from the three services, employing personnel with sufficient technical knowledge will be difficult, owing to a general lack of qualified personnel in this field. Additionally, with the boom in the cyber security market, the DCA would not only have to contend with private players in the domestic markets in attracting qualified talent, but also face stiff competition from international players in the scene.

In addition to setting up the DCA, it is also important that all three services take this opportunity to better train existing personnel in basic cyber security practices, including staff which is not specifically deployed to the DCA.

It is hoped that the formation of such an agency will not only improve India’s cyber security but also bolster its international reputation in terms of digital safety. The creation of this new agency highlights the weaponization of cyberspace as a tool of modern warfare, and also the importance of data and information sharing between the three services in order to better protect the nation.

Cyber Vandalism – Not an Act of War

By Shalini S

In September last year, a mutual cyber hacking marathon ensued between Indian and Pakistani hackers, who each hacked and defaced multiple government and private websites. The incident was triggered by a detected defacement of a Kerala government website which was attributed to a Pakistani hacker. Indian hackers and hacktivist groups retaliated by defacing multiple Pakistani government websites and making several others inaccessible. Media reports were quick to label these cyber vandalism exchanges as a cyber war between the two countries with headlines such as:

Hacking triggers cyber war on Pak websites

Hackathon of another kind: A ‘cyber war’ between India and Pakistan?

Indo- Pak Cyber War: Indian Hackers Deface Pakistani website

Hackers from India, Pakistan in full-blown online war

Cyber-war: Indian hackers hack 250+ Pakistani websites after attack on Kerala govt’s website

India and Pakistan seem to be at war; this time in cyberspace!

These headlines while raising public awareness about politically motivated cyber-attacks, were also misleading and patently wrong in terming the episode as cyber war. Other politically motivated cyber-attacks involving independent hackers have also been termed cyber war in the past. The incidents were noteworthy and raised several red flags about the vulnerability of official government websites and state of security of data contained therein. However, it certainly did not cross the threshold to be termed an ‘act of war’ or ‘cyber warfare’.

There are clear thresholds for an attack to qualify as an act of war and several scholars opine that the same standards apply on a virtual battleground. For instance, the US Strategic Command’s Cyber Warfare Lexicon’s definition of cyber warfare  envisions a military object (Page 8). The document also states that “not all cyber capabilities are weapons or potential weapons” (Page 9). The Tallinn Manual on the International Law Applicable to Cyber Warfare which identifies “laws of armed conflict that apply to cyberspace and delineates the limits and modalities of its application”, does not seek to regulate actions of individual hackers or groups of hackers. Susan Brenner, a cyber conflict specialist opines that cyber warfare is the use of cyberspace to achieve the same ends as conventional warfare[1] – “the conduct of military operations by virtual means”.[2]  However, other definitions allow scope to envision the participation of non-state actors in cyber warfare.[3]

Despite numerous attempts at defining and the lack of a clear consensus in existing definitions, ‘cyber war’ has a specific connotation. Most existing definitions of cyber warfare envisage the subversive use of cyber technologies by a nation-state in the conduct of a military operation.

Cyber-attacks are challenging to evolve specific definitions for and this make it difficult to categorize them. However, it is important to identify the exact nature of each attack, unambiguously define and  categorize cyber-attacks in order to formulate a proportional and appropriate policy response.

The issue of distinguishing cyber vandalism from cyber war was most notably raised in the aftermath of the Sony hack of 2014. President Obama had characterized the attack as an act of cyber vandalism, while others opined that it was an act of terrorism or act of warfare albeit perpetuated virtually. The characterization of that particular attack on Sony has been shifting with allegations of the incident being a state-sponsored act. Regardless, it remains that the consequence of classification of any cyber-attack carries its own implications for the formulation of a response policy and thus it must also be accurately communicated to the public and policy makers.

It is clear that the above-described incident of mutual defacement of websites by hackers and hacktivist groups, falls short of qualifying as a cyber war on many counts. There is no indication of the attacks being sponsored by the Indian or Pakistani state. Evidently, it was also not carried out in the furtherance of a military objective. The target of the primary attack, an official government website is not critical information infrastructure and the nature and severity of the attack was fairly minimal. Thus, the act and the subsequent retaliation do not qualify as acts of cyber war and can only be characterized as ‘cyber vandalism’.

Cyber vandalism is the digital equivalent of conventional vandalism wherein legitimate content of a website will be made unavailable or replaced. As advanced cyber capabilities are within the reach of even non-state actors, attacks of this nature might be a frequent occurrence in the future. It is vital then to evolve appropriate legal and policy responses to effectively deal with individuals, hacktivist and organized groups that indulge in cyber vandalism.

The rules of cyber war are still nascent but the Tallinn Manual sheds light on the form that law might take on regulating acts of such nature. The international community is bound to arrive at a consensus on the definitions and clear demarcations of acts of warfare, terrorism, vandalism and espionage in the cyberspace. In the meantime, there must be a concerted effort to understand these new-age operations and evolve better classifications that aids policy formulation on these issues.

[1] Susan W. Brenner, Cybercrime, cyberterrorism and cyberwarfare, 77 Revue internationale de droit pénal 453 (2006) at Para 45, https://www.cairn.info/revue-internationale-de-droit-penal-2006-3-page-453.htm#no33.

[2] Susan Brenner, At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 Journal of Criminal Law and Criminology (2007) at Page 401, http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7260&context=jclc.

[3] Nicolò Bussolati, The Rise of Non-State Actors in Cyberwarfare (2015).

Tallinn Manual 1.0 – A Primer

By Shalini S

The Tallinn Manual[1], is an elaborate, academic body of work that examines the applicability of international law to cyber conflicts.  The Manual was prepared by an International Group of Experts (a group of independent international law scholars and practitioners) at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. The Centre tasked the group of experts with producing a ‘manual on the law governing cyber warfare’.

Object of Creation

Presumably, the basis for curating such a manual is a common understanding amongst scholars that international law as it exists, does undeniably apply to cyberspace.[2]  However, efforts must be directed towards determining precisely how it applies, a view also endorsed by UN Group of Government Experts (UNGGE) in the field of IT.[3] Recognizing cyberspace as a viable battlefield (with states developing cyber offensive capabilities), also presumes that computer network attacks may be governed by International Humanitarian Law in the same manner that traditional weapons are regulated.[4]

The primary objective of the authors of the manual was to identify laws of armed conflict that apply to cyberspace and delineate the limits and modalities of its application. The manual which is designed as a reference tools for policymakers to build on, principally focuses on jus ad bellum[5] and jus in bello in cyberspace.[6] The book is divided into black-letter rules, products of consensus and unanimity among the authors. It also contains accompanying commentary that indicate the rules’ legal basis, applicability in international and non-international armed conflicts, and normative content. Outlined also, are conflicting or differing positions among the Experts as to the rules’ scope or interpretation.[7]

The manual examines the proper conduct of hostilities in cyberspace to minimize unnecessary harm by assessing below-mentioned critical areas:[8]

“1. What constitutes direct participation in hostilities, thereby delineating what civilians can (and cannot do) with respect to military cyber operations;

  1. What types of cyber events can constitute “attacks,” including those affecting computer functionality;
  2. How the principle of neutrality applies to cyber operations;
  3. Whether and how entities deserving special protections under the LOAC, e.g., the Red Cross, must identify themselves in cyberspace;
  4. How to treat non-state actor cyber operations and incidents.”

While the manual itself only offers guidelines to append analogies from established international law principles to cyber conflicts, it has sometimes been understood (in the absence of an overriding caveat to the contrary effect) to encourage hostile or military use of information and communications technology – an invitation to cyber war.[9]

Criticism

The definition of cyber-attack as laid down in the manual has often been criticized for its narrow understanding.[10] While this is attributable to the high threshold to be met by an act to constitute ‘armed conflict’ in international law,[11] the manual fails to clarify the implications of attacks that cause consequential harm, impair functionality without causing physical damage and target physical infrastructure that relies on computer systems.[12] Questions abound on the relationship between cyber warfare operations and lawful self defence.[13] Understandably, scholars opine that cyber warfare poses unique challenges to contemporary jus ad bellum– the body of law governing legitimate use of force.[14] It is also difficult to ‘attribute’ wrongful acts commissioned by states in the existing framework of international law.[15] Uncertainty over applicability of decisions of landmark cases such as the Nicaragua case[16] that decided issues of attribution and state responsibility, to cyberspace is also a cause for concern.[17]

Further, the absence of an international cyberspace law or a cyber security treaty is the most evident limitation on achieving international regulation in cyber space. Consequently, the Tallinn manual which is a non-binding body of personal opinions has been criticized for being premature and undesirable when no universally acceptable cyber security norms exist.[18] Despite the criticism leveled against it, academic collaboration akin to the one that resulted in the publication of the Tallinn Manual is necessary alongside policy deliberations to consider the exact application of international law to conflicts in cyberspace.

Way Forward

The Tallinn Manual 1.0 attempted to “delineate the threshold dividing cyber war from cybercrime and formalize international rules of engagement in cyber space”.[19] It did so by laying down 95 ‘black-letter rules’, focused on codifying principles applicable to cyber-attacks that qualified as armed conflict, an effort that needs to be continued.  Thus, the second iteration to the Tallinn Manual, the Tallinn Manual 2.0, aims to explore peacetime principles[20] such as sovereignty, jurisdiction, state responsibility and intervention in the context of borderless cyberspace.

With the International Court of Justice confirming[21] that use of force provisions in the UN charter apply regardless of the weapon used,[22] customary international law assumes a prominent position in construction of a safer cyber landscape and must be deliberately studied. The NATO Cooperative Cyber Defence Centre of Excellence has in the past, specifically requested cooperation from India to counter growing cyber threats.[23] India must be invested in building international cyber security cooperation and participate in any future negotiations that seek to formulate cyber warfare regulations.

Read more:

  1. What constitutes “attack” in the cyberspace: http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (Page 35-37)
  2. Contextualizing Tallinn Manual’s definition of “attack”: http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace
  3. US policy on cyber warfare (though not related to the manual, makes for an informative read on how States employ International Law in cyberspace): http://www.state.gov/s/l/releases/remarks/197924.htm

[1] Michael N Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press) (2013)

[2] Jacques Hartmann, The Law of Armed Conflict: International Humanitarian Law in War, 80 Nordic Journal of International Law 121-123 (2011)

[3]International Telecommunication Union & World Federation of Scientists, The Quest For Cyber Confidence (2014), http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.02-1-2014-PDF-E.pdf (last visited Aug 24, 2015)

[4] Knut Dörmann, Computer network attack and International Humanitarian Law, Cambridge Review of International Affairs (2001)

[5] The law governing the use of force comprises of the 1899 and 1907 Hague Conventions, the 4 Geneva Conventions supplemented by Additional Protocols of 1977, as well as customary law and State practice

[6]EJIL: Talk! – The Tallinn Manual on the International Law applicable to Cyber Warfare Ejiltalk.org, http://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/ (last visited Aug 24, 2015)

[7]Id.

[8]A Call to Cyber Norms Discussions at the Harvard-MIT–University of Toronto Cyber Norms Workshops, 2O11 and 2O12, https://www.americanbar.org/content/dam/aba/uncategorized/GAO/2015apr14_acalltocybernorms.authcheckdam.pdf (last visited Aug 24, 2015)

[9] Supra N. 3

[10] Incoming: What Is a Cyber Attack? SIGNAL Magazine, http://www.afcea.org/content/?q=incoming-what-cyber-attack (last visited Aug 25, 2015)

[11]Kilovaty, Ido. “Cyber Warfare and the Jus Ad Bellum Challenges: Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare.” National Security Law Brief 5, no. 1 (2014): 91-124.

[12] Michael J. Norris, The Law of Attack in Cyberspace: Considering the Tallinn Manual’s Definition of ‘Attack’ in the Digital Battlespace, 5 Student Pulse (2013), http://www.studentpulse.com/articles/775/the-law-of-attack-in-cyberspace-considering-the-tallinn-manuals-definition-of-attack-in-the-digital-battlespace (last visited Aug 25, 2015)

[13] Ibid.

[14]Reese Nguyen, Navigating Jus Ad Bellum in the Age of Cyber Warfare, 101 Cal. L. Rev. 1079 (2013). Available at: http://scholarship.law.berkeley.edu/californialawreview/vol101/iss4/4

[15] The Attribution Problem in Cyber Attacks – InfoSec Resources, http://resources.infosecinstitute.com/attribution-problem-in-cyber-attacks/ (last visited Aug 25, 2015)

[16] Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v. United States of America); Merits, International Court of Justice (ICJ), 27 June 1986, available at: http://www.refworld.org/docid/4023a44d2.html [accessed 25 August 2015]

[17] Peter Margulies, Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility, 14 Melbourne Journal of International Law (2013), http://www.austlii.edu.au/au/journals/MelbJIL/2013/16.html (last visited Aug 25, 2015)

[18]Is The Tallinn Manual On The International Law Applicable To International Cyber Warfare Attacks And Defence | Centre Of Excellence For Cyber Security Research And Development In India (CECSRDI) Perry4law.org, http://perry4law.org/cecsrdi/?p=453 (last visited Aug 24, 2015)

[19] D. Fleck, Searching for International Rules Applicable to Cyber Warfare–A Critical First Assessment of the New Tallinn Manual, 18 Journal of Conflict and Security Law 331-351 (2013)

[20]Tallinn 2.0: cyberspace and the law Aspistrategist.org.au, http://www.aspistrategist.org.au/tallinn-2-0-cyberspace-and-the-law/ (last visited Aug 24, 2015)

[21] Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, I.C.J. Reports 1996, p. 226, International Court of Justice (ICJ), 8 July 1996, available at: http://www.refworld.org/docid/4b2913d62.html [accessed 25 August 2015]

[22] Michael Schmitt, Cyberspace and International Law: Penumbral Mist of Uncertainty, 126 Harvard Law Review (2012)

[23] The Hindustan Times, Help counter cyber threats from China: NATO to India, 2011, http://www.hindustantimes.com/world-news/help-counter-cyber-threats-from-china-nato-to-india/article1-743664.aspx (last visited Aug 24, 2015)

Indian hackers, Anonymous and #OpISIS: The grey area of online vigilantism

By Shalini S

The post originally appeared in Scroll.in on 29th November 2015.

While hacktivists help limit the presence and effect of militant groups online, their operations are marred by legal, ethical and privacy concerns.

article-afhcxhrzyj-1448713203

Photo: Roslan Rahman/ AFP

The Islamic State of Iraq and Syria, better known as ISIS, has been receiving increasing attention, particularly after the recent Paris attacks, and the sporadic news that the militant group was trying to recruit Indian youth through social media. The recent news about some Indian hackers joining Anonymous – a loosely connected international network of activist and “hacktivist” entities around the world – in its cyber operation, #OpISIS, against ISIS’ online presence, was widely celebrated.

In an operation called #OpParis launched under the umbrella of #OpISIS, Anonymous and other hacktivist groups such as CtrlSec and GhostSec directly attacked ISIS’ presence on internet platforms to diminish its online following, disrupt its recruitment drives, and inhibit its dissemination of extremist propaganda.

While Anonymous has been widely lauded for #OpISIS, the operation, much like the collective, is marred by legal and ethical ambiguities. In limiting the presence and effect of extremist groups online, the operations of collectives like Anonymous may become indispensable to law enforcement. However, there is currently a lack of engagement on the possibility of constructively employing the abilities of such unregulated groups within a legally permissible framework.

It is interesting to note how Indian hacktivists are extending advanced technical cooperation to aid the numerous strategies employed by Anonymous to cripple the general outreach of ISIS. Multiple news reports have suggested that Anonymous and other hacktivist groups associated with #OpISIS, are themselves taking down ISIS’ social media accounts. However, this is not accurate as members of Anonymous only monitor social media platforms, identify accounts of ISIS members and recruiters, and report them to the social networking service for suspension.

Legal and strategic issues

Most social networking sites have amended policies to account for increasing social media presence of terror organisations. They suspend user accounts hosting content that “promotes terrorism”. However, these platforms cannot conceivably monitor each account and so allow individual users to report accounts that violate their policies.

To guarantee takedown through increased reporting, Anonymous is also releasing lists of identified accounts publicly and urging other users to report them. Even though new accounts can be opened easily, suspension of existing accounts that have amassed sizeable followers derails ISIS’ social media recruitment drives. While #OpISIS is arguably aiding law enforcement and social networks by ensuring the implementation of existing policies by vehemently flagging violators, experts on Nato, the intergovernmental military alliance, suggest that the operation is a hindrance to the strategised tracking of terrorists by intelligence agencies.

In addition to reporting accounts that share extremist content, Anonymous and its associate hacktivist groups are also attempting to cripple the reach of extremist websites by launching distributed denial-of-service – better known as DDOS – attacks, against them. Such attacks flood the servers of the targeted website beyond capacity with malicious traffic, making it unavailable for public viewing. As this effectively leads to unregulated censorship of online content, it is illegal in most countries. Even in countries that allow blocking and delisting of websites that engage in digital terror propaganda, only internet service providers are commonly allowed to block websites on the request or order of an administrative or judicial authority.

Indian hackers that are aiding Anonymous have also launched DDOS attacks against websites hosting extremist content. To foil future attacks, they are also tracking and spying on personal chats of suspected members and recruiters of extremist groups. Additionally, Indian hacktivists are also engaged in the illegal act of spreading spyware to track the location of suspected ISIS associates. While this monitoring by hacktivists groups may intend to aid law enforcement, it is patently illegal and therefore, principally problematic. Thus, it is critically important to examine how hacktivist cooperation in such operations can be formally endorsed or they must be subjected to regulation of some manner.

Privacy concerns

The most problematic part of Anonymous’ operation is the leaking of personal information of suspected members or recruiters of ISIS, illegally obtained by hacking personal accounts. Evidently, the hacktivist group is engaged in the illegal act of gaining unauthorised access to private user information. Further, a publication of such personal information by non-law enforcement entities is a possible infringement of privacy rights of these individuals.

Even if public interest is cited in justifying the act, we must be mindful that Anonymous is not infallible and has mistakenly identified innocent people as extremists in the past. Considering the nature of the imputed allegations and plausible repercussions, the publication of personal information of suspected extremists must be viewed more seriously. Personal information that Anonymous gained access to is certainly valuable, but must be verified independently by law enforcement authorities.

Law of the land

Hacktivist attacks are generally distinguished from cybercriminal activity as they are often employed to voice civil protest and therefore considered morally defensible. But the law recognises no such distinction and some parts of Anonymous’ operation falls outside the purview of legal permissibility. The effect of employing extra-legal means (described above) to censor extremist content and presence online must be necessarily examined to construct an informed response.

The organisational structure of Anonymous, which lacks a central command and definitive membership, makes it near-impossible to correctly pursue action against verifiable members, if deemed necessary. Regardless, it is important to realise that the impact of our response to Anonymous’ operation today is bound to shape the manner in which hacktivism is construed tomorrow.

With extremist organisations pushing their agenda online, there is a growing need to formally streamline expertise of these individuals and collectives, who have hitherto worked outside the scope of the law. They can be urged to inform larger campaigns against terror groups by working with intelligence agencies instead of operating separately.

Newer reports have claimed that a separate hacker group is engaged in identifying accounts associated with digital currency platform Bitcoin of suspected terror affiliates in order to potentially hamper their financial transactions. Such unconventional engagement in anti-terror programs might even prove beneficial in inhibiting terror organisations’ access and control of financial and physical resources. Nevertheless, we must remain cautious in our reaction to acts of such unorganised groups, as it is likely to shape both the future treatment of hacktivism and the fight against terrorism.