About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal.
Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.
In the present essay, the author reflects upon the following question:
According to Luttwak, “The entire realm of strategy is pervaded by a paradoxical logic very different from the ordinary ‘linear’ logic by which we live in all other spheres of life” (at p. 2). Can you explain the relationship between technological developments and the conduct of war through the lens of this paradoxical logic?
Introducing Luttwak’s Paradoxical Logic of Strategy
While weakness invites the threat of attack, technologically advanced nations that invest substantially in better military technology and R&D and are capable of retaliation have the power to persuade weaker nations engaged in war to disengage or face consequences. Initiating his discussion on the paradox of war, Luttwak mentions the famous Roman maxim si vis pacem, para bellum, which translates to – if you want peace, prepare for war. Simply understood, readiness to fight can ensure peace. He takes the example of the Cold War to discuss the practicality of this paradoxical proposition. Countries that spend large resources in acquiring and maintaining nuclear weapons resolve to deter from first use. Readiness at all times to retaliate against an attack is a good defensive stance as it showcases peaceful intent while discouraging attacks altogether. An act of developing anti-nuclear defensive technology – by which a nation waging war may be able to conduct a nuclear attack and defend itself upon retaliation – showcases provocativeness on its part.
The presence of nuclear weapons, which cause large scale destruction, has helped avoid any instance of global war since 1945. This is despite prolonged periods of tensions between many nations across the globe. Nuclear weapons are an important reason for the maintenance of international peace. This is observable with India and its border disputes with China and Pakistan where conflicts have been frequent and extremely tense leading to many deaths. Yet these issues have not escalated to large scale or a full-fledged war because of an awareness across all parties that the other has sufficient means to engage in war and shall be willing to use the means when push comes to shove.
Using the example of standardisation of antiaircraft missiles, Luttwak points out that “in war a competent enemy will be able to identify the weapon’s equally homogeneous performance boundaries and then proceed to evade interception by transcending those boundaries… what is true of anti aircraft missiles is just as true of any other machine of war that must function in direct interaction with reacting enemy – that is, the vast majority of weapons.”
The five levels of strategy as traced by Luttwak are:
1. Technical interplay of specific weapons and counter-weapons.
2. Tactical combat of the forces that employ those particular weapons.
3. Operational level that governs the consequences of what is done and not done tactically.
4. Higher level of theatre strategy, where the consequences of stand alone operations are felt in the overall conduct of offence and defence.
5. The highest level of grand strategy, where military activities take place within the broader context of international politics, domestic governance, economic activity, and related ancillaries.
These five levels of strategy create a defined hierarchy but outcomes are not simply imposed in a one-way transmission from top to bottom. These levels of strategy interact with one another in a two-way process. In this way, strategy has two dimensions: the vertical dimension and the horizontal dimension. The vertical dimension comprises the different levels that interact with one another; and the horizontal dimension comprises the dynamic logic that unfolds concurrently within each level.
Situating Technological Advancements Within Luttwak’s Levels of Strategy
In the application of paradoxical logic at the highest level of grand strategy, we observe that breakthrough technological developments only provide an incremental benefit for a short period of time. The problem with technological advancement giving advantage to one participant in war is that this advantage is only initial and short-lasting. In discussing the development of efficient technology, Luttwak gives the example of the use of torpedo boats in warfare, which was a narrow technological specialisation with high efficiency. Marginal technological advancements of pre-existing technology are commonplace in militaries. The torpedo naval ship was a highly specialised weapon, i.e. a breakthrough technological development which was capable of causing more damage to larger battleships by attacking enemy ships with explosive spar torpedoes. The problem with such concentrated technology is that it is vulnerable to countermeasures. The torpedo boats were very effective in their early use but were quickly met with the countermeasure of torpedo boat destroyers designed specially to destroy torpedo boats. This initial efficiency and technical advantage and its ultimate vulnerability to countermeasures is the expression of paradoxical logic in its dynamic form.
When the opponent uses narrowly incremental technology to cause damage to more expensive and larger, costlier weapons, in the hopes of causing a surprise attack with the newly developed weapon, a reactionary increment in one’s weaponry is enough to neutralise the effects of such innovative technologically advanced weapon(s). The technological developments which have the effect of paradoxical conduct in surprising the opponent and finding them unprepared to respond in events of attacks can be easily overcome due to their narrowly specialised nature. Such narrowly specialised new technology is not equipped to accommodate broad counter-countermeasures and hence the element of surprise attached with such incremental technology can be nullified. These reciprocal force-development effects of acts against torpedo-like weapons make the responding party’s defence stronger by increasing their ability to fight and neutralise specialty weapons. Luttwak observed a similar response to the development of anti-tank missiles, which was countered by having infantry accompany tanks.
Conclusion
The aforementioned forces create a distinctly homogenous and cyclical process which spans the development of technology for military purposes, and concomitant countermeasures. In the same breath, one side’s reactionary measure also reaches a culmination point and can be vulnerable to newer technical advancement for executing surprise attacks. Resources get wasted in responding to a deliberate offensive action in which the offensive side may be aware of defensive capabilities and is just aiming to drain resources and cause initial shock. This can initiate another cycle of the dynamic paradoxical strategy. Within the scheme of the grand strategy, what look like deadly and cheap wonder weapons at the technical level fail due to the existence of an active thinking opponent. These opponents can deploy their own will to engage in response strategies and that can serve as a dent to the initial strategic assumptions and logic.
In summary, a disadvantage at the technical level can sometimes also be overcome at the tactical level of grand strategy. Paradoxical logic is present in war and strategy, and use of technology in conduct of war also observes the dynamic interplay of paradoxical logic. Modern States have pursued technological advancements in ICT domains and this has increased their dependence on high-end cyber networks for communication, storage of information etc. Enemy States or third parties that may not be equipped with equally strong manpower or ammunition for effective adversarial action may adopt tactical methods of warfare by introducing malware into the network systems of a State’s critical infrastructure of intelligence, research facilities or stock markets which are vulnerable to cyber-attacks and where States’ inability in attribution of liability may pose additional problems.
*Views expressed in the blog are personal and should not be attributed to the institution.
About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal.
Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question:
Edward Luttwak critiques Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of ‘strategy’. Do you agree with this assessment? Why/ why not?
Introduction to Luttwak
Edward Luttwak in his book Strategy: The Logic of War and Peace discusses the conscious use of paradox versus the use of linear logical and straightforward military tactics as means of strategy of war. According to Luttwak, strategy unfolds in two dimensions i.e. the vertical and the horizontal dimensions.
The vertical dimension of strategy deals with the different levels of conflict. Among others his work considers the technical aspect, the operational aspects, the tactical as well as strategic ones. The horizontal dimension of strategy is the one involving dealing with an adversary i.e. the opponent whose moves we seek to reverse and deflect.
A grand strategy is a confluence of the military interactions that flow up and down level by level, forming strategy’s vertical dimension, with the varied external relations among states forming strategy’s horizontal dimension.
While discussing the paradoxes inherent in war, he mentions the famous Latin maxim si vis pacem, para bellum which translates to – if you want peace, prepare for war. Simply understood, readiness to fight can ensure peace (Emphasis added). He says that situations of conflict tend to reward paradoxical logic of strategy which leads to lethal damage sometimes in defying straightforward logical action.
“Art of War” by Nuno Barreto. Licensed under CC BY-SA 2.0
Critiquing Luttwak’s Assessment of Sun Tzu’s Art of War
Sun Tzu’s military treatise the Art of War comprises chapter-wise lessons and basic principles discussing key war subject matters like laying plans, logistics of waging war, importance of a military general, the requirement of deception in war, resources, surprise attack, attack by stratagem, tactical dispositions, knowing the strength of one’s army in opposition to the other and attacking accordingly, preparedness for surprise, political non-interference in war chain of command, defense, quick and decisive attack, seeking victory as opposed to battle, use of energy to one’s advantage, managing the army, strengths and weaknesses, arrival on battle ground, opponent’s weakness, significance of secrecy and identifying weak places and attacking those. Secrecy and deception are crucial tactics of war for Sun Tzu, who on one hand goes so far as to say that all war is based on deception.
Luttwak, on the other hand, finds deception and secrecy to be costly plans in armed conflicts. He discusses the Normandy surprise attack and Pearl Harbor raid. The diversion created to mislead the opponent involves costs and diverts valuable resources when engaging in paradoxical action and maintaining secrecy of the actual plan of action, but he fails to acknowledge the success of these operations. Luttwak also fails to provide alternatives to those strategies which showcase a desirable end achievable by other better replaceable means, especially when deceptions proved effective.
In the example of the 1943 battle of Kursk, Luttwak himself negates his earlier claims of high-risk uncertain war tactics being more harmful than useful, by highlighting Stalin’s trust in the intelligence information received about the German attack. The Soviet leader, on deliberation, decided to take a defensive stance in the battle, giving the German forces an initial offensive advantage. But this defensive measure was taken to draw the Germans into a trap and to destroy their armors creating conditions for an effective counteroffensive by the Soviet army. The Chinese general’s principles of knowing one’s enemy favored the Russian leader immensely. Having a well-equipped and robust army, he ordered his men to surround and attack the Germans, giving effect to Sun Tzu’s principles. Luttwak seems stuck on the strategy of surprise attacking the weakest zone of the opponent while forgoing other lessons from Sun Tzu’s work on intelligence, importance of spies and knowing one’s enemies as well as we know ourselves.
In Luttwak’s view, operational risks and the incidence of friction will ultimately affect the combat by reducing effectiveness of manpower or resources. But when parties waging war are not on an equal footing of resources and manpower and combat risk is already high, operational risks may prove to be better chosen risks as compared to combat risks when outnumbered by the enemy’s weaponry and manpower. Meeting an opponent with equal strength and resources may be more common nowadays than it was in ancient times, and here is where Sun Tzu’s principles lose some contemporary application. But a dismissal of his principles as cheap tricks remains extreme.
The Role of Diplomatic Engagement: A Blind Spot in the Art of War?
Luttwak emphasizes strategy involving the existence of an adversary and recognizing the existence of another in one’s plan of war, and postulates that the Chinese system now or historically does not engage in this. The Chinese do not look into the enemy and decide their own actions in isolation. He alleges lack of diplomacy in its historical events due to the geography which minimized interaction between kingdoms. His argument is that the Art of War was composed in the backdrop of Chinese culture that flourished with jungles to the south, protected by the sea towards east, thinly populated areas of Tibet to its west and an empty northern border which was the entryway for infrequent invasions.
According to Luttwak, intra-cultural conflict between kingdoms in this isolated culture hindered the advent of diplomacy in Chinese culture. Conversely, in Europe, the interaction between sovereign states arguably made strategies and elaborate planning a necessity. Adversarial logic is important for him in strategizing and in his opinion this was not present due to lack of third party intervention in China unlike Europe. He says Sun Tzu’s tactics work best intra-culturally because in dealing with foreigners, prediction becomes a more tedious and a less accurate task. But Sun Tzu himself stresses the knowledge of the enemy’s tactics to be an important aspect of strategy building by a general preparing for war. He has recognized the existence of an adversary and penned down military tactics that constitute the Art of War accordingly. The term ‘enemy’ in his treatise cannot be assumed to be exclusive of an enemy sovereign state.
Relevance of the Art of War in Modern Times
To Luttwak, Chinese geography did not facilitate diplomacy. But the researcher argues, geography plays an important role in strategizing as acting in accordance with terrain and natural forces is specific to the places. Sun Tzu’s ideas of utilizing the heaven (weather) and earth (terrain) to one’s advantage places importance on the geographical terrain and weather conditions in one’s favor. Principles cannot be dismissed as cheap tricks just because they were not formulated in the era of modern warfare between nation-states that are enabled by high technology, especially when these wars involve the existence of nuclear weapons and other high-tech means of warfare rather than mere low-tech close contact combat more prevalent in former times. Modern strategy promotes economic war rather than military wars. This may be the contextual limitation to the strict application of Sun Tzu’s principles in modern contexts. But reliance on infantry as a method of warfare is also resorted to in armed conflict and Sun Tzu’s writings cannot be held obsolete in this regard.
Sun Tzu promoted non-interference of the sovereign in the General’s command of war, so as to prevent confusion in the minds of troops with regard to the chain of command. Contemporary developments in international politics create a heavy political and bureaucratic influence on military strategy; and war and politics are intertwined so deeply in the relations of States that this aspect of Sun Tzu’s principles seems irrelevant. But to the extent that we are concerned with the ground level operational chain of command, it must still be vested in the capable hands of military strategists and commanders of forces with minimal interference by members of political parties even when in power.
The nature of national armed forces of sovereign states is such that the commanders are individuals of authority whose commands derive authority from their military ranks and because of their expertise in the ground realities of conflict. An established chain of command headed by experienced high ranking officials of a state’s military is pivotal for effective execution of war strategy.
Sun Tzu gave importance to secrecy and spying as important methods of maintaining information awareness in warfare. Modern day nation-states are diverting heavy funding to national intelligence agencies and keep the gathered information out of the general public’s knowledge. For example in India, as per section 24 of the Right to Information Act of 2005, the Intelligence Bureau and National Security Guard of the Ministry of Home Affairs of India are a few of the intelligence and security organizations that are exempted from the state’s duty to divulge information to the public. Military secrets and secret missions today are still as relevant as they were in Sun Tzu’s time or even during the World Wars.
Final Conclusion
Luttwak agrees that actions based on paradoxical logic have always been a prevalent military tactic and will continue to exist in the most competent military tactics even when straightforward logical tactics that avoid operational risks are favored for parties with great strength, power and number. He gives the example of Israeli armed forces whose actions became predictable and were intercepted by opponents appropriately. But Sun Tzu’s work provides for the use of a more direct attack when one is stronger than the opponent. He stressed the importance of non-repetition of surprise tactics so as to not make the enemy aware of such patterns that become predictable. Even in the case of deceptive attacks of a strong Israeli force, a straightforward logical attack was a digression from its common strategy of attacking weak points and can be taken to be an unanticipated move digressing from Israel’s general tactics.
A paradoxical action is not synonymous with an illogical action. In many strategies like that of the Viet Cong, a paradoxical action as opposed to a straightforward linear act is most suited to ascertain or increase the probability of winning.[1] In current times, the Art of War acts as an inspiration. It gives broader strategic principles rather than clever tricks, with its own set of limitations due to technological development and political relevance within war i.e. due to increased friction at vertical level due to variables (factors that were either unknown or avoidable in ancient times but are relevant now). Luttwak’s dismissal of the ancient text as clever tricks may be motivated because of the text being ancient or because of prejudice against eastern political systems by the west as barbaric but that certainly does not completely delete the influence of the Art of War as an important text on war and strategy.
* The views expressed in the blog are personal and should not be attributed to the institution.
References
[1] Luttwak, Edward N., Strategy: The Logic of War and Peace, The Belknap Press of Harvard University Press, 2001, pp. 13-15.
This post has been authored by Gunjan Chawla and Vagisha Srivastava
“The first thing we do, let’s kill all the lawyers,” says Shakespeare’s Dick the Butcher to Jack Cade, who leads fellow conspirators in the popular rebellion against Henry VI.
The same cliché may as well have been the opening line of Pukhraj Singh’s response to our last piece, which joins his earlier pieces heavily burdened with thinly veiled disdain for lawyers poking their noses into cyber operations. In his eagerness to establish code as law, he omits not only the universal professional courtesy of getting our names right, but also a basic background check on authors he so fervently critiques – only one of whom is in fact a lawyer and the other, an early career technologist.
In this final piece in our series on offensive cyber capabilities, we take exception to Singh’s misrepresentation of our work and hope to redirect the conversation back to the question raised by our first piece – what is the difference between ‘cyber weapons’ and offensive cyber capabilities, if any? Our readers may recall from our first piece in the series, Does India have offensive cyber capabilities, that Lt Gen Pant had, in an interview to Medianama, denied any intent on part of the Government of India to procure ‘cyber weapons’. However, certain amendments inserted in export control regulations by the DGFT suggested the presence of offensive cyber capabilities in India’s cyber ecosystem. Quoting Thomas Rid from Cyber War Will Not Take Place,
“these conceptual considerations are not introduced here as a scholarly gimmick. Indeed theory shouldn’t be left to scholars; theory needs to become personal knowledge, conceptual tools used to comprehend conflict, to prevail in it, or to prevent it.”
While lawyers and strategists working in the cyber policy domain admittedly still have a lot to learn from those with personal knowledge of the conduct of hostilities in cyberspace, deftly obscured by a labyrinth of regulations and rapidly changing rules of engagement, the question of nomenclature remains an important one. The primary reason for this is that the taxonomy of cyber operations has significant implications for the obligations incumbent on States and State actors under international as well as domestic law.
A chimeral critique
Singh’s most seriously mounted objection in his piece is to our assertion that ‘cyber capabilities’ and ‘cyber operations’ are not synonymous, just as ‘arms’ and ‘armed attack’, or ‘weapons’ and ‘war’ are distinct concepts. However, a wilful misunderstanding of our assertion that cyber capabilities and cyber operations are not interchangeable terms does not foster any deeper understanding of the legal or technical ingredients of a ‘cyber operation’–irrespective of whether it is offensive, defensive or exploitative in intent and design.
The central idea remains, that a capability is wielded with the intent of causing a particular effect (which may or may not be identical to the actual effect resulting from the cyber operation). A recent report by the Belfer Center at Harvard on a ‘National Cyber Power Index’, which views a nation’s cyber power as a function of its intent and capability, also seems to support this position. Certainly, the criteria and methodology of assessment remain open to debate and critique from academics as well as practitioners, and this debate needs to inform our legal position and strategic posture (again, the two are not synonymous) as to the legality of developing offensive cyber capabilities in international as well as domestic law.
Second, in finding at least one of us guilty of a ‘failure of imagination’, Singh steadfastly advocates the view that cyber (intelligence) operators like himself are better off unbounded by legal restraint of their technical prowess, functioning in a Hobbesian (virtual) reality where code is law and technological might makes right. It is thus unsurprising that Singh in what is by his own admission a ‘never to be published manuscript’, seems to favour practices normalized by the United States’ military doctrine, regardless of their dubious legality.
Third, in criticizing lawyers’ use of analogical reasoning—which to Singh, has become ‘the bane of cyber policy’—he conveniently forgets that for those of us who were neither born in the darkness of covert cyber ops, nor moulded by it, analogies are a key tool to understand unfamiliar concepts by drawing upon learnings from more familiar concepts. Indeed, it has even been argued that analogy is the core of human cognition.
Navigating a Taxing Taxonomy
Writing in 2012 with Peter McBurney, Rid postulates that cyber weapons may span a wide spectrum, from generic but low-potential tools to specific high potential weaponry – and may be viewed as a subset of ‘weapons’. In treating cyberweaponry as a subset of conventional weaponry, their underlying assumption is that the (cyber) weapon is being developed and/or deployed with ‘the aim of threatening or causing physical, functional or mental harm to structures, systems or living beings’. This also supports our assertion that intent is a key element to planning and launching a cyber operation, but not for the purposes of classifying a cyber operation as an ‘armed attack’ under international law. However, it is important to mention that Rid considers ‘cyber war’ as an extremely problematic and dangerous concept, one that is far narrower than the concept of ‘cyber weapons’.
Singh laments that without distinguishing between cyber techniques and effects, we fall into ‘a quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese’. He considers the OCOs/DCOs classification too ‘simplistic’ in comparison to the CNA/CND/CNE framework. Even if the technological underpinnings of cyber exploits (for intelligence gathering) and cyber attacks (for damage, disruption and denial) have not changed over the years, as Singh argues—the change in terminology/vocabulary cannot be attributed to ‘ideology’. This change is a function of a complete reorganization and restructuring of the American national security establishment to permit greater agility and freedom of action in rules of hostile engagement by the military in cyberspace.
Unless the law treats cognitive or psychological effects of cyber operations (e.g. those depicted in the Social Dilemma or the Great Hack, or even in doxing classified documents) as harm that is ‘comparable’ to physical damage/destruction, ‘cyber offence’ will not graduate to the status of a ‘cyber weapon’. For the time being, an erasure of the physical/psychological dichotomy appears extremely unlikely. If the Russian and Chinese playbook appears innovative in translating online activity to offline harm, it is because of an obvious conflation between a computer systems-centric cyber security model and the state-centric information security model that values guarding State secrets above all else, and benefits from denying one’s adversary the luxury of secrecy in State affairs.
The changing legal framework and as a corollary, the plethora of terminologies employed around the conduct of cyber operations by the United States run parallel to the evolving relationship between its intelligence agencies and military institutions.
The US Cyber Command (CYBERCOM) was first created in 2008, but was incubated for a long time by the NSA under a peculiar arrangement established in 2009, whereby the head of the NSA was also the head of the US CYBERCOM, with a view to leverage the vastly superior surveillance capabilities of the NSA at the time. This came to be known as a ‘dual-hat arrangement’, a moniker descriptive of the double role played by the same individual simultaneously heading an intelligence agency as well as a military command. Simply put, cyber infrastructure raised for the purposes of foreign surveillance and espionage was but a stepping stone to building cyber warfare capabilities. Through a presidential memorandum in 2017, President Trump directed the Secretary of Defense to establish the US Cyber Command as a Unified Combatant Command, elevating its status from a sub-unit of the US Strategic Command (STRATCOM).
An important aspect of the ‘restructuring’ we refer to is a pair of Presidential directives – one from 2012 and another from 2018. In October 2012, President Obama signed the Presidential Policy Directive-20, 2012 (PPD). It was classified as Top Secret at the time, but leaked by Ellen Nakashima of the Washington Post a month later. The PPD defined US cyber policy, including terms such as ‘Offensive Cyber Effects Operations’ (OCEO) and ‘Defensive Cyber Effects Operations’ (DCEO) and mandated that all cyber operations were to be executed with the explicit authorization from the President. In August 2018, Congress passed a military-authorization bill that delegated some cyber operations to be authorized by the Secretary of Defense. It is relevant that ‘clandestine military activity’ (covert operations) or operations in cyberspace are now considered a traditional military activity under this statute, bringing it under the DoD’s authority. The National Security Presidential Memorandum 13 (NSPM) on offensive cyber operations signed by President Trump around the same time, although not available in the public domain, has reportedly further eased procedural requirements for Presidential approval in certain cyber operations.
Thus, if we overcome apprehensions about the alleged ‘quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese,’ we can appreciate the crucial role played by these many terms in the formulation of clear operational directives. They serve an important role in the conduct of cyber operations by (1) delineating the chain of command for the conduct of military cyber operations for the purposes of domestic law and (2) bringing the conversation on cyber operations outside the don’t-ask-don’t-tell realm of ‘espionage’, enabling lawyers and strategists to opine on their legality and legitimacy, or lack thereof, as military operations for the purposes of international law – much to Singh’s apparent disappointment. To observers more closely acquainted with the US playbook on international law, the inverse is also true, where operational imperatives have necessitated a re-formulation of terms that may convey any sense of illegality or impropriety in military conduct (as opposed to the conduct of intelligence agencies, which is designed for ‘plausible deniability’ in case of an adverse outcome).
We relied on the latest (June 2020) version of JP 1-02 for the current definition of ‘offensive cyber operations’ in American warfighting doctrine. We can look to earlier versions of the DoD Dictionary to trace back the terms relevant to CNOs (including CNA, CNE and CND). This exercise makes it quite apparent that the contemporary terminologies and practices are all rooted in (covert) cyber intelligence operations, which the (American) law and policy around cyberspace bends backwards to accommodate and conceal. That leading scholars have recently sought to frame ‘cyber conflict as an intelligence contest’ further supports this position.
2001 to 2007 – ‘cyber counterintelligence’ as the only relevant military activity in cyberspace (even though a National Military Strategy for Cyberspace Operations existed in 2006)
2008 – US CYBERCOM created as a sub-unit of US STRATCOM
2009 – Dual Hat arrangement between NSA and CYBERCOM
2010 – US CYBERCOM achieves operational capability on May 21; CNA/CNE enter the DoD lexicon
2012 – PPD 20 issued by President Obama
2013 – JP 3-12 published as doctrinal guidance from the DoD to plan, execute and assess cyber operations
By 2016 – DoD dictionary defines ‘cyberspace operations’, DCOs, OCOs (but not cyberspace exploitation), relying on JP 3-12
2018 – NSPM 13 signed by President Trump
2020 – ‘cyberspace attack’, ‘cyberspace capability’, ‘cyberspace defence’, ‘cyberspace exploitation’, ‘cyberspace operations’, ‘cyberspace security’, ‘cybersecurity’ as well as OCOs/DCOs are defined terms in the Dictionary
Even as JP 3-12 remains an important document from the standpoint of military operations, reliance on this document is inapposite, even irrelevant for the purposes of agencies responsible for cyber intelligence operations. In fact, JP 3-12 is also not helpful to explain the whys and hows of the evolution in the DoD vocabulary. This is a handy guide to decode the seemingly cryptic numbering of DoD’s Joint Publications.
Waging Cyber War without Cyber ‘Weapons’?
It is relevant to mention that none of the documents referenced above, including JP 3-12, make any mention of the term ‘cyber weapon’. A 2010 memorandum from the Chairman of the Joint Chiefs of Staff, however, clearly identifies CNAs as a form of ‘offensive fire’ – analogous to weapons that are ‘fired’ upon a commander’s order, as well as a key component of Information Operations.
The United States’ Department of Defense in its 2011 Defense Cyberspace Policy Report to Congress acknowledged that “the interconnected nature of cyberspace poses significant challenges for applying some of the legal frameworks developed for physical domains” and observed that “there is currently no international consensus regarding the definition of a cyber weapon”.
A plausible explanation as to why the US Government refrains from using the term ‘cyber weapons’ is found in this report, as it highlights certain legal issues in transporting cyber ‘weapons’ across the Internet through the infrastructure owned and/or located in neutral third countries without obtaining the equivalent of ‘overflight rights’, and suggests ‘a principled application of existing norms to be developed along with partners and allies’. A resolution to this legal problem highlighted in the DoD’s report to Congress is visible in the omission of the term ‘cyber weapon’ in legal and policy frameworks altogether, only to be replaced by ‘cyber capabilities’.
We can find the rationale for and implications of this pivot in the work of Professor Michael Schmitt’s 2019 paper, wherein he argues in the context of applicable international law – contrary to the position he espoused in the Tallinn Manual – that ‘cyber capabilities’ cannot meet the definition of a weapon or means of warfare, but that cyber operations may qualify as methods of warfare. This interpretation permits ‘cyber weapons’ in the garb of ‘cyber capabilities’ to circumvent at least three obligations under the Law of Armed Conflict/International Humanitarian Law.
First, is the requirement for legal review of weapons under Article 36 of the First Additional Protocol to the Geneva Conventions (an issue Col. Gary Brown has also written about) and second, is taking precautions in attack. Third and most important, the argument that cyber weapons cannot be classified as munitions also has the consequence of depriving neutral States of their sovereign right to refuse permission of the transportation of weapons (or in this case, transmission of weaponised cyber capabilities) through their territory (assuming that this is technically possible).
So, in a sense, if we do not treat offensive cyber capabilities, or ‘cyber weapons’ as analogous in international law to conventional weapons normally associated with armed hostilities, in effect, we also restrain the ability of other sovereign States under international law to prevent and prohibit a weaponization of cyberspace without their consent, for military purposes of other cyber powers. Col. Gary Brown, whose work Singh seems to nurture a deep admiration for, admits that the first ‘cyber operation’ was conducted by the United States against the Soviet Union in 1982, causing a trans-Siberian pipe to explode by use of malware implanted in Canadian software acquired by Soviet agents. Since 1982, the US seems to have functioned in single-player mode until Russia’s DDoS attacks on Estonia in 2007, or at the very least, until MOONLIGHT MAZE was uncovered in 1998. For those not inclined to read, Col. Brown makes a fascinating appearance alongside former CIA director Michael Hayden in Alex Gibney’s 2016 Documentary ‘Zero Days’ which delves into Stuxnet – an obvious cyber weapon by any standards, which the US ‘plausibly denied’ until 2012.
Turning back to domestic law, the nomenclature is also significant from a public finance perspective. As anecdotal evidence, we can refer to this 2013 Reuters report, which suggests that the US Air Force designated certain cyber capabilities as ‘weapons’ with a view to secure funding from Congress.
From the standpoint of managing public perceptions too, it is apparent that the positive connotations associated with ‘developing cyber capabilities’ makes the same activity a lot more palatable, even development-oriented in the eyes of the general public, as opposed to the inherent negativity associated with say, the ‘proliferation of cyber weapons’.
Additionally, the legal framework is also important to delineate the geographical scope of the legal authority (or its personal jurisdiction, if you will) vested in the military as opposed to intelligence agencies to conduct cyber operations. For organizational purposes, the role of intelligence would (in theory) be limited to CNE, whereas CNA and CND would be vested in the military. We know from (Pukhraj’s) experience, this distinction is nearly impossible to make in practice, at least until after the fact. This overlap of what are arguably, artificially created categories of cyber operations, raises urgent questions about the scope and extent of authority the law can legitimately vest in our intelligence agencies, over and above the implicit authority of the armed forces to operate in the cyber domain.
Norm Making by Norm Breaking
In addition to understanding who wields offensive cyber capabilities, and under what circumstances, it is also important for the law to specify where or against whom they are permitted to do so by law. Although militaries of modern day ‘civilized’ nations are rarely ever deployed domestically, there has been some recent concern over whether the US CYBERCOM could be deployed against American citizens in light of recent protests, just as special forces were. While the CIA has legal authority to operate exclusively beyond the United States, the NSA is not burdened by such constraints and is authorized to operate domestically. Thus, the governance/institutional choices before a State looking to ‘acquire cyber weapons’ or ‘develop (offensive) cyber capabilities’ range from bad to worse. One might either (1) permit its intelligence agencies to engage in activities that resemble warfighting more than they resemble intelligence gathering and risk unintentional escalations internationally or (2) permit its military to engage in intelligence collection domestically, potentially against its own citizens and risk ubiquitous militarization of and surveillance in its domestic cyberspace.
Even as many celebrate the recent Federal court verdict that the mass surveillance programmes of the NSA revealed by Edward Snowden were illegal and unconstitutional, let us not forget that this illegality is found vis-à-vis the use of this programme against American citizens only – not foreign surveillance programmes and cyber operations conducted beyond American soil against foreign nationals. Turning to an international law analysis, it is the US’ refusal to recognize State sovereignty as a binding rule of international law, that enables the operationalization of international surveillance and espionage networks and transmission of weaponized cyber capabilities that routinely violate not only the sovereignty of States, but also the privacy and dignity of targeted individuals (the United States does not accept the extra-territorial applicability of the ICCPR).
The nom de guerre of these transgressions in American doctrine is now ‘persistent engagement’ and ‘defend forward’, popularized by the Cyber Solarium Commission most recently—a cleverly crafted term that brings about no technical changes in the modus operandi, but disguises aggressive cyber intrusions across national borders as ostensible self-defence.
It is also relevant that this particular problem also finds a clear mention in the Chinese Foreign Minister’s recent statement on the formulation of Digital Security rules by China. Yet, it is not a practice from which either the US or China plan to desist. Recent revelations about the Chinese firm Zhenhua Data Information Technology Co. by the Indian Express have only served to confirm the expansive, and expanding cyber intelligence network of the Chinese state.
These practices of extraterritorial surveillance, condemnable as they may be, have nonetheless, shaped the international legal order we find ourselves in today – a testimony to the paradoxical dynamism of international law – not unlike the process of ‘creative destruction’ of cyberspace highlighted by Singh—where a transgression of the norm (by either cyber power) may one day, itself become a norm. What this norm is, or should be still remains open to interpretation, so let’s not rush to kill all the lawyers—not just yet anyway.
In our previous post, “Does India have offensive cyber capabilities?”, we discussed a recent amendment to the SCOMET list appended to the ITC-HS classification by the Directorate General of Foreign Trade (DGFT). The amendment did not define, but described software for military offensive cyber operations as a term including (but not limited to) software which are designed to destroy, damage, degrade or disrupt systems, equipment and other softwares specified by Category 6 (Munitions), as well as software for cyber reconnaissance and cyber command and control.
In this post, we examine what exactly constitutes ‘offensive cyber capabilities’ (OCCs) and their role in conducting cyber operations with reference to various concepts from US, UK and Australia’s cyber doctrines. We begin by comparing two definitions of ‘cyber capabilities’.
‘Cyber Capabilities’ = ‘Cyber Operations’?
In US military doctrine, a ‘cyberspace capability’ is defined not as human skill in handling tools and software, but as “a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.” (emphasis added)
In contrast, the Australian Strategic Policy Institute (ASPI) in Defining Offensive Cyber Capabilities notes that “In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace.” (emphasis added)
The ASPI’s emphasis on resources, skills and knowledge merits special attention. Without skilled personnel to wield such devices or software, offensive cyber operations cannot be mounted successfully. This is an especially important distinction if we are looking to formulate a functional definition relevant to India’s requirements. Our conceptualisation of OCCs must accord priority to not only the acquisition of tools, devices and software developed by other nations, but to build internal capacity through investment in creation and dissemination of technical knowledge and skill development.
This view also finds support in the United Kingdom’s articulation of defence ‘cyber capability’. In the UK’s Cyber Primer formulated by the Ministry of Defence, it is acknowledged (see fn 7) that defence cyber capabilities can be a combination of hardware, firmware, software and operator action (emphasis added).
Yet, surprisingly, the ASPI’s concluding definition of OCCs equates offensive capabilities with offensive cyber operations (OCOs), “offensive cyber capabilities are defined as operations in cyberspace to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.” (emphasis added)
The underlying logic of this equation is perhaps the old adage – the proof of the pudding is in the eating? This means that in ASPI’s conceptualisation, to ‘have’ OCCs would be meaningless, and not entirely credible if no OCOs are conducted by entities claiming to possess OCCs. However, from a legal standpoint, one cannot say that ‘capabilities’ and ‘operations’ are synonymous any more than one could claim that having ‘arms/ammunitions/weapons’ is synonymous with an ‘armed attack’.
This leads us to an obvious question – what are offensive cyber operations?
Offensive Cyber Operations: Cyber Attacks (or Exploits) by Another Name?
In the United States’ military doctrine, Offensive Cyber Operations (OCOs) are understood to be operations that are “intended to project power by application of force in or through cyberspace.”
This definition of OCOs is also reiterated in the March 2020 report of the Cyberspace Solarium Commission (CSC). The CSC was constituted last year by the US Congress under the John S. McCain National Defense Authorization Act, 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences” and presented its report to the public on 11 March 2020.
Over the years, the vocabulary of the US military doctrine and strategy documents of the Department of Defense (DoD) too, have used a variety of terms to classify various categories of cyber operations. In 2006, the DoD preferred using the broader term ‘Computer Network Operations’ (CNOs) instead of ‘cyber attacks’, as seen in its National Military Strategy for Cyberspace Operations. CNOs were classified into computer network attack (CNAs), computer network defense (CND) and computer network exploitation (CNEs).
More recent documents have dropped the use of the term ‘CNO’ and exhibit a preference for ‘cyberspace operations’ or ‘cyber operations’ instead. The US DoD Dictionary of Military and Associated Terms defines ‘cyberspace operations’ as ‘[t]he employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace’.
Yet, in spite of the multiplicity of terms employed, offensive cyber capabilities can be categorised broadly, as the ability to conduct a cyber attack or cyber exploitation. Although similar, it is important to distinguish cyber attacks from cyber exploitations. Herbert Lin has observed that “[t]he primary technical difference between cyber attack and cyber exploitation is in the nature of the payload to be executed—a cyber attack payload is destructive whereas a cyber exploitation payload acquires information nondestructively”.
Indeed, the US DoD dictionary defines ‘cyberspace attacks’ and ‘cyberspace exploits’ separately. ‘Cyberspace attacks’ are actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and is considered a form of fire. In contrast, cyberspace exploitation refers to actions taken in cyberspace to gain intelligence, maneuver, collect information, or perform other enabling actions required to prepare for future military operations.
A definition of OCOs similar to the US’ conceptualisation can also be found in the UK Cyber Primer. This Primer defines OCOs as “activities that project power to achieve military objectives in, or through, cyberspace”.
The UK envisions OCOs as one of four non-discrete categories within the broader term ‘cyber operations’ that can be used to inflict temporary or permanent effects that reduce an adversary’s confidence in networks or capabilities. Such action can support deterrence by communicating intent or threats. These four categories are, namely, (1) defensive cyber operations; (2) offensive cyber operations; (3) cyber intelligence, surveillance and reconnaissance; and (4) cyber operational preparation of the environment.
Thus, we can infer from a combined reading of all these definitions that:
cyber capabilities and cyber operations are not synonymous, but
cyber capabilities (both the technological tools, as well as the human skill elements) are a prerequisite to conducting OCOs, which may be intended to either –
‘project power through the application of force’ (US) or
‘achieve military objectives’ (UK) or
‘manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks’ (ASPI) or
‘destroy, damage, degrade or disrupt systems, equipment and other softwares’ (India’s DGFT) – in or through cyberspace.
A one trick pony?
In order to execute an offensive cyber operation, the tools (or capabilities) used could range from simple malware, virus, phishing attacks, ransomware, denial of service attacks, to more sophisticated and specially-built softwares. But these tools would be futile if not for the existence of vulnerabilities in the system being attacked to enable the exploit.
From the standpoint of conducting an offensive cyber operation (whether an attack or exploit), one would necessarily require:
Cyber capabilities (technical tools and software) to exploit a pre-existing vulnerability, or to introduce a new vulnerability into the targeted system
A specific intent (i.e. specific orders or directions to meet a particular, specified military or strategic objective through or in cyberspace)
A person/organization/entity/State identified as the target (i.e. an intended target)
Planning and clearly defining the expected consequences of the attack (i.e. the intended effects)
The presence or absence of any of these factors would heavily determine the likelihood of the success of a cyber attack or exploit. Often, the actual outcome of a cyber attack is different from the intended outcome. As one cyber intelligence analyst puts it, “Any cyber operator worth her salt knows that even mission-driven, militaristic hacking thrives under great, terrifying ambiguity.”
Additionally, while the tools used are time-consuming to produce, they are rendered useless after deploying an attack. In most cases, this is because operators of the system being attacked will ensure the application of security patches to close known vulnerabilities in the aftermath of a cyber attack. For this reason, OCCs, especially those that have been ‘specially designed or modified for use in military offensive cyber operations’, once deployed, have extremely limited to negligible potential for re-use or re-deployment, especially against the same target. However, without sufficient emphasis on and investment in human skills and capabilities, the effectiveness of the available technical tools would also suffer in the long run.
A ‘digital strike’ to start a ‘cyber war’?
The deployment of cyber capabilities in an OCO must cause actual physical damage comparable in scale and effects to that of a conventional, kinetic attack to be termed as an ‘armed attack’ or an unlawful ‘use of force’ in international law. Although some of the attacks or exploitations in cyberspace could result in physical damage akin to damage caused by a traditional kinetic attack, most don’t.
Drawing from a list of significant cyber incidents recorded by the Center for Strategic and International Studies (CSIS), we can observe that very few attacks carried out in the past had the potential to lead to casualties. Scholars still disagree if all these cyber incidents could be termed as ‘a use of force’ or ‘a tool of coercion’ in international law.
However, it is interesting to note that the intent of the perpetrator of a cyber attack, a crucial element that is baked into American definitions of OCOs, is conspicuously missing from the international law analyses to classify cyber attacks as a ‘use of force’ or ‘armed attack’ – which relies largely on the scale and effects (actual, not intended) of the cyber attack. (see Tallinn Manual 2.0, Rules 69 and 71) The omission of any reference to human skill or judgment in the US’ definition of cyber capabilities too, provides additional insulation from inquiries into the actual intent of the perpetrator of a cyber attack.
At this point in time it is difficult to conceptualize a ‘war’ that is waged exclusively in cyberspace and does not manifest physical effects or spill over into other domains—not just air, land and sea, but also the economy. For this very reason, i.e. the interconnected nature of cyberspace with other domains where conflict manifests from competing interests, OCCs provide States a strategic military advantage by strengthening the effectiveness of conventional means and methods of warfare and streamlining military communications. However, the increasing dependence of the Government, critical infrastructure as well as businesses on the internet in the networked economy necessarily implies that a failure to develop or acquire cyber capabilities will make regular economic losses and disruptions by way of cyber attacks inevitable.
This leads us to another question worth considering in the context of State hostilities in cyberspace—whether economic losses occasioned by cyber attacks can be considered as a factor in determining whether its scale and effects are comparable to that of a kinetic armed attack?
Both cyber attacks and cyber exploitations hold the potential to cause economic losses to the State under attack. Today it is common knowledge that the notorious WannaCry and NotPetya attacks resulted in losses totalling up to billions of dollars. Attacks on financial systems, commercial softwares, platforms or applications that generate economic value, or civilian infrastructure linked closely with the state economy could all fall under this risk. Such attacks can also substantially slow down State functions if the chaos generated within cyber systems spills over into the physical realm.
We must also remember, that any response to this question cuts both ways – if India – or any other nation – wishes to treat economic losses caused by hostile States and other actors in cyberspace as indicative of an unlawful ‘use of force’ or an ‘armed attack’ in cyberspace, we must also be prepared to have our adversaries draw similar conclusions regarding economic losses inflicted upon them, and anticipate retaliatory action.
Given the massive risks to the economy associated with a high incidence of cyber attacks, it would be interesting to observe what direction the debate on offensive cyber capabilities takes with the release of the National Cyber Security Strategy 2020. With India’s cyber ecosystem under development, both the cyber offence and cyber defence capabilities are of immense strategic value and merit a deeper exploration and stricter scrutiny by policymakers.
This question lingers as an especially intriguing one, as the amendments to Appendix III of the ITC-HS classification referred to in our last post have now been taken down from the website of the Directorate General of Foreign Trade, only to be replaced by a sanitized version of the SCOMET list amended on 11.06.2020 – one that includes no reference to ‘military offensive cyber operations’ or even ‘cyber’ simpliciter. Even the reference to ‘intrusion software’ under head 8E401 has now been omitted. The version of the SCOMET list that we relied on for our previous post is no longer available on the DGFT website, but for interested researchers, can be downloaded here on CCG’s Blog.
While we await the release of the much-anticipated National Cyber Security Strategy 2020 (NCSS), a very significant development in the domestic regulation of foreign trade – by way of an amendment quietly inserted by the Directorate General of Foreign Trade (DGFT) on 11.06.2020 – contains an extremely significant indication for the direction we can expect the NCSS document to take.
The Foreign Trade Policy (FTP) is formulated and notified by the DGFT under the statutory authorization provided by Section 5 of the Foreign Trade (Development and Regulation) Act, 1992. The FTP regulates, among many other things, the import and export of certain types of technologies. It also enforces compliance with India’s obligations under international export control agreements like the Wassenaar Arrangement.
The latest FTP was formulated for the period of 2015-2020, and last revised in December 2017. The FTP is published in three parts – (i) the Policy Document (ii) Handbook of Procedures and (iii) the ITC-HS Classification.
The Indian Trade Classification based on Harmonized System of Coding, better known as the ITC-HS classification system uses eight digit codes to describe and categorize items subject to regulation. Schedule I of the ITC-HS deals with import policy, while Schedule II of the ITC-HS describes the rules and regulations related to export policies.
Appendix III to Schedule II contains a descriptive list for the category of SCOMET (Special Chemicals, Organisms, Materials, Equipment and Technology). The SCOMET list itemises goods, services and technologies used for civilian and military applications, including also some ‘dual-use items’ for export control regulation.
Category 6 of the SCOMET list is the Munitions list, while Category 8 relates to “Special Materials and Related Equipment, Material Processing, Electronics, Computers, Telecommunications, Information Security, Sensors and Lasers, Navigation and Avionics, Marine, Aerospace and Propulsion”.
Under 6A021, which falls under the Munitions list, “software” subject to export control regulations is now defined to include,
“Software” specially designed or modified for the conduct of military offensive cyber operations;
Note 1 6A021.b.5. includes “software” designed to destroy, damage, degrade or disrupt systems, equipment or “software”, specified by Category 6, cyber reconnaissance and cyber command and control “software”, therefor.
Note 2 6A021.b.5. does not apply to “vulnerability disclosure” or to “cyber incident response”, limited to non-military defensive cybersecurity readiness or response.
Note 2 under 6A021 appears as a welcome relief to the information security research community by keeping vulnerability disclosures beyond the purview of export control regulations. However, it is relevant to mention that “vulnerability disclosures” and “cyber incident response” had already been excluded from the purview of export control restrictions in an earlier amendment to the SCOMET list on 03.07.2018. However, this exception appears not under category 6, but category 8, as an exception to head 8E401 Computers (Technology). Therefore, the exception carved out under 6A021 by the 11.06.2020 amendment is a mere reiteration of the exception already contained under 8E401, inserted by the amendment of 03.07.2018, which reads as follows:
c. “Technology” for the “development” of “intrusion software”.
Note 1: 8E401.a and 8E401.c do not apply to ‘vulnerability disclosure’ or ‘cyber incident response’.
Note 2: Note 1 does not diminish national authorities’ rights to ascertain compliance with 8E401.a and 8E401.c.
Technical Notes:
1. ‘Vulnerability disclosure’ means the process of identifying, reporting, or communicating a vulnerability to, or analysing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.
2. ‘Cyber incident response’ means the process of exchanging necessary information on a cyber security incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident.
Therefore, our export control regulations may have been cognizant of and sensitive to the need for ensuring free flow of data and information with regards to vulnerability disclosures and cyber incident response systems since 2018. It is also relevant to mention that the previous version of this list dated 24.04.2017 made no references whatsoever to ‘cyber incident response’ or ‘vulnerability disclosure’.
The June 2020 amendment to the SCOMET list is a highly significant development, as this is the first official document that strongly suggests the existence of offensive cyber capabilities specially designed for military use in the broader ecosystem of tech regulation in India.
MeitY had made a passing reference to “offensive cyber” in a draft report authored by one of four Committees constituted in February 2018 for the promotion of AI and the development of a regulatory framework. The Report of Group D, the Committee on Cyber Security, Safety, Legal and Ethical Issues, briefly speaks of “defensive and offensive AI techniques”. However, this report contained recommendations that do not carry the force of law. In contrast, the DGFT’s latest amendment to the SCOMET list has the effect of subjecting the export of such technologies to strict regulatory control by the Government.
This regulatory development stands in contrast to the response of National Cyber Security Coordinator Lt. Gen. Pant in an interview to Medianama on 2 June 2020, only a few days before the date of this amendment to the SCOMET list:
MediaNama: In terms of follow-up to hardware and software procurement, does India procure any software as cyber weapons? Is there a process to import or export them? There has been a discussion at the Open-ended Working Group [OEWG] at the UN regarding global procurement of cyber weapons. What is India’s position, policy on procurement of cyber weapons?
Lt General Pant: No, no. I don’t think anyone will be speaking of cyber weapons, sale or anything like that.
It now remains to be seen whether the National Cyber Security Strategy, yet to be released, will officially acknowledge the existence of ‘offensive cyber capabilities’, if not ‘cyber weapons’ within India’s cyber ecosystem.
In our previous post on India’s cyber defence infrastructure, we discussed the new Defence Cyber Agency (DCA), one of the three tri-service agencies announced at the Combined Commander’s Conference last year. Under the leadership of Rear Admiral Mohit Gupta, appointed as its head in April this year, the DCA is expected to serve a dual purpose—first, to fight virtual wars in the cyber dimension and second, to formulate a doctrine of cyberwarfare. In doing so, it is expected to contribute towards a cybersecurity strategy policy which integrates cyberwarfare with conventional military operations.
In June, Lt. Col. Rajesh Pant, the National Cyber Security Coordinator, announced that the new cybersecurity strategy policy will be released early in 2020.
The utilisation of cyberspace for military operations holds the potential to infuse a certain ‘jointness’ among the Army, Navy and Air Force. Lt. Gen. (Retd.) DS Hooda pointed out the herculean task that lies ahead of Rear Admiral Gupta – “to find a way to work around vertical stovepipes into which the three services have enclosed themselves”. The tri-services nature of the DCA could potentially compel the three services to share operational information and resources on a regular basis, which would further help to formulate a comprehensive and robust cyber defence infrastructure for the country.
From Coordination to Integration
Since the appointment of Rear Admiral Gupta as the head of the DCA, the Government has made only one announcement that has a significant bearing on its role and functioning. The Prime Minister’s announcement in August about the creation of a new position of a Chief of Defence Staff (CDS) is a welcome step and is expected to catalyse the move from coordination to integration in the operations of the Army, Navy and Air Force and the operationalization of the three tri-services agencies. The burden of this herculean task entrusted to Admiral Gupta will now, presumably, be shared by the CDS.
Unlike the Chairman of the Chiefs of Staff Committee (COSC), which is an additional position occupied by the senior-most officer among the three Chiefs, who serves as primus inter pares, or the first among equals, the CDS will be above the three chiefs, act as a single-point military advisor to the Government, and coordinate long term planning, procurements and logistics of the three services. However, there is a long way to go between the announcement of this reform and its actual implementation.
Each of these two announcements – the setting up of the DCA, as well as the creation of the CDS post – necessitates certain changes in the legislated structure of the three wings of the armed forces for two distinct, but related reasons.
First, because the present legislations that govern the composition and structure of the three wings do not offer sufficient guidance for routine operations conducted jointly by the three wings, nor do they envision an officer superior in rank to the Chiefs of the three services.
The Central Government has the power to make rules under S. 191(2)(l) of the Army Act, 1950 to provide for the relative rank of the officers, junior commissioned officers, petty officers and non-commissioned officers of the regular Army, Navy and Air Force when acting together. S. 189(2)(l) of the Air Force Act, 1950 also confers the same power with respect to the Air Force. However, such a provision to make rules is conspicuous by its absence in the Navy Act, 1957. S. 184(2) of the Navy Act, 1957 confers upon the Central Government the power to make regulations to provide for the relative rank, precedence, powers of command and authority of officers and sailors in the naval service in relation to members of the regular Army and the Air Force, but this makes no specific reference to the situation when members of three forces are acting together. Instead, S. 7 of the Navy Act provides that:
“When members of the regular Army and the Air Force are serving with the Indian Navy or the Indian Naval Reserve Forces under prescribed conditions, then those members of the Army or the Air Force shall exercise such command, if any, and be subjected to such discipline as may be prescribed [under this Act].”
Additionally, the provision states that it cannot be deemed to authorise members of the regular Army or the Air Force to exercise powers of punishment over members of the Indian Navy. This provision is rooted in the colonial history of our naval laws, as it was felt that as the conditions of service at sea differed from that on land and because the erstwhile Navy (Discipline) Act, 1934 differed in many respects to the law relating to the Army and the Air Force, no attempt should be made to assimilate the revised Navy Act in other respects to the law relating to the Army and Air Force. Oddly enough, such unique demands of the sea as a theatre of war that prevented assimilation of the three wings are amplified in the case of cyberspace as a distinct, but connected theatre of war and deserve appropriate recognition in law – in a manner that encourages integration.
The existence of such disparate provisions on the conditions of service of members of the three forces when acting together could, foreseeably, prove to be a hurdle in implementing integration for the creation of tri-services agencies. Additionally, the rank, powers and office of a Chief of Defence Staff are not defined or recognized in any of the three Acts. Should such a post be created by the issuing of rules or regulations by the Central Government, they would have to be laid before Parliament, pursuant to S. 185 of the Navy Act, S. 193A of the Army Act and S. 191A of the Air Force Act. In the current state of the law, it is unclear which of these three Acts could be invoked to formulate rules to create such a post in a manner that facilitates such integration.
The second reason is that the advent of cyberwarfare has brought nation-states into what can be described as the fourth dimension of warfare—military operations that were until recently restricted to the physical domains of land, sea and air have now entered the virtual realm. The growing risk of cyber espionage and breaches of information security of Government agencies, like the ones in 2008, highlights the urgent need for such coordination to ensure prompt, proportionate responses. Thus, we need to prepare a framework not only because the conduct of hostilities now requires unprecedented, seamless integration between the three forces, but also because these hostilities will be conducted in an entirely new dimension, which possesses certain unique characteristics and limitations as a distinct operational theatre for military action.
Accordingly, the question of whether the Government would treat the breach of ‘India’s cyberspace’ by foreign actors, at par with violations of our sovereign territory, airspace or territorial waters must be answered in the affirmative.
At the minimum, (1) defence communications and operational networks, (2) security of the Government communication networks, (3) security of classified and privileged information and (4) critical information infrastructure (CII) should be considered constituent components of our sovereign-protected cyberspace. Since the promulgation and notification of the Information Technology (Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2014, CII falls within the purview of the NCIIPC. Rule 3(4) excludes systems notified by the Ministry of Defence (MoD) as critical information infrastructure. To enable this legally, (1), (2) and (3) ought to be notified by the MoD as such, and explicitly entrusted to the DCA for appropriate action for their protection with appropriate directions.
Constitutional Constraints on Waging War in Cyberspace
Indeed, our cyber forces have been fashioned as an ‘agency’ and not a ‘service’ unto themselves, but contemporary research indicates that with appropriate training and experience, the agency is expected to provide the base for, and grow into a full-fledged Cyber Command. However, we cannot rely solely on emergency powers under Article 352 of the Constitution as the starting point of our analysis of the legal framework that applies to India’s defensive operations in the cyber realm. Such an analysis leads us to arguments in favour of invoking the fundamental duties of citizens under Article 51A for boosting the recruitment of cyber warriors. Such a system can only remain functional, if at all, on an ad-hoc basis. The domain of Parliamentary action cannot reasonably be restricted on the premise that cyberattacks against Government agencies are the ‘new normal’. The State must prepare for the eventuality that ad hoc arrangements set up as necessary reactions to security breaches need to be institutionalized in law. It is not sufficient to assert that the exigencies of cyberwarfare make it inefficient to seek Parliamentary sanction. And so, the military establishment that engages in hostilities with foreign actors in cyberspace, whether fashioned as an agency, service or command, should be read into the phrase ‘any other armed forces’ of Entry 2 of Schedule VII.
When it comes to the defence of India, the Constitution is unambiguous.
Article 53(2) of the Constitution declares that the supreme command of the armed forces of the Union shall be vested in the President and the exercise thereof shall be regulated by law. (emphasis added) Article 53(3)(b) also states that nothing in this Article shall “prevent Parliament from conferring by law functions on authorities other than the President”.
Article 246(1) of the Constitution vests legislative powers in the Parliament. The provision refers to Schedule VII, which identifies specific areas upon which Parliament is entitled to legislate in the national security domain. These areas include the following:
1. Entry 1 refers to “the Defence of India and every part thereof including preparation for defence and all such acts as may be conducive in times of war to its prosecution and after its termination to effective demobilization.”
2. Entry 2 places “naval, military and air forces; and any other armed forces of the Union” within the legislative competence of Parliament. To this effect, The Army Act and Air Force Act were adopted by the Parliament in 1950 and the Navy Act in 1957.
3. Entry 7 refers to “Industries declared by Parliament by law to be necessary for the purpose of defence or for the prosecution of war”. Although the IT sector is treated as a strategic sector by the Government, no such law has been enacted by Parliament.
The language of Article 246 indicates that Parliament is competent to legislate on these issues. However, the use of the word ‘shall’ in the language of Article 53 suggests that Parliament is duty-bound to enact such a law. This can also be inferred from the language of Article 73(1) of the Constitution, which states that “The Executive power of the Union shall extend – (a) to matters with respect to which Parliament has the power to make laws”. This makes it clear that the exercise of the Executive power is made conditional on the legislative competence of the Parliament, and not vice versa.
So far, no specific legislation has been forthcoming from Parliament to approve or regulate the exercise of the executive power to engage in cyberwarfare, nor has the Government proposed any. However, the promulgation of a Cybersecurity Act that would cover not only various cyber-related crimes, offences, forensic and policing, but also, have enabling provisions for cyber war and defences against cyber war has been proposed by other think tanks, and even Admiral Gupta himself.
Thus, the power to make preparations for prosecution of war in cyberspace should be backed by Parliamentary sanction. Such an enactment would also help clarify many other questions and streamline the contours of India’s cybersecurity infrastructure and institutions. For example, the domain of authority of the DCA and its relationship with its civilian counterparts including the National Cyber Security Coordinator (NCSC) and the Indian Computer Emergency Response Team (CERT-In) remain unclear. With proper consideration and consultations, the setting up of the DCA could potentially open the doors to enhanced, perhaps even institutionalised civilian-military cooperation that begins in cyber operations and permeates into conventional operations as well.
Two new domains—space and cyber—enabled by high technology, offer unprecedented opportunities for enhanced communication and coordination among wings of the armed forces in all theaters of war, and can be used as force multipliers for intelligence analysis, mission planning and control.[i] Given their crucial role in intelligence analysis, foreseeably, the Government could model the agency as one that ‘cyber-supports’ military operations, but with a greater emphasis on covert operations rather than conventional warfare. In such a scenario, we may expect that its structure and functioning would be shrouded in secrecy, analogous to the Research and Analysis Wing (R&AW) or the Intelligence Bureau (IB). This means that the DCA would work closely with the Defence Intelligence Agency (DIA). While structures analogous to existing intelligence agencies could potentially allow greater freedom of action for cyber operations, they could also compromise the DCA’s potential to draw upon civilian expertise.
In the interest of widening the pool from which the DCA recruits and trains its cyber-warriors, a proper legislative mandate would go a long way in establishing and strengthening strategic partnerships with the private sector, where most of the country’s tech talent is currently employed.
[i] As an aside, it is pertinent to mention that India’s entry into the fifth dimension i.e. space remains debatable— even after carrying out the first successful test of anti-satellite (ASAT) weapon and being in the process of setting up a Defense Space Agency, our policies still espouse the principle of peaceful uses of outer space.
This week, Delhi International Airport deployed facial recognition on a ‘trial basis’ for 3 months, landline communications were restored in Kashmir as the Government mulls over certification for online video streaming platforms like Netflix and PrimeVideo – presenting this week’s most important developments in law, tech and national security.
Aadhaar
[Sep 3] PAN will be issued automatically using Aadhaar for filing returns: CBDT, DD News report.
[Sep 3] BJD set to collect Aadhaar numbers of its members in Odisha, Opposition parties slam move, News 18 report; The New Indian Express report; Financial Express report.
[Sep 5] Aadhaar is secure, says ex-UIDAI chief, Times of India report.
[Sep 5] Passport-like Aadhaar centre opened in Chennai: Online appointment booking starts, Livemint report.
[Sep 8] Plans to link Janani Suraksha and Matra Vandan schemes with Aadhaar: CM Yogi Adityanath, Times of India report.
Digital India
[Sep 5] Digital media bodies welcome 26% FDI cap, Times of India report.
[Sep 6] Automation ‘not threat’ to India’s IT industry, ET Tech report.
[Sep 6] Tech Mahindra to modernise AT&T network systems, Tech Circle report.
Data Protection and Governance
[Sep 2] Health data comes under the purview of Data Protection Bill: IAMAI, Inc42 report.
[Sep 2] Credit history should not be viewed as sensitive data, say online lenders, Livemint report.
[Sep 3] MeitY may come up with policy on regulation of non-personal data, Medianama report.
[Sep 3] MeitY to work on a white paper to gain clarity on public data regulations, Inc42 report.
[Sep 6] Treating data as commons is more beneficial, says UN report, Medianama report.
[Sep 9] Indian Government may allow companies to sell non-personal data of its users, Inc42 report, The Economic Times report.
[Sep 9] Tech firms may be compelled to share public data of its users, ET Tech report.
Data Privacy and Breaches
[Sep 2] Chinese face-swap app Zao faces backlash over user data protection, KrAsia report; Medianama report.
[Sep 2] Study finds Big Data eliminates confidentiality in court judgments, Swiss Info report.
[Sep 4] YouTube will pay $170 million to settle claims it violated child privacy laws, CNBC report; FTC Press Release.
[Sep 4] Facebook will now let people opt-out of its face recognition feature, Medianama report.
[Sep 4] Mental health websites in Europe found sharing user data for ads, Tech Crunch report.
[Sep 5] A huge database of Facebook users’ phone numbers found online, Tech Crunch report.
[Sep 5] Twitter has temporarily disabled tweet to SMS feature, Medianama report.
[Sep 6] Fake apps a trap to track your device and crucial data, ET Tech report.
[Sep 6] 419 million Facebook users phone numbers leaked online, ET Tech report; Medianama report.
[Sep 9] Community social media platform, LocalCircles, highlights data misuse worries, The Economic Times report.
Free Speech
[Sep 7] Freedom of expression is not absolute: PCI Chairman, The Hindu report.
[Sep 7] Chennai: Another IAS officer resigns over ‘freedom of expression’, Deccan Chronicle report.
[Sep 8] Justice Deepak Gupta: Law on sedition needs to be toned down if not abolished, The Wire report.
Online Content Regulation
[Sep 3] Government plans certification for Netflix, Amazon Prime, Other OTT Platforms, Inc42 report.
[Sep 4] Why Justice for Rights went to court, asking for online content to be regulated, Medianama report.
[Sep 4] YouTube claims new hate speech policy working, removals up 5x, Medianama report.
[Sep 6] MeitY may relax norms on content monitoring for social media firms, ET Tech report; Inc42 report; Entrackr report.
E-Commerce
[Sep 4] Offline retailers accuse Amazon and Flipkart of deep discounting, predatory pricing and undercutting, Medianama report; Entrackr report.
[Sep 6] Companies rely on digital certification startups to foolproof customer identity, ET Tech report.
Digital Payments and FinTech
[Sep 3] A sweeping reset is in the works to bring India in line with fintech’s rise, The Economic Times report.
[Sep 3] Insurance and lending companies in agro sector should use drones to reduce credit and insurance risks: DEA’s report on fintech, Medianama report.
[Sep 4] Firefox will not block third-party tracking and cryptomining by default for all users, Medianama report.
[Sep 4] Insurance companies are fueling ransomware attacks, Defense One report.
[Sep 5] Firms facing shortage of skilled workforce in cybersecurity: Infosys Research, The Economic Times report.
[Sep 5] Cybersecurity a boardroom imperative in almost 50% of global firms: Survey, Outlook report; ANI report.
[Sep 5] DoD unveils new cybersecurity certification model for contractors, Federal News Network report.
[Sep 5] Jigsaw Academy launches cybersecurity certification programme in India, DQ India report.
[Sep 6] Indians lead the world as Facebook Big Bug Hunters, ET Tech report.
[Sep 6] Australia is getting a new cybersecurity strategy, ZD Net report.
[Sep 9] China’s 5G, industrial internet roll-outs to fuel more demand for cybersecurity, South China Morning Post report.
Tech and National Security
[Sep 3] Apache copters to be inducted today, The Pioneer report.
[Sep 3] How AI will predict Chinese and Russian moves in the Pacific, Defense One report.
[Sep 3] US testing autonomous border-patrol drones, Defense One report.
[Sep 3] Meet the coalition pushing for ‘Cyber Peace’ rules, Defense One report.
[Sep 4] US wargames to try out concepts for fighting China, Russia, Defense One report.
[Sep 4] Southern Command hosts seminar on security challenges, Times of India report; The Indian Express report.
[Sep 4] Russia, already India’s biggest arms supplier, in line for more, Business Standard report.
[Sep 4] Pentagon, NSA prepare to train AI-powered cyber defenses, Defense One report.
[Sep 5] Cabinet clears procurement of Akash missile system at Rs. 5500 crore, Times Now report.
[Sep 5] India to go ahead with $3.1 billion US deal for maritime patrol aircraft, The Economic Times report.
[Sep 5] DGCA certifies ‘small’ category drone for complying with ‘No-Permission, No-Takeoff’ protocol, Medianama report.
[Sep 5] India has never been aggressor but will not hesitate in using its strength to defend itself: Rajnath Singh, The Economic Times report.
[Sep 5] Panel reviewing procurement policy framework to come out with new versions of DPP, DPM by March 2020, The Economic Times report; Business Standard report; Deccan Herald report.
[Sep 5] Russia proposes joint development of submarines with India, The Hindu report.
[Sep 7] Proud of you: India tells ISRO after contact lost with Chandrayaan-2 lander, India Today report.
Tech and Elections
[Sep 4] ECI asks social media firms to follow voluntary code of ethics ahead of state polls: report, Medianama report.
[Sep 6] Congress party to reorganise its data analytics department, Medianama report.
[Sep 5] Why the 2020 campaigns are still soft targets for hackers, Defense One report.
[Sep 5] Facebook meets with FBI to discuss election security, Bloomberg report.
[Sep 5] Facebook is making its own AI deepfakes to head off a disinformation disaster, MIT Tech Review report.
Internal Security: J&K
[Sep 4] Long convoy, intel failure: Multiple lapses led to Pulwama terror attack, finds CRPF inquiry, India Today report; Kashmir Media Service report; The Wire report.
[Sep 4] Extension of President’s Rule in Kashmir was not delayed, MHA says in report to SC lawyer’s article, Scroll.in report.
[Sep 6] Landline communication restored in Kashmir Valley: Report, Medianama report.
[Sep 7] Kashmir’s Shia areas face curbs, all Muharram processions banned, The Quint report.
[Sep 7] No question of army atrocities in Kashmir as it’s only fighting terrorists: NSA Ajit Doval, India Today report.
[Sep 8] More than 200 militants trying to cross into Kashmir from Pakistan: Ajit Doval, Money Control report.
[Sep 8] ‘Such unilateral actions are futile’, says India after Pakistan blocks airspace for President Kovind, Scroll.in report; NDTV report.
Internal Security: NRC
[Sep 2] Contradictory voices in Assam Congress on NRC: Tarun Gogoi slams it as waste paper, party MP says historic document, India Today report.
[Sep 3] Why Amit Shah is silent on NRC, India Today report.
[Sep 7] AFSPA extended for 6 months in Assam, Deccan Herald report.
[Sep 7] At RSS mega meet, concerns over Hindus being left out of NRC: Sources, Financial Express report.
National Security Institutions and Legislation
[Sep 5] Azhar, Saeed, Dawood declared terrorists under UAPA law, Deccan Herald report; The Economic Times report.
[Sep 8] Home Minister says India’s national security apparatus more robust than ever, Livemint report.
[Sep 8] Financial safety not national security reason for women to join BSF: Study, India Today report.
Telecom/5G
[Sep 6] Security is an issue in 5G: NCSC Pant on Huawei, Times of India report.
More on Huawei
[Sep 1] Huawei believes banning it from 5G will make countries insecure, ZD Net report.
[Sep 2] Huawei upbeat on AI strategy for India, no word on 5G roll-out plans yet, Business Standard report.
[Sep 3] Huawei denies US allegations of technology theft, NDTV Gadgets 360 report; Business Insider report; The Economic Times report.
[Sep 3] Shocking Huawei ‘Extortion and Cyberattack’ allegations in new US legal fight, Forbes report; Livemint report; BBC News report; The Verge report.
[Sep 3] Committed to providing the most advanced products: Huawei, ET Telecom report.
[Sep 4] Huawei says 5G rollout in India will be delayed by 3 years if it’s banned, Livemint report.
[Sep 4] Trump not interested in talking Huawei with China, Tech Circle report.
[Sep 5] Nepal’s only billionaire enlists Huawei to transform country’s elections, Financial Times report.
[Sep 8] Trump gets shocking new Huawei warning – from Microsoft, Forbes report.
Emerging Tech
[Aug 30] Facebook is building an AI Assistant Inside Minecraft, Forbes report.
[Sep 3] AWS partners with IIT KGP for much needed push to India’s AI skilling, Inc42 report.
[Sep 3] Behind the Rise of China’s facial recognition giants, Wired report.
[Sep 4] Facebook won’t use facial recognition on you unless you tell it to, Quartz report.
[Sep 4] An AI app that turns you into a movie star has risked the privacy of millions, MIT Technology Review report.
[Sep 6] Police use of facial recognition is accepted by British Court, The New York Times report.
[Sep 6] Facebook, Microsoft announce challenge to detect deepfakes, Medianama report.
[Sep 6] Facial recognition tech to debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months, Medianama report.
Internet Shutdowns
[Sep 3] After more than 10 weeks, internet services in towns of Rakhine and Chin restored, Medianama report.
[Sep 4] Bangladesh bans mobile phone services in Rohingya camps, Medianama report.
Opinions and Analyses
[Sep 2] Michael J Casey, Coin Desk, A crypto fix for a broken international monetary system.
[Sep 2] Yengkhom Jilangamba, News18 Opinion, Not a solution to immigration problem, NRC final list has only brought to surface fault lines within society.
[Sep 2] Samuel Bendett, Defense One, What Russian Chatbots Think About Us.
[Sep 2] Shivani Singh, Hindustan Times, India’s no first use policy is a legacy that must be preserved.
[Sep 3] Abir Roy, Financial Express, Why a comprehensive law is needed for data protection.
[Sep 3] Dhirendra Kumar, The Economic Times, Aadhaar is back for mutual fund investments.
[Sep 3] Ashley Feng, Defense One, Welcome to the new phase of US-China tech competition.
[Sep 3] Nesrine Malik, The Guardian, The myth of the free speech crisis.
[Sep 3] Tom Wheeler and David Simpson, Brookings Institution, Why 5G requires new approaches to cybersecurity.
[Sep 3] Karen Roby, Tech Republic, Why cybersecurity is a big problem for small businesses.
[Sep 4] Wendy McElroy, Bitcoin.com, Crypto needs less regulation, not more.
[Sep 4] Natascha Gerlack and Elisabeth Macher, Mondaq.com, US CLOUD Act’s potential impact on the GDPR.
[Sep 4] Peter Kafka, Vox, The US Government isn’t ready to regulate the internet. Today’s Google fine shows why.
[Sep 5] Murtaza Bhatia, Firstpost, Effective cybersecurity can help in accelerating business transformation.
[Sep 5] MG Devasahayam, The Tribune, Looking into human rights violations by Army.
[Sep 5] James Hadley, Forbes, Cybersecurity Frameworks: Not just for bits and bytes, but flesh and blood too.
[Sep 5] MR Subramani, Swarajya Magazine, Question at heart of TN’s ‘WhatsApp traceability case’: Are you endangering national security if you don’t link your social media account with Aadhaar?
[Sep 5] Justin Sherman, Wired, Cold War Analogies are Warping Tech Policy.
[Sep 6] Nishtha Gautam, The Quint, Peer pressure, militant threats enforcing civil curfew in Kashmir?
[Sep 6] Harsh V Pant and Kartik Bommakanti, Foreign Policy, Modi reimagines the Indian military.
[Sep 6] Shuman Rana, Business Standard, Free speech in the crosshairs.
[Sep 6] David Gokhshtein, Forbes, Thoughts on American Crypto Regulation: Considering the Pros and Cons.
[Sep 6] Krishan Pratap Singh, NDTV Opinion, How to read Modi Government’s stand on Kashmir.
The Union Budget for 2019-2020 brought with it a boost for using Aadhaar to file I-T returns amid escalating privacy concerns, but disappointed those hoping for larger allocations to modernisation of the armed forces. As the uncertainty over Huawei’s inclusion in 5G trials continues — presenting this week’s most important developments in law and tech.
Aadhaar
[July 4] Aadhaar bill seeking its use as ID to open bank account passes in Lok Sabha, India Today report.
[July 4] UIDAI sets up first Aadhaar centres in Delhi and Vijayawada, to set up 114 more centres in 2019, Medianama report.
[July 5] Aadhaar ordinance: SC asks Centre, UIDAI to respond to writ petition, The Hindu report; The Economic Times report; Medianama report.
[July 6] Budget eases criteria of obtaining Aadhaar for NRIs with Indian passport, Business Standard report.
[July 6] Budget 2019 proposes to make PAN, Aadhaar interchangeable; soon you can file ITR using either of these, The Economic Times report.
[July 6] J&K Government approves Aadhaar linked payment mode for disbursal of pension, Business Standard report.
[July 7] Economic survey has based Aadhaar impact on MGNREGS on false assumptions, say researchers, The Hindu report.
[July 8] I-T to allot PAN to those filing returns only with Aadhaar, Live Mint report.
Internet Shutdowns
[July 2] India saw 11 internet shutdowns in June, 59 so far in 2019, Medianama report.
[July 4] Internet services in Jaipur set to resume today; parts of the city had been offline after rape of minor, Medianama report.
[July 4] Facebook, Instagram and WhatsApp back after 8-hour outage that left users unable to upload photos, videos, Medianama report.
[July 5] Following communal violence, internet remains closed in Agra, India Today report.
Free Speech
[July 3] Centre has no plans to scrap sedition law, Minister tells Rajya Sabha; The Hindu report.
[July 5] MDMK Chief Vaiko convicted in sedition case, sentenced to one year imprisonment, The Hindu Business Line report.
Data Protection
[July 1] Data Protection Bill: MHA wants insulation for security agencies, The Tribune report.
[July 2] TikTok illegally collecting data received by China, claims Shashi Tharoor, News18 report.
[July 2] Tik Tok under investigation in the UK over children’s data use, The Guardian report.
[July 2] China’s new data protection scheme, The Diplomat report.
[July 3] Comprehensive legislation on data privacy under formulation: Ravi Shankar Prasad; The Economic Times report.
[July 4] Won’t allow abuse of Indian data by foreign powers or companies, says RS Prasad in Rajya Sabha, Medianama report.
[July 5] Govt needs to leverage data as public good to boost welfare of poor, Live Mint report.
[July 6] Economic Survey pushes for interlinking and selling citizens’ data for private purposes: Rethink Aadhaar, Money Life report.
Digital India
[July 4] Qualcomm India extends design challenge to MeitY supported startups, The Economic Times report.
[July 8] No incentive left for banks to push digital pay, fears fintech, ET Tech report.
Cryptocurrencies
[June 30] ‘Govt Screwed Us’ Crypto Startup Coin Recoil Founder Writes An Open Letter To PM, Inc42 report.
[July 2] Remaining crypto exchanges in India bet on global markets, ET Tech report.
[July 3] Bitcoin’s energy consumption ‘equals that of Switzerland’, BBC report.
[July 5] Indian authorities arrest 4 individuals accused of crypto ponzi scheme, Coin Telegraph report.
[July 5] US lawmakers tell Facebook to halt Libra as it risks undermining dollar and upending global financial system, Medianama report.
[July 7] New ECB boss Christine Lagarde made a serious Bitcoin warning, Forbes report.
Telecom/5G
[July 3] Samsung talks about its 5G solution, readiness to work with telecom operators in India, India Today report
[July 2] Samsung to ramp up Internet of Things business in India after 5G roll out, Times Now News reports
More on Huawei
[July 3] Despite Trump’s promised reprieve, Commerce Department tells staff to continue treating Huawei as blacklisted, Tech Crunch report.
[July 3] Indian companies supplying (US origin equipment) to Huawei may face US sanctions: Govt, The Economic Times report.
[July 4] Donald Trump eases off Huawei as firms discover holes in his export ban, The Economist’s analysis.
[July 4] India to decide on Huawei participation in 5G trial based on security and economic interests, The Economic Times report.
[July 5] Huawei disputes US cyber firm’s findings of flaws in gear, The Wall Street Journal report.
[July 6] Huawei employees linked to China’s military and intelligence, reports claim, Forbes report.
[July 6] Huawei is helping all the UK’s top carriers build their 5G networks, Engadget report.
Cybersecurity
[July 2] Air travel needs cybersecurity, now tighter than ever, Financial Express report.
[July 3] New Zealand updates its cybersecurity strategy, ZDNet report.
[July 3] Tech Mahindra, SSH to deploy cutting edge cybersecurity solutions to secure access control for enterprises, Dataquest India report.
[July 3] 25 Central, State govt websites hacked till May this year: Ravi Shankar Prasad; The Economic Times report.
[July 5] Getting up to speed with AI and Cybersecurity, Tech radar explainer.
[July 5] The Biggest Cybersecurity Crises of 2019 so far, The Wired report.
[July 6] New ransomware named Sodin exploits Windows flaw identified by cybersecurity firm Kaspersky, The Indian Wire report.
Cyberwarfare
[July 3] Suspected Iranian Cyber Attacks Show No sign of slowing, Defense One report.
[July 4] Report: Pentagon should assume US satellites are already hacked, Defense One report.
Surveillance/Tech and Law Enforcement
[July 1] NSAB comes up with traceability to help WhatsApp, Economic Times report.
[July 2] China snares tourists’ phones in surveillance dragnet by adding secret app, The New York Times report; Wired report; The Guardian report.
Tech and Military
[July 1] Indian Air Force orders Russian-made anti-tank missiles for USD 29 million, Jane’s Defence Weekly report.
[July 1] Modi govt spent Rs. 2.37 lakh crore on modernisation of armed forces in 4 years, Business Today report.
[July 2] India’s defence budget has nearly doubled in 5 years but the money is not enough to upgrade the weapons. Business Insider report.
[July 4] Funds shrinking, Army wants budget 2019 to make special allowance for GST, customs duties, The Print report.
[July 5] Budget 2019: Experts feel not much to change for armed forces, The New Indian Express report.
[July 5] 0.01% – The increase in defence allocation from interim budget as modernisation put on hold, News18 report.
[July 5] Budget 2019: Defence gets duty exemption on imports, no big allocation, say experts, Financial Express report; The Hindu report.
[July 5] India outlines progress in ‘Strategic Partner’ projects, Jane’s Defense Weekly report.
[July 5] Defence Ministry approves Army Headquarters restructuring plans: Gen Bipin Rawat, Business Standard report.
[July 6] Army, Nation e-Governance Division ink pact for developing revamped app, Money Control report.
[July 6] MBDA, French Army team develop AI based automatic target recognition by imaging system, Defense World report.
[July 7] Indian Army to buy American howitzer ammo for long-range accurate strikes, The Economic Times report.
[July 8] DRDO carries out three successful Nag tests in one day in Pokhran, The Economic Times report.
Opinions and Analyses
[July 1] Abhijit Kumar Dutta, Money Control, 5G test run: Is barring Huawei a good idea? Probably not.
[July 1] Maahi Mayuri, Mondaq News Alerts, India: Data Localisation: What’s in it for us?
[July 2] Allie Funk, Wired, I opted out of facial recognition at the airport – it wasn’t easy.
[July 3] Times of India editorial, Don’t hug Huawei: Beware of allowing Chinese firms entry into India’s 5G market.
[July 3] Amol Agarwal, Money Control, Facebook’s Libra currency – will it rewrite the crypto playbook?
Recent developments in India’s space policy, including Mission Shakti, India’s first anti-satellite weapon test, are indicative of the state’s growing concern about contemporary threats to the state; India is ranked among the 15 least cyber-secure countries in the world out of a list of 60 countries. To this end, the Prime Minister announced the setting up of three new tri-service agencies, for Cyber Warfare, Space and Special Operations, at the Combined Commanders’ Conference in Jodhpur last year.
In this post we will mainly deal with the third tri-service agency, the Defence Cyber Agency, which is set up to work in conjunction with the National Cyber Security Advisor. Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its tri-service nature means that it would include as many as 1000 personnel from all three branches, the Army, Navy and the Air Force. Rear Admiral Mohit Gupta has been appointed to be the first head of the DCA.
Current Legal Framework
The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cyber security, and those focusing on military cyber security.
The National Cyber Security Policy was adopted by the Government of India in 2013 to ensure a secure and resilient cyberspace for citizens, businesses and the government. This policy was launched to integrate all the initiatives in the area of Cyber Security and to tackle the fast-changing nature of cybercrimes. Initiatives such as setting up the National Cyber Coordination Centre (NCCC) and the National Critical Information Infrastructure Protection Centre (NCIIPC), and creating sector-specific Computer Emergency Response Teams (CERT), were implemented under the policy.
The Indian Computer Emergency Response Team (CERT) is an office within the Ministry of Electronics and Information Technology. It is the national nodal agency for responding to computer security incidents as and when they occur. It deals mostly with civilian threats by issuing guidelines, vulnerability notes, and whitepapers relating to security practices, as well as providing a point of contact for reporting local problems.
Cyber-Security concerns in India
The 2019 Global Risk Report highlights India’s history of malicious cyber-attacks and lax cybersecurity protocols which led to massive breaches of personal information in 2018. It also specifically mentions the government ID database, Aadhaar, which has reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that individuals were selling access to the database at a rate of 500 rupees for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.
The Digital India initiative has resulted in a boom in internet usage in the country. However, due to the lack of proper security protocols, there have been an estimated 700 hacks into state and central government websites, as was reported in the Lok Sabha. Additionally, in January 2017, the National Security Guard page was hacked by suspected Pakistan-based operatives who then went on to post anti-India content on it. The need to prevent such attacks on Indian websites has been a matter of debate since 2016, following the hack of the IRCTC website.
While some aspects of cyber security are easy to classify, such as the breach of IRCTC being a civilian breach and hacking the website of the National Security Guard being a military breach, other potential cyber threats could fall within a grey area.
Defence Cyber Agency
The lacuna which the Defence Cyber Agency seeks to fill exists in the realm of military cyber security. It is currently governed by the Defence Intelligence Agency (DIA), which operates under the direct control of the Ministry of Defence and focuses on the international offensive and defensive capabilities of the state. It is the nodal agency for all defence-related intelligence.
The formation of the Defence Cyber Agency is supposedly meant to combat the current threat of foreign hackers from nations such as China or Pakistan, who could attack India’s digital infrastructure using cyber warfare. The new agency could potentially set up the roadmap for the future of India’s cyber security, specifically by combating threats made to military targets.
A common feature of many military agencies is the lack of legislative clarity; in the absence of a clear and coherent policy document or a parliamentary enactment to this effect, the parameters on which the domain of ‘military cyber security’ is demarcated remain unclear. The definition of ‘military’ in this case could potentially be based on the nature of the target (IRCTC hack vs. NSG hack), the origin of the threat (geographical location or the nationality of the perpetrator) or even the source of the threat (China/Pakistan or amateur domestic hackers).
The Agency is expected to follow a decentralized structure where the bulk of the agency will be organised into smaller teams, spread around the country, with the command center in Delhi. It also aims at putting dedicated officers in major headquarters of the tri-forces to deal with emerging cyber security issues.
One of the main takeaways from the setting up of this agency is the inter-service cooperation between the Army, Navy and the Air Force. The move is also in keeping with the Joint Training Doctrine Indian Armed Forces, of 2017, which seeks to foster ‘Synergy’ and ‘Integration’ amongst the three Services and other stake-holders, leading to enhanced efficiency and optimum utilisation of resources.
Since the new agency will fall under the purview of the Ministry of Defence, the precise mandate and composition of the DCA are not clear at this point. After its formal inauguration, which is supposed to happen sometime this month, it is possible that people will have a better idea of the agency’s role and functions in maintaining India’s cyber defences.
A key issue which has not been addressed so far is the need to employ experts in the field of cyber-security. While the new agency is projected to employ over 1000 personnel from the three services, employing personnel with sufficient technical knowledge will be difficult, owing to a general lack of qualified personnel in this field. Additionally, with the boom in the cyber security market, the DCA would not only have to contend with private players in the domestic markets in attracting qualified talent, but also face stiff competition from international players in the scene.
In addition to setting up the DCA, it is also important that all three services take this opportunity to better train existing personnel in basic cyber security practices, including staff who are not specifically deployed to the DCA.
It is hoped that the formation of such an agency will not only improve India’s cyber security but also bolster its international reputation in terms of digital safety. The creation of this new agency highlights the weaponization of cyberspace as a tool of modern warfare, and also the importance of data and information sharing between the three services in order to better protect the nation.
In September last year, a mutual cyber hacking marathon ensued between Indian and Pakistani hackers, who each hacked and defaced multiple government and private websites. The incident was triggered by a detected defacement of a Kerala government website which was attributed to a Pakistani hacker. Indian hackers and hacktivist groups retaliated by defacing multiple Pakistani government websites and making several others inaccessible. Media reports were quick to label these cyber vandalism exchanges as a cyber war between the two countries with headlines such as:
These headlines, while raising public awareness about politically motivated cyber-attacks, were also misleading and patently wrong in terming the episode a cyber war. Other politically motivated cyber-attacks involving independent hackers have also been termed cyber war in the past. The incidents were noteworthy and raised several red flags about the vulnerability of official government websites and the state of security of the data contained therein. However, they certainly did not cross the threshold to be termed an ‘act of war’ or ‘cyber warfare’.
There are clear thresholds for an attack to qualify as an act of war, and several scholars opine that the same standards apply on a virtual battleground. For instance, the US Strategic Command’s Cyber Warfare Lexicon’s definition of cyber warfare envisions a military object (Page 8). The document also states that “not all cyber capabilities are weapons or potential weapons” (Page 9). The Tallinn Manual on the International Law Applicable to Cyber Warfare, which identifies “laws of armed conflict that apply to cyberspace and delineates the limits and modalities of its application”, does not seek to regulate actions of individual hackers or groups of hackers. Susan Brenner, a cyber conflict specialist, opines that cyber warfare is the use of cyberspace to achieve the same ends as conventional warfare[1] – “the conduct of military operations by virtual means”.[2] However, other definitions allow scope to envision the participation of non-state actors in cyber warfare.[3]
Despite numerous attempts at definition and the lack of a clear consensus in existing definitions, ‘cyber war’ has a specific connotation. Most existing definitions of cyber warfare envisage the subversive use of cyber technologies by a nation-state in the conduct of a military operation.
It is challenging to evolve specific definitions for cyber-attacks, and this makes it difficult to categorize them. However, it is important to identify the exact nature of each attack and to unambiguously define and categorize cyber-attacks in order to formulate a proportional and appropriate policy response.
The issue of distinguishing cyber vandalism from cyber war was most notably raised in the aftermath of the Sony hack of 2014. President Obama had characterized the attack as an act of cyber vandalism, while others opined that it was an act of terrorism or an act of warfare, albeit perpetrated virtually. The characterization of that particular attack on Sony has been shifting with allegations of the incident being a state-sponsored act. Regardless, the classification of any cyber-attack carries its own implications for the formulation of a response policy, and thus it must also be accurately communicated to the public and policy makers.
It is clear that the above-described incident of mutual defacement of websites by hackers and hacktivist groups falls short of qualifying as a cyber war on many counts. There is no indication of the attacks being sponsored by the Indian or Pakistani state. Evidently, it was also not carried out in furtherance of a military objective. The target of the primary attack, an official government website, is not critical information infrastructure, and the nature and severity of the attack was fairly minimal. Thus, the act and the subsequent retaliation do not qualify as acts of cyber war and can only be characterized as ‘cyber vandalism’.
Cyber vandalism is the digital equivalent of conventional vandalism, wherein the legitimate content of a website is made unavailable or replaced. As advanced cyber capabilities are within the reach of even non-state actors, attacks of this nature might be a frequent occurrence in the future. It is vital then to evolve appropriate legal and policy responses to effectively deal with individuals, hacktivists and organized groups that indulge in cyber vandalism.
The rules of cyber war are still nascent, but the Tallinn Manual sheds light on the form that law might take in regulating acts of such nature. The international community is bound to arrive at a consensus on the definitions and clear demarcations of acts of warfare, terrorism, vandalism and espionage in cyberspace. In the meantime, there must be a concerted effort to understand these new-age operations and evolve better classifications that aid policy formulation on these issues.