The Pegasus Hack–II: Secrecy for Snooping in Public Procurement?

“Into the Rabbit Hole” by Aswin Behera @Behera_Aswin is licensed under CC BY 4.0.
From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative

By Gunjan Chawla

The recent revelation of the Pegasus hacks has re-ignited public discourse on privacy, surveillance and intelligence reform. As the proposed Personal Data Protection Bill, 2019 makes room for wide exemptions to military, intelligence and law enforcement agencies for the collection and processing of citizens’ data, privacy and data protection laws in their current form will be limited in their potential to enforce meaningful procedural safeguards and oversight over State surveillance.

Although these conversations are not new, we must continue to have them. At the same time, it is important not to miss the forest of State-run cybersurveillance programmes for the sprawling branches of the Pegasus tree. That the global cyber-surveillance industry thrives on State secrecy is no secret.

While the need for and significance of surveillance reforms cannot be over-emphasized, data protection or privacy law in itself may not succeed in ensuring that the Government is prohibited or restrained from acquiring Pegasus-like spyware. Nor will it ensure that the Government is obligated to disclose that it has procured technologies that risk undermining the basic fundamental freedoms of its citizenry, with the intent of deployment by law enforcement and/or intelligence agencies. In an earlier piece on the Pegasus Hack, CCGNLUD addressed issues in international frameworks for export controls designed for dual-use technology and their limitations in providing meaningful remedy to the aggrieved.

In this piece, the author argues that Parliamentary legislation and oversight on public procurement processes, classifications and procedures is far more likely to address the root of the multi-faceted problems we are faced with in the wake of Pegasus. Yet, public commentary or critique on the far-reaching consequences of such provisions is hard to come by. This is despite the fact that multiple estimates peg the share of public procurements by Government departments and agencies as accounting for 20-30% of India’s national GDP.[1]

The argument proceeds as follows. First, we highlight the central provision that enables the Government to keep such concerning acquisitions of technology in the dark, away from Parliamentary and public scrutiny. Second, we examine the far-reaching implications of this somewhat obscure provision for the cybersecurity industry in India and the public at large. Finally, we explain how this State-sanctioned secrecy in procurement of spyware – whether from foreign or Indian vendors – could potentially deprive the aggrieved targets of surveillance through Pegasus of meaningful legal remedy before the Courts.

Executive Regulations on Public Procurements and ‘National Security’

In the absence of a Parliamentary enactment, public procurements in general are governed by the overarching principles and procedures codified in the General Financial Rules, 2017 (GFR). These rules were first issued after independence in 1947, and later revised in 1963 and 2005.[2]

Rule 144 of the GFR mandates that every authority procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement.[3] It also sets out certain ‘yardsticks’ with which procuring agencies must conform – and some are more problematic than others.

One of the most significant changes introduced in the 2017 iteration of the GFR is the introduction of a ‘national security exception’. Under these new provisions, Ministries/Departments may be exempted from the requirement of e-procurement and e-publication of tender enquiries and bid awards, which is mandatory as a general rule. This may be permitted

  1. In individual cases where confidentiality is required for reasons of national security, subject to approval by the Secretary of the Ministry/Department with the concurrence of the concerned Financial Advisor [Rule 159(ii)]; and
  2. In individual case[s] where national security and strategic considerations demands confidentiality, after seeking approval of concerned Secretary and with concurrence of Financial Advisors [Rule 160(ii)].

This indicates that the ‘national security exception’ is intended to apply to non-military procurements, expanding the realm of secrecy in procurements far beyond military matters, with direct adverse consequences for the civilian realm of affairs. This is supported by the fact that the procurement of goods for the military is excluded from the scope of the GFR by Rule 146. This rule prescribes that the procurement of goods required on mobilisation and/or during the continuance of military operations shall be regulated by special rules and orders issued by the Government from time to time.

Thus, the acquisition of spyware as a product to enhance India’s cybersecurity posture—which can easily be proved to implicate strategic considerations that demand confidentiality—could be exempted from mandatory obligations of e-procurement through the central portal and e-publication of the tender inquiry as well as the bid award, after approval from the concerned Secretary and/or Financial Advisors. Although the rule also obliges the Finance Ministry to maintain statistical information on cases where such an exemption is granted, and the value of the contract,[4] whether or not such statistics are amenable to public disclosure through Right to Information (RTI) applications remains unclear at the time of writing.

What Implications for the Cybersecurity Industry?

In addition to spyware and malware, we can expect that even legitimate cybersecurity products and services, when procured by Government, could also be caught within the above-mentioned clause exempting an ‘individual case where national security and strategic considerations demands confidentiality’.

Given the current state of India’s information security, the acquisition of legitimate cybersecurity products and services will, and should, be conducted across Ministries, including but not limited to the Ministry of Defence or law enforcement.

The demand and market for cybersecurity products and services in the country is burgeoning. These exceptions could also be invoked by the relevant ministry/department to keep the identity of vendors of cybersecurity products and private sector partners for the development of surveillance and other cyber capabilities outside the public domain.

The invocation of such regulatory provisions to keep details of the vendors of cybersecurity products and service providers confidential may create information asymmetries about the Government’s needs and preferences among private players in the market. This will not be conducive to creating a competitive market for cybersecurity products and services. These asymmetries can then distort the market, with far-reaching implications for the health and growth of the cybersecurity and IT industry at large.

It also militates against the objective of promoting fair competition and transparency in the public procurement process. Adopting the right blend of rules to encourage competition in industry is crucial to fostering a healthy ecosystem for the cybersecurity industry in India, which is still in its infancy.

The Courts will Protect Us?

In other words, through the 2017 amendment of the GFRs, the Government of India’s executive branch gave itself the power to procure goods and services ‘in the interest of national security’ while remaining sheltered from the public gaze. This was the first time such a provision was inserted into the GFR: the language of its 2005, 1963 and 1947 iterations makes no mention of ‘national security’ whatsoever.

It is pertinent to point out that the term ‘national security’ is an extra-constitutional one – it does not occur anywhere in the Constitution of India. Instead, the Constitution refers only to ‘security of the State’ or ‘defence of India’, or ‘sovereignty and integrity of India’. In recent years, the Executive has co-opted the term ‘national security’ as a catch-all phrase to encompass everything from serious threats of cross-border terrorism and acts of foreign aggression, to issues like organised protests which were traditionally considered as falling under ‘public order’ – a category clearly distinguished from ‘security of the State’ as early as 1966 by the Supreme Court of India in Ram Manohar Lohia v. State of Bihar AIR 1966 SC 740.

A more recent order of the Supreme Court, dated December 14, 2018, in Manohar Lal Sharma v. Narendra Damodardas Modi (The Rafale Case) underlines the Court’s reluctance to hold the Executive accountable for procurements and public spending in domains like defence. The Court stated,

We also cannot lose sight of the tender in issue. The tender is not for construction of roads, bridges, et cetera; it is a defence tender for the procurement of aircrafts. The parameters of scrutiny would give far more leeway to the government keeping in mind the nature of the procurement itself.[5]

Additionally, the emergence of the Supreme Court’s “sealed cover” jurisprudence, although recent in its origins, is testament to the growing shadow of secret executive action pervading the judicial sphere with opacity as well. In this context, it is relevant that recent coverage of the award of the “all-India tender” for the provision of a video conferencing platform for the Supreme Court of India does not yet disclose which entity or corporation was awarded this contract.

Coming back to Pegasus, should the aggrieved persons targeted with this spyware seek judicial remedy, Section 123 of the Indian Evidence Act, 1872 prohibits Government officials from providing evidence “derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit.” (emphasis added)

This means that if a case relating to procurements exempted from e-publication is brought before courts, the appropriate authority to give or withhold permission for disclosure to court would be the same Secretary and Financial Advisors who permitted the procurement to be exempted from publication requirements in the first place. Section 124 further prohibits compelled disclosure of official communications made to a Government official in confidence.

And thus, the conspiracy of silence on potentially criminal acts of Government officials could easily escape judicial scrutiny. This will invariably create a challenging situation for individuals impacted by the use of the Pegasus spyware to effectively seek judicial redressal for violation of their right to privacy and hold the government accountable.

Without an explicit acknowledgment from the Government of the fact that the spyware was in fact procured by it, questions on the legality of the procedures that resulted in its targeted deployment against citizens, and on judicial remedies for violations of due process in criminal investigation, remain moot. In their current form, the applicable rules permit the Government to enable secret procurement of goods and services for non-military purposes under the GFR’s ‘national security exception’, and also permit the Government to disallow disclosure of this information in judicial proceedings.

Given the lower level of judicial scrutiny that such procurements will likely be subjected to, the doctrine of checks and balances and the doctrine of separation of powers necessitate that appropriate parliamentary mechanisms be set up to ensure effective oversight over all government procurements. Presently, the legal framework for procurements consists almost exclusively of executive-issued regulations. Constitutionalism requires that no organ of government should be granted or allowed to exercise unfettered discretion, and that each is always held accountable by the other organs of the government.

This is an essential element of the Rule of Law and can only be ensured by way of a Parliamentary enactment on procurement procedures and concomitant disclosure requirements as well as effective Parliamentary oversight mechanisms to enforce accountability on public spending incurred for procurements in the name of national security.


[1] Government Procurement in India: Domestic Regulations and Trade Prospects, CUTS International, October 2012, p. 33, accessible at http://www.cuts-citee.org/pdf/Government-Procurement-in-India_Domestic-Regulations-Trade-Prospects.pdf. CUTS’ analysis draws upon reports and estimates in various reports of the World Bank, Planning Commission of India and the Central Vigilance Commission, along with the Reserve Bank of India’s GDP Data on Macro-Economic Aggregates.

[2] General Financial Rules, 2005, http://finmin.nic.in/the_ministry/dept_expenditure/GFRS/gfr2005.pdf.

[3] Rule 144, General Financial Rules 2017.

[4] Rule 159(ii), General Financial Rules 2017.

[5] Manohar Lal Sharma v. Narendra Damodardas Modi, WP (Crl) 225/2018 etc., at para 9.

A Brief Look at the Tamil Nadu Cyber Security Policy 2020

This post is authored by Sharngan Aravindakshan.

The Tamil Nadu State Government (State Government) released the Tamil Nadu Cyber Security Policy 2020 (TNCS Policy) on September 19, 2020. It has been prepared by the Electronics Corporation of Tamil Nadu (ELCOT), a public sector undertaking which operates under the aegis of the Information Technology Department of the Government of Tamil Nadu. This post takes a brief look at the TNCS Policy and its impact on India’s cybersecurity health.

The TNCS Policy is divided into five chapters –

  1. Outline of Cyber Security Policy;
  2. Security Architecture Framework – Tamil Nadu (SAF-TN);
  3. Best Practices – Governance, Risk Management and Compliance;
  4. Computer Emergency Response Team – Tamil Nadu (CERT-TN); and
  5. Cyber Crisis Management Plan.

Chapter-I, titled ‘Outline of Cyber Security Policy’, contains a preamble which highlights the need for the State Government to have a cyber security policy. Chapter-I also lays out the scope and applicability of the TNCS Policy, which is that it is applicable to ‘government departments and associated agencies’, and covers ‘Information Assets that may include Hardware, Applications and Services provided by these Agencies to other Government Departments, Industry or Citizens’. It also applies to ‘private agencies that are entrusted with State Government work’ (e.g. contractors, etc.), as well as ‘Central Infrastructure and Personnel’ who provide services to the State Government, which is likely a reference to Central Government agencies and personnel.

Notably, the TNCS Policy does not define ‘cyber security’, choosing to define ‘information security management’ (ISM) instead. ISM is defined as involving the “planning, implementation and continuous Security controls and measures to protect the confidentiality, integrity and availability of Information Assets and its associated Information Systems”. Further, it states that Information security management also includes the following elements –

(a) Security Architecture Framework – SAF-TN;

(b) Best Practices for Governance, Risk Management and Compliance (GRC);

(c) Security Operations – SOC-TN;

(d) Incident Management – CERT-TN;

(e) Awareness Training and Capability Building;

(f) Situational awareness and information sharing.

The Information Technology Department, which is the nodal department for IT security in Tamil Nadu, has been assigned several duties with respect to cyber security, including establishing and operating a ‘Cyber Security Architecture for Tamil Nadu’ (CSA-TN) as well as a Security Operations Centre (SOC-TN) and a state Computer Emergency Response Team (CERT-TN). Its other duties include providing safe hosting for Servers, Applications and Data of various Departments/Agencies, advising on government procurement of IT and ITES, conducting training programmes on cyber security as well as formulating cyber security related policies for the State Government. Importantly, the TNCS Policy also mentions the formulation of a ‘recommended statutory framework for ensuring legal backing of the policies’. While prima facie it seems that cyber security will have more Central control than State, given the nature of these documents, any direct conflict is in any case unlikely.

Chapter-II gives a break-up of the Cyber Security Architecture of Tamil Nadu (CSA-TN). The CSA-TN’s constituent components are (a) Security Architecture Framework (SAF-TN), (b) Security Operations Centre (SOC-TN), (c) Cyber Crisis Management Plan (CCMP-TN) and (d) the Computer Emergency Response Team (CERT-TN). It clarifies that the “Architecture” defines the overall scope of authority of the cyber security-related agencies in Tamil Nadu, and also that while the policy will remain consistent, the Architecture will be dynamic to meet evolving technological challenges.

Chapter-III deals with best practices in governance, risk management and compliance, and broadly covers procurement policies, e-mail retention policies, social media policies and password policies for government departments and entities. With respect to procurement policies, it highlights certain objectives, such as building trusted relationships with vendors for improving end-to-end supply chain security visibility and encouraging entities to adopt guidelines for the procurement of trustworthy ICT products. However, the TNCS Policy also specifies that it is not meant to infringe or supersede existing policies such as procurement policies.

On the subject of e-mails, it emphasizes standardizing e-mail retention periods on account of the “need to save space on e-mail server(s)” and the “need to stay in line with Federal and Industry Record e-Keeping Regulations”. E-mail hygiene has proved to be essential especially for government organizations, given that the malware discovered in one of the nuclear facilities situated in Tamil Nadu (nuclear facilities) is believed to have entered the systems through a phishing email. However, surprisingly, other than e-mail retention, the TNCS Policy does not deal with e-mail safety practices. For instance, the Information Security Best Practices released by the Ministry of Home Affairs provides a more comprehensive list of good practices for email communications which includes specific sections on email communications and social engineering. These do not find mention in the TNCS Policy.

On social media policies, the TNCS Policy makes it clear that it prioritizes the ‘online reputation’ of its departments. Employees are advised against reacting online and are instead to pass on such information to the official spokesperson for an appropriate response. The TNCS Policy also counsels proper disclosure where personal information is collected through online social media platforms. Some best practices for safe passwords are also detailed, such as password age (no reuse of any of the last ten passwords, etc.) and length (passwords may be required to have a minimum number of characters, etc.).

Chapter-IV highlights the roles and responsibilities of the Computer Emergency Response Team – Tamil Nadu (CERT-TN). It specifies that CERT-TN is the nodal agency responsible for implementing the Security Architecture Framework, and for monitoring, detecting, assessing and responding to cyber vulnerabilities, cyber threats and incidents, and also for demonstrating cyber resilience. The policy also recognizes that CERT-TN is the statutory body that is authorized to issue directives, guidelines and advisories to government departments. It will also establish, operate and maintain the Information Security Management systems for the State Government.

CERT-TN will also coordinate with the National or State Computer Security Incident Response Teams (CSIRTs), government agencies, law enforcement agencies, and research labs. However, the “Coordination Centre” (CoC) is the designated nodal intermediary between the CERT-TN and governmental departments, CERT-In, State CERTs, etc. under the TNCS Policy. The CoC will also be responsible for monitoring responses to service requests, delivery timelines and other performance related issues for the CERT-TN. The TNCS Policy makes it clear that Incident Handling and Response (IHR) will be as per Standard Operation Process Manuals (prepared by CERT-TN) that will be regularly reviewed and updated. “Criticality of the affected resource” will determine the priority of the incident.

Significantly, Chapter-IV also deals with vulnerability disclosures and states that vulnerabilities in e-Governance services will only be reported to CERT-TN or the respective department if they relate to e-Governance services offered by the Government of Tamil Nadu, and will not be publicly disclosed until a resolution is found. Other vulnerabilities may be disclosed to the respective vendors as well. An upper limit of 30 days is prescribed for resolving reported vulnerabilities. An ‘Incident Reporter’ reporting in good faith will not be penalized “provided he cooperates with the stakeholders in resolving the vulnerability and minimizing the impact”, and the Incident Reporter’s contribution in vulnerability discovery and resolution will be publicly credited by CERT-TN.

Chapter-IV also mandates regular security assessments of the State Government’s departmental assets, a help-desk for reporting cyber incidents, training and awareness both for CERT-TN, as well as by CERT-TN for other departments. Departments will also be graded by “maturity of Cyber Security Practices and Resilience Strength by the Key Performance Indicators”. However, these indicators are not specified in the policy itself.

Chapter-V is titled ‘Cyber Crisis Management Plan’ (CCMP), meant for countering cyber-attacks and cyber terrorism. It envisages establishing a strategic framework and actions to prepare for, respond to, and begin to coordinate recovery from a Cyber-Incident, in the form of guidelines. ‘Detect’(ing) cyber-incidents is noticeably absent in this list of verbs, especially considering the first chapter, which laid emphasis on the CERT-TN’s role in “Monitoring, Detecting, Assessing and Responding” to cyber vulnerabilities and incidents.

In conformity with CERT-In’s Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism, which requires ministries/departments of State governments and Union Territories to draw up their own sectoral Cyber Crisis Management Plans in line with CERT-In’s plan, the TNCS Policy establishes the institutional architecture for implementing such a plan. The TNCS Policy contemplates a ‘Crisis Management Group’ (CMG) for each department, constituted by the Secretary to the Government (Chairman), Heads of all organizations under the administrative control of the department and the Chief Information Security Officers (CISO)/Deputy CISOs within the department. It will be the task of the CMG to prepare a contingency plan in consultation with CERT-In, as well as to coordinate with CERT-In in crisis situations. The TNCS Policy also envisions a ‘Crisis Management Cell’ (CMC), under the supervision of the CMG. The CMC will be constituted by the head of the organization, the CISO, the head of HR/admin and the person in charge of the IT Section. The TNCS Policy also requires each organization to nominate a CISO, preferably a senior officer with adequate IT experience. The CMC’s priority is to prepare a plan that would ensure continuity of operations and speedy restoration of an acceptable level of service.

Observations

The TNCS Policy is a positive step, with a whole-of-government approach towards increasing governmental cyber security at the State government level. However, its applicability is restricted to governmental departments and their suppliers / vendors / contractors. It does not, therefore, view cyber security as a broader ecosystem that requires each of its stakeholders including the public sector, private sector, NGOs, academia, etc. to play a role in the maintenance of its security and recognize their mutual interdependence as a key feature of this domain.

Given the interconnected nature of cyberspace, cyber security cannot be achieved only through securing governmental assets. As both the ITU National Cybersecurity Strategy Guide and the NATO CCDCOE Guidelines recommend, it requires the creation and active participation of an equally robust private industry, and other stakeholders. The TNCS Policy does not concern itself with the private sector at large, beyond private entities working under governmental contracts. It does not set up any initiatives, nor does it create any incentives for its development. It also does not identify any major or prevalent cyber threats, specify budget allocation for implementing the policy or establish R&D initiatives at the state level. No capacity building measures are provided for, beyond CERT-In’s training and awareness programs.

Approaching cyber security as an ecosystem, whose maintenance requires the participation and growth of several stakeholders including the private sector and civil society organisations, and then using a combination of regulation and incentives, may be the better way.

On Cyber Weapons and Chimeras

This post has been authored by Gunjan Chawla and Vagisha Srivastava


“The first thing we do, let’s kill all the lawyers,” says Shakespeare’s Dick the Butcher to Jack Cade, who leads fellow conspirators in the popular rebellion against Henry VI.

The same cliché may as well have been the opening line of Pukhraj Singh’s response to our last piece, which joins his earlier pieces heavily burdened with thinly veiled disdain for lawyers poking their noses into cyber operations. In his eagerness to establish code as law, he omits not only the universal professional courtesy of getting our names right, but also a basic background check on authors he so fervently critiques – only one of whom is in fact a lawyer and the other, an early career technologist.

In this final piece in our series on offensive cyber capabilities, we take exception to Singh’s misrepresentation of our work and hope to redirect the conversation back to the question raised by our first piece: what is the difference between ‘cyber weapons’ and offensive cyber capabilities, if any? Our readers may recall from our first piece in the series, Does India have offensive cyber capabilities, that Lt Gen Pant had, in an interview to Medianama, denied any intent on the part of the Government of India to procure ‘cyber weapons’. However, certain amendments inserted in export control regulations by the DGFT suggested the presence of offensive cyber capabilities in India’s cyber ecosystem. Quoting Thomas Rid from Cyber War Will Not Take Place,

“these conceptual considerations are not introduced here as a scholarly gimmick. Indeed theory shouldn’t be left to scholars; theory needs to become personal knowledge, conceptual tools used to comprehend conflict, to prevail in it, or to prevent it.”

While lawyers and strategists working in the cyber policy domain admittedly still have a lot to learn from those with personal knowledge of the conduct of hostilities in cyberspace, deftly obscured by a labyrinth of regulations and rapidly changing rules of engagement, the question of nomenclature remains an important one. The primary reason for this is that the taxonomy of cyber operations has significant implications for the obligations incumbent on States and State actors under international as well as domestic law.

A chimeral critique

Singh’s most seriously mounted objection in his piece is to our assertion that ‘cyber capabilities’ and ‘cyber operations’ are not synonymous, just as ‘arms’ and ‘armed attack’, or ‘weapons’ and ‘war’ are distinct concepts. However, a wilful misunderstanding of our assertion that cyber capabilities and cyber operations are not interchangeable terms does not foster any deeper understanding of the legal or technical ingredients of a ‘cyber operation’–irrespective of whether it is offensive, defensive or exploitative in intent and design.

The central idea remains, that a capability is wielded with the intent of causing a particular effect (which may or may not be identical to the actual effect resulting from the cyber operation). A recent report by the Belfer Center at Harvard on a ‘National Cyber Power Index’, which views a nation’s cyber power as a function of its intent and capability, also seems to support this position. Certainly, the criteria and methodology of assessment remain open to debate and critique from academics as well as practitioners, and this debate needs to inform our legal position and strategic posture (again, the two are not synonymous) as to the legality of developing offensive cyber capabilities in international as well as domestic law.

Second, in finding at least one of us guilty of a ‘failure of imagination’, Singh steadfastly advocates the view that cyber (intelligence) operators like himself are better off unbounded by legal restraint of their technical prowess, functioning in a Hobbesian (virtual) reality where code is law and technological might makes right. It is thus unsurprising that Singh in what is by his own admission a ‘never to be published manuscript’, seems to favour practices normalized by the United States’ military doctrine, regardless of their dubious legality.

Third, in criticizing lawyers’ use of analogical reasoning—which to Singh, has become ‘the bane of cyber policy’—he conveniently forgets that for those of us who were neither born in the darkness of covert cyber ops, nor moulded by it, analogies are a key tool to understand unfamiliar concepts by drawing upon learnings from more familiar concepts. Indeed, it has even been argued that analogy is the core of human cognition.

Navigating a Taxing Taxonomy

Writing in 2012 with Peter McBurney, Rid postulates that cyber weapons may span a wide spectrum, from generic but low-potential tools to specific high potential weaponry – and may be viewed as a subset of ‘weapons’. In treating cyberweaponry as a subset of conventional weaponry, their underlying assumption is that the (cyber) weapon is being developed and/or deployed with ‘the aim of threatening or causing physical, functional or mental harm to structures, systems or living beings’. This also supports our assertion that intent is a key element to planning and launching a cyber operation, but not for the purposes of classifying a cyber operation as an ‘armed attack’ under international law. However, it is important to mention that Rid considers ‘cyber war’ as an extremely problematic and dangerous concept, one that is far narrower than the concept of ‘cyber weapons’.

Singh laments that without distinguishing between cyber techniques and effects, we fall into ‘a quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese’. He considers the OCOs/DCOs classification too ‘simplistic’ in comparison to the CNA/CND/CNE framework. Even if the technological underpinnings of cyber exploits (for intelligence gathering) and cyber attacks (for damage, disruption and denial) have not changed over the years, as Singh argues—the change in terminology/vocabulary cannot be attributed to ‘ideology’. This change is a function of a complete reorganization and restructuring of the American national security establishment to permit greater agility and freedom of action in rules of hostile engagement by the military in cyberspace.

Unless the law treats cognitive or psychological effects of cyber operations (e.g. those depicted in The Social Dilemma or The Great Hack, or even in doxing classified documents) as harm that is ‘comparable’ to physical damage/destruction, ‘cyber offence’ will not graduate to the status of a ‘cyber weapon’. For the time being, an erasure of the physical/psychological dichotomy appears extremely unlikely. If the Russian and Chinese playbook appears innovative in translating online activity to offline harm, it is because of an obvious conflation between a computer-systems-centric cyber security model and the state-centric information security model that values guarding State secrets above all else, and benefits from denying one’s adversary the luxury of secrecy in State affairs.

The changing legal framework and as a corollary, the plethora of terminologies employed around the conduct of cyber operations by the United States run parallel to the evolving relationship between its intelligence agencies and military institutions.

The US Cyber Command (CYBERCOM) was first created in 2008, but was incubated for a long time by the NSA under a peculiar arrangement established in 2009, whereby the head of the NSA was also the head of US CYBERCOM, with a view to leveraging the vastly superior surveillance capabilities of the NSA at the time. This came to be known as a ‘dual-hat arrangement’, a moniker descriptive of the double role played by the same individual simultaneously heading an intelligence agency as well as a military command. Simply put, cyber infrastructure raised for the purposes of foreign surveillance and espionage was but a stepping stone to building cyber warfare capabilities. Through a presidential memorandum in 2017, President Trump directed the Secretary of Defense to establish US Cyber Command as a Unified Combatant Command, elevating its status from a sub-unit of the US Strategic Command (STRATCOM).

An important aspect of the ‘restructuring’ we refer to is a pair of Presidential directives – one from 2012 and another from 2018. In October 2012, President Obama signed Presidential Policy Directive 20 of 2012 (PPD 20). It was classified as Top Secret at the time, but was leaked by Ellen Nakashima of the Washington Post a month later. The PPD defined US cyber policy, including terms such as ‘Offensive Cyber Effects Operations’ (OCEO) and ‘Defensive Cyber Effects Operations’ (DCEO), and mandated that all cyber operations were to be executed with the explicit authorization of the President. In August 2018, Congress passed a military-authorization bill that delegated the authorization of some cyber operations to the Secretary of Defense. It is relevant that ‘clandestine military activity (covert operations) or operations in cyberspace’ are now considered a traditional military activity under this statute, bringing them under the DoD’s authority. The National Security Presidential Memorandum 13 (NSPM 13) on offensive cyber operations, signed by President Trump around the same time, although not available in the public domain, has reportedly further eased procedural requirements for Presidential approval in certain cyber operations.

Thus, if we overcome apprehensions about the alleged ‘quicksand of lexicon, taxonomies, hypotheses, assumptions and legalese,’ we can appreciate the crucial role played by these many terms in the formulation of clear operational directives. They serve an important role in the conduct of cyber operations by (1) delineating the chain of command for the conduct of military cyber operations for the purposes of domestic law and (2) bringing the conversation on cyber operations outside the don’t-ask-don’t-tell realm of ‘espionage’, enabling lawyers and strategists to opine on their legality and legitimacy, or lack thereof, as military operations for the purposes of international law – much to Singh’s apparent disappointment. To observers more closely acquainted with the US playbook on international law, the inverse is also true, where operational imperatives have necessitated a re-formulation of terms that may convey any sense of illegality or impropriety in military conduct (as opposed to the conduct of intelligence agencies, which is designed for ‘plausible deniability’ in case of an adverse outcome).

We relied on the latest (June 2020) version of JP 1-02 for the current definition of ‘offensive cyber operations’ in American warfighting doctrine. We can look to earlier versions of the DoD Dictionary to trace back the terms relevant to CNOs (including CNA, CNE and CND). This exercise makes it quite apparent that the contemporary terminologies and practices are all rooted in (covert) cyber intelligence operations, which (American) law and policy around cyberspace bends over backwards to accommodate and conceal. That leading scholars have recently sought to frame ‘cyber conflict as an intelligence contest’ further supports this position.

  • 2001 to 2007 – ‘cyber counterintelligence’ as the only relevant military activity in cyberspace (even though a National Military Strategy for Cyberspace Operations existed in 2006)
  • 2008 – US CYBERCOM created as a sub-unit of US STRATCOM
  • 2009 – Dual Hat arrangement between NSA and CYBERCOM
  • 2010 – US CYBERCOM achieves operational capability on May 21; CNA/CNE enter the DoD lexicon
  • 2012 – PPD 20 issued by President Obama
  • 2013 – JP 3-12 published as doctrinal guidance from the DoD to plan, execute and assess cyber operations
  • By 2016 – DoD Dictionary defines ‘cyberspace operations’, DCOs and OCOs (but not cyberspace exploitation), relying on JP 3-12
  • 2018 – NSPM 13 signed by President Trump
  • 2020 – ‘cyberspace attack’, ‘cyberspace capability’, ‘cyberspace defence’, ‘cyberspace exploitation’, ‘cyberspace operations’, ‘cyberspace security’ and ‘cybersecurity’, as well as OCOs/DCOs, are defined terms in the Dictionary

Even as JP 3-12 remains an important document from the standpoint of military operations, reliance on this document is inapposite, even irrelevant for the purposes of agencies responsible for cyber intelligence operations. In fact, JP 3-12 is also not helpful to explain the whys and hows of the evolution in the DoD vocabulary. This is a handy guide to decode the seemingly cryptic numbering of DoD’s Joint Publications.

Waging Cyber War without Cyber ‘Weapons’?

It is relevant to mention that none of the documents referenced above, including JP 3-12, make any mention of the term ‘cyber weapon’. A 2010 memorandum from the Chairman of the Joint Chiefs of Staff, however, clearly identifies CNAs as a form of ‘offensive fire’ – analogous to weapons that are ‘fired’ upon a commander’s order, as well as a key component of Information Operations.

The United States’ Department of Defense in its 2011 Defense Cyberspace Policy Report to Congress acknowledged that “the interconnected nature of cyberspace poses significant challenges for applying some of the legal frameworks developed for physical domains” and observed that “there is currently no international consensus regarding the definition of a cyber weapon”.

A plausible explanation as to why the US Government refrains from using the term ‘cyber weapons’ is found in this report, which highlights certain legal issues in transporting cyber ‘weapons’ across the Internet through infrastructure owned by and/or located in neutral third countries without obtaining the equivalent of ‘overflight rights’, and suggests ‘a principled application of existing norms to be developed along with partners and allies’. A resolution to this legal problem highlighted in the DoD’s report to Congress is visible in the omission of the term ‘cyber weapon’ from legal and policy frameworks altogether, replaced by ‘cyber capabilities’.

We can find the rationale for and implications of this pivot in Professor Michael Schmitt’s 2019 paper, wherein he argues in the context of applicable international law – contrary to the position he espoused in the Tallinn Manual – that ‘cyber capabilities’ cannot meet the definition of a weapon or means of warfare, but that cyber operations may qualify as methods of warfare. This interpretation permits ‘cyber weapons’ in the garb of ‘cyber capabilities’ to circumvent at least three obligations under the Law of Armed Conflict/International Humanitarian Law.

First is the requirement for legal review of weapons under Article 36 of the First Additional Protocol to the Geneva Conventions (an issue Col. Gary Brown has also written about), and second is the obligation to take precautions in attack. Third and most important, the argument that cyber weapons cannot be classified as munitions also has the consequence of depriving neutral States of their sovereign right to refuse permission for the transportation of weapons (or in this case, transmission of weaponised cyber capabilities) through their territory (assuming that this is technically possible).

So, in a sense, if we do not treat offensive cyber capabilities, or ‘cyber weapons’, as analogous in international law to conventional weapons normally associated with armed hostilities, we in effect also restrain the ability of other sovereign States under international law to prevent and prohibit a weaponization of cyberspace, without their consent, for the military purposes of other cyber powers. Col. Gary Brown, whose work Singh seems to nurture a deep admiration for, admits that the first ‘cyber operation’ was conducted by the United States against the Soviet Union in 1982, causing a trans-Siberian pipeline to explode by use of malware implanted in Canadian software acquired by Soviet agents. Since 1982, the US seems to have functioned in single-player mode until Russia’s DDoS attacks on Estonia in 2007, or at the very least, until MOONLIGHT MAZE was uncovered in 1998. For those not inclined to read, Col. Brown makes a fascinating appearance alongside former CIA director Michael Hayden in Alex Gibney’s 2016 documentary ‘Zero Days’, which delves into Stuxnet – an obvious cyber weapon by any standards, which the US ‘plausibly denied’ until 2012.

Turning back to domestic law, the nomenclature is also significant from a public finance perspective. As anecdotal evidence, we can refer to this 2013 Reuters report, which suggests that the US Air Force designated certain cyber capabilities as ‘weapons’ with a view to secure funding from Congress.

From the standpoint of managing public perceptions too, it is apparent that the positive connotations associated with ‘developing cyber capabilities’ make the same activity a lot more palatable, even development-oriented, in the eyes of the general public, as opposed to the inherent negativity associated with, say, the ‘proliferation of cyber weapons’.

Additionally, the legal framework is also important to delineate the geographical scope of the legal authority (or its personal jurisdiction, if you will) vested in the military as opposed to intelligence agencies to conduct cyber operations. For organizational purposes, the role of intelligence would (in theory) be limited to CNE, whereas CNA and CND would be vested in the military. We know from (Pukhraj’s) experience that this distinction is nearly impossible to make in practice, at least until after the fact. This overlap of what are, arguably, artificially created categories of cyber operations raises urgent questions about the scope and extent of authority the law can legitimately vest in our intelligence agencies, over and above the implicit authority of the armed forces to operate in the cyber domain.

Norm Making by Norm Breaking

In addition to understanding who wields offensive cyber capabilities, under what circumstances, it is also important for the law to specify where or against whom they are permitted to do so by law. Although militaries of modern day ‘civilized’ nations are rarely ever deployed domestically, there has been some recent concern over whether the US CYBERCOM could be deployed against American citizens in light of recent protests, just as special forces were. While the CIA has legal authority to operate exclusively beyond the United States, the NSA is not burdened by such constraints and is authorized to operate domestically. Thus, the governance/institutional choices before a State looking to ‘acquire cyber weapons’ or ‘develop (offensive) cyber capabilities’ range from bad to worse. One might either (1) permit its intelligence agencies to engage in activities that resemble warfighting more than they resemble intelligence gathering and risk unintentional escalations internationally or (2) permit its military to engage in intelligence collection domestically, potentially against its own citizens and risk ubiquitous militarization of and surveillance in its domestic cyberspace.

Even as many celebrate the recent Federal court verdict that the mass surveillance programmes of the NSA revealed by Edward Snowden were illegal and unconstitutional, let us not forget that this illegality is found vis-à-vis the use of this programme against American citizens only – not foreign surveillance programmes and cyber operations conducted beyond American soil against foreign nationals. Turning to an international law analysis, it is the US’ refusal to recognize State sovereignty as a binding rule of international law, that enables the operationalization of international surveillance and espionage networks and transmission of weaponized cyber capabilities that routinely violate not only the sovereignty of States, but also the privacy and dignity of targeted individuals (the United States does not accept the extra-territorial applicability of the ICCPR).

The nom de guerre of these transgressions in American doctrine is now ‘persistent engagement’ and ‘defend forward’, popularized by the Cyber Solarium Commission most recently—a cleverly crafted term that brings about no technical changes in the modus operandi, but disguises aggressive cyber intrusions across national borders as ostensible self-defence.

It is also relevant that this particular problem finds a clear mention in the Chinese Foreign Minister’s recent statement on the formulation of Digital Security rules by China. Yet, it is not a practice from which either the US or China plan to desist. Recent revelations about the Chinese firm Zhenhua Data Information Technology Co. by the Indian Express have only served to confirm the expansive, and expanding, cyber intelligence network of the Chinese state.

These practices of extraterritorial surveillance, condemnable as they may be, have nonetheless, shaped the international legal order we find ourselves in today – a testimony to the paradoxical dynamism of international law– not unlike the process of ‘creative destruction’ of cyberspace highlighted by Singh—where a transgression of the norm (by either cyber power) may one day, itself become a norm. What this norm is, or should be still remains open to interpretation, so let’s not rush to kill all the lawyers—not just yet anyway.

CCG’s Comments to the Ministry of Defence on the Defence Acquisition Procedure, 2020

On 28 July 2020, the Ministry of Defence (‘MoD’) uploaded the second draft of the Defence Procurement Procedure 2020 (‘DPP 2020’), now renamed as the ‘Defence Acquisition Procedure 2020’ (‘DAP 2020’) on its website, inviting comments and suggestions from interested stakeholders and the general public.

CCG submitted its comments on the DAP 2020 underscoring its key concerns with this latest iteration of the MoD’s policy for capital acquisitions. The comments were authored by Gunjan Chawla, with inputs and research from Sharngan Aravindakshan and Vagisha Srivastava.

Our comments to the MoD are aimed at:

(1) Highlighting certain points in law and procedure to refine the DAP 2020 and facilitate the building of a more robust regulatory framework for defence acquisitions that contribute to the building of an Aatmanirbhar Bharat (self-reliant India).

(2) Presenting certain legal tools and frameworks that remain at the Ministry’s disposal in this endeavour geared towards a thorough preparation for the defence of India, in tandem with the envisioned goal of the National Cybersecurity Strategy 2020-2025 [currently being formulated by the office of the National Cybersecurity Coordinator (‘NCSC’)] to build a cyber secure nation.

Other than this broader objective of formulating a clear, coherent and comprehensive policy for acquisition of critical technologies to strengthen India’s national security posture, our comments are intended to contribute meaningfully to the building of legal frameworks that enable enhancing the state of cybersecurity in India generally, and the defence establishment and defence industrial base ecosystem specifically.

The comments are divided into five parts.

Part I introduces the scope and ambit of this document. These comments are not a granular evaluation of the merits and demerits of every procedural step to be followed in various categories of defence acquisitions. Here, we broadly trace the evolution of the structure, objectives and salient features of India’s defence procurement and acquisition policies in recent years. The scope of the comments is restricted to those features of the DAP that are most closely related with or have implications for the cybersecurity of the defence establishment. In this regard, we note the omission of Chapter X on ‘Simplified Capital Expenditure Procedure’ from the text of the draft DAP document as a serious error that ought to be rectified at the earliest opportunity.

Part II deals with cybersecurity and information security in the acquisitions process generally, as this is a concern that must be addressed irrespective of the procedural categorisation of a particular acquisition. The inherently sensitive and strategic nature of defence acquisitions demands that processes and procedures be formulated in a manner that prevents any unwarranted leakage of information at premature stages in the acquisition process. Herein, we recommend that:

  1. The DAP 2020 should carefully distinguish between the terms ‘information security’ and ‘cyber security’, and refrain from using them interchangeably in policy documents.
  2. Demand a full disclosure of the history of cyber-attacks, breaches and incidents suffered by the vendor company (and related corporate entities) prior to the signing of the acquisition contract. This should be supplemented with a good faith disclosure of incidents where the cyber infrastructure or assets of the vendor company may have been used, with or without proper authorization, in the conduct of a cyber breach or other incident including attacks or exploits or other violations of digital privacy and human rights.

    As discussed in the comments, this line of inquiry would further India’s adherence to at least three of eleven voluntary, non-binding norms on responsible state behaviour in cyberspace articulated in the 2015 Report of the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the context of International Security.
  3. Designation of online procurement portals as ‘Critical Information Infrastructure’ and/or ‘Protected Systems’ within the meaning of Sections 70 and 70A of the Information Technology Act, 2000.

Part III of the comments focuses on issues in the acquisition of information and communications technologies (ICT) and cyber systems. All suggestions and comments included in this Part are aimed towards ensuring that our vision of  Aatmanirbhar Bharat (self-reliant India) is also a sustainable one.

Key recommendations presented in this part include:

  1. Clearly defining the terminologies used with regard to the ‘cyber domain’ in Chapter VIII, such as ICTs/cyber systems, in order to bring more clarity to the procurement process, as well as the scope and ambit of the DAP document.
  2. In these definitions and classification, distinguishing both ‘cyber weapons’ and ‘cyber physical weapons’ from cyber systems for command and control or C4I2SR, as well as ‘cybersecurity products and services’, which are essential to protect the confidentiality and integrity of sensitive government data across various ministries from external threats.
  3. The MoD should clarify the scope and ambit of the DAP and the DPM and the extent to which they apply to various categories of IT, ICT and cyber systems.
  4. The defence budget dataset should be re-assessed to evaluate the ratio of revenue expenditures to capital expenditure alongside an assessment of the contribution of capital expenditures incurred over the years to capital assets owned by the armed forces and that portion of capital expenditure that is diverted towards maintenance, upkeep and life cycle costs of equipment as per the CBRP model.

Further building on the issues that have been highlighted in the previous sections, Part IV delves into the broader legal and Constitutional framework applicable to procurements generally, and defence acquisitions specifically.

Herein, we propose opening up a discussion on opportunities and challenges in strengthening Parliamentary oversight over the defence acquisitions. Given the huge sums of public funds that are involved in defence acquisitions, ensuring accountability and integrity in these processes is of paramount importance.

We note that the Defence Acquisition Procedure as well as the Defence Procurement Manual are internal guidelines issued by the Ministry of Defence as policy directives to be followed as a matter of the Executive’s internal administration and so far do not enjoy legislative backing through an Act of Parliament. Accordingly, this section presents a brief overview of current processes and mechanisms in this regard, and recommends that:

  1. This defect in the DAP ought to be remedied on a priority basis, drawing on the Constitutional authority vested in Parliament pursuant to Article 246 read with Schedule VII, List I Entry 1 to enact laws ‘for the preparation of defence of India’.

Part V concludes the major findings and recommendations of this submission.

The comments can be accessed here on CCG’s Blog.

What are ‘offensive cyber capabilities’?

By Gunjan Chawla and Vagisha Srivastava

In our previous post, “Does India have offensive cyber capabilities?”, we discussed a recent amendment to the SCOMET list appended to the ITC-HS classification by the Directorate General of Foreign Trade (DGFT). The amendment did not define, but described software for military offensive cyber operations as a term including (but not limited to) software which are designed to destroy, damage, degrade or disrupt systems, equipment and other softwares specified by Category 6 (Munitions), as well as software for cyber reconnaissance and cyber command and control.

In this post, we examine what exactly constitutes ‘offensive cyber capabilities’ (OCCs) and their role in conducting cyber operations with reference to various concepts from US, UK and Australia’s cyber doctrines. We begin by comparing two definitions of ‘cyber capabilities’.

‘Cyber Capabilities’ = ‘Cyber Operations’?

In US military doctrine, a ‘cyberspace capability’ is defined not as human skill in handling tools and software, but as “a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.” (emphasis added)

In contrast, the Australian Strategic Policy Institute (ASPI) in Defining Offensive Cyber Capabilities notes that “In the context of cyber operations, having a capability means possessing the resources, skills, knowledge, operational concepts and procedures to be able to have an effect in cyberspace.” (emphasis added)

The ASPI’s emphasis on resources, skills and knowledge merits special attention. Without skilled personnel to wield such devices or software, offensive cyber operations cannot be mounted successfully. This is an especially important distinction if we are looking to formulate a functional definition relevant to India’s requirements. Our conceptualisation of OCCs must accord priority not only to the acquisition of tools, devices and software developed by other nations, but also to building internal capacity through investment in the creation and dissemination of technical knowledge and skill development.

This view also finds support in the United Kingdom’s articulation of defence ‘cyber capability’. In the UK’s Cyber Primer formulated by the Ministry of Defence, it is acknowledged (see fn 7) that defence cyber capabilities can be a combination of hardware, firmware, software and operator action (emphasis added).

Yet, surprisingly, the ASPI’s concluding definition of OCCs equates offensive capabilities with offensive cyber operations (OCOs), “offensive cyber capabilities are defined as operations in cyberspace to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks.” (emphasis added)

The underlying logic of this equation is perhaps the old adage – the proof of the pudding is in the eating. This means that in ASPI’s conceptualisation, to ‘have’ OCCs would be meaningless, and not entirely credible, if no OCOs are conducted by entities claiming to possess OCCs. However, from a legal standpoint, one cannot say that ‘capabilities’ and ‘operations’ are synonymous any more than one could claim that having ‘arms/ammunitions/weapons’ is synonymous with an ‘armed attack’.

This leads us to an obvious question – what are offensive cyber operations?

Offensive Cyber Operations: Cyber Attacks (or Exploits) by Another Name?

In the United States’ military doctrine, Offensive Cyber Operations (OCOs) are understood to be operations that are “intended to project power by application of force in or through cyberspace.”

This definition of OCOs is also reiterated in the March 2020 report of the Cyberspace Solarium Commission (CSC). The CSC was constituted last year by the US Congress under the John S. McCain National Defense Authorization Act, 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences” and presented its report to the public on 11 March 2020.

Over the years, US military doctrine and the strategy documents of the Department of Defense (DoD) have used a variety of terms to classify categories of cyber operations. In 2006, the DoD preferred the broader term ‘Computer Network Operations’ (CNOs) to ‘cyber attacks’, as seen in its National Military Strategy for Cyberspace Operations. CNOs were classified into computer network attacks (CNAs), computer network defense (CND) and computer network exploitation (CNE).

More recent documents have dropped the use of the term ‘CNO’ and exhibit a preference for ‘cyberspace operations’ or ‘cyber operations’ instead. The US DoD Dictionary of Military and Associated Terms defines ‘cyberspace operations’ as ‘[t]he employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace’.

Yet, in spite of the multiplicity of terms employed, offensive cyber capabilities can be categorised broadly, as the ability to conduct a cyber attack or cyber exploitation. Although similar, it is important to distinguish cyber attacks from cyber exploitations. Herbert Lin has observed that “[t]he primary technical difference between cyber attack and cyber exploitation is in the nature of the payload to be executed—a cyber attack payload is destructive whereas a cyber exploitation payload acquires information nondestructively”.

Indeed, the US DoD Dictionary defines ‘cyberspace attacks’ and ‘cyberspace exploitation’ separately. ‘Cyberspace attacks’ are actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and are considered a form of fire. In contrast, ‘cyberspace exploitation’ refers to ‘actions taken in cyberspace to gain intelligence, maneuver, collect information, or perform other enabling actions required to prepare for future military operations’.

A definition of OCOs similar to the US’ conceptualisation can also be found in the UK Cyber Primer. This Primer defines OCOs as “activities that project power to achieve military objectives in, or through, cyberspace”.

The UK envisions OCOs as one of four non-discrete categories within the broader term ‘cyber operations’ that can be used to inflict temporary or permanent effects that reduce an adversary’s confidence in networks or capabilities.  Such action can support deterrence by communicating intent or threats. These four categories are, namely, (1) defensive cyber operations; (2) offensive cyber operations; (3) cyber intelligence, surveillance and reconnaissance; and (4) cyber operational preparation of the environment.

Thus, we can infer from a combined reading of all these definitions that

  1. cyber capabilities and cyber operations are not synonymous, but
  2. cyber capabilities (both the technological tools, as well as the human skill elements) are a prerequisite to conducting OCOs, which may be intended to either –
    • ‘project power through the application of force’ (US) or
    • ‘achieve military objectives’ (UK) or
    • ‘manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks’ (ASPI) or
    • ‘destroy, damage, degrade or disrupt systems, equipment and other softwares’ (India’s DGFT) – in or through cyberspace.

A one trick pony?

In order to execute an offensive cyber operation, the tools (or capabilities) used could range from simple malware, viruses, phishing attacks, ransomware and denial of service attacks to more sophisticated and specially built software. But these tools would be futile if not for the existence of vulnerabilities in the system being attacked that enable the exploit.

From the standpoint of conducting an offensive cyber operation (whether an attack or exploit), one would necessarily require:

  1. Cyber capabilities (technical tools and software) to exploit a pre-existing vulnerability, or to introduce a new vulnerability into the targeted system
  2. A specific intent (i.e. specific orders or directions to meet a particular, specified military or strategic objective in or through cyberspace)
  3. A person/organization/entity/State identified as the target (i.e. an intended target)
  4. Planning and clearly defining the expected consequences of the attack (i.e. the intended effects)

The presence or absence of any of these factors would heavily determine the likelihood of the success of a cyber attack or exploit. Often, the actual outcome of a cyber attack is different from the intended outcome. As one cyber intelligence analyst puts it, “Any cyber operator worth her salt knows that even mission-driven, militaristic hacking thrives under great, terrifying ambiguity.”

Additionally, while the tools used are time-consuming to produce, they are rendered useless after deploying an attack. In most cases, this is because operators of the system being attacked will ensure the application of security patches to close known vulnerabilities in the aftermath of a cyber attack. For this reason, OCCs, especially those that have been ‘specially designed or modified for use in military offensive cyber operations’, once deployed, have extremely limited to negligible potential for re-use or re-deployment, especially against the same target. However, without sufficient emphasis on and investment in human skills and capabilities, the effectiveness of the available technical tools would also suffer in the long run.

A ‘digital strike’ to start a ‘cyber war’?

The deployment of cyber capabilities in an OCO must cause actual physical damage comparable in scale and effects to that of a conventional, kinetic attack to be termed as an ‘armed attack’ or an unlawful ‘use of force’ in international law. Although some of the attacks or exploitations in cyberspace could result in physical damage akin to damage caused by a traditional kinetic attack, most don’t.

Drawing from a list of significant cyber incidents recorded by the Center for Strategic and International Studies (CSIS), we can observe that very few attacks carried out in the past had the potential to lead to casualties. Scholars still disagree if all these cyber incidents could be termed as ‘a use of force’ or ‘a tool of coercion’ in international law.

However, it is interesting to note that the intent of the perpetrator of a cyber attack, a crucial element that is baked into American definitions of OCOs, is conspicuously missing from the international law analyses used to classify cyber attacks as a ‘use of force’ or ‘armed attack’, which rely largely on the scale and effects (actual, not intended) of the cyber attack (see Tallinn Manual 2.0, Rules 69 and 71). The omission of any reference to human skill or judgment in the US’ definition of cyber capabilities, too, provides additional insulation from inquiries into the actual intent of the perpetrator of a cyber attack.

At this point in time it is difficult to conceptualize a ‘war’ that is waged exclusively in cyberspace and does not manifest physical effects or spill over into other domains—not just air, land and sea, but also the economy. For this very reason, i.e. the interconnection of cyberspace with the other domains in which conflict over competing interests manifests, OCCs provide States a strategic military advantage by strengthening the effectiveness of conventional means and methods of warfare and streamlining military communications. However, the increasing dependence of the Government, critical infrastructure as well as businesses on the internet in the networked economy necessarily implies that a failure to develop or acquire cyber capabilities will make regular economic losses and disruptions by way of cyber attacks inevitable.

This leads us to another question worth considering in the context of State hostilities in cyberspace—whether economic losses occasioned by cyber attacks can be considered as a factor in determining whether their scale and effects are comparable to those of a kinetic armed attack.

Both cyber attacks and cyber exploitations hold the potential to cause economic losses to the State under attack. Today it is common knowledge that the notorious WannaCry and NotPetya attacks resulted in losses totalling billions of dollars. Attacks on financial systems, commercial software, platforms or applications that generate economic value, or civilian infrastructure linked closely with the state economy could all fall under this risk. Such attacks can also substantially slow down State functions if the chaos generated within cyber systems spills over into the physical realm.

We must also remember, that any response to this question cuts both ways – if India – or any other nation – wishes to treat economic losses caused by hostile States and other actors in cyberspace as indicative of an unlawful ‘use of force’ or an ‘armed attack’ in cyberspace, we must also be prepared to have our adversaries draw similar conclusions regarding economic losses inflicted upon them, and anticipate retaliatory action.

Given the massive risks to the economy associated with a high incidence of cyber attacks, it would be interesting to observe what direction the debate on offensive cyber capabilities takes with the release of the National Cyber Security Strategy 2020. With India’s cyber ecosystem under development, both the cyber offence and cyber defence capabilities are of immense strategic value and merit a deeper exploration and stricter scrutiny by policymakers.

This question lingers as an especially intriguing one, as the amendments to Appendix III of the ITC-HS classification referred to in our last post have now been taken down from the website of the Directorate General of Foreign Trade, only to be replaced by a sanitized version of the SCOMET list amended on 11.06.2020 – one that includes no reference to ‘military offensive cyber operations’ or even ‘cyber’ simpliciter. Even the reference to ‘intrusion software’ under head 8E401 has now been omitted. The version of the SCOMET list that we relied on for our previous post is no longer available on the DGFT website, but interested researchers can download it here on CCG’s Blog.

Does India have offensive cyber capabilities?


By Gunjan Chawla

While we await the release of the much-anticipated National Cyber Security Strategy 2020 (NCSS), a very significant development in the domestic regulation of foreign trade – an amendment quietly inserted by the Directorate General of Foreign Trade (DGFT) on 11.06.2020 – contains a strong indication of the direction we can expect the NCSS document to take.

The Foreign Trade Policy (FTP) is formulated and notified by the DGFT under the statutory authorization provided by Section 5 of the Foreign Trade (Development and Regulation) Act, 1992. The FTP regulates, among many other things, the import and export of certain types of technologies. It also gives effect to India’s obligations under international export control agreements like the Wassenaar Arrangement.

The latest FTP was formulated for the period of 2015-2020, and last revised in December 2017. The FTP is published in three parts – (i) the Policy Document (ii) Handbook of Procedures and (iii) the ITC-HS Classification.

The Indian Trade Classification based on Harmonized System of Coding, better known as the ITC-HS classification system uses eight digit codes to describe and categorize items subject to regulation. Schedule I of the ITC-HS deals with import policy, while Schedule II of the ITC-HS describes the rules and regulations related to export policies.

Appendix III to Schedule II contains a descriptive list for the category of SCOMET (Special Chemicals, Organisms, Materials, Equipment and Technology). The SCOMET list itemises goods, services and technologies used for civilian and military applications, including some ‘dual-use items’, for export control regulation.

Category 6 of the SCOMET list is the Munitions list, while Category 8 relates to “Special Materials and Related Equipment, Material Processing, Electronics, Computers, Telecommunications, Information Security, Sensors and Lasers, Navigation and Avionics, Marine, Aerospace and Propulsion”.

Under 6A021, which falls under the Munitions list, “software” subject to export control regulations is now defined to include,

“Software” specially designed or modified for the conduct of military offensive cyber operations;

Note 1 6A021.b.5. includes “software” designed to destroy, damage, degrade or disrupt systems, equipment or “software”, specified by Category 6, cyber reconnaissance and cyber command and control “software”, therefor.

Note 2 6A021.b.5. does not apply to “vulnerability disclosure” or to “cyber incident response”, limited to non-military defensive cybersecurity readiness or response.

Note 2 under 6A021 appears as a welcome relief to the information security research community by keeping vulnerability disclosures beyond the purview of export control regulations. However, it is relevant to mention that “vulnerability disclosures” and “cyber incident response” had already been excluded from the purview of export control restrictions in an earlier amendment to the SCOMET list on 03.07.2018. That exception appears not under category 6, but under category 8, as an exception to head 8E401 Computers (Technology). Therefore, the exception carved out under 6A021 by the 11.06.2020 amendment is a mere reiteration of the exception already contained under 8E401, inserted by the amendment of 03.07.2018, which reads as follows:

c. “Technology” for the “development” of “intrusion software”.

Note 1: 8E401.a and 8E401.c do not apply to ‘vulnerability disclosure’ or ‘cyber incident response’.

Note 2: Note 1 does not diminish national authorities’ rights to ascertain compliance with 8E401.a and 8E401.c.

Technical Notes:

1. ‘Vulnerability disclosure’ means the process of identifying, reporting, or communicating a vulnerability to, or analysing a vulnerability with, individuals or organizations responsible for conducting or coordinating remediation for the purpose of resolving the vulnerability.

2. ‘Cyber incident response’ means the process of exchanging necessary information on a cyber security incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident.

Therefore, our export control regulations may have been cognizant of and sensitive to the need for ensuring free flow of data and information with regards to vulnerability disclosures and cyber incident response systems since 2018. It is also relevant to mention that the previous version of this list dated 24.04.2017 made no references whatsoever to ‘cyber incident response’ or ‘vulnerability disclosure’.

The June 2020 amendment to the SCOMET list is a highly significant development, as this is the first official document in the broader ecosystem of tech regulation in India that strongly suggests the existence of offensive cyber capabilities specially designed for military use.

MeitY had made a passing reference to “offensive cyber” in a draft report authored by one of four Committees constituted in February 2018 for the promotion of AI and the development of a regulatory framework. The Report of Group D, the Committee on Cyber Security, Safety, Legal and Ethical Issues, briefly speaks of “defensive and offensive AI techniques”. However, this report contained recommendations that do not carry the force of law. In contrast, the DGFT’s latest amendment to the SCOMET list has the effect of subjecting the export of such technologies to strict regulatory control by the Government.

This regulatory development stands in contrast to the response of National Cyber Security Coordinator Lt. Gen. Pant in an interview to Medianama on 2 June 2020, only a few days before the date of this amendment to the SCOMET list:

MediaNama: In terms of follow-up to hardware and software procurement, does India procure any software as cyber weapons? Is there a process to import or export them? There has been a discussion at the Open-ended Working Group [OEWG] at the UN regarding global procurement of cyber weapons. What is India’s position, policy on procurement of cyber weapons?

Lt General Pant: No, no. I don’t think anyone will be speaking of cyber weapons, sale or anything like that.

It now remains to be seen whether the National Cyber Security Strategy, yet to be released, will officially acknowledge the existence of ‘offensive cyber capabilities’, if not ‘cyber weapons’ within India’s cyber ecosystem.

Technology and National Security Law and Policy: Seminar Course Curriculum [February-June 2020]

Given the rapidly evolving landscape of international security issues and the challenges and opportunities presented by new and emerging technologies, Indian lawyers and policymakers need to acquire the capacity to engage effectively with national security law and policy. However, curricula in Indian law schools do not engage adequately with issues of national security. National security threats, balance of power, issues of secrecy and political accountability, terrorism and surveillance laws tend to be discussed in a piecemeal manner within various courses or electives.

To fill this knowledge gap within the legal community, the Centre for Communication Governance at National Law University Delhi (CCG-NLU) offered this seminar course to fourth and fifth-year students of the B.A. LL.B. (Hons.) Programme during February-June 2020.

The course explores interdisciplinary approaches in the study of national security law and policy, with a particular focus on issues in cybersecurity and cyberwarfare. Through this course curriculum, we aim to (1) recognize and develop National Security Law as a discrete discipline of legal studies, and (2) impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The curriculum is split into six modules taught over a period of 12 weeks:

  • Module I: Unpacking ‘National Security’
  • Module II: Introduction to Strategic Thinking – Linking Law and Policy
  • Module III: National Security in the Domestic Sphere
  • Module IV: War and National Security in International Law
  • Module V: Cybersecurity, Cyberwarfare and International Law
  • Module VI: Cybersecurity in India

The course outline and reading list can be accessed here:

The Architecture of Cybersecurity Institutions in India

This is an edited excerpt of Part IV and Annexure ‘B’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.

This consolidated organogram is a depiction of cyber security institutions in India as an inter-ministerial and inter-departmental ecosystem. Different ministries and departments are in charge of different aspects of national security in general and cyber security in particular.

The National Security Advisor (NSA) holds a rank equivalent to a Cabinet Minister, is in charge of the National Security Council Secretariat (NSCS) and is the apex officer on matters relating to national security. The NSA is also in charge of the National Technical Research Organization (NTRO), which is a technical intelligence agency under the Prime Minister’s Office (PMO). The National Critical Information Infrastructure Protection Centre (NCIIPC) was established under Section 70A of the Information Technology Act, 2000 and functions as a unit of the NTRO.

The National Cyber Security Coordinator (NCSC) is the nodal officer for issues related to cybersecurity, functioning under the PMO alongside the NSCS to coordinate with different agencies like CERT-In at the national level.

Our research reveals that the Ministry of Communications, Ministry of Electronics and Information Technology (MeitY), Ministry of Home Affairs (MHA), Ministry of Defence (MoD) and the Ministry of External Affairs (MEA) are most relevant to the establishment, operation and maintenance of the technical and administrative ecosystem that enables cybersecurity. The departmental structure of each of these Ministries is outlined below.


Ministry of Communications

The Ministry of Communications consists of two Departments – (i) Department of Telecommunications (DoT) and the (ii) Department of Posts.

The DoT deals with (a) issues of policy, licensing and coordination matters relating to telegraphs, telephones, wireless, data, facsimile and telematic services and other like forms of communications, (b) standardization, research and development in telecommunications, (c) procurement of stores and equipment required by the Department of Telecommunications and (d) administration of laws including the Indian Telegraph Act, 1885 (13 of 1885), the Indian Wireless Telegraphy Act, 1933 (17 of 1933), the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), among others. Within its ambit is also the Digital Communications Commission, which is responsible for implementing the Government’s telecom policy in all matters relating to telecommunication.

Ministry of Electronics and Information Technology

The Ministry of Electronics and Information Technology (MeitY) deals with all policy matters relating to information technology, electronics and the internet (barring issues relating to licensing of Internet Service Providers, which fall within the mandate of the DoT). Its major functions include (a) the administration of matters relating to cyber laws including the Information Technology Act, 2000, (b) promotion of standardization, testing and quality in IT and standardization of procedure for IT applications and tasks and (c) digital initiatives including Digital India, among others.

Significantly, the Indian Computer Emergency Response Team (CERT-In) as well as the Unique Identification Authority of India (UIDAI) are both within its ambit. The Cyber Swacchta Kendra (Botnet Cleaning and Malware Analysis Center) functions under CERT-In.

Ministry of Home Affairs

The Ministry of Home Affairs (MHA) discharges multifarious responsibilities, the important among them being – internal security, border management, Centre-State relations, administration of Union Territories, management of Central Armed Police Forces, disaster management, etc. The MHA continuously monitors the internal security situation, issues appropriate advisories, shares intelligence inputs, extends manpower and financial support, guidance and expertise to the State Governments for maintenance of security, peace and harmony.

Among others, the MHA’s Cyber and Information Security Division (consisting of the Cyber Crime Wing, Cyber Security Wing and Monitoring Unit) as well as some wings of the Department of Internal Security including the Modernization Division of the Police and the Counter Terrorism and Counter Radicalization Division have particular relevance to cyber security.

The Indian Cyber Crime Coordination Centre (I4C) was established as a scheme in 2018 to combat cyber crime in a coordinated and effective manner.

Ministry of Defence

The MoD comprises four Departments – Department of Defence (DOD), Department of Defence Production (DDP), Defence Research & Development Organisation (DRDO) and Department of Ex-Servicemen Welfare – and also a Finance Division.

A new Department of Military Affairs has been created recently, and is headed by the Chief of Defence Staff, General Bipin Rawat. Departments that have particular relevance to cybersecurity, including the newly established Defence Cyber Agency are highlighted.

Ministry of External Affairs

The Ministry of External Affairs (MEA) is responsible for all matters relating to India’s external affairs including consular functions. Departments / activities that have relevance to cybersecurity are highlighted in purple, including international security, counter terrorism and others. The New Emerging and Strategic Technologies (NEST) Division was recently set up as the nodal point for all matters connected to new and emerging technologies including exchange of views with foreign governments and coordination with domestic ministries and departments. News reports indicate that a major restructuring of the MEA is in the offing.

India’s Cybersecurity Budget FY 2013-14 to FY 2019-20: Analysis of Budgetary Allocations for Cybersecurity and Related Activities

This is an edited excerpt of Part V and Annexure ‘C’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.

Note on Research Methodology

CCG compiled the data on allocations (budgeted and revised) and actual expenditure from the Demands for Grants of Ministries as approved by Parliament and presented in the Annual Expenditure Budget of various ministries and their respective departments which are related to cybersecurity from FY 2013-17 to FY 2019-20.

The departments have been identified from publicly available information represented in the organograms presented as Annexure ‘B’. We understand a ‘relevant department’ to mean those departments which are either directly related to cybersecurity and/or support the functioning of the technical and security aspects of internet governance at large.

We have then identified those budget heads under the Union Budgets for FY 2013-14 through FY 2019-2020 which correspond most closely to the departments identified and highlighted in Annexure ‘B’, to calculate the total allocation to ministries for cybersecurity-related activities. We then analyse this data under four broad categories:

(I) Department Wise Allocation: The departments that are directly related to the expenditure for cybersecurity are calculated under this heading. Various expenditures under Ministry of Electronics and Information Technology (MEITY), Department of Telecommunication (DOT), and Ministry of Home Affairs are tabulated for this.

Under MeitY, we have included the budget heads for

  1. Computer Emergency Response Team (CERT-IN),
  2. Centre for Development of Advanced Computing (C-DAC),
  3. Centre for Materials for Electronics and IT (C-MET),
  4. Society for Applied Microwave Electronics Engineering and Research (SAMEER),
  5. Standardization Testing and Quality Certification (STQC),
  6. Controller of Certifying Authorities (CCA),
  7. Foreign Trade and Export Promotion, and
  8. Certain components of the Digital India Initiative, namely:
  • Manpower Development,
  • National Knowledge Network,
  • Promotion of electronics and IT HW manufacturing,
  • Cybersecurity projects (which includes National Cyber Coordination centre and others),
  • Research and Development in Electronics/IT,
  • Promotion of IT/ITeS industries,
  • Promotion of Digital Payment, and
  • Pradhan Mantri Digital Saksharta Abhiyan (PMGDISHA).

Under Ministry of Communication, our focus was only on the Department of Telecommunication. We considered the budget allocated to the following, to come up with the total Department budget. These heads are:

  1. Telecom Regulatory Authority of India (TRAI),
  2. Human Resource Management under National Institute of Communication Finance,
  3. Wireless Planning and Coordination,
  4. Telecom Engineering Centre,
  5. Technology Development and Investment Promotion,
  6. South Asia Sub-Regional Economic Cooperation (SASEC) under Information Highway Project,
  7. Telecom Testing and Security Certification Centre,
  8. Telecom Computer Emergency Response Team,
  9. Central Equipments Identity Register (CEIR),
  10. 5G Connectivity Test Bed,
  11. Promotion of Innovation and Incubation of Future Technologies for Telecom Sector,
  12. Centre for Development of Telematics (C-DoT), and
  13. Labour, Employment and Skill Development.

Under Ministry of Home Affairs, the funds allocated for the following budget heads have been included:

  1. Education, Training and Research purposes,
  2. Criminology and Forensic Science,
  3. Modernisation of Police Forces and Crime and Criminal Tracking Network and Systems (CCTNS),
  4. Indian Cyber Crime Coordination Centre, and
  5. Technical and Economic Cooperation with Other Countries.

All these budget heads were tabulated to come up with the total for department wise allocation. Along with departments mentioned under ‘Supporting Departments’, all these departments were again classified on the basis of their functions and activities, and analysed under (III).

(II) Supporting Department Wise Allocation: While certain expenditures of the Ministry of Defence, Ministry of External Affairs, Department of Telecommunication, and Ministry of Home Affairs can potentially be used for cybersecurity-related activities, it is not possible to infer from the Demands for Grants the share of cyber in the total allocation; we have therefore treated them as ‘allocations to supporting departments’. In this data, the total funds indicated may not be directly related to cybersecurity efforts, but they contribute towards the larger security and governance framework, which enables the creation of a secure ecosystem for cyber. These headings are tabulated under this section.

Under Ministry of Defence, the following heads were considered to contribute towards the larger security and governance framework in cyberspace:

  1. Navy/Joint Staff,
  2. Ordnance Factories R&D,
  3. Research and Development, including the Research and Development component of R&D head,
  4. Capital Outlay on R&D, and
  5. Technology Development and Assistance for Prototype Development under Make Procedure

Under Ministry of External Affairs, we considered the following heads as important contributors:

  1. The Special Diplomatic Expenditure,
  2. Expenditure for International Cooperation,
  3. Expenditure for Technical and Economic Cooperation with other Countries, and
  4. Other Expenditure of Ministry

Under Department of Telecommunication again, there were several heads that we considered not to be directly related to cybersecurity, but they did significantly contribute towards it. These include allocations for

  1. Defence Spectrum,
  2. Capital Outlay on Telecommunication and Electronic Industries,
  3. Capital Outlay on Other Communication Services, and
  4. Universal Service Obligation Fund (USOF)

Under Ministry of Home Affairs, the departments that are involved with defence and intelligence along with law enforcement are important to be considered for cybersecurity. Thus we included the allocations for

  1. Intelligence Bureau,
  2. NATGRID,
  3. Delhi Police, and
  4. Capital Outlay on Police.

(III) Activity Wise Allocation: For further analysis, we have categorized the expenditures mentioned in Department Wise Allocation into five categories, each of which have been identified as constituent elements of the three Pillars of Strategy namely:

  1. Human Resource Development Component (Strengthen)
  2. Technical Research & Development Component, Capacity Building (Strengthen/Synergize)
  3. International Cooperation and Investment Promotion Component (Secure/Synergise)
  4. Standardisation, Quality Testing and Certification Component (Strengthen)
  5. Active Cyber Incident Response/ Defence Operations and Security Component (Secure/Strengthen)

The total for these are calculated to identify if any trends or patterns emerge in expenditure by the ministries. Apart from the ministries covered in classifications (I) and (II), we have also included budgets of two other heads/departments. Namely, these are (i) the allocation towards corporate data management under the authority of the Ministry of Corporate Affairs, which has been included in category (5) indicated above and (ii) the allocation towards technical and economic cooperation with other countries for the Department of Economic Affairs under the Ministry of Finance, which has been included in category (3) indicated above.

(IV) Ministries’ share over Financial Year: The total value tabulated in Department wise allocation and supporting department wise allocation for the ministries is then used to calculate the share of budget allocated to Cyber Security and related activities with respect to the total budget allocation of ministries. The ministries taken into account, which contribute significantly to Cyber Security and related activities, are:

  1. Department of Telecommunication (under the Ministry of Communications),
  2. Ministry of Defence,
  3. Ministry of External Affairs,
  4. Ministry of Electronics and Information Technology,
  5. Ministry of Home Affairs, and
  6. Department of Science and Technology (under the Ministry of Science and Technology).

Ministry-wise Allocations and Expenditure on Cybersecurity and Related Activities FY 2013-14 to FY 2019-20

Figure 9 depicts actual expenditure (from FY 2013-14 to FY 2017-18), the Revised Expenditure (RE) for FY 2018-19 and Budgeted Expenditure for FY 2019-20. With the exception of FY 2016-17, we can see a clear trend of increasing allocations for expenditure towards cyber-security related activities, especially for the DoT. It is relevant to point out that this representation also includes the expenditure on Departments playing a supporting role in cybersecurity activities, such as the IDS/Joint Staff and R&D under the Ministry of Defence (MoD) as well as the MEA’s expenditure on international technical cooperation. As the expenditure incurred on cybersecurity related activities alone cannot be inferred from these budget heads, they have been treated as Departments playing a supporting role for cybersecurity efforts and included in overall expenditure.

Figure 9: Ministry-wise Total Expenditure on Cybersecurity and Related Activities
FY 2013-14 to FY 2019-20

Figure 10 is a narrower subset of the expenses indicated in Figure 9. It represents the allocations to Departments in Ministries that have been entrusted with core activities that contribute towards cybersecurity operations, R&D, e-Governance and internet governance at large. These include, to name a few, the promotion of electronics and IT hardware manufacturing and other initiatives such as Digital India, C-DAC, NCCC and other similar programmes under MeitY, TRAI, C-DoT and the 5G test bed under the authority of the DoT and MHA’s expenses towards modernization of police forces, forensics, and initiatives such as the Indian Cyber Crime Coordination Centre.

Figure 10 reveals an immediate upsurge in such allocations in the time period during and immediately after the formulation of the National Cyber Security Policy 2013, after which the allocations begin to dwindle in FY 2014-15. We can also note that with the exception of FY 2015-16 actual expenditure is consistently lower than the Budgeted Expenditure allocated to all these Ministries for cybersecurity related activities.

Figure 10: Ministry-wise Total Expenditure on Cybersecurity and Related Activities
FY 2013-14 to FY 2019-20

It is interesting to note that if we convert the absolute figures represented in Figure 10 into percentages, and represent the same data set as such, it reveals a remarkable consistency and a clear pattern emerges in burden-sharing between these three Ministries (MHA, MeitY and DoT under the Ministry of Communications).

Figure 11 depicts the same allocations indicated as absolute figures in Figure 10 as percentages of the total expenditure on core cybersecurity activities. It is clear that the MHA consistently bears the bulk of expenses on cyber security related activities, clearly with an emphasis on cyber crimes. The remaining half seems to be divided between MeitY and DoT more or less equally. FY 2015-16 allocations and actual expenditure in FY 2014-15 are the only exceptions to this equal distribution.

Figure 11: Ministry-wise Total Allocation for Cybersecurity and Related Activities
FY 2013-14 to FY 2019-20

Activity-wise Allocation and Expenditure on Cybersecurity

To further analyse how these budgetary allocations are being utilized, we have re-categorized the expenditures mentioned in Department/Ministry wise allocation into five categories, each of which have been identified as constituent elements of the three Pillars of Strategy namely:

  1. Human Resource Development Component (Strengthen)
  2. Technical Research and Development Component, Capacity Building (Strengthen/Synergize)
  3. International Cooperation and Investment Promotion Component (Secure/Synergise)
  4. Standardization, Quality Testing and Certification Component (Strengthen)
  5. Active Cyber Incident Response/ Cyber Defence Operations and Security Component (Secure/Strengthen)

The total expenses incurred for these allocations are calculated to identify if any trends or patterns emerge to identify which activities are being prioritized according to the actual expenditure incurred by the relevant ministries. It is important to note that none of these categories include any expenses earmarked for cyber defence operations under the MoD, as the budget heads do not permit drawing such an inference in its current format.

In this reclassification, we have included one budget head each for two other Departments that do not figure in the data represented in Figures 9, 10 or 11. Namely, these are (a) the allocation towards corporate data management under the authority of the Ministry of Corporate Affairs, which has been included in category (5) indicated above and (b) the allocation towards technical and economic cooperation with other countries for the Department of Economic Affairs under the Ministry of Finance, which has been included in category (3) indicated above.

Figure 12 represents activity-wise trends in these Ministries’ actual expenditure. The figures for FY 2018-19 and FY 2019-20 represent the RE and BE for those years, respectively. It is not surprising that the expenditure on international cooperation and investment promotion towers over all other activities, as the allocated expenses would contribute to overall cooperation efforts at the international level and the promotion of investment broadly, and not only cybersecurity. Nonetheless, these are crucial contributions to enhancing India’s cybersecurity posture at home and abroad. For a clearer analysis, we remove the indicator for expenses towards international cooperation and investment promotion in Figure 13.

Figure 12: Activity-wise Expenditure for Cyber Security FY 2013-14 to FY 2019-20
Figure 13: Activity-wise Expenditure for Cybersecurity FY 2013-14 to FY 2019-20 (excluding international cooperation and investment promotion)

From Figure 13, we can clearly infer which of the four activities at the core of the Government’s cybersecurity efforts are being prioritized in terms of allocation of budgetary resources. Clearly, emphasis on equipment testing and certification needs to be sharpened. There is an apparent tension between the funds that are made available for active cybersecurity operations and programmes on the one hand, and investments in human resource development on the other.

We submit that in both these areas, the Government must look to the private sector to create synergies and supplement the financial resources available for these particular activities. We also recommend that the expenditure earmarked for quality testing, development of technical standards and certification should be increased, and accorded greater priority than before.

Share of Ministries’ Budget Allocated to Cybersecurity and Related Activities

If we try to contextualize the utilization of funds made available for cybersecurity-related activities against the total allocations to relevant Ministries, there is no identifiable trend in the expenditure patterns of the MEA, MeitY and DoT. Figure 14 represents the total expenditure on cybersecurity-related activities as a percentage of the total expenses allocated to the relevant Ministry. The priority accorded to cybersecurity-related activities, measured by the share of financial resources diverted towards this area, appears to fluctuate over time. The contribution of the Department of Science and Technology towards R&D in cybersecurity has been consistently low, almost negligible. This has only changed with the establishment of the National Mission on Interdisciplinary Cyber Physical Systems in FY 2018-19. MHA’s share of expenditure on cybersecurity activities appears relatively more consistent, and could potentially be leveraged to create synergies for the rationalization of expenditure across Ministries.

Figure 14: Share of Cybersecurity-related Activities in Total Budget Allocated to Ministries

Budget for NCSS 2020?

In anticipation of the National Cyber Security Strategy 2020 expected to be released soon, we will be closely monitoring the Union Budget for FY 2020-21 for fresh allocations to the relevant departments indicated in our analysis. We will also be on the lookout for fresh allocations that may be relevant to various components of the NCSS 2020. Watch this space for more on India’s Cybersecurity Budget 2020, coming soon!

CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020

The Centre for Communication Governance at the National Law University Delhi (CCG) is grateful to the National Security Council Secretariat for this opportunity to make meaningful contributions to its mandate of formulating a futuristic National Cyber Security Strategy 2020 (NCSS). In response to the Call for Comments, apart from the comments below, CCG has separately submitted detailed comments to the Office of the National Cyber Security Coordinator.

Our comments are a result of original and thorough legal and policy research which draws upon multiple primary sources of information, including applicable domestic and international law and precedents, and a comparative study of the cyber security strategy and policy documents of 16 other countries. Secondary sources such as news reports, statistics on cybercrime and malicious cyber activity compiled and released by various Government departments and agencies and data on budgetary allocations released by the Union Government have also been relied on.

This submission is presented in six parts, supplemented by three annexures that provide insight into our sources, analysis and research methodology.

Part I introduces the background in which this strategy is being formulated, and presents a principled approach to the formulation of cybersecurity policy, that is driven by a coherent strategic framework constructed under the NCSS to guide it.

Part II presents an analysis of the landscape of existing and emergent threats that pose a risk to the cybersecurity of the entire nation. We do so with the objective of identifying areas that need to be accorded a higher priority in the formulation of the NCSS.

Parts III, IV and V correspond to the three pillars of strategy identified in the Call for Comments. Part III deals with the horizontal dimension of strategy and unpacks the contents of the first pillar, i.e., “Secure”, wherein we present for the consideration of the Secretariat an original three-tiered model of the ‘national cyberspace’ as a roadmap to cyber sovereignty. We submit for the consideration of the Secretariat the adoption of the principle of peaceful uses of cyberspace, to align with the nation’s goals of sustainable economic development while being mindful of the gradual militarization of cyberspace by both state and non-state actors.

Part IV deals with the “Strengthen” pillar, in which CCG examines the existing architecture for cybersecurity to analyse the vertical dimensions of strategy. Herein, we propose measures to strengthen institutions, processes and capabilities relevant for cyber security.

Part V deals with the third pillar, namely, “Synergise”, which explains how the horizontal and vertical dimensions of the strategy can be integrated in order to optimize levels of inherent friction that could hinder the achievement of strategic and policy goals. We propose that synergies need to be identified and/or created at three levels. First, at the inter-ministerial level, among the government departments and agencies. Second, at the national level, for enhanced cooperation and strategic partnerships between the public and private sectors. Third, at the international level, for enhanced cooperation and strategic partnerships with like-minded nations, geared towards building stronger national defences in cyberspace. In this part, we take the Government’s inclination to treat data as a “public good” or “societal commons” to its logical conclusion and accordingly propose a principled, common-but-differentiated-responsibility model between multiple stakeholders in the cybersecurity ecosystem for grounding public-private partnerships and the pooling of financial resources.

Part VI concludes this submission and presents the major findings, suggestions and recommendations of this submission.

The full text of the comments is available here.