India’s new Defence Cyber Agency—II: Balancing Constitutional Constraints and Covert Ops?

By Gunjan Chawla

In our previous post on India’s cyber defence infrastructure, we discussed the new Defence Cyber Agency (DCA), one of the three tri-service agencies announced at the Combined Commander’s Conference last year. Under the leadership of Rear Admiral Mohit Gupta, appointed as its head in April this year, the DCA is expected to serve a dual purpose—first, to fight virtual wars in the cyber dimension and second, to formulate a doctrine of cyberwarfare. In doing so, it is expected to contribute towards a cybersecurity strategy policy which integrates cyberwarfare with conventional military operations. In June, Lt. Col. Rajesh Pant, the National Cyber Security Coordinator announced that the new cybersecurity strategy policy will be released early in 2020.

The utilisation of cyberspace for military operations holds the potential to infuse a certain ‘jointness’ among the Army, Navy and Air Force. Lt. Gen. (Retd.) DS Hooda pointed out the herculean task that lies ahead of Rear Admiral Gupta– “to find a way to work around vertical stovepipes into which the three services have enclosed themselves”. The tri-services nature of the DCA could potentially compel the three services to share operational information and resources on a regular basis, which would further help to formulate a comprehensive and robust cyber defence infrastructure for the country.

From Coordination to Integration

Since the appointment of Rear Admiral Gupta as the head of the DCA, the Government has made only one announcement that has a significant bearing on its role and functioning. The Prime Minister’s announcement in August about the creation of a new position of a Chief of Defence Staff (CDS) is a welcome step and is expected to catalyse the move from coordination to integration  in the operations of the Army, Navy and Air Force and the operationalization of the three tri-services agencies. The burden of this herculean task entrusted to Admiral Gupta will now presumably, be shared by the CDS.

Unlike the Chairman of the Chiefs of Staff Committee (COSC), which is an additional position occupied by the senior-most officer among the three Chiefs, who serves as primus inter pares, or the first among equals – the CDS will be above the three chiefs, and act as a single-point military advisor to the Government and coordinate long term planning, procurements and logistics of the three service. However, there is long way to go between the announcement of this reform and its actual implementation.

Each of these two announcements – the setting up of the DCA, as well as creation of the CDS post necessitates certain changes in the legislated structure of the three wings of the armed forces for two distinct, but related reasons.

First, because the present legislations that govern the composition and structure of the three wings do not offer sufficient guidance for routine operations conducted jointly by the three wings, nor do they envision an officer superior in rank to the Chiefs of the three services.

The Central Government has the power to make rules under S. 191(2)(l) of the Army Act, 1950 to provide for the relative rank of the officers, junior commissioned officers, petty officers and non-commissioned officers of the regular Army, Navy and Air Force when acting together. S. 189(2)(l) of the Air Force Act, 1950 also confers the same power with respect to the Air Force. However, such a provision to make rules is conspicuous by its absence in the Navy Act, 1957. S. 184(2) of the Navy Act, 1957 confers upon the Central Government, the power to make regulations to provide for the relative rank, precedence, powers of command and authority of officers and sailors in the naval service in relation to members of the regular Army and the Air Force, but this makes no specific reference to the situation when members of three forces are acting together. Instead, S. 7 of the Navy Act provides that

“When members of the regular Army and the Air Force are serving with the Indian Navy or the Indian Naval Reserve Forces under prescribed conditions, then those members of the Army or the Air Force shall exercise such command, if any, and be subjected to such discipline as may be prescribed [under this Act].”

Additionally, the provision states that it cannot be deemed to authorise members of the regular Army or the Air Force to exercise powers of punishment over members of the Indian Navy. This provision is rooted in the colonial history of our naval laws, as it was felt that as the conditions of service at sea differed from that on land and because the erstwhile Navy (Discipline) Act, 1934 differed in many respects to the law relating to the Army and the Air Force, no attempt should be made to assimilate the revised Navy Act in other respects to the law relating to the Army and Air Force. Oddly enough, such unique demands of the sea as a theatre of war that prevented assimilation of the three wings are amplified in the case of cyberspace as a distinct, but connected theatre of war and deserve appropriate recognition in law – in a manner that encourages integration.

The existence of such disparate provisions on the conditions of service of members of the three forces when acting together could foreseeably, prove to be a hurdle in implementing integration for the creation of tri-services agencies. Additionally, the rank, powers and office of a Chief of Defence Staff is not defined or recognized in either of the three Acts. Should such a post be created by the issuing of rules or regulations by the Central Government, they would have to be laid before Parliament, pursuant to S. 185 of the Navy Act, S. 193A of the Army Act and S. 191A of the Air Force Act. In the current state of the law, it is unclear which of these three Acts could be invoked to formulate rules to create such a post in a manner that facilitates such integration.

The second reason is that the advent of cyberwarfare has brought nation-states into what can be described to as the fourth dimension of warfare—military operations that were until recently restricted to the physical domains of land, sea and air have now entered the virtual realm. The growing risk of cyber espionage and breaches of information security of Government agencies, like the ones in 2008 highlight the urgent need for such coordination to ensure prompt, proportionate responses. Thus, we need to prepare a framework not only because the conduct of hostilities now requires unprecedented, seamless integration between the three forces, but also because these hostilities will be conducted in an entirely new dimension, which possesses certain unique characteristics and limitations as a distinct operational theatre for military action.

Accordingly, the question of whether the Government would treat the breach of ‘India’s cyberspace’ by foreign actors, at par with violations of our sovereign territory, airspace or territorial waters must be answered in the affirmative.

At the minimum, this should include, (1) defence communications and operational networks, (2) security of the Government communication networks (3) security of classified and privileged information and (4) critical information infrastructure (CII) should be considered constituent components of our sovereign-protected cyberspace. Since the promulgation and notification of the Information Technology (Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2014, CII falls within the purview of the NCIIPC. Rule 3(4) excludes systems notified by the Ministry of Defence (MoD) as critical information infrastructure. To enable this legally, (1), (2) and (3) ought to be notified by the MoD as such, and explicitly entrusted to the DCA for appropriate action for their protection with appropriate directions.

Constitutional Constraints on Waging War in Cyberspace

Indeed, our cyber forces have been fashioned as an ‘agency’ and not a ‘service’ unto themselves, but contemporary research indicates that with appropriate training and experience, the agency is expected to provide the base for, and grow into a full-fledged Cyber Command.  However, we cannot rely solely on emergency powers under Article 352 of the Constitution as the starting point of our analysis of the legal framework that applies to India’s defensive operations in the cyber realm. Such an analysis leads us to arguments in favour of invoking the fundamental duties of citizens Article 51A for boosting the recruitment of cyber warriors. Such a system can only remain functional, if at all, on an ad-hoc basis. The domain of Parliamentary action cannot reasonably be restricted on the premise that cyberattacks against Government agencies are the ‘new normal’. The State must prepare for the eventuality that ad hoc arrangements set up as necessary reactions to security breaches need to be institutionalized in law. It is not sufficient to assert that the exigencies of cyberwarfare make it inefficient to seek Parliamentary sanction. And so, the military establishment that engages in hostilities with foreign actors in cyberspace, whether fashioned as an agency, service or command, should be read into the phrase ‘any other armed forces’ of Entry 2 of Schedule VII.

When it comes to the defence of India, the Constitution is unambiguous.

Article 53(2) of the Constitution declares that the supreme command of the armed forces of the Union shall be vested in the President and the exercise thereof shall be regulated by law. (emphasis added) Article 53(3)(b) also states that nothing in this Article shall “prevent Parliament from conferring by law functions on authorities other than the President”.

Article 246(1) of the Constitution vests legislative powers in the Parliament. The provision refers to Schedule VII, which identifies specific areas upon which Parliament is entitled to legislate in the national security domain. These areas include the following:

1. Entry 1 refers to “the Defence of India and every part thereof including preparation for defence and all such acts as may be conducive in times of war to its prosecution and after its termination to effective demobilization.”

2. Entry 2 places “naval, military and air forces; and any other armed forces of the Union” within the legislative competence of Parliament. To this effect, The Army Act and Air Force Act were adopted by the Parliament in 1950 and the Navy Act in 1957.

3. Entry 7 refers to “Industries declared by Parliament by law to be necessary for the purpose of defence or for the prosecution of war”. Although the IT sector is treated as a strategic sector by the Government, no such law has been enacted by Parliament.

The language of Article 246 indicates that Parliament is competent to legislate on these issues. However, the use of the word ‘shall’ in the language Article 53 suggests that Parliament is duty-bound to enact such a law. This can also be inferred from the language of Article 73(1) of the Constitution, which states that “The Executive power of the Union shall extend –(a) to matters with respect to which Parliament has the power to make laws”. This makes it clear that the exercise of the Executive power is made conditional on the legislative competence of the Parliament, and not vice versa.

So far, no specific legislation has been forthcoming from Parliament to approve or regulate the exercise of the executive power to engage in cyberwarfare, nor has the Government proposed any. However, the promulgation of a Cybersecurity Act that would cover not only various cyber-related crimes, offences, forensic and policing, but also, have enabling provisions for cyber war and defences against cyber war has been proposed by other think tanks, and even Admiral Gupta himself.

Thus, the power to make preparations for prosecution of war in cyberspace should be backed by Parliamentary sanction. Such an enactment would also help clarify many other questions and streamline the contours of India’s cybersecurity infrastructure and institutions. For example, the domain of authority of the DCA and its relationship with its civilian counterparts including the National Cyber Security Coordinator (NCSC) and the Indian Computer Emergency Response Team (CERT-In) remain unclear. With proper consideration and consultations, the setting up of the DCA could potentially open the doors to enhanced, perhaps even institutionalised civilian-military cooperation that begins in cyber operations and permeates into conventional operations as well.

Two new domains—space and cyber—enabled by high technology, offer unprecedented opportunities for enhanced communication and coordination among wings of the armed forces in all theaters of war, and be used as force multipliers for intelligence analysis, mission planning and control.[i] Given their crucial role in intelligence analysis, foreseeably, the Government could model the agency as one that ‘cyber-supports’ military operations, but  with a greater emphasis on covert operations rather than conventional warfare.  In such a scenario, we may expect that its structure and functioning would be shrouded in secrecy, analogous to the Research and Analysis Wing (R&AW) or the Intelligence Bureau (IB). This means that the DCA would work closely with the Defence Intelligence Agency (DIA). While structures analogous to existing intelligence agencies could potentially allow greater freedom of action for cyber operations, it could also compromise the DCA’s potential to draw upon civilian expertise.

In the interest of widening the pool from which the DCA recruits and trains its cyber-warriors, a proper legislative mandate would go a long way in establishing and strengthening strategic partnerships with the private sector, where most of the country’s tech talent is currently employed.

---

[i] As an aside, it is pertinent to mention that India’s entry into the fifth dimension i.e. space remains debatable— even after carrying out the first successful test of anti-satellite (ASAT) weapon and being in the process of setting up a Defense Space Agency, our policies still espouse the principle of peaceful uses of outer space.

India’s new Defence Cyber Agency

Recent developments in India’s space policy including Mission Shakti, India’s first anti-satellite weapon testing is indicative of the states growing concern into contemporary threats to the state; India is ranked among the 15 least cyber-secure countries in the world from the list of 60 countries. To this end, the Prime Minister announced the setting up of three new tri-service agencies, for Cyber Warfare, Space and Special Operations, at the Combined Commanders’ Conference in Jodhpur last year.

In this post we will mainly deal with the third tri-service agency, the Defence Cyber Agency, which is setup to work in conjunction with the National Cyber Security Advisor. Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its Tri-service nature means that it would include as many as 1000 personnel from all three branches, the Army, Navy and the Airforce. Rear Admiral Mohit Gupta has been appointed to be the first head of the DCA.

Current Legal Framework

The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cyber security, and those focusing on the military cyber security.

The National Cyber Security Policy was adopted by the Government of India in 2013 to ensure a secure and resilient cyberspace for citizens, businesses and the government. This policy was launched to integrate all the initiatives in the area of Cyber Security and to tackle the fast-changing nature of cybercrimes. Initiatives such as setting-up the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC), and creating sector specific Computer Emergency Response Teams (CERT) were implemented under the policy.

The Indian Computer Emergency Response Team (CERT) is an office within the Ministry of Electronics and Information Technology. It is the national nodal agency for responding to computer security incidents as and when they occur. It deals with mostly civilian threats by issuing guidelines, vulnerability notes, and whitepapers relating to security practices as well as providing a point of contact for reporting local problems.

Cyber-Security concerns in India

The 2019 Global Risk Report highlights India’s history of malicious cyber-attacks and lax cybersecurity protocols which led to massive breaches of personal information in 2018. It also specifically mentions the government ID database, Aadhaar, which has reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January that individuals were selling access to the database at a rate of 500 rupees for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.

The Digital India initiative has resulted in a boom in the internet usage in the country. However, due to the lack of proper security protocols in place, there have been an estimated 700 hacks into state and central governments websites, as was reported in Lok Sabha. Additionally, in January of 2017, the National Security Guard page was hacked by suspected Pakistan based operatives who then went on to post anti-India content on it. The need to prevent such attacks on Indian websites has been a matter of debate since 2016, following the hack of the IRCTC website.

While some aspects of cyber security are easy to classify, such as the breach of IRCTC being a civilian breach and hacking the website of the National Security Guard being a military breach, other potential cyber threats could fall within a grey area.

Defence Cyber Agency

The lacuna which the Defence Cyber Agency seeks to fill, exists in the realm of military cyber security. It is currently governed by the Defence Intelligence Agency (DIA) which operates under direct control of Ministry of Defence and focuses on the international offensive and defensive capabilities of the state. It is the nodal agency for all defence related intelligence.

The formation of the Defence Cyber Agency, is supposedly meant to combat the current threat of foreign hackers from nations such as China or Pakistan, who could attack India’s digital infrastructure using Cyber warfare. The new agency could potentially set up the roadmap for the future of India’s cyber security specifically, by combating threats made to military targets.

A common feature of many military agencies is the lack of legislative clarity; in the absence of a clear and coherent policy document or a parliamentary enactment to this effect, the parameters on which the domain of ‘military cyber security’ is demarcated remain unclear. The definition of ‘military’ in this case could potentially be based on the nature of the target (IRCTC hack vs. NSG hack) the origin of the threat (geographical location or the nationality of the perpetrator) or even the source of the threat (China/Pakistan or amateur domestic hackers). 

The Agency is expected to follow a decentralized structure where the bulk of the agency will be focused into smaller teams, spread around the country, with the command center in Delhi. It also aims at putting dedicated officers in major headquarters of the tri-forces to deal with emerging cyber security issues.

One of the main takeaways from the setting up of this agency is the inter-service cooperation between the Army, Navy and the Airforce. The move is also in keeping with the Joint Training Doctrine Indian Armed Forces, of 2017, which seeks to foster ‘Synergy’ and ‘Integration’ amongst the three Services and other stake-holders leading to an enhanced efficiency and optimum utilisation of resources.

Since the new agency will fall under the purview of the Ministry of Defence, the precise mandate and composition of the DCA are not clear at this point. After its formal inauguration, which is supposed to happen sometime this month, it is possible that people will have a better idea of the agency’s role and functions in maintaining India’s cyber defences.

A key issue, which has not been addressed so far remains the need to employ experts in the field of cyber-security. While the new agency is projected to employ over 1000 personnel from the three services, employing personnel with sufficient technical knowledge will be difficult, owing to a general lack of qualified personnel in this field. Additionally, with the boom in the cyber security market, the DCA would not only have to contend with private players in the domestic markets in attracting qualified talent, but also face stiff competition from international players in the scene.

In addition to setting up the DCA, it is also important that all three services take this opportunity to better train existing personnel in basic cyber security practices, including staff which is not specifically deployed to the DCA.

It is hoped that the formation of such an agency will not only improve India’s cyber security but also bolster its international reputation in terms of digital safety. The creation of this new agency highlights the weaponization of cyberspace as a tool of modern warfare, and also the importance of data and information sharing between the three services in order to better protect the nation.