Technology & National Security Reflection Series Paper 13: Flipping the Narrative on Data Localisation and National Security

Romit Kohli*

About the Author: The author is a fifth year student of the B.A. LL.B. (Hons.) programme at the National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. This post was written in Summer, 2021. Therefore, it does not reflect recent policy developments in the field of data governance and data protection such as the December 2021 publication of the Joint Parliamentary Committee Report and its proposed Data Protection Bill, 2021.

I. Introduction

Countries all over the world are seeking to preserve and strengthen their cyber-sovereignty in various ways. One popular mechanism for the same is labelled with the nebulous phrase ‘data localisation’. Data localisation refers to requirements imposed by countries which necessitate the physical storage of data within their own national boundaries. However, the degree of data localisation varies across jurisdictions. At one end of the spectrum, we have ‘controlled localisation’ that favours the free-flow of data across borders, subject to only mild restrictions.  A prominent example of controlled localisation is the European Union’s (“EU”) General Data Protection Regulation (GDPR). At the other end of the spectrum, we have jurisdictions like China which impose much stricter localisation requirements on businesses operating within their national boundaries.

In India, data localisation has become a significant policy issue over the last few years. Various government documents have urged lawmakers to introduce a robust framework for data localisation in India. The seminal policy document in this regard is the Justice BN Srikrishna Committee report, which provided the basis for the Personal Data Protection Bill of 2019. This bill proposed a framework which would result in a significant economy-wide shift in India’s data localisation practices. At the same time, various government departments have sought to implement sector-specific data localisation requirements with different levels of success.

This blog post argues that far from being a facilitator of national security, data localisation measures may present newer threats to national security in their implementation. We seek to establish this in three steps. First, we analyse the link between India’s national security concerns and the associated objectives of data localisation. This analysis demonstrates that the mainstream narrative regarding the link between national security and data localisation is inherently flawed. Thereafter, we discuss the impact of data localisation on the economic growth objective, arguing that India’s localisation mandate fails to consider certain unintended consequences of data localisation which restrict the growth of the Indian economy. Lastly, the article argues how this adverse impact on economic growth poses a threat to India’s national security, which requires us to adopt a  more holistic outlook of what constitutes national security. 

Image by World Bank Photo Collection’s Photostream. Copyrighted under CC BY 2.0.

II. The Mainstream Narrative

The Srikrishna Committee report underscores national security concerns as a basis for two distinct policy objectives supporting the introduction of data localisation measures. First, the report refers to the need for law enforcement agencies to have access to data which is held and controlled by data fiduciaries, stating that such access is essential for ‘… effectively [securing] national security and public safety…’ since it facilitates the detection of crime and the process of evidence gathering in general (Emphasis Added). However, experts argue that such an approach is ‘… unlikely to help India achieve objectives that actually require access to data’. Instead, the government’s objectives would be better-served by resorting to light-touch localisation requirements, such as mandating the storage of local copies of data in India while still allowing the data to be processed globally. They propose complementing these domestic measures with negotiations towards bilateral and multilateral frameworks for cross-border access to data.

Second, the report states that the prevention of foreign surveillance is ‘critical to India’s national security interests’ due to the lack of democratic oversight that can be exercised over such a process (Emphasis Added). However, we believe that data localisation fails as an effective policy measure to address this problem because, notwithstanding the requirements imposed by data localisation policies, foreign governments can access locally stored data through extra-territorial means, including the use of malware and gaining the assistance of domestic entities. What is required is a more nuanced and well-thought-out solution which leverages the power of sophisticated data security tools.

The above analysis demonstrates that the objectives linked to national security in India’s data localisation policy can be better served through other means. Accordingly, the mainstream narrative which seeks to paint data localisation as a method of preserving national security in the sense of cyber or data security is flawed. 

III. The (Unintended) Impact on the Indian Economy

The Srikrishna Committee Report ostensibly refers to the ‘… positive impact of server localisation on creation of digital infrastructure and digital industry’. Although there is no disputing the impact of the digital economy on the growth of various industries generally, the report ignores the fact that such growth has been fuelled by the free flow of cross-border data. Further, the Srikrishna Committee Report fails to consider the costs imposed by mandatory data localisation requirements on businesses which will be forced to forgo the liberty of storing their data in the most cost-effective way possible. These costs will be shifted onto unsuspecting Indian consumers. 

The results of three seminal studies help illustrate the potential impact of data localisation on the Indian economy. The first study, which aimed at quantifying the loss that data localisation might cause to the economy, found that mandatory localisation requirements would reduce India’s GDP by almost 1% and that ‘… any gains stemming from data localisation are too small to outweigh losses in terms of welfare and output in the general economy’. A second study examined the impact of data localisation on individual businesses and found that due to a lack of data centres in India, such requirements would impose a 30-60% increase in operating costs on such businesses, who would be forced to store their data on local servers. The last study analysed the sector-specific impact of localisation, quantifying the loss in total factor productivity at approximately 1.35% for the communications sector, 0.5% for the business services sector, and 0.2% for the financial sector. More recent articles have also examined the prejudicial impact of data localisation on Indian start-ups, the Indian IT sector, the cyber vulnerability of small and medium enterprises, and India’s Ease of Doing Business ranking. 

At this point, it also becomes important to address a common argument relied upon by proponents of data localisation, which is the fact that localisation boosts local employment, particularly for the computer hardware and software industries. Although attractive on a prima facie level, this argument has been rebutted by researchers on two grounds. First, while localisation might lead to the creation of more data centres in India, the majority of the capital goods needed for such creation will nonetheless be imported from foreign suppliers. Second, while the construction of these centres might generate employment for construction workers at a preliminary stage, their actual functioning will fail to generate substantial employment due to the nature of skilled work involved. 

The primary lesson to be drawn from this analysis is that data localisation will adversely impact the growth of the Indian economy—a lesson that seems to have been ignored by the Srikrishna Committee report. Further, when discussing the impact of data localisation on economic growth in India, the report makes no reference to national security. We believe that this compartmentalisation of economic growth and national security as unrelated notions reflects an inherently myopic view of the latter. 

IV. Towards a Novel Narrative

National security is a relative concept—it means different things to different people in different jurisdictions and socio-economic contexts. At the same time, a noticeable trend vis-à-vis this relative concept is that various countries have started incorporating the non-traditional factor of economic growth in their conceptions of national security. This is because the economy and national security are inextricably linked, with several interconnections and feedback loops. 

Although the Indian government has made no explicit declaration in this regard, academic commentary has sought to characterise India’s economic slowdown as a national security concern in the past. We believe that this characterisation is accurate since India is a relatively low-income country and therefore, its national security strategy will necessarily depend upon the state of its economy. Further, although there have been objections surrounding a dismal defence-to-GDP ratio in India, it is believed that these objections are based on ‘trivial arithmetic’. This is because the more appropriate way of remedying the current situation is by concentrating policy efforts on increasing India’s GDP and accelerating economic growth, rather than lamenting low spends on defence. 

This goal, however, requires an upgradation of India’s national security architecture. While the nuances of this reform fall outside the precise scope of this blog post, any comprehensive reform will necessarily require a change in how Indian policymakers view the notion of national security. These policymakers must realise that economic growth underpins our national security concerns and consequently, it is a factor which must not be neglected.

This notion of national security must be used by Indian policymakers to examine the economic viability of introducing any new law, including the localisation mandate. When seen through this broader lens, it becomes clear that the adverse economic impact of data localisation policies will harm India’s national security by inter alia increasing the costs of doing business in India, reducing the GDP, and prejudicing the interests of Indian start-ups and the booming Indian IT sector. 

V. Conclusion

This blog post has attempted to present the link between data localisation and national security in a different light. This has been done by bringing the oft-ignored consequences of data localisation on the Indian economy to the forefront of academic debate. At the center of the article’s analysis lies an appeal to Indian policymakers to examine the notion of national security through a wider lens and consequently rethink their flawed approach of addressing national security concerns through a localisation mandate. This, in turn, will ensure sustained economic growth and provide India with the technological advantage it necessarily requires for preserving its national interests.  


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 12 (B): Contours of Access to Internet as a Fundamental Right

Shreyasi Tripathi*

About the Author: The author is a 2021 graduate of National Law University, Delhi. She is currently working as a Research Associate with the Digital Media Content Regulatory Council.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. Along with a companion piece by Tejaswita Kharel, the two essays bring to life a fascinating debate by offering competing responses to the following question:

Do you agree with the Supreme Court’s pronouncement in Anuradha Bhasin that access to the internet is an enabler of other rights, but not a fundamental right in and of itself? Why/why not? Assuming for the sake of argument, that access to the internet is a fundamental right (as held by the Kerala High Court in Faheema Shirin), would the test of reasonableness of restrictions be applied differently, i.e. would this reasoning lead to a different outcome on the constitutionality (or legality) of internet shutdowns?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic.

  1. INTRODUCTION 

Although it did little to hold the government accountable for its actions in Kashmir, it would be incorrect to say that the judgment of Anuradha Bhasin v. The Union of India is a complete failure. This reflection paper evaluates the lessons learnt from Anuradha Bhasin and argues in favour of access to the internet as a fundamental right, especially in light of the COVID-19 pandemic. 

Image by Khaase. Licensed under Pixabay License.

  2. EXAMINING INDIA’S LEGAL POSITION ON RIGHT TO INTERNET

Perhaps the greatest achievement of the Anuradha Bhasin judgement is the fact that the Government is no longer allowed to pass confidential orders to shut down the internet for a region. Moreover, the reasons behind internet shutdown orders must not only be available for public scrutiny but also be reviewed by a Committee. The Committee will need to scrutinise the reasons for the shutdown and must benchmark it against the proportionality test. This includes evaluating the pursuit of a legitimate aim, exploration of suitable alternatives, and adoption of the least restrictive measure while also making the order available for judicial review. The nature of the restriction and its territorial and temporal scope will be relevant factors to determine whether it is proportionate to the aim sought to be achieved. The Court also expanded fundamental rights to extend to the virtual space with the same protections. In this regard, the Court made certain important pronouncements on the right to freedom of speech and expression. These elements will not be discussed here as they fall outside the scope of this paper.

A few months prior, in 2019, the Kerala High Court recognised access to the internet as a fundamental right. In its judgement in Faheema Shirin v. State of Kerala, the High Court addressed a host of possible issues that arise with a life online. Specifically, the High Court recognised how the internet extends individual liberty by giving people a choice to access the content of their choice, free from control of the government. The High Court relied on a United Nations General Assembly Resolution to note that the internet “… facilitates vast opportunities for affordable and inclusive education globally, thereby being an important tool to facilitate the promotion of the right to education…” – a fact that has only strengthened in value during the pandemic. The Kerala High Court held that since the Right to Education is an integral part of the right to life and liberty enshrined under Article 21 of the Constitution, access to the internet becomes an inalienable right in and of itself. The High Court also recognised the value of the internet to the freedom of speech and expression to say that access to the internet is protected under Art. 19(1)(a) of the Constitution and can be restricted on grounds consistent with Art. 19(2).

  3. ARGUING IN FAVOUR OF RIGHT TO INTERNET

In the pandemic, a major reason why some of us have any semblance of freedom and normalcy in our lives is because of the internet. At a time when many aspects of our day-to-day lives have moved online, including education, healthcare, shopping for essential services, etc., the fundamental importance of the internet should not even be up for debate. The Government also uses the internet to disseminate essential information. In 2020, it used a contact tracing app (Aarogya Setu) which relied on the internet for its functioning. There also exists a WhatsApp chatbot to give accurate information about the pandemic. The E-Vidya Programme was launched by the Government to allow schools to become digital. In times like this, the internet is not one of the means to access constitutionally guaranteed services, it is the only way (Emphasis Added).

In this context, the right of access to the internet should be read as part of the Right to Life and Liberty under Art. 21. Therefore, internet access should be subject to restrictions only based on procedures established by law. To better understand what shape such restrictions could take, lawmakers and practitioners can seek guidance from another recent addition to the list of rights promised under Art. 21: the right to privacy. The proportionality test was laid down in the Puttaswamy I judgment and reiterated in Puttaswamy II (“Aadhaar Judgement”). In the Aadhaar Judgement, when describing proportionality for reasonable restrictions, the Supreme Court stated:

“…a measure restricting a right must, first, serve a legitimate goal (legitimate goal stage); it must, secondly, be a suitable means of furthering this goal (suitability or rational connection stage); thirdly, there must not be any less restrictive but equally effective alternative (necessity stage); and fourthly, the measure must not have a disproportionate impact on the right-holder (balancing stage).”

This excerpt from Puttaswamy II provides a defined view of the proportionality test upheld by the Court in Anuradha Bhasin. This means that before passing an order to shut down the internet, the appropriate authority must assess whether the order aims to meet a goal which is of sufficient importance to override a constitutionally protected right. More specifically, does the goal fall under the category of reasonable restrictions as provided for in the Constitution? Next, there must be a rational connection between this goal and the means of achieving it. The appropriate authority must ensure that an alternative method cannot achieve this goal with just as much effectiveness. The authority must ensure that the method being employed is the least restrictive. Lastly, the internet shutdown must not have a disproportionate impact on the right holder, i.e. the citizen, whose right to freedom of expression or right to health is being affected by the shutdown. These reasons must be put down in writing and be subject to judicial review.

Based on the judgment in Faheema Shirin, an argument can be made that the pandemic has further highlighted the importance of access to the internet, not created it. The reliance of the Government on becoming digital with e-governance and digital payment platforms shows an intention to herald the country into a world that has more online presence than ever before.

  4. CONCLUSION

People who are without access to the internet right now* – people in Kashmir, who have access to only 2G internet on mobile phones, or those who do not have the socio-economic and educational means to access the internet – are suffering. Not only are they being denied access to education, the lack of access to updated information about a disease about which we are still learning could prove fatal. Given the importance of the internet at this time of crisis, and for the approaching future, where people would want to avoid being in crowded classrooms, marketplaces, or hospitals, access to the internet should be regarded as a fundamental right.

This is not to say that the Court’s recognition of this right can herald India into a new world. The recognition of the right to access the internet will only be a welcome first step towards bringing the country into the digital era. The right to access the internet should also be made a socio-economic right which, if implemented robustly, will have far-reaching consequences such as ease of social mobility, increased innovation, and fostering of greater creativity.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 12(A): Contours of Access to Internet as a Fundamental Right

Tejaswita Kharel*

About the Author: The author is a 2021 graduate of National Law University, Delhi. She is currently working as a lawyer in Kathmandu, Nepal. Her interests lie in the area of digital rights, freedom of speech and expression and constitutional law.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. Along with a companion piece by Shreyasi Tripathi, the two essays bring to life a fascinating debate by offering competing responses to the following question:

Do you agree with the Supreme Court’s pronouncement in Anuradha Bhasin that access to the internet is an enabler of other rights, but not a fundamental right in and of itself? Why/why not? Assuming for the sake of argument, that access to the internet is a fundamental right (as held by the Kerala High Court in Faheema Shirin), would the test of reasonableness of restrictions be applied differently, i.e. would this reasoning lead to a different outcome on the constitutionality (or legality) of internet shutdowns?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic.

  1. INTRODUCTION 

The term ‘internet shutdown’ can be defined as an “intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information”.1 It has become a tool used by States against residents of the country in question when they are faced with some imminent threat to law and order or a certain breakdown of law and order. It is used with the belief that a blanket shutdown of the Internet helps restrict misinformation, spreading of fake news, incitement of violence, etc. that could take place.

Image by Ben Dalton. Copyrighted under CC BY 2.0.

  2. ANURADHA BHASIN JUDGEMENT: INTERNET AS ENABLER OF FUNDAMENTAL RIGHTS ENSHRINED UNDER THE CONSTITUTION OF INDIA

Due to the suspension of mobile and broadband internet services in Jammu and Kashmir on August 4, 2019 before the repeal of Article 370 of the Constitution of India, a petition was filed at the Supreme Court by Anuradha Bhasin (a journalist at Kashmir Times). The petition challenged the Government’s curb of media freedom in Jammu and Kashmir as a result of the blanket internet and communications shutdown. On 10th January 2020, the Supreme Court, in its judgement in Anuradha Bhasin v. Union of India, held that the internet is a means to realise fundamental rights under Article 19 of the Constitution. The Court’s decision specifically applied to the right to freedom of speech and expression and the right to carry on trade or businesses.

The Court did not explore or answer the question of whether access to the internet by itself is a fundamental right since it was not contended by counsel. However, the Court did state that since fundamental rights could be affected by the measures applied by authorities (which in this case was an internet shutdown), a lawful measure which could restrict these fundamental rights must be proportionate to the goal.

One reading of the Supreme Court’s decision in Anuradha Bhasin is that the case could act as an enabler which legitimises government-mandated internet shutdowns. Nevertheless, the Court does explicitly hold that the curtailment of fundamental rights affected by internet access restrictions must be proportionate. In pursuance of this, restrictive measures need to be the least restrictive in nature. However, determining what constitutes the least restrictive measure is a subjective question and would vary on a case-by-case basis. There is no guarantee that internet shutdowns would not be the measure opted for.

  3. Critiquing the Rationale of the Anuradha Bhasin Judgement

It is important to investigate why the Court was hesitant to deem internet access a fundamental right. One major reason could be the fact that access to the internet is not possible for all the citizens of India in the current situation in any case. At the time of writing this paper, approximately half of India’s population has access to and uses the internet. Where such a visible ‘Digital Divide’ exists, i.e. when half of the Indian population cannot access the Internet and the government has not yet been able to provide such universal access to the internet, it would not be feasible for the Court to hold that access to the internet is in fact a fundamental right.

If the Court were to hold that access to the internet is a fundamental right in the current situation, there would be a question of what internet access means. Is access to the internet simply access to an internet connection? Or does it also include the means required in order to access the internet in the first place?

If it is just the first, then deeming access to the internet as a fundamental right would be futile since in order to access an internet connection, electronic devices (e.g. laptops, smartphones, etc.) are required. At a purely fiscal level, it would be improbable for the State to fulfil such a Constitutional mandate. Moreover, access to the internet would be a fundamental right only to those who have the privilege of obtaining the means to access the internet. The burden on the State would be too high since the State would be expected to not just provide internet connection but also the electronics which would be required in order to access the same. In either case, it does not seem feasible for access to the internet to be deemed as a fundamental right due to the practical constraint of India’s immense digital divide.  

  4. RIGHT TO INTERNET FOR CURRENT AND FUTURE CHALLENGES

At a future point where it is feasible for more people to access the internet in India (especially in rural/remote areas), it may be appropriate to deem access to the internet as a fundamental right. However, at this juncture, to argue that access to the internet is a fundamental right (knowing that it is primarily accessible to more privileged segments) would be an assertion anchored on privilege. Therefore, as important as the internet is for speech and expression, education, technology, etc., the fact that it is not accessible to a lot of people is something for policymakers and wider stakeholders to consider.

This is especially important to look at in the context of COVID-19. Lockdowns and movement restrictions have increased remote work and accelerated online education. In order to work or study online, people must have access to both devices and the internet.

In this context, a UNICEF Report (August 2020) observed that only 24% of Indian households had internet connection to access education, and in November 2020 an undergraduate student died as a result of suicide since she was unable to afford a laptop. This provides macro and micro evidence of the blatant digital divide in India. Hence, it is not feasible to deem the right to access the internet as a fundamental right.

In any case, if we were to assume that the right to access the internet was a fundamental right, as was held on 19 September 2019 by the Kerala High Court in Faheema Shirin R.K v. State of Kerala, the issue of whether internet shutdowns are legal or not would still be contended. Article 19(2) provides certain conditions under which the right to freedom of speech and expression under Article 19(1)(a) can be reasonably restricted. Similarly, Article 19(6) of the Constitution provides that the right to carry on trade and business can be reasonably restricted in the interest of the general public. If access to the internet were deemed a fundamental right, it would be necessary to look at the scope of Articles 19(2) and 19(6) through a different lens. Nevertheless, such alteration would not yield a different application of the law. In essence, the Government’s restrictions on internet access would operate in the same way.

It is highly likely that Internet shutdowns would still be constitutional. However, there could be a change in the current stance to the legality of internet shutdowns. Situations wherein internet shutdowns would be legal may become narrower. There may even be a need for specific legislation for clarity and for compliance with the constitutional obligations.

  5. CONCLUSION

Due to COVID-19, many people are unable to access education or work in the same way that was done before. Even courts are functioning online and with that the necessity to access the internet has never been stronger. The Court in Anuradha Bhasin held that the internet was an enabler to rights under Articles 19(1)(a) and 19(1)(g). However, now with the added scope for the necessity to be able to use the internet as a medium of accessing education and as a medium to access justice (which has been recognised as a fundamental right under Article 21 and 14), lawmakers and Courts must evaluate whether the rising dependency on internet access would in itself be a reason for internet access to become crystallised as a fundamental right.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Access Now, in consultation with stakeholders from around the world, launched its #KeepItOn campaign against internet shutdowns and developed the first international consensus on the definition of an internet shutdown in RightsCon 2016, available at https://www.rightscon.org/cms/assets/uploads/2016/07/RC16OutcomesReport.pdf.

Technology and National Security Reflection Series Paper 11(B): Effectively Managing the COVID-19 Pandemic: Alternative Route under the Extant Constitutional Framework?

Kumar Ritwik*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He is a Delhi-based advocate practicing at the Supreme Court of India.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. Along with a companion piece by Bharti Singh, the two essays bring to life a fascinating debate by offering competing responses to the following question:

Do you think the ongoing COVID-19 Pandemic could have been better managed (more efficiently or more democratically) if the government had invoked emergency provisions under the constitution instead of relying on the national disaster management act? Why or why not?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic.

  1. INTRODUCTION 

After the onset of the Covid-19 pandemic, India’s Ministry of Home Affairs (“MHA”) vide Order No. 1-29/2020-pp dated 24th March 2020, under section 6(2)(i) of the Disaster Management Act (“DM Act”), 2005, announced a nationwide lockdown and restrictions among other things. The order included an imposition of restrictions on movement and other liberties of Indian citizens. Wide-ranging restrictions articulated in that order and subsequent orders under the DM Act directly impacted, among other things, individuals’ right to movement [Art. 19(1)(d)] and their right to livelihood (Art. 21). Though well-intentioned, these measures left much to be desired in terms of government support. Several significant administrative issues and concerns were raised. In this article, I argue that the Indian Government could have managed the pandemic better if it had invoked emergency provisions under Part XVIII of the Constitution instead of relying primarily on the DM Act, 2005.

  2. LIMITATION OF THE DISASTER MANAGEMENT ACT IN COUNTERING COVID-19

To be fair, the government’s interventions have relied on the trinity of the DM Act; the Epidemic Diseases Act, 1897; and relevant state-level Public Safety Act(s). However, such interventions have resulted in some pretty significant concerns. Specifically, administrative officials, located far away in the national capital i.e. New Delhi, are invoking powers and issuing decrees under these statutes. They are granted the power to control and restrict the movement of a billion lives in the country. In essence we are observing that the decision(s) of officials who are far removed from ground-level realities are impacting the lives of individuals residing in remote cities, towns and/or villages.

I argue that since health is a state subject, State governments should ordinarily have been tasked with both the primary responsibility and the power to decide how best to deal with the pandemic. However, given the extraordinary scale of the pandemic, a different route was chosen wherein the Union Government could exert tight control and issue numerous advisories and directives over an extended period. This was consistent with the idea that a streamlined uniform approach towards tackling the pandemic would work best across all states. As was observed later, States struggled to manage the crisis due to institutional and budgetary constraints. It was quite transparent how dependent States are on the Union Government for financial aid as well as technical expertise. As stated earlier, ground level realities are most closely dealt with by the district bureaucracy, and therefore involving them in the crisis management planning, apart from implementation measures, would have been beneficial. Emergency provisions under India’s Constitution could have served as an effective alternative which allowed the country to manage the crisis in a different and, perhaps, more effective manner.

In the initial period of the pandemic, parliamentary operations suffered major disruptions. A direct result of these disruptions was a lack of meaningful legislative discussion and accountability. Our constitution envisages a system of checks & balances between the powers of the legislature, executive and judiciary. Disruptions to the operation of Parliament signalled that, over a period of several months, direct executive action could face little oversight or accountability from the legislative branches of government at both the Central and State levels.

In such a situation, it is reasonable to turn to the judiciary for ensuring adequate accountability of executive actions. Unfortunately, the judiciary has failed on most occasions with its lax attitude towards the apathy of the officials. While the courts have occasionally rebuked the governments on specific points such as their handling of the migrants’ crisis, there has been no concerted effort by the Indian judiciary in holding the executive or its officials accountable for its management of the crisis. This is in addition to the fact that an extended period of the lockdown ensured that only those few fortunate enough to have constant access to high-speed internet could approach the judiciary for remedies or to submit their petitions.

The DM Act, strictly speaking, was not enacted to issue directives on public health emergencies or pandemics. In fact, the Epidemic Diseases Act, 1897 has been enacted with the intent of controlling infectious disease outbreaks like Covid-19. Though creative and inclusive interpretation would allow for a pandemic to be covered under the scope of the DM Act, the structure and mechanism within the statute have been rendered useless or ineffective to deal with a crisis of such magnitude. These circulars and the regulations that they invoke continue to remain disproportionate and outside the scope or stipulated purpose of the particular statute.

However, the DM Act has brought with it immense powers that are vested in the government. The government may take any regulation or decision that it deems fit and necessary, in its own opinion, to aid in the efforts of reducing risks of a disaster (or a pandemic in this case). Additionally, Section 8(1) of the DM Act empowers the Central Government to constitute a National Executive Committee (‘NEC’), comprising senior bureaucrats and leaders [S. 8(2)].

The NEC is empowered to issue directions so as to fulfill obligations and objectives under the Act. State governments and district bureaucracy are bound by circulars or regulations which are issued by the NEC. In fact, the NEC can empower another authority or other authorities to issue guidelines that would bind State Governments as well. Such an overarching framework under Article 256 of the Constitution has essentially been put in place to ensure that where the Union Government finds itself in certain extraordinary situations, it has the necessary tools to adopt measures across all States in a uniform manner. In this case, the Union Government empowered the Union Home Ministry to issue all necessary guidelines for State authorities.

  3. EMERGENCY PROVISIONS AS BETTER AVENUES AGAINST HEALTH EMERGENCIES

In contrast, Articles 355 and 356 read alongside Articles 246 and 256 would grant wide powers to the Government of India to impose emergency and invoke these provisions to grant itself all the necessary powers to deal with the crisis. Interestingly, emergency provisions still stipulate a time limit, whereas the DM Act does not. The DM Act grants an unlimited time period to the government machinery to apply these regulations and deems it applicable to all places deemed worthy of its application.

After the bitter experience of the emergency period of 1975-1977, drastic changes were made in order to make the extension of an emergency period contingent on legislative accountability as well. However, with the DM Act, regulations do not require any legislative sanction or even a discussion to that effect either. Therefore, the broad powers enshrined under the DM Act appear to contradict Constitutional ideals, though there has been little critique of the same in the public discourse.

This silence is perhaps owed to the fact that almost every citizen wishes to see the Government mount an aggressive and effective response to such a pandemic, without creating significant hurdles in their path to do so. However, in doing so, these wide-ranging regulations have also brought forth a huge chilling effect and have the potential to incentivise abuse of power by officials in such situations as well.

  4. CONCLUSION

With the large-scale powers that the DM Act accords to officials, India’s treatment of the pandemic essentially resembles an emergency situation. Extraordinary powers are held by the State machinery with little or no safeguards/mechanisms in place that ensure periodic review and/or legislative accountability. Therefore, the current framework serves as a de facto emergency framework.

This is a departure from most mature democracies. Countries have taken the aid of new legislations aimed at the public health emergency, with numerous parliamentary democracies ensuring that regulatory interventions continue to have some kind of legislative scrutiny. The UK legislated close to a hundred laws (collectively referred to as the ‘lockdown laws’ in the UK) to deal with the pandemic, whereas New Zealand pushed for a single comprehensive law instead.

Instead of acting without any restrictions under a statute that was not originally meant for handling a pandemic that has stretched over many years, the Indian Government could have followed this example and relied upon the extant emergency powers within the constitutional framework or legislated a new public health law which could empower officials with the safeguards necessary in a democratic setup instead.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 11(A): Evaluating the Validity of Disaster Management Act Against Constitutional Emergency Provisions in Containing the COVID-19 Pandemic

Bharti Singh*

About the Author: The author is a 2020 graduate of National Law University, Delhi. In 2021 she completed her LL.M. from National Law School of India University, Bengaluru. She is currently working as a researcher in areas related to health policy. 

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. Along with a companion piece by Kumar Ritwik, the two essays bring to life a fascinating debate by offering competing responses to the following question:

Do you think the ongoing COVID-19 Pandemic could have been better managed (more efficiently or more democratically) if the government had invoked emergency provisions under the constitution instead of relying on the national disaster management act? Why or why not?

Both pieces were developed in the spring semester, 2020 and do not reflect an updated knowledge of subsequent factual developments vis-a-vis COVID-19 or the ensuing pandemic. 

  1. Introduction

Since the introduction of the Constitution of India, the COVID-19 pandemic represents an unprecedented event. It has created extraordinary infrastructural challenges to both governing authorities and legal institutions. In the initial phases of this pandemic the Government of India faced the difficult task of not only adopting containment measures which minimise the effects and casualties of the virus, but also ensuring the delivery of essential services to its citizens. It has had to execute these tasks whilst preserving citizens’ liberties and the basic values of the Constitution. Given the death toll, along with the economic, financial, political, educational and broader health related costs exacted by the pandemic, it is critical for the government to deploy best-in-class infrastructural solutions which remain consistent with India’s constitutional values.

In this article, I argue that after evaluating the competing options, the Government of India’s decision to rely on the Disaster Management Act (“DM Act”), 2005 rather than invoking the Constitution of India’s emergency provisions was the appropriate course of action. The DM Act defines the term ‘disaster’ as a situation of “… catastrophe, mishap, calamity or grave occurrence” which has arisen because of man-made or natural causes and has resulted in “substantial loss of life or human suffering”. Further, it has to be “… of such a nature or magnitude as to be beyond the coping capacity of the community of the affected area”. The gravity of human suffering caused by the COVID-19 pandemic, both in terms of aggregate infections and deaths, becomes more and more evident with the passage of time.

  2. Limitations of Constitutional Emergency Provisions

An emergency can be proclaimed pursuant to Article 352(1) of the Indian Constitution. Under it, the President may proclaim an emergency if satisfied that a grave emergency exists whereby the security of India or any part thereof is threatened by “war/ external aggression or armed rebellion”. The term “armed rebellion” replaced the former term “internal disturbance” after the emergency proclamation in 1975. When an emergency is proclaimed, Article 353 permits (1) the Central Government to direct any State on how to use its executive power and (2) Parliament to make laws even in matters which are in the State List. Article 358 suspends the six fundamental rights protected under Article 19 during Constitutional emergencies. Article 359 suspends enforcement of fundamental rights during emergencies.

In the context of COVID-19, any decision by the Government to declare a national emergency under Article 352 of the Constitution, would be unconstitutional in light of the 44th Constitutional Amendment in 1978. The 44th Amendment holds that such emergencies can only be declared if the security of India or any part thereof is threatened by war or external aggression or armed rebellion (Emphasis Added). These are the only three grounds under which an emergency can be declared under Article 352.

The Constitution of India does not have any explicit provisions for disaster management. In the absence of any such provision, disaster management was conventionally considered to be within the competence of the states as per colonial practice. The legal basis of the Disaster Management Act can be traced to Entry 23, Concurrent List of the Constitution, which relates to “Social security and social insurance”, as well as Entry 29, Concurrent List, which relates to “Prevention of the extension from one State to another of infectious or contagious diseases or pests affecting men, animals or plants”. Owing to the federal structure of India’s democracy, public health and public order are listed in the State List under the Seventh Schedule of the Constitution. Critically, while operationalising and implementing Government interventions to contain the spread of COVID-19, the Government’s use of provisions under the DM Act must be mindful of the unprecedented and unique factors of this disaster, where the primary casualty is human life and not degradation of environment or loss of property.

The framework of the DM Act is consistent with the federal structure of India’s democracy. Conversely, the proclamation of Emergency under the Constitution centralises powers within the Union Government. When in effect, the Union Government can direct state governments and make laws on the entries present under the State List in the Constitution of India. Under Article 357 of the Indian Constitution, the power of the State can be vested in the legislature, which can delegate it to the President, and the President can further delegate it to an appropriate authority. In this way the powers vested in the Central Government under the provisions of emergency are very flexible. However, this compromises the quasi-federal structure of India’s constitutional democracy.

In India’s Constituent Assembly Debates, the Emergency provisions were conceived as an exception to the otherwise federal structure of the Government. Originally, this power to declare emergency/President’s Rule in a particular State was envisioned to be vested with the Governors of the States. At the time, the position of Governor was supposed to be an elected office. Ultimately this was not the case, as the office came to be appointed by the President. In effect this means that the power to declare an emergency under the Constitution is essentially vested in the President. Under Constitutional emergency conditions as per Article 256, even the legislative powers can be vested in the President and need not be vested in Parliament. The President can make incidental and consequential provisions necessary to give effect to the proclamation.

  3. Conclusion: The Merits of the Disaster Management Act

India is a diverse country, not just in terms of culture and heritage but also in terms of geography. States with international airports and tourism-specific industries are more prone to the spread of the virus, and the number of cases varies across states. In the context of COVID-19, State-specific measures become important since local authorities may have to simultaneously manage other natural and man-made disasters. Recent examples of this include the cyclone Amphan in Kolkata and the gas leakage from the chemical plants in Visakhapatnam. States which are prone to natural calamities such as cyclones, floods and famines could be afforded the flexibility to create State and district plans under the DM Act, to tackle such calamities as well as the spread of COVID-19 in more vulnerable locations. Further, policymakers should not ignore the heterogeneity of infrastructure across the health industry as well as the strength of the economy, the dependency of which also varies from state to state.

The demand for Personal Protective Equipment (PPEs) for essential workers or essential infrastructure like ventilators also varies across states based on variables such as the number of cases. These factors dictate the need for state-specific measures and targeted district-specific measures as well. The intensity of the spread of the virus is being determined district-wise by distinguishing districts as red, orange and green zones, and the laying out of a district plan per Section 31 becomes of utmost importance for the Red Zone districts.

The Centre should limit its role to coordination between states and the other departments of the government, rather than dictating consistency across the states. Instead, states should be empowered in terms of implementation, enforcement and funds. The cooperative federalism envisaged in India’s Constitution will be a better model for the government to follow. This principle could have been utilised at the time of the crisis of inter-state migration of workers and could further have been utilised for facilitating transportation of essential goods, in order to minimise economic harms and societal destabilisation during periods of government mandated lockdowns.

I conclude by reiterating that it is better for the Government to manage the pandemic under the Disaster Management Act, 2005. However, where a State Government is going through a breakdown of its constitutional or infrastructural machinery and is unable or unwilling to exercise its responsibility to provide relief to affected persons, the Central Government should impose the Constitutional Emergency provisions in such territories.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 4: Redefining National Security

Animesh Chaudhary*

About the Author: The author is a 2021 graduate of National Law University, Delhi. He is currently working at Rural Electrification Corporation Limited.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

“National Security” is one of the foremost concerns of any nation state. However, the meaning of this term has acquired an overwhelmingly military character over time. This military approach to national security follows the assumption that the principal threat to security comes from other nations. While such an understanding was suitable a few decades ago, health pandemics, climate change, technological changes etc. are challenging this notion today. This submission aims to identify the gaps in traditional understandings of national security and proposes redefining the concept.

This piece is divided into three parts: Part I looks at the traditional military approach to “National security”. Part II analyses the need to update this traditional understanding. Part III identifies “Human Security” as a modern and suitable concept of national security.


I. Traditional Military approach to “National Security”

The traditional approach has been to view “National Security” from a military lens i.e. ‘securing the nation from military threat’. The policy measures of nation States and many strategists have followed this understanding.

Weber found a monopoly on violence, allowing the State to deal with internal or external military threats, to be a crucial condition for the State. Similarly, James Baker notes that while no common definition of “national security” exists, the core issues which warrant national security treatment will primarily include nuclear attack, terrorist attacks and conventional attacks. “National Security” is also used to justify “the maintenance of armies, the development of new weapon systems, and the manufacture of armaments”.

In many ways, it can be easily understood how this understanding of National Security developed. Wars in the 18th and 19th centuries were generally short. The security strategy in the past was focused mainly on “external military threats”, which consequently required corresponding military responses. However, in present times, such an understanding is inadequate.

II. Need to update the definition of National Security

i) Nature of threats is changing

Today, for most nations, the threat of military aggression has reduced considerably. Instead, nations have to face “environmental pollution, depletion of ozone, [global] warming, and migrations of refugees”,[1] among others. Health issues such as the Coronavirus pandemic, changes in technology, or a spiralling economy, as seen in many third-world countries, are other threats to nations.

One of the greatest enablers of this change is technology. It is difficult to place technological threats within the traditional military approach to national security, yet it is undeniable that technological disruptions present great danger to the security of nations. The impact of technologies on the international security environment is all-encompassing.[2] These include both conventional changes like technological weapons, and non-conventional changes like cyber warfare.

ii) Non-Military Threats can cause Military Conflict

Another reason for updating the present understanding of “National Security” is that a number of non-traditional threats can lead to military conflict. This makes it imperative for proactive policymakers to treat all such threats as National Security issues.

Scholars have studied resource conflicts, energy security, climate change and insecurity and tied them in with military conflicts. Some have found that “… water resource scarcity can be both the cause and the consequence of armed conflicts.”[3]

Proactive policymaking demands recognising such threats before they acquire a military character.

iii) Conventional understanding of ‘National Security’ is narrow and patriarchal

If National Security means the security of a nation, it is imperative to define ‘nation’ first. While it is difficult to come up with a precise definition of a ‘nation’, it is submitted that any definition that does not take into account the people is narrow in scope.

In this context, national security fails to include everyday experiences of a significant population. Further, the current definition is patriarchal and excludes the experiences of women.

J. Tickner finds that traditional perspectives on security through a military point of view have marginalised or omitted women, which has resulted in a masculine and militaristic definition of National Security.[4] Women, on the other hand, have defined security as “absence of violence whether it be military, economic, or sexual”.[5] National Security, when understood as “absence of violence against people of the nation”, can then be extended to all other disempowered groups.

Similarly, the perception of security that many people of colour have in America does not align with the dominant definition of national security in America. In the Indian context, crimes against underprivileged groups are not considered a national security threat. Understood in these terms, it is clear that the traditional understanding does not cover the security threats faced by disempowered groups in a nation. A definition that does not take these threats into account is therefore severely lacking in scope, and needs to be updated.

III. “Human Security”: A Modern understanding of National Security

Put forth in 1994 by the United Nations Development Program, ‘Human Security’ very simply relates to the security of people. Erstwhile Prime Minister of Japan Obuchi Keizo called Human Security “the keyword to comprehensively seizing all of the menaces that threaten the survival, daily life, and dignity of human beings”.

In essence, Human Security puts “people first” and recognises that the security of States does not necessarily translate to security of the people in it. This has been borne out of the events of the 20th century (world wars, multiple genocides) and the realisation that conventional notions of security need to be challenged when serious violations of rights occur.

The advantages of a human security understanding of national security are manifold:

i) People first approach

The biggest advantage of this concept is that it puts people first in its definition of the ‘nation’. It recognises different forms of violence and threats that individuals face every day. It brings into focus “structural violence” i.e. “the indirect violence done to individuals when unjust economic and political structures reduce their life expectancy through lack of access to basic material needs.”[6]

Understanding National Security as “absence of violence for people in a nation”, also allows us to recognise new unconventional threats that arise in the 21st century.

ii) Radically alters Public notions of Emergency and Urgency

There is normative value in recognising ‘Human Security’ as ‘National Security’. By recognising violence against individuals as national security threats, it sends a message that threats faced by individuals are the most important threats that any nation faces. It legitimises the security issues faced by groups that are not dominant in a nation.

“National Security” issues receive utmost urgency and importance in policy making. As Sachs notes, “Questions of “security” are often given pride of place before other potential policy concerns.”

This leads to a number of questions: Why should emergency conditions and a sense of urgency be reserved only for military threats? Why should crimes against women be considered any less urgent in a country which reports 87 rapes per day? Why shouldn’t crimes against Scheduled Castes and Scheduled Tribes be considered as urgent? How do nations issue national or local emergency in times of military conflict, but go on in a routine manner when extreme gender, social and economic injustices exist?

By equating human security issues with national security threats, it is these questions that we can answer adequately. Crimes against minorities, women and other groups, poverty, lack of access to healthcare and education, and other social, economic and environmental ills that plague nations have become normalised to such an extent that all these issues have become routine. The concept of ‘Human Security’ challenges this status quo.

iii) Leveraging Public Trust

National Security threats often generate public trust and public consensus swiftly. Public trust is an important part of a democratic system,[7] while a lack of public trust is one of the biggest obstacles in governance. By recognising “Human Security threats” as “National Security” threats, this public trust can be leveraged to improve governance.

As Lester Brown notes, while responding to a national security threat, “the ‘public good’ is much more easily defined; sacrifice can not only be asked but expected, it is easier to demonstrate that “business as usual” must give way to extraordinary measures.”

If such consensus and unity could be achieved with respect to “Human security”, it would allow governance to take place a lot more efficiently.

Conclusion

The traditional understanding of National Security in terms of military threats to the State is no longer adequate in the 21st century. Today, ‘Human Security’ offers a more holistic understanding with its ‘people first’ approach. It recognises and legitimises the experiences of disempowered groups and challenges conventional notions of security.

Human Security offers multiple advantages as an analytical concept, and holds normative value by contesting the traditional understanding of a nation, urgency and emergency. The definition of Human Security is broad, but that acts as an advantage for it covers a wider range of threats, including the new threats caused by technology and climate.

This redefinition of ‘National Security’ does pose challenges relating to vagueness, increased powers of the executive, conceptual and funding issues, among others, but overall provides a strong base for policymakers to realign their priorities as per the requirements of today.


*Views expressed in the blog are personal and should not be attributed to the institution.

References:

  1. Kalevi J. Holsti, The State, War, and the State of War (1996), Pg. 15.
  2. Group Captain Ajay Lele, “Technology and National Security” Indian Defence Review Issue Vol 24.1 Jan-Mar 2009.
  3. Swain, A., 2015. “Water Wars”. In: International Encyclopaedia of the Social & Behavioural Sciences, 2nd edition, Vol 25. Oxford: Elsevier. pp. 443–447.
  4. Tickner J. A. (1997b), “Re-visioning Security”, in: International Relations Theory Today, eds. K. Booth, S. Smith, Polity Press Cambridge.
  5. Tickner, J. (1993). “Gender in International Relations: Feminist Perspectives on Achieving Global Security” Political Science Quarterly.
  6. J. Ann Tickner, “Re-visioning Security,” International Relations Theory Today (Ken Booth and Steve Smith, eds., 1994), p. 180.
  7. Beshi, T.D., Kaur, R. “Public Trust in Local Government: Explaining the Role of Good Governance Practices”. Public Organiz Rev 20, 337–350 (2020).

Technology & National Security Reflection Series Paper 3: Technology and the Paradoxical Logic of Strategy

Manaswini Singh*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

In the present essay, the author reflects upon the following question: 

According to Luttwak, “The entire realm of strategy is pervaded by a paradoxical logic very different from the ordinary ‘linear’ logic by which we live in all other spheres of life” (at p. 2) Can you explain the relationship between technological developments and the conduct of war through the lens of this paradoxical logic?

Introducing Luttwak’s Paradoxical Logic of Strategy

While weakness invites the threat of attack, technologically advanced nations with substantial investment in better military technology and R&D that are capable of retaliation, have the power to persuade weaker nations engaged in war to disengage or face consequences. Initiating his discussion on the paradox of war, Luttwak mentions the famous roman maxim si vis pacem, para bellum which translates to – if you want peace, prepare war. Simply understood, readiness to fight can ensure peace. He takes the example of the Cold War to discuss the practicality of this paradoxical proposition. Countries that spend large resources in acquiring and maintaining nuclear weapons resolve to deter from first use. Readiness at all times, to retaliate against an attack is a good defensive stance as it showcases peaceful intent while discouraging attacks altogether. An act of developing anti-nuclear defensive technology – by which a nation waging war may be able to conduct a nuclear attack and defend itself upon retaliation – showcases provocativeness on its part.

The presence of nuclear weapons, which cause large scale destruction, have helped avoid any instance of global war since 1945. This is despite prolonged periods of tensions between many nations across the globe. Nuclear weapons are an important reason for the maintenance of international peace. This is observable with India and its border disputes with China and Pakistan where conflicts have been frequent and extremely tense leading to many deaths. Yet these issues have not escalated to large scale or a full-fledged war because of an awareness across all parties that the other has sufficient means to engage in war and shall be willing to use the means when push comes to shove. 

Using the example of standardisation of antiaircraft missiles, Luttwak points out that “in war a competent enemy will be able to identify the weapon’s equally homogeneous performance boundaries and then proceed to evade interception by transcending those boundaries… what is true of anti aircraft missiles is just as true of any other machine of war that must function in direct interaction with reacting enemy – that is, the vast majority of weapons.”


Luttwak’s Levels of Strategy

The five levels of strategy as traced by Luttwak are: 

  1. Technical interplay of specific weapons and counter-weapons.
  2. Tactical combat of the forces that employ those particular weapons.
  3. Operational level that governs the consequences of what is done and not done tactically.
  4. Higher level of theatre strategy, where the consequences of stand alone operations are felt in the overall conduct of offence and defence.
  5. The highest level of grand strategy, where military activities take place within the broader context of international politics, domestic governance, economic activity, and related ancillaries.

These five levels of strategy create a defined hierarchy but outcomes are not simply imposed in a one-way transmission from top to bottom. These levels of strategy interact with one another in a two-way process. In this way, strategy has two dimensions: the vertical dimension and the horizontal dimension. The vertical dimension comprises the different levels that interact with one another; and the horizontal dimension comprises the dynamic logic that unfolds concurrently within each level.

Situating Technological Advancements Within Luttwak’s Levels of Strategy

In the application of paradoxical logic at the highest level of grand strategy, we observe that breakthrough technological developments only provide an incremental benefit for a short period of time. The problem with technological advancement giving advantage to one participant in war is that this advantage is only initial and short-lasting. In discussing the development of efficient technology, Luttwak gives an example of the use of torpedo boats in warfare, which was a narrow technological specialisation with high efficiency. Marginal technological advancements of pre-existing tech are commonplace occurrences in militaries. The torpedo naval ship was a highly specialised weapon i.e. a breakthrough technological development which was capable of causing more damage to larger battleships by attacking enemy ships with explosive spar torpedoes. The problem with such concentrated technology is that it is vulnerable to countermeasures. The torpedo boats were very effective in their early use but were quickly met with the countermeasure of torpedo boat destroyers designed specially to destroy torpedo boats. This initial efficiency and technical advantage and its ultimate vulnerability to countermeasures is the expression of paradoxical logic in its dynamic form.

When the opponent uses narrowly incremental technology to cause damage to larger and costlier weapons, in the hopes of causing a surprise attack with the newly developed weapon, a reactionary increment in one’s weaponry is enough to neutralise the effects of such innovative technologically advanced weapon(s). The technological developments which have the effect of paradoxical conduct in surprising the opponent and finding them unprepared to respond in events of attacks can be easily overcome due to their narrowly specialised nature. Such narrowly specialised new technologies are not equipped to accommodate broad counter-countermeasures and hence the element of surprise attached with such incremental technology can be nullified. These reciprocal force-development effects of acts against torpedo-like weapons make the responding party’s defence stronger by increasing their ability to fight and neutralise specialty weapons. Luttwak observed a similar response to the development of anti-tank missiles, which was countered by having infantry accompany tanks.

Conclusion

The aforementioned forces create a distinctly homogenous and cyclical process which spans the development of technology for military purposes, and concomitant countermeasures. In the same breath, one side’s reactionary measure also reaches a culmination point and can be vulnerable to newer technical advancement for executing surprise attacks. Resources get wasted in responding to a deliberate offensive action in which the offensive side may be aware of defensive capabilities and is just aiming to drain resources and cause initial shock. This can initiate another cycle of the dynamic paradoxical strategy. Within the scheme of the grand strategy, what look like deadly and cheap wonder weapons at the technical level fail due to the existence of an active thinking opponent. These opponents can deploy their own will to engage in response strategies and that can serve as a dent to the initial strategic assumptions and logic.

In summary, a disadvantage at the technical level can sometimes also be overcome at the tactical level of grand strategy. Paradoxical logic is present in war and strategy, and the use of technology in the conduct of war also observes the dynamic interplay of paradoxical logic. Modern States have pursued technological advancements in ICT domains and this has increased their dependence on high-end cyber networks for communication, storage of information etc. Enemy States or third parties that may not be equipped with equally strong manpower or ammunition for effective adversarial action may adopt tactical methods of warfare by introducing malware into the network systems of a State’s critical infrastructure of intelligence, research facilities or stock markets which are vulnerable to cyber-attacks and where States’ inability in attribution of liability may pose additional problems.


*Views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 2: Sun Tzu’s Art of War: Strategy or Stratagems?

Manaswini Singh*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question:

Edward Luttwak critiques Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of ‘strategy’. Do you agree with this assessment? Why/ why not?

Introduction to Luttwak

Edward Luttwak in his book Strategy: The Logic of War and Peace discusses the conscious use of paradox versus the use of linear logical and straightforward military tactics as means of strategy of war. According to Luttwak, strategy unfolds in two dimensions i.e. the vertical and the horizontal dimensions. 

The vertical dimension of strategy deals with the different levels of conflict. Among others his work considers the technical aspect, the operational aspects, the tactical as well as strategic ones. The horizontal dimension of strategy is the one involving dealing with an adversary i.e. the opponent whose moves we seek to reverse and deflect. 

A grand strategy is a confluence of the military interactions that flow up and down level by level, forming strategy’s vertical dimension, with the varied external relations among states forming strategy’s horizontal dimension.      

While discussing the paradoxes inherent in war, he mentions the famous Latin maxim si vis pacem, para bellum which translates to – if you want peace, prepare for war. Simply understood, readiness to fight can ensure peace (Emphasis added). He says that situations of conflict tend to reward paradoxical logic of strategy which leads to lethal damage sometimes in defying straightforward logical action.


Critiquing Luttwak’s Assessment of Sun Tzu’s Art of War

Sun Tzu’s military treatise the Art of War comprises chapter-wise lessons and basic principles discussing key war subject matters like laying plans, logistics of waging war, importance of a military general, the requirement of deception in war, resources, surprise attack, attack by stratagem, tactical dispositions, knowing the strength of one’s army in opposition to the other and attacking accordingly, preparedness for surprise, political non-interference in war chain of command, defense, quick and decisive attack, seeking victory as opposed to battle, use of energy to one’s advantage, managing the army, strengths and weaknesses, arrival on battle ground, opponent’s weakness, significance of secrecy and identifying weak places and attacking those. Secrecy and deception are crucial tactics of war for Sun Tzu who on one hand goes so far as to say that all war is based on deception.

Luttwak, on the other hand, finds deception and secrecy to be costly plans in armed conflicts. He discusses the Normandy Surprise attack and Pearl Harbor raid. The diversion created to mislead the opponent involves costs and diverts valuable resources when engaging in paradoxical action and maintaining secrecy of the actual plan of action but he fails to acknowledge the success of these operations. Luttwak also fails to provide alternatives to those strategies which showcase a desirable end achievable by other better replaceable means, especially when deceptions proved effective.

In the example of the 1943 battle of Kursk, Luttwak himself negates his earlier claims of high-risk uncertain war tactics being more harmful than useful, by highlighting Stalin’s trust in the intelligence information received about the German attack. The Soviet leader, on deliberation, decided to take a defensive stance in the battle, giving the German forces an initial offensive advantage. But this defensive measure was taken to draw the Germans into a trap and to destroy their armors creating conditions for an effective counteroffensive by the Soviet army. The Chinese general’s principles of knowing one’s enemy favored the Russian leader immensely. Having a well-equipped and robust army, he ordered his men to surround and attack the Germans, giving effect to Sun Tzu’s principles. Luttwak seems stuck on the strategy of surprise attacking the weakest zone of the opponent while forgoing other lessons from Sun Tzu’s work on intelligence, importance of spies and knowing one’s enemies as well as we know ourselves.

In Luttwak’s view, operational risks and the incidence of friction will ultimately affect the combat by reducing effectiveness of manpower or resources. But when parties waging war are not on an equal footing of resources and manpower and combat risk is already high, operational risks may prove to be better chosen risks as compared to combat risks when outnumbered by the enemy’s weaponry and manpower. Meeting an opponent with equal strength and resources may be more common nowadays than it was in ancient times, and here is where Sun Tzu’s principles lose some contemporary application. But a dismissal of his principles as cheap tricks remains extreme. 

The Role of Diplomatic Engagement: A Blind Spot in the Art of War?

Luttwak emphasizes strategy involving the existence of an adversary and recognizing the existence of another in one’s plan of war and postulates that the Chinese system now or historically does not engage in this. Chinese do not look into the enemy and decide their own actions in isolation. He alleges lack of diplomacy in its historical events due to the geography which minimized interaction between kingdoms. His argument is that the Art of War was composed in the backdrop of Chinese culture that flourished with jungles to the south, protected by the sea towards east, thinly populated areas and of Tibet to its west and an empty northern border which was the entryway for infrequent invasions.

According to Luttwak, intra-cultural conflict between kingdoms in this isolated culture hindered the advent of diplomacy in Chinese culture. Conversely, in Europe, the interaction between sovereign states arguably made strategies and elaborate planning a necessity. Adversarial logic is important for him in strategizing and in his opinion this was not present due to lack of third party intervention in China unlike Europe. He says Sun Tzu’s tactics work best intra-culturally because in dealing with foreigners, prediction becomes a more tedious and a less accurate task. But Sun Tzu himself stresses the knowledge of the enemy’s tactics to be an important aspect of strategy building by a general preparing for war. He has recognized the existence of an adversary and penned down military tactics that constitute the Art of War accordingly. The term ‘enemy’ in his treatise cannot be assumed to be exclusive of an enemy sovereign state.

Relevance of the Art of War in Modern Times

To Luttwak, Chinese geography did not facilitate diplomacy. But the researcher argues that geography plays an important role in strategizing, as acting in accordance with terrain and natural forces is specific to the places. Sun Tzu’s ideas of utilizing the heaven (weather) and earth (terrain) to one’s advantage place importance on the geographical terrain and weather conditions in one’s favor. Principles cannot be dismissed as cheap tricks just because they were not formulated in the era of modern warfare between nation-states that are enabled by high technology, especially when these wars involve the existence of nuclear weapons and other high-tech means of warfare rather than mere low-tech close contact combat more prevalent in former times. Modern strategy promotes economic war rather than military wars. This may be the contextual limitation to the strict application of Sun Tzu’s principles in modern contexts. But reliance on infantry as a method of warfare is also resorted to in armed conflict and Sun Tzu’s writings cannot be held obsolete in this regard.

Sun Tzu promoted non-interference of the sovereign in the General’s command of war, so as to prevent confusion in the minds of troops with regard to the chain of command. Contemporary developments in international politics create a heavy political and bureaucratic influence on military strategy; and war and politics are intertwined so deeply in the relations of States that this aspect of Sun Tzu’s principles seems irrelevant. But to the extent that we are concerned with the ground level operational chain of command, it must still be vested in the capable hands of military strategists and commanders of forces with minimal interference by members of political parties even when in power. 

The nature of national armed forces of sovereign states is such that the commanders are individuals of authority whose commands derive authority from their military ranks and because of their expertise in the ground realities of conflict. An established chain of command headed by experienced high ranking officials of a state’s military is pivotal for effective execution of war strategy.

Sun Tzu gave importance to secrecy and spying as important methods of maintaining information awareness in warfare. Modern day nation-states are diverting heavy funding to national intelligence agencies and keep the gathered information out of the general public’s knowledge. For example in India, as per section 24 of the Right to Information Act of 2005, the Intelligence Bureau and National Security Guard of the Ministry of Home Affairs of India are a few of the intelligence and security organizations that are exempted from the state’s duty to divulge information to the public. Military secrets and secret missions today are still as relevant as they were in Sun Tzu’s time or even during the World Wars.

Final Conclusion

Luttwak agrees that actions based on paradoxical logic have always been a prevalent military tactic and will still remain to exist in the most competent military tactics even when straightforward logical tactics that avoid operational risks are favored for parties with great strength, power and number. He gives the example of Israeli armed forces whose actions became predictable and were intercepted by opponents appropriately. But Sun Tzu’s work provides for the use of a more direct attack when one is stronger than the opponent. He stressed the importance of non-repetition of surprise tactics so as to not make the enemy aware of such patterns that become predictable. Even in the case of deceptive attacks of a strong Israeli force, a straightforward logical attack was a digression from its common strategy of attacking weak points and can be taken to be an unanticipated move digressing from Israel’s general tactics.

A paradoxical action is not synonymous to an illogical action. In many strategies like that of the Viet Cong, a paradoxical action as opposed to a straightforward linear act is most suited to ascertain or increase the probability of winning.1 In current times, the Art of War acts as an inspiration. It gives broader strategic principles rather than clever tricks, with its own set of limitations due to technological development and political relevance within war i.e. due to increased friction at vertical level due to variables (factors that were either unknown or avoidable in ancient times but are relevant now). Luttwak’s dismissal of the ancient text as clever tricks may be motivated because of the text being ancient or because of prejudice against eastern political systems by the west as barbaric but that certainly does not completely delete the influence of the Art of War as an important text on war and strategy.


* The views expressed in the blog are personal and should not be attributed to the institution.

References

  1.  Luttwak, Edward N., Strategy, The Logic of War and Peace, The Belknap Press of Harvard University Press, 2001, pp. 13-15.

Introducing the Reflection Series on CCG’s Technology and National Security Law and Policy Seminar Course

In February 2022, CCG-NLUD will commence the latest edition of its Seminar Course on Technology and National Security Law and Policy (“the Seminar Course”). The Seminar Course is offered to interested 4th and 5th year students who are enrolled in the B.A. LL.B. (Hons.) programme at the National Law University, Delhi. The course is set against the backdrop of the rapidly evolving landscape of international security issues, and concomitant challenges and opportunities presented by emerging technologies.

National security law, viewed as a discrete discipline of study, emerges and evolves at the intersection of constitutional law; domestic criminal law and its implementation in surveillance; counter-terrorism and counter-insurgency operations; international law including the Law of Armed Conflict (LOAC) and international human rights law; and foreign policy within the ever-evolving contours of international politics.

Innovations and technological advancements in cyberspace and next generation technologies serve as a jumping off point for the course since they have opened up novel national security issues at the digital frontier. New technologies have posed new legal questions, introduced uncertainty within settled legal doctrines, and raised several legal and policy concerns. Understanding that law schools in India have limited engagement with cyber and national security issues, this Seminar Course attempts to fill this knowledge gap.

The Course was first designed and launched by CCG-NLUD in 2018. In 2019, the Seminar Course was re-designed with the help of expert consultations to add new dimensions and debates surrounding national security and emerging technologies. The redesign was meant to ground the course in interdisciplinary paradigms in a manner which allows students to study the domain through practical considerations like military and geo-political strategy. The revised Seminar Course engages more deeply with third world approaches, which helps situate several issues within the rubric of international relations and geopolitics. This allows students to holistically critique conventional precepts of the international world order.

The revamped Seminar Course was relaunched in the spring semester of 2020. Owing to the sudden countrywide lockdown in the wake of COVID-19, most sessions shifted online. However, we managed to navigate these exigencies with the support of our allies and the resolve of our students.

In adopting an interdisciplinary approach, the Seminar Course delves into debates at the intersection of national security law and policy, and emerging technologies, with an emphasis on cybersecurity and cyberwarfare. Further, the Course aims to:

  1. Recognize and develop National Security Law as a discrete discipline of legal studies, and
  2. Impart basic levels of cybersecurity awareness and inculcate good information security practices among tomorrow’s lawyers.

The Technology and National Security Seminar Reflection Paper Series (“The Reflection Series”) is meant to serve as a mirror of key takeaways and student learnings from the course. It will be presented as a showcase of exceptional student essays which were developed and informed by classroom discussions during the 2020 and 2021 editions of the Seminar Course. The Reflection Series also offers a flavour of the thematic and theoretical approaches the Course adopts in order to stimulate structured discussion and thought among the students. A positive learning from these two editions is that students demonstrated considerable intellectual curiosity and had the freedom to develop their own unique understanding and solutions to contemporary issues—especially in the context of cyberspace and the wider ICT environments. Students were prescribed atypical readings and this allowed them to consider typical issues in domains like international law through the lens of developing countries. Students were allowed to revisit the legitimacy of traditional sources of authority or preconceived notions and assumptions which underpin much of the orthodox thinking in geostrategic realms like national security.

CCG-NLUD presents the Reflection Series with a view to acknowledge and showcase some of the best student pieces we received and evaluated for academic credit. We thank our students for their unwavering support and fruitful engagement that makes this course better and more impactful.

Starting January 5, 2022, select reflection papers will be published three times a week. This curated series is meant to showcase different modules and themes of engagement which came up during previous iterations of the course. It will demonstrate that CCG-NLUD designs the course in a way which covers the broad spectrum of issues which cover topics at the intersection of national security and emerging technology. Specifically, this includes a showcase of (i) conceptual theory and strategic thinking, (ii) national security through an international and geostrategic lens, and (iii) national security through a domestic lens.

Here is a brief glimpse of what is to come in the coming weeks:

  1. Reimagining Philosophical and Theoretical Underpinnings of National Security and Military Strategy (January 5-12, 2022)

Our first reflection paper is written by Kushagra Kumar Sahai (Class of ’20) in which he evaluates whether Hugo Grotius, commonly known as the father of international law owing to his seminal work on the law of war and peace, is better described as an international lawyer or a military strategist for Dutch colonial expansion.

Our second reflection paper is a piece written by Manaswini Singh (Class of ’20). Manaswini provides her take on Edward Luttwak’s critique of Sun Tzu’s Art of War as a book of ‘stratagems’ or clever tricks, rather than a book of strategy. In a separate paper (third entry), Manaswini also undertakes the task of explaining the relationship between technological developments and the conduct of war through the lens of the paradoxical logic of strategy.

Our fourth reflection paper is by Animesh Choudhary (Class of ’21) on Redefining National Security. Animesh, in his submission, points out several fallacies in the current understanding of national security and pushes for “Human Security” as an alternative and more appropriate lens for understanding security issues in the 21st century.

  2. International Law, Emerging Technologies and Cyberspace (January 14-24, 2022)

In our fifth reflection paper, Siddharth Gautam (Class of ’20) explores whether cyber weapons could be subjected to any regulation under contemporary rules of international law.

Our sixth reflection paper is written by Drishti Kaushik (Class of ’21) on The Legality of Lethal Autonomous Weapons Systems (“LAWS”). In this piece, she first presents an analysis of what constitutes LAWS. She then attempts to situate modern systems of warfare like LAWS and its compliance with traditional legal norms as prescribed under international humanitarian laws.

Our seventh reflection paper is written by Karan Vijay (Class of ’20) on ‘Use of Force in modern times: Sisyphus’ first world ‘boulder’. Karan examines whether under international law, a mere threat of use of force by a state against another state would give rise to a right of self-defence. In another piece (eighth entry), Karan writes on the authoritative value of interpretations of international law expressed in texts like the Tallinn Manual with reference to Article 38 of the Statute of the International Court of Justice i.e. traditional sources of international law.

Our ninth reflection paper is written by Neeraj Nainani (Class of ’20), who offers his insights on the Legality of Foreign Influence Operations (FIOs) under International law. Neeraj’s paper queries the legality of the FIOs conducted by adversary states to influence elections in other states through the use of covert information campaigns (such as conspiracy theories, deep fake videos, “fake news”, etc.) under the established principles of international law.

Our tenth reflection paper is written by Anmol Dhawan (Class of ’21). His contribution addresses the International Responsibility for Hackers-for-Hire Operations. He introduces us to the current legal issues in assigning legal responsibility to states for hacker-for-hire operations under the due diligence obligation in international law.

  3. Domestic Cyber Law and Policy (January 28- February 4, 2022)

Our eleventh and twelfth reflection papers are two independent pieces written by Bharti (Class of ’20) and Kumar Ritwik (Class of ’20). These pieces evaluate whether the Government of India’s ongoing response to the COVID-19 pandemic could have benefited if the Government had invoked emergency provisions under the Constitution. Since the two pieces take directly opposing views, they collectively produce a fascinating debate on the tradeoffs of different approaches.

Our thirteenth and fourteenth reflection papers have been written by Tejaswita Kharel (Class of ’20) and Shreyasi (Class of ’20). Both Tejaswita and Shreyasi interrogate whether the internet (and therefore internet access) is an enabler of fundamental rights, or whether access to the internet is a fundamental right unto itself. Their analyses rely considerably on the Indian Supreme Court’s judgement in Anuradha Bhasin v. Union of India which related to prolonged government mandated internet restrictions in Kashmir.

We will close our symposium with a reflection paper by Romit Kohli (Class of ’21), on Data Localisation and National Security: Flipping the Narrative. He argues that the mainstream narrative around data localisation in India espouses a myopic view of national security. His contribution argues the need to go beyond this mainstream narrative and constructs a novel understanding of the link between national security and data localisation by taking into consideration the unintended and oft-ignored consequences of the latter on economic development.

A Brief Look at the Tamil Nadu Cyber Security Policy 2020

This post is authored by Sharngan Aravindakshan.

The Tamil Nadu State Government (State Government) released the Tamil Nadu Cyber Security Policy 2020 (TNCS Policy) on September 19, 2020. It has been prepared by the Electronics Corporation of Tamil Nadu (ELCOT), a public sector undertaking which operates under the aegis of the Information Technology Department of the Government of Tamil Nadu. This post takes a brief look at the TNCS Policy and its impact on India’s cybersecurity health.

The TNCS Policy is divided into five chapters –

  1. Chapter-I (Outline of Cyber Security Policy);
  2. Chapter-II (Security Architecture Framework – Tamil Nadu (SAF-TN));
  3. Chapter-III (Best Practices – Governance, Risk Management and Compliance);
  4. Chapter-IV (Computer Emergency Response Team – Tamil Nadu (CERT-TN)); and
  5. Chapter-V (Cyber Crisis Management Plan).

Chapter-I, titled ‘Outline of Cyber Security Policy’, contains a preamble which highlights the need for the State Government to have a cyber security policy. Chapter-I also lays out the scope and applicability of the TNCS Policy, which is that it is applicable to ‘government departments and associated agencies’, and covers ‘Information Assets that may include Hardware, Applications and Services provided by these Agencies to other Government Departments, Industry or Citizens’. It also applies to ‘private agencies that are entrusted with State Government work’ (e.g. contractors, etc.), as well as ‘Central Infrastructure and Personnel’ who provide services to the State Government, which is likely a reference to Central Government agencies and personnel.

Notably, the TNCS Policy does not define ‘cyber security’, choosing to define ‘information security management’ (ISM)  instead. ISM is defined as involving the “planning, implementation and continuous Security controls and measures to protect the confidentiality, integrity and availability of Information Assets and its associated Information Systems”. Further, it states that Information security management also includes the following elements –

(a) Security Architecture Framework – SAF-TN;

(b) Best Practices for Governance, Risk Management and Compliance (GRC);

(c) Security Operations – SOC-TN;

(d) Incident Management – CERT-TN;

(e) Awareness Training and Capability Building;

(f) Situational awareness and information sharing.

The Information Technology Department, which is the nodal department for IT security in Tamil Nadu, has been assigned several duties with respect to cyber security including establishing and operating a ‘Cyber Security Architecture for Tamil Nadu’ (CSA-TN) as well as a Security Operations Centre (SOC-TN) and a state Computer Emergency Response Team (CERT-TN). Its other duties include providing safe hosting for Servers, Applications and Data of various Departments /Agencies, advising on government procurement of IT and ITES, conducting training programmes on cyber security as well as formulating cyber security related policies for the State Government. Importantly, the TNCS Policy also mentions the formulation of a ‘recommended statutory framework for ensuring legal backing of the policies’. While prima facie it seems that cyber security will have more Central control than State, given the nature of these documents, any direct conflict is in any case unlikely.

Chapter-II gives a break-up of the Cyber Security Architecture of Tamil Nadu (CSA-TN). The CSA-TN’s constituent components are (a) Security Architecture Framework (SAF-TN), (b) Security Operations Centre (SOC-TN), (c) Cyber Crisis Management Plan (CCMP-TN) and (d) the Computer Emergency Response Team (CERT-TN). It clarifies that the “Architecture” defines the overall scope of authority of the cyber security-related agencies in Tamil Nadu, and also that while the policy will remain consistent, the Architecture will be dynamic to meet evolving technological challenges.

Chapter-III deals with best practices in governance, risk management and compliance, and broadly covers procurement policies, e-mail retention policies, social media policies and password policies for government departments and entities. With respect to procurement policies, it highlights certain objectives, such as building trusted relationships with vendors for improving end-to-end supply chain security visibility and encouraging entities to adopt guidelines for the procurement of trustworthy ICT products. However, the TNCS Policy also specifies that it is not meant to infringe or supersede existing policies such as procurement policies.

On the subject of e-mails, it emphasizes standardizing e-mail retention periods on account of the “need to save space on e-mail server(s)” and the “need to stay in line with Federal and Industry Record e-Keeping Regulations”. E-mail hygiene has proved to be essential, especially for government organizations, given that the malware discovered in one of the nuclear facilities situated in Tamil Nadu is believed to have entered the systems through a phishing email. However, surprisingly, other than e-mail retention, the TNCS Policy does not deal with e-mail safety practices. For instance, the Information Security Best Practices released by the Ministry of Home Affairs provides a more comprehensive list of good practices, which includes specific sections on email communications and social engineering. These do not find mention in the TNCS Policy.

On social media policies, the TNCS Policy makes it clear that it prioritizes the ‘online reputation’ of its departments. However, employees are advised against reacting online and are instead to pass on this information to the official spokesperson for an appropriate response. The TNCS Policy also counsels proper disclosure where personal information is collected through online social media platforms. Some best practices for safe passwords are also detailed, such as password age (no reuse of any of the last ten passwords, etc.) and length (passwords may be required to have a minimum number of characters, etc.).

Chapter-IV highlights the roles and responsibilities of the Computer Emergency Response Team – Tamil Nadu (CERT-TN). It specifies that CERT-TN is the nodal agency responsible for implementing the Security Architecture Framework, for monitoring, detecting, assessing and responding to cyber vulnerabilities, cyber threats and incidents, and for demonstrating cyber resilience. The policy also recognizes that CERT-TN is the statutory body that is authorized to issue directives, guidelines and advisories to government departments. It will also establish, operate and maintain the Information Security Management systems for the State Government.

CERT-TN will also coordinate with the National or State Computer Security Incident Response Teams (CSIRTs), government agencies, law enforcement agencies, and research labs. However, the “Coordination Centre” (CoC) is the designated nodal intermediary between the CERT-TN and governmental departments, CERT-In, State CERTs, etc. under the TNCS Policy. The CoC will also be responsible for monitoring responses to service requests, delivery timelines and other performance related issues for the CERT-TN. The TNCS Policy makes it clear that Incident Handling and Response (IHR) will be as per Standard Operation Process Manuals (prepared by CERT-TN) that will be regularly reviewed and updated. “Criticality of the affected resource” will determine the priority of the incident.

Significantly, Chapter-IV also deals with vulnerability disclosures and states that vulnerabilities in e-Governance services will only be reported to CERT-TN or the respective department if they relate to e-Governance services offered by the Government of Tamil Nadu, and will not be publicly disclosed until a resolution is found. Other vulnerabilities may be disclosed to the respective vendors as well. An upper limit of 30 days is prescribed for resolving reported vulnerabilities. An ‘Incident Reporter’ reporting in good faith will not be penalized “provided he cooperates with the stakeholders in resolving the vulnerability and minimizing the impact”, and the Incident Reporter’s contribution in vulnerability discovery and resolution will be publicly credited by CERT-TN.

Chapter-IV also mandates regular security assessments of the State Government’s departmental assets, a help-desk for reporting cyber incidents, and training and awareness programmes both for CERT-TN and by CERT-TN for other departments. Departments will also be graded by “maturity of Cyber Security Practices and Resilience Strength by the Key Performance Indicators”. However, these indicators are not specified in the policy itself.

Chapter-V is titled ‘Cyber Crisis Management Plan’ (CCMP), meant for countering cyber-attacks and cyber terrorism. It envisages establishing a strategic framework and actions to prepare for, respond to, and begin to coordinate recovery from a Cyber-Incident, in the form of guidelines. ‘Detect’(ing) cyber-incidents is noticeably absent in this list of verbs, especially considering the first chapter which laid emphasis on the CERT-TN’s role in “Monitoring, Detecting, Assessing and Responding” to cyber vulnerabilities and incidents.

In conformity with CERT-In’s Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism, which requires ministries / departments of State governments and Union Territories to draw up their own sectoral Cyber Crisis Management Plans in line with CERT-In’s plan, the TNCS Policy establishes the institutional architecture for implementing such a plan. The TNCS Policy contemplates a ‘Crisis Management Group’ (CMG) for each department, constituted by the Secretary to the Government (Chairman), Heads of all organizations under the administrative control of the department and the Chief Information Security Officers (CISO)/Deputy CISOs within the department. It will be the task of the CMG to prepare a contingency plan in consultation with CERT-In, as well as coordinate with CERT-In in crisis situations. The TNCS Policy also envisions a ‘Crisis Management Cell’ (CMC), under the supervision of the CMG. The CMC will be constituted by the head of the organization, CISO, head of HR/admin and the person In-charge of the IT Section. The TNCS Policy also requires each organization to nominate a CISO, preferably a senior officer with adequate IT experience. The CMC’s priority is to prepare a plan that would ensure continuity of operations and speedy restoration of an acceptable level of service.

Observations

The TNCS Policy is a positive step, with a whole-of-government approach towards increasing governmental cyber security at the State government level. However, its applicability is restricted to governmental departments and their suppliers / vendors / contractors. It does not, therefore, view cyber security as a broader ecosystem that requires each of its stakeholders including the public sector, private sector, NGOs, academia, etc. to play a role in the maintenance of its security and recognize their mutual interdependence as a key feature of this domain.

Given the interconnected nature of cyberspace, cyber security cannot be achieved only through securing governmental assets. As both the ITU National Cybersecurity Strategy Guide and the NATO CCDCOE Guidelines recommend, it requires the creation and active participation of an equally robust private industry, and other stakeholders. The TNCS Policy does not concern itself with the private sector at large, beyond private entities working under governmental contracts. It does not set up any initiatives, nor does it create any incentives for its development. It also does not identify any major or prevalent cyber threats, specify budget allocation for implementing the policy or establish R&D initiatives at the state level. No capacity building measures are provided for, beyond CERT-In’s training and awareness programs.

Approaching cyber security as an ecosystem, whose maintenance requires the participation and growth of several stakeholders including the private sector and civil society organisations, and then using a combination of regulation and incentives, may be the better way.