Cyber Security Becoming a Critical Component Of National Security
Given defence and security initiatives are mostly conceptualized and led at the level of the national governments, they inevitably and organically become a critical component of national security
While Internet was first developed as part of a country’s national defence project, the same technologies have increasingly become the cornerstone of our everyday personal and professional lives. However, the widespread usage and the sheer ubiquity of the cyber world have also triggered questions on cyber security in a way engineering a ‘back to defence’ project. Because such defence and security initiatives are mostly conceptualized and led at the level of the national governments, they inevitably and organically become a critical component of national security. And national security is a broader all-encompassing term most commonly embodying the military aspects and understood as such; it also intersects with economic and financial security, health security, among several others. That critical national infrastructure (both defence and non-defence) including sensitive government and public assets and installations are all inter-linked through Internet thereby being increasingly susceptible to predatory cyberattacks, cyber security has become an integral part of national security.
A 2017 Symantec report had described India as the second most targeted country and third most in terms of detection of attacks. In recent months, a Kaspersky report showed India facing a 37 per cent rise in cyberattacks in the first quarter of 2020 compared with the previous quarter. Furthermore, it was reported in June that there had been a whopping 500 per cent surge in cyber security attacks since the lockdown.
What constitutes cyber security in military offensive terms?
Apart from the obvious cyber component of military hardware and weaponry, a cyber battlefield could involve the following: intelligence collection by way of exploitation of captured digital media, exploration of data feeds of adversaries’ unmanned aerial systems, securing operational friendly UAVs, accessing closed networks in or near the area of operations, using electronic warfare systems as delivery platforms for precision attacks, conducting cyberspace intelligence, surveillance, and reconnaissance (ISR) operations and launching offensive social media operations, among others.
The Indian government initiatives so far
From the promulgation of IT Act in 2000 to the setting up of National Technical Research Organisation (which includes National Institute of Cryptology Research) and Indian Computer Emergency response Team (CERT-in) in 2004 to coming up with a National Cyber Security Policy in 2013 to the establishment of a National Critical Information Infrastructure Protection Centre (NCIIPC) in 2014 to the appointment of a National Cyber Security Coordinator in 2015, the government has initiated the process in the right earnest. Although the NCIPPC was initiated embracing several sectors, it has been progressively streamlined to subsume the following five critical sectors: power and energy; banking, financial institutions and insurance; information and communication technology; transportation; and e-governance and strategic public enterprises. Each of these sectors can be considered a lifeline in their own right and any major disruption of any one of them can constitute a threat to national security itself. Very shortly, a National Cyber-Security Strategy 2020 pending a Cabinet approval will make an appearance designed with an eye on offering comprehensive cyber security solutions for the country.
Elevation of cyber security: The ‘paramountcy’ of national security
Both the NTRO and the National Cyber Security Coordinator function directly under the Prime Minister’s Office. The fact that National Security Council Secretariat examined aspects of cyber security in collaboration with Data Security Council of India implies a strong national security-level approach to the subject. Furthermore, that the mandate of the DRDO has been expanded to support national cyber security architecture inclusive of testing capabilities, security solutions, networking systems and cyber defence tools again is a testament to treating of cyber security as a component of defence and national security. At the same time, it is important to note that although defence and intelligence agencies have been placed under the Critical Information Infrastructure (CII) framework, they have been kept out of the purview of the NCIIPC’s charter. In addition, that there is no outside audit of the cyber security services of the three defence forces implies that cyber security has automatically been elevated as well as subjected to the ‘paramountcy’ of national security.
The Chinese entering Indian cyber systems through the investment ‘backdoor’
In recent years, the Chinese have devised ingenious ways of making inroads into the cyber systems containing Indian users’ data. Now, instead of Chinese companies directly attempting to steal Indian user data, several Chinese state-backed businesses are effectively doing the same thing by way of making huge investments into Indian companies and unicorns. Interestingly, Chinese are making investments selectively into large firms with enormous consumer traction which would allow them access to humongous amount of data on Indian users. Therefore, an investment or a partnership with Indian companies gives them ready access to this data which is sent to servers in China for further misuse and manipulation. The Chinese military could potentially use that data to map Indian people’s habits, movements, networks and locations vis-à-vis key public and private installations in major cities, strategic towns and resource centres. Given that information, misinformation, disinformation, and propaganda are tools of modern war, such prior information advantage could add to the Chinese firepower in the eventuality of a real war between the two countries.
The challenges that lie ahead
Need for an integrated single point of command: First, there is a need for a centralized command to have oversight and to coordinate and synchronize efforts to handle larger cyber security issues. At present, each of the top critical bodies such as RBI, SEBI, IRDAI, TRAI, among others, have different cyber security framework for their regulatory entities. So, it is imperative that we develop an inter-regulator coordination backed by an integrated single point of command to handle both defence and non-defence related cyber incidents and security issues.
Common standards and protocols necessary: Second, we need to have uniform standards, protocols and norms across the country in the cyber landscape. The agencies involved include ministry of electronics and information technology (MeitY), Indian Standards Institute (ISI), Bureau of Indian Standards (BIS) and NCCIPC. We also need to develop something on the lines of the US’ National Institute of Standards and Technology (NIST).
Time to develop code-breaking capability: Third, we can truly master the cyber universe only when India develops the capability to break codes. At present, India does not have any credible code breaking capability. Because of the introduction of the 128 or the 256 bits keys, breaking of code has been rendered extremely difficult.
A trusted public private partnership need of the hour: Fourth, a trusted partnership between the government and the private cyber community and experts needs to be nurtured. Typically for the private sector, the commercial and proprietary reasons that shape their cyber defence framework also constrain their sharing of information with government agencies in case of a breach. From the government’s standpoint, sharing of information would potentially compromise intelligence sources and methods. This trust deficit needs to be addressed by way of finding a balance. As privatization of defence unfolds, it is unclear who would be responsible for cyber security issues of the defence industry. A healthy collaboration between the government and the private must show the way forward.
Amendment of IT Act and institution of data privacy laws required: Fifth, the IT Act needs to be further refined in keeping with the hi-tech and the sophisticated nature of the cyber threat today. Additionally and in tandem, data privacy laws have to be introduced and brought into effect.
Strengthening technical foundations the key: Sixth, unless the technical foundations of our Internet systems are strengthened, our systems will remain vulnerable. For, some of the technical products that we use in everyday work are still dependent on other countries. In order to secure the internet in a fool-proof manner, the hardware devices must be built indigenously with in-built security features. Until this is achieved, cyber security and therefore national security would remain ‘porous’ and vulnerable.
Therefore, cyber technologies have increasingly become an integral part of defence as well as non-defence infrastructure with inherent implications for national security. That an adversary could employ these same technologies to hurt us in all ways should keep us on our toes. A ‘cyber-26/11’ or a ‘cyber-Ladakh’ can never be ruled out.