India need a cyber doctrine and policy for critical national infrastructure protection
India need a cyber doctrine and policy for critical national infrastructure protection
Advertisement

The news regarding attempts of Chinese hackers in December 2021 and January 2022 to attack State Load Dispatch Centres (SLDCs) near the LAC was considered by many as routine. Of course, the military establishment would have taken a serious note. However, the people of India should understand the more significant consequences of cyber-attack, which do not remain restricted only to disruption in internet connectivity or financial transactions.

From a security point of view, such cyber-attacks aim to collect information to prepare for any future activity by the People’s Liberation Army. China’s ‘Science of Military Strategy’, published by the PLA’s Academy of Military Sciences, speaks of “winning local wars under the conditions of informationization” (2013). China has modernised its cyber warfare units through this initiative, thereby possessing both offensive and defensive technologies. Combined with its wolf-warrior diplomacy and its eyes on Ladakh and Arunachal, it leaves no room for doubt that in the future, China will have intentions and the power to unleash cyber-warfare against both civilian and military establishments in India.

Advertisement

How can a future warfare situation look? Malware can be unleashed on an adversary’s Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) that can go undetected for months or probably years until the system is on a very high operational level in times of an open conflict. Alternatively, the electrical grids that supply electricity to the military bases, hospitals, and print and online media could be cut off just before a major offensive. Even AI can be used to create fake videos and deliver them to infinite end users of the internet. Such videos can attempt to disturb the internal peace and security of the country. It might occur even before retaliatory attacks are initiated, or the country comes to terms with the new realities. Future warfare would thus be swift, intense, and of a relatively shorter duration of 5-6 hours or maybe of a few days. Such an attack blurs the lines of distinction and neutrality as outlined by the International Humanitarian Law.

The proliferation of offensive cyber capabilities of our adversaries and their easy access even to non-state actors has created tactical issues of an asymmetric power struggle. Such weaponisation makes space as well as non-space-based communications mechanisms vulnerable to cyber-attacks. Currently, in the realm of cyber deterrence, the government possesses passive deterrence or the deterrence by denial in which the cyber-attacks are thwarted. In this scenario, cyber security experts focus on building resilient networks to secure the digital infrastructure and minimise the attacks. To ensure a double safety mechanism and hence success, the operational domain should be expanded to include active deterrence, ensuring an equal and proportionate cyber retaliation. More retaliatory or disruptive capabilities should be incorporated into the armed forces’ operational domain. Such technologies can be a relatively inexpensive affair to protect the indigenously developed missile systems, which have taken years of hard work of our scientists and others who have contributed to it.

At the highest level, the armed forces should be able to disable the military command and structure system and create alternate pathways to their missile command system. Active deterrence will ensure a scenario wherein adversary’s missiles would not be able to take off, or their trajectories can be altered to secure the country. Strategic communication of our deterrent declaration is a must to ensure the credibility of our response which should be able to instil fear in the perpetrator’s mind. Cyber power projection will deter the adversary from initiating attacks in the first place. Additionally, they can be coupled with the active use of artificial intelligence and other propaganda and psychological warfare techniques.

As it is clear that we need to prepare for a mix of open hostilities and hybrid warfare, we can consider what other countries are doing for their cyber defence. Washington’s National Security Presidential Directive No. 54 (2008) adopted a comprehensive approach to cyber security. Later, in 2010, the National Security Strategy of the US prioritised the digital infrastructure as a strategic national asset and hence warranted a national policy to ensure its safety. Further, the U.S. missile defence strategy has actively included a ‘left-of-launch’ strategy in which pre-emptive action is taken to prevent the adversary from launching missiles. This has been used actively against Iran for its national security interests. On the lines of the US, NATO adopted an enhanced policy and action plan on cyber defence in 2014.

In the context of Russia, its Information Security Doctrine (2000) had enlisted threats endangering information support and had mentioned threats of propaganda and psychological warfare that “the propaganda of specimens of mass culture based on the cult of violence or on spiritual and moral values contrary to the values adopted in Russian society”. It also paved the way for adopting different measures to enhance the security of systems related to “informatizing weapons and military equipment, security of troop and arms control systems, and the security of management systems for environmentally hazardous and economically important enterprises”. The ongoing conflicts between Russia and Ukraine have actively used AI maliciously apart from the cyber-attacks.

Through its National Cyber Security Policy (2021), Pakistan has treated cyber-attacks at par with attacks on the core aspects of national security and hence speaks of “active defence” in a very camouflaged manner. Further, its doctrine of ‘full spectrum’ deterrence (2013) that replaced ‘minimum deterrence’ seeks to “plug the gaps” ranging from “sub-conventional to strategic levels” surely has components of cyber-attacks. Although India has taken maiden steps in the right direction by institutionalising bilateral research with Australia to improve regional cyber resilience by creating a joint ‘Centre of Excellence for Critical and Emerging Technology Policy’, much needs to be done with other strategic partners.

Two-three years from now, the geopolitical and the tactical situation will be more hostile, and if the situation demands that India revisit its NFU status in the case of its nuclear missiles, an essential condition will mandate that the missiles are loaded with the warheads and kept for ready to launch, unlike what it is today. Then in such a case, it would be a matter of extreme necessity to adopt a similar approach to the ‘left-of-launch’ strategy, which involves pre-emptive action to prevent the adversary from launching missile attacks.

For the aforesaid purpose, we should focus on the development of indigenous technologies apart from getting help from our strategic allies such as Russia, France and Japan. Also, cooperative mechanisms at the level of QUAD and AUKUS should be initiated for joint cyber defences. In the last few years, the government’s visionary strategic foresight has led to the establishment of various agencies such as the office of the National Cybersecurity Coordinator and a National Critical Information Infrastructure Protection Agency (NCIIPC). They are parallel to the Defence Cyber Agency (DCA) and the Military Defence Space Agency (DSA) of the Indian Armed Forces. However, a synchronisation or a fusion of the civilian and the military establishments and the incorporation of a strategic doctrine encompassing power projection for a fruitful deterrence is a must.