When it comes to cyber security in our country, there is a lot to achieve. This write-up discusses some of the issues of strategic significance with respect to the provision of cyber security. The blog is in three parts, in which the various issues and their redressal are dealt with. This part focuses on governance and operational issues.
While at one end of the spectrum one can envisage security strategies at the level of individual business entities, here we shall look at issues at the national strategic level; in other words, at issues which are of importance towards securing our national cyberspace.
The main players involved in securing our national cyberspace are the government; the defence forces which, though being part of the government, are best treated as a separate entity when dealing with national security; the industry; the academia and finally the citizen at large. There is a need to contextualize this discussion in relation to the different types of cyber-attacks, which may be broadly classified under the heads of cyber warfare, espionage (political or industrial), terrorism, crime and hacktivism. The top targets of strategic significance are government and defence infostructures as well as designated Critical Information Infrastructures (CIIs). While cyber-attacks may be carried out at the nation-state level, be state sponsored, or be carried out at group or individual levels, only attacks which are launched either by a nation-state or are state-sponsored are of concern at the strategic level. Amongst the types of attacks, cyber-warfare, espionage and terrorism are likely to have state backing.
We refer to cyberspace as the fifth domain, the other four domains being land, sea, air and space. These domains have relevance mainly with reference to state-on-state conflicts. Yet, at least in the Indian context, there is hardly any discussion on cyber security vis-à-vis such conflicts, which in cyberspace translate to cyber warfare and which are essentially the charter of the Ministry of Defence. It would not be far off the mark to state that the focus so far in India has been on cyber-crime, hacktivism and industrial cyber espionage, while state-level cyber warfare, offensive and defensive, has not received the consideration it deserves. This piece will endeavour to highlight some relevant aspects in this area.
The strategic issues which will be dealt with here pertain to policy, strategy and governance, some operational approaches, cyber audit and red-teaming, R&D aspects and finally issues related to the critical area of skill development. An attempt has been made to delve into those areas which have, so far, received either scant attention or none at all. Also, the discussion here analyses several issues from the perspective of our defence forces, insofar as their role in securing our national cyberspace is concerned, as also from the point of view of existing strategies and practices in the defence environment which may find wider applicability.
Policy, Strategy and Governance
Cyberspace Capabilities – Need for Urgency
The Information Technology Act was promulgated in 2000, the IT Amendment Act in 2008, and the National Cyber Security Policy in 2013. CERT-In was established in 2004, and based on Sec 70A of the IT Act (Amendment) 2008, NCIIPC came into existence in 2014, while the NCCC (first phase) was established this year. Both CERT-In and NCIIPC are primarily advisory in nature, with limited response capabilities. Approval for establishment of a limited Defence Cyber Agency, instead of a full-fledged Cyber Command, has been given this year, and this too is expected to take at least a few years to set up.
The above cyber security milestones in India do not appear to reflect the urgency which is dictated by the emergence of cyberspace as an active domain of conflict in the global warfighting arena. Although the general awareness on cyber security at all levels is improving, in the absence of serious cyber-attacks directly affecting individual stakeholders (government, defence, CII, industry), a sense of complacency appears to be prevalent in most quarters. This needs to change.
Unlike the US, UK, Australia, Japan, even Estonia, and almost certainly China and Russia, we do not yet have a National Cyber Security Strategy. It is time to move beyond policy, guidelines and advisories and come up with such a strategy, which clearly lays down the approach, objectives and a time-bound plan for adequately securing our national cyberspace.
Cyberspace Governance Architecture
Presently, at the national level we have the CERT-In (with the National Cyber Coordination Centre (NCCC) under it) and the National Critical Information Infrastructure Protection Centre (NCIIPC) in place for protecting our cyber assets, with the former functioning under MEITY and the latter under the NTRO/ PMO. A Cyber Security Operations Centre (Cyber SOC) under MEITY is also expected to come up soon. This current organizational architecture for cyber governance at the national level perhaps needs a review. Specifically, there appears to be a case for a permanent apex authority which coordinates, and better still subsumes, the functioning of CERT-In as well as NCIIPC, similar perhaps to the recently established National Cyber Security Centre of the UK.
Military vis-a-vis Civilian Control of Cyberspace
Countries like the United States (as also China and the UK, amongst others) perceive cyber threats from the lens of national security, and thus their cyber threat management strategy is military-centric, handled by the US Cyber Command under the US STRATCOM/ DoD. The US formally declared Cyberspace as an operational domain of warfare as early as the year 2011. Subsequently, many other countries, including India, have followed suit. The European Union and some other countries, on the other hand, view vulnerabilities in cyberspace primarily as a threat for commerce and data integrity, leaving their management to mostly civilian authorities.
In India, the NCIIPC functions under PMO/ RAW/ NTRO while the NCCC functions under MEITY. It needs to be deliberated upon whether or not the CERT-In/ NCIIPC combination functioning under the coordination of the National Security Advisor (NSA) is the right apex structure to tackle state-on-state cyber conflict as part of multi-domain war, which should logically be the charter of the Ministry of Defence. Further, given our national security landscape, the division of authority/ responsibility between military and civil authorities as regards protection of our national cyberspace needs to be spelt out in unambiguous terms.
It is often said that, in defence strategies, deterrence precedes protection, resilience and response. Nuclear deterrence has largely been responsible for a reduction in large-scale conventional conflicts after World War II. Conventional military capabilities also have significant deterrence value. Given the ‘non-attributable’ as well as ‘asymmetric’ characteristics of cyber-attacks, the concept of deterrence in the cyber domain takes on a different flavour, making it a current subject of study by the major players in cyberspace. However, it is fairly evident that there can be no effective cyber defence strategy based purely on a protection/ resilience/ response paradigm. Therefore, India too needs to incorporate cyber deterrence in its national cyber security strategy and develop capabilities accordingly. Specifically, the various connotations and inter-se importance of Deterrence-by-Denial vis-à-vis Deterrence-by-Retaliation in the cyber domain need to be studied, and steps taken to operationalize the concept of Cyber Deterrence.
In military operations it is often stated that offence is the best form of defence, an approach sometimes termed “Active Defence.” Although both “Deterrence” and “Active Defence” need offensive capabilities, there is a difference between the two concepts, in that the former implies a “force in being” while the latter involves the actual employment of offensive capabilities after a conflict breaks out. Both involve the possession and employment of offensive cyber capabilities, which therefore need to be developed and used to advantage towards protecting our national cyberspace.
Centralized Management of CII Protection
The NCIIPC has been designated as the national nodal agency for all measures to protect the nation’s CII. Although its stated objectives include delivering advice that aims to reduce the vulnerabilities of critical information infrastructure, identification of critical information infrastructure elements, providing strategic leadership to respond to cyber security threats, etc., it is also clearly stated in its charter that the basic responsibility for protecting a CII system shall lie with the agency running that CII. Given the large number of government and private agencies involved in the management of CII, there appears to be a strong case for a more centralized control/ authority/ responsibility for protecting our national critical cyberspace.
The Indian Army cyberspace is air-gapped from the Internet, a strategy which has proved quite effective in shielding it from cyber-attacks from across the globe. The US DoD secure networks (SIPRNet and NIPRNet) also adopt air-gapping as a cyber-protection mechanism. Of course, there are ways and means to carry out cyber-attacks across the air-gap, exemplified best by the Stuxnet attack on Iran’s nuclear centrifuges. While the Stuxnet attack resorted to social engineering, there are electronic, acoustic, magnetic and physical means as well which may be resorted to for carrying out cyber-attacks across a physical air-gap, collectively known as out-of-band covert channels (OOB-CC). However, the degree of difficulty of these is very high as compared to attacking physically connected networks. There is a need to study whether some form of “air-gapping” needs to be adopted as an approach towards protecting our CII at the national level, as also by the industry for its critical operations.
Defence in Depth
The Indian Army network is topologically structured as a three-level hierarchy. At the highest level is the entire network, air-gapped from the global cyberspace. At the next level, it has Zonal Access Networks, with zones roughly corresponding to stations. At the lowest level are LANs spanning individual headquarters/ units/ establishments. Protection measures are implemented at each level of the hierarchy. For instance, there may be a station-level firewall and DMZ, and a similar arrangement at headquarters/ unit level as well. In the civilian cyberspace, network architecture is usually structured as a single-level hierarchy, not air-gapped, and protected at the perimeter with firewalls, etc. – in other words, a flat hierarchy of government/ industry networks, each responsible for its own defence. With the maturing of cloud services and an increasingly permissive BYOD environment, the definition of perimeters is gradually getting blurred. Nevertheless, in order to achieve defence in depth, especially in the context of our CIIs, there appears to be a strong case to implement a multiple-level hierarchical security architecture, engineered and controlled by a central authority as discussed above.
With the increasing adoption of cloud technologies, where both computing and storage move out of the physical premises of establishments, network security becomes more complex. On the other hand, there is a view that securing cloud-based infrastructure would in fact be simpler as compared to securing individual enterprise networks. In view of this, the NCIIPC perhaps needs to come up with standard security architectures for cloud-based implementations, at least for the CIIs.
Several notable issues related to cyberspace strategy and governance, as also some approaches to cyberspace management and operations at the apex level, have been highlighted above. The next part of this blog will discuss the imperative of developing offensive cyber capabilities at the national level.