Cyber Deterrence: Mitigation of the Threat from the Virtual Medium

“History teaches us that a purely defensive posture poses significant risks. When we apply the principle of warfare to the cyber domain, as we do to sea, air, and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests”.

General James Cartwright, Commander in Chief, US Strategic Command

Cyberspace is a virtual medium, far less tangible than ground, water, air or even space and the RF spectrum. One way to understand cyberspace is to view it as comprising of three layers, the physical layer, a syntactic layer sitting above the physical and a semantic layer sitting on top[1]. All information systems rest on the physical layer. Removal of the physical layer causes the system to disappear from the virtual medium as well. The syntactic level contains the instructions that designers and users give the computer system and the protocols through which computers interact with one another like device recognition, addressing, routing, document formatting, database manipulation, etc. This is the level at which hacking finds a place of existence, as human intruders seek to assert their own authority over that of designers and cyberspace users. The topmost i.e., the semantic layer, contains the information in the machine.

Cybersecurity has emerged as the present century’s most difficult security challenge. The global digital economy hinges on a fragile system of undersea cables and private sector led partnerships, while the most complex military command and control systems can be interfered with by non-state actors as well as rogue states. A grand jury in the United States in May 2014, indicted five members of the Chinese military with hacking into American computer networks and engaging in cyber espionage on behalf of a foreign government. Among the entities targeted were nuclear technology developer, Westinghouse and a large integrated specialty metal company headquartered in Pittsburgh[2]. Incidents such as these and a spate of revelations about cyber attacks worldwide have caused key policy makers to be perplexed with the enormity of the problem. Technology continues to race ahead of the ability of policy and legal communities to keep pace with it.  At the same time international cooperation remains stubbornly difficult, both among governments as well as between them and the private sector entities. In 2007, the International Telecommunication Union (ITU) set up a High-Level Experts Group to try to address the problem but progress made so far is fairly slow. The European Union and Asia-Pacific Economic Cooperation (APEC) are working on the issue at the respective regional levels[3].

Cyber Deterrence

Deterrence aims to create dis-incentives for starting or carrying out hostile action. The target threatens to punish bad behavior but implicitly promises to withhold punishment if there are no bad acts or atleast none that meet some threshold. Deterrence consists of essentially two basic components - the expressed intention to defend a certain interest and the demonstrated capability actually to achieve the defense of the interest in question or to inflict such a cost on the attacker that, even if he should be able to gain his end, it would not seem worth the effort to him. If deterrence is anything that dissuades an attack, it is usually said to have two components: deterrence by denial (the ability to frustrate the attacks) and deterrence by punishment (the threat of retaliation).

Cyber deterrence is repeatable since no act of cyber retaliation is likely to eliminate the offending state, leading to the government’s overthrow, or even disarming of a state. Cyber deterrence is also symmetric because it takes place among peers. The target state (the potential retaliator) does not, a priori, occupy a higher moral ground than the attacker. Cyber deterrence is an effective means of reducing the threat of cyber attacks. It focuses on deterring a nation’s adversaries from attacking its critical infrastructure, both civil and military. The goal is to reduce the risk of cyber attacks to an acceptable level, at an acceptable cost since information security is vital and non-negotiable.

India’s Cyber Deterrence Policy

The Information Technology (Amendment) Bill, 2008[4] provides the broad framework to govern the use of information technology in India. It defines a variety of activities as cyber crimes, making them punishable by imprisonment and fines. Crimes such as tampering with source code documents, hacking, publishing and transmitting of obscene electronic information, publishing of false digital signature certificates for fraudulent or unlawful purposes are covered under the ambit of the act.

The Indian cyber law is primarily designed to promote e-commerce, but also incorporates key elements of cyber deterrence. The law introduces the concept of ‘protected system’. The central government has been given the powers to declare any computer, computer system or computer network as a ‘protected system’ by notification in the official Gazette and any attempt to hack into such a system is a deemed offence. For the first time in the legislative history of India, cybersecurity has not only been given tremendous focus but also has been given a clear legal definition. Cybersecurity is defined as “protecting information equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification, or destruction”.[5] In addition, a variety of new kinds of crimes involving the sending of offensive messages through communications services or communication devices now have penalty provisions. Thus offenses like cyber defamation, cyber nuisance, cyber harassment and cyber stalking have been brought within the ambit of Indian cyber law. Identity theft, an increasingly common practice, is now also subject to criminal penalty. Cyber terrorism has also been defined in the widest possible terms and has been now made a heinous crime punishable by up to lifetime imprisonment and fines.

The private sector in India which is equally vulnerable to Cybersecurity threats has launched many initiatives to support cyber deterrence. The Indian banking and financial sectors have been particularly active in this area. The RBI has mandated all banks to follow stringent Internet banking guidelines, which are aimed at enhancing security and reducing risks and private banks are putting in place added security safeguards to protect third party data.

Implications for India

The proliferation of IT in India, coupled with low levels of security awareness (at personal, corporate and governmental levels) offers high vulnerability to attacks from hostile national, sub-national and non-state actors /entities. In May 2008, a report in the Times of India national daily identified more than 50,000 operational botnets in India which could be employed to render inoperable government and military communication networks and wreak havoc on command and control during military conflict[6]. That the apparatus in India to counter the surge of cyber attacks is highly inadequate may be an understatement. Arbor Networks undertook a research for the Govt to assess the national cyber threat. The report alarmingly states that 2013 witnessed a huge rise in attacks against the banking & financial services sectors and Government establishments too faced such frequent attacks. The consultancy firm stated that there was a 136% increase in cyberthreats and attacks against government organisations and 126% against financial services organizations in India[7]. Highlights of the report are,

• Banks, financial and government institutions are main targets.
• 136% increase in cyberthreats and attacks against government.
• Financial services organisations including banks witnessed a 126% increase in cybercrimes.
• 34% of Indian financials (institutions) reported cyberthreats and attacks in 2013 — up 15% from 2012.
• 43% of Government organisations reported cyberthreats and attacks — up 19% from 2012.

Cyber Terrorism. Many amendments to the IT legal provisions are on the anvil but fail to specifically address the use to telecommunications equipment, electronic devices and networks in assisting, planning or executing physical acts of terror in India. The IT Act provides for creation of a Computer Emergency Response Team (CERT) to address cyber security incidents, but falls short of establishing an operational body for proactive defence of India’s information and electronic assets. The Defence Information Warfare Agency (DIWA) established to handle all aspects of information warfare, including psychological operations, cyber war, EM spectrum and soundwaves, is responsible for aggressive Information Operations (IO) in India. However, the agency’s capability for co-ordinated IO action against adversaries is unknown and untested. Cyber forensics capability also needs to be built up since India’s weaknesses in this field was revealed when it had to rely on FBI to trace the 26/11 email allegedly sent from Hyderabad by the so-called ‘Deccan Mujahideen’, to Lahore[8]. It is essential that as part of an overall security preparedness strategy, all infrastructure and networks supporting government, military and essential services must go through security hardening procedures which must include regular security audits. Also the government must encourage security awareness training across the board to anyone who accesses sensitive information electronically, including ministers, Armed Forces personnel and diplomats.

Key Recommendations

• India needs to draw out a cohesive and comprehensive cybersecurity plan, which should outline how various components of India’s actions in cyberspace should be coordinated to produce the most effective system of cyber deterrence possible.
• Resources in terms of government and private funding, strategies and structures for execution of a National cyber deterrence plan.
• India needs to participate actively in all forms of international cooperation on cybersecurity to promote more unified policies in the face of cyber threats.
• Our cybersecurity laws need to be further strengthened so as to transform them into a more potent deterrent.
• India needs to ensure that its existing laws are effectively implemented and do not remain mere provisions on paper. Constitution of IT courts and Police Cyber Crime divisions would strengthen the legal fangs.
• Undertake periodic assessment of cyber threats to national and critical infrastructure and institutions including financial (stock exchanges) and banking sector and draw out mitigation strategies to deal with them.
• Private sector shies away from investment in cyber deterrence due to practically no return on investment (RoI), thus failing to acknowledge the threats and vulnerabilities. Govt to make mandatory provisions in company laws for all companies to invest in cyber security.
• Creation of a tri-service Cyber Command under HQ IDS to integrate with the DIWA under DIA.
• Introduction of biometric access to security installations and multi-layered protocol for access to sensitive information.

Conclusion

The transformation of the Internet from an elite research network to a mass communications medium through socail networking paltforms, has altered the global cyber-threat equation dramatically. The global Information and Communication Technology (ICT) systems can be exploited by a variety of illegitimate users and can even be used as a tool in state-level aggression. Rapid adaptation of newer IT enabled technologies the worldover presents challenges that India has no choice but to address.  Due to the nature of cyber warfare, cyber deterrence, cyber espionage and cyber terrorism, no nation can truly be invulnerable to attacks. Cyber attacks will continue to be weapons of choice to many due to grey areas of jurisdiction in bringing perpetrators to book, relative anonymity of operating over the Internet and the negligible cost associated with mounting a cyber attack against an adversary. India can, to a large extent, effectively mitigate many of these risks by establishing a robust mechanism to govern the use of information technology in the nation, providing for a centralised  structure for proactive defence of information assets, aggressive IO and swift cyber forensic analysis enabled by potent cyber laws (IT Act), thus establishing a process to regularly evaluate information technology risks with national security implications including the state of preparedness and training on information security awareness issues at personal, corporate, military and governmental levels.