With Independence Day seeing a flurry of articles on India’s progress over the years, now is as good a time as any to see how India has fared in the cyber domain. On the face of it, it would seem that India is no better or worse off than other countries. It has not faced any debilitating cyber attacks despite having adversarial relations with countries that have advanced cyber capabilities. Experts ascribe this to the fact that friend and foe alike are content to sit on the networks and harvest the data for information. However, successive stories of leakage of data are sufficient to indicate there are any number of vulnerabilities in networks, systems and software that can be exploited by adversaries. The increasing reported instances of cybercrime only serves to bear this out. On the policy front, while there has been considerable progress in fashioning proactive policies in a number of areas central to cyber security from safeguarding critical information infrastructure to fostering start-ups, the moot questions are whether a) these policies are sufficient and b) whether they are being effectively implemented. There are other areas where policies are urgently needed but are developing at a snail’s pace such as in encryption, even as new technological developments such as blockchain technologies are in urgent need of policy direction to enable a healthy environment for their development. With the increasing militarisation of cyberspace, there is also a need for understanding the role of the military and the intelligence agencies in cyberspace, and developing doctrines as well as concretising operational issues such as chains of command, etc. While India has taken a more pro-active interest in the international debates on cyber security, and is actively participating in international fora, its position on many issues is yet to be clearly delineated. The deeply interlinked nature of activities in cyberspace means that all these policy issues and areas are deeply interlinked which creates enormous challenges for policy makers.
India had a head start in the cyber-domain, being one of the first countries to have an Information Technology Act, and to set up Computer Emergency Response Team (CERT). The potential for Information and Communications Technologies to drive growth and development was seen as early as the 1970s when the National Informatics Centre (NIC) was setup to provide information technology solutions to the government. The 1980s saw increased utilisation of communications technologies through the establishment of country-wide networks, among these, the National Informatics Centre Network (NICNET), a nationwide VSAT network for public sector organisations, which also connected the central government with the state governments and district administrations, and the Education and Research Network (ERNET), which served the academic and research communities. Internet service for the public was made available from August 14, 1995. Today, India has not only the second largest user base worldwide with over 462 million users, but also has the fastest growth with an increase of 108 million over the previous year. This was largely due to the drop in data tariffs by over 75% over the previous year.
Successive governments have been proactive in using information and communication technologies (ICT) to improve governance and accelerate development. The present government has taken these efforts to a new level by making internet connectivity and digitalisation the cornerstone of many of its activities. Just one of these campaigns, the Digital India Campaign has a number of ambitious goals, from creating broadband highways, improving delivery of government services, and reducing electronics imports. Others like Start-up India endeavour to have digital products created in India rather than just consuming those created elsewhere. The Aadhaar unique identification card initiative, with over a billion numbers generated, functions on a digital backbone, with the biometric data stored in a central database.
The vast expansion in all things digital has increased the attack surface for adversaries. Recent attacks around the world on critical infrastructure ranging from electricity grids to financial institutions to even nuclear plants make the various doomsday scenarios of Cyber Armageddon, quite plausible. Response and remediation to these attacks show that governments, largely have a limited role in emergency response to such attacks, other than monitoring and providing advisories through the relevant organisations. Their role is more towards pre-empting attacks, through, on the one hand, enacting policies to reduce the risks and locate vulnerabilities, as well as formulating broader policies that enhance security but are also flexible enough to allow for openness, innovation and privacy. These policies need to be addressed across many domains, from law enforcement, to commerce, to data security, as well as India’s approach to global internet governance policy.
How has India fared so far? In terms of creating legal and administrative frameworks, this has been an on-going process for over two decades though implementing them has proved to be the more difficult part. Though many of them are deeply interlinked and should by rights be carefully sequenced, these frameworks have often been developed piecemeal and in isolation, and have taken an inordinately long time to implement in a domain where policymaking cannot keep pace with technology even in the most advanced countries. To give a few examples, a privacy law and a data protection law are essential to safeguard the individual at a time when companies are mining data streams of individuals for a variety of purposes and even selling them to third parties. In terms of implementation, the most glaring example is that of the Cyber Appellate Tribunal the apex body to try cases of cyber fraud which has been without a Chairperson since 2011 and has nearly all the cases from 2010 in pending status. Cases of cybercrime have gone up exponentially even as the rate of conviction remain abysmally low. Companies and individuals are easily susceptible to cybercrime because of low cyber literacy, lack of awareness especially about cyber hygiene and best practices.
Policy makers, whether in the Ministry of Home Affairs (looking at cybercrime), the Ministry of Electronics and Information Technology (looking at issues of cyber security) or at nodal agencies are hamstrung by a number of seemingly immutable factors, ranging from the fact that much of the software and hardware is of foreign origin, and much of the data resides on foreign servers. This is getting further exacerbated with increasing digitalisation as companies in just about every sector, critical or otherwise, are entering into collaboration with application service providers without undertaking due diligence, in a rush to provide apps and services to customers. The security ramifications of the headlong rush to digitalisation are yet to be fully comprehended. The fact that much of the infrastructure rests in the privates sector also hamstrings the government’s room for manoeuvre in terms of fashioning and implementing policies to secure the digital environment. As a case in point, in just one sector, telecom, the National Telecom Policy of 2012 had set a target for domestic telecom equipment to meet Indian telecom sector demands to the extent of 60-80 per cent by 2020 after it was noted that over 60% of the equipment was being sourced from China. That laudable goal notwithstanding, the fact is that even today, the vast majority of telecom equipment, amounting to Rs. 70,000 crores annually, continues to be imported from China.
The sheer size of the population, the federal setup, legacy issues, the multiplicity of agencies concerned with cyber security, lack of experienced and expert manpower in not just core areas of cyber security, but also in law enforcement and the judiciary, are all factors that will see the cyberspace environment become progressively worse before it gets better. The security aspects of new technologies and concepts from cloud computing to the internet of things and driverless cars to crypto-currencies, to name just a few, will provide more regulatory and policy headaches for policymakers in the coming days.
The external environment has also turned darker in recent times, as countries turn to militarisation following the failure of collaborative efforts to evolve norms to secure cyberspace. Norms development has been an on-going process for well over a decade in the United Nations and other fora, and for a time, looked to be making some progress, particularly in the Group of Governmental experts process instituted by the First Committee of the United General Assembly tasked with promoting Peace and Disarmament. The very success of the process seems to have led to its own un-doing as different groups of countries tried to secure their interests by putting forward untenable proposals. While the United States and its allies were supportive of the process initially, the bias towards multi-lateralism is probably one reason why there was no attempt made at arriving at a consensus report leading to a collapse of the process in 2017.
India has participated in many of the norm-making mechanisms related to cyber-security though it has tended to take nuanced positions based on its interests. The preference has hitherto been for multilateral fora since India faces the same problems other developing countries face at multi-stakeholder fora; that of limited participation due to limited funding for other stakeholder, disinterest on the part of stakeholders in the private sector, as well as limited domain expertise and exposure. Efforts are being made to enhance participation in multi-stakeholder fora, be it in internet governance or cyber security. Having said that, the multilateral/multi-stakeholder debate has taken on the shape of a proxy battle on ideological lines. As security considerations come to the fore, even liberal Western countries are imposing stringent regulations and laws without consulting other stakeholders.
In fact, India’s vision of a fair and equitable multi-stakeholder mechanism could be said to blur the distinction between multi-lateralism and multistakeholderism, viewing this as a false dichotomy. In his message to ICANN53 where India formally signed up to the multi-stakeholder process, the Minister of Communications mooted a ‘multi-layered’ system of multilateral and multi-stakeholder institutions working on a common platform that will support equity, innovation, collaboration and inclusion. India has begun to more actively participate in organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the de facto global internet governing body, and is also holding the next iteration of the Global Conference on Cyberspace under the aegis of the London Process, a state-sponsored summit originally initiated to propagate the values and ideals of a global and open cyberspace. On the whole though, as consensus on the basic tenets of securing cyberspace and the means of doing so continues to evade the global community, the various seminars, conferences and commissions risk being relegated to being nothing more than talking shops.
On the bilateral front, India has signed MoUs on enhancing cyber security co-operation with a number of countries. There has also been a deepening of dialogues with a few countries such as Israel, the United States and Russia with substantive proposals on exchange of information, expertise and co-operation in research and development. Co-operation with the United States is the most crucial but also the most problematic. On the law enforcement side, there are multiple hindrances when it comes to co-operation ranging from lack of familiarity with US procedures and laws, and using out-dated mechanisms such as mutual legal assistance treaties (MLATS) and Letters Rogatory to obtain information and evidence for judicial cases that take an inordinate amount of time and effort to process. On the intelligence side, historically, effective two-way co-operation has been less than optimal since the agencies in the US intelligence constellation tend to provide information on a need-to-know basis. The cyber intelligence agencies have gone a step further and have been found actively hacking into the networks of friends and foes alike.
The militarisation of cyberspace continues apace as countries set up cyber commands, and gather up cyber ammunition in the form of exploits, vulnerabilities and malware. The United States has, in recent days, elevated the status of its Cyber Command to that of a Combatant Command. Though this is largely an administrative decision to separate it from the National Security Agency (NSA), it further accentuates the emerging arms race in cyberspace. India’s approach has been exceptional and sober, with the government taking a graduated response, first undertaking to set up a Cyber Defence Agency which would presumably upgraded to a Cyber Command. While this is a measured and restrained approach, scaling up should be a continuous process with set timelines, fixed structures and budgets. While the services are currently struggling jointness in the Armed Forces, jointness in cyber security should go beyond the Armed Forces and merge civilian capabilities as well. While on the one hand, the Armed forces bring in the expertise, operational capability and a clear mandate to defend the nation from any external threat and also house technical expertise, the private sector also has much to contribute in terms of domain knowledge, technical and financial resources. A cyber strategy would be effective only if it succeeds in synchronising the capacities, infrastructure and expertise spread throughout the government, the armed forces and the private sector.
The fact that the country has not yet been subject to a cyber attack of a magnitude that would impact on the life of the citizens, or cause the economy to crash should not give rise to complacency and the feeling that “all is well” as far as the country’s cyber security is concerned. Attacks in the recent past have taken place through known vulnerabilities, as in the case of the Wannacry ransomware attack, as well as through unknown vectors. While some progress has been made in setting in place structures to improve the country’s cyber security posture such as appointing a National Cyber Security Co-ordinator, setting up a National Cyber Co-ordination Centre, creating sectoral CERTs, activating the National Cyber Infrastructure Protection Centre, augmenting the expertise of the judiciary and of law enforcement, providing funding for R&D, more remains to be done. At the operational level, the most pressing issues are providing existing agencies with more teeth to enforce regulatory requirements, whether it be in reporting cyber attacks or sharing information. The capacities and capabilities of these agencies should be augmented to the required level. This also holds true for law enforcement and forensic agencies as well. At the policy making level, the time has probably come to have cyber security elevated as a specific Ministerial level responsibility to send the message down the line of its importance. This is not to suggest that a separate Ministry with attendant bureaucracy be set up but that the subject itself should be elevated to the apex level. Ultimately, the conversation that needs to take place is that between strategic experts, domain experts and policy makers to pinpoint the specific areas of weakness and how they can be plugged, the strategic calculations behind attacks, the policy actions that need to be taken to secure the country’s cyberspace, and that dialogue is, as yet, not happening to a sufficient degree.
(Cherian Samuel is Research Fellow in the Strategic Technologies Centre at the Institute for Defence Studies and Analyses (IDSA). Views expressed are personal.)
(This article is carried in the print edition of September-October 2017 issue of India Foundation Journal.)