Cyber warfare no longer remains a figment of science fiction but a proximate reality that states need to grapple with when framing geo-strategic policy. The challenge lies in reigning in the use of this sphere, which has rapidly proliferated into becoming an essential part of human existence today. The main barrier to cohesive normative regulation is its global ubiquity, which has prevented the development of universal consensus because states differ in their economic and political ambitions. A second barrier is the ‘non-physical’ nature of cyber-warfare, which has made the task of applying traditional principles of international law a challenge.
The failure of the United Nations Group of Governmental Experts (UN-GGE) earlier this year to agree upon a universal set of norms to govern the use of cyberspace is therefore not surprising – even if it is disappointing, given the initial progress made by the same body in recent years. To prevent this stalemate from de-generating into cyber anarchy, normative certainty leading to predictable state behaviour can still be catalysed by the framing of clear national or regional cyber strategies backed up by justifications in international law for the positions articulated.
Last week, The Wire reported that a committee formed under the aegis of India’s National Security Council Secretariat and headed by former ambassador to the United Nations, Asoke Mukherji, has been set up to “suggest policy and strategy for India for development and negotiating of cyber norms.” This would of course catapult India to a leadership position at the cyber norms high table. More crucially, it would also send a signal to the wider world that India not only has a credible deterrence strategy in place but also has the intent to act through the utilisation of cyberspace. This posturing could deter the kind of acts that have plagued the region in the past few months and lead to long-term stability.
How deterrence works in cyberspace
Classical deterrence theory rested on two main prongs – a credible threat of punishment due to retaliation and denial of gains due to a robust defence mechanism. In nuclear deterrence theory, the first prong clearly overshadowed the second, given the challenges in mounting effective defence to a nuclear threat. In the cyber sphere, however, the problems of attributing an attack to a state or non-state actor and identifying precisely the number of adversaries and assets involved prevents the efficacy of punishment oriented retaliation.
While the attribution problem is a valid concern, it should not detract from the use of cyberspace in a ladder of retaliatory options – both to conventional and cyber attacks.
Martin Libicki of the RAND Corporation creates a hierarchy of retaliatory options in order of belligerency – diplomatic, economic, cyber, physical force and finally, nuclear force. So, the strategic use of cyber warfare could seek to serve the goal of deterrence through punishment, without reaching the levels of belligerency and consequent, instability, which would arise if physical or nuclear force were to be used instead. If articulated clearly in India’s cyber strategy, it would therefore imply that – depending on the severity of the attack coming in from its neighbours – India could respond to high-intensity cyber threats through the use of physical force and low-intensity physical attacks, such as border infiltration, with cyber-attacks. Thus, cyber deterrence becomes a part of the composite strategy looking to deter the full spectrum of hostile acts. However, the problem of attribution remains and India’s cyber strategy should clearly identify standards of attribution which would enable the tracing back of an attack to a state or non-state entity.
The second prong of deterrence by denial could also play a unique role in crafting India’s cyberspace strategy. In a seminal article written earlier this year, Joseph Nye stresses the importance of this form of deterrence which is not stifled by the problems of attribution. As of today, cyber defences are fairly porous and strategically, offence can be far more fruitful than defence. However, the development of robust cyber defences can not only augment the capacity to thwart a cyber-attack and recover from it but also reduces the incentive to the attacker of carrying out the attack in the first place. This is where perception of a country’s resilience mechanism becomes crucial. If a potential attacker perceives that India’s Electronic Voting Machines or its Aadhaar database are protected by robust security mechanisms, it is far less likely to bear the costs of mounting such an attack given the low chances of success. Again, public posturing becomes important to let the potential adversary know about existing defence mechanisms.
The two other forms of deterrence identified by Nye are the related constructs of entanglement and normative taboos. Entanglement refers to interdependences which impose grave consequences both on the attacker and the victim. As explained by Robert Axelrod, a complex set of repeated interactions in various spheres between complex actors could lead to iterative relationships that lead to a solution of co-operative restraint by both actors. In the cyber sphere, this entanglement could be mutual interest in the stability of the internet itself, which serves as the bedrock of cross-border trade, societal communication and domestic transactions in various economies.
The prospect of deterrence by normative taboo took a big hit with the breakdown of the UN-GGE talks as there are no universal norms now that can censure actions by states. This is where India’s normative push needs to pivot towards multilateralism and co-opt like-minded allies-through forums such as the Shanghai Cooperation Organisation (SCO), BRICS and the Bay of Bengal Initiative for Multi-Sectoral Technical and Economic Cooperation (BIMSTEC), and bilaterally through engagement with allies such as Japan, United States, South Korea, Russia and Thailand, to concretise the preservation of the internet as the universal need of the hour.
How India should deal with international law in cyberspace
The 2015 report of the fourth UN-GGE had laid down a commendable framework for futher discussion on the evolution of cyber norms. India has wisely chosen to build on this process, rather than abandon it altogether. Section III of the report lays down several norms, rules and principles for responsible state behaviour in cyberspace. These include not knowingly allowing their territory to be used for intentionally wrongful acts using Information Communication Technologies (ICTs); to cooperate for the exchange of information using ICTs; refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations and to not knowingly supporting ICT activity contrary to the principles of international law.
The fifth UN-GGE could have therefore clarified at least three major questions:
- Response to internationally wrongful acts (countermeasures in cyberspace),
- Self-Defence in cyber space,
- Clarify, at least indicatively, the threshold of ‘use of force’ in the cyber realm.
However, the politicisation of norms and stonewalling by Cuba and reportedly, Russia and China prevented consensus from emerging, which does leave India with an opportunity to pick up the pieces and fit these into its grand strategy.
First, India needs to clarify when cyber-attacks amount to the use of force as prohibited by Article 2 (4) of the UN Charter.
The extreme variety of cyber operations makes this classification a challenging exercise. The International Group of Experts that drafted the Tallinn Manual agreed that ‘acts that injure or kill persons or damage or destroy objects are unambiguously uses of force’. This implies that cyber-attacks which have the same effect as a physical act would come under the prohibition imposed by Article 2(4.) This would include attacks that damage electricity grids or disrupt air-traffic control, thereby endangering human life.
On the other end of the spectrum, non-destructive cyber operations intended solely to disrupt the economy or undermine confidence in the government would not qualify as the ‘use of force’ although it would violate other standards of international law, such as unlawful intervention enshrined in Article 2(7) of the Charter. Therefore, Russian interference in the US elections through hacking e-mail servers and leaking sensitive information may not qualify as the ‘use of force’ but if proven, would certainly attract censure under international law. All cyber-attacks that fall between the two ends of the spectrum could be judged on the basis of eight non-exhaustive criteria .These criteria include severity, immediacy and directness, invasiveness measurability of effects, military character, state involvement and presumptive legality. An attack on India’s Aadhaar database and the subsequent leaking of confidential biometric information could qualify as the use of force as per these eight criteria, given the recognition of data as individual property in the present digital age and the declaration of UIDAI’s Central Identities Data Repository (CIDR) as a ‘protected system’ under Section 70 of the IT Act.
Equally crucial in India’s norms formation process is the response (known formally as ‘countermeasures’) to attacks that do not meet the threshold of use of force but violate other provisions of international law. As per existing standards of international law codified in the Articles on State Responsibility, countermeasures are the temporary non-performance of international obligations by states injured by the internationally wrongful act in order to induce the restoration of a state of legality between the two states. This would imply that persistent attacks on electronic voting systems in India could be met with retaliation through a Distributed Denial of Service (DDoS) attack on the central banking systems of an adversary till the attacks cease and adequate compensation is made for the disruption. International law does stipulate, however, that if the wrongful acts in question do not amount to a use of force, then the countermeasure cannot be a use of force either.
What form can self-defence in cyberspace take?
Second, India needs to lay out ground rules for the use of self-defence in cyberspace. This point turned out to the Achilles heel of the UN-GGE process. The non-applicability of self-defence to cyber-attacks gives an asymmetric advantage to less powerful states, whose economies are less digitised and are therefore less vulnerable to cyber-attacks. This asymmetric advantage would be mitigated if the more powerful states could meet a cyber-attack with conventional force. As reported by The Wire, India will probably affirm this right when framing its strategy as it would enable them to respond to Chinese or Pakistani cyber threats with a broader range of retaliatory options.
Article 51 of the UN Charter which enshrines the Right to Self-Defence reads:
Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security…
The first debate in international law regarding this Article is the threshold of an ‘armed attack.’ In the Oil Platforms and Nicaragua cases, the International Court of Justice held that the gravest uses of force qualify as an armed attack and thus trigger a right to self-defence as per Article 51. This interpretation is backed up a teleological reading of the UN Charter as the prohibition in Article 2(4) refers to the ‘use of force’ whereas Article 51 uses the phrase ‘armed attacks.’ Several experts, including the former US state department legal advisor have pointed out the banality of this distinction as it leaves states exposed to various security risks. Further, Cambridge professor Christine Gray notes the lack of state practice to back this claim. The Tallinn Manual acknowledges this divergence in thought and stops short of resolving this question. An intermediate path taken by Judge Bruno Simma in a separate opinion in the Oil Platforms case may be useful in this context. In essence, he argues that the right to self-defence may exist against the use of force that does not meet the higher threshold but within a far more limited range.
Indian state practice indicates that it has not cared much for this distinction. The official positions justifying surgical strikes on territories administered by Pakistan and Myanmar in the past couple of years do not focus on the gravity or intensity of the acts they were trying to prevent. Transposing this position into India’s cyber strategy would be prudent in terms of its deterrent value. It would certainly issue a credible threat to adversaries who were planning to get away with low-intensity cyber-attacks.
Anticipatory self-defence in cyberspace
The second debate with regard to the right to self-defence is the applicability of anticipatory self-defence in cyberspace. Most observers agree that states do not need to wait for the actual attack to commence, notwithstanding the fact that the UN Charter reads ‘if an armed attack occurs.’ There is also universal acknowledgment of the three prongs of the Caroline test: namely the necessity for the use of self-defence (“instant, overwhelming leaving no choice of means and no moment for deliberation”), proportionality (the attack must not involve anything unreasonable or excessive) and imminence of the attack itself. The disagreement lies in how imminent the prospective attack must be.
In this context, the Tallinn Manual distinguishes between the placement of a logic bomb and the placement of a remotely activated malware. The logic bomb is a piece of software that will execute the attack on some pre-determined factors without an external command whereas malware requires external activation. The placement of the logic bomb may meet the criterion of imminence if the activating conditions are ‘likely’ to occur whereas placing the malware does not necessarily mean that the right will be triggered. Self-defence becomes justified in the case of the malware placement only when it is clear that the aggressor has decided to launch the attack and delaying the retaliatory option would prevent the efficacy of its defence.
India’s war doctrine permits the launch of pre-emptive operations in case there are continuing provocations cumulatively amounting to an ‘armed attack.’ The transposition of this strategy to cyberspace may be prudent if there are repeated data breaches or incursions that cumulatively inflict significant damage to Indian property.
Testing India’s cyber readiness
Modern Indian military posturing sees its origins in the aftermath of the parliament attacks in 2001. Politicised as ‘The Cold Start Doctrine,’ the army has sought to cut down mobilisation times in response to attacks by having nimbler, integrated units stationed close to the border. By pursuing narrower aims through sub-conventional warfare, India also prevents a nuclear spill-over from any nation. There have been doubts expressed on the deterrence value of this posturing largely because the strategy has yet to be coherently expressed by the army. The most recent posturing along these lines was by present army chief Bipin Rawat, who believes that future wars will be ‘short and intense,’ which would require the army to ‘move fast.’
General Rawat’s emphasis on operational agility applies as much in cyberspace. Without the organisational set-up to back India’s normative push on cyber-defence, India’s deterrence strategy will remain starkly incomplete. India’s latest cyberspace strategy articulated a clear vision of India stating that its goal was “to build a secure and resilient cyberspace for citizens, businesses, and government.” However, little progress has been made thus far in terms of operationalising cyber defence.
To date, there is no national level organisation in the military which is tasked with cyber defence. There are some bodies that specialise in elements of cyber defence and domestic cyber security. The National Technical Research Organisation (NTRO) – established in 2004 and modelled after the National Security Agency in the US – is a specialised technical research unit which comes under the control of the Prime Minister’s Office and engages largely in intelligence gathering. The Indian Computer Emergency Response Team (CERT-In) was established in 2004 under the Ministry of Electronics and Information Technology and acts as the national central body for cyber incident response, while also facilitating cross-sector co-operation in cyber strategy. Experts have emphasised the need for the formation of a centralised National Cyber Security Agency that reports to the PMO The NCSA would ideally consist of a policy wing and an advanced research wing that would focus on intelligence gathering and identifying trends in cyberwarfare while an operations wing – headed by a member of the armed forces – would focus on both exploitation and resilience. A cohesive cyber command would naturally streamline India’s retaliatory options and thus bolster its deterrence capability.
There is no easy formula to galvanise a stable cyber deterrence regime. The threat of cyberwarfare has changed the rules of the game in the global discourse on national security in many ways. Yet Clausewitz’s immortal dictum expressed aeons ago – identifying war as the continuation of politics by other means – continues to underpin world order today. Deterrence, therefore could be articulated quite simply. The adversary needs to perceive that India’s cyber capabilities – and its intent to act on them – are enough to overcome any cyber-attack or unwarranted border provocation. This perception is the key to a stable future in digital South Asia.
Arindrajit Basu is pursuing a Masters in Public International Law at the University of Cambridge.