Commentary

Find our newspaper columns, blogs, and other commentary pieces in this section. Our research focuses on Advanced Biology, High-Tech Geopolitics, Strategic Studies, Indo-Pacific Studies & Economic Policy

Guest User 10/3/22 Guest User 10/3/22

Securing India’s Cyberspace from Quantum Techniques

By Arjun Gargeyas and Sameer Patil

Last month, there were reports that the Indian Army is developing cryptographic techniques to make its networks resistant to attacks by systems with quantum capabilities. The Army has collaborated with industry and academia to build secure communications and cryptography applications. This step builds on last year’s initiative to establish a quantum computing laboratory at the military engineering institute in Mhow, Madhya Pradesh. With traditional encryption models at risk and increasing military applications of quantum technology, the deployment of “quantum-resistant” systems has become the need of the hour.

Guest User 4/4/22 Guest User 4/4/22

China’s New Focus on US Cyber Activities

By Megha Pardhi

In the last few years, Chinese companies have released several reports accusing U.S. agencies of cyberattacks on Chinese infrastructure. Although China has long released data on the numbers of U.S. hacking attempts, detailed reports were not a common occurrence. Recent reports indicate that Beijing is intensifying its efforts at narrative-building by focusing on malicious cyber activities of the United States.

Prateek Waghre 2/3/20 Prateek Waghre 2/3/20

Budget and Cybersecurity, a missed opportunity

This article originally appeared in Deccan Chronicle.In the lead-up to the 2020 Budget, the industry looked forward to two major announcements with respect to cybersecurity. First, the allocation of a specific ‘cyber security budget’ to protect the country’s critical infrastructure and support skill development. In 2019, even Rear Admiral Mohit Gupta (head of the Defence Cyber Agency) had called for 10% of the government’s IT spend to be put towards cyber security. Second, a focus on cyber security awareness programmes was seen as being critical especially considering the continued push for ‘Digital India’.On 1^st February, in a budget speech that lasted over 150 minutes, the finance minister made 2 references to ‘cyber’. Once in the context of cyber forensics to propose the establishment of a National Police University and a National Forensic Science University. Second, cyber security was cited as a potential frontier that Quantum technology would open up. This was a step-up from the last two budget speeches (July 2019 and February 2019) both of which made no references to the term ‘cyber’ in any form. In fact, the last time cyber was used in a budget speech was in February 2018, in the context of cyber-physical weapons. When combined with other recent developments such as National Security Council Secretariat’s (NSCS) call for inputs a National Cyber Security Strategy (NCSS), the inauguration of a National Cyber Forensics Lab in New Delhi, and an acknowledgement by Lt Gen Rajesh Pant (National Cyber Security Coordinator) that ‘India is the most attacked in cyber sphere’ are signals that the government does indeed consider cyber security an important area.While the proposal to establish a National Forensic Science University is welcome, it will do little to meaningfully address the skill shortage problem. The Cyber Security Strategy of 2013 had envisioned the creation of 500,000 jobs over a 5-year period. A report by Xpheno estimated that there are 67,000 open cyber security positions in the country. Globally, Cybersecurity Ventures estimates, there will be 3.5 million unfilled cyber security positions by 2021. 2 million of these are expected to be in the Asia Pacific region.It is unfair to expect this gap to be fulfilled by state action alone, yet, the budget represents a missed opportunity to nudge industry and academia to fulfilling this demand at a time when unemployment is a major concern. The oft-reported instances of cyber or cyber-enabled fraud that one sees practically every day in the newspaper clearly point to a low-level of awareness and cyber-hygiene among citizens. Allocation of additional funds for Meity’s Cyber Swachhta Kendra at the Union Budget would have sent a strong signal of intent towards addressing the problem.Prateek Waghre is a research analyst at The Takshashila Institution, an independent centre for research and education in public policy.

12/23/19 12/23/19

India’s National Cybersecurity Policy Must Acknowledge Modern Realities

Earlier this year, it was discovered that India was the target of two cyberattacks in the same month. The malware attacks at the Kundankulam Nuclear Power Plant and the Indian Space Research Organization (ISRO) are believed to be the outcomes of phishing attempts on employees. In 2018, it was reported that an officer of the Indian Air Force was sharing sensitive information on Facebook with two women who had honey-trapped him. None of these incidents are known to have resulted in severe harm, but the possibility that they could have is reason enough for India to cultivate and shape international discussions on cyberspace.As is the case with both international terrorism and protection of the environment, cooperation is a prerequisite to deal with cyberthreats given their borderless nature. India’s National Cyber Security Policy (2013) did not assign much weight to this aspect and defined no measurable outcomes against which progress could be judged. With its upcoming National CyberSecurity Policy (2020-2025), India has the opportunity to align its domestic policy with its global aspirations.Warfare in Cyberspace Is UniqueCyberspace is an amalgamation of the virtual with the physical. Actions in the virtual realm can affect the physical domain. With low barriers to entry, cyberspace provides attractive options for the launch of attacks and allows actors to achieve strategic outcomes both within and outside of the information domain. From crumbling critical infrastructure to designing a smart misinformation campaign that can influence democratic processes, the spectrum of outcomes that cyberattacks can achieve is broad. The Stuxnet malware, a U.S.-Israel joint operation to target Iran’s nuclear enrichment plant in Natanz, displayed the capabilities of a highly sophisticated and targeted cyber-offensive operation. Operations against Ukraine’s power grid in 2015, misinformation campaigns targeting U.S. presidential elections in 2016, and the WannaCry and NotPetya ransomware outbreaks in 2017 all showed the potential for real-world impact and collateral damage.There are two features that distinguish these attacks from conventional ones. First, cyberattacks are hardly predictable. Accurately determining an incoming attack is at present not possible. Second, as long as there is plausible deniability, attribution is tough. As such, warfare in cyberspace poses a unique challenge to national security and the lack of rules to govern it intensifies this challenge.Security in CyberspaceThe United Nations Charter, the Laws of Armed Conflict (LOAC), and other regional arrangements provide a general overarching framework for governments to manage problems of security across all domains. Cyberspace differs from conventional domains of warfare because it functions as both a battlefield and a weapon. It is therefore risky to assume that existing rules of conflict can be extended to cyberspace as well.American political scientist Joseph Nye has discussed the absence of coherence among existing norms that govern cyberspace. Existing practices are based on agreements between private players (largely multinational corporations) with only a mild degree of enforceability. Since providing security is a critical function of government and it is most susceptible to attacks, only governments are properly incentivized to set the rules. Numerous track two groups and various private conferences and commissions continue to work on the development of norms. Successive UN-GGEs (Governmental Groups of Experts) have developed a consensus that the UN Charter and international law apply to cyberspace. But cyberspace is changing faster than countries can legislate internally and negotiate externally.There is no denying that all security efforts need to be collaborative. But as with international terrorism and environmental protection, effective norms and rules can only be set if all stakeholders consensually arrive at what the rules should be. Currently there are two camps on the global stage: a Sino-Russian camp and a rival one comprising the United States, Western Europe, Japan, Australia, and New Zealand. The former espouses the supremacy of national sovereignty in the governance of domestic cyberspace, risk of destabilization by the application of existing international humanitarian law to cyberspace, and the need for new, binding international agreements. The latter advocates for a free and open internet as well as the full applicability of international law (including the right to self-defense, use of countermeasures) to cyberspace. Resolutions sponsoring the formation of the Russia-backed Open Ended Working Group (OEWG) and the UN-GGE 2019-21 were both passed in the United Nations General Assembly in 2018. The UN now has two parallel tracks working toward the establishment of norms in cyberspace. The OEWG is open to all member states and will hold consultations with stakeholders across members, NGOs, and private industry while the UN-GGE is comprised of 25 member states with consultation typically limited to regional organizations. The prevailing atmosphere of mistrust portends further deterioration rather than improvement. This variance between great powers has weighed heavily on international discussion on norms while cyberattacks continue to happen, quietly.There is some scope for optimism yet. At a panel in the recently concluded Internet Governance Forum in Berlin, the Global Commission on the Stability of Cyberspace (GCSC) proposed eight norms including protection of the public core of internet and infrastructure essential to elections, referenda, and plebiscites. This was followed by informal consultations at both the OEWG and UN-GGE in early December. Through the Paris Tech Accords, Digital Geneva Convention, and Charter or Trust, private companies have also sought to play a more active role in the shaping of norms, which is significant as they operate a significant portion of the public internet.What Has India Done So Far?In 2011, India’s proposal for a Committee on Internet Related Policies (CIRP) comprising 50 member states was met with the criticism that it would create an exclusive club. Since then, an analysis of India’s contribution to debates on internet governance by the Center for Internet and Society (India) has revealed a tendency to shift between support for multilateralism and mutli-stakeholderism. Researchers have termed this “nuanced multilateralism,” where a broad range of stakeholders are consulted, but not involved in implementation and enforcement. On the question of cyberspace sovereignty, India seems to share common ground with the Sino-Russian camp, but has refrained from commenting definitively on the issues dividing the two camps. India was one of the member states that backed both UNGA resolutions that resulted in the formation of the OEWG and the UN-GGE (2019-2021). It is also a member of the UN-GGE and has not yet contributed formally to OEWG proceedings. On the multilateral front, it has stayed out of the Osaka Track for Data Governance and the Budapest Convention on Cybercrime.There is no single approach that captures India’s engagement with multilateral institutions. Its rule-taker instinct is evident from India’s support for the United Nations’ peacekeeping operations. Contrary to this is the rule-breaker approach, which is evident from India’s endeavor to be recognized as a nuclear weapon state while also challenging the norms established by the Nonproliferation Treaty. The expectation that India will be a rule-maker all by itself is unrealistic. In the multipolar world that exists today, no single country, let alone India, can become make the only rule-maker. A more achievable goal for India would be to play the role of a rule-shaper, an active voice among rising powers. This goal finds its strength in India’s economic prowess and diplomatic experience in working with alliances.India’s success in shaping the international narrative on climate change has already proven its ability as a rule-shaper. With its upcoming National Cybersecurity Policy (2020-2025), India must look to articulate and justify its position on the applicability of international law to cyberspace. It should bring its domestic policy in line with its global aspirations. Given the importance of private companies in this exercise, it must also consider creating an office of a tech ambassador that will present its position consistently. This level of transparency can serve as an important confidence-building measure as it engages across multiple stakeholders and fora to shape future norms.Shibani Mehta and Prateek Waghre are Research Analysts at The Takshashila Institution, an independent center for research and education in public policy.

This article originally appeared in The Diplomat

12/12/19 12/12/19

2020 cybersecurity policy has to enable global collaboration

The rapid expansion of digital penetration in India brings with it the need to strengthen cybersecurity. The critical nature of the myriad cyber threats that India faces was underscored by the recent breach at the Kudankulam nuclear power plant and the Indian Space Research Organisation. These were just two of the 1,852 cyber-attacks that are estimated to have hit entities in India every minute in 2019. Symantec’s 2019 Internet Security Threat Report ranks India second on the list of countries affected by targeted attack groups between 2016 and 2018.It’s clear that India faces expanded and more potent cyber threats. Given this fact, the new national cybersecurity policy, set to be announced early next year, should improve on the shortcomings of the previous policy of 2013. The most significant of these were the absence of clear, measurable targets, failure to set standards for the private sector and limited focus on international collaboration.

In many ways, the broad thrust of the 2013 policy was on point. It argued for the need to build a “secure and resilient cyberspace,” given the significance of the IT sector to foster growth while leading to social transformation and inclusion. This called for creating a “secure computing environment and adequate trust and confidence in electronic transactions, software, services, devices and networks”. Since then, certain steps have been taken to operationalise the policy. These include the establishment of the National Cyber Security Coordination Centre and Cyber Swachhta Kendra along with announcements to set up sectoral and state CERTs and expand the number of standardisation, testing and quality certification testing facilities. However, much more needs to be done and that too at a faster pace.While it is no one’s argument that state capacity can be augmented overnight, setting clear targets can help drive action towards an identified goal. Moreover, the lack of these in the 2013 policy means that it is extremely difficult today to assess whether the policy had the desired impact. Five-year plans are well-written documents, whether or not you agree with the goals they outline for the nation or even if the five-year approach is right at all.The most quantifiable item on the agenda for the 2013 cybersecurity policy was the objective to create a workforce of 500,000 professionals skilled in cybersecurity in the next five years through capacity building, skill development, and training. The objective set a number that one can look at five years from then and see if they exceeded or fell short of expectations. And the data in this regard is sobering. For instance, in 2018, IBM estimated that India was home to nearly 100,000 trained cybersecurity professionals. What’s further alarming is that it estimated the total number needed at nearly three million. The 2020 policy must, therefore, not just identify clear targets but also identify the ways and means through which that target should be met.Almost everything else in the 2013 document was fairly ambiguous. It contained repeated references to adopt and adhere to global standards for cybersecurity. However, there was no clarity on what specific standards should be followed and how long industry should take to adopt them.This brings us to the second shortcoming. The policy at the time was hoping to balance a trade-off between encouraging innovation while ensuring that basic standards for security and hygiene were met. When it comes to the private sector, it repeatedly used words such as “encourage”, “enable” and “promote”, being careful to not make anything mandatory. Even when it did mandate something, say global best practices for cybersecurity to critical infrastructure, it is hard to say how it planned to declare the mandate a success or a failure. This is again a pitfall that the 2020 policy must avoid. The policy must establish or identify standards that the industry should adopt within a fixed timeframe. Also, there is a need for the government to engage with the private sector, particularly when it comes to sharing skills and expertise.Finally, when it comes to international collaboration, the 2013 policy argued for developing bilateral and multilateral relationships in the area of cybersecurity with other countries and to enhance national and global cooperation among security agencies, CERTs, defence agencies and forces, law enforcement agencies and the judicial systems. Since then, India has entered into a bunch of cybersecurity-related MoUs. However, there is an urgent need to set into place domestic frameworks, say for instance with regard to data protection, which will enable broader global collaboration and participation in rule setting. Unfortunately, this has not been happening. For instance, India was not a signatory to the Budapest convention which would have allowed for easier access to data for law enforcement. It also did not enter into an executive agreement under the US-initiated CLOUD Act. On a related note, the government also did not sign the Osaka Track, a plurilateral data sharing agreement proposed at the 2019 G20 Summit. These are important dialogues that India must be part of if it needs to build a resilient and thriving cyber ecosystem.