Keynote address by Dr Arvind Gupta, Deputy National Security Advisor at the 18th Asian Security Conference on "Securing Cyberspace: Asian and International Perspectives"

  • Dr Arvind Gupta, Deputy National Security Advisor
    February 10, 2016

    I would like to thank Ambassador Jayant Prasad, Director General of IDSA for inviting me to address the participants of 18th Asian Security Conference. With its eighteenth edition ASC has truly come of age.

    2. The theme chosen for this year’s conference is apt. The world is becoming increasingly turbulent. The unstoppable march of globalisation, facilitated by ICTs, has raised many troubling questions concerning the maintenance of peace and stability. Cyber security is now an international security concern. It is also a top concern for most countries and figures high in their national security priorities. The focus is on managing the threats in cyberspace which affect everyone. The key question before a state is how to defend itself from the ever increasing occurrences of cyber-attacks.

    3. The year 2015 saw a number of important developments in the field of cyber security. President Xi’s visit to the US in September 2015 will be remembered for some outspoken public comments by President Obama on US concerns over on-line theft of intellectual property. Aware that cyber concerns, if unresolved, can create misunderstanding and destabilise the bilateral ties, the two countries agreed to bilateral cyber security dialogues. In President Obama’s words, the two governments agreed that “neither the US nor the Chinese government will conduct or knowingly support cyber related theft of intellectual property including trade secrets or other confidential business information for commercial advantage”. President Obama, according to reports, took up strongly with President Xi the issue of cyber threats. On his part, President Xi, declared that “China strongly opposes and combats the theft of commercial secrets and hacking attacks”. The meeting took place in the backdrop of a well-publicised cyber-attack on the Office of Personnel Management (OPM) resulting in the stealing of the fingerprints of 5.6 million people in December 2014 and compromising records of some 22 million people. Acknowledgement by both sides that cyber security is an issue between them was in itself a remarkable development. During the same year, China and Russia also signed a comprehensive agreement on cyber security.

    4. In 2015, the UN Group of Governmental Experts (UNGGE) came out with its 3rd Report which was an advance over the previous report. As a result of the efforts of the UNGGE, there is now a growing recognition that international law, particularly the UN charter, applies as much to cyberspace as to other domains. The UNGGE emphasises that principles of sovereign equality; settlement of international disputes by peaceful means; refraining from the threat or use of force against the territorial integrity or political independence of any state; respect for human rights and fundamental freedoms including the freedom of expression; and non-intervention in the internal affairs of other states are some of the principles which also apply to the ICT security. In other words, international law is technology neutral. One of the main observations of the report is that states have jurisdiction over the ICT infrastructure located within their territory.

    5. The international law has many aspects including intervention in self-defence, economic sanctions, counter measures and so on. A debate has broken out whether intervention through cyber means in other countries’ networks, under certain circumstances, is justified or not. The debate is sharp but inconclusive.

    6. Cyber security issues are contentious and are proving to be difficult even as the incidents of cyber-attacks, cybercrime, cyber terrorism grow exponentially. Every year new types of attacks are invented and carried out. The toolkit of attackers is expanding. It is quite possible that states may be clandestinely developing an arsenal of tools of cyber-attack even as they discuss the need for accepted norms in cyberspace.

    7. The challenge before states is how to defend their critical, military and civilian infrastructure from destabilising cyber-attacks. Cybercrime is on the increase. Theft of personal information and intellectual property is rampant. The distinction between state and non-state actors in cyberspace is blurring. Even as technologies of active defence are developed, the attackers are several steps ahead.

    8. While most states are engaged in implementing strategies to defend their networks from cyber-attacks, they are also toying with the idea of developing capabilities which would deter potential attackers. Efforts have been made to develop a theory and practice of “cyber deterrence” on the lines of nuclear deterrence.

    9. Drawing analogies from the nuclear arms control vocabulary, it is argued that both denial and punishment are essential for deterring cyber aggression. The idea is to make it clear to the potential attacker that the cost of cyber aggression will outweigh the benefits. An effective cyber deterrence strategy will include deterrence by denial as well as penalty by punishment. Deterrence by denial will rely on strong defences. The efforts of the attacker would be rendered futile if defences and resilience i.e. the capability to bounce back are strong. Deterrence by punishment, on the other hand, relies on the ability to counter attack. It is argued that the attacker should know that retaliation should be “certain, severe and immediate”. This will deter him.

    10. The question is whether cyber deterrence can work in the way similar to nuclear deterrence. Nuclear deterrence works because both sides know fairly accurately the nature, size and scope of each other’s nuclear arsenal and the means of delivery. Over decades, arms control negotiations were focussed on issues such as transparency and verifiability of each other’s arsenals. Detailed nuclear CBMs, based on verification, were developed. Attempts were made to understand each other’s nuclear doctrines. In the nuclear case, actors were few. Non-state actors did not possess nuclear weapons. In cyberspace, the situation is vastly different. As yet, there is no clarity even on what cyber-attack means. There is no agreed definition of a cyber-weapon. There are no means of verification. Multiple actors operate in cyberspace with complete anonymity.

    11. Sceptics point out that cyber deterrence will fail because of the lack of attributability in cyberspace. In cyberspace, where anonymity is the key, it is difficult to identify precisely who the attacker is. Non-attribution is the fundamental weakness of the cyber deterrence argument. There is, however, some literature which suggests that the problem of attribution may be overcome sooner or later. Such claims are, however, unverifiable at present.

    12. For cyber deterrence to be meaningful, a state would have to define its thresholds through appropriate signalling. It will need to indicate its cyber thresholds. Some ambiguity will no doubt be deliberate. Yet, a potential attacker should know that retaliation would be severe and unacceptable if a redline is crossed. Indicating redlines will depend upon a country’s capabilities, intents and interests. Today, the redlines are absent. For instance, should cyber espionage, directed against military and non-military targets, be treated as an act of cyber warfare? Is an attack on the banking networks, stock exchanges, power grids an act of war? Does cyber espionage merit a counter attack? Should retaliation be in cyberspace or by other means? With key questions unanswered, to have a cyber-deterrence on the lines of nuclear deterrence seems difficult.

    13. The Tallinn Manual 1.0, originally called Tallinn Manual on the International Law applicable to cyber warfare, deals with conflict scenarios in cyberspace where international law would apply. While Tallinn Manual is not an official document, its work is sponsored by NATO and other countries. Presently, a second version of the Tallinn Manual, Tallinn Manual (2.0), is being worked out. The Tallinn Manual 2.0 deals with the application of international law to cyberspace during peacetime. A recent meeting held in the Hague on 2-3 February dealt with these issues. During discussions, attempts were made at defining a diplomatic law for cyberspace. It was suggested that attack on the computer systems of a foreign embassy should be prohibited by law. It was also professed that intervention in cyberspace may be permitted under certain circumstances.

    14. In India’s point of view, Tallinn Manual, while being a useful exercise, does not reflect the existing law on the subject because of the absence of state practice which is critical for development of customary international law.

    15. These difficulties notwithstanding, states are going ahead with incorporation of cyber security into their military doctrines. Such doctrines postulate that a state, exercising its right to defend itself, could retaliate to a cyber-attack by cyber or any other means. The US national strategy of 2015 says that US could use cyber tools or other means to retaliate against cyber-attacks.

    16. The problem of cyber-attacks cannot be seen in isolation. Today, cyberspace is inter-twined with other domains of warfare, namely, land, water, air and space. This inter-twining implies that cyber-attacks will not be seen as mere cyber-attacks. The retaliation in non-cyber form i.e. retaliation through non cyber means including possibly military means cannot be ruled out. Cyber-attacks, as means of warfare, would only enlarge the battle domain. Cyber warfare may induce states to opt for full-spectrum deterrence.

    17. Cyber warfare is a contested concept. Cyber espionage, attack on critical infrastructures etc are routine happenings in cyberspace. So far military means have not been used to deter attacks. Nor have economic sanctions been used because attributing a cyber-attack has been so difficult. Further, many victims feel shy of reporting cyber-attacks. Such incidents have not been regarded as acts of warfare so far because no definition of cyber warfare exists so far. Whether a cyber-attack is seen as a component of cyber warfare will depend upon the context of the attack. The authors of the Tallinn Manual have grappled for many years to come up with some acceptable definitions but so far the progress has been slow.

    18. India cannot be oblivious to these developments. Internet usage is spreading rapidly in India. Even though internet penetration in the country is still low, nearly 400 million people are using the internet. Digital India will take broadband internet to every village Panchayat. With one billion SIM card subscribers, a revolution in connectivity is sweeping India. India’s future progress and growth is linked with the expansion of the digital network, overcoming digital divides and ensuring that robust cyber security policies are adopted right from the beginning.

    19. India has taken several steps in the recent past to strengthen its cyber defensive capabilities. To mention a few:

    • A national cyber security policy has been announced and is being implemented.
    • An elaborate national cyber security assurance framework is under implementation.
    • The National Cyber Security Coordinator appointed last year is coordinating the Indian cyber security effort spread across the various agencies.
    • Coordination amongst various agencies has improved.
    • A National Critical Information Infrastructure Protection Centre (NCIIPC) has been set up. There is a regular dialogue with the key sectors of the economy.
    • Public-private partnership is being constructed. There is an active dialogue between the government and the private sector.
    • A National Cyber Coordination Centre (NCCC) is being set up.
    • Efforts are being made to develop cyber security skills in the country. New cyber security curricula are being introduced in the colleges.
    • Cyber security R&D policy has also been under active consideration of the government.
    • CERT-India, an organization that was set up in 2004, has done significant work in dealing with cyber incidents as well as spreading awareness.
    • India is pursuing active cyber diplomacy with cyber security dialogues having been set up with several countries and is participating in several international fora including the UN on cyber security.

    20. All these synchronized and coordinated efforts are already showing results. But we cannot be complacent in the face of growing threats and evolving technologies. Due to the explosive growth of ICTs, the cyber security scenario is likely to remain challenging. We will need to work hard on the various aspects of cyber security including the emerging challenges.

    21. Like other countries, India also faces the daunting task of stopping and preventing cyber-attacks on its networks. India will have to closely study the evolution of cyber deterrence idea. Building cyber deterrence capability would entail building robust networks that can be defended, encouraging comprehensive R&D in the area of cyber security and strengthening indigenous manufacture of ICT products and technologies. It will also require strong cyber diplomacy to ensure that India is not at the receiving end of the emerging ICT Export Control regime under the Wassenaar Agreement. We also need to closely analyse the patterns of cyber-attacks against us and build suitable response measures including the capability to conduct cyber operations if required. India would need to take note of the increasingly assertive cyber security doctrines that are being adopted by other countries. This will help in working out our own cyber security doctrines. The inputs from the Conference like this would be most useful.

    22. In conclusion, I would like to point out that there is a lack of consensus in the international community on norms of behaviour in cyberspace. We are at a stage where technology is far ahead of our thinking on cyber laws and cyber norms. The UN Group of Governmental Experts has proved to be a useful platform to discuss these issues but the absence of a broader representative platform where contentious issues can be hammered out and consensus arrived at is conspicuous by its absence. Ad-hoc groups adopting ad-hoc procedures to deliberate over ad-hoc cyber security agendas will not necessarily build a consensus. The international community needs to come together to discuss how to deal with threats in cyberspace which are growing by the minute. The task may seem daunting but states should seriously reflect whether the world needs a Cyber Convention on cyber security. Unlike in the other commons like the land, the sea and space, where international law has grown immediately, cyberspace is still largely lawless. This Conference, where leading experts have assembled, can generate ideas on the way forward towards building a consensus on cyber security issues.

    Thank you!