Cyber space is increasingly being misused. The sheer scale of cyber attacks is breathtaking. Sensitive commercial information including intellectual property rights related information has been stolen, privacy of millions of individuals has been compromised, credit card frauds have been perpetrated, and sensitive nuclear and military installations have been targeted successfully. New kinds of “cyber weapons” are being developed. Stuxnet, Duqu, Flame and Wiper are some of the exotic names given to computer viruses which have the capability of interfering with cyber based installations and carrying out cyber espionage and surveillance.
A war of words has ensued between the US and China on allegations that US companies and sensitive information systems are being attacked by Chinese cyber attackers in China including by the units of the Chinese army. China denies these allegations and says it is itself a victim of cyber attacks. Cyber security has emerged as a major area of contention between the US and China.
Are we seeing a new kind of armed conflict in cyber space? Are the states directly attacking the information infrastructure of other states clandestinely? Or are they sponsoring hackers to do the job for them? Or, are there groups who undertake such attacks on their own without state sponsorship? While there is no clarity on these issues, fierce debate has ensued among legal pundits whether these cyber attacks can be termed as cyber warfare and whether the law of armed conflicts applies to cyber operations.
The conventional wisdom is that international armed conflicts are those where states are involved and where violence is the end results of attacks. Purists would say that cyber attacks cannot be called cyber warfare because it is difficult to be sure whether the attacks are being done by states or by actors authorised by states and because cyber attacks do not result in injury or death. The contrary opinion is that cyber attacks do result in massive disruption which can be as lethal as an armed attack.
After all in a traditional armed conflict not all acts of state result in violence. Espionage is also an act of warfare if the two states are in a state of war. Further, there is evidence that in some attacks states, state agencies or groups allied with states are involved. So cyber attacks can be called cyber warfare even though they may not result in death or violence directly.
There is also a debate what constitutes a cyber weapon. While it is easy to visualise a gun or a bullet as a weapon, but can a piece of software be regarded as a weapon? There is growing view that a piece of software which disrupts, say, a hospital can be termed a cyber weapon. Most analysts would regard the worm Stuxnet which interfered with the Supervisory Control and Data Acquisition (SCADA) systems of the Iranian nuclear programme and stopped the centrifuges as an example of cyber weapons. Scores of computer viruses can today steal information from an adversary’s computer system without anybody noticing. Further, acts of cyber espionage or cyber disruption in peace time can trigger actual armed conflict.
Cyber security issues have definitely moved up the agenda of internationals security. But, little tangible has been achieved so far. In recent years governments, industry, businesses, civil society and other stakeholders have got together to deliberate over the rules of state behaviour in cyber space. Two major international conferences, one in London (2011) and one in Budapest (2012) have been held. Both conferences underlined the need for international cooperation and the rules of the road in cyber space. The next conference will be held in Seoul in October 2013. The UN Secretary General has also set up a Group of governmental expert (GGE) to deliberate over such issues. India has been active participant of these conferences and meetings. But no agreement yet on what needs to be done.
As these conferences bring out, states are following different approaches on cybersecurity and state behaviour in cyber space. The Chinese, the Russians and many others assert state sovereignty over the internet. They are for restrictions on the internet on grounds of the stability of the country and the regimes. On the other hand, the US and several countries favour maintenance of freedom of speech and for respect for human rights. The two approaches differ widely.
Apart from the states there are civil society groups, intergovernmental organisations, business interests, and others who have vital stakes in the internet and cyber space. They are wary of the states efforts to control the internet. They would like to see the internet retain its open architecture. In India, the government is in the process of making a cyber security policy and establishing an elaborate cyber security infrastructure. Public-private partnership (PPP) is being preferred. Yet, Indian cyber space, which is growing at a rapid pace, is insecure and highly vulnerable as the spate of recent cyber attacks has shown. A Computer Emergency Response Team (CERT) India, functioning since 2004, is the lone institution generating some awareness about cyber security. Unfortunately, the institution is under funded and under resourced. Cybersecurity effort is fragmented with little coordination among myriads of institutions. Some work on cyber security is done by the National Technical Research Organisation (NTRO), mainly for the sensitive agencies. Given the scale of the problem, this seems insufficient. There is no clarity on how to deal with cyber warfare issues. What should be India’s approach on cyber security? It should take cyber attacks extremely seriously and urgently build its defensive technical and legal capabilities. At the same time it should have deterrent capabilities to deter hackers from attacking its cyber space. It should also consider setting up a cyber command type of structure in the armed forces and incorporate cyber conflict in its military doctrines.
India needs to ensure its national interests are protected during cybersecurity negotiations. It has yet to take firm position on issues such as the rules of the road, state behaviour in cyber space, confidence building measures, application of the law of the armed conflict to cyber conflicts and cyber weapons.
It must strike a balance between open, insecure internet and an overregulated an over protected cyber space. These issues must be debated so that a societal consensus can emerge.
The author is the Director General of the Institute for Defence Studies and Analyses, New Delhi