In 2019, the book «India’s strategic options in a changing cyberspace» written by Cherian Samuel and Munich Charma was published. (New Delhi, Pentagon Press LLP in association with Institute for Defence Studies and Analyses, 2019). In their work, the authors examine the general concept of cyberspace, while extrapolating it to India’s cyberspace dimension.
Cybersecurity problems are tightly included in the new agenda of international relations, which stresses the importance of their comprehensive study, now more relevant than ever. The work raises several issues that appear to be important for a modern understanding of cyberspace. Among the issues raised, we find cyber deterrence, the regulatory framework for cyberspace, the protection of the critical state infrastructure, Active Cyber Defense knowledge, and its attendant legal and ethical issues.
To begin with, the authors illustrate the reasons why the decided to start the book. Firstly, due to the constant change in threats and actors, cyber policy is said to be a moving target. The second problematic lies on the fact that the development of adequate measures becomes difficult for governments, especially international organizations.
The first problem identified by the authors refers to an instrumental nature — namely a lack of technical knowledge, a sophisticated conceptual framework. Trying to analyze the meaning of cyberspace, cybersecurity, cyber warfare, cyber weapons, deterrence in cyberspace, and critical information infrastructure, the authors conclude that each actor understands them in their own way. For example, the concept of “Cybersecurity” is developed in the West. It focuses mainly on the technical side of security. Conversely, the “International Information Security” concept is widespread in China and the CIS and focuses on its political and instrumental use, as well as the compromise “Security in the field of information and security, communication technologies and their use.”
The second problem refers to the lack of access to source data, the presence of conflicting versions of events. According to the authors, the problem would arise due to the lack of the ability to formulate a full-fledged unambiguous conclusion based on the available data. Cyberspace often becomes part of military strategies and doctrines of states. The authors tried to provide the reader with a complete picture of the different countries’ and organizations’ versions, having worked out each of them qualitatively.
The third problem relates to the high politicization of the topic. In the beginning, cyberspace was characterized as common property; its regulation was possible within the framework of international institutions and forums established over the years. Among the more prominent ones we list the United Nations Group of Governmental Experts (UNGGE) and the Internet Governance Forum (IGF). Examples of NGOs’ participation and think tanks are the Global Conference on Cyber Space (GCCS), the Global Commission on the Stability of Cyberspace, and the World Internet Conference.
Over time, however, the tendency to diversify measures to regulate cyberspace has emerged. Only the general trend developed by the Western community remained — to keep cyberspace “open, secure, stable and free.” By declaring Western centricity, the authors refer to the fact that the development and implementation of the latest infrastructure took place from the global West to the East. If the issue of development and implementation has long ceased to be exclusively Western and acquired the outlines of a network structure, now the politicization of the topic lies in ideologically loaded terms. This is expressed in well-established clichés according to which the best hackers who can influence the election results are Russians or Chinese.
Issue number four refers to the fact that the topic of cyberspace is very voluminous. It includes the aspect of global governance in cyberspace, the level of militarization, the legal obligations of each of the parties, and the right to self-defense of the country and the individual. In their book, authors focused on specific areas of cyberspace, like for instance the concept of Active Cyber Defense. After analyzing the approaches of different countries, the authors conclude that the strategy is moving from offensive to defensive, a tendency that intensified after the World War II. Nation-states trying to protect their interests, undertake actions that need to be declared. Any response thereafter is made in accordance with calculations of political benefit, economic leverage, or purely self-defense. In this regard, the authors compared the development of concepts for nuclear weapons and cyber weapons. The development of atomic weapons after the Second World War and artificial intelligence and quantum calculus today depends entirely on the development of technology. Despite some similarities, cyberspace appear to be more complicated due to the inability to establish the source of the attack and the consequences of asymmetrical response.
And, finally, the fifth identified problem is the lack of a clear international legal framework. The author highlights the concepts of different states, from the USA to China and from Russia to the UK. There are two block approaches to the regulation of cyberspace. The first — tentatively referred to as “Western” — assume that in general, the existing body of international law, humanitarian law in particular, already covers cyberspace. It can be applied to issues related to emerging information technology. This approach was most clearly developed in the Tallinn Guidelines for Cyber Warfare and Cyber Operations (developed in two points by the NATO Joint Center for Excellence in Cyber Defense).
The second approach, the Russian one, suggests that although relevant international law applies to cyberspace, the formation of an additional base of legally binding documents is necessary. The Russian approach focuses more on how to prevent information wars, while the Tallinn leadership regulates the rules of war itself. Therefore, the domestic approach does not accept the method of the North Atlantic Alliance, perceiving it as already de facto legalizing cyber warfare. The key document refers to the 2011 Convention on International Information Security, which aims to prevent the misuse of information and communication technologies for political, military, terrorist, and criminal purposes.
Furthermore, the authors devote special attention to a very crucial document, now taken as a kind of consensus between the two designated approaches — the Report of the UN Group of Government Experts (UN GGE) 2015, stating that:
- States will not attack each other’s critical infrastructure
- they will no longer insert malicious “bookmarks” into their IT products.
- refrain from indiscriminately accusing each other of cyber attacks.
- make efforts in the fight against hackers carrying out computer sabotage from or through their territory.
Per contra, cyber-norms have already dramatically influenced social norms. The role of « norm entrepreneurs » consists in persuasion through the organizational platform.
Going forward, while many States still perceive the evolving norms with a sense of unity, the focus seems to have shifted from negotiations norms among adversaries to shaping patterns with like-minded countries, setting the norm of competition in cyberspace.
At the level of national states, the confidentiality issue arises due to mass surveillance, that is when a democratic state enters a polemic with civil society over the legality of access to encrypted data (for example, a terrorist). Beyond the identity, attribution also extends to figuring out the motivations and intentions of the attacker, and whether he/she is acting alone or on behalf of a state or an entity. The vulnerability of critical infrastructure further exacerbates the situation. Cyberattacks are the equivalent of natural disasters. And to eliminate these disasters and preventive responses, cyberspace offers unprecedented opportunities for public-private partnerships. This would ideally be achieved through more cooperation between government outsourcing their responsibility of being overarching security provider to private companies or acquiescing to private sector demands. Nevertheless, the approaches and laws for data protection have subjective applicability and relevance, like the requirements, digitization, and technology maturity vary across every nation-state.
In the ratio of information security and communication in cyberspace, the author calls encryption a possible key to solving the problem.
Having made cybersecurity one of the priority areas of action, India appears as a flagship cybersecurity country. Critical infrastructure is now much more dependent on cyberspace, and trade-offs can be detrimental. Higher confidence in attribution can justify punishment and strengthen deterrent capability by setting a precedence that threat actors, including nation-states, will have to pay as a response for any hostility. Cybersecurity, as a non-traditional security domain, would require a non-traditional approach to problem-solving and public-private partnerships. Something that, in this case, could help provide solutions to many problems.
If we trace the logic of the authors’ thoughts, we can see that the line moves from the level of international organizations to the individual level, which is of interest. Cyberspace, like nothing else, shows the entry into the world stage of new actors. These actors appear due to objective necessity. States are no longer the only guarantors of personal security. The network system of interaction of actors partly erases state borders. However, boundaries appear as soon as the actor crosses the established red line, the permitted boundary of actions. At the same time, for each actor, this red line remains individual. The combination of the tangible physical world of the infrastructural and virtual world remains too voluminous for operationalization. However, the apparent shrink of the cyber universe is observed.
Dr. Cherian Samuel is Research Fellow in the Strategic Technologies Centre at the Manohar Parrikar Institute for Defence Studies and Analyses. He has written on various cybersecurity issues, including critical infrastructure protection, cyber resilience, cybercrime, and internet governance. Munish Sharma is a Consultant in the Strategic Technologies Centre at the Manohar Parrikar Institute for Defence Studies and Analyses. His research interests include cybersecurity, critical information infrastructure protection, space security, and geopolitical aspects of emerging technologies.
From our partner RIAC