VIF TASK FORCE REPORT

@

Credible Cyber Deterrence in Armed Forces of

Vivekananda International Foundation

Credible Cyber Deterrence in Armed Forces of India

“Nations must also take responsibility to ensure that the digital space does not become a playground for the dark forces of and radicalization”

-

Vivekananda International Foundation Published in March 2019 by Vivekananda International Foundation 3, San Martin Marg, Chanakyapuri, New Delhi - 110021 Tel: +91-(0)11-24121764, +91-(0)11-24106698 Fax: +91-(0)11-43115450 E-mail: [email protected] Web: www.vifindia.org Follow us on twitter@vifindia

Copyright © Vivekananda International Foundation

Design and production: https://magnumcustompublishing.com ‘‘We are facing a future where security challenges will be less predictable; situations will evolve and change swiftly; and, technological changes will make responses more difficult to keep pace with. The threats may be known, but the enemy may be invisible. Domination of cyber space will become increasingly important… When we speak of Digital India, we would also like to see a Digital Armed Force.”

- PM’s address to the Combined Commander’s Conference, October, 2014

3

Table of Contents

Task Force Members 9 Foreword 11 Acknowledgements 13 List of Abbreviations 15

PART I 17 Executive Summary 19 Approach to Capacity Building 20 Seven Pillars for Capacity Building of Cyber Power: 20 Note: FORMATION vis-à-vis Agency 21 Recommended Timelines and Roadmap 22 Recommended Missions of Cyber Formation 22

Recommendations 22 Policy: Cyber Warfare-enabled Armed Forces and Cyber Formation 23 Strategy for Cyber-enabled Armed Forces 24 Cyber Doctrine for Indian Armed Forces 25 Technology, R&D, Standards and Integrity of Data 28 Integration and Development of Concepts for Application of Cyber Power for effective Cyber Deterrence 29 International Engagement and Legal Framework 30 Priority Tasks of the (DCyA) 30 Organisation for Building Capabilities for Cyber Deterrence 32 Human Resource, Training and Certification 34 Recommended Approach for Technology Development 36 Contractual Clauses for System Protection and Availability 36 Emerging Threats and Negation Technologies 37 Integration and Development of Concepts for Application of Cyber Power for Effective Cyber Deterrence 38

5 International Engagement and Legal Framework 39 Supporting National Institutions, Policies and Infrastructure 41 Policies and Infrastructure 41 Budgetary Assurance 42 Road Map and Action Plan 42

PART II 43 Section One: Policy and Strategy for Cyber Deterrence through Development of Cyber Power in Indian Armed Forces. 44 Environment Scan 45 The Indian Scene 47 Approach to Capacity Building 48 Seven Essential Factors Constituting Cyber Power 49 Seven Pillars for Capacity Building 50 Note: FORMATION vis-à-vis Agency 51

Section Two: Policy and Strategy for Developing Cyber Capability of the Indian Armed Forces 52 Introduction 53 Aim 53 Threat Scenario 53 Characteristics of Cyber Warfare 54 Targets for Cyber Warfare 55 Role of Cyber Formation/Defence Cyber Agency 55 Polic y for Creating Cyber Warfare Enabled Armed Forces 56 Strategy 57 Conclusion 58

Section Three: Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations 59 Indian Armed Forces Cyber Doctrine 61 Organisation and Adaptation of Cyber Force 62 Human Resource, Training and Certification 63 Technology, R&D, Standards and Integrity of Data 65

6 Integration and Development of Concepts for Application of Cyber Power for Effective Cyber Deterrence 67 International Engagement and Legal Framework 68

Section Four: Organisation for Cyber Deterrence, Synergy, Staffing and Adaptation of Cyber Force 69 Organisation for Capacity Building in Cyber Deterrence 71

Section Five: Human Resource, Training and Certification 77 Focus Area of Securing Military Cyber Space 79 Some Other Issues 81 Conclusion 82

Section Six: Technology, R&D, Standards and Integrity of Data 83 Introduction 84 Suggested Approach for Technology Development 84 Emerging Threats and Corresponding Negation Technologies 86 Priority Technologies for Defence Forces 86 Research and Development 90 Contractual Clauses for System Protection and Availability 91 Contract Goals 92 Conclusion 92

Section Seven: Integration and Development of Concepts for Application of Cyber Power for Effective Cyber Deterrence 93 Synergy, Jointness and Integration 96 Development of Concepts for Application of Cyber Power 96

Section Eight: International Engagement and Legal Framework 97 International Engagement 98 Military Diplomacy 102 Legal Framework 103 Introduction 104 The Constitution of India and Cyber 104 Cyber Space Jurisdiction 105 Rule 2 of Tallinn Manual 105

7 Establish Nation-wide Cyberwar fighting Processes and Procedures 106 Privacy and Cyberwar 106 Cyberwar and Deniability 107 Protection to the Engaging Forces 107 Amendment to Section 69 of the Information Technology Act 108 Conventions and Treaties 109 Cyber Forensics 110 Rules of Engagement 110 Some Actions/Matters which may be Acceptable as the Rules of Cyber Engagement 111 Role of Defence Services Headquarters 111 State of Cyber Readiness 111 Preparedness by Defence Forces 111 Recommendations and Timelines 112

Section Nine: Supporting Institutions, Policies and Infrastructure 113 Establish National Cybersecurity Commission (NCSC) 114 Cyber Policy Research Centre 114 Integrated Cyber Threat Intelligence Centre 115 Indian Cyber security Operations Centre 115 Assurance Framework, Test and Certification 115 An Agency for Information Security 115 National Centre for Cybersecurity Resilience 115 Cyber Command. 115 National Policies to be Revised and Infrastructure 116

Section Ten: Comprehensive Cyber Power at National Level 117 Recommended Integration of DCyA at National Level 119

Section Eleven: Road Map and Action Plan 122 Invited Experts 124 Task Force Team 126

8 Task Force Members

1. Lt. Gen. Davinder Kumar, PVSM, VSM Bar, ADC (Veteran)

2. Lt. Gen. Anil Kumar Ahuja, PVSM, UYSM, AVSM, SM, VSM & Bar (Veteran)

3. Lt. Gen. (Dr.) V.K. Saxena, PVSM, AVSM, VSM (Veteran)

4. Lt. Gen. (Dr.) S.P. Kochhar, AVSM Bar, SM, VSM, ADC (Veteran)

5. Maj. Gen. P.K. Mallick VSM (Veteran)

6. Brigadier Abhimanyu Ghosh (Veteran)

7. Brigadier (Dr.) Ashok Kumar Pathak (Veteran)

8. Commander Arun Saigal (Veteran)

9. Commander Mukesh Saini (Veteran)

10. Air Devesh Vatsa VSM

9

Foreword

India has to be militarily powerful to be a meaningful player in international politics. As the world’s fifth largest economy, it must be a secure nation to deter her enemies. India’s Poet Laureate Dr. Ramdhari Singh Dinkar, in his poem quoted above, has correctly observed that only the powerful possess the ability to pardon someone and that no one cares for the weak or toothless.

Cyber strategies and deterrence are the new ‘normal’ of national power. Historically speaking, the doctrinal response to new strategic challenges has always been slow and reactive. For example, it took a year to respond to (1914); almost two decades to evolve a doctrine against strategic air bombing (1937); a half-a-decade passed before mechanised warfare (1940) evolved to counter mechanised forces; the doctrine of nuclear deterrence took many decades to evolve after the first use of a nuclear bomb in 1945. Global powers are still struggling to evolve ways to counter cyber warfare. Addressing the Combined Commanders Conference in October 2014, Prime Minister Modi said, ‘When we speak of Digital India, we would also like to see a Digital Armed Forces’.

Aware of cyber power being a critical component of India’s comprehensive deterrence capability, the Vivekananda International Foundation set up a task force under the chairmanship of Lt. Gen. Davinder Kumar (Retired) to suggest a road map for cyber deterrence in her armed forces. I am happy to present the task force’s report for discussion and debate.

The task force has primarily concentrated on military aspects of cyber deterrence and how it should be integrated with national capabilities. It has made recommendations in policy, strategy, organisation, technology, manpower, international engagement, legal framework, research and development, and training. A fair attempt has been made to look at it from a higher perspective where cyber war becomes a subset of cyber power. The report identifies seven pillars for enhancing the cyber capabilities of the Indian armed forces, including operationalisation of a ‘Defence Cyber Agency’ as a stepping stone to develop cyber power within the designated time frame.

11 Lt. Gen. Davinder Kumar (Retired) was the Signals Officer-in-Chief of the and after retirement has devoted himself to the study and analysis of cyber issues, and particularly the emergence of India as a cyber power. The other members of the task force looked at development and application of cyber power as a means of conveying cyber deterrence. I would like to thank Lt. Gen. Kumar and his team for their painstaking research, focused approach and sincerity in preparing this report. My special thanks to all invited experts for their contributions in making this report.

New Delhi Dr. Arvind Gupta 27 March 2019 Director, VIF Acknowledgements

At the very outset, I would like to convey my grateful thanks to Dr. Arvind Gupta, Director, Vivekananda International Foundation (VIF) and Lt. Gen. Ravi Sawhney PVSM, AVSM (Veteran), Centre Head and Senior Fellow, for assigning this subject for study, providing necessary guidance, support and a balanced and highly experienced team to prepare this report. It is rare to have a task force with over 400 years of collective wisdom and varied experience, both in combat and policy making. Each member of the task force made a sizable contribution and I would like to express my gratitude for their contribution to the task assigned and for their participation in stimulating informed discussions in a frank and forthright manner. Resultantly, we have an India-centric comprehensive document dealing with all aspects of acquisition and application of cyber power in line with recommended policy, strategy and doctrine. The task force is confident that implementation of these recommendations would fill a strategic gap in India’s security architecture and provide the base for the creation of a Cyber Command.

My grateful thanks to Ms. Anuttama Ganguly, Joint Secretary, and her team for providing excellent logistic support. Our thanks also to the IT, editing and printing teams.

My special thanks to the ‘Invited Experts’, who so willingly gave their time and valuable inputs. My grateful thanks to Member Secretary Commander Mukesh Saini for his excellent time management in facilitating realtime information sharing amongst members and assistance in creating the final document, besides working on the legal framework.

Finally, I reiterate that the team worked diligently in ‘mission’ mode and delivered on schedule. I could not have asked for anything more.

Lt. Gen. Davinder Kumar, PVSM, VSM Bar, ADC (Veteran) Chair Person, Task Force

13

List of Abbreviations

AoR Area of Responsibility BREXIT Britain to exit the European Union CAN Computer Network Attack CBMs Confidence Building Measures CC-TLD Country Code Top Level Domain Servers CERT Computer Emenrgency Response Team CII Critical Information Infrastructure CISO Chief Information Security Office CIWO Command Officer CND Computer Network Defence CNO Computer Network Operations CSO Cybersecurity Officer DASI Directorate of Air Inspection DCyA Defence Cyber Agency DDoS Distributed Denial of Service DevSecOps Development - Security - Operations DGND Director of Naval Design DIARA Defence Information Assurance and Research Agency DLP Data loss prevention EDR Endpoint detection and response ELINT Electronic Intelligence EM Electro- Magnetic EW GCHQ Government Communications Headquarters HPC High-performance computing HUMINT Human Intelligence ICANN Internet Corporation for Assigned Names and Numbers IETF Internet Engineering Task Force IEW Information and Electronic warfare IMO International Maritime Organisation IoT Internet of Things IT Act, 2000 Information Technology Act 2000 ITU International Telecommunication Union IW Information Warfare MASINT Measurement and signature intelligence

15 MDR Managed detection and response MeitY Ministry of Electronics and Information Technology MiM Man-in-the-Middle NCC National Cadet Corp NCCC National Cyber Coordination Centre NCIIPC National Critical Information Infrastructure Protection Centre NCSC National Cyber Security Commission NCSP National Cybersecurity Policy NEP National Electronic Policy – 2012 NIB National Information Board NMCOC National Maritime Cyber Operations Centre NSCS National Security Council Secretariat NSQF National Skill Qualification Framework NSS National Service Scheme NTA Network traffic analysis NTRO National Technical Research Organisation OPSEC Operational Security OSCE Organisation for Security and Cooperation in Europe OSINT Open Source Intelligence OSS Operational Support System QRT Quick Response Team RoCyE Rules of Cyber Engagement SaaS Software as a Service SCADA Supervisory Control And Data Acquisition SCO Shanghai Cooperation Organisation SIEM Security Information and Event Management SIGINT Signal Intelligence SOC Security Operation Centre TA TLD Top Level Domain UBA User-behaviour analytics UNGGE United Nations Groups of Governmental Experts VAPT Vulnerability Assessment & Penetration Testing VDN Virtual Dispersive Networking WESEE and Electronics Systems Engineering Establishment WMD of Mass Destruction WSIS World Summit on Informational Society

16 PART I

17

Executive Summary

Military practitioners have been excited more and more reliant on cyber power, by the use of the term ‘cyber war’ for some vulnerability also increases and proper years now. Influence of technology on warfare safeguards are absolutely essential. It is is increasing, and cyber capabilities only certain that complexities in this form of emphasise the fact. It is often mooted that conflict will increase and so will their impact. information technology and cyber could well It behoves us therefore, to recognise the need determine the victor in the digital battlefield for developing cyber power by way of skilled of tomorrow. human resource, formal training, technology, research and development, and necessary Twenty-first century warfare is all funding. Application of cyber power must about improved situational awareness, form part of our planning process. contextual knowledge, discerning disposition and synergised action. Technological Though instruments of cyber power can breakthroughs have profoundly altered and work independently, there is an exponential shaped the doctrinal, organisational and increase in their effects when deployed with strategic contours of warfare. Information Electronic Warfare (EW) and Kinetic Energy Technologies, sensors, miniaturisation and systems. Cyber power application will have a ubiquitous wireless connectivity have created significant impact on other warfare domains. an entirely new domain of warfare by way of One may state that in times to come, ‘cyber space’ and put warfare on the cusp ‘cyber superiority’ will be an essential and of an epochal shift from the conventional to operational imperative. an information-based virtual age. This wave Developments of cyber power for of cyber-driven transformation is radical, operations in cyberspace significantly expand sweeping and innovative, demanding a relook options available to policymakers and field at established strategic plans and to chalk out commanders. a new direction for operational enhancement and improved tactical efficiency. Cyberspace The consequences of the application of and cyber power offer a whole new set cyber power for offensive operations may of technological solutions to some of the vary in severity, lethality, intent or geographical challenges of . distribution and can manifest in complex, dynamic and unpredictable ways, having far- Cyberspace promises distinct advantages reaching tactical and strategic implications. in a connected world, from intelligence accretion and analysis to faster and more We need to formulate and promulgate reasoned decision-making. As we become our policy for capacity building of cyber

19 VIF Task Force Report

deterrence related strategy, and a doctrine for next three years and concurrently develop our armed forces. Accordingly, the task force capabilities for full spectrum Information set its aim as follows: Warfare with cyber power as one of its major constituents. TO PREPARE A ROADMAP AND AN ASSOCIATED ACTION PLAN FOR ACQUIRING The task force accordingly decided it CREDIBLE CYBER DETERRENCE ACROSS would follow two approaches – one that FULL SPECTRUM IN THE ARMED FORCES, would concentrate on capability build up COMMENSURATE WITH INDIA’S STANDING within our armed forces, and secondly, a AND SECURITY NEEDS AND INTEGRATING suggested integration with the national THE SAME WITH THE NATIONAL CYBER cybersecurity architecture at a macro level. SECURITY ECO-SYSTEM. The task force recommends building of credible cyber deterrence through Approach to Capacity Building development of capabilities for cyber power India released its National Cybersecurity for our armed forces on the Seven Pillars Policy (NCSP) in 2013. This very comprehensive illustrated below: document deals with almost all facets of cyber security. Surprisingly, NCSP-2013 does not talk Seven Pillars for Capacity Building of about the creation and application of cyber Cyber Power: Indian Armed Forces power; the role, organisation, equipping and 1. Policy and Strategy for Development training of the Indian Armed Forces to execute and Employment of Cyber Power cyber-enabled operations and cyberwar; leaving a glaring gap in national security. 2. Indian Armed Forces Doctrine for Application of Cyber Power and There is an urgent requirement to Information Operations enunciate our national cyber power policy 3. Organisation for Cyber Deterrence, and doctrine, build ‘Cyber Power as a Synergy, Staffing and Adaptation of System’ commensurate with India’s security Cyber Force needs and integrate it with other warfighting domains to guard against the full spectrum 4. Human Resource, Training and of threats. Certification 5. Technology, R&D, Standards and The government, very recently, has Integrity of Data accorded approval for the raising of a Defence Cyber Agency (DCyA). It is felt that at best, this 6. Integration and Development of is a half-hearted attempt, keeping in mind the Concepts for Application of Cyber threats and India’s geopolitical role. Power for effective Cyber Deterrence 7. International Engagement and Legal The task force recommends that the Framework formation of DCyA be taken as an intermediate step towards the formation of a full-fledged Cyber Formation or Cyber Command over the

20 Executive Summary

Note: FORMATION vis-à-vis Agency

A ‘Formation’ is an organisation entity in the Indian Army like a , Division, Corps and Command. There is no organisation like an ‘Agency’. The raising of a Defence Cyber Agency is perhaps the lowest in the rung, not well understood, has limited resources and would not be in a position to convey ‘Deterrence’ as stated in the recommended Cyber Doctrine for the Indian Armed Forces.

Accordingly, the task force felt that while a Defence Cyber Agency is a long awaited and a welcome measure, it must provide the base for an Indian Cyber Command which must be created within the next three years to effectively respond to likely and emerging threats.

Since one is not certain of the government’s likely decision, the report has expressions like ‘Formation/DCyA’. Formation conveys the organisational level of cyber power, (cyber brigade/division/corps/command) is a familiar entity, and hence, well understood. Recommendations made in the report are equally valid to both, the Formation and Defence Cyber Agency.

Further, the terms convey the long-term applicability and validity of the report as the DCyA transforms to a Cyber Command.

21 Recommendations

Formation of Defence Cyber Agency Recommended Timelines and (DCyA) be taken as an intermediate step Roadmap towards the formation of a full-fledged Cyber Formation or Cyber Command over the next The suggested timelines and associated three years, while concurrently developing recommendations are mentioned. Most capabilities for full spectrum Information activities have to start concurrently. Following Warfare with cyber power as one of its major legends have been used: constituents. • {Immediate} – Action on these recommendations should start Build capabilities of cyber power for our with utmost urgency and should armed forces on Seven Pillars as illustrated be completed within six months of below: approval of recommendations 1. Policy and strategy for development • {Priority One} – These and employment of cyber power recommendations should not take 2. Indian Armed Forces doctrine for more than one year to complete application of cyber power and • {Priority Two} – These information operations recommendations are not necessarily 3. Organisation for cyber deterrence, of lesser priority but expected to take synergy, staffing and adaptation of up to two years cyber force • {Priority Three} – Work on these 4. Human resource, training and recommendations is contingent certification on completion of some other 5. Technology, R&D, standards and recommendations or require elaborate integrity of data execution. However, implementation should not take more than three years 6. Integration and development of concepts for application of cyber power for effective cyber deterrence Recommended Missions of Cyber Formation are: 7. International engagement and legal • Defending own computer networks, framework platforms and weapon systems • Defence against foreign-origin or foreign-sponsored cyberattacks,

22 Recommendations

especially if they cause loss of life, • Ensure budgetary support and property or significant foreign policy effective liaison with other agencies, and economic consequences academia and R&D establishments • Provide offensive cyber options, to be implemented on approval as force Policy: Cyber Warfare-enabled multipliers for other operations. This Armed Forces and Cyber Formation would include covert operations • Provide a dedicated, trained and • Synergising cyber intelligence with equipped military organisation to Signals Intelligence, Electronic execute all operational aspects in this Intelligence (ELINT), Human domain Intelligence (HUMINT) and operational • Cyber Formation/DCyA would work in security for a comprehensive threat conjunction with the overall national analysis in the information warfare Cybersecurity architecture, including domain the three Services • Plan and execute cyber deception • Be responsible for conduct of ‘cyber • Recruit, train, retain and periodically support operations’ to include: refresh human resource. Equip them • intelligence collection, collation, and be responsible for their cadre analysis and dissemination management • Cyber deterrence • Be a part of ‘Military Diplomacy’ and • Formulation of prioritised cyber exchange information with friendly target lists of potential adversaries nations, joint training and follow an integrated approach for Internet • Plan and execute retaliatory governance, legal framework and offensive operations favourable policies • Conduct testing and certification • Effectively liaison with civilian of hardware and software counterparts for policy making, • Assist in development of processes, exchange of information, indigenous technologies, and ensure interoperability of systems weapons, cryptology and • Establish a suitable organisation cryptoanalysis tools and language for information assurance and • Conduct training and cyber management exercises, and management of • Create necessary ‘Systems’ and international cyber cooperation infrastructure for training, laying down Cyber Formation /DCyA to have a robust of policies and processes legal component to ensure operations are • Establish technology research conducted in compliance with the rules of facilities, both by the Services and engagement, international and domestic jointly with the private sector laws, and that enough legal justification exists

23 VIF Task Force Report

for transcending to physical conflict (kinetic Cybersecurity Organisation. It would offensive action) when necessary. be responsible for testing and validating all software and hardware to The Cyber Formation would be responsible be used, particularly in critical areas; for planning and conducting of cyber setting up a facility for examining offensive operations, deception and cyber and certifying all hardware procured/ exploitation, particularly related to likely manufactured, and participate in all targets, vulnerability assessment, probing decisions/discussions related to the missions, penetration testing and exploitation award of contracts or projects {Priority of adversary networks. One} It would also be responsible for complete • Formulate robust ‘rules of engagement’ information management and information for responding to cyber attacks and assurance. authorise the cyber command or formation for the conduct of such Strategy for Cyber-enabled Armed operations Forces • Formulate contingency plans for • Creation of an appropriately ‘situated ‘Degraded Operations’, evolve and and constituted’ operational formation rehearse continued execution of for all aspects of cyber power to convey operations in different spheres, albeit deterrence across full spectrum with degraded capability (Immediate) • Cyber Command/Formation to be • The primary responsibility for cyber responsible for creating superior defence would rest with respective military capabilities in cyberspace ministries, departments, organisations • Cyber Formation to be responsible and industry for simulator training and for setting • Services (Army, Navy and Air Force) up and managing the National Cyber would be responsible for their basic Range cyber security, to include cyber • Cyber Command/Formation to resilience and defence in depth be structured and empowered to Cyber Command/Formation would outsource operations and employ be responsible for specific military embodied personnel selectively aspects and be the only organisation • Cyber Command/Formation to be authorised, equipped and trained to responsible for evolving a ‘Cyber conduct offensive cyber operations, Technology Perspective and Capability including those related to strategic Road Map’ for Information Warfare intelligence and deception • Cyber Formation would be responsible for enforcing compliance of policies enunciated by the National

24 Recommendations

Cyber Doctrine for Indian Armed Forces For the purpose of cyber deterrence and application of cyber power, both civil and India must release at the earliest an military assets would be considered as one. ‘Integrated National Cyber Doctrine’, However, subsequent to clearance by the developed jointly by the civil authority and nominated authority, the conduct of a cyber the armed forces with ‘Cyber Security’ dealt offensive or cyber deception would be the by the civil authorities and ‘Cyber Power’ by prerogative of the armed forces. the armed forces. {Priority One} Indian Armed Forces cyber doctrine would be The application of cyber power, either on its own or in conjunction with other constituents of power, should be decided by Multi-layered resilience with active defence the Cabinet Committee on Security (CCS), and deterrence keeping in mind the overall threat scenario, This doctrine would form the basis for the impact on national security and the developing full spectrum of cyber power in responses needed for a given situation. the armed forces which would comprise of The following situations would warrant cyber-crime investigation including cyber application of cyber power either by itself or forensic, counter cyber terror operations, integrated with other instruments of power: cyber espionage, and in-depth cyber defence with particular emphasis on platforms, cyber • Any cyber intervention which adversely offensive, cyber deception, cyber-enabled impacts: operations and cyberwar either by itself, or • India’s sovereignty and security in conjunction with EW and kinetic means. • Availability of India’s critical Development of processes and capabilities information infrastructure for employing cyber power in different • Free navigation, mobility operations and training of cyber leaders must and freedom of action in the be top priority. electromagnetic and cyber space of India While the responsibilities of the civil authorities and armed forces must be • Any cyber probing mission resulting unambiguously defined, the absolute in loss of a platform, manned or necessity of information exchange, integration autonomous, will be considered as an of capabilities, joint training and development act of war and would attract response of mission-oriented cyber weapons, and so accordingly on, should also be clearly emphasised. • Exfiltration of sensitive information having an adverse effect on the A dedicated organisation tasked with the economy, financial system, defence, raising and operationalisation of ‘Defence security, atomic infrastructure and Cyber Agency’ (DCyA), suitably empowered strategic industry would draw a strong and with assured budgetary support, would and focused response in any manner be central to building requisite capabilities. India deems fit. {Immediate}

25 VIF Task Force Report

Implementation would be done in two The armed forces must ensure near 100 parts concurrently and monitored by the percent computer literacy over the next three Chiefs of Staff Committee periodically: years which must include ‘Good Practices’ • Part 1, enhance the capabilities of and ‘Cyber Hygiene’ to be followed by all. each Service and raise DCyA as an Computer awareness, literacy and aptitude umbrella organisation responsible must be reflected in the appraisal which could for training, equipping, fielding, form the basis of retraining and selection of infrastructure, integration and cyber . {Priority One to Three} information management Availability of cyber warriors and cyber • Part 2, integration of cyber power leaders across multiple skills which constitutes with cybersecurity architecture at cyber power is an extremely critical factor the macro level and command and and perhaps the biggest challenge. The control ensuring least turbulence armed forces will have to adopt a multi-level in implementation and be flexible approach and concurrent execution. Following enough to face new threats and may be considered: accept new technologies • Establish world-class training facilities The country needs to build a thought along with industry and academia leadership and weave together India’s to impart training with curricula for potential to create cyber deterrence under different levels and highly qualified one organisation with complete responsibility, faculty. {Priority One to Two} accountability and budgetary support • Select/Recruit younger jawans/ sailors/airmen with necessary The exercise of cyber power is entirely qualifications and aptitude for ICT dependent upon the tactical skills of the and computers and train for three operator as he is the ‘man behind the gun’. to four months to concentrate on At the operational and strategic levels, we Computer Network Defence (CND). need cyber leaders to plan and conduct The brightest amongst these should cyber operations, both in stand-alone and be listed for Computer Network integrated applications, in conjunction with Attack (CNA) training after a tenure IW and kinetic power. of two years in the field. This training Innovation, change of working culture, could be outsourced to corporate attractive provisions with regard to pay or academic establishments on and allowances, creation of an appropriate a zonal or a region basis {Priority cadre with multiple avenues for growth and One to Three} promotion, recognition and status backed • While we must exercise the option by concentrated training, acquisition of of outsourcing, the armed forces skills and chance of location across the must have their own military training globe are a few measures which may facilities and system integration help in getting and retaining the right with IW and KE assets {Priority One human resource. to Three}

26 Recommendations

• Select M.Tech.-qualified officers and and mental robustness to withstand send them to countries like Israel, cognitive attacks aimed at behavioural UK, USA, South Korea and Russia for change, perception management and training in cyber warfare, participation lowering of {Priority One to in field exercises, and learn processes Three} and drills for employment of cyber • Explore organisations like the National power in the Indian context. These Cadet Corps (NCC), National Service officers will form the nucleus in Scheme (NSS) and police cadets accordance with the concept of ‘Train to provide young, motivated and the Trainers’. They will also form the disciplined resource for the cyber backbone of the cyber leadership cadre. All these organisations {Priority One} must have cyber wings which act as • Multi-level cybersecurity should be a nursery to meet the requirements of introduced as a topic for graduate, cyber operators and warriors partially post-graduate and doctoral studies in {Priority One to Three} Indian institutions {Priority Two} • Raise at least one Territorial Regiment in • Special care and emphasis on each Command capable of conducting selecting people for Computer all types of cyber operations, Network Exploitation (CNE). They particularly CND and counter-offensive must be trained specifically in different and detaching integrated teams in languages, information assurance, big support of operations {Priority One data, analytics, co-relation, Artificial to Three} Intelligence, cryptanalysis, code • The launch of a cyber offensive breaking, blockchain, analysis of or cyber deception would be the ‘kill switches’, patch management, responsibility of the cyber formation. network management systems and Accordingly, at least 10 integrated designing of both disruptive and teams will be created in three years destructive cyber weapons {Priority on an incremental basis {Priority One One to Three} to Three} • Emphasis must be on correct • As part of ‘Crowd Sourcing’, create recruitment, training, retention and an organisation like ‘Institute of re-training. Rules must be flexible and Cybersecurity Professionals’, focused on attracting the requisite select highly qualified resource resource. Some degree of relaxation from corporate, academia and R&D in regimentation and working establishments to be ‘on call’ to assist environment would be in order during crises. Initially, they could be • An extremely important aspect of invited to contribute in the formulation training would be the development of strategy and assist in the capability of an offensive spirit, agility of mind build up {Priority One to Three}

27 VIF Task Force Report

• Involve Indian diaspora for technology, facilities. This approach would mitigate training, investments and setting up the risk to supply chain vulnerabilities to a R&D facilities {Priority One to Three} large extent, especially in the case of critical • The armed forces must immediately systems. {Priority One to Three} establish an ‘Academy of Information India being one of the fastest growing Operations and Management’ with Internet and smartphone markets carries dedicated wings and facilities for substantial clout. She must use that for getting training in the employment of cyber favourable terms with regard to the integrity power across the full spectrum. of chips, ensure a supplier’s responsibility This must be independent of the in case of malware, cyber insurance and training facilities of the Services fastest delivery of patches/kill switches, with and must concentrate on advance a penalty for delays. Joint inspection facilities training and strategy with the requisite for chips, products and systems must also be participation of the civil sector {Priority considered. These should be an integral part One to Three} of the contract document and would be easier to incorporate if manufacturing is being done Technology, R&D, Standards and in India. {Priority One to Three} Integrity of Data Encourage start-ups and small and Analyse and revise the National Electronic medium-sized enterprises (SMEs) to work Policy (NEP) – 2012 under the ‘Make in India’ on secure software, products and systems. programme to meet the requirements of both Some have done well, exported their products cybersecurity and cyber power. It must be and established joint ventures. Military made more attractive for people to invest. orientation should be relatively easy and must {Priority One to Three} be explored. {Priority One to Three}

The policy must concentrate on production A formal military-industry interface of secure products and systems, their and their association with design and integration with expertise in ‘engineering to manufacturing agencies is necessary. {Priority production’ based on Indian standards for One} information security and secure products which are about to be released. Special emphasis We must have an organisation like the must be put on the design and availability of Weapons and Electronics Systems Engineering ‘secure industrial control systems’. Establishment (WESEE) in all three services to start with and later establish the same in Given that semiconductor chip selected commands. {Priority One} manufacturing foundries are capital intensive with still longer gestation periods, it may be Integrated teams must carry out a regular a good idea to hire facilities abroad initially. audit of platforms, weapons, systems and This would compress the time frame for the software to find vulnerabilities and how to development of skills and be cost-effective, close those. The manufacturer must be made while concurrently, we establish our own equal partner through well-drawn contract and

28 Recommendations be responsible for ‘availability’ of systems, Continuously examine options and devise a regular inspection to look for malware and methodology for the acquisition of technology release of patches to nullify any vulnerability to include R&D, manufacturing, and availability or accommodate the change in technology. of human resource with requisite skills and {Priority One to Three} requirements of infrastructure like cyber range, networks for simulation, and for making of Consider appointment of an Inspector cyber weapons. {Priority One to Three} General (Cybersecurity) to be assisted by a small team of experts like DASI of the , to oversee cybersecurity of Integration and Development platforms and weapon systems during peace of Concepts for Application of and field exercises. {Priority Two} Cyber Power for effective Cyber Deterrence R&D for product development and cyber weapons: India needs focused R&D in the The foremost task of the Cyber Formation/ development of safe products, discovery and DCyA would be to ensure that integration analysis of vulnerabilities, fixing attribution, is embodied across all functions, including the design of ‘kill switches’ and security operations, intelligence, technology patches; creation and analysis of malware, management, perspective plans, logistics and production and delivery of cyber weapons human resources development (HRD). Such and concentrate in capability building for embodiment enables common understanding electronic combat as part of Information leading to efficient and optimised responses. Warfare (IW). {Priority One} Cyber Formation/DCyA would also jointly The Indian Armed Forces must have formulate processes for collaboration with modern means and capabilities for cyber the diplomatic, economic and information exploitation, technical intelligence, cyber instruments of the national power, at all levels – deception and launching of probing strategic, operational and tactical. {Priority Two} operations. In addition, depending on the An integrated approach comprising knowledge of vulnerabilities, it must develop of proactive engagement and shared cyber weapons, both for causing disruption understanding would be developed to bring and destruction. {Priority One to Three} distinct professional, technical and cultural Sharing of intelligence between the disciplines of entities and sub-entities civil and military as also the launch of cyber together. {Priority Two to Three} weapons are a must and should be ensured Capacity building of cyber power would through a statute if necessary. {Immediate} depend on appropriate mission sets, targets Ensuring correctness of information and spheres of operation. Based on these, and integrity of data are absolutely critical the armed forces will work out tactics, requirements along with regular surveillance techniques, procedures and authorities in for any ‘Insider Threat’ for sabotage, stealing cyberspace for military operations. technology or exfiltration of data.

29 VIF Task Force Report

While cyber logistics has emerged as a Priority Tasks of the Defence Cyber new field requiring expertise and attention, Agency (DCyA) cyber deception is an essential capability both for cyber defence and cyber warfare. The first and foremost task of the Cyber Formation/DCyA would be to release a ‘Electronic Combat’ with integration policy document detailing the cyber power of computer network operations (CNO), eco-system for the armed forces, capacity electronic warfare (EW) and electromagnetic building in each Service, and integration at spectrum (EM Spectrum) has taken Information DCyA headquarters. {Priority One} Warfare (IW) to a new level and has provided unique capability focused on the exploitation The DCyA would coordinate and issue of asymmetry. necessary policies, ensure the creation of suitably empowered and integrated organisations on the ground, facilitate International Engagement and Legal release of funds, ensure availability of Framework skilled manpower and training infrastructure. While India has signed several bilateral, {Priority One to Three} regional and multilateral agreements for These organisations must have cooperation in cyberspace, special efforts government sanction to facilitate development would be required for armed forces training, of cyber logistics and infrastructure for participation in exercises, military diplomacy, training, establishments of laboratories and sharing of information of military value, joint release of funds. {Priority One} development of technology and a common voice in the formulation of laws and policies. Based on policies and processes Such agreements with friendly countries can promulgated by the Cyber Formation/DCyA, improve capacity building and must be given each Service must provide resources, impetus at the highest level. The positioning manpower, basic training, infrastructure, of cyber experts in our diplomatic missions and logistics for capacity building to ensure abroad is strongly recommended. {Priority necessary defence and resilience against One to Three} envisaged threats. {Priority One to Three}

The armed forces must have forensic Create awareness about cyber threats in resources to investigate cyber-crimes all ranks of the armed forces, their impact effectively. These could be add-on resources in all areas of our existence and the ability in the legal department of the Services. of cyber weapons to cause disruption and Leaders must be conversant with the IT Act destruction almost equivalent to weapons 2000 as amended in 2008. They also should of mass destruction (WMD). {Priority One be aware of the organisation for Internet to Three} Governance, ICANN, Tallinn Manuals and UN laws/deliberations of cyber war and cyber Commanders to be sensitised to interventions. {Priority Two to Three} digital domain threats, operations as part of the Information Warfare in a digitised battlefield and the certainty of an adversary

30 Recommendations launching cyber weapons, cyber deception Measurement of CSI will be a part of the and 24/7 monitoring of our networks and annual inspection of the establishment. A communication systems as part of cyber score below the required threshold will invite intelligence, besides conducting cyber- special measures by the DCyA. {Priority Two enabled operations with kinetic power. They to Three} must overcome complexes with regard to cyber power being ‘technical’ and concentrate Each Service Headquarters will ensure that on developing its application, both for cyber necessary training and infrastructure is available resilience and cyber offensive. {Priority One for the men to prepare for Certification Tests to Three} to be conducted by DCyA or other nominated agency {Priority One to Three} Formation and unit commanders/ equivalent must ensure that the work and Cross-domain training and exercises responsibilities of cyber personnel are given involving persons from each Service and DCyA due importance and recognition and that they must be done regularly. Actions to obviate the are treated with professional dignity at par flaws particularly related to the discovery with other fighters. {Priority One to Three} of vulnerabilities must be undertaken on top priority and a record maintained. All Each Service must ensure availability concerned must be informed and that data of cyber qualified resources at the unit/ be maintained at the nominated data centre ship/squadron level under a nominated to ensure integrity. {Priority Two to Three} Cybersecurity Officer/Chief Information Security Office (CSO/CISO)), chartered with There is a strategic, inescapable and the responsibility of training, creating general urgent requirement for a ‘Directorate of awareness, information assurance, regular Information Assurance and Management’ monitoring of possible threats, readiness of the at the tri-service level with its nodes at each establishment for cyber resilience measures formation/equivalent connected with each and ensuring that activities as part of cyber other and further with the data centres hygiene and good practices are in order and established by each Service. {Priority Two to complied with at all levels. {Priority One} Three}

Special attention must be given to the use Institute a Cyber Cadre with immediate of social media and look out for any ‘insider effect with flexible construct and less threat’ during the periodic but random audits. regimentation. {Immediate} Surprise audits and checks must be instituted As part of intelligence acquisition and and to be conducted by empowered teams monitoring, recruit requisite resource to from the respective Service Headquarters/ operate in the dark web and deep web and DCyA. {Priority One to Three} monitor it. This capability and task could be Cyber formation/DCyA must formulate given to the Defence Intelligence Agency parameters for measuring the ‘Cybersecurity (DIA) and coordinated with the National Index’ (CSI) of a unit/organisation and Intelligence Agency (NIA) at the appropriate communicate the same to all concerned. level. {Priority Two to Three}

31 VIF Task Force Report

Recruit, train and deploy ‘cyber modules’ and ‘lone wolf’ operators for strategic The Indian Navy would have overall intelligence and special tasks. {Priority Two responsibility for maritime cyber defence to Three} and to provide a firm base for cyber offensive operations to the DCyA. Organisation for Building Capabilities for Cyber Deterrence An empowered coast guard to be responsible for cyber defence of all shore Indian Army establishments and to conduct periodic audit of compliance with DCyA and Naval The army must be organised, equipped and Headquarter’s policies and processes. trained for Information Warfare and must have integral capabilities to thwart electronic/cyber The Cyber Formation or Defence Cyber interventions, launch offensive operations at Agency to oversee all aspects of cyber power the tactical level and provide a launch pad to capacity building across the maritime domain DCyA teams for offensive operations (CNO). in coordination with institutions like National {Priority One to Three} Security Council Secretariat (NSCS), Computer Emergency Response Team (CERT), National The Indian Army needs to balance its Technical Research Organisation (NTRO) and obsession with kinetic energy systems with National Critical Information Infrastructure the absolute necessity of ways and means for Protection Centre (NCIIPC). ‘Electronic Combat’ (IW+EW+EM Space) for that is the most likely threat which manifests The National Maritime Cyber Operations 24/7. {Priority One to Three} Centre (NMCOC) would be the coordination centre for cyber operations within the Navy, Measures for ensuring computer network Coast Guard and other services. The CERT- defence (CND) should be available at all Navy and its Cyber QRTs would be part of it. levels of command and integrated cyber, IO and EW organisation at the formation level. The WESEE would be the nodal technical Information Warfare brigades with specialised cyber advisor to develop a cyber-secure units in the cyber domain, EW and IO should framework, including for Internet of Things be on the ‘Order of ’ of a Corps to begin (IoT) and to issue relevant guidelines for with. {Priority One to Three} implementation and inspection of cybersecure naval equipment, including naval propulsion The Directorate General of Information and engine control systems. {Priority One Systems be transformed to a Tri-service to Three} Directorate of Information Security and provide the secretariat for ‘Cybersecurity WESEE would guide Director General of Advisory Committee’ at Headquarters IDS. Naval Design (DGND) on design, inspection, {Priority Two} development, manufacture, installation of connected onboard sensors and weapons of all naval vessels i.e., from design to delivery

32 Recommendations and subsequent operationalisation. {Priority Institute special measures and complete One to Three} access control for platform security and inside threats. {Immediate} Shipboard Cyber Expertise: While the Navy must have a dedicated Chief Information Security Officer on board, as an Defence Information Assurance and interim measure, the skill set of the officer Research Agency (DIARA) looking after communications and EW needs Following are the indisputable and to be enhanced to include all aspects of absolute strategic imperatives for creation cybersecurity and application of cyber power. and operationalisation of DCyA: {Priority One to Three} • Immediate government letter Integral establishments of the Navy sanctioning formation of a Defence like the Signal School, INS Valsura and the Cyber Agency, its approved Submarine and Naval Aviation Training organisation with incremental School should be organised and equipped for manpower, the military training in application of cyber power. and delegation of powers to the {Priority One} Commander of DCyA. (Immediate) • Appoint Commander of DCyA/Cyber Indian Air Force Formation, post essential staff and issue raising orders. (Immediate) The cybersecurity policy 2018 of the Indian Air Force (IAF) to be shared and • Form a steering committee, headed integrated with the Joint Policy of the Armed by CISC and include stakeholders by Forces. {Priority One} issuing appropriate government letter. This committee would report to the To explore whether ‘Vayusenix’ ( An Raksha Mantri and be accountable for Operating System by Air Force) can be timely operationalisation of the DCyA. upgraded suitably and adopted into the A slippage of eight weeks or more to operating system of the armed forces. be brought to the notice of the Prime {Priority One} Minister/Prime Minister’s Office, National Security Adviser, Chiefs of The IAF needs to secure government Staff Committee and National Security sanction for the organisation, establishment Council Secretariat, clearly stating and other logistic impediments on top priority. reasons and recommended solutions Headquarters must {Priority One} ensure expeditious resolution of logistics to prevent an adverse effect on operational • Nominate a think with requisite capability. {Immediate} domain knowledge and experience as a consulting agency for compressing The training establishment at Bengaluru time frame and creation of ‘knowledge’ should be upgraded for joint training. through analysis of technical {Priority One}

33 VIF Task Force Report

developments and utility in the Indian Human Resource, Training and context. {Priority Two} Certification • The DCyA should have a young • The government must declare profile and flexible policies with ‘cybersecurity’ as a separate cadre regard to tenure, promotions and immediately. There is a strategic cadre management. Merit must be necessity to develop an eco-system acknowledged and rewarded. Selection to generate human resource with should involve tests for aptitude, required skills {Immediate} security consciousness, out of the box • At the national level, all academic and innovative thinking and a never say institutions must be directed to die spirit {Priority One to Three} include basic cybersecurity training • The DCyA must have supporting as part of their curricula {Priority One facilities for human resource, training to Three} and certification, technology, R&D, • The armed forces should identify intelligence, cryptology, coding, academic institutions for training in language, networks and sensors, different skills up to advanced and safe products and systems, policies, doctorate levels. Selected institutions processes and battle drills, integration, are to be given grants or easy finance military diplomacy, international for establishing training facilities and cooperation and interaction with employing highly qualified faculty. cybersecurity components in civil, Selected people to be sent abroad including joint exercises {Priority One for specialised training {Priority One to Three} to Three} • In the first year, the DCyA should • The NCC, NSS and Police Cadets provide a minimum of Two integrated must have cyber wings and become teams which must be operational nurseries of skilled resource, both for within 18 months. Thereafter, in the civil and armed forces {Priority One second year, capacity must be built to Three} for Three integrated teams and for Five teams in the third year. The teams • An Institute of Cybersecurity must be constituted based on the Professionals be formed to draw task on hand and have a very flexible skilled and experienced resource, both construct {Priority One to Three} from within the country and abroad {Priority Two} • Operational parameters, particularly for command and control of these • All military stations be directed to teams and the integral elements form ‘cyber orientation clubs’ open to would get formulated as we go on families of armed forces personnel, both to create awareness and for talent hunting {Priority Two}

34 Recommendations

The focus of capacity building by the armed breaking, cyber weapons, conduct forces would be on: of cyber operations, re-skilling and • Identifying and protecting up-scaling, providing adequate vulnerabilities in military cyber space mobility and opportunities for carrier progression {Priority Two to Three} • Create escalating levels of expertise for cybersecurity • Establish world-class training infrastructure to include one cyber • High level of multidisciplinary expertise range per geography to conduct for deterrent capability theatre aligned specialised courses, • Developing advanced knowledge for create network simulation centres, the future data centres and laboratories for • The primary thrust of training must be information management, supply on detection of threats, chain integrity, cyber deception and of damages and recovery from cyber forensics {Priority One to Three} cyberattacks {Priority One to Three} • Ensure adequate vacancies and • Specialised training to selected finance for language training. At least persons would be imparted in cyber efficiency in one foreign language offensive operations, deception, and be made essential part of officers network penetration and protection training and incentives be given as {Priority One to Three} per language proficiency {Priority One to Three} • Train ‘Cyber Leaders’ in planning, conduct and management of cyber • Create a pool of ‘Master Instructors’ operations at the operational and for training and for them to be available strategic level, both in standalone for crisis management in case of a mode and integrated with Kinetic and major cyber intervention {Priority One Information operations {Priority One to Three} to Three} • Establish an online training and • As a policy directive, cyber proficiency certification facility along with resource in the armed forces be created and for content generation {Priority One organised at four levels: {Priority One to Three} to Three} • Conduct military hackathons, • Level One: Cyber Literate competitions and give away awards to incentivise the seen face of the • Level Two: Cyber Operators cyber workforce both to attract fresh • Level Three: Cyber Warriors talent as well as to keep existing talent • Level Four: Cyber Leaders motivated. The unseen face will also be equally incentivised {Priority Two • Establish skilling institutes, both to Three} covert and overt, for training in special operations, counter-intelligence, code

35 VIF Task Force Report

• Creation of indigenous capabilities be awarded to a consortium of in language, big data, analytics, companies/institutions in a PPP model artificial intelligence, cryptology, with ‘womb-to-tomb’ commitment networks survivability and availability, {Priority One to Three} and nation-wide connectivity are • Timelines for implementation of strategic operation requirements each phase must be clearly specified and imperatives. We must establish with a provision for penalty in case an eco-system at the earliest and of slippage and incentives for early involve all stakeholders {Priority One completion within the budget and for to Three} innovations {Priority One to Three} • The project director/lead company Recommended Approach for to have complete responsibility and Technology Development accountability, be suitably empowered • Establish a ‘National Mission and to have assured access to finance for Information/Cybersecurity {Priority One to Three} Technologies Development’, to be • Attractive provisions and incentives headed by a technocrat and members for start-ups and involvement of drawn from stakeholders, including medium and small scale enterprise representatives from users, private {Priority One} industry, academia and the R&D establishment {Priority One} • Ensuring availability of human resource and training facilities • Carry out a detailed analysis of present and emerging technologies and related • Review/Revise National Electronic threats. Home into technologies that Policy – 2012 and give it strong are needed with timelines for their impetus {Priority One to Three} development to support the doctrine. • Hire a foundry for semiconductors from Some of these technologies, however, a friendly country and concurrently would have to be developed with commence deliberation for a foundry higher priority to meet the immediate in India {Priority One to Three} security requirements of the defence forces. For offensive operations, Contractual Clauses for System the making of cyber weapons and Protection and Availability deception, we would need application- • Supply chain vulnerabilities will specific technologies {Priority One remain a major cause of concern to Three} for ICT networks and systems of the • Create/award dedicated ‘Projects’ for armed forces till such time as basic the development of each technology, infrastructures for the manufacturing its transformation from engineering of chips and network products are not into production, integration and set up in India. Therefore, vendors must upgradation. These projects to be bound by contractual obligations to

36 Recommendations

ensure due diligence from the issue of protect an enterprise’s IT operations today Request for Proposal (RFP) onwards requires a new, holistic approach to assessing for protection of networks and data and designing their security towards an to mitigate against vulnerabilities of integrated and unified security infrastructure cross-border supply chain. They must that prevents attacks in real time. be made accountable for any systems The building of cyber-security into failure on their watch {Priority One} applications is critical in addressing such • Vendors must adhere to Indian law, risks, as well as all the devices that are including the Data Protection Law to interconnected from the very beginning. be announced shortly {Priority One to Three} As attackers improve their capabilities, the armed forces must improve their ability • Contracts may include: to control access and protect their systems • Cyber insurance and its operability from attacks. as per the Indian legal system The armed forces must formally engage • Restrictions with regard to access, with security and risk leaders, evaluate processing and sharing of data the latest technologies to protect against • A clause prohibiting remote access advanced attacks, better enable digital by vendors for maintenance and operational transformation and embrace new repairs of systems computing styles such as cloud, mobile and • Procedures and obligations for DevOps {Priority One to Three} disaster recovery and business India has to develop its own technologies, continuity as part of ensuring electronic manufacturing base, R&D system resilience infrastructure and highly skilled human • Provision of an Escrow account resource. Being late has an advantage of • Overall security and adherence to ‘leap ahead’, but delay can have catastrophic the Indian Official Secrets Act consequences. There is a need to encourage industry, provide a level field, encourage • Training on secure codes, and start-ups and MSMEs and create a vibrant • Maintenance of software codes eco-system. {Priority One to Three} as per the Software Licensing and • One will have to study and analyse Protection (SLP) contract adverse security effects, if any, of the involvement of foreign companies in Emerging Threats and Negation building our infrastructure {Priority Technologies One to Three} Today we are facing 5th generation • Cybersecurity and cyber power are cybersecurity threats wherein attacks are multi- complex subjects. The armed forces everything – multidimensional, multi-stage, would need some agency to translate multi-vector and polymorphic. To properly their operational requirement into

37 VIF Task Force Report

identifying and exploiting the relevant assets from such cyberattacks and technologies. It is for this reason that launch debilitating offensives, both the task force has recommended an to convey her resolve and credibility organisation like the Weapons and of deterrence {Priority One} Electronics Systems Engineering • Space-based assets play a crucial role Establishment (WESSE) of the Navy, in surveillance, intelligence, navigation staffed appropriately both with the and communications. Many nations Army and Air Force. Further, scientific are developing and testing anti- advisers to the service chiefs will have satellite weapons. It is a matter of to play a more active part {Priority One time when conflicts will be from, to to Three} and in space. Integrated cyber and EW capability provides an alternative Integration and Development of and potent option for anti-satellite Concepts for Application of Cyber operations. India must develop this Power for Effective Cyber Deterrence capability at the earliest {Priority One to Three} Cyber power integrated with EW and Kinetic capabilities present exponential • The Internet of Things (IoT) is capabilities in creating deadly and desired another fast developing capability effects. The armed forces must develop for surveillance and cyberattacks in processes and drills for synergetic application the cognitive, physical and electronic in the digital battlefield to have force domains. Interference in IoT-based multiplication effect. {Priority One} applications of major platforms like aircrafts and ships, present a very India needs to build all elements of cyber serious challenge to our systems and power to develop deterrence capabilities, an extremely attractive opportunity for both ‘deterrence by defence and resilience’ offensive tasks {Priority One to Three} and ‘deterrence by retaliation’. {Priority One} • Aircrafts, drones, helicopters and Cyber power is offence dominant and in some classified space assets have essence, a sum of intelligence, technology, highly integrated cyber and EW information sharing, skilled human resource systems capable of both logical and total synergy. Our culture, actions and bombing and remote injunction of policies must reflect these {Priority One} computer viruses. We will have to • Computer Network Operations (CNO) closely examine this capability and are increasingly finding acceptance develop appropriate systems and as an attractive, low cost and low processes for defensive and offensive technology asymmetric option tasks {Priority One to Three} to undermine sovereignty, target • There is a definite requirement for individual leaders and engineer integrating the capabilities and social discord. Accordingly, India resources of cyber and PsyOps, must have the ability to protect her both in planning and execution.

38 Recommendations

Social media, in our context, is a a leadership position in various international very powerful dual-use weapon. initiatives taken at the level of United Nations, While we need to quell false news International Telecommunication Union and propaganda, we must integrate (ITU), regional bodies and autonomous all necessary capabilities by way of organisations like the Internet Corporation language, technology, content and for Assignments of Names and Numbers so on to effectively conduct ‘media (ICANN), Internet Engineering Task Force warfare’ {Priority One to Three} (IETF), etc.

Cyber power can be applied by itself and Diplomatic influence needs to be exerted in cyber-enabled operations in conjunction to secure a leading position in the above with kinetic weapons. Its biggest utility is organisations, both for policy formulation and as a ‘Weapon of Information’ in cognitive for dealing with large-scale cyber interventions. operations and perception management. The armed forces need to be actively • Concepts would have to be developed associated with: for integrated application in accordance • Cyber diplomacy, because as opposed with the Indian Armed Forces doctrine. to overall cyber defence, diplomacy While training abroad is a must, the offers higher potential for conflict de- learnings would have to be transformed escalation, and thus, for developing to Indian requirements. This calls for norms of state behaviour, that needs to a very innovative, mentally agile and be implemented by the armed forces highly skilled human resource {Priority for peace in cyberspace {Priority One One to Three} to Three} • Each Service must have a cyber range • Formulation and orchestration of and a network simulation facility for international norms that would limit regular training. Cyber operations, as disruptive activity by states against part of IW, must form part of every war other states and deter non-state game, the deductions debated and the actors {Priority One to Three} conclusions recorded, disseminated and incorporated suitably in battle • The task force recommends the drills {Priority One to Three} following for furtherance of stated objectives of the Indian Armed Forces Cyber Doctrine: {Priority One to Three} International Engagement and Legal Framework • India needs to play an active and constructive role in international International Engagement cyber diplomacy to pursue national security interests While defence and deterrence are effective in the short-term, cyber diplomacy holds more • Cyber diplomacy should be an promise to contribute towards peace and indispensable component of stability in the long run. India needs to take military dialogue and diplomacy

39 VIF Task Force Report

• The central role of the UN in infrastructure which is within Internet governance and the Indian territory or legal jurisdiction primacy of the state in cyber • Over the entity, person, cyber conflicts need emphasis infrastructure, data and content • International consensus on which is the source of or abettor norms of state behaviour needs of a devastating cyberattack on to be pursued on bilateral and any object or person or cyber multilateral platforms despite the infrastructure based within the failure of UNGGE 2017 jurisdictional Indian cyber territory • Extraterritorial, in accordance with Legal Aspects the international laws, treaties and agreements The environment must be made aware of the provisions of Article 51A, which empowers Establish nation-wide cyberwar fighting the government to enlist qualified manpower processes and procedures as Cyberwar for quick boosting capacity of cyber warriors Standard Operating Procedures (CyWar in case of a cyber war. {Priority One to Three} SOP). These will form the basis on which cyber war games, drills and exercises would Define Indian cyberspace jurisdiction as be conducted and measured. {Priority One follows: {Priority One} to Three} The Indian cyber-physical territory includes, Amend Section 69 of the Information but is not limited to the embassies, the high Technology Act to provide for any situation commissions, the consulates, satellites related to cyber war or defence against cyber and systems owned by the Indian Armed war and empower the concerned defence Forces such as aircraft, ships, submarines, officer to intercept, monitor and decrypt and or any other ground vehicles. It is any information on computer resources. recommended that India may exercise her {Priority One} cyberspace jurisdiction: • Over an entity or a person who is Promulgate a Cybersecurity Act that would engaged in cyber activity on her cover not only various cyber-related crimes, territory offences, forensics and policing, but also, have enabling provisions for cyber war and defences • Over the objects related information against cyber war. {Priority Two} technology located on her territory • India with its significant manpower • Over data and content process over and technical know-how should her territory proactively support weaker nations to • Extraterritorial establish their cyber defences. It will: • Over data or content which is being • Help project India as a reckonable stored processed or transmitted cyber power belonging to the entity or cyber

40 Recommendations

• Prevent these nations from • National Cybersecurity Commission becoming a source of cyberattack (NCSC) {Immediate} on India • Cyber Policy Research Centre {Priority • Prompt these nations to become One} strategic partners in case India • Integrated Cyber Threat Intelligence faces a cyber offensive Centre {Priority One} Cyber forensics plays a critical role in • Indian Cybersecurity Operational cyber war to prove any stand in any court Centre {Priority One} of law, Indian or International. Therefore, it • National Cyber Test Facility {Priority must be an intrinsic part of cyber power in the One} armed forces. {Priority One to Three} • Information Management and Cyber forensics is also necessary for Assurance Agency {Priority One} cyber battle damage assessment and to • National Centre for Cybersecurity recalibrate for the next attack. Cyber forensic Resilience {Priority One} experts must be embedded in cyber forces to meet legal and international obligations. • Cyber Command {Priority One} {Priority One to Three} Policies and Infrastructure The Rules of Cyber Engagement (RoCyE) should be defined for the uniformed forces • Prepare and issue a National Integrated and other cyber forces. To implement RoCyE, Cyber Doctrine {Priority One} there should be a state of alertness/readiness • Establish a National Academy of which must be defined. {Priority One to Three} Information Security {Priority One} • Following ‘State of Readiness’, flags • Revise National Electronic are recommended {Priority Two} Policy-2012 and carry out aggressive • Blue – Normal state implementation {Priority One} • Green – Enhanced cyber • Revise National Cybersecurity intelligence/surveillance by Nation Policy-2013 {Priority One} State/reckonable Non-state actor • Create a formal military-industry • Yellow – Cyberwar likely interface to secure products and software {Priority One} • Orange – Cyberwar imminent • Depute a think tank to lead and • Red – Cyberwar in progress form an Institute of Cybersecurity Professionals {Priority Two} Supporting National Institutions, Policies and Infrastructure • Develop standard operating procedures for executing a cyber war The task force recommends establishment {Priority Two} of the following institutions. Details given in the main paper.

41 VIF Task Force Report

• Undertake a nation-wide cyber war delegation of powers and monitoring at the exercise at least every alternate year highest level. It is surprising that in spite of the {Priority Three} Prime Minister’s clear pronouncement during • Initiate process for formulation and the Formation Commanders conference approval of a Cybersecurity Act in 2014, cyber power development in the {Priority Two} defence forces has been minimal. This calls for introspection and an aggressive mission- oriented approach to remove bottlenecks. Budgetary Assurance The task force has recommended capacity The development of cyber power in building in support of the stated doctrine the armed forces has been sluggish and within 36 months, which encompasses disjointed. One of the reasons is the paucity sanction and transformation to a full-fledged of funds. Consequently, today the country is Cyber Command and recognition of India as vulnerable with regard to information security an emerging cyber power. as compared with likely adversaries. We have to make up for lost time. The availability of The starting points would be the issue of funds, empowerment, delegation of financial necessary government sanctioning letters, powers, carry over of unspent money to an appropriate organisation for project the next financial year, committee-based management, forming a steering committee decision making and pre-audit are some and fund allocation. of the essential factors. The main issue is capacity building in cyber power must have The nominated organisation must have the total support of the government along a director for each of the seven pillars. This with complete assurance of fund availability. would be a tri-service organisation under HQ, IDS and would deliver a quarterly progress As a ballpark figure, budgetary allocation report to the Chiefs of Staff Committee. of Rs 6,000 crores over the next three years, exclusively for building cyber power may be Finally, the task force would like to place made. What is not negotiable is the assurance on record their thanks to Dr. Arvind Gupta, of availability of finance from the highest Director, VIF and Lt. Gen. R.K. Sawhney, PVSM, political authority. {Priority One} AVSM, Centre Head and Senior Fellow, VIF, and the VIF staff for their support. It is emphasised once again that urgent capacity building of Road Map and Action Plan cyber power in our armed forces is a strategic The road map is illustrated in the summary necessity. We hope this report will help the of recommendations, but any plan is only powers that be in quick decision making. as good as its implementation. With regard to developing cyber power for our defence forces, two cardinal principles of ‘System Approach’ and ‘Concurrency’ must be adopted. An action plan must be introduced by different entities through astute project management,

42 PART II

43 VIF Task Force Report

Cyber power is an ideal tool for conducting and to convey cyber deterrence capability. While underdeveloped and developing nations are busy preparing for offensive cyber operations, the developed nations, due to their increased vulnerability, are concentrating on defensive cyber operations with active defence as part of their doctrine. The scenario is, however, changing with developed nations going for credible offensive capabilities, development of cyber weapons and propagating the idea of ‘Cyber Deterrence’.

Section One

Policy and Strategy for Cyber Deterrence through Development of Cyber Power in Indian Armed Forces.

44 Environment Scan

Cyberspace has become a full-blown war Once limited to opportunistic criminals, zone as governments across the globe clash cyber-interventions are becoming preferred for digital supremacy in this new and mostly weapons for governments seeking to defend invisible theatre of operations. Electronic national sovereignty and to project national technologies, Electro Magnetic Spectrum power. From leaking debit card details to and an estimated seven billion people make influencing the US presidential election, cyberspace unique. An increasingly wide cyberattacks have become a significant part range of social, political, economic and of our political and social discourse. military activities depend on cyberspace, The exponential rise of ‘cyber power’ in a making it both a much sought after capability short span of four decades is both amazing and vulnerability. Cyberspace has truly and mindboggling. From cyber-crimes to become a tool for ‘virtual expansionism’, the cyber espionage to cyber terrorism to social only limit being the innovation of people. engineering to cyber war and now cognitive As the Industrial Age gave way to the dimension for the management of human Information Age, the quantity and speed of behaviour, there have been substantial information transfer has grown, as has its enhancements in each of these capabilities penetration into society. This evolution has by way of people, processes, complexity and resulted in physical force being supplemented technology. by additional forces – content and code Technology and organisational innovations (information and computer software) – that over the last few decades have not only can influence all three elements of the fully transformed the nature and character ‘Clausewitz's Trinity’ nearly instantaneously of the battlefield but created the potential and simultaneously. of ‘non-obvious warfare’. Types of warfare The accelerated intertwining of cyberspace that could be conducted in a non-obvious and human activity in recent decades has manner include cyber warfare, , given rise to both a new domain and new form electronic warfare, drone warfare, sabotage, of warfare, which is man-made, is in constant special operations, assassinations and transformation and demands understanding mining, proxy attacks, WMD and intelligence by both civilian and military leaders. It is support to combat operations. Cyber power for the first time that human security is so can influence all these types of warfare and threatened and that puts extra pressure on other war-fighting domains. governance and on organisations chartered The 21st century battlefield is largely with their security. digitised with largescale deployment of

45 VIF Task Force Report

Information and Communication Technologies banking, entertainment and more. Cyberspace (ICTs) in every facet, from C4ISTAR, information has driven changes in the economy and management, weapon systems in all domains domestic politics in many nations, with social that is ground, air, sea, outer space and media helping to change political power. cyberspace down to the individual soldier. Radical ideology and political agendas are being spread globally in near real time. A digitised battlefield has made national borders irrelevant, challenging the very Cyber power is an ideal tool for conducting concept of national sovereignty and is a place asymmetric warfare and projecting cyber where operations are conducted at the speed deterrence capabilities. While underdeveloped of light. Typically, a digitised battlefield will be and developing nations are busy preparing shaped continually by the national doctrine for offensive cyber operations, developed and would remain a work in progress due nations, due to their increased vulnerability, to the rapid march of technology and its are concentrating on defensive cyber consequent impact on the conduct of war. operations. The scenario is, however, We experience that human and international changing with developed nations going for conflicts are entering a new phase in their credible offensive capabilities, development long histories. In this shadowy battlefield, of cyber weapons and propagating the idea victories are fought for with bits instead of ‘Cyber Deterrence’. of bullets, malware instead of militias and Several nations have formed military cyber botnets instead of bombs. commands and many more are considering To understand the application of cyber similar changes to government and military power, it is essential that one comprehend the command organisations. Al Qaeda and its Information Environment (IE), for what moves associated movements (AQAM), Anonymous, through cyberspace is information in the and the Russian Business Network are form of code (software) that gets displayed examples of non–state actors that use the as content on a graphic user interface (GUI). domain for nefarious acts at will. The Islamic The IE could be described as, ‘The aggregate State of Iraq and the Levant (ISIL) is actively of individuals, organisations and systems pursuing military-style cyber capabilities. that collect, process, disseminate or act on Global ICT corporations have equal information across the physical, informational access and vested interests in manoeuvring and cognitive dimensions’. These IE in cyberspace to achieve corporate economic dimensions are inextricably linked, resulting objectives. These corporations also provide in cyberspace operations increasingly being much of the key connectivity necessary for used to manoeuvre in support of both civilian governments and to manoeuvre. and military objectives. They will have to take on the responsibility Militaries and civilians alike now use of providing uninterrupted services with cyberspace operations to achieve objectives resilience. concerning communications, targeting, Cyberspace is thus an ‘integrated civilian navigation (global positioning systems– GPS), and military domain’. Military forces must logistics, training, education, shopping,

46 Environment Scan collaborate with civilian-owned, managed and capacity building in terms of indigenous operated cyberspace elements to achieve ICT technologies, R&D, human resource the desired effects. This interaction blurs the development and public-private partnership lines when military actions begin and end on cybersecurity issues. The salient aspects compared to those of civilian organisations. of this architecture include: • Operationalisation of a National Critical The Indian Scene Information Infrastructure Projection Centre (NCIIPC) India is very vulnerable to cyber interventions due to certain strategic • Establishment of the National Cyber deficiencies, absence of a clear-cut policy Coordination Centre (NCCC) by directive and cyber warfare doctrine; ongoing MeitY for threat management and transformation to digital economy and its information sharing in real time fast pace; inadequate appreciation of the • Establishment of Cybersecurity threats, both internal and external; a cavalier Assurance and Certification Bodies for attitude towards security and law; lack of testing, evaluation and cybersecurity synergy between government organisations audit and private industry, extreme shortage of • Creation of an R&D fund for setting skilled human resources and inadequate priorities for research, indigenisation implementation of policies. Resultantly, India and human resource development has only certain islands of cyber power; grossly insufficient as compared to the threats • Public-Private Partnership on and its national security needs. cybersecurity • Capacity building and creation of India was among the handfuls of nations to 500,000 Cybersecurity professionals promulgate the Information Technology Act in the year 2000 to deal with cyber interventions. The National Security Council Secretariat The same was revised in 2008. Similarly, the (NSCS) coordinates and oversees cybersecurity National Policy on Electronics was issued in issues, including cyber diplomacy. The 2012 and the National Cybersecurity Policy National Cyber Security Coordinator at (NCSP) in 2013. Yet, till a few years ago, well- the NCSC has been entrusted with the co-ordinated and focused efforts towards responsibility of coordinating and synergising cybersecurity were missing, except for the cybersecurity efforts establishment of the Computer Emergency Response Team – India (CERT-IN) and similar According to the National Cyber Security organisations at the state level and the Coordinator, India, by 2020, will face defence forces. increasingly sophisticated ‘destructive’ cyber threats as compared to the ‘disruptive’ attacks India has since adopted an integrated in Indian cyberspace that are currently adding approach and conceptualised a cybersecurity up to 200 million malware-related and 190,000 architecture with emphasis on protection ‘unique’ intrusions in any given week. Coupled of critical information infrastructure, with this is the likely threat from our adversary

47 VIF Task Force Report

which is recognised as an emerging cyber and crypto experts; specialists in information superpower with full spectrum capabilities. management and analysis; intelligence resource for interacting with the underworld/ Surprisingly, the NCSP-2013 does not talk deep/dark web and more; backed by forceful about the creation and application of cyber and determined implementation in a mission power, the role, organisation, equipping and mode due to the extreme shortage of time. training of the Indian armed forces to execute These activities will have to be implemented cyber-enabled operations and cyberwar, concurrently along with spreading awareness leaving a glaring gap in policy with regard to amongst the masses about threats to their national security. In the prevailing environment security, their responsibilities as citizens, of potent threats, direct and indirect in the promoting application of good practices and cyber domain, and the likely degradation cyber hygiene. of our fighting potential, social engineering directed towards causing a perceived failure In pursuance of above, the task force set of governance and fake news, this is a very the following aim: serious strategic deficiency which is required ‘To prepare a roadmap and associated to be overcome without delay. India does action plan for capability building of the not have time as the strategic window is Indian armed forces for cyber deterrence closing very fast. We, very urgently, need to across the full spectrum, commensurate enunciate our national cyber power policy with India’s standing and her security needs, and doctrine, build ‘Cyber Power as a System’ and to integrate the same with the national commensurate with India’s standing and cybersecurity eco-system.’ security needs, and integrate it with other warfighting domains to enhance our national security across the full spectrum of threats. Approach to Capacity Building

This requires strong political will, Before we suggest approaches to capacity total synergy between government and building, let us define ‘cyber power’ as private sector, a dedicated and empowered perceived by us. Cyber power can be defined organisation, assured finance, well-trained and as: highly skilled human resource with attractive • The ability to use cyberspace to create emoluments and a flexible environment, advantages and influence events in all training infrastructure, acceptance of operational environments and across cybersecurity as a government cadre, focused instruments of power participation of private industry, electronic • Cyber power is society’s orga­ manufacturing base and components, nised capability to leverage digital particularly for ‘secure’ products; standards; technology for surveillance, international cooperation including joint exploitation, subversion and coercion exercises and sharing of incident reports; legal in international conflict mechanism; R&D and testing laboratories; centres of excellence for cyber weapons; • Military cyber power can be defined as kill switches and analysis; language, coding ‘application of operational concepts,

48 Environment Scan

strategies and functions that employ is well placed, being the second largest user the tools of cyberspace to accomplish of the Internet globally. India needs to exert military objectives and missions.’ much more in international fora to ensure favourable terms with regard to Internet Seven Essential Factors governance, positioning of hardware and legal Constituting Cyber Power framework. 1. Internet and information technology India woefully lacks in cyber military (IT) capabilities strength when viewed from the perspective 2. IT industry capabilities of threats and capabilities of exploiting this very potent and ubiquitous domain 3. Internet market capabilities: The of warfare. The task force would present size and scale of domestic Internet an action plan and road map to overcome infrastructure is a major push factor this strategic deficiency and acquire cyber 4. The influence of Internet culture: The deterrence capabilities in consonance with reach and penetration of Internet India’s standing amongst the comity of triggering behavioural changes in nations and the threats. Achieving this would people be contingent on having the political will to 5. Internet diplomacy/foreign policy develop capabilities and use them to ensure capabilities: This is a nation state’s our national security and sovereignty. bargaining power For the sake of clarity and uniformity, the 6. Cyber military strength is the ability to task force will lay down essential indicators of defend critical national and military IT cyber power and then suggest a methodology infrastructure from attacks, deterrent for harnessing the same. These are: capability, the ability to conduct • Infrastructure, including networks size offensive operations in cyberspace and and broadband penetration prevent espionage in own networks • A clear international strategy that lays 7. National interest for taking part in out priorities and defends a nation’s cyberspace strategy: To be a cyber right to have a voice on cyber issues power, it is not sufficient for a nation- state to merely possess part or all • Independent technological capabilities. It depends upon the capabilities, especially in operating motive or willingness to use possessed systems and central processing units power. The nation-state’s cyber • The ability to defend networks, be strategy must enunciate theoretical it for national security, economic guidance, behavioural norms, criteria security, user privacy, social stability/ for action and a strategic plan. harmony

An analysis of the above factors indicates • Competitiveness in development of that as far as penetration, infrastructure and software applications and e-commerce culture of the Internet are concerned, India

49 VIF Task Force Report

• Recognition as a credible cyber power 2. Indian Armed Forces Doctrine for capable of influencing decisions application of cyber power and information operations The Prime Minister, while addressing the Combined Commanders Conference in 3. Organisation for cyber deterrence, 2014, clearly stated the absolute necessity of synergy, staffing and adaptation of transforming the Indian Armed Forces into a cyber force digital army in pursuance of the government’s 4. Human resource, training and declaration of ‘Digital India’ as one of its major certification objectives. This transformation has been 5. Technology, R&D, standards and rather sluggish. integrity of data The government, very recently, has 6. Integration and development of accorded approval for the raising of a concepts for effective cyber deterrence Defence Cyber Agency (DCyA). This, at best, 7. International engagement and legal is a half-hearted attempt keeping in mind the framework perceived threats and India’s geopolitical role.

The Task Force recommends that the formation of DCyA be taken as an intermediate step towards the formation of a full-fledged Cyber Formation/Cyber Command in the next three years while concurrently developing capabilities for full spectrum Information Warfare with Cyber Power as one of its major constituents.

The task force has, accordingly, decided that it would follow two clear and concurrent approaches i.e., to concentrate on capability building of the armed forces and integration with the national cybersecurity architecture at a macro level.

Cyber power of our armed forces must be based on the Seven Pillars below:

Seven Pillars for Capacity Building 1. Policy and strategy for development and employment of cyber power

50 Environment Scan

Note: FORMATION vis-à-vis Agency

A ‘Formation’ is an organisation entity in the Indian Army like a Brigade, Division, Corps and Command. There is no organisation like an ‘Agency’. Raising of Defence Cyber Agency is perhaps the lowest in the rung, not well understood, has limited resources and would not be in a position to convey ‘Deterrence’ as stated in the recommended Cyber Doctrine for Indian Armed Forces.

Accordingly, the Task Force felt that while Defence Cyber Agency is a long awaited and welcome measure; it must provide the base for an Indian Cyber Command which must be created within the next three years to effectively respond to the likely and emerging threats.

Since, one is not certain of the government’s likely decision, the report has expression like ‘Formation/DCyA’. Formation conveys the organisation level of cyber power, (cyber brigade/division/corps/command) and is a familiar entity, hence well understood. Recommendations made in the report are equally valid to both, the Formation and Defence Cyber Agency.

Further, the terms convey the long-term applicability and validity of the report as the DCyA transforms to a Cyber Command.

51 VIF Task Force Report

“One should never submit spinelessly, nor sacrifice oneself in foolhardy valour. It is better to adopt such policies as would enable one to survive and live to fight another day.”

– 7.15.13-20,12.1.1-9 Arthshatra by Chanakya

Section Two

Policy and Strategy for Developing Cyber Capability of the Indian Armed Forces

52 Policy and Strategy for Developing Cyber Capability of the Indian Armed Forces

Cyber-enabled armed forces and creation of cyber command are aimed at addressing a critical void in developing India’s fifth- generation warfare capability in a digitised battlefield.

Introduction armed force, capable of creating a secure cyberspace environment and to be a force Within the ambit of Information Warfare, multiplier for conventional operations in other cyberspace has emerged as a distinct domains. new man-made domain. Specific policies, strategies, organisations and techniques are required for operating in this domain, and are Threat Scenario quite akin to those required for operations on India has about 500 million Internet users land, air, outer space and maritime domains. (2018 statistics) and this is likely to increase to 635.8 million by 2021. Internet penetration To evolve a policy for operating in this is a measure of the extent of reliance on domain, a comprehensive review of the net-enabled services by common citizens, threats that can emanate in cyberspace and business, critical information infrastructure, potential targets need to be identified and military and government. In this domain, it a determined response mechanism be put is hard to draw clear boundaries between in place to counter it. Various stakeholders military and non-military users since cyber need to be identified and national level operations go beyond a single domain. Also, organisations evolved for synergising activities cyberspace challenges emanate both from across different departments/organisations. state-affiliated and non-state actors and Thereafter, cyber resilience and deterrence can impact all elements of national power strategies need to be evolved to meet national (diplomatic, informational, economic and security requirements in consonance with military) concurrently through manipulation appropriate domestic and international laws. of data and gateways. A strategy also needs to be worked out to optimise and create hardware and software, Cyber threats manifest in many forms plan future technology development, impart and may result in serious disruption of training, certification and create a pool of government, public and private sector skilled manpower. Being an activity that resources and services – impacting lives, the transcends national borders, an international economy and national security. cyber cooperation strategy is required. India has been amongst the worst- affected countries from global cyberattacks Aim in the recent past. The 2017 WannaCry This chapter aims to evolve a cyber ransomware attack affected about 48,000 resilience strategy and a deterrence-enabled computers. The Stuxnet malware attack in

53 VIF Task Force Report

2010 affected about 10,000 computers in the attack. Even on being detected, a India, some of which belonged to critical reasonable scope of deniability exists infrastructure facilities, including power grids • Neutral (or innocent) third country and offshore oil rigs of the Oil and Natural Gas involvement. Many cyberattacks Corporation. The Nuclear Power Corporation may originate from co-opted servers of India, by its own admission, blocks at least in neutral countries, at times without 10 targeted cyberattacks a day. Closer to the involvement or knowledge of those conventional security domain, Indian security countries. The culpability of such forces regularly confront cyber radicalism countries and the legitimacy of actions from extremist groups who use the web to against them still remains ambiguous spread propaganda, incite violence and plan and carry out catastrophic attacks. • Ambiguity in defining ‘Attacks’. An acceptable definition of a ‘cyberattack’ While India promulgated a National which would justify retaliatory punitive Cybersecurity Policy in 2013 with an integrated action, including physical (kinetic) vision and strategies for implementation, in retaliation, does not exist yet practice, the application of this policy remains • Grey Zone of ‘Cyber Espionage’. dispersed (fragmented) across different Cyber intrusions are extensively sectors. The overall approach has remained used for ‘cyber espionage’, which that of strengthening cyber defence and may be related directly to gathering enhancing survivability. Cyber space has not or be aimed been viewed as a domain for the conduct at industrial espionage, or theft of of warfare. commercial information. Despite such cyberattacks being directed Characteristics of Cyber Warfare against the nation’s military/defence capability, the legitimacy of counter- Some peculiar characteristics of this attacks in the cyber or physical domain domain are: remains suspect • Asymmetric nature of warfare. • Absence of objectives for Cyberattacks can be launched by a retaliation. O r i g i n a t o r s o f much weaker adversary (militarily, cyberattack, even if identified, may technologically and economically), or have no assets or organisational even by non-state actors at negligible interests to be retaliated against. The cost. Also, the positioning of ‘cyber retribution may ultimately need to be attacks’ in the escalatory ladder of in the elementary kinetic domain conflicts still remains ambiguous. • Cross Domain Linkage. Cyberattacks These could well be situated from the against targets in a particular lowest end of the spectrum to upper- sphere may result in cross-sectoral end strategic conflict levels disruption. For example, intrusion • Anonymity. It is difficult and time- into networks controlling critical consuming to identify perpetrators of civilian infrastructure, power grids,

54 Policy and Strategy for Developing Cyber Capability of the Indian Armed Forces

transportation networks and financial Role of Cyber Formation/Defence systems can have national security/ Cyber Agency military implications. No distinction • Defending own computer networks, can generally be drawn between civil platforms and weapon systems and military targets, except those attacks which are directed purely • Defence against foreign origin or against military weapon systems foreign-sponsored cyberattacks, and networks especially if they can cause loss of life, property, or significant foreign policy and economic consequences Military Targets for Cyber Warfare • Synergising cyber intelligence with In a generic sense, information, signals intelligence, Electronic information systems and networks constitute Intelligence (ELINT), Human cyber warfare targets. In the military domain, Intelligence ( HUMINT) and operational these targets can be grouped broadly into the security for a comprehensive following categories: threat analysis in the information • Command, control, communication, warfare domain computer, intelligence, surveillance, • Provide offensive cyber options to be reconnaissance and logistics networks implemented on approval, as force (C4 ISR L) and systems multipliers for other operations. This • Critical information storage systems would include covert operations which may contain classified • Plan and execute cyber deception operational plans, intelligence data, critical technology and weapon control • Recruit, train, retain and periodically data refresh human resource, equip them and be responsible for cadre • Decision support and fire control management systems • Be a part of military diplomacy and • Navigation and guidance systems of exchange of information with friendly complex platforms like aircraft, ships, nations, joint training and integrated missiles, drones and precision-guided approach for Internet governance, munitions legal framework and favourable • Assets in outer space and their policies supporting infrastructure on earth • Effective liaison with civilian • Exploiting the cognitive domain aimed counterparts for policy making, at change in behaviour and undermine processes, exchange of information the morale of combatants through and ensuring interoperability of well-orchestrated systems campaigns and perception management activities

55 VIF Task Force Report

• Establish suitable organisation through effective predictive, preventive and for information assurance and protective, response and recovery actions. management These functionalities have been announced • Create system and infrastructure for in the NCSP-2013. The Cyber Formation/DCyA training, laying down of policies and must be integrated with these organisations processes for offensive tasks and deception. Information must be shared with complete transparency • Establish technology research facilities on a real-time basis to ensure synergy and by the Services and jointly with the delivery of requisite effects. private sector • Ensure requisite budgetary support and Cyber warfare enabled armed forces and effective liaison with other agencies, Cyber Formation would provide a dedicated, academia and R&D establishments trained and equipped military organisation to execute all operational aspects in this Policy for Creating Cyber Warfare domain. Cyber Formation/DCyA would work Enabled Armed Forces in concert with the cyber organisations of each individual sector/department, including IT systems are used in all spheres of the three Services. national activity, including in the armed forces. All sectors remain responsible for This organisation would be responsible creating a robust and secure system within for the conduct of cyber support operations, the guidelines contained in the National including intelligence collection, collation, Cybersecurity Policy-2013 and regulations analysis and dissemination, cyber deterrence, that may get included in future and the Data formulation of prioritised cyber target lists Protection Law. of potential adversaries; plan and execute retaliatory offensive operations; conduct For the present, the overall organisational testing and certification of hardware structure for managing cybersecurity at the and software; assist in development of national level would remain under the National indigenous technologies and weapons Security Adviser and the National Cybersecurity including cryptology and cryptoanalysis Coordinator. The Indian Computer Emergency related tools; conduct training and cyber Response Team (CERT-IN) and the National exercises; and management of international Critical Information Infrastructure Protection cyber cooperation. Centre (NCIIPC) would perform the primary functions of managing protection and Cyber Formation/DCyA would also need resilience of the nation’s critical information to have a robust legal component to ensure infrastructure. These agencies, in close that operations are conducted in accordance coordination with the National Technical with the rules of engagement that comply Research Organisation (NTRO), would also be with international and domestic laws and responsible for obtaining strategic information that enough legal justification exists for relating to ICT infrastructure threats and transcending to physical conflict (Kinetic evolving a crisis management mechanism offensive action), should it become necessary.

56 Policy and Strategy for Developing Cyber Capability of the Indian Armed Forces

Cyber Formation would be responsible be responsible for specific military aspects, for planning and conduct of Cyber Offensive as given above. Notably, it would also be the Operations, deception and cyber exploitation only organisation within the country to be particularly related to likely targets, vulnerability authorised, equipped and trained to conduct assessment, probing missions, penetration offensive cyber operations including those testing and exploitation of adversary’s networks. related to strategic intelligence and deception. It will be responsible for complete information Enforcing Implementation of management and information assurance. Cybersecurity Policy. The Cybersecurity Organisation will be responsible for formulating Strategy and promulgating information security The strategy for creating and policies, while the Cyber Formation would operationalising cyber-enabled armed forces be responsible for enforcing compliance. It (DCyA/Cyber Formation) should be based on would also be responsible for testing and the following factors: validating all software and hardware to be used, particularly in critical areas. It should Creation of an appropriately ‘situated’ also be responsible for setting up facility and ‘constituted’ operational formation for for examining and certifying all hardware all aspects of ‘application of cyber power’ procured/manufactured. including cyber warfare. Evolving Rules of Engagement. Time- The organisation will address issues in the critical detection, identification and retaliation military and civil domains, including critical necessitates formulation of legally tenable and infrastructure within the overall national robust rules of engagement for responding cybersecurity organisation as evolved through to cyberattacks. Launching of counter- the National Cybersecurity Policy. It must be offensives would be a command decision synergised with all other ministries, significant based on necessity, appropriateness and R&D organisations and strategic industry. proportionality of response. Commanders The onus of overall coordination and specific would determine the appropriate level in war tasking along with a delegation of appropriate or peace. Responsibility and authority would operational and legal authority would, be vested in the Cyber Command. however, rest with the National Cybersecurity Contingency Plans for ‘Degraded Coordinator for the present. Operations’. Despite robust cyber defensive Delineation of Responsibilities. The measures, penetration of cyber networks primary responsibility of cyber defence, cannot be ruled out totally. The Cyber including that of the existing governance Command would need to evolve and rehearse networks (.gov /.nic) would rest with respective continued execution of operations in different ministries, departments, organisations and spheres, albeit with degraded capability. industry. Similarly, the Army, Navy and Air Manual or standby infrastructure, operating Force would be responsible for their basic procedures and manning staff would need cybersecurity to include cyber resilience and to be planned for as part of operational defence in depth. The cyber command would contingency.

57 VIF Task Force Report

Training. The National Cybersecurity than adhering to the Defence Procurement Policy has envisaged training of approximately Procedure (DPP). 500,000 personnel in a time span of about five years (commencing 2013). The Conclusion Cyber Command would need to assume responsibility for imparting specialised The cyber domain has inseparable training aimed at creating superior military linkages between the civil and military capabilities in cyberspace. Some of this spheres. Cyberattacks directed against training may have to be conducted through government, critical infrastructures, economy, public-private participation by incorporating military, industry and so on, have cross- technology majors. The Cyber Formation domain implications. The peculiar nature of would also be responsible for establishing attacks, with inbuilt anonymity, deniability simulator training, and for setting up and and legal implications of defining the nature managing the National Cyber Range. of attacks make cyber defence and retaliation a complex phenomenon. While the country Outsourcing and TAisation of Cyber has developed cybersecurity capability, this Organisations. Due to the peculiar nature of sphere has not yet been addressed as a cyber operations, the Cyber Command would domain of specialised asymmetric warfare. need to be structured and empowered to selectively outsource operations. Alternatively, Cyber-enabled armed forces and the it may also resort to employing select creation of a Cyber Command is an endeavour embodied personnel (akin to Territorial to address this critical void in developing Army [TA] battalions). This would provide India’s fifth-generation warfare capability in a an opportunity for inducting personnel with digitised battlefield. proficiency in contemporary cyber technology and the benefit of deniability (anonymity).

Evolving Cyber Technology Perspective and Capability Road Map. Cyber Formation with cross-domain and international linkages, including with the IT industry and R&D organisations, would be best suited to carry out perspective planning for the IT and cyber domain in the overall context of information warfare. It could also be used as a single point contact for equipment acquisitions, which are time-consuming and result in acquiring of equipment with redundant/ outdated technologies. Also, in case of cyber warfare equipment, the acquisitions be made as applicable for strategic systems, rather

58 ‘Doctrine is indispensable to an army. Doctrine provides a military organisation with a common philosophy, a common language, a common purpose, and a unity of effort’.

– General George H. Decker, 1960

Section Three

Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations

59 VIF Task Force Report

India needs an ‘Integrated National Cyber Doctrine’ developed jointly by the civil authorities and the Armed Forces with ‘Cybersecurity’ aspects dealt with by the civil authorities and ‘Cyber Power’ by the Defence Forces.

This doctrine may be read in conjunction ‘Enable required degree of self-sufficiency in with the following documents: defence equipment and technology through • Joint Doctrine Indian Armed Forces indigenisation to achieve the desired degree 2017 of technological independence by 2035.’ • Joint Training Doctrine Indian Armed This probably presents the biggest Forces 2017 challenge, given the present state of the domestic defence-industrial complex. • National Cybersecurity Policy (NCSP) 2013 The doctrine is a bold announcement. It • National Policy on Electronics (NEP) talks about the TRIAD of Cyber, Space and 2012 Special Forces. The government has approved very recently the raising of a Defence Cyber • Information Warfare Joint Doctrine Agency, a and a Indian Armed Forces Special Forces Division. The real challenge • National Policy of Digital now is how quickly we can operationalise Communications these organisations and integrate them with Though not promulgated in the public the comprehensive national power. It must domain, one would like to believe that two be appreciated that in the digital battlefield seminal documents – the National Security of today cyber power would be central to any Policy and the National Security Strategy exist capability for ‘credible deterrence’. in some form. All three services have their India needs an ‘Integrated National respective doctrines and the latest is the Joint Cyber Doctrine’ developed jointly by the civil Doctrine of the Indian Armed Forces-2017 and authority and the armed forces with cyber the Joint Training Doctrine-2017. security aspects dealt by the civil authorities The Joint Doctrine states that conflict and cyber power’ by the defence forces. will be determined or prevented through In the absence of a National Cyber a process of credible deterrence, coercive Doctrine and keeping in mind the threat diplomacy, and conclusively by punitive landscape, both present and emerging, destruction, disruption and constraint in a the task force recommended the following nuclear environment across the spectrum national cybersecurity architecture and kinetic of conflict. capabilities: Another important pronouncement • The employment of cyber power is under the ‘National Military Objectives’ is: subject to long-standing political,

60 Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations

economic, and military considerations • Cyberattacks are launched at the speed – one of which is the need to minimise of light. Hence, cyber defence has to unintended and costly conflict among be proactive and largely automated the parties involved • Cyber power is ‘Offence Dominant’ • States have become more skilled in and demands complete synergy. It employing these instruments over must be so deployed the past decade and have developed In the light of above-stated considerations, increasingly complex means with the task force studied existing cybersecurity which to exploit vulnerabilities architecture, the gaps by way of strategic • Cyber power is fast graduating from deficiencies, level of integration with other a disruptive to destructive component instruments of power, organisation at the with exponentially increased potency national level and the cyber readiness of our when integrated with EW and kinetic armed forces. The conclusion was that while power. Coupled with its ubiquitous the awareness, resources, organisation and nature, it is capable of altering the limited infrastructure for cybersecurity existed military balance on the ground and some activities were • Non-state actors, ‘lone wolf’ and ‘insider being undertaken, there was a glaring gap in threats’ along with the anonymity the cyber power capabilities of our defence of the attacker add another very forces. Given the threats and the digitised challenging dimension to the threat battlefield, it is a strategic deficiency that landscape, necessitating international could seriously impact our national security cooperation and complete synergy of and therefore needs to be addressed urgently own capabilities in ‘Mission’ mode.

• Many states, in their doctrines, The situation is time critical. We have have declared their right to respond to promulgate our cyber doctrine and build with conventional military means to capabilities, which in view of galloping cyber threats and the operational technology and related threats will remain a requirement of cyber deterrence to ‘work in progress’. The task force has taken reduce chances of conflict and to a roadmap of three years and hopes that promote alterations, enhancements and revisions • Cyber espionage has become a major would be done through constant monitoring source of intelligence, discovering to keep them relevant. of vulnerabilities, proving of cyber weapons by probing attacks, and Indian Armed Forces Cyber Doctrine providing content for disinformation and perception management. Its Application of cyber power either on its importance can be gauged from the own or in conjunction with other constituents fact that nations are launching cyber of power will be decided by the CCS keeping espionage campaigns in mind the overall threat scenario, the impact on national security and response needed to

61 VIF Task Force Report

a given situation. The task force recommends Defence in depth is the coordinated use of that the following situations would warrant multiple security countermeasures to protect use of cyber power either by itself or the integrity of the information assets in an integrated with other instruments of power: enterprise ... Defence in depth minimises • Any cyber intervention which adversely the probability that the efforts of malicious impacts the availability of India’s hackers will succeed. critical information infrastructure Active Cyber Defence (ACD) means acting would attract a punitive response in anticipation to oppose an attack involving through conventional military means, computers and networks. Cyberattacks can including use of cyber power be launched to repel an attack (active defence) • Any cyber probing mission resulting or to support the operational action. in loss of a platform, manned or This doctrine would form the basis for autonomous, will be considered as developing full spectrum cyber power in an act of war and attract a response the armed forces which would comprise of accordingly cyber-crime investigation including cyber • Exfiltration of sensitive information forensic, counter cyber terror operations, having an adverse effect on the cyber espionage, cyber defence in depth economy, financial system, defence, with particular emphasis on platforms, cyber security, atomic infrastructure and offensive, cyber deception and cyberwar, strategic industry would draw a strong either by itself or in conjunction with EW and and focused response in whatever kinetic means. manner India deems fit Development of processes and capabilities For the purpose of cyber deterrence and for employment of cyber power in different application of cyber power, both civil and operations and training of cyber leaders military assets would be considered as one. must be the top priority. While areas of However, subsequent to clearance by the responsibilities between the civil authorities nominated authority, the conduct of cyber and armed forces must be defined clearly, the offensive operations and cyber deception absolute necessity of information exchange, would be the prerogative of the armed forces. integration of capabilities, joint training and development of mission-oriented cyber In view of the above, the Indian Armed weapons and so on should be emphasised Forces Cyber Doctrine would be: clearly. ‘Multi-layer Resilience with Active Defence and Deterrence’ Organisation and Adaptation of or Cyber Force A dedicated organisation tasked with the ‘Defence in Depth, Active Defence and raising and operationalisation of DCyA, suitably Deterrence’ empowered and with assured budgetary support would be central to building requisite

62 Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations capabilities. The implementation would be Human Resource, Training and done in two parts concurrently and monitored Certification by the COSC periodically. The exercise of cyber power is dependent In Part 1, we would enhance the entirely on the skills of the operator at the capabilities at each Service and raise DCyA tactical level as he is the ‘man behind the as an umbrella organisation responsible for gun’. At the operational and strategic level, training, equipping, fielding, infrastructure, we need cyber leaders adept in planning integration and information management. and conducting of cyber operations, both in standalone and integrated applications, in In Part 2, which would be implemented conjunction with IW and kinetic power. concurrently, we will recommend the methodology for integration of cyber power This is an extremely critical area. The with cyber security architecture at the macro NCSP-2013 had set the aim of producing level, and command and control for ensuring 500,000 cybersecurity Experts in next five least turbulence in implementation and yet years (2018). Presently, according one of the be flexible enough to adjust to new threats estimate there are only 1,50,000 such experts. and technologies. There is an additional demand of half a million people with requisite skills. The country needs to build thought leadership and weave together India’s A very tall order but doable with innovation potential to create cyber power across the full and out of the box approach, change of spectrum under one organisation, empowered working culture, attractive provisions with appropriately with complete responsibility, regard to pay and allowances, creation of accountability and budgetary support. an appropriate cadre with multiple avenues for growth, promotion channels, recognition One of the suggestions is to establish a and status backed by concentrated training, National Cyber Security Commission (NCSC) acquisition of skills and chance of location – a fully empowered body under the Prime across the globe. Minister, with its own department, on the lines of the Space Commission and the Atomic The armed forces must ensure 100 Energy Commission. Headed by a minister percent computer literacy in the next three rank person, it would have two operational years which must include ‘Good Practices’ heads, one to handle the civilian aspect i.e., and ‘Cyber Hygiene’ to be followed by all. cyber security and the other who would be Computer awareness, literacy and aptitude responsible for development and exercise of must be reflected in the appraisal which could cyber power by the armed forces. form the basis of re-training and selection of cyber warriors. At the macro level, the NCSC would carry out requisite organisation transformation Availability of cyber warriors and cyber and be responsible for ‘Adaptation of Cyber leaders across multiple skills which constitutes Forces’. cyber power is an extremely critical factor and perhaps the biggest challenge. The

63 VIF Task Force Report

armed forces will have to adopt a multi-level • Multi-level cyber security should be approach and concurrent execution. Following introduced as a topic for graduation, may be considered: postgraduate and doctoral studies in • Establish world-class training facilities the Indian academic institutions along with the industry and academia to • Special care and emphasis must be impart training with curricula for different given to select people for Computer levels and highly qualified faculty Network Exploitation (CNE). They • Select/recruit younger jawans/sailors/ must be trained specifically in airmen with necessary qualifications different languages, information and aptitude for ICT and computers assurance, big data, analytics, co- and put them through a rigorous relation, AI, cryptanalysis, code training capsule of three to four months breaking, blockchain, analysis of designed by experts to concentrate on ‘kill switches’, patch management, Computer Network Defence (CND). network management systems and The brightest amongst these should designing of both disruptive and be listed for training in Computer destructive cyber weapons Network Attack (CNA) after a tenure • Emphasis must be on correct of two years in the field. This training recruitment, training, retention and could be outsourced to corporate or re-training. Rules must be flexible academic establishments. A number and focused on attracting requisite of such courses can be conducted resource. Some degree of relaxation simultaneously on a zone/region basis in regimentation and working • While we must exercise this option of environment would be in order outsourcing, the armed forces must • An extremely important aspect of have training facilities of their own to training would be the development of impart military training and system an offensive sprit, the agility of mind integration with IW and KE assets and mental robustness to withstand • Select limited batches of M.Tech. cognitive attacks aimed at behavioural qualified officers and send them to change, perception management and different countries like Israel, UK, lowering of morale USA, South Korea, and Russia for • Explore organisations like NCC, NSS, training in different aspects of cyber ACC, and Police Cadets to provide warfare, participate in field exercises young, motivated and disciplined and develop processes and drills for resource for recruitment in the Cyber employment of cyber power in the Warrior cadre. All these organisations Indian context. These officers will must have cyber wings which would form the nucleus in accordance with be a nursery to meet partially the the concept of ‘Train the Trainers’. requirements of cyber operators and They will also form the backbone of cyber warriors cyber leaders

64 Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations

• Raise at least one Territorial Regiment in Technology, R&D, Standards and each Command capable of conducting Integrity of Data all types of cyber operations, particularly CND and counteroffensive As far as cyber security and cyber power and detaching Integrated Teams in are concerned, the absence of network support of operations technology, products and systems, electronic manufacturing industry, Indian standards • The launch of cyber offensive and for secure products, foundry for producing cyber deception would be the chips; limited crypto and cryptanalysis responsibility of the Cyber Formation. capabilities and very limited resource for Accordingly, at least 10 integrated system integration are some of the strategic teams will be created in three years deficiencies with a direct impact on India’s on an incremental basis ‘Technological Sovereignty’ and present • As part of ‘Crowd Sourcing’, create serious vulnerabilities as far as cyber power an organisation like ‘Institute of is concerned. These are essential and Cybersecurity Professionals’, select fundamental pre-requisites for cyber power a highly qualified resource from and need immediate attention. corporate, academia and R&D Some of the major deficiencies were to establishments ‘on call’ to assist be addressed by the implementation of the during crises. Initially, they could be National Electronic Policy (NEP) – 2012. The invited to contribute in the formulation policy needed to be revised in the light of a of strategy and assist in the capability push under the ‘Make in India’ programme and build up integrated to meet the requirements of both • Involve Indian diaspora for technology, cyber security and cyber power and made training, investments and setting up more attractive for people ready to invest. R&D facilities The policy must concentrate on production • The armed forces must immediately of secure products and systems, their establish an Academy of Information integration with expertise in ‘engineering to Operations and Management with production’, based on Indian standards for dedicated wings and facilities for information security and secure products, which training in the employment of cyber are about to be released. Special emphasis power across the full spectrum. This must be put on the design and availability of must be independent of training ‘secure industrial control systems’. facilities of the Services and must concentrate on advanced training and Given the fact that semiconductor chip strategy with requisite participation of manufacturing foundries are very capital the civil sector both in the faculty and intensive with still longer gestation period, it as trainees. may be a good idea to hire the facilities abroad in the interim. That would compress the time frame for development of skills and be cost- effective, while concurrently, we establish own

65 VIF Task Force Report

facilities. This approach would mitigate the risks It is for consideration if an ‘Inspector due to supply chain vulnerabilities to a large General, Cybersecurity’ should be appointed extent, especially in case of critical systems. with a small team of experts like Directorate of Air Staff Inspection (DASI) of the Indian Air India being the fastest growing Internet Force, to oversee cybersecurity of platforms and smartphone market carries substantial and weapon systems during peace and clout. She must use that for getting favourable field exercises. terms with regard to the integrity of chips, the responsibility of the supplier in case of malware, cyber insurance and fastest delivery R&D for Secure Products Development of patches/kill switches with a penalty for and Cyber Weapons delays and setting up joint inspection facilities India needs focused R&D in the for chips, products and systems. development of safe products, discovery and analysis of vulnerabilities, fixing attribution, These should be an integral part of the the design of ‘kill switches’ and security contract document and would be easier to patches, creation and analysis of malware, incorporate if manufacturing is being done production and delivery of cyber weapons; in India. and concentrate on capability building for Energise the ‘Make in India’ programme electronic combat as part of IW. and encourage start-ups and SMEs to work The Indian Armed Forces must have the on secure software, products and systems. most modern means and capabilities for cyber Some of them have done well, exported their exploitation, technical intelligence, cyber products and established joint ventures. deception and launching of probing attacks. Military orientation in these cases should be In addition, depending on the knowledge relatively easy and must be explored. of vulnerabilities, it must develop cyber A formal military-industry interface and its weapons both for causing disruption and association with design and manufacturing destruction. This necessitates R&D efforts in agencies is necessary. the development of critical technologies and their engineering into production. We must have a WESEE-like organisation in all three services to start with and later in Sharing of intelligence between the selected commands. civil and military as also the launch of cyber weapons if the situation warrants, is a must Integrated Teams must carry out a regular and should be ensured through a statute if audit of platforms, weapons, systems and necessary. software to find vulnerabilities and how to close those. The manufacturer must be Ensuring correctness of information made an equal partner through a well-drawn and integrity of data are absolutely critical contract and be responsible for ‘availability’ of requirements along with regular surveillance systems, regular inspection for malware and for any ‘Insider Threat’ of sabotage, stealing release of patches to nullify any vulnerability technology or exfiltration of data. or accommodate change in technology.

66 Indian Armed Forces Doctrine for Application of Cyber Power and Information Operations

Policy should be clear about options and maritime, cyberspace and outer space, methodology for the acquisition of technology towards optimisation of costs and enhancing which should include R&D, manufacturing, readiness. It does not imply physical and availability of human resource with integration. requisite skills. The foremost task of Cyber Formation/ There is urgent requirement for DCyA would be to ensure that integration is infrastructure like a cyber range, networks embodied across all functions – operations, for simulation and making of cyber weapons. intelligence, technology management, perspective plans, logistics, and human Integration and Development resource development (HRD). Such an of Concepts for Application of embodiment enables common understanding Cyber Power for Effective Cyber leading to efficient and optimised responses. Deterrence Cyber Formation/DCyA would also jointly Key facets of any , formulate processes for collaboration with particularly in the digitised battlefield of the diplomatic, economic and information today, are intelligence, sharing of information, instruments of the national power, at all levels synchronisation and integration of various – strategic, operational and tactical. elements of combat power so that their An integrated approach comprising effects complement and reinforce each other proactive engagement and shared to achieve a quick and decisive victory with understanding would be developed to bring least cost to life and material. distinct professional, technical and cultural The current generation of warfare supports disciplines of entities and sub-entities information operations and is characterised by together. a blurring of lines between war and politics, The capacity buildup of cyber power would combatants and civilians. Simply put, it is a depend on what are appropriate mission sets, war in which one of the major participants targets and spheres for operations. Based on may not be a state, but rather a violent non- these, the armed forces will work out tactics, state actor or non-state actor sponsored by techniques, procedures and authorities in a state. cyber space for military operations. Conceptually, joint and integrated Application of cyber power is generally operations imply enunciation of the ‘ways and done in four areas namely intelligence, means’ of conducting Integrated and Joint technology, logistics (human resource with actions with a singular aim of synergising and requisite skills, training, training infrastructure) enhancing the warfighting capability of joint and command and control. It is a 24/7 activity service components. carried out in the following manner, namely: ‘Integration’ in contemporary military • Business as usual – defacing websites, matters implies integration of ‘processes’ disruption and denial across all operational domains of land, air,

67 VIF Task Force Report

• Information Operations – cyber The armed forces must have resources for espionage, social engineering, cyber forensic and investigation of cyber- perception management (Mainly crimes. These could be add-on resources in Disruptive) the current legal department of the Services. • Attack on Critical Information Leaders must be conversant with the IT Act Infrastructure (CII) and information 2000 as amended in 2008. They also should assets (Destructive) be aware of the organisation for Internet Governance, ICANN, Tallinn Manuals and UN While cyber logistics has emerged as a laws/deliberations on cyber war and cyber new field requiring expertise and attention, interventions. cyber deception is an essential capability in cyber warfare. As far as the budget is concerned, one can only make some assumptions. A ballpark ‘Electronic combat’ with integration of figure of 6,000 crores over three years CNO, EW and EM Spectrum has taken IW to exclusively for capacity building of cyber a new level and has provided unique capability power in the armed forces may be considered focused on the exploitation of asymmetry. as the budget estimate. What is important and not negotiable is the assurance of availability International Engagement and Legal of finance from the highest political authority. Framework

Nature and characteristics of cyber space demands international cooperation by way of exchange of information, technology development, training and an appropriate legal framework to ensure cyber security and the right of safe navigation and passage in cyber space.

While India has signed several bilateral, regional and multilateral agreements for cooperation in cyber space, special efforts would be required for armed forces training, participation in exercises, military diplomacy, sharing of information of military value, joint development of technology and a common voice in the formulation of laws/policies. Such agreements with friendly countries can help ‘leap ahead’ in capacity building and hence must be given impetus at the highest level. The positioning of cyber experts in our missions abroad is strongly recommended.

68 Each Service must ensure availability of cyber qualified resource at the unit/ship/squadron level under a nominated Cyber Security Officer/Chief Information Security Officer (CSO/CISO), chartered with responsibilities for training, creating general awareness, information assurance, regular monitoring of possible threats, readiness of the establishment for cyber resilience measures and ensuring that cyber hygiene and other good practices are complied with at all levels.

Section Four

Organisation for Cyber Deterrence, Synergy, Staffing and Adaptation of Cyber Force

69 VIF Task Force Report

The organisation involves the provision logistics development and infrastructure for of dedicated and appropriately skilled training, besides establishment of laboratories human resource, infrastructure, training and and release of funds. necessary equipment/systems in accordance with the policy and doctrine. In short, it The task force recommendation is based implies the establishment of a cyber power on policies and processes promulgated by eco-system. the Cyber Formation/DCyA, wherein, each Service provides resources, manpower, basic While each Service has established training, including infrastructure and logistics, some capabilities, there are no guidelines or for capacity building to provide necessary policy formulation. Resultantly, an integrated resilience against threats envisaged. approach is lacking. There is a lack of synergy, transparency and organised development of There is an urgent requirement of creating cyber power. The organisation is fragmented awareness of cyber threats, their impact because of ambiguous command and control, on all areas of our existence and the ability and therefore, there is ad-hoc responsibility of cyber weapons to cause disruption and and accountability. destruction almost equivalent to WMD (mentioned above). Commanders have to be There is an acute shortage and uncertainty sensitised to threats in the digital domain. of finance, with each Service fighting for They must overcome misconception with their perceived share. There is very limited regard to cyber power being ‘technical’ and interaction amongst the Services, both at the concentrate on development of cyber power working and policymaking levels. Exchange and its application for cyber resilience and of information is not formalised, thereby, offensive operations defeating the basic tenet of synergy essential for cyber resilience. There is a shortage of Formation and unit commanders/ skilled manpower, training facilities, system equivalent must ensure that the work and integrators and cyber leaders. responsibilities of cyber personnel are given due importance and recognition they deserve The first and foremost task of the Cyber and that they are dealt with professional Formation/DCyA would be to release a dignity at par with other fighters. document detailing the cyber power eco- system for the armed forces, capacity building Each Service must ensure availability in each Service and integration at DCyA of cyber-qualified resource at the unit/ headquarters. ship/squadron level under a nominated Cybersecurity Officer/Chief Information The DCyA would coordinate, issue Security Office (CSO/CISO)), chartered with necessary policies, ensure creation of suitably responsibilities for training, creating general empowered and integrated organisations on awareness, information assurance, regular the ground, the release of funds, availability of monitoring of possible threats, readiness skilled manpower and training infrastructure. of the establishment for cyber resilience These organisations must have measures and ensuring that activities as government sanction to facilitate cyber part of cyber hygiene and good practices

70 Organisation for Cyber Deterrence, Synergy, Staffing and Adaptation of Cyber Force are in order and complied with at all levels Institute a Cyber Cadre with immediate (mentioned above). effect with flexible construct and less regimentation. Special attention must be given to the use of social media and look out for any ‘insider Tap organisations like NCC, ACC, NSS and threat’ during the periodic, but random audit. Police Cadets for getting younger, disciplined Surprise audits and checks must be instituted and motivated resource. by the empowered team from the respective As part of intelligence acquisition and Service Headquarters/DCyA. monitoring, recruit requisite resource to DCyA must formulate parameters for operate in and monitor dark web and deep measuring a ‘Cyber Security Index’ (CSI) of web. This capability and task could be given a unit/organisation and communicate the to Military Intelligence and other intelligence same to all concerned. Measurement of CSI set ups at the appropriate level. will be part of the annual inspection of the Recruit, train and deploy ‘cyber modules’ establishment. A score below the required and ‘lone wolf’ operatives for strategic threshold will invite special measures to be intelligence and special tasks. indicated by the DCyA. As part of ‘crowd sourcing’ raise a special Each Service Headquarters will ensure TA unit consisting of experts in cyber-related that necessary training and infrastructure skills. They can be deployed on special tasks are available for the men to prepare for and as part of crisis management either Certification Tests to be conducted by DCyA directly or as part of concerned CERT. or other nominated agency. Create an ‘Institute of Cyber Professionals’ Cross-domain training and exercises to draw volunteers and as a possible resource involving persons from each Service and for CND and CNA tasks. DCyA must be done regularly. Actions to obviate the flaws, particularly related to the discovery of vulnerabilities must be Organisation for Capacity Building in undertaken on top priority and a record Cyber Deterrence maintained. All concerned must be informed and data be maintained in the nominated data Indian Army centre, thus ensuring its integrity. A quick analysis of the role, equipment There is a strategic, inescapable and profile and human resource of the three urgent requirement of a ‘Directorate of Services would show that the army’s major Information Assurance and Management’ to vulnerabilities lie in its manpower and the be formed immediately at the tri-service level C4ISR assets, including sensors and to an with its nodes at each formation/equivalent extent in weapon platforms. The adversary connected with fully secure and high-speed will make efforts to collect intelligence by all data links connected further with the data means like HUMINT, ELINT, SIGINT, MASINT, centres established by each Service. OPSEC and OSINT with the aim of attacks

71 VIF Task Force Report

in cognitive and Electronic Warfare (EW) Indian Navy domains. These present a strong challenge India has a vibrant Blue Economy to our defences. based upon maritime trade, mercantile The organisation must have capabilities marine vessels, port activity, offshore oil to be able to handle adversary’s efforts in and natural gas exploration and associated EW, perception management and attempts networks of evacuation pipelines, undersea to change human behaviour by cognitive communications cables and so on. Peninsular warfare. Also, connectivity from sensors to India’s vast coastline is dotted with 12 major shooters as indeed the working of sensors and over 200 other ports. It has an Exclusive and weapons themselves must be ensured Economic Zone of over 2,172 lakh square through resilient networks, regular hardware kilometres. All these national maritime assets and software maintenance and highly skilled require protection from interference during manpower to maintain fighting potential and peace and during hostilities. These fall into avoid the feeling of isolation for that would two distinct classes: aid cognitive attacks. (a) Civilian/economic and Such a scenario dictates that the army (b) Military, i.e., Navy and Coast Guard must be organised, equipped and trained for Information Warfare and must have Civilian/Economic Maritime Assets. The integral capabilities to thwart electronic/cyber International Maritime Organisation (IMO) interventions, launch offensive operations at has promulgated a series of advisories the tactical level and provide a launch pad to containing guidelines for cyber security, the DCyA teams for offensive CNO. most significant and comprehensive ones being Guidelines on Maritime Cyber Risk The Indian Army needs to balance its Assessment (5 July 2017) and Guidelines on obsession with kinetic energy systems Cybersecurity on Board Ships (December with the absolute necessity of ways and 2017). Their implementation on all vessels means for ‘Electronic Combat’ (IW+EW+EM flying the Indian flag must be ensured and Space) for that is the most likely threat that audited periodically by a dedicated and manifests 24/7. empowered organisation. The task force recommends that Navy and Coast Guard Assets. Exclusive necessary measures for ensuring CND Navy and Coast Guard seagoing and shore- should be available at all levels of command based assets including ships, aircraft, and integrated cyber, IO and EW organisation submarines, harbours, dockyards, air bases, at the formation level. Information Warfare refuelling facilities, armament and stores brigades with specialised units in the cyber depots, shore-based surveillance and coastal domain, EW and IO should be on the ‘Order defence weapons all need to be protected of Battle’ of a Corps to begin with. from cyber intervention by state and non- state actors who not only seek to disrupt the national economy but also to degrade the

72 Organisation for Cyber Deterrence, Synergy, Staffing and Adaptation of Cyber Force fighting capability of naval warfighting assets The Indian Navy’s Cyber Agency and the of all kinds. ’s Cyber Agency would be responsible for implementation of the Action Organisational and technical arrangements Plan, including training and maintaining skilled must be in place separately for civilian manpower, inspection and enforcement and military requirements up to a certain of maritime cyber security standards and level, beyond which they must grow into a providing respective CERTs and Cyber QRTs. congruence at the top of a pyramidal maritime cyber security hierarchy. There would be corresponding cyber security professionally manned billets at Distinct Roles for Indian Navy the levels of Navy Command and Fleet Headquarters, and at Regional Coast Guard The Indian Navy would have overall Commands. These organisations would also responsibility for maritime cyber defence in have designated Command-level CERTs, its area of jurisdiction and would provide a appropriately trained and staffed. firm base for cyber offensive operations to the DCyA. The WESEE would develop cyber expertise to become the technical cyber advisor An empowered Coast Guard would to develop the cyber-secure framework, be responsible for cyber defence of all including for Internet of Things (IoT) and issue shore establishments and for periodic audit relevant guidelines for implementation and of compliance with standards, policies inspection of cyber-secure naval equipment, and processes issued by DCyA and Naval including naval propulsion and engine control Headquarters. The status and non-compliance systems. will be reported to the DCyA and Naval Headquarters. WESEE would guide the Director General of Naval Design (DGND) on design, inspection, development, manufacture, installation of Proposed Organisational Hierarchy connected onboard sensors and weapons of Cyber Formation/Defence Cyber Agency all naval vessels i.e., from design to delivery would be the apex body to oversee all and subsequent operationalisation. WESEE aspects of capacity building of cyber power would provide this service to the Coast Guard for the maritime domain in coordination with also. established institutions such as NSCS, CERT, NTRO and NCIIPC. Shipboard Cyber Expertise

The National Maritime Cyber Operations While the Navy must have a dedicated Centre (NMCOC) would be the coordination Chief Information Security Officer on board, as centre for cyber operations within the Navy an interim measure, the skill set of the officer and Coast Guard and with other services. looking after Communications and EW should The CERT-Navy and its Cyber QRTs would be be enhanced to include all aspects of cyber part of it. security and applications of cyber power.

73 VIF Task Force Report

Skill Development Guard and GCHQ. It should also be noted that India has entered into cyber security related Skills required for capacity building in agreements with countries like the USA, UK cyber power are multi-fold with a very high and Israel. These connections should be degree of specialisation. The Navy would leveraged to our advantage to ‘leap ahead’ formulate curricula for each skill and ensure and save time. availability of infrastructure and faculty, as also ensure facilities for certification are available. Most of the training could be outsourced. Indian Air Force Integral establishments of the Navy like the The Indian Air Force (IAF) has had an Signal School, INS Valsura and Submarine extensive cyber security policy in place since and Naval Aviation Training School should be 2007. This was revised in 2012 and 2018. organised and equipped for military training Treated as a Bible in the Service, this cyber and application of cyber power. security policy covers the entire gamut of An annual seminar on maritime cyber cyber activity, be it AFNET or Internet or LAN security should be organised by the National or weapon systems. It discusses in detail Maritme Foundation on the sidelines of one the various procedures to be adopted in IAF their annual conferences. cyberspace. To augment the Cybersecurity policy, various Cybersecurity instructions Designated teams need to be sent to and advisories are issued from time to time various countries for interaction and learning. to ensure the Cybersecurity posture of IAF Study courses should be organised remains relevant with respect to both the in foreign universities having expertise in technology and emerging threats. maritime cyber security. The IAF has done some pioneering The Navy must have its own cyber range, work in cyber defence, offence, information data centres, network simulators, incident management and created organisations for reporting network, and facilities for software audit, training and for separating the Internet maintenance and inspection. from AFNET.

Periodical Inspections of Naval and The interaction between AFNET and Coast Guard establishments must include Internet is carried out through a Centralised specialist cyber professionals to review cyber Internet Access Server which is managed awareness, incident reporting and response in turn by the Internet Security Operations mechanisms. Center. The IAF has developed its own operating system ‘Vayusenix’. CERT-IAF conducts regular audits, and is responsible International Cooperation for ‘Patch Management’ and works directly It is necessary to interact with international under the Directorate of Operations (IW) maritime organisations who have already which is the apex policymaking body for developed expertise in maritime cyber any cyber security related issue and is security. Some of them are IMO, US Coast functionally under the Assistant Chief of Air

74 Organisation for Cyber Deterrence, Synergy, Staffing and Adaptation of Cyber Force

Staff Operations and Space, who is also the SIWO are not established under the Chief Information Security Officer (CISO) of government gazette the IAF. Air Commodore Ops (IEW) is the • With no sanction for an establishment, overall in- of the Directorate for its manpower for running these day-to-day operations. organisations is not available on Command Headquarters plays a crucial accretion basis. The manpower for role in cyber defensive operations in the Area these key roles is arranged from within of Responsibility (AoR) of the concerned resources on an ad-hoc basis Command. Command Information Warfare • Ad-hoc manpower may be routed Officer (CIWO) is responsible for ensuring back to the parent branch/trade. This effective implementation of the cyber security results in a skill drain, as the trained policy and the directives issued by Air and experienced resource is not Headquarters. CIWO also plays a crucial role available after being routed back to in carrying out routine and surprise checks of the parent trade cyber security units at air force stations. • Sans establishment, the IAF faces The Indian Air Force takes cyber audits certain bottlenecks in undertaking of its ICT infrastructure very seriously. There capital works viz., Work Services are various kinds of audits, varying in role and for creating Cyber Ranges, Cyber complexities to evaluate different systems. Laboratories etc. It includes audit of Critical Information • Non-availability of establishment also Infrastructures (CII), weapon systems and hampers the procurement process. There platforms, Headquarters at all levels, air is crucial software (Forensics, SIEM etc.) force bases, logistic organisation and so that could not be purchased on time on. The audit also includes Vulnerability • The Forensics Lab is to be certified Assessment and Penetration Testing (VAPT) and recognised by Indian courts for an and surprise audits. The IAF also carries out an early trial of cyber-related cases audit of personal ICT devices of Air Warriors on a voluntary basis to protect them from cyber interventions. Defence Information Assurance and Research Agency (DIARA) Impediments to Cyber Security To begin with, DIARA will form the nucleus of the Cyber Defence Agency There are certain procedural impediments (DCyA) and ultimately merge with it. Hence which have a direct impact on capacity the way the Defence Cyber Agency comes building of cyber power and national security up will be contingent and dependent on which must be resolved at the earliest. Some the involvement, functioning, organisation of these are: and empowerment of DIARA, the support • Cyber security organisations viz., and guidance that it receives from the Dte of Ops (IW), CERT-IAF, iSOC, SOC government, the Chiefs of Staff Committee and certain appointments viz., CIWO/ and the National Cybersecurity Coordinator.

75 VIF Task Force Report

Following are indisputable and absolute a consulting agency for compressing strategic imperatives in the creation and time frame and creation of knowledge operationalisation of DCyA: through analysis of technical • Immediate government letter developments and their utility in the sanctioning formation of the Defence Indian context, emerging threats, and Cyber Agency, its approved organisation locating human resource with incremental manpower, the • DCyA should have a younger profile, Command and Control and Delegation flexible policies about tenure, of Powers to the Commander DCyA promotions and cadre management. Merit must be respected, • The government letter must include acknowledged and rewarded. approval in principle for location and Selection should involve tests for infrastructure – buildings for offices, aptitude, security consciousness, out conference and meeting rooms, of the box and innovative ,thinking and communication hub, data centre, the ‘never say die’ spirit cyber range, laboratories; and access • DCyA must have different departments control system to include the latest and supporting facilities for human security systems. Some of these resource, training and certification; assets would require shielding from technology and R&D; intelligence, Electro Magnetic Interference cryptology, coding, language, networks • Budget allocation of 2,000 crores with a and sensors; safe products and provision to carry over the balance to the next systems; policies, processes and battle financial year, financial sanctioning power drills; integration, military diplomacy, of 20 crores with the Commander and 100 international cooperation; and interaction crores with the approval of the integrated with cyber security components in the finance officer and the Steering Committee civil, including joint exercises • A Steering Committee, duly empowered, • In the first year, DCyA should be headed by the CISC and having able to provide a minimum of Two Members as stakeholders, be formed integrated teams which must be by issuing appropriate government operational in 18 months. Thereafter, letter. The Steering Committee would in the second year, capacity must be report to the Raksha Mantri and be built for Three integrated teams, and responsible and accountable for timely for Five integrated teams in the third implementation and operationalisation year. Needless to say the teams would of DCyA. Slippage of eight weeks be constituted, based on the task, or more to be brought to the notice and hence will have a very flexible of the PM/PMO, NSA, COSC and construct NCSC clearly stating the reasons and • Operational parameters, particularly recommended solutions for command and control of these • Nominate a think tank with requisite teams and the integral elements, domain knowledge and experience as would get formulated as we go on

76 Human resource in the IT sector in general and cyber security experts in particular is not prone to a long chain of rigid hierarchies. They work in flat organisations driven by the concept of ‘knowledge worker’. Their organisational culture inculcates and encourages interdisciplinary cooperation, seamless flow of information, honesty and integrity in reporting and ownership of responsibilities. Members in the organisation have to be creative, innovative and keen to learn from each other’s experience. We must recognise these cultural attributes and formulate specific HR policies and terms of engagement for this highly technical and limited resource.

Section Five

Human Resource, Training and Certification

77 VIF Task Force Report

The efficacy and application of cyber power theoretical subset of cyberspace, which is contingent upon human resource, their skills includes relevant linkages with non-military and level of competence. Unfortunately, there is cyberspace, wherever necessary. an extreme shortage and availability of resource. Getting the right people is most critical and a Military cyberspace will include all top priority for any organisation. Next in priority networks, communications and data centres is training, retention and re-skilling. specifically used by the military in isolation from non-military users. It includes the electro- The task before cyber power operators magnetic space, including EM Spectrum, is highly specialised and demanding. Hence C4ISR assets, weapon platforms (aircrafts, keeping them motivated is a big challenge. ships, maritime assets, tanks, drones, missiles, This is particularly so since the working logistics elements, networked soldiers in culture and attitude does not lend itself to combat), and social media networks in the regimentation. Further, they are quite aware area of interest and influence, and digitised of their expertise and the enormous demand national media reporting on military activities in the civil sector for their services, and hence and so on. the expectation for higher emoluments, career progression, dignity and recognition. The sole aim of defining military Unfortunately, these come with great difficulty cyberspace is to highlight the complexities of due to a distinct bias against ‘techies’ in the the operational environment in which a cyber Services. The challenge, therefore, is two-fold warrior must operate, the multitude of skills – first to keep them motivated, and second, required to effectively deliver and integrate to make the environment aware about the with other warfighting domains. importance of their task and how it adds Human resource in the IT sector in general another option to warfighting and in delivery and cyber security experts in particular is not of un-proportionate dividends. prone to a long chain of rigid hierarchies. Another challenge in terms of recruiting They work in a flat organisation driven by and retaining technically qualified individuals the concept of the ‘knowledge worker’. is that the skill set of an expert hacker is the Their organisational culture inculcates and same as those of a cyber security/ICT expert. encourages interdisciplinary cooperation, Such skilled persons are in great demand, a seamless flow of information, honesty both in industry and Dark Web and are well and integrity in reporting and ownership of compensated. responsibilities. Members in the organisation have to be creative, innovative and keen The domain where this human resource to learn from their experience. We must will perform is the new global called recognise these cultural attributes and ‘cyberspace’ which is an integrated civilian formulate specific HR policies and terms and armed forces domain. This paper deals of engagement for this highly technical and with capacity building of cyber power in the limited resource. Indian Armed Forces. Hence, the major area of its application could be called ‘Military The situation can be eased considerably Cyber Space’ for better understanding – a by outsourcing training to the private sector.

78 Human Resource, Training and Certification

They can deploy domain specialists, hardware families of the armed forces personnel, both and software in a much faster time frame to create awareness and for talent hunting. than is possible through normal defence procurement procedures. The curricula can Focus Area of Securing Military be drawn jointly by the armed forces and Cyber Space private enterprise. Aspects of security of information and Intellectual Property Rights As far as the armed forces are concerned, (IPR) can be resolved through a well-drawn capacity building focus would be on identifying contract with comprehensive and stringent and protecting vulnerabilities in the military non-disclosure components. Such a measure cyber space, create escalating levels of will be a catalyst in building a cybersecurity expertise for cyber security, high level of eco-system. multidisciplinary expertise for deterrent capability and developing advance knowledge The situation is critical and needs to be for the future. dealt with at multiple levels concurrently. The primary thrust of training will be The government must declare cyber in detection of threats, containment of security as a separate cadre immediately, as damages and recovery from cyberattacks. there is a strategic necessity to develop an eco- While defensive capabilities will have their system to generate skilled human resources. own place, specialised training to selected persons should be imparted in cyber offensive At the national level, all academic operations. institutions must be directed to include basic cyber security training as part of their At the operational and strategic levels, we curricula. The armed forces should identify need cyber leaders who are adept in planning academic institutions for training in different and can conduct cyber operations, both in skills up to advanced and doctorate levels. The standalone and integrated applications in selected institutions must be given grants for conjunction with IW and kinetic power. establishing training facilities and employing qualified faculty. The selected people should Some skills required for developing the be sent abroad for specialised training. full spectrum of cyber deterrence are: PC operating systems and exploits (A computer Organisations like the NCC, NSS and exploit, or exploit, is an attack on a computer Police Cadets must have cyber wings and system, especially one that takes advantage become a nursery for skilled resource, both of a particular vulnerability the system offers for the civil and armed forces. to intruders. Used as a verb, exploit refers to the act of successfully making such an attack). An Institute of Cyber Professionals must be formed to draw skilled and experienced • Mobile operating systems and exploits resource, both from within the country and • Computer hardware and embedded abroad. devices All stations must be directed to form • Networking protocols, wired and cyber orientation clubs, which will be open to wireless networks

79 VIF Task Force Report

• Switches, routers and wireless access Skill Qualification Framework (NSQF). Training points would be in accordance with a ‘Qualification • Firewalls and intrusion prevention Pack’ designed by the DCyA to cater for the systems specific needs of the armed forces. Stress will laid on cyber hygiene, good practices, • Databases and memory operations incident reporting and creating awareness • Computer attack, exploitation and of possible threats. A target of more than security 90 percent persons becoming cyberliterate • Constructing and detecting malware should be achieved within two years. Training would include refresher capsules conducted • Hacking tools and programming periodically to remain abreast with technology languages and emerging threats. All existing training • Internet architecture, Dark Net, institutions will be organised and equipped Internet of Things and Open Source by way of faculty, infrastructure and finance Intelligence (OSINT) for this task. • Advanced exploits relying on With regard to new recruitment, Level 3 assembly level programming, data qualification of NSQF must be the essential execution prevention, address space qualifying criterion. They would be given layout mechanisms, function pointer reorientation training by way of a Cyber overwrites, spraying, EMET Foundation Course as part of initial training mitigations, kernel hacking, etc. in their respective institutions. • Language expertise All Level 3 and 4 persons will be subjected • Coding, code breaking, cryptology and to aptitude and psychometric tests (to cryptanalysis be developed by DIPR) to ascertain their • System integration, cyber deception suitability for cyber roles and associated • Data storage and management, big aspects like confidentiality. Those clearing data, AI, and analytics this test would undergo an additional cyber • Electrical, electronic and civil capsule of approximately three months engineering expertise duration and conform to the next NSQF level. • Psychology and behaviour analysts Level 2: Cyber Operators The task force recommends four levels of cyber proficiency in the armed forces. These are: We need to understand that a cyber specialist needs to have a flexible mind and good insight into cyber/software/network Level One: Cyber Literate aspects of relevant application and/or This level has two possible entrants – equipment that is inducted into the cadre. soldiers in service and those who are to Cyber operators would form Level 2 with a be recruited. Both groups will be made minimum qualification of graduate or Level 5 cyberliterate up to Level 3 or 4 of the National to 9 of NSQF.

80 Human Resource, Training and Certification

They will be sourced from those who making and formulation of concepts of qualify in the test mentioned above and operations, both in the cyber-enabled tasks through direct recruitment at a rank equivalent and in integration with other warfighting to that of a Junior Commissioned Officer assets. They must be sent to friendly countries (JCO). This resource will man and operate like the USA, UK, Russia, Israel and South networks, systems and platforms. They Korea for specialised training in the field of would be specifically trained in software their expertise. They would be in command maintenance, cyber defence, vulnerability of cyber units and be responsible for capacity detection and resolution, security audits, building and application of cyber power. network penetration and integration. They will They would provide domain knowledge for form the backbone of cyber power capability. India-specific research and development and Cyber operators would be proficient in one interact with top academic institutions for the or more of the skills stated above. Some provision of faculty and talent hunting. of them can be embedded with equipment manufacturers to monitor and learn. Some Other Issues • There will be a requirement for setting Level 3: Cyber Warriors up skilling institutes, some of them These are hardcore cyber experts in their anonymous, to re-skill and up-skill respective fields with at least an engineering personnel so that they stay updated degree and minimum of three years of and have adequate mobility and experience. They would be given tasks like opportunities for career progression cyber exploitation on 24/7 basis, identification • The functioning of these institutes of vulnerabilities, probing missions, should be entrusted to those personnel information management, engineering inputs who undergo rigorous screening in for cyber weapons, integration with kinetic terms of integrity, confidentiality and energy assets; execute tasks assigned as subject matter expertise a constituent of IW; design and data on kill • Recommend setting up one cyber switches; and so on. They would provide range per geography to conduct a firm base to DCyA integrated teams for theatre aligned specialised courses offensive operations and also be able to conduct counter-offensive missions. The • Language training. Ensure availability brightest amongst them will be sent abroad of adequate vacancies and finance for for specialised training and postings to Indian language training diplomatic missions. • Create a pool of Master Instructors to lead the training and be available for Level 4: Cyber Leaders crisis management in case of a major cyber intervention These are highly qualified people with a • Establish online training and a Master’s Degree or Ph.D. with five to seven certification facility along with resource years experience and an ‘outstanding’ career for content generation. Conduct profile. They would be involved in policy

81 VIF Task Force Report

military hackathons, competitions and organisation would define a cyber warrior. It is awards to incentivise the seen face of a very scarce resource with several suitors to the cyber workforce, both to attract attract them with tempting terms of service. fresh talent and to keep existing talent We, thus, have a challenge which demands motivated. a proactive approach with an attractive • The unseen face will also have to be package, good working conditions, enabling equally incentivised by non-public policies, recognition as a separate cadre and disclosures. dignity as a knowledge worker. The armed forces will have to adapt Conclusion to this environment and rely on years of management experience along with a study Human resource and related aspects of of human resource practices in the private training, role, responsibilities, attitude and sector. institutional values, coupled with innovation, agility of mind, motivation, out of the box Time is critical and there is no choice. thinking and unwavering belief in the

82 India has to develop its own technologies, electronic manufacturing base, R&D infrastructure and highly skilled human resource. Being late has an advantage of ‘leap ahead’ but delays can have catastrophic consequences also. There is a need to encourage our industry, provide a level-playing field at the minimum, encourage start-ups and MSMEs and create a vibrant eco-system.

Section Six

Technology, R&D, Standards and Integrity of Data

83 VIF Task Force Report

Introduction integrated circuit chips produced in India. Without these, India will continue to have Cyber security requires continuous tracking serious and unacceptable vulnerabilities in of evolving technologies globally and alignment her defence posture. with the country’s R&D objectives and agenda. Contribution is required from all stakeholders In this information age, information and – government, industry and academia. Public- technology are the new currencies of power. Private Partnership (PPP) is the way forward, The nation must have capabilities and processes as it would help in combining the best of to ensure integrity of information through all both worlds and complement capabilities to stages, capture, transport, storage, processing develop a secure cyber eco-system. Increased and retransmission. There is an operational government-funded research and public- and strategic necessity to have indigenous private coordination are needed, particularly capabilities in language, big data, analytics, in the expanding fields of new secure artificial intelligence, cryptology and data networking and computing architectures, centres with wide band secure connectivity. high performance computing, encryption, data Data is the new oil and we as a nation integrity, artificial intelligence, big data, privacy have to ensure that our data is stored in and risk management strategies. servers located in India. While the national Capability building in cyber power is data policy is likely to be announced soon, the essentially about the availability of appropriate government’s stand on ‘localisation of data’ technologies and their exploitation in achieving is praiseworthy. the desired effect. The availability of an indigenous technology base, its application Suggested Approach for Technology in the development of products, integration Development in accordance with national standards to India has to develop and harness indigenous build systems and ensure interoperability technologies to back up her doctrine. India coupled with indigenous semi-conductors, has the capability but needs political support, an electronic manufacturing and testing eco- enabling policies, financial backing, and less system, focused R&D to support immediate bureaucratic control. India is a lead country requirements and concurrent work on in designing semiconductor chips but lacks a harnessing futuristic technologies are critical foundry for in-house production. strategic requirements for any nation in order to have ‘Technology Sovereignty’ and develop It is very heartening to know that India very full spectrum capabilities in cyber power. recently, has produced a completely indigenous microprocessor, thanks to researchers from Unfortunately, India has a long way to go IIT Madras. The microprocessor can be used in these areas with attendant adverse impact in mobile computing devices and embedded on cyber and national security. We have to low power wireless and networking systems. design, produce, integrate, field, maintain The project named ‘Shakti’ is funded by and upgrade fully secure indigenous products the Ministry of Electronics and Information and systems as per Indian standards with Technology. The manufacturing was done at

84 Technology, R&D, Standards and Integrity of Data the semiconductor laboratory of ISRO. The • Create/award dedicated ‘projects’ for first batch of 300 chips, known as RISECREEK, the development of each technology, were fabricated at Intel’s fabrication facility in its transformation from engineering the US. into production, integration and upgradation. These projects to be Another project with SCCI collaboration awarded to a consortium of companies/ has successfully created a new standard institutions in a PPP model with for cyber-physical systems design and ‘womb to tomb’ commitment development. This is perhaps the first time in the world that the world of models • Timelines for implementation of each and realisations are fused into a single phase must be clearly specified with architectural continuum! This puts India at provision for penalty in case of slippage the forefront of digital and cyberphysical and incentives for early completion systems modelling standards efforts. Such within the budget and innovations architecture allows a new system to be • The Project Director/Lead Company modelled and automatically synthesised to will have complete responsibility and a working system that is guaranteed to accountability. They would be suitably conform to the model, speeding up the entire empowered and have assured access development cycle. to financing

These and many more ‘islands of • Attractive provisions and incentives for excellence’ exist. We need to integrate start-ups and involvement of medium them to create secure systems. We must and small scale enterprise (MSSE) encourage this and produce a qualified • Ensuring availability of human resource resource for ‘engineering into production’ and and training facilities as given in the system integration. This should be one of the previous chapter main R&D objectives. • Review/Revise National Electronic The task force recommends multiple Policy-2012 and give it strong impetus approaches to be implemented concurrently: • Hire a foundry for semi-conductors Establish a ‘National Mission for Information/ from a friendly country and Cybersecurity Technologies Development’. concurrently commence deliberation This should be headed by a technocrat and for a foundry in India members drawn from stakeholders, including representatives from users, private industry, Cyber security is an integrated civilian academia and R&D establishments and military domain. Hence, the technologies would be largely common, especially for • Carry out a detailed study and analysis defensive tasks. Some of these technologies, of present and emerging threats however, would have to be developed on and home onto technologies that higher priority to meet the immediate security are needed with timelines for their requirements of the defence forces. For development to support the doctrine offensive operations, the making of cyber

85 VIF Task Force Report

weapons and deception, we might need some • Memory-scraping malware on point- application-specific technologies. of-sale systems • Bespoke attacks that steal specific Emerging Threats and data (instead of compromising an Corresponding Negation entire system) Technologies In these scenarios, firewalls, anti-virus The old IT world is dying; cyber security measures and tool-based security approaches experts now have to deal with threats created no longer cut it. By 2020, it is predicted that by Cloud, the Internet of Things, mobile/ 60 percent of digital businesses will suffer wireless and wearable technology. Data that major service failures due to the IT security was once contained within systems is now team’s inability to manage digital risk in new travelling through a dizzying variety of routers, technology and use cases. data centres and hosts. New solutions are needed now. Today we are facing 5th Generation cyber security threats wherein, attacks are multi- Increasing digital connectivity and the everything – multidimensional, multi-stage, automation of virtually all processes in the multi-vector and polymorphic. To properly world of business throughout the whole value protect a business’s IT operations today chain have led to the creation of agility. This has requires a new, holistic approach to assessing also led to the development of extremely high and designing their security toward an levels of threat and significantly raised cyber integrated and unified security infrastructure security risks. The building of cybersecurity that prevents attacks in real time. into applications is critical in addressing such risks, as well as all the devices that From curious hackers to corporate and are interconnected from the very beginning. state-sponsored espionage to organised As attackers improve their capabilities, crime, the new networked world has provided enterprises must also improve their ability near unimpeded access to all sorts of to protect access and protect from attacks. assets and private data with near complete Security and risk leaders must evaluate and anonymity! As a result, every successful engage with the latest technologies to protect advancement of malicious activity has driven against advanced attacks, better enable digital corresponding advancements in IT security. business transformation and embrace new This cycle will certainly continue. computing styles such as cloud, mobile and DevOps.’ What’s more, cyber criminals and hackers are getting smarter. For instance, they are using: Priority Technologies for Defence • Man-in-the-Middle (MiM) attacks to Forces eavesdrop on entire data conversations • Spying software and Google Glass to Cloud workload protection platforms track fingerprint movements on touch and cloud access security brokers: The screens continued and growing significance of

86 Technology, R&D, Standards and Integrity of Data software as a service (SaaS), combined with Network traffic analysis: Network traffic persistent concerns about security, privacy and analysis (NTA) solutions monitor network compliance, continues to increase the urgency traffic, flows, connections and objects for for control and visibility of cloud services. behaviours indicative of malicious intent.

Remote Browser: Nearly all successful Managed detection and response: attacks originate from the public Internet, and Managed detection and response (MDR) browser-based attacks are the leading source providers deliver services for buyers looking of attacks on users. Information security to improve their threat detection, incident architects cannot stop attacks but can contain response and continuous-monitoring the damage by isolating end-user Internet capabilities but don't have the expertise or browsing sessions from enterprise endpoints resources to do it on their own. and networks. Micro-segmentation: Once attackers have gained a foothold in enterprise systems, they By isolating the browsing function, malware typically can move unimpeded laterally (‘east/ is kept off of the end user's system and the west’) to other systems. Micro-segmentation enterprise significantly reduces the surface is the process of implementing isolation and area for attack by shifting the risk of attack to segmentation for security purposes within the server sessions, which can be reset to a the virtual data centre. Like bulkheads in a known good state during every new browsing submarine, micro-segmentation helps to limit session, a tab opened or URL accessed. the damage from a breach when it occurs. Deception: Deception technologies are Software-defined perimeters: A software- defined by the use of deceits, decoys and/ defined perimeter (SDP) defines a logical set or tricks designed to thwart or throw off an of disparate, network-connected participants attacker's cognitive processes, disrupt an within a secure computing enclave. attacker's automation tools, delay an attacker's activities, or detect an attack. By using Operational Support System (OSS) deception technology behind the enterprise security scanning and software composition firewall, enterprises can better detect attackers analysis for DevSecOps: Information security that have penetrated their defences with a high architects must be able to automatically level of confidence in the events detected. incorporate security controls without manual Deception technology implementations now configuration throughout a DevSecOps cycle span multiple layers within the stack, including in a way that is as transparent as possible endpoint, network, application and data. to DevOps teams and doesn't impede DevOps agility but fulfils legal and regulatory Endpoint detection and response: Endpoint compliance requirements as well as manages detection and response (EDR) solutions risk. Security controls must be capable of augment traditional endpoint preventative automation within DevOps tool chains in order controls such as an anti-virus by monitoring to enable this objective. Software composition endpoints for indications of unusual behaviour analysis (SCA) tools specifically analyse the and activities indicative of malicious intent. source code, modules, frameworks and

87 VIF Task Force Report

libraries that a developer is using to identify learning and artificial intelligence. There is a and inventorise OSS components and to significant deal of interest for purposes of identify any known security vulnerabilities systems security in these technologies. or licensing issues before the application is released into production. This is of special Deep learning, just like behaviour analytics, significance to India in case of imported focuses on anomalous behaviour. Whenever AI equipment and systems. and machine learning systems are fed with the right data regarding potential systems security Container security: Containers use a threats, they can make decisions on how to shared operating system (OS) model. An prevent hacks depending on their immediate attack on a vulnerability in the host OS could environment without any human intervention. lead to a compromise of all containers. They are not inherently insecure, but they are The system scrutinises entities instead being deployed in an unsecured manner by of users that have access to the information developers, with little or no involvement from system. The most recent developments security teams and little guidance from security in machine learning technology and exact architects. Traditional network and host-based business analytics means that we are now security solutions are blind to containers. able to analyse different entities that are found in the enterprise at both the macro Hardware Authentication. Tech gurus and the micro levels. Business organisations have developed a solution in the user and government agencies are now be able authentication process with a new Core to stamp out any persistent or advanced vPro processor that belongs to the sixth cyber threats using artificial intelligence and generation of processors. The core vPro can machine learning. combine different hardware components with enhanced factors simultaneously for user In the past few years, hackers have been identity validation purposes. employing customised attacks on systems. Instead of launching a battalion at a wall, Tech Company Intel has built on previous they carefully analyse a system’s defences, experiences and mistakes and dedicated a and then send in the Trojan horse. Thanks to portion of the processor for security reasons the volume, and variety of big data, to make a device part of the entire process most companies are not even aware that their of authentication. Hardware authentication systems have been breached. can be especially important when it comes to the Internet of Things (IoT) where the network Instead of focusing on the first line of of connected devices ensures that any device defence, the next-generation breach detection that seeks to be connected has the rights for focuses on what happens once the criminal connectivity to that particular network. This is inside the system. It takes behavioural is of immense value in hardening various analytics and adds even more tools to identify network systems on board military platforms. the bread crumbs that a hacker leaves behind.

Deep Learning: Some technologies are Rather than relying on detecting known encompassed in deep learning such as machine signatures, we can marry big data techniques

88 Technology, R&D, Standards and Integrity of Data such as machine learning with deep cyber malicious behaviour. That behaviour can security expertise to profile and understand trigger a red flag to system defenders if they user and machine behaviour patterns, are employing UBA. The technology uses big enabling them to detect this new breed of data analytics to identify anomalous behaviour attacks. In other words, breach detection by a user. tools can pick out strange movements and An ‘Attack Chain’ comprises of initial changes in a sea of data and determine that penetration, lateral movement and then something is very, very wrong. compromises theft and exfiltration of sensitive Virtual Dispersive Networking (VDN): data. The middle links in that attack chain VDN takes a page out of now traditional military have not been very visible to enterprise radio spread-spectrum security approaches, security pros, and that is why the interest in where radios rotate frequencies randomly or user behaviour analytics today. Visibility into split up communications traffic into multiple an activity that does not fit the norm of the streams so that only the receiving radio can legitimate user can close a blind spot in the reassemble them properly. With Dispersive, middle of the attack chain. however, the Internet (or any network) is now Data loss prevention: A key to data loss the underlying communications platform. prevention is ‘authentication’ and technologies VDN splits a message into multiple parts, such as encryption and tokenisation. They can encrypts each component separately and protect data down to field and sub-field level routes them over servers, computers and which can benefit an enterprise in several ways: even mobile phones. Traditional bottlenecks • Cyber attackers cannot monetise data can be completely avoided. The data also in the event of a successful breach ‘roll’ dynamically to optimum paths – both randomising the paths the messages take • Data can be securely moved and used while simultaneously taking into account across the extended enterprise, and congestion or other network issues. Hackers business processes and analytics are left scrambling to find data parts as can be performed on the data in its they whip through data centres, the Cloud, protected form, dramatically reducing the Internet and so on. To prevent cyber exposure and risk criminals from attacking the weak point of the technology – the place ‘where the two High-Performance Computing: High- endpoints must connect to a switch in order performance computing (HPC) is essential to initiate their secure communications’ – to a nation’s economic competitiveness, Dispersive has a hidden switch that also scientific discovery and national security. HPC leverages VDN. This makes the switch very network access has become commonplace as hard to find. new applications emerge leveraging massive scientific data sets collected by sensors or User Behaviour Analytics (UBA): Once scientific instruments and new HPC systems someone's username and password is support the execution of applications in compromised, whoever has them can waltz parallel. This new complexity has heightened onto a network and engage in all kinds of HPC security requirements while the existing

89 VIF Task Force Report

pressure to maximise performance remains. disabling the device, rendering it unusable by New research is needed to determine the thief without unlocking credentials from whether traditional security mechanisms will the owner. A kill switch built into the OS of the be effective for next generation HPC systems. phone or as third-party app renders devices unusable and ultimately worthless. Autonomous Systems: Technologies for autonomous systems and components are French and Israeli electronic warfare units maturing and their security implications have use kill switches to disable opponent military been raised often. Research challenges for systems. R&D efforts are required to be made autonomous systems include manipulation in India both for offensive and defensive of machine learning algorithms and resulting aspects of the Kill Switch. effects on resilience. Research and Development Mobile Devices: Network access usually requires physical connection such as a Nations and organisations globally are telephone or Ethernet jack. These constraints busy developing products, systems and have been shattered by the introduction of processes for cyber security to safeguard wireless networking and ubiquitous handheld against future threats. There are 11 hard devices. There are more stakeholders problem areas in cyber security which have involved in achieving security today, including been universally identified. These are: component and device manufacturers, • Scalable trustworthy systems operating system designers and developers, (including system architectures and application developers, cloud storage requisite development methodology) providers, and network providers. Mobility creates new challenges for protection (e.g., • Enterprise-level metrics (including secure update), detection, and situational measures of overall system awareness. trustworthiness) • System evaluation life cycle (including Kill Switch: A kill switch is an event that approaches for sufficient assurance) is used to stop a programme from continuing to execute. A kill switch, also known as an • Combatting insider threats emergency stop (e-stop) and as emergency • Combatting malware and botnets power off (EPO), is a safety mechanism used • Global-scale identity management to shut off machinery in an emergency when it cannot be shut down in the usual manner. • Survivability of time-critical systems • Situational understanding and attack There also is a debate about implementing attribution kill switches in robots and advanced artificial intelligence systems. • Provenance (relating to information, systems, and hardware) In digital devices, a digitally implemented kill switch is used to protect data by either • Privacy-aware security erasing it, or permanently/temporarily • Usable security

90 Technology, R&D, Standards and Integrity of Data

Cyber security is a complex subject • New technologies and models for and requires capabilities in a multitude of access control, storage of data, data disciplines. No country will part with its core masking and data erasure technologies for cyber security as that would • New resource-constrained crypto have a direct impact on national security. India and multi-factor authentication needs to develop these technologies as per technologies for the Internet of Things its operational requirements. The government and other low cost, low energy systems must bring all stakeholders together with the common aim of developing these • New security architectures for hyper- technologies as a mission. Technologies scale cloud infrastructures and recommended to be developed on priority highly virtualised computing and have been listed earlier in this paper. We communications systems would now consider the requirements for • Physical layer security for securing data security and integrity. The task force communications when cryptography recommends the following priorities: is not possible due to limitations on • Extending encryption to allow computational capability, or because computation to be performed directly of the network architectures involved on encrypted data to enable full end- The above research topics are being taken to-end data security up by various governments and agencies • Quantum-safe cryptography, including globally. In India, research topics have to be implementation-efficient algorithms chosen carefully keeping in view: that are resistant to advances in • Short-, medium- and long-term Quantum Computing should this be requirements necessary • Availability of funds • New data anonymisation methods for • Requirements of different stakeholders enhancing protection of user identity, like Ministry of Electronics and privacy and confidentiality Information Technology (MeitY), • Strengthening the chain of custody of Ministry of Defence (MoD), data or transactions using distributed intelligence agencies, the Department ledger technologies such as blockchain of Science and Technology, Education • Technologies for intrusion, malware Department, Ministry of Home Affairs and distributed denial of service (MHA), private industry, etc. detection, including new methods for • Inter se priority real-time application of network traffic analysis, based on advanced machine Contractual Clauses for System learning algorithms Protection and Availability • Malware-based defences to ‘live with the threat’, analogous to biological Supply chain vulnerabilities will remain a defences in living species major cause of concern for ICT networks and systems of the armed forces till such time

91 VIF Task Force Report

as basic infrastructures for manufacturing of Vendors that develop a source code for the chips and network products are not set up armed forces need to be bound by the Official in India. Recent incidents of and Secrets Act. Also, a contract should have Specter Malware affected almost all modern provision for the Escrow account. The contract processors, including Intel, AMD and ARM should stipulate that the vendor shall provide chips. Since the initial discovery, variants of secure code training to all authorised personnel both Meltdown and Specter have also been and maintain software codes as per the SLP discovered. Similarly, VPN Filter appeared (Software Licensing and Protection) Contract. to be particularly interested in targeting networking devices. It targeted devices using Conclusion default credentials, or those with known exploits. Therefore, vendors need to be India has to develop its own technologies, bound by contractual obligations to ensure an electronic manufacturing base, R&D due diligence for protection of networks and infrastructure and a highly skilled human data to mitigate vulnerabilities of cross-border resource. Being late has an advantage of supply chain. The vendor also needs to be ‘leap ahead’, but delays can have catastrophic held accountable for failure of its systems. consequences. There is a need to encourage Contracts may include cyber insurance, and our industry, provide at least a level field, its operability as per the Indian legal system. encourage start-ups and MSMEs and create a vibrant eco-system.

Contract Goals One will have to study and analyse adverse security effects, if any, of the Key contractual goals may include the involvement of foreign companies in building following: our infrastructure.The subject of Cybersecurity • Risk identification by analysing and and cyber power are complex. The armed correlating incident logs forces would need some agency to translate • Risk mitigation by ensuring defence in their operational requirement into identifying depth and mandated audits and exploiting relevant technologies. It is for this reason that the task force has • Risk transfer by effective insurance policies recommended an organisation like WESEE The vendor must exercise due diligence and of the Navy, staffed appropriately with Army set expectations for security (and privacy) right and Air Force personnel. Further, scientific from the RFP stage. It should adhere to Indian advisers to the Service Chiefs will have to play Data Protection Law (under finalisation) and a more active part. respect other provisions of the law of the land. India has always responded successfully The contract should limit access and processing to challenges to her security. The development of data. Curb on remote access by the vendor of cyber power is a national security objective for maintenance is a security requirement. and a strategic requirement. Disaster recovery and business continuity as part of resilience needs to be ensured through India needs to act NOW. insertions of suitable provisions in the contract.

92 Cyber Power is Offence Dominant and in essence, a sum of intelligence, technology, information sharing, skilled human resource and total synergy. Our culture, actions and policies must reflect these. It is a weapon whose potency increases exponentially when integrated with EW and KE capabilities.

Section Seven

Integration and Development of Concepts for Application of Cyber Power for Effective Cyber Deterrence

93 VIF Task Force Report

Cyberspace is the nervous system of a Further, a disruptive attack could cause nation providing connectivity, content and immense physical effect too. Political mistrust cognition. It is the blending of electronics has converted cyberspace into a theatre and electromagnetic energy to create, store, of war, and cyber provocations beyond a modify, exchange and exploit information. threshold, even if without due attribution, may The armed forces see cyberspace from lead to both a cyber and kinetic response for the perspective of Command, Control, which we as a nation should be prepared for. Computers, Communications and Intelligence It is only then that we can justify deterrence (C4ISR), and connectivity between sensors as our doctrine for the application of cyber and shooters. Therefore, the armed forces power. Article 51 of United Nation Charter need a synergy of electronic warfare, cyber provides options for the use of force in self- warfare and kinetic weapon systems to have defence when under a cyberattack. effect. As of now, cyber power can be applied In order to understand cyber operations in support of cyber-enabled operations fully at the strategic level, a politico-military as an important constituent of national framework must be imposed on cyberspace, comprehensive power. Pure cyber war is spelling out the ‘Ends’, ‘Ways’ and ‘Means’ some distance away but is certain and likely model of strategic analysis, which need to be to manifest in different shapes and contours applied in conjunction with other instruments as new technologies and threats emerge. of coercion and confrontation to achieve a Israel’s attack on a alleged nuclear facility political goal. For cyber operations, ways of Syria, Russian operations in Ukraine and the and means are distinct from other methods recovery of the US drone RQ70 in complete because of the nature and challenges in working condition by Iran are some major cyberspace. In cyberspace, unlike in the examples of integrated and cyber-enabled physical battle space, a distinction needs operations. to be made between warlike intentions and criminal/espionage activities to ensure an In 2016, China released its first ever appropriate response. ‘National Cyberspace Security Strategy’ setting out its positions on cyberspace development Cyber operations are carried out 24/7. In and security. Interestingly, the strategy sees almost all situations, these would precede cyber security as ‘the nation’s new territory kinetic operations and would last long after for sovereignty’. At the 2016 World Internet hostilities cease. Under international law, Conference in Wuzhen, President Xi Jinping a major cyber incident can be classified as declared, ‘We should respect the right of an armed attack. According to the Tallinn individual countries to independently choose Manual, in order to meet this qualification, their own path of cyberspace development, the cyber operation or tool used must have model of cyberspace regulation and Internet the same destructive capability or effect public policies.’ as a conventional kinetic operation. This is debatable since today cyber weapons can In characterising the Internet as a cause both disruptive and destructive effect. fundamental domain of state control, China

94 Integration and Development of Concepts for Application of Cyber Power for effective Cyber Deterrence is challenging long-held assumptions and importance and it is imperative that India principles that have governed the Internet develop cyber power to support her political and have allowed it to proliferate over the aims, ensure her security and sovereignty. past few decades. Cyber power is offence dominant and in Taking a cue from China, India needs to essence a sum of intelligence, technology, build all elements of cyber power to ensure information sharing, skilled human resource national security and sovereignty, and be and total synergy. Our doctrine, culture, counted as a leader in the digital domain, actions and policies must reflect these. taking off from its robust Digital India and Computer Network Operations (CNO) Make in India programmes. It should have are increasingly finding acceptance as an the ability to defend critical national and attractive, viable, low cost and low technology military IT infrastructure from cyber-attacks asymmetric option to undermine sovereignty, by demonstrated deterrent capabilities – both target individual leaders and engineer social ‘deterrence by defence and resilience’ as well discord. The ability of the nation-state to as ‘deterrence by retaliation’ as given in the survive organised cyberattacks from both recommended doctrine in Section Three. state and non-state actors is at the very heart ‘Deterrence by defence and resilience’ of Computer Network Defence (CND) which would include stated policies and doctrines, will have a decisive impact in preserving organisation and structures, licensing and sovereignty and social harmony. contractual provisions to ensure accountability The number of intelligent machines on the of vendors, capacity building regarding R&D, battlefield is increasing with advancements cyber security education and awareness and in Artificial Intelligence (AI) and Robotics. proactive/active defence leveraging artificial Several such systems like UCAVs and drones intelligence and machine learning. The are already operational. Many more intelligent resilience of critical infrastructure is required weapon systems like drone swarms, combat to bounce back in event of an attack. robots, pilotless aircraft and intelligent space ‘Deterrence by retaliation’ is the ability payloads are under active development. to conduct synergised offensive operations Such machines will eventually pervade and the ability to prevent own networks from across conventional battle spaces of land, espionage and interference. Our policies must sea, air and space and lead to a paradigm clearly articulate our position of launching shift in operational strategy, tactics and an offensive using both kinetic and cyber organisations. These machines will have power in case the adversary goes beyond the autonomous computing capability and will threshold as perceived by us. This position communicate, navigate and synchronise must have complete and declared backing of using wireless media and electronic sensors. the political authority. Counter-measures and tactics will rely Finally, it must be understood, both by the heavily on the use of EW and cyber power in policy and decision makers, that cyberspace an integrated manner, both for defensive and is an extremely potent domain of strategic offensive operations.

95 VIF Task Force Report

Space-based assets play a crucial role Further, there is a definite requirement of in surveillance, intelligence, navigation and integrating capabilities and resources of cyber communications. While militarisation of and Psy Ops, both in planning and execution. space happened almost in the beginning, Social media in our context is a very powerful weaponisation is a recent phenomenon dual-use weapon. While we need to quell false with many nations developing and testing news and propaganda, we must integrate all anti-satellite weapons. It is a matter of time necessary capabilities by way of language, before conflicts will be from, to and in space. technology, content and so on to effectively Integrated cyber and EW capability provides conduct ‘media warfare.’ an alternative and potent option for anti- satellite operations. Development of Concepts for Application of Cyber Power The Internet of Things (IoT) is another fast developing capability for surveillance Application of cyber power in pursuance and cyberattacks in cognitive, physical and of our national aim would require the electronic domains. Interference in IoT-based development of concepts, processes and applications of major platforms like aircrafts drills at strategic, operational and tactical and ships present a very serious challenge to levels. This is a big challenge due to the lack protect our systems and provide extremely of experience, the absence of cyber leaders attractive opportunities for offensive tasks. and inadequate understanding of cyber power as a weapon system capable of disruptive and Synergy, Jointness and Integration destructive effects in practically every sphere. It is also a very potent source of intelligence. At the tri-services level, air and naval Cyber power can be applied by itself and systems have integrated networks, sensors, in cyber-enabled operations in conjunction computer-controlled weapons and navigation with kinetic weapons. Its biggest utility is systems all of which are typically integrated as a ‘Weapon of Information’ in cognitive with platforms (i.e., the aircraft/ship) for the operations and perception management. purpose of early warning, survival and stealth. On the other hand, Army’s electronic combat Concepts would have to be developed assets are mostly platform independent and for integrated application in accordance with grouped with field formations as conventional the Indian Armed Forces doctrine. While military units. training abroad is a must, the learnings must be transformed to Indian requirements. This Aircrafts, drones, helicopters and some calls for very innovative, mentally agile and classified space assets have highly integrated highly skilled human resource. cyber and EW systems capable of both logical bombing and remote injunction of computer Each Service must have a cyber range and viruses. We will have to closely examine this a network simulation facility for regular training. capability and develop appropriate systems Cyber operations as part of IW, must form part and processes for defence. of every war game, the deductions debated and the conclusions recorded, disseminated and incorporated suitably in battle drills.

96 Cyber security is contingent on international cooperation in which India should take a leading role. Defence against cyberattacks will only be successful when countries cooperate and mount a coordinated defence. Therefore, nations need to cooperate to de-escalate weaponisation of cyber space, though proactive defence and technological innovation in cyber space are also a necessity. Further, the charter of the United Nations and the existing international legal framework needs to be respected. Nations must talk of cyber peace and not cyber war.

Section Eight

International Engagement and Legal Framework

97 VIF Task Force Report

International Engagement an act of hostile action on a nation? Whether pulling down a nuclear Challenges for the military in the era of online installation, causing an accident, connectivity and information flows are unique stealing information critical to national and require a great amount of coordination security may qualify for such act? between nations. They multiply further as cyber Will this act by individual/group not space is an integrated civil and military domain necessarily confined by geographical and encompasses critical infrastructures, critical borders, automatically imply that Internet resources like root servers, Top Level the presumed aggressor nation has Domain (TLD) servers, and Country Code Top started the war? And, what should be Level Domain servers (CC-TLD) manned and the response? owned by private players. • Are attacks on critical infrastructure The year 2017 was tumultuous for politics, owned by the private sector that also economics, and international relations. The support humanitarian activities and United Kingdom’s decision of BREXIT (Britain could be used to achieve military to exit the European Union), the election of objectives also considered an act of Donald Trump as US President, China’s efforts aggression? to challenge the world order, the turmoil in • Legitimate cyber worriers are Europe over its economy and anti-immigrant indistinguishable from non-state policies have all contributed to current actors. Therefore, should they be geopolitics being vitiated by distrust, which treated as non-combatants? in turn is being reflected in cyber space. The apparent of the US from • How can nations resolve differences in international engagement in cyberspace and sovereign laws associated with cyber China’s economic and political advance may space? well rewrite digital trade rules and openness • How do the Geneva and Hague in ways not envisaged by the Internet’s Conventions get correlated in cyber inventors. As part of its efforts to take the space? Is there a case for a ‘Digital lead in the digital arena, China has made it Geneva Convention’? clear that the retreat of Atlantic powers will be complemented by Chinese propositions Faced with these challenges, the military on digital commons. across the globe has to effectively defend each nation’s sovereignty in cyber space. Major challenging issues confronting international policy makers are: Further, nowhere in any domain except cyber space is it easy to remain anonymous. • Whether a cyberattack is an act of war It is very difficult to attribute a hostile act to a and does this mean that it is a use of nation/individual player. When lethal attacks, force under UN Article 2(4)? such as Distributed Denial of Service (DDoS) • When the nation state is not directly attacks are launched, servers from any involved, does an act by a single country can be compromised and a false flag person/group of persons constitute may be raised. Often, the country of origin of

98 International Engagement and Legal Framework the attack turns out to be the neutral player visualised that weapon stockpiles of the future and the hostile actor is never identified with will include stashes of zero-day vulnerabilities, conviction. Even in the case of DDoS against botnets, control codes and sophisticated various countries and the StuxNet attack, the malware which cannot be identified openly act of warfare in the cyber domain could not unlike other weapon systems. Also weapons be clearly attributed. Attribution to a state are not solely controlled by the military/ is easy but it is more difficult to pinpoint political leadership but most such weapons responsibility in case of non-state actors. are mere software residing in obscure covers. Thus, the attribution problem marks an How do such weapons deter is a major important distinction between cyber warfare challenge for international community. and traditional warfare regarding intent and More than 30 states now have identity which are not clearly revealed. commissioners for cyber foreign policy. In 2010, 15 countries, including the USA, Denmark has even appointed a cyber diplomacy UK, Russia, China and India advocated an ambassador. Cyber diplomacy in the widest arms control approach to cyber warfare. sense encompasses confidence-building However, it will take a lot of discussion to measures (CBMs). It also comprises certain define a cyber weapon. And even if that is aspects of international norm building, data achieved, major challenges of attribution, dual protection and freedom of expression, Internet use of weapons and proxy attacks need to be governance and prosecution under international overcome. Challenges to distinguish between agreements for mutual legal assistance. tools for cyber protection and offensive Many governments, however, have tools prevent control over the proliferation neither the knowledge nor the necessary of weapons in cyber space. Control of such resources to maintain basic cybersecurity tools through the Wassenaar Agreement has standards, or even ascertain what attacks are not been agreed upon as yet. being conducted via servers on their territory. Nevertheless, most states voice profound Even though, the term cyber warfare has reservations over national sovereignty when been used for more than two decades, it was presented with the idea of a central global only recently that the world saw StuxNet. regulatory body for security in cyberspace, It employed no fewer than four zero-day thereby rendering it an unrealistic prospect. It vulnerabilities and demonstrated a deep is more likely that cyberspace and information knowledge of the inner working of SCADA. space will be increasingly subject to national This shows very clearly that weaponising sovereignty. cyber warfare is very complex, involving detailed planning by one or more nation On the multilateral level, in 2015 a group states, non-state actors and private players. of 25 international experts commissioned by A malware specifically affecting only the the UN General Assembly (UNGGE) reached adversary’s network without any collateral a consensus that international law should damage to civilian/humanitarian networks is be applied in cyberspace as well, including still a long way from being productionised on the right to self-defence. However, in the a mass scale and is a great challenge. It is summer of 2017, the UNGGE could not

99 VIF Task Force Report

agree on whether to establish a so-called be evolved to define the threshold and nature attribution council. As a precondition for of deterrence. Technological innovations need attribution – meaning the technical, legal and to be adopted to counter non-attributability so political identification of the perpetrator of a that wrong inferences are not drawn. Some cyberattack – it was decided that sensitive of the high profile bilateral, regional and multi- information must be exchanged among lateral cooperation at international level are Computer Emergency Response Teams as follows: (CERTs) and between secret services and (a) Bilateral Dialogue on Cyber Issues security agencies. Ever since multilateral negotiations at the UN level failed in 2017, • US-China cyber agreement (Sept cybersecurity experts have been calling for 2015) ‘coalitions of the willing’ from G20 or G7 • Both parties agreed not to engage in states to drive international norm setting cyber-enabled economic espionage forward. Two track formats, such as the Global against each other and refrain from Commission on the Stability of Cyberspace, conducting or knowingly supporting predominate. cyber-enabled theft of intellectual Strengthening attribution concerns not property only states, but also the private sector. In • US-Russia Cooperation on ICT Security February 2017, Microsoft called for a ‘Digital (June 2013) Geneva Convention’. The most recent initiative, • US-UK Agreement on data access a ‘Charter of Trust’ launched by Siemens at (2016) [Awaiting passage of enabling the Munich Security Conference in February legislation by US] 2018, sets the same course. Finally, the World Economic Forum (WEF) aims to create a Global • USA-EU Privacy Shield (July 2016) Centre for Cybersecurity to combat cyber-crime (b) Regional/international cooperation and thus, also improve cooperation between • Shanghai Cooperation Organisation the private sector and state authorities, the so (SCO) called Public-Private Partnership. Joint proposal of China, Kazakhstan, These challenges call for international Kyrgyzstan, the Russian Federation, cooperation in which India should take a Tajikistan and Uzbekistan for an leading role. Defence against cyberattacks international code of conduct for will only be successful when countries information security was submitted cooperate and mount a coordinated defence. to the UN General Assembly in 2015. Therefore, nations need to cooperate to de- India is also incorporated as a Member escalate the weaponisation of cyber space, of SCO since 2017. though proactive defence and technological innovation in cyber space is also a necessity. • Organisation for Security and Also, the charter of the United Nations and the Cooperation in Europe (OSCE) existing international legal framework need to • Adoption of confidence building be respected. Policy level frameworks must measures (CBM)

100 International Engagement and Legal Framework

• BRICS and ASEAN Regional Forum (3) London Process • Regional cooperation on ICT-related • International conferences on security through a number of regional cyberspace to focus on building a new measures including adoption of CBM). international consensus on its future • Expert Group on Cyber Security • London Cyber Conference (2011) NATO countries which recognise • Budapest Cyber Conference (2012) cyberspace as a domain of operations in which NATO must defend itself • Seoul Cyber Conference (2013) as effectively as it does in the air, • Hague Global Conference on on land, and at sea (NATO Warsaw Cyberspace (2015) Summit Communiqué 8-9 July 2016) • Global Forum on Cyber Expertise and collaborative efforts to drive policy issues like publication of the • New Delhi Cyber Conference in 2017 Tallinn Manual Parts 1 and 2. While defence and deterrence are (c) International Cooperation effective in the short term, cyber diplomacy is more promising insofar as contributing (1) World Summit on Informational to peace and stability in the long run. India Society (WSIS) needs to take a leadership position by virtue of • WSIS + 10 Review Outcome being the second largest user of cyberspace, Document (2015) in various international initiatives taken at the • Emphasize on harnessing the potential level of United Nations, ITU, regional bodies of ICTs to achieve the 2030 Agenda for and autonomous organisations like Internet Sustainable Development Corporation for Assignments of Names and Numbers (ICANN), Internet Engineering Task • Recognise the leading role of Force (IETF), etc.) governments in cyber security matters relating to national security At present, the coordination of the cyber domain is exercised de-facto by ICANN (2) United Nations Group of Government for its governance, by its control on root Experts (UNGGE) servers which are not spread out evenly While the UNGGE of 2013 and 2015 geographically. Diplomacy is required to had agreed that international law exert influence in cyberspace through such and the UN Charter apply in cyber organisations and service providers to space, the 2017 UNGGE reached a address large scale attacks. Realising the stalemate on how international law strategic importance of ICANN, India hosted applies in cyber space and norms and the annual ICANN Summit in Hyderabad in confidence building measures that 2016, where she made a strong case for need to be agreed to by responsible transparency and democratisation of this states to avoid cyber conflicts. international body and urged Indian industry to play a proactive role in its policy making.

101 VIF Task Force Report

Military Diplomacy • Central role of UN in Internet governance and primacy of the state The armed forces need to be actively in cyber conflicts needs emphasis associated with cyber diplomacy because as opposed to overall cyber defence, diplomacy • International consensus on norms of offers the potential for conflict de-escalation state behaviour need to be pursued and thus for developing norms of state in bilateral and multilateral platforms behavior that need to be implemented by despite failure of the UNGGE 2017 the armed forces for peace in cyber space. • Military diplomacy should evolve Further, most conventions/treaties of the pre- norms and CBMs across the global ICT era do not cater to situations arising out community with emphasis on arms of cyber incidents/attacks. The international control in cyberspace framework should identify such provisions and propose amendments. The orchestration of international accords should be such that norms evolved would limit disruptive activity by states against other states and deter non- state actors.

International engagement is an important aspect of India’s cyber security policy. India has cyber engagements with over 15 countries, including the USA, UK, Russia, Japan, Germany, France and member nations of ASEAN. Recently, India signed cyber agreements with the USA, Israel and Russia. CERT-In has also entered into cooperation agreements with its overseas counterpart agencies that are willing to work together and share information in a timely manner. At present 10 such MoUs have been signed.

The task force recommends the following for furtherance of the stated objectives of the Indian Armed Forces Cyber Doctrine: • India needs to play an active and constructive role in international cyber diplomacy to pursue national security interests • Cyber diplomacy should be an indispensable component of military dialogue and diplomacy

102 ‘Cyber power will flow only through a structured national response towards evolving new strategic weapons in cyber space used by nation states, terrorists or state-sponsored hackers. ‘Defence – surveillance – intelligence – offence’ will go hand-in-hand, backed by appropriate legal empowerment. Without lawful authority, any cyber action on another nation may amount to a cyber-crime for which reasonable laws exist. Additionally, several international engagements are needed to reduce the enormity of scope’.

Legal Framework

103 VIF Task Force Report

Introduction Advanced Persistent Threats (ATPs) are early signs of large-scale cyber war. The world is in the state of strategic transformation as it transcends from The Constitution of India and Cyber industrial age warfare to an information War age warfare Technology is the new normal. It’s all pervasive nature, rapid induction and Any legal framework in India has to exploitation is accelerating this transformation. emerge from the Constitution of India. Article Consequently, there is a distinct gap between 352 empowers the President, on the advice the technology application and legal of the Council of Ministers, to declare an framework which may be a decade or more. Emergency in part or whole of India in the There is a definite need to reduce this gap case of war or external aggression, or the and ensure that the procedures, processes likelihood of war, or the probability of a foreign and legal framework are made more agile attack. The declared Emergency should and dynamic. The legal framework, which is be approved by Parliament within 30 days. generally based on precedence, thus faces Moreover, the proclamation of an Emergency an undefined challenge. must be renewed every six months. And, at any stage, if more than 10 percent of The nature of cyber warfare is very similar parliamentarians write to the Speaker of the to . All nations having shorelines House, or to the , Parliament or owning ships are neighbours. There are no has to re-approve continuation of Emergency border lines. The area of operation is full of within 15 days. enemies, friends, neutrals and not so neutrals with a fair mix of innocent users of the sea. The contours and texture of cyber war is And like naval forces, cyber forces must abide complex and difficult to understand. It is also by a structured legal framework lest they are likely that the government of the day may not termed militia/cyber pirates. like to make all details public to prevent panic as well as not give the opportunity to the For eons, India has had the Chturangi enemy to get a battle damage assessment. It Sena (Quad Services) concept, viz., Thal Sena will be a challenge for any government to use (Land Forces), Jal Sena (Naval Forces), Nabh Article 352 for any pure cyber war situation. Sena (Air and space forces) and Maya (Virtual Only when cyber war is used in conjunction Power). Therefore, conceptually, cyber war with physical war, the government may be able has been an integral part of warfare in Indian to use this provision of the Constitution. It is in scriptures. Cyber war, as warfare in other the best interest of the nation that Article 352 domains, will be executed within the bounds is not enforced and all appropriate measures, of the Constitution of India, international laws including limited cyber war and cyber defence and treaties where India is a signatory. are initiated without resorting to declaring a Developing norms of states behaviour state of Emergency. However, there should be in cyber space is a challenging task. Cyber a stage where the government may consider weapons such as Stuxnet, DuQu, Flame, a formal response to any cyberattack, with or WannaCry, Petya, Non-Petya and a long list of without the use of Article 352.

104 International Engagement and Legal Framework

On one side it is felt that there is a are arguments for the physical aspects of shortage of quality manpower, while on the information technology as far as jurisdictional other, outside the US and China, we have issues are concerned. Cyberspace now the highest number of R&D and analytics covers not only physical infrastructure but centres established by the private sector also data and associated information. With in India. Therefore, probably there is a cognitive war becoming an integral part of reasonable amount of quality manpower cyber war, the way information is presented to in IT and IT Security available within India humans and intelligent machines also become but is sucked-in by the private sector. The relevant. We may call the presentation of shortage is apparently due to exponential information as content. Therefore, jurisdiction growth in cyber-crime, and private industry over physical infrastructure, data, information is not able to cope with it. However, in case and content is important for exercising the of an emergency arising out of a breaking sovereignty of the Indian state. out of cyber war, Article 51A can be invoked to use this manpower for the quick capacity Rule 2 of Tallinn Manual boosting of cyber warriors. Several attempts have been made since 2005 to establish a Without prejudice to applicable resource register to facilitate implementation International obligations, a state may of Article 51A. This project needs revival and exercise its jurisdiction: more effective implementation. The proposed (a) Over persons engaged in cyber Cybersecurity Act may make it mandatory activities on its territory; to have structured reports and returns for (b) Over cyber infrastructure located industry and academic institutions. on its territory; and

Cyber Space Jurisdiction (c) Extraterritorially, in accordance with international law Sections 1(2) and Section 75 of the IT Act, 2000 states that Indian laws related to Information Technology are applicable within The Indian cyber-physical territory includes and outside India if cause and action fall but is not limited to the embassies, high within the country’s territorial jurisdiction. commissions, and consulate satellites and Rule 2 of the Tallinn Manual determines the systems owned by the Indian Armed Forces jurisdiction issue of a state on which the such as aircrafts, ships, submarines, tanks concerned authority can prescribe, enforce or any other ground vehicles. It is, therefore, and adjudicate all matters, including those recommended that India may exercise and that are civil, criminal or administrative in pronounce her cyber jurisdiction as follows: nature. The rule of jurisdiction covers the • Over an entity or a person who is physical or legal presence of a person (in engaged in cyber activity on her personam) or object (in rem) on its territory. territory The manual concedes that there is a difficulty • Over the objects related information in determining jurisdiction to cloud and grid technology located on her territory computing environments. These limitations

105 VIF Task Force Report

• Over data and content process over full-fledged all government ministries and her territory departments exercises. The involvement • Extraterritorial, over data or content of critical infrastructure, other industries which is being stored processed or and even citizens should be envisioned and transmitted belonging to the entity planned. or cyber infrastructure within Indian Reference to the CWSOP can be a guide Territory or legal jurisdiction for control and coordination. It will also • Extraterritorial over the entity or create appropriate linkages and introduce a person or a cyber infrastructure responsibility and accountability. Assessment or data or content which is the measures and matrices can also be part of it source of or abettor of a devastating to ensure that everyone undertakes roles with cyberattack on any object or person a clear vision of its element in the overall cyber or cyber infrastructure based within security structure in case of a cyber war or any the jurisdictional Indian cyber territory other serious cyber engagement. • Extra territorial in accordance with international laws, treaties and Privacy and Cyberwar agreements It is likely that cyber operations, on certain specific occasions, intrude into the privacy of Establish Nation-wide Cyberwar an individual. Many countries, including India, fighting Processes and Procedures are sensitive to the subject and are in the process of framing tougher laws. However, There is a need to establish nation-wide even the Shrikrishna Committee Report as cyber war fighting processes and procedures well as the draft Personal Data Protection Act or what may be called as Cyber War Standard 2018 recommends that the Right to Privacy Operating Procedures (CWSOP). Cyber space is a fundamental right in accordance with being ubiquitous in nature requires CWSOP Article 21 of the Constitution but is not an to cover every ministry and department of the absolute right, and is subject to reasonable Centre as well as state governments. It should restrictions. These restrictions include also involve industry through confederations national sovereignty, integrity, relations with and such like institutions. foreign states. The CWSOP will form the basis on which Article 19(2) of the Constitution states cyber war games, drills and exercise can be ‘Nothing in sub clause (a) of clause (1) shall conducted and measured. affect the operation of any existing law, or Unless there are reasonably well-defined prevent the State from making any law, in so far and written processes and procedures in as such law imposes reasonable restrictions place, chaos is expected in case of any on the exercise of the right conferred by severe cyberattack. Therefore, there will be a the said sub-clause in the interests of the need to undertake various cyber war gaming sovereignty and integrity of India, the security exercises, starting from paper exercises to of the State, friendly relations with foreign

106 International Engagement and Legal Framework

States, public order, decency or morality or subjecting their practitioners to legal penal in relation to contempt of court, defamation action in courts. At some stage, India will or incitement to an offence’. sign the Convention of Cyber-crime (Budapest Convention) or something similar to contain Cyberwar and Deniability cyber-crime at the international level. It is, therefore, necessary that the government Deniability is a major factor in cyber war. must retain the power to protect cyber forces Acts of surveillance, intelligence gathering and without giving any explanation to anyone in non-military intrusion do not amount to an act the public domain. The existing Section 197 of war. According to the Tallinn Manual, an of Code of Criminal Procedure 1973, needs operation, even surveillance origination from to be strengthened. military base, may be assumed to be an act of cyber war. Therefore, it may be prudent to leave The Information Technology Act 2000 is surveillance, intelligence, planting backdoors focused on empowering cyber commerce and dormant cyber weapons to agencies. and enhancing cyber activities, covering But its control and coordination should be some limited aspects of cyber-crime. It has undertaken through the armed forces in close no mandate to make any rules or regulation coordination with the Ministry of Defence. for the armed forces and cyber war.

The orchestration of offensive cyber It is, therefore, necessary that a Cyber operations and deception should rest with Security Act is introduced to cover not the defence services even during peace time. only various facets of cyber-related crimes, Many countries, including US, Israel and offences, forensics and policing, but also China exercise the control over cyber security to have enabling provisions for conducting product companies through a appointed a cyber war and for defence in the event former cyber war expert from the defence of a similar attack. As discussed earlier, forces. Under present law, all listed companies formally announcing a state of emergency and important unlisted companies should have using Article 352 may not be practical under government proposed independent directors most circumstances. Therefore, the Cyber with domain knowledge. The Security Act should empower the Executive government may like to appoint former to take appropriate action in case of a cyber cyberwar experts as independent directors war, including its precursor and pre-requisite in all major IT companies and cyber security stages. Also, the Cybersecurity Policy, 2013 product companies. (which in any case does not cover the aspect of the nation-state at war) has become dated. Protection to the Engaging Forces A faster route to implement initial concepts of cyber war may be included in the new Cyber The tools and techniques of cyber war are Security Policy/Strategy. Most countries have similar to cyber-crime – the only differences empowered themselves through the National are the actors, the target and its impact. Cybersecurity Strategy. The recently released Therefore, by the very nature of job, cyber Cyber Security Strategy of the United States war may be termed as cyber-crime, thereby of America in its ‘Pillar III: Persevere Peace

107 VIF Task Force Report

through Strength’ has elaborated its will to undertake interception, monitoring and deter a cyberattack and in case of such a decryption of any information in computer situation, impose appropriate consequences resources. The rules under this section were on the attacker. Therefore, the Cyber Security published on 27th October 2009. These rules Policy/Strategy will form a suitable legal do not provide for any situation related to instrument to enhance cyber power. cyber war and defence against cyber war. Therefore, the rules need to be amended to Amendment to Section 69 of the include cyber war forces and the concerned Information Technology Act officials should be equally empowered.

Section 69 of the Information Technology Act empowers government officials to

Section 69 - Power to issue directions for interception or monitoring or decryption of any information through any computer resource:

(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to- (a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or (b) intercept, monitor, or decrypt the information, as the case may be; or (c) provide information stored in computer resource.

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.]

108 International Engagement and Legal Framework

Conventions and Treaties has initiated a cyber war or is abetting a cyber war. Therefore, to filter chaff from actual acts UN Secretary-General Antonio Guterres of cyber war, the acts of cyber-crime must be has said, “Episodes of cyber warfare between identified. states already exist. What is worse is that there is no regulatory scheme for that type Additionally, India should enter into of warfare, it is not clear how the Geneva various bilateral and multilateral treaties to Convention or international humanitarian law contain cyber-crime. A lesson from China who applies to it.” has taken a step further, is to contain/prevent the precursor stage of cyber war. China has The International community is attempting entered into bilateral treaties/agreements with to create an appropriate convention for cyber various nations including the US and Canada war but is failing. The reasons are manifold, not to conduct state-sponsored cyberattacks including: against each other’s private sectors aimed at • It is at an early stage and nations have stealing trade secrets or other confidential not yet developed their full capacity of business information. Additionally, India could cyber arsenals, and therefore, do not enter into a strategic cyber war partnership want any restrictions on it with other nations, especially Israel and US to • There is a lack of consensus on what support each other in case of any cyber war amounts to a cyber war and how will it on the respective countries. differentiate from a cyberattack using India with its significant manpower and (or abusing) non-state actors technical know-how should proactively • International politics support weaker nations to establish their cyber defences. It will have a multi-fold The ‘Tallinn Manual’ is not even an impact. Firstly, it will be a formal sign of a official document. It is an attempt to map reckonable cyber power. Secondly, it will a real- in a virtual world, which prevent these nations from becoming a may not be practical. The ‘Tallinn Manual’ source of routed cyberattacks on India. These is at the very initial stage of codification nations can also become strategic partners of a cyber war but is still years away from in case India comes under a cyber offensive. practical use. Therefore, the very first step is to segregate acts of cyber-crime from cyber The Budapest Convention on Cyber Crime war. To achieve, this ‘Budapest Convention’ has 57 countries as its members. From the is not the best, but a good start point. If an perspective of cyber war it is necessary to filter attack is coming from any signatory country, out cyber-crime from acts of war by a nation it must first be assumed to be an act of state. It will be an arduous task to enter into a cyber-crime and the signatory country is bilateral relationship with these 56 countries obliged to protect the victim country from any to ensure that they take appropriate action if cyber-crime originating from its jurisdictional a cyber-crime is originating from their country. area. If no such action is taken, then it can It is, therefore, necessary that India becomes be presumed that the attacking nation-state a signatory to the Convention of Cyber Crime

109 VIF Task Force Report

by the Council of Europe. This will help forces It is, therefore, necessary to have formal to filter cyber-crime out and can also be used cyber forensic experts embedded in cyber as a ground to formulate lateral discussions on forces to meet legal and international cyber war, as an early agreement at the United obligations. Nations is not expected. Rules of Engagement Cyber Forensics Presently all efforts of cyber war are Cyber forensics plays a critical role in fragmented and unstructured at the national cyber war to prove any stand in any court of level. There is no allocation of areas of law within India or internationally. To detect responsibility, or distribution of targets. intrusion or undertake one, technical analysis There is no single point of collation of cyber may be sufficient, but cyber warriors will war-related information, let alone control and be bound by law, therefore, it is necessary coordination. This does not mean that various that cyber forensics is made part of cyber organisations and the three services are doing power forces. There may be occasions when nothing, but lack of structure has created India will have to prove to the international multiple challenges. Uncoordinated or ad-hoc community that a cyberattack has been actions are detrimental to national security. conducted against India. At that point in There are unknown gaps, unallocated targets, time the quality of cyber evidence will be of and over-concentration of surveillance, leading paramount importance. to exposures, fratricide and inflated sense of self-importance. Therefore, a cyber forces It also forms the bedrock of a trust coordination centre must be established at relationship for any bilateral or multilateral the earliest. obligation. There may be a need to not only technically establish the source of attack Rules of Cyber Engagement (RoCyE) emanating from a friendly country, but also should be defined for the uniformed forces may require formal cyber evidence to back and other cyber forces. To implement RoCyE, that claim. there should be a defined state of alertness and readiness. Without having proper defences If the Tallinn Manual becomes the within the armed forces and across the nation, accepted convention of cyber war or is in taking a cyber offensive posture publically accordance with the International Human could be counter-productive. Therefore, Rights Commission, there exists a definite the public stance must be appropriately possibility to prove the many aspects and structured by armed forces, the executive impact of cyber war on human suffering. and bureaucracy. Therefore forensic evidence of battle damage assessment may be required to be preserved. Cyber forensics is also necessary for cyber battle damage assessment to recalibrate the next round of attack.

110 International Engagement and Legal Framework

Some Actions/Matters which may be Role of Defence Services Acceptable as the Rules of Cyber Headquarters Engagement Headquarters’ of Army, Navy, Air Force and • Conjoining with military kinetic action Integrated Defence Staff should be involved in • Attacks on persons cyber war and be directly or indirectly aware of legal provisions related to it. Officers must • Attacks on technical infrastructure be made aware of the Information Technology • Attacks on content Act 2000 (as amended in 2008), and the • Routing attack through cooperating changes it has made to the Indian Evidence third party Act 1886 and the Code of Criminal Procedure 1974. Legal aspects of cyber war should form • Routing attack through non- a part of training curricula and promotion- cooperating third party related examinations. Case studies should • Laws of proportionality be discussed and analysed in various training • Laws of proactive defence courses, including the role of the United Nations, ITU and the Internet Governance. • Area of operations At the level of Higher Command and the • Choice of cyber weapons National Defence College, exercises should • Protection against fratricide include cyber diplomacy and protection of India’s interests. • Controlling overconcentration and gaps in cyber attack State of Cyber Readiness • and ruse • Surprise, deception and deniability Following the State of Readiness, flags are recommended • Handling of neutrals • Blue – Normal state • Indiscriminate/unauthorised attack • Green – Enhanced Cyber Intelligence/ • Maintaining cyber superiority Surveillance by Nation State/ • Maintaining cyber dominance reckonable non-state actor • Cessation of cyber war • Yellow – Cyberwar likely • Retraction of cyber mines and booby • Orange – Cyberwar imminent traps • Red – Cyberwar in progress • Battle damage assessment (Note: The list is not exhaustive) Preparedness by Defence Forces

All defence personnel, especially of the cyber warfare cadre and Cyber TAs, must be aware of the legal provisions governing their actions. Cyber rules of engagement

111 VIF Task Force Report

must be known to all connected with the • Introduce a Cybersecurity Act to cover cyber command. Training curricula should inter alia facets of cyber war (within be amended accordingly. The scope and one year) intensity may vary depending on the expected • Enter into bilateral, regional and task to be performed after training. Similarly multilateral strategic partnerships entrance exams related to promotions and for cyber security and cyber war (a performance enhancement must include continuous diplomatic process) questions related to cyber legal matters. • Support weaker nations in building their cyber defences (first year onward) Recommendations and Timelines • Sign the Budapest Convention to filter Given the aforesaid, following action out cyber-crime (Most immediate) points are recommended: • Enhance cyber forensic capabilities to • Formally define Indian cyberspace and engage effectively in any international claim its jurisdiction territorially and relations for establishing our claims extra-territorially (Immediate) (within one year) • Take all necessary actions proactively • Establish rules of cyber engagement to prevent a situation from reaching (within one year) a stage of invoking Article 352 (a • Promulgate a State of Cyber Readiness continuous process) dashboard (Immediate) • Establish a cyber war standard • Include cyber legal subjects in training operating procedure for every entity. curricula as well as various exams This will form the basis of measured, being held by defence forces nation-wide cyber war gaming, exercises and drills. CWSOP for government ministry and departments should be prepared within a year, the first major cyber war game with two years. By the end of the second year, CWSOP for private entities should be promulgated. A nation-wide cyber war defence exercise should be conducted in the third year • Amend rules under Section 69 of the Information Technology Act 2000 to empower Cyber forces to undertake interception and decryption (Immediate)

112 Capacity building for cyber deterrence is a national effort and demands involvement of all stakeholders.

Section Nine

Supporting Institutions, Policies and Infrastructure

113 VIF Task Force Report

Cyber security and Cyber power need employment rules and facilities; a separate institutional support primarily due to present cadre for cyber professionals; crowd sourcing; and emerging threats. There has been industry clusters for manufacturing secure exponential increase, both in the type products; education curricula; standards and intensity of cyber interventions, and and certification; intelligence and counter- extremely rapid advances in technologies. intelligence mechanisms; cyber forensics; Due to the unique and ubiquitous nature security standards; cryptography; language of cyberspace, requisite interventions are experts; and policy research. It will form required in the international fora, for security integrated cyber security teams capable of and privacy of people. The situation demands providing full-spectrum capabilities, conduct continuous action and proactive behaviour. periodic audits to ascertain readiness for The government cannot do it alone – it is a present and likely threats, and coordinate with national effort and demands the involvement all ministries and States for protection of the of all stakeholders. In addition, institutions National Critical Information Infrastructure and infrastructure are required to support (NCII) in their jurisdiction. this effort. These are listed below with recommended priority. Cyber Policy Research Centre

There is no think tank or organisation that is Establish National Cybersecurity studying or analysing policies and documents Commission (NCSC) being produced by governments, industry, The NCSC should be a fully empowered civil society, academia, interested enterprise body on the lines of the Space Commission and international policymaking organisations. and the Atomic Energy Commission. The The thousands of pages that are being commission would be responsible and churned out require deeper understanding accountable for cybersecurity across the full through analysis and discussions to decide spectrum and conduct offensive information what is in India’s best interests. We are unable operations, including deception, both by itself to address policy and operational issues due or integrated with EW and kinetic power. It will to the lack of focused studies. Numerous formulate and release a national strategy of Non-Governmental Organisations (NGOs) development and application of cyber power created at the behest of foreign governments and a National Integrated Cybersecurity are obfuscating policy discussions to derail Doctrine. The civilian head of cyber security national positions. These attempts have to be and the military cyber formation commander dealt with both proactively and aggressively. would report to the Chairman, NCSC. We are the second largest users of both the Internet and mobile phones in the world The NCSC will have the onerous task and present a very large market. We must of creating synergy amongst various ensure that India’s voice is not only heard, stakeholders through an enabling policy and but also, that no policy detrimental to India is legal framework: developing technology and passed. The research facility would make the centres of excellence; skilled manpower appropriate expertise available, particularly, with flexible, progressive and innovative when a large volume of cyber security

114 Supporting Institutions, Policies and Infrastructure research and policies requires timely revision An Agency for Information Security as technology evolves. India is very vulnerable to social engineering, fake news and propaganda that Integrated Cyber Threat Intelligence creates the perception of possible governance Centre failure and chaos. Our likely adversaries have India needs to create a cyber threat and continue to exercise these capabilities intelligence centre which would collect, on an almost daily basis. There is an urgent collate, analyse and share attack data on need to counter this threat on a real-time infrastructure, financial systems, websites basis in view of the tremendous speed of the and services. It would also correlate ‘big data’ electronic and social media. India needs an generated from the government with financial Information Security Agency to proactively and commercial data to create patterns and counter these threats. This agency would be identify anomalies for advance preventive responsible for the creation of content for our actions. It will maintain a comprehensive possible offensive. database on vulnerabilities, kill switches, conduct predictive analysis and be responsible National Centre for Cybersecurity for probing missions. Resilience

A facility where companies and sector- Indian Cyber security Operations wide organisations can test security of Centre systems in a contained environment, such This will be the nerve centre for as by subjecting a replica electric grid to conducting information operations across cyberattack. By applying lessons learned from the full spectrum and would be manned by past incidents, improve the management the NCSC. It will work in close cooperation of future cyber incidents and enhance the with the Crisis Management Group and have country’s cyber-resilience, and thereby, connectivity with all stakeholders. raise the level of cyber resilience across the country through a cyber assurance framework Assurance Framework, Test and and redundancies. For all cyber assets, be it Certification hardware or software, the Centre should have the authority for certification and accreditation There is an immediate requirement of various testing agencies/laboratories for setting up a national cyber test facility, across the country to test products as per providing for network emulation, monitoring certification norms and audit, vulnerability analysis, simulated attacks, graduated response, performance Cyber Command. analysis and security assurance modelling. In view of present and emerging threats, India needed a Cyber Command (Cyber Formation) yesterday. The announcement of a Defence Cyber Agency is too late and

115 VIF Task Force Report

too little. It indicates a defensive mindset • Create a formal Military-Industry and is contrary to the designed application Interface for harnessing technology of technology which is essentially ‘Offence and system development. Dominant’ and the Tri-service Doctrine which talks about deterrence. The government must push this through at the earliest. A delayed decision may land the nation in a serious state of strategic inadequacy. We cannot afford to repeat the mistakes of delayed nuclearisation of India.

National Policies to be Revised and Infrastructure

Capacity building of cyber power for our armed forces is a national imperative and would require enabling policies, total synergy, a clear demarcation of responsibilities between defence forces and civilians, harnessing technology to produce India-specific products and continuous development of skills. Following are recommended: • Formulate and release National Cyber Doctrine • Release the Indian Cybersecurity Act at the earliest • Revise National Electronic Policy-2012 and ensure aggressive implementation • Revise National Cybersecurity Policy-2013 to include development of full spectrum capabilities for IW • Develop Standard Operating Procedure for cyber war • Establish National Academy of Information Security • Create an Institute of Cybersecurity Professionals anchored on a prominent think tank

116 While the National Cybersecurity Policy-2013 and the corresponding Cybersecurity architecture deals with the civil aspects fairly in detail, there is a sizable gap when it comes to ‘development of cyber deterrence capabilities in the armed forces’ and that is precisely the mandate of this Task Force.

Section Ten

Comprehensive Cyber Power at National Level

117 VIF Task Force Report

Cyber power, by its very nature, demands enabling policies, processes, transparency, total synergy between policymakers, jointness and information exchange to create stakeholders and those responsible for its necessary synergy across the spectrum as capability build up and application in the mandated in the recommended doctrine. field. Cyber power is a major component of the nation’s information warfare architecture. The armed forces must take part in the Its integration with EW and kinetic power decision-making process, and collaborate increases its efficacy manifold and provides with major stakeholders to address challenges different options to commanders for that continue to hinder timely intelligence warfighting. and information sharing, joint planning, operations and training, and the development As stated earlier, Cyber space is an of necessary cyber tools. In this information- integrated domain between civil and military. dominant era, the armed forces need to have It must have a single authority responsible and real-time communication with the intelligence accountable for its protection, security and community to continuously pursue strategic ensuring safe passage to India for its lawful intelligence to anticipate geostrategic shifts, exploitation. as well as shorter-term intelligence so that the nation as a whole can respond to the actions For the purpose of better understanding, and provocations of rivals. we have theoretically separated the functions of cyber security for civil application, cyber The National Information Board (NIB) is the resilience and active defence and cyber power highest decision-making body for information for military applications to include offensive and cyber operations. It has members from all cyber operations and deception. ministries, security agencies and the armed While the National Cybersecurity forces. Policy-2013 and the corresponding cyber The National Security Council Secretariat security architecture deal with civil aspects (NSCS) coordinates and oversees cyber in detail, there is a sizable gap when it comes security issues, including Cyber Diplomacy. to development of cyber power in the armed forces and that is precisely the mandate of The National Cybersecurity Coordinator this Task Force. Recommendations would (NCSC) has been entrusted to coordinate and be incomplete without the methodology for synergise cyber security efforts. integrating cyber security and cyber power to create ‘comprehensive cyber capability’ at the The National Security Adviser (NSA) chairs national level. Accordingly, this section deals the National Intelligence Bureau (NIB) while with this aspect with a term of reference of the NCSC is the secretariat of the NIB. not creating any turbulence. The IT Act 2000, including its amendment The Defence Cyber Agency/Cyber in 2008, provides a comprehensive legal Formation has to be integrated with existing framework to boost e-commerce and also national institutions and agencies responsible to create an enabling environment for for various facets of cyber security. We need e-Governance in the country. It also addresses

118 Comprehensive Cyber Power at National Level various cyber offences, crimes and protective National Cyber Coordination Centre (NCCC) measures against them. provides real-time situational awareness and rapid response to cyber security incidents Operationally, the Indian Computer and enable timely information sharing for Emergency Response Team (CERT-In) is the proactive, preventive and protective actions national nodal agency for emergency response by individual entities. Representatives of all and mitigation of cyber incidents, as per the stakeholders, including the armed forces, are provisions of Section 70B of the Information integrated into the NCCC. Information from Technology Act 2000. All organisations have the NCCC should be factored into the Threat been mandated to report cyber security Intelligence Platform of the DCyA for decision- incidents to the Indian Computer Emergency making. Following are the organisations Response Team expeditiously. represented in the NCCC: CERT-In is mandated to perform collection, • National Security Council Secretariat analysis and dissemination of information on • MHA cyber incidents; forecast and alerts of cyber security incidents; measures for handling • MEA cyber security incidents; coordination of • MeitY/CERT-IN/NIC/STQC cyber incident response activities; and issue • DOT guidelines, advisories, vulnerability notes and whitepapers relating to information security • MoD/HQ IDS/Armed Forces practices, procedures, prevention, response • NTRO/NCIIPC and reporting of cyber incidents. • DRDO Armed Forces CERTs are closely • Industry/TSP/ISP collaborating with the National CERT. The Defence Cyber Agency must have real- A conceptual schematic diagram of the time communications with CERT-In. Cross- integration of the DCyA with the appropriate attachments of people from the armed forces stakeholders is given overleaf. and CERT-In is strongly recommended. Recommended Integration of DCyA The National Critical Information at National Level Infrastructure Protection Centre (NCIIPC) is the National Nodal Agency for the protection At the highest level, the Defence Planning of critical information infrastructure minus Committee and National Information Board the armed forces and some strategic sectors. will give policy directions to the DCyA through However, the DCyA needs to plug into the Headquarters Integrated Defence Staff the NCIIPC to enhance protection and (IDS). resilience of the nation’s critical information Offensive cyber operations and deception infrastructure. It must identify the critical at the national level and special operations defence infrastructure and apply the learnings will be conducted by the armed forces, duly to ensure their resilience and protection. supported by the DRDO, NTRO and security

119 VIF Task Force Report

120 Comprehensive Cyber Power at National Level agencies with input from the Defence Threat Several centres of excellence in Intelligence Platform and the NCCC. collaboration with industry and academia would feed into national R&D and testing The DRDO and the NTRO will collaborate efforts. The armed forces must interact and with industry and R&D establishments to have military specific centres of excellence. provide offensive and defensive tools. The armed forces will be kept in the loop and The roles of major ministries, including the project their requirements of cyber weapons Ministry of Home Affairs (MHA), the Ministry and tools for deception. of External Affairs(MEA) and the Department of Space have been indicated in the Diagram. Cyber resilience of the armed forces The MEA has an important role to play in cyber networks and systems will be audited diplomacy, including military diplomacy that periodically and ensured by testing facilities could prevent escalation of cyber conflicts. under the DRDO who would also undertake this task for regional commands and integrated The Ministry of Finance (MoF) will play mission teams. a major role not only in protecting national economic infrastructures, but also to enhance The National Cybersecurity Commission, the capacity of the DCyA through proper with strategic advisors and domain experts, budget allocation. would control and coordinate the entire cyber eco-system.

Till the formation of the Cybersecurity Commission and the appointment of its head, the National Cybersecurity Coordinator (NCSC) would undertake this task and related responsibilities.

The NCSC will also be the Member Secretary of the NIB (National Information Board), while the CISC would be the Member Secretary of the Defence Planning Committee.

Indigenous industry, academia and think tanks would play a major role for capacity building, public-private partnership for advocacy and expertise by active collaboration and funding from the cybersecurity commission. The armed forces must provide domain specialists to explain their requirements. Most technologies are of dual use.

121 VIF Task Force Report

The task force has recommended capacity building in support of a stated doctrine within a period of 36 months, which encompasses sanction and transformation to a full-fledged Cyber Command and recognition of India as an emerging cyber power.

Section Eleven

Road Map and Action Plan

122 Road Map and Action Plan

The road map is illustrated in the summary Arvind Gupta, Director, VIF, and Lt. Gen. R.K. of recommendations. But any plan is as good Sawhney, PVSM, AVSM, Centre Head and as its implementation. With regard to the Senior Fellow, VIF, and the Staff of VIF for development of cyber power for our defence their support and emphasise once again the forces, two cardinal principles – ‘System strategic necessity of urgent capacity building Approach’ and ‘Concurrency’ – have to be in cyber power within our armed forces and its adopted. Accordingly, an action plan has to integration with other components of power. be brought into play through simultaneous We hope that this report will help the powers actions by different entities and that calls that be in decision- making. for astute project management, delegation of powers and monitoring at the highest Jai Hind level. It is surprising that in spite of a clear pronouncement by the Prime Minister during the Formation Commanders conference in 2014, the development of cyber power in the defence forces has been minimal. This calls for introspection and an aggressive and mission-oriented approach to remove all bottlenecks.

The task force has recommended capacity building in support of the stated doctrine within a period of 36 months which encompasses sanction and transformation to a full-fledged Cyber Command and recognition of India as an emerging cyber power.

The start point would be to issue the necessary sanctioning letters by the government for establishing an appropriate organisation for project management, formation of a steering committee and allocation of funds.

The nominated organisation must have a director for each of the seven pillars. This would be a tri-service organisation under the Headquarters, IDS and would render quarterly progress report to the Chiefs of Staff Committee.

Finally, the task force members would like to place on record their thanks to Dr

123 VIF Task Force Report

Invited Experts

Dr. Karnika Seth is an internationally renowned cyber law expert and the Chairperson of Lex Cyberia at Seth Associates, the World’s first integrated cyberlaws research, forensics and legal consulting centre. Dr. Seth practices law at the Court of India, Delhi High Court and other legal forums and is the principal legal advisor to many multinational groups and government entities. Her contribution to the growth and development of cyber laws internationally and in India is widely acknowledged in the corporate world and by international organisations, including ICANN and ICMEC. She has been awarded the Digital Empowerment Award (2015) and the National Gaurav Award (2017). She graduated in Masters in Law from Kings College, University of London, and has a doctorate degree in cyber law (Ph.D.) from NIU in 2017.

Air Vice Marshal A.K. Nabh AVSM VM (Veteran). A fighter pilot, he had been working as ACAS Operations (Space), Air Headquarters (Vayu Bhawan) before superannuation in August 2018. The AVM has written many papers and spearheaded a few innovative projects to enhance the combat potential of the Indian Air Force. The Air Vice Marshal was a member of the task force for implementation of Artificial Intelligence in the Defence Services. He has held many crucial Command and Staff Appointments including Chief of Operations, Command of a UN contingent, Director Air Defence Ops, Principal Director (Intelligence), and Principal Director Ops (Information & Electronic Warfare). The Officer, as ACAS Ops (Space), headed and guided Cyber & EW Operations, Media & Publicity Operations, besides Space Operations and Air Traffic Service and airspace management in India.

Jiten Jain, CEO, India Infosec Consortium and Director, Voyager Infosec Jiten Jain is a leading cyber security expert having specialisation in geopolitical intelligence analysis and mapping them to global cyber conflicts. He is currently heading Indian Infosec Consortium, an independent, not-for-profit organisation of leading ethical hackers and cyber experts in India. He is also the co-founder of Voyager Infosec, a leading cyber security firm specialising in cyber threat intelligence. Jiten is a recipient of the Chevening Fellowship by the British Government and has studied Cyber Defence and Information Assurance at the Defence Academy of United Kingdom. He is also invited by various arms of the , including its defence forces to train their cyber professionals. He is the youngest speaker to have addressed the Air Commanders

124 Invited Experts

Conferences of Indian Air Force. Acknowledging his authority on cyber security, Amity University has conferred him with an honorary professorship. Jiten is also a visiting faculty at the National Police Academy of India and at the Foreign Service Institute of the Ministry of External Affairs

Cherian Samuel. Cherian Samuel is a Research Fellow with the Strategic Technologies Centre at the Institute for Defence Studies and Analyses. He has written on various cyber security issues including critical infrastructure protection, cyber resilience, cyber-crime, and Internet governance. His recent publications include: Securing Cyberspace: International and Asian Perspectives, Cherian Samuel and Munish Sharma, eds., Pentagon Press, 2016; ‘India’s International Cybersecurity Strategy,’ in Cybersecurity: Some Critical Insights and Perspectives, Damien D. Cheong ed., S. Rajaratnam School of International Studies, Singapore (January 2015); ‘Net-Centric Defence Forces: A Macro View,’ DSA Magazine, July 2014; ‘Cybersecurity and National Development,’ CASS Journal, Vol. 1, No. 3, July–September 2014; ‘Cybersecurity and Cyberwar,’ Seminar, October 2013; ‘Prospects for India-US Cybersecurity Cooperation,’ Strategic Analysis, Volume 31, Issue 2, September 2011. His monograph Global, Regional and Domestic Dynamics of Cybersecurity was published in December 2014. He was coordinator of the IDSA Task Force on Cybersecurity, which published a report titled ‘India's Cybersecurity Challenges’ in March 2012.

Group Ajey Lele (Veteran). Group Captain Ajey Lele (Retired) is a Senior Fellow with the Institute for Defence Studies and Analyses (IDSA), New Delhi. He has obtained a Masters in Physics from Pune University and also a Masters and M.Phil. in Defence and Strategic Studies from Madras University. He has done his doctorate from the School of International Studies, Jawaharlal Nehru University (JNU), New Delhi. His specific areas of research include issues related to Weapons of Mass Destruction (WMD), Space Security, and Strategic Technologies. He has a few publications against his name.

125 VIF Task Force Report

Task Force Team

Lt. Gen. Davinder Kumar, PVSM, VSM Bar, ADC (Veteran). Lt.Gen. Davinder Kumar retired as Signal Officer-in-Chief of the Indian Army in September 2006 after 41 years of distinguished service. He holds three post graduate degrees and five fellowships, and is the only serving officer to get a Fellowship of the National Academy of Engineering. He is a recipient of the Best Engineer award in 2005, a university gold medalist for his Master of Engineering and a gold medalist in B.Tech., having been adjudged the best all round officer. After superannuation, he was the CEO & Managing Director of Tata Advanced Systems Ltd., the Tata Group’s lead vehicle in defence, aerospace, and homeland security until September 2011. He has been on the Board of Directors of both public and private sector companies. An expert in electronics, telecommunication networks, information technologies, space technologies, network centric warfare, information warfare and cyber warfare, he was instrumental for the approval and setting up of almost all networks in the army, the Army Cyber Group and the First Information Warfare Brigade of the Indian Army. He headed the national study on Cryptography, was a member of the National Committee on spectrum management and Adviser on IT to the state of Madhya Pradesh. He has worked with the Indian Space Research Organisation (ISRO), Oil India, and the Planning Commission. He was a member of the Hardware and Human Resource Groups of the IT Task Force and the Advisory Committee of National Disaster Management Authority appointed by the Prime Minister. He has over 400 papers to his credit and has been invited to speak at various national and international fora.

Lt. Gen. Anil Kumar Ahuja, PVSM, UYSM, AVSM, SM, VSM & Bar (Veteran). Lt. Gen. Anil Ahuja served in the Indian Army for 39 years and superannuated as Deputy Chief of Integrated Defence Staff (Policy Planning and Force Development) in August 2016. During his military career, he commanded an Operational Corps and a Mountain Division along the Northern borders in Arunachal Pradesh and Assam. He also commanded a Brigade in counter- operations. He has been India’s Defence Attache to Vietnam, Cambodia and Lao PDR (2002–2005) and a UN Military Observer in Angola (1991–1993). Besides extensive operational experience in Northern and Eastern Theatres, he has also held numerous challenging staff appointments. During his tenure as the Deputy Chief, he was the Indian Co-Chair of the US-India Defence Technology and Trade Initiative (DTTI) Inter-Agency Task Force and has been intimately involved with issues of defence cooperation. Besides active experience, he has attended professional courses at National Defence College, Army War College and at the Netherlands Defence College. He possesses M.Phil.

126 Task Force Team degrees in defence and strategic studies. His areas of particular interests include: Northeast India, issues of jointness, higher defence organisation, force development and defence acquisitions. He has served as the Secretary of the Defence Acquisition Council (DAC) for nearly two years. For his distinguished service, he has been awarded PVSM, UYSM, AVSM, SM, VSM & BAR.

Lt. Gen. (Dr.) V.K. Saxena, PVSM, AVSM, VSM (Veteran). Lt. Gen. Saxena has been the former Director General of the Corps of Army Air Defence. Currently he is a Distinguished Fellow at VIF and a Fellow at USI of India. The general is a UN and law scholar, and a prolific writer, having authored five books on subjects like air defence, United Nations, human rights and ballistic missile defence (BMD). He gets published at the rate of two to three articles per month across multiple defence magazines and the VIF. His core competency domains are air defence, aerospace, ballistic missiles, unmanned aerial systems, military communications, cyber security, space, nuclear security, and defence procurement.

Lt. Gen. (Dr.) S.P. Kochhar, AVSM Bar, SM, VSM, ADC (Veteran). Lt. Gen. Kochhar is currently the CEO of Telecom Sector Skill Council of India. He was Signal Officer in Chief of the Indian Army and Principal Advisor for ESDM, Ministry of MSME prior to this. He holds a Ph.D., two M.Phils and an M.Tech. Having a strategic and futuristic vision, he has successfully tenanted positions at corporate board/chief executive/regulatory levels in the government, public sector undertakings, private telecom industry, academic universities and colleges. His area of expertise is the defence industry, skills/academic/ICT/ telecom and HR. He is also a speaker at many national and International forums on these and related subjects. He has a flair for finding optimum collaborative-adaptive and inclusive solutions and an ability to implement them quickly and qualitatively. He is known for getting a better ROI for every spend.

Maj. Gen. P.K. Mallick VSM (Veteran). An electronics and telecommunications engineering graduate from B E College, Shibpur, M.Tech. from IIT Kharagpur, and Fellow of the Institute of Electronics and Telecommunication Engineers (IETE), Maj. Gen. P.K. Mallick, VSM is an alumnus of the Defence Services , Wellington, College of Defence Management, Secunderabad and National Defence College. Commissioned in the Corps of Signals of the Indian Army, the officer has varied experience in command, staff and instructional appointments. The officer has taken part in OP RAKSHAK (Punjab), OP RHINO and OP RAKSHAK in the Valley. He had a tenure of Instructor, Chief Instructor, and OC Junior

127 VIF Task Force Report

Wing in MCTE Mhow. He has commanded a Divisional Signal Regiment in OP VIJAY and OP PARAKRAM in . A winner of the COAS Gold Medal Essay Competition, the officer is a prolific writer and regularly contributes to defence-related journals and has published more than 50 papers. He has delivered talks and participated in panel discussions at USI, CLAWS, CAPS, NMF, CENJOWS, HQ ANC, Army War College, Military College of Telecommunication Engineering, Mhow, Intelligence School, Pune, Computer Society of India (Bangalore) and Institute of Electronics and Telecommunication Engineers (Lucknow). The Officer was posted as SDS (Army) at NDC, New Delhi, before retirement in April 2015.

Brigadier Abhimanyu Ghosh (Veteran). Brigadier Abhimanyu Ghosh has worked as Officer on Special Duty (Joint Secretary), National Security Council Secretariat (NSCS), handling and coordinating cyber security policy issues. Prior to that, he had a distinguished career of over 35 years in the Indian Army which included stints as UN Military Observer in Angola (Africa), Instructor at Army War College and Chief Signal Officer of a Strike Corps. He steered the nascent Army Cybersecurity Establishment (ACSE) as its Commander for more than three years, with responsibilities as CISO of Indian Army and Head of Army CERT. He holds an M.Phil., M.Sc. (Defence Studies) and a B.E. (Telecommunication). He is a cyber security certified professional holding many certificates, including CISA, CISSP and CEHP. He has represented the Government of India in several bilateral and multilateral international conferences on cybercsecurity, including being a member of the Indian delegation at the UNGGE 2013 and 2016. He had the privilege of co-chairing the India-US Cyber Dialogue 2017 and the BRICS Expert Committee Meeting on Information Security 2015. Brigadier Ghosh has written articles on cyber security in various military journals and presented his papers at various national and international platforms.

Brigadier (Dr.) Ashok Kumar Pathak (Veteran). Brigadier Pathak is an Army veteran from the Core of Signals. He held various command and staff appointments, including the UN Mission as an international observer in Angola. He is a certified Black Belt Six Sigma, Ph.D. in Management Information Systems for Warfare: Strategic Implications. He also holds three masters degrees, including an M.B.A., M.Sc. (Defence & Strategic Studies) and M.Sc. (Physics). He is Director at the Maharishi Institute of Management, Noida, Aravali College of Engineering, Faridabad, Army Institute of Management, Greater Noida, and Dean at the School of Business Studies, Sharda University, Greater Noida.

128 Task Force Team

Commander Arun Saigal (Veteran). Commander Arun Saigal is a communications and electronic warfare specialist of the Indian Navy. He held various command and staff appointments, including Commissioning Signal Communication of INS Dunagiri. He is a Fellow of the Institute of Electronics and Telecommunication Engineers and holds an M.Sc. (Defence Studies) from Madras University. Commander Arun Saigal has been an Instructor at the Defence Services Staff College, Wellington, and also at a similar institution in a foreign country. He is an avid reader, researcher and member of many professional bodies. He has been co-opted on the Federation of Indian Chambers of Commerce and Industry (FICCI) Committees on Communications, IT & Cybersecurity. He co-chaired the Cybersecurity Committee for one year. Post premature retirement in 1992, he worked as General Manager (Marketing) with a private company. Presently he runs a company providing consultancy solutions to security and law enforcement agencies.

Commander Mukesh Saini (Veteran). Commander Saini is a veteran naval officer with more than 33 years of experience in Information Warfare and Cybersecurity. A specialist in communication and electronics warfare, he assisted Israel in developing the India-specific EW Payload for UAVs. He was head of National Information Security Coordination cell at National Security Council Secretariat, a precursor to National Information Security Coordinator’s office. Most of the information security infrastructures (such as CERT-IN, NTRO, FINCERT) of national importance were created during his tenure. He was also Coordinator of Indo-US Cyber Security Forum. He then joined Microsoft (India) as Chief (Information) Security Advisor. He is founder and MD of XCySS, Cybersecurity Company. He was also Group IT Security head for the Essel Group of Companies. He is an avid writer and speaker on the subject of privacy and cybersecurity. He holds three Masters Degrees and several professional certifications of management, privacy and cybersecurity, including CISSP, GDPR, ISO 27001.

Air Commodore Devesh Vatsa VSM. Air Commodore Devesh Vatsa is an IIT graduate and serving Indian Air Force Officer. He holds a Ph.D. and an M.B.A. Air Commodore Vatsa is a hands-on all communication systems specialist of the Indian Air Force. He has been instrumental in the commissioning of the NOC & DATA Centres of AFNET. He has also been instrumental in implementing various cyber security initiatives in the IAF, including the unified cyber security posture. As AOC, he administers AFNET, IAF Data Centre, NOC/SOC and IAF-CERT. He has been commended by both AOC-in-C and the CAS. For his distinguished services to IAF, he was awarded Vishisht Seva Medal.

129

About the VIVEKANANDA INTERNATIONAL FOUNDATION

The Vivekananda International Foundation is an independent non- partisan institution that conducts research and analysis on domestic and international issues, and offers a platform for dialogue and conflict resolution. Some of India’s leading practitioners from the fields of security, military, diplomacy, government, academia and media have come together to generate ideas and stimulate action on national security issues.

The defining feature of VIF lies in its provision of core institutional support which enables the organisation to be flexible in its approach and proactive in changing circumstances, with a long-term focus on India’s strategic, developmental and civilisational interests. The VIF aims to channelise fresh insights and decades of experience harnessed from its faculty into fostering actionable ideas for the nation’s stakeholders.

Since its inception, VIF has successfully pursued quality research and scholarship and made efforts to highlight issues in governance, and strengthen national security. This is being actualised through numerous activities like seminars, round tables, interactive dialogues, Vimarsh (public discourse), conferences and briefings. The publications of VIF form lasting deliverables of VIF’s aspiration to impact on the prevailing discourse on issues concerning India’s national interest.

Vivekananda International Foundation 3, San Martin Marg, Chanakyapuri, New Delhi - 110021 Phone No: +91-(0)11-24121764, +91-(0)11-24106698 Fax No: +91-(0)11-43115450 E-mail: [email protected] www.vifindia.org Follow us on Twitter @VIFINDIA