There is increasing concern in the strategic community and the general public about cyber security and we are in the final stages of preparing a whole-of-government cyber security architecture.
Our increasing dependence on cyberspace and the internet is evident. We had over 100 million internet users in India over two years ago. Add to this the 381 million mobile phone subscriptions with internet connectivity and the increasing seamlessness with which all sorts of devices connect to the internet. There are well over 2 billion internet users in the world — a number that doubled in the five years between 2005 and 2010. These figures are growing exponentially. Most of us in one way or the other use and depend on cyber space in the performance of our work and daily life.
Fear of the unknown
Public concern about cyber security is rising, partly because of the weight of anecdotal evidence that is building up about cyber war and attacks. Stuxnet and Ghostnet, for instance, appear to most of us as unseen forces having apparently magical effects in the real world. It is also fear of the unknown, because most persons lack a conceptual framework or understanding that would enable them to deal with the issue.
The other reason for public concern and anxiety is the anarchic nature of the domain of cyberspace, glimpses of which naturally cause alarm. When this is combined with the potential effects of malicious attacks and disruptions in the cyber world upon such basic social necessities as power supplies, banking, railways, air traffic control, etc., it is only natural that people should worry about cyber security.
Nor do the experts help to allay concerns in their choice of the terms they use. We speak of cyber crime, when these acts are not a traditional law and order problem and cannot be dealt with as such, thanks to problems of attribution and punishment and lack of legal frameworks.
We also speak of cyber war, even though conflict or attacks in the cyber world do not follow the rules or logic of war as understood so far in other domains. In this new domain of contention war, espionage, surveillance, control and the traditional security functions, activities and crimes occur but differ from those in traditional domains. Here we have to unlearn some of the lessons we learnt from earlier revolutions. Traditional deterrence hardly works in a battle-space like the cyber world where the speed of operations and attack is almost that of light. At these speeds there is a premium on attacking first, or offence.
The effect of ICT on warfare is evident in command and control, in the new surveillance and communication technologies and in cyber operations which have kinetic effects in the real world. We have seen a new way of warfare, a true RMA, since the early 1990s, enabled by ICT.
The ICT revolution has also brought power to non-state actors and individuals, to small groups such as terrorists. It has given small groups and individuals the means to threaten and act against much larger, more complex and powerful groups. Since the technology is now available or accessible widely, and is mostly held in private hands, ICT has redistributed power within states.
We see the practical effects of these changes all around us. Look at the social and political effects of new technologies in the turmoil in West Asia. The cocktail of social media, 24-hour television, NGOs and Special Forces create a virtual reality which soon has effects in the real world.
These are not just law and order problems, and they are not amenable to the traditional responses that states are accustomed to. We have seen technology place increasingly lethal power in the hands of non-state actors. The effects can range from the benign to the dangerous, though the technology itself is value neutral. In West Asia today, we see its use by popular movements to mobilise people and influence opinion against regimes across the Arab world. Autocratic regimes across the world now take the power of ICT very seriously.
Equally, intelligence and espionage increasingly rely on what are euphemistically called national technical means, namely cyber penetration and surveillance. The same technologies also empower the state in terms of its capacity for internal surveillance, interception and so on. Their power and reach raise fundamental issues about the lines that a democratic society must draw between the collective right to security and the individual's right to privacy. What makes this more complicated is the fact that these technologies are not just available to the state, where laws and policies can control and limit their use. They are widely available in the public domain, where commercial and individual motives can easily lead to misuse that is not so easily regulated unless we rethink and update our legal and other approaches.
Between states, information technologies and their effects have made asymmetric strategies much more effective and attractive. In situations of conventional imbalance between states we see that asymmetric strategies are increasingly common. Cyber war and anti-satellite capabilities are uses of technology by a weaker state to neutralise or raise the cost and deter the use of its military strength by a stronger country.
In the name of defence all the major powers are developing offensive cyber capabilities as well as using cyber espionage. So are smaller powers who see ICT as an equaliser. One estimate speaks of about 120 countries developing the capacity for cyber warfare. But by its nature, as WikiLeaks showed, the threats in this domain are not just from states. These technologies have also enabled individuals and small groups to use cyberspace for their own ends. We in India are subject to unwelcome attention from many of them.
The government is in the process of putting in place the capabilities and the systems that will enable us to deal with this anarchic new world of constant and undeclared cyber threat, attack, counter-attack and defence. We need to prepare to deal with both threats to cyberspace and risks arising through cyberspace.
While the NTRO is tasked to deal with the protection of our critical security cyber infrastructure, institutions like CERT-IN have proved their worth during events like the Commonwealth Games in defending our open civil systems. We are making a beginning in putting in place a system of certification and responsibility for telecommunication equipment and are working on procedures and protocols which will rationalise communication interception and monitoring. We need to harden our networks. And we will develop metrics to certify and assure that our critical cyber networks, equipment and infrastructure are secure. We need also to create a climate and environment within which security is built into our cyber and communications working methods. And, most important, we must find ways to indigenously generate the manpower, technologies and equipment that we require for our cyber security.
There is only one part of the IDSA Task Force's recommendations with which I have a difference of emphasis. It speaks about “proactive diplomatic policy” on cyber security, and suggests that multilateral efforts for international internet governance are useful. The Report itself recognises that most proposals for international internet governance are thinly masked efforts to control or shape the internet, and that some are ideologically driven. Inter-governmental rules of the road are certainly desirable. No one can argue against them. But we must be clear that they will not have practical effect or be followed unless they are in the clear self-interest of those who should be following them. Let us, therefore, concentrate on putting our own cyber security house in order. That should be our first priority.
(Shivshankar Menon is the National Security Adviser. This is an edited version of his May 16 speech at the launch of the Institute for Defence Studies and Analyses Task Force report on India's Cyber Security Challenges.)