Cyberworld is touted to be the fifth dimension or the fifth theater of conflictand it is a domain without a Central Cyber Command. Every other day officials, experts, f’experts across nations and communities talk about cyberwar, weaponized documents, and other cyber weapons and Nations are discussing non-proliferation knowing well that this thinking will not proliferate! In the midst of all this the risk grows with time, as Cyber Command and Control is distributed among multiple organizations who are looking at it from their own perspective and confine it to their own area(s) of operation. National (rapid) response, containment, remediation, or strategic / operational understanding are (in my opinion and to my knowledge) dangerously absent.
An Organization Soup For Cyber Security
In India, a Tri-Services Command has been setup, then there is the NCSC and agencies like NTRO, CERT-In, NCIIPC and all of them (as well as about 20 more) working to keep the country safe. (These are old listing of cyber security organizations with each having their focus areas). Even if their reporting goes up to NSA, in times of crisis how will the intelligence banks be collated to provide predictive or response strategies.
In my opinion, what is missing is the understanding that the cyber ecosystem (or cyber world) cannot be governed by a Tri-Service Command or CERT-In or NTRO since each looks at the threat and risk from their own Point of View (PoV). For example DoD will envisage conflict or war scenarios and will always work to be prepared for offensive action or to defend the defence establishment. As trained defence personnel, their idea of cyber defence may not include civilian establishment, until called in by the C-in-C / Government to cover the same. The first line of protection of the civilian infrastructure is the responsibility of the Law Enforcement Agencies and the Para Military Forces. The primary responsibility of the Armed Forces is the protection of the nation.
Who Will Lead (Needed A Chief Of Cyber Staff)!
Cyber protection of the civil establishment is the prerogative of LEA, Para Military, NCIIPC or NTRO or MeITY or RBI /SEBI ?? Or who??
Consider this scenario – if the country faces an intrusion or conventional attack on civilian targets, the armed forces will be deployed / mobilized for protection, but, in the event of a cyber attack it seems that each sector is left to it’s own with CERT-In as the protective / responsive agency. The question which begs to be answered in such a case is – does CERT-In have the wherewithal (resources / capability / capacity / mandate) to respond, contain, recover, pursue and decimate.
Even if CERT-In establishes the attack was from an enemy nation state, can it “pursue” or “attack” the attacker infrastructure. Or will this call be taken by the tri-service machinery. And even if the tri-services is called in, what strategy will they follow? Even if we assume that NSA and MOD will take charge, will they order an engagement in the cyber arena – how? On directions by the NSA, Tri Service Command, PMO or the President (C-in-C of Armed Forces). Again should we assume they will order the activation / implosion of APTs and DDOS etc on the enemy. Will NTRO, Army, Navy, AirForce, NIA, or IB reveal their hand(s) and share their intel and APTs?
This will be very interesting – will each agency now see common “weapons” among the various agencies, and the embarrassment of having spent money with the same vendors through on the same target(s). Many a times it has happened that independent or state researchers have compromised botnet operations of Intelligence / Law Enforcement Agencies. And, many a times these agencies are working on the same targets seeing each other or sensing or messing up.
It’s like asking for everyone to bring their guns and cannons – and they all bring a Bofors to the table. Until the order in the face of an attack, each would have said they have the best cannon / gun but no one ever told the other which cannon / gun they had or who was the supplier. Now in a crisis it turns out that each does have a cannon / gun, but all have the same make, purchased (surreptitiously) from the same vendor.
Then the best part (hilariously) will be that each of them has trained their cannon on the same target (as directed by the same vendor)!
This is why a Central Cyber Command is needed
Or, at the very least, a separate Cyber Security Unit in MHA or MOD that is commanded by a professional cyber security professional. Additionally this commander should not be a “pure play” armed forces officer or bureaucrat, lest the tone-at-the-top is weak from the word go! The commander has to be a superman who is a business man, a warrior, a technologist, psychologist, politician and more.
In time to come, we are bound to see a convergence of cyberspace, space and a deeper incursion of technology in conventional weaponry systems as well as day-to-day life and related infrastructure. Cyber risk, threat and conflict (both overt and covert) will be the primary driver that will have to be addressed when needing to contain any infractions. It will be impossible for the office of the NSA to become the conductor of such an orchestra which will be made up of disparate agencies that will land up working at cross purposes.
A Central Agency or Command will establish the necessary governance structure that will nurture and build national strength for peace, growth and offensive measures.
Cyberspace is unique as it offers a theater of tremendous opportunity for growth and progress as well as dangerous conflict that has the power to bring the world, or nation to a standstill.
Cyberwar – the wrong word!
Finally, can we stop calling them cyber warriors, ninjas, or whatever. These guys are hackers, professionals, who know how things work. They are not trained in the art of Warfare or criminal investigation, national security etc. but, having said this, they can be trained into these domains and they must be FIRST trained before being taken up into the environment unconditionally.
Yes, my final word is about the term cyberwar! High time we also recognized that this is a misnomer. Wars are fought by nations and armies, lives are lost and heroes are born on battlefields – it is a dirty business. Cyber “war” is a wrong term so let us search for a newer one which will not dilute the seriousness and impact of a war per se. Let us not dilute the term “war” in which individuals stand up to fight for the country and offer their lives as the supreme sacrifice. Where they are given medals for their sacrifice and do not die, they become martyrs.
This is not War !
Website defacements, XSS, DDOS and the likes of such attacks are not “War” and should not be termed so. It is just adding to the FUD surrounding the malicious cyber ecosystem and only serves to (a) increase the TRP of the media company using such sensationalism, and, (b) denigrates the sacrifices of those who have lost their lives for the nation.
Conceptual Cyber Governance Model for the Nation:
Endnote.. I had put forward a conceptual model for governance, many years back, and the presentation for Cyber Governance can be viewed here.
I shall be happy to discuss this anytime anywhere … and shall look forward to reader comments and interactions.
Nice article Dinesh and yes we surely need a ‘central agency’ to take care of the ‘cyber world’. As you rightly pointed out, the ‘multiple’ agencies with overlapping areas create a kind of chaos and is really difficult to identify a particular agency to handle a particular problem . Establishing the ‘central command’ will have its own challenges, as the ‘cyber world’ is really ‘border-less’ and with limitless possibilities of ‘adverse events’. The structure you depicted shows a good start to ‘plan for it’ but I feel there will be challenges in doing so – apart from addressing the ‘mindset of existing authorities’ (personnel in those respective command positions) it will also require to identify or define ‘areas’ in which ‘various of these second level / third level’ entities will work and the communication, information sharing / tasks sharing / transferring etc. and when the ‘supreme command’ should be approached. Definitely rounds of detailed discussions would be required, involving people of various expertise, to make the ‘plan’ for establishing this structure – and not to forget this will require approval from the ‘parliament’ (both houses) and there will be ‘amendments required in legal systems to establish such authorities’.