Will the recent attack on Indian defence and government officials under operation Armour Piercer (click here to read details) amount to cyber aggression or an act of cyber-war. What will constitute an act of cyberwar on India is not defined nor there are any guidelines. Even the US does not have it, does not mean we should also not have it too. The recent incident of Solarwinds, which compromised most of the US government departments including the White House is an unambiguous act of cyber-war. But as no action is defined as cyberwar such leads to confusion in reacting to the situation.

Presently all efforts of cyberwar are fragmented and unstructured at the national level. There is no allocation of areas of responsibility or distribution of targets amongst various so-called Cyberwar fighting units created by three services. There is no single point of collation of cyber war-related information, let alone control and coordination. This does not mean that various organisations and the three services are doing nothing, but lack of structure has created multiple challenges. Uncoordinated or ad-hoc actions are detrimental to national security. There are unknown gaps, unallocated targets and over-concentration of surveillance, leading to exposures, fratricide and inflated sense of self-importance. Therefore, a cyber forces coordination centre must be established at the earliest.

Rules of Cyber Engagement (RoCyE) should be defined for the uniformed forces and other cyber forces. To implement RoCyE, there should be a defined state of alertness and readiness. Without having proper defences within the armed forces and across the nation, taking a cyber offensive posture publically could be counter-productive. Therefore, the public stance must be appropriately structured by armed forces, the executive and bureaucracy.

Some points that may be kept in mind while framing the Rules of Cyber Engagement are:

• Conjoining with military kinetic action

• Attacks on persons

• Attacks on technical infrastructure

• Attacks on content

• Routing attack through cooperating the third party

• Routing attack through non-cooperating third party

• Laws of proportionality

• Laws of proactive defence

• Area of operations

• Choice of cyber weapons

• Protection against fratricide

• Controlling overconcentration and gaps in cyber attack

• Perfidy and ruse

• Surprise, deception and deniability

• Handling of neutrals

• Indiscriminate/unauthorised attack

• Maintaining cyber superiority

• Maintaining cyber dominance

• Cessation of cyberwar

• Retraction of cyber mines and booby traps

• Battle damage assessment

(Note: The list is not exhaustive)

Role of Defence Services Headquarters

Headquarters’ of Army, Navy, Air Force and the Chief of Defence Staff should be involved in cyberwar and be directly or indirectly aware of legal provisions related to it. Officers must be made aware of the Information Technology Act 2000 (as amended in 2008), and the changes it has made to the Indian Evidence Act 1886 and the Code of Criminal Procedure 1974. Legal aspects of cyberwar should form a part of training curricula and promotion-related examinations. Case studies should be discussed and analysed in various training courses, including the role of the United Nations, ITU and Internet Governance. At the level of Higher Command and the National Defence College, exercises should include cyber diplomacy and the protection of India’s interests.

State of Cyber Readiness

Following are the recommended State of Readiness flags:

• Blue – Normal state

• Green – Enhanced Cyber Intelligence/Surveillance by Nation-State/reckonable non-state actor is enhanced

• Yellow – Cyberwar likely

• Orange – Cyberwar imminent

• Red – Cyberwar in progress

Preparedness by Defence Forces

All defence personnel, especially of the cyber warfare cadre and Cyber Territorial Army, must be aware of the legal provisions governing their actions. Cyber rules of engagement must be known to all connected with the cyber command. Training curricula should be amended accordingly. The scope and intensity may vary depending on the expected task to be performed after training. Similarly, entrance exams related to promotions and performance enhancement must include questions related to cyber legal matters.

Without formalising Cyberwarfare processes and their integration with cyberwarfare formations may lead to unintended impact. It will be far better if all cyber warfare units are brought under the control of the Chief of Defence Staff. Close coordination with Intelligence agencies and the process of handing over targets to Defence forces must be sorted out in peacetime. A nation can be brought on its knees by use of Cyber Offensive. Not knowing its contours, not creating coordination processes and not laying down the Rules of Cyber Engagement (RoCyE) can adversely impact national security.

(Image Source: https://foreignpolicy.com/)