In April, media reports announced the appointment of Rear Admiral Mohit Gupta as the head of the new Defence Cyber Agency (DCA) being raised for the Indian military.
Admiral Gupta’s work is cut out for him as, starting from a virtual scratch, he will have to build an organisation capable of warfighting in the cyber dimension. Two of his crucial tasks will be to develop a doctrine that integrates cyberwarfare with conventional operations and to evolve long-term, robust policies for the security of defence networks.
In preparing the doctrine, some recent events could serve as a guide as to how a cyberwar could play out. On 22 June, The Washington Post reported that the US Cyber Command had launched a “cyber strike that disabled Iranian computer systems used to control rocket and missile launches”. The report also stated: “The strike against the Islamic Revolutionary Guard Corps was coordinated with US Central Command”.
The cyber strikes had taken weeks of preparation and were carried out in retaliation to the shooting down of a US RQ-4A Global Hawk drone in the vicinity of Iranian airspace on 20 June.
The second event took place on May 4 when the Israel Defence Forces (IDF) carried out an airstrike against a building in the Gaza Strip that was claimed to house a Hamas cyber unit. The IDF tweeted, “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work.”
The IDF spokesperson, Brig. Gen. Ronen Manlis said, “After dealing with the cyber dimension, the Air Force dealt with it in the physical dimension.”
Both these incidents carry some valuable lessons. Cyber operations are increasingly being used as part of a nation’s warfighting efforts, but these should not be viewed only as standalone operations. It is a fact that some very targeted and effective cyberattacks have been conducted, like the American ‘Operation Olympic Games’ that damaged the Natanz nuclear facility in Iran. However, as far as the military is concerned, cyber operations will require to be fully integrated with conventional operations.
The US responded to a kinetic attack on its military drone by a cyber strike on Iran’s air defence networks, while the IDF responded to a cyber threat from Hamas through a kinetic air strike.
Therefore, there are no neat dividing lines between cyber operations and conventional use of force. And cyber deterrence straddles both areas, using deterrence by denial (a defensive measure to harden critical systems against attacks) and deterrence by cost imposition. A 2017 report of the US Department of Defense Task Force on Cyber Deterrence pointed out that deterrence by cost imposition “requires credible response options at varying levels of conflict”, including the “full range of military responses”.
In attempting to draw up a doctrine for cyberwarfare, Admiral Gupta will have to find a way to work around the vertical stovepipes into which the three services have enclosed themselves. There is great reluctance within the army, navy, and air force to share operational information and resources. Cyberwarfare is also seen narrowly as a technical, information technology (IT) issue, and there is not enough understanding of its value in our operational planning. Unless these matters are doctrinally addressed, the effectiveness of cyber operations will remain limited.
A second crucial task for DCA will be the framing of a long-term policy for the security of our defence networks. There are many aspects to this, but perhaps the most important is to wean the Indian military away from its current reliance on foreign hardware and software.
After the Snowden revelations, it was clear that IT companies in the US were aiding the worldwide surveillance operations by their government. Yahoo, Google, Microsoft and Apple were all complicit in this programme known as PRISM. Other countries have not been far behind.
In October 2018, Bloomberg reported that tiny malicious microchips, not part of the original design, had been found in the motherboards of Supermicro, one of the world’s biggest suppliers of server motherboards. These had apparently been inserted at factories run by manufacturing subcontractors in China.
Despite a surfeit of such examples, there is no concerted effort to promote indigenous products in our military networks. There is a similar story with software. A serious attempt was made in the army to adopt the Bharat Operating System Solutions (BOSS), developed by the Centre for Development of Advanced Computing. After a test-bed in Northern Command that lasted almost three years, the effort has now been rolled back with a return to the Windows Operating System. Compare this with Chinese and Russian militaries, both of whom have recently announced that due to security concerns they will replace Windows with their indigenously developed operating system.
The actions of IT companies after the recent placing of Huawei on the ‘entity list’ by the US government should be the real wake-up call for our military. Google has blocked Huawei’s future access to Android updates, while UK-based chip designer ARM has suspended business with Huawei. Last week, the US warned of punitive action against Indian companies found supplying equipment or other products of American origin to Huawei.
I have no sympathy for Huawei or its predatory practices, but the real lesson here is that foreign companies could cut off support to their hardware and software at any time, based on their government’s direction. And before we dismiss this possibility, let us remember that we live in an anarchic system of international relations where national interests reign supreme. Our military’s reliance on foreign companies is a serious vulnerability that could prove devastating in a time of crisis.
The doctrine and policies put in place by the DCA will define the future path to be taken by the Indian military to successfully prosecute cyber operations as a part of its warfighting strategy. If this requires ruffling some traditional feathers and intruding on established turfs, the DCA should not be too hesitant.