The network intrusions into the Kudankulam Nuclear Power Plant and the Indian Space Research Organisation highlight a glaring gap in India’s cyber response strategy.
The fact that the attackers had the audacity to target such critical organisations without the fear of reprisal should trigger a critical review of our posturing in cyberspace.
To quote a three-star general, who responded to my dire warnings long before these intrusions were detected, “We are beyond a wake-up call now.”
Purely defensive manoeuvring is unlikely to restrain the adversary. So, cyber deterrence relies on a complex offence-defence symbiosis. Former Central Intelligence Agency (CIA) technologist Matthew Monte goes to the extent of deeming cyber defence that lacks a flavour of offence “ineffective.”
Unlike the case of conventional technologies like nuclear weapons, the parameters of cyber deterrence are highly unpredictable.
The first realisation for our cyber commanders should be that cyberspace is purely a domain of power projection. The undue pressure of creating physical or kinetic effects just acts as a distraction.
Gen. James Cartwright, the US’s earliest cyber commander, foresaw this way back when he postulated that the coercive power of “cyberweapons” could be used to “reset diplomacy.” Bringing the adversary back to the negotiating table is a laudable goal.
Rebecca Slayton of Cornell concluded that the cost of developing Stuxnet was roughly $300 million – heftier than an airstrike – while the benefits were limited to a paltry $14 million.
This busts a major myth about cyber conflict: that it is always asymmetric.
The aim of Stuxnet wasn’t really destroying Iranian nuclear centrifuges. As former National Security Agency (NSA) hacker Dave Aitel put it, Stuxnet marked the “announcement of a team… that has been playing World-Cup level soccer on the cyber battlefield for a decade-and-a-half.”
Gen. Michael Hayden, who headed both NSA and CIA, mused that Stuxnet had the “whiff of August 1945” – alluding to the bombings of Hiroshima and Nagasaki. The idea was to set new declaratory thresholds for cyber conflict.
As former US deputy secretary of defence Aaron Hughes explained, cyber deterrence “is largely a function of perception.” Its aim is to make the adversary believe that its transgressions may lead to the imposition of unacceptable costs.
However, a major problem with current strategies is that they are struggling to account for the escalatory nature of cyber conflict.
Scholars like Jason Healey of Columbia have suggested that – despite its awesome cyber firepower – it was the US which got deterred during the 2016 election interference by the Russians.
Retaliation in cyberspace turns out to be extremely disproportionate and even bizarre.
President Barack Obama and his team had feared that any action against Russia may trigger cyberattacks on the fragile private sector. It was a crucial lesson learnt after Iranian hackers crippled major American banks in 2012 as a response to Stuxnet.
Even the North Korean regime got away with the brazen act of destroying Sony Pictures in 2014 by hacking and making all its data public. The American studio was planning to release a film that parodied Kim Jong-un. As life imitated art, Obama vowed a “proportional response.” Both the Iranian and North Korean attacks were rudimentary in nature.
Nonetheless, such shooting wars should not divert us from the fact that cyber conflict has greatly intensified over the last few years.
The US military’s “Left of Launch” strategy – aimed at disrupting missile tests using cyber-electromagnetic attacks – is thought to have undermined the North Korean program. As President Donald Trump aborted an airstrike on Iran at the last moment in 2019, the US Cyber Command (USCYBERCOM) went ahead and degraded Iranian military command-and-control.
Again, the aim is to sow fear, doubt and confusion in the mind of the adversary. Cyber deterrence works within the cognitive spectrum.
From a defensive standpoint, it’s better to visualise domestic cyberspace as a “continually contested territory,” as former secretary of the US Navy Richard Danzig put it. It calls for a “persistent engagement” with the intruder – an attritive battle hinged on retaining control.
As such, many of the concepts of counterinsurgency like “Clear, Hold & Build” and “Find, Fix, Finish, Exploit, Analyse & Disseminate” become applicable to cyber defence.
The same idea of constant contestation, when exported to the adversary’s information battlespace, becomes pre-emptive manoeuvring like the “Defend Forward” doctrine of USCYBERCOM.
Presence-based cyber operations like espionage prepare the battlefield for event-based operations. The former generally precede the latter by many months or even years. The idea is to produce a potent mix of not just effects but also perceptions.
The National Cyber Coordination Centre (NCCC) should be brought back from stasis to seed automated situational awareness across the defensive spectrum. The National Critical Information Infrastructure Protection Centre could act as the feeder for NCCC.
The Defence Cyber Agency (DCyA) needs to lead the two-pronged framework of deterrence by denial and deterrence by punishment. The job of the National Technical Research Organisation would be to keep the battlefield primed, allowing DCyA to generate effects at a place and time of choosing.
Cyber conflict blurs the lines between war and peace. Victory in cyberspace means not only retaining the initiative, but also the narrative.
Pukhraj Singh is a cyber intelligence analyst who has worked with the Indian government and response teams of global companies. He blogs at www.pukhraj.me.