In order to offer a convincing defence of retaliatory cyber measures against Pakistan, India requires coordinated planning.
Likely to be among the options weighed by India’s National Security Adviser in response to Pakistan’s alleged complicity in the Uri terrorist attack is coercive cyber action. On at least one previous occasion, India has seriously considered a retaliatory attack on Pakistan’s digital networks. In theory, a cyber attack could be swift, minimise the risks of causalities, offer plausible deniability and likely to inflict serious damage on Pakistan’s economic infrastructure. In reality, however, the picture is more complicated. Any assessment by New Delhi of this option should account for the following:
Coercive cyber measures, like any military option, should be the culmination of extensive assessment by India of its intelligence and technical capabilities. Take as two possible targets, the Hub Power Station in Karachi and the Karachi (now Pakistan) Stock Exchange. The Hubco plant is among the largest thermal power-generating projects in Pakistan, capable of "generating over 10% of the country’s electricity." The KSE (now Pakistan Stock Exchange) is its premium financial trading platform. To mount a cyber attack against either installation, military planners should be supported by intelligence inputs from the ground, providing valuable information about:
Both require an assessment of the installation that goes well beyond aerial or satellite reconnaissance. Without strengthening India’s intelligence networks in Pakistan, therefore, a serious attack on its digital networks will be difficult to conceive or execute.
Then there is the matter of the "cyber weapon" itself. Not many government agencies in India, including the National Technical Research Organisation, have the in-house expertise required to build and exploit vulnerabilities that can manipulate or destroy the integrity of electronic data. India’s armed forces fare marginally better, having deployed "red teams" that do penetration testing to protect their own networks. But the military too may not be in a position to create a sophisticated cyber-weapon designed for the specific purpose of bringing down, say, Pakistan’s electricity grid.
It is worth remembering that Stuxnet was the product of an inter-agency effort involving the United States and Israel. Stuxnet owes its origins in no small part to the United States' well-developed bug bounty programme, which invites hackers to identify vulnerabilities in operating systems and communications platforms. Having a bug bounty programme (which in the US is tightly regulated by the White House) contributes to a strategic culture that can co-opt technical expertise in India into the national security narrative. There is no reason why New Delhi should shy away from a programme for its defence and intelligence agencies, given the talented pool of computer scientists in the country. In fact, internet giants like Facebook and Google routinely rely on Indian citizens to identify fixes and flaws in their products through their own bug bounty schemes. Today, Indian agencies rely on private expertise on an ad hoc basis, or buy zero-day vulnerabilities from the 'dark net'.
An evaluation of coercive cyber measures against Pakistan by the National Security Adviser — the last step in the chain of decision-making before it is presented as a credible option before the Prime Minister — can be done only if he is able to lean on multi-agency coordination that will supply both human intelligence and technical expertise.
The tail, however, should not wag the dog. Conceiving and creating a cyber weapon will likely involve months, but this process should be guided by a political strategy as to its specific objective, likely impact, and potential fallout. Unlike conventional weapons or WMDs, it is impossible to create an "arsenal" of cyber weapons that can be deployed at will.
The first step for India’s defence planners, then, would be to absorb coercive cyber measures as a central pillar of its Pakistan policy. This would involve:
Cyber attacks are difficult to attribute to governments, as they often originate from non-state actors and sometimes, through servers based in a third country. Links between non-state actors and the governments of the territory in which they are based can at best be established using circumstantial evidence. In India’s case, military planners need to walk a fine line between denying any involvement in a cyber attack, and signalling to Islamabad that its so-called "asymmetric" actions will be countenanced by similar responses. Were New Delhi to be implicated in a coercive cyber manoeuvre against Pakistan, Indian diplomats should be prepared to defend the legality of its conduct in multilateral venues like the United Nations.
In essence, India’s legal defence against a cyber attack on Pakistan would be to claim an act of reprisal. Given the UN’s visible lack of enthusiasm in enacting a Comprehensive Convention on International Terrorism, India will have to rely on traditional principles of state responsibility to hold Pakistan responsible for the actions of groups like the Jaish-e-Mohammed and Lashkar-e-Taiba. Without wading into the vast and rich jurisprudence on the subject, it is sufficient to say that even if India should produce evidence linking terrorist groups to the Pakistani government, it may be difficult to satisfy purely legal requirements.
Article 8 of the draft articles on Responsibility of States for Intentionally Wrongful Acts states:
"The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct."
The 'direction/control' test is a high standard to which India or the international community may never hold Pakistan. The first hurdle for India is to meet this threshold, absent a 'smoking gun'.
The second (and related) difficulty is to establish that attacks by terrorists are not only attributable to Pakistan but that they also violate a prohibition on the "use of force" enshrined in Article 2(4) of the UN Charter. If that seems incredulous, there’s more. For India to claim "self-defence" in international law under Article 51 of the Charter, attacks such as the one in Uri should constitute an "armed attack" by the Pakistani state, a legal threshold that is generally accepted to be higher than the plain "use of force".
In the aftermath of the 9/11 attacks, the United States invoked "its inherent right of self defence” under Article 51 to bomb Afghanistan — a decision that polarised international opinion on the legality of its claim. In that instance, however, the US had the overwhelming support of the UN Security Council, which subsequently legitimised the intervention through the establishment of the International Security Assistance Force in 2001. In India’s case, no such support from UNSC members will be forthcoming. In any case, New Delhi has no appetite for an armed intervention of the scale seen in Afghanistan.
Simply put, it is improbable that India can convincingly make the case for "self-defence" through a cyber attack against Pakistan. Reprisals on the other hand involve the use of force, but need not be reported to the UN Security Council, and constitute an act akin to self-defence for attacks of a lesser degree.
Amidst this legalese, it is important not to miss the larger, political picture. For India to offer a convincing defence of retaliatory cyber measures against Pakistan requires coordinated planning between the Ministry of External Affairs and the National Security Council Secretariat. Irrespective of what New Delhi may term its actions, the cyber attack should be a proportionate response to Pakistan’s transgressions. The MEA and its lawyers should advise the NSA on this count and thoroughly review the cyber weapon’s impact on civilian populations. To help mould the evolving body of international law in its favour, India must also step up engagement with international platforms such as the UN Group of Governmental Experts on ICT security and the Tallinn Manual consultations on the law of armed conflict in cyberspace.
Coercive cyber measures offer some advantages to a policy planner where conventional military options appear limited, as in India's case against Pakistan. Nevertheless, several concerns persist, which should prompt New Delhi to examine the desirability of this option.
The lesson here, perhaps, is that a declared doctrine on the use of cyber weapons, pursuant to the building of capacities, can signal deterrence to Pakistan more effectively than the use of such instruments in isolation by India. It will likely take years to bring such a strategy to fruition: after the May 1998 tests, it took India nearly five years to articulate a nuclear weapons doctrine. The rapid advancement of digital technologies suggests that a cyber doctrine, if articulated, should be flexible, and open to review and possible restatements. Pakistan’s nuclear weapons capability is often cited as a dead-end for India’s conventional superiority, but cyberspace opens a new theatre of conflict. But it is critical this process begins now, failing which India could be drawn towards an inevitable confrontation in digital spaces with Pakistan without a clear assessment of its goals or outcomes.
This post contains modified excerpts from the journal article — The Missing Option? India, Pakistan and armed conflict in cyberspace — from the forthcoming issue of the GP-ORF series, Digital Debates.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Hildegunn Kyvik Nords Senior Associate Council on Economic Policies Zurich and rebro UniversityRead More +