Until we know what the game is about, cyber strategy must be stewarded by the civilian authorities
George F Kennan, whose views shaped US foreign policy towards the Soviet Union in the aftermath of the Second World War had this to say in 1996.
“My thoughts about containment were of course distorted by the people who understood it and pursued it exclusively as a military concept; and I think that that, as much as any other cause, led to [the] 40 years of unnecessary, fearfully expensive and disoriented process of the Cold War. [CNN/John D Clare]
Around the same time, the US Strategic Air Command acquired tremendous influence over nuclear weapons policy, and believing that these new weapons worked the same way as the conventional munitions they were so used to, ultimately ended up building mindnumbingly large arsenals. The Soviets followed suit. If there was ever a risk of total annihilation of the world it was (and still is) due to the United States and the Soviet Union (now Russia). It was only in the 1980s that the Cold War superpowers realised that the utility of nuclear weapons lay not in warfighting, but in deterrence. But there was a time when both countries were designing warheads for battlefield use—including, at one point in the form of artillery shells. [See my review of Richard Rhodes’ book in Pragati]
The story of the Cold War and nuclear weapons holds an important lesson for us as we behold the advent of cyberweapons. It is this: do not let the military establishment take control of policy before it is clear what the game is all about. In the case of cyberweapons, as we discussed at yesterday’s Takshashila roundtable, there is a lot that we do not know. Cyber strategy is in its infancy. The conceptual framework is not clear—are cyberweapons similar to conventional weapons, chemical & biological weapons, nuclear weapons or in a class by themselves? What are the moves available to players in the game? Who indeed are the players? Is the concept of cyberwarfare overhyped, as Bruce Schneier argues? As fundamental as the questions are, there are few satisfactory answers.
Handing over cyber strategy to military establishments at this stage is not a good idea. In the United States, the Obama administration risks repeating the mistakes of the Truman and Eisenhower administrations. It is all very well to say that the US Cyber Command is responsible only for “dot-mil” domains, but given its budget, clout and operational mandate, the military establishment is quite likely to dominate cyber warfare policy-making. Unfortunately, over in China, the United States’ primary strategic adversary, it is the People’s Liberation Army that is in charge of cyber warfare. That raises the risk of a perhaps avoidable cyber arms race between the two.
There is no doubt that the Indian government must ensure that India’s interests are protected in an age of cyber warfare (See Takshashila’s new discussion document, and Pragati articles by Rohan Joshi and Srijith Nair). This requires the pushing of intellectual boundaries—to develop a new discipline of cyber strategy—as much as it requires instituting competent authorities to develop, implement and oversee policy.
While the Indian armed forces must equip themselves with the knowledge, skills and equipment required to engage in cyber warfare, for the time-being, it is prudent to avoid letting the military establishment dominate policy-making. India did well to prevent the undue militarisation of its nuclear weapons policy. That experience should inform New Delhi’s moves in the domain of cyber strategy.