cyber strategy – The Acorn

The internet is freest in US hands

Internationalising internet governance will abridge liberty and restrict free speech

Edward Snowden’s revelations have strengthened demands for “extricating the internet from US control.” This is not a new phenomenon. Ever since Jon Postel died in 1998, governments and non-government organisations have been engaged in a long, complex and meandering process of somehow taking control over the internet. However, while outfits like ICANN and assorted United Nations forums have gotten into the act of “internet governance”, much of the internet remains in US hands. China might well be the country that has more internet users, but it has locked its citizens behind the Great Firewall and effectively created its own national intranet.

Mr Snowden’s revelations are grave, but shouldn’t surprise anyone familiar with national security issues or the communications infrastructure business. So while a lot of international reaction is properly in the Captain Renault (“I’m shocked, shocked to find that gambling is going on in here!”) category, there are some attempts by governments to secure greater control over internet. China, Russia and Brazil are expected to raise the pitch in the coming months.

It would be terrible thing if they succeed. Whatever the imperfections, whatever the US government’s transgressions, we are better off with as much of the internet coming under the US Constitution than the UN Charter.

Why so? Because there is no better political system—the constitution, separation of powers, civil society and citizens—than the United States today that can protect liberty and free speech. Start with Mr Snowden. Where is Russia’s Snowden? Where is China’s Snowden? Where is Brazil’s Snowden? The United States has strong and vocal free speech and privacy advocates who can hold their government accountable without fear of harm. It has a judicial system that is sufficiently independent as to overrule the executive if found violating the US constitution. Despite what cynics in the United States and detractors around the world say, the US system works. To the extent that it does, it protects everyone’s liberties (albeit to a lesser degree than it protects the liberties of US citizens).

For those who contend that this isn’t good enough, consider the alternative. The vast United Nations system that is accountable to exactly no one. The General Assembly has almost two hundred nation-states as members with varying degrees of commitment to upholding liberty. The Security Council reflects the balance of interests its permanent members, where such paragons of free speech as Russia and China have a veto. Let’s say that the UN creates a brand new UN Internet Governance Council to sit at the helm of internet governance. What is to prevent it from going the way of the UN Human Rights Council, where you don’t need any commitment to human rights to be a member, and where you can rule that free speech shouldn’t defame religion.

Now, those who argue that national governments must control the internet because they must exercise their sovereignty over their ‘territory’ of cyberspace have a logical argument when they call for the internationalisation of internet governance. However, it is unfathomable why proponents of free speech and liberty would want the world’s authoritarian regimes to have a say on how the internet is governed.

Calls for “extricating the internet from US control” are effectively facades for authoritarian states to further abridge the liberties of the world’s citizens. That is why they must be resisted. Indians are much better off putting their faith in their freedom-loving American counterparts than participating in grandiose international internet governance schemes.

What should India do about US snooping?

How do you solve a problem like Maria?

According to reports in The Guardian—based on information illegally divulged by NSA contractor Edward Snowden—we know that India is among the top ten countries that the United States snoops on. In March 2013 alone, one of NSA’s programmes collected 6.3 billion pieces of information from India. (Yes, all the hoopla in the US about spying is limited to outrage over the US government spying on its own citizens. Spying on other countries’ citizens is somehow acceptable to many freedom- and privacy-loving Americans.)

What should the Indian government do about this? Here are some options:

1. Do nothing. High officials can express their disapproval. The foreign ministry can register a strong written protest. The US ambassador can be told in no uncertain terms that New Delhi is displeased with the snooping. Essentially, nothing actually changes.

2. Take defensive measures. It is incredibly hard to defend Indian communications networks against the kind of surveillance that the NSA is carrying out. It is impossible to harden all networks—although the government can attempt to move its employees onto more secure platforms. When so many government employees still use Gmail, Hotmail and Yahoo for correspondence with people outside government, there is a lot that the government can do to make official communications more secure. This still leaves public communications heavily vulnerable to snooping by one and all.

3. Attempt to achieve a balance-of-snooping. Start snooping on ordinary Americans (okay, suspected terrorists only) until the US government gets concerned. Then negotiate a truce to control snooping, much like arms control deals that managed arms races. Even if cyberspace offers asymmetric opportunities, the gap in capacities between India and the United States are mindbogglingly large. It will takes years of sustained investment and effort for the Indian government to do anything that’ll worry the US government enough to want to negotiate. The Chinese might be able to pull this off, though.

4. If you can’t stop them, join them. Use the India-US strategic partnership to collaborate with the United States in the cyber-surveillance and intelligence domains and use the collaboration to acquire skills, capabilities and technology that India does not currently have. Once such capabilities are acquired, India will have more options.

Update: I make some of these points in an NDTV programme.

Cyber security to Cyber strategy

Plans and implementation

India’s National Security Council Secretariat (NSCS) has announced a roadmap of action on the cyber security front, involving partnership with the private sector. (See the recommendations of the joint working group and related media reports)

In an op-ed in Indian Express I make two sets of arguments. The first set points out that the government has realised that it needs expertise from outside its cloisters to address contemporary policy challenges and must reform itself in order to be able to use it.

The second set distinguishes three aspects of information policy in the geo-strategic and national security context: cyber security, addressing physical threats that emerge from cyber space and finally cyber-strategy. Much of the emphasis in the government’s plan is on the first of the three. It ought to place adequate emphasis on the other two. Without debating and evolving a new balance on the bounds of government in cyberspace, it will be difficult to manage the threats that emerge from it. Without investing in intellectual inquiry into the fundamentals of cyber conflicts, it will be difficult to shape a cyber strategy that protects and promotes India’s national interests in the international arena. Also, India ought to be wary of both premature and delayed militarisation of cyber strategy. You can read the whole essay here.

Subimal Bhattacharjee’s op-ed in Mint presents another perspective. Mr Bhattacharjee argues that while institutionalising cyber security management in a joint working group under the NSCS is a good thing “the key point is the cohesive functioning of the permanent JWG and the implementation of these recommendations.”

Related Link: My Takshashila colleagues, Srijith Nair & Rohan Joshi responded to the draft national cyber security policy in May 2011.

Premature militarisation

Until we know what the game is about, cyber strategy must be stewarded by the civilian authorities

George F Kennan, whose views shaped US foreign policy towards the Soviet Union in the aftermath of the Second World War had this to say in 1996.

“My thoughts about containment were of course distorted by the people who understood it and pursued it exclusively as a military concept; and I think that that, as much as any other cause, led to [the] 40 years of unnecessary, fearfully expensive and disoriented process of the Cold War. [CNN/John D Clare]

Around the same time, the US Strategic Air Command acquired tremendous influence over nuclear weapons policy, and believing that these new weapons worked the same way as the conventional munitions they were so used to, ultimately ended up building mindnumbingly large arsenals. The Soviets followed suit. If there was ever a risk of total annihilation of the world it was (and still is) due to the United States and the Soviet Union (now Russia). It was only in the 1980s that the Cold War superpowers realised that the utility of nuclear weapons lay not in warfighting, but in deterrence. But there was a time when both countries were designing warheads for battlefield use—including, at one point in the form of artillery shells. [See my review of Richard Rhodes’ book in Pragati]

The story of the Cold War and nuclear weapons holds an important lesson for us as we behold the advent of cyberweapons. It is this: do not let the military establishment take control of policy before it is clear what the game is all about. In the case of cyberweapons, as we discussed at yesterday’s Takshashila roundtable, there is a lot that we do not know. Cyber strategy is in its infancy. The conceptual framework is not clear—are cyberweapons similar to conventional weapons, chemical & biological weapons, nuclear weapons or in a class by themselves? What are the moves available to players in the game? Who indeed are the players? Is the concept of cyberwarfare overhyped, as Bruce Schneier argues? As fundamental as the questions are, there are few satisfactory answers.

Handing over cyber strategy to military establishments at this stage is not a good idea. In the United States, the Obama administration risks repeating the mistakes of the Truman and Eisenhower administrations. It is all very well to say that the US Cyber Command is responsible only for “dot-mil” domains, but given its budget, clout and operational mandate, the military establishment is quite likely to dominate cyber warfare policy-making. Unfortunately, over in China, the United States’ primary strategic adversary, it is the People’s Liberation Army that is in charge of cyber warfare. That raises the risk of a perhaps avoidable cyber arms race between the two.

There is no doubt that the Indian government must ensure that India’s interests are protected in an age of cyber warfare (See Takshashila’s new discussion document, and Pragati articles by Rohan Joshi and Srijith Nair). This requires the pushing of intellectual boundaries—to develop a new discipline of cyber strategy—as much as it requires instituting competent authorities to develop, implement and oversee policy.

While the Indian armed forces must equip themselves with the knowledge, skills and equipment required to engage in cyber warfare, for the time-being, it is prudent to avoid letting the military establishment dominate policy-making. India did well to prevent the undue militarisation of its nuclear weapons policy. That experience should inform New Delhi’s moves in the domain of cyber strategy.

The answer to Global Times’ why

Investing in cyber warfare capacity comes at a cost

Criticising the blacklisting of several Chinese telecommunications equipment manufacturers by the Indian government, the Global Times asks:

It is understandable when the Indian government does this to promote its own industry, especially in certain manufacturing areas that have not grown strong enough to compete with international rivals.

But in the recent case of telecom equipment procurement worth $2 billion, how come other foreign brands were let in while Chinese products alone singled out for exclusion?

Here’s why.

Related Link: In today’s FT, Stephanie Kirchgaessner and Paul Taylor report similar concerns in the United States where “Huawei’s push to expand in the US through acquisitions and contracts with telecoms groups could come at a high cost for the Chinese equipment maker, including structural changes that are already under consideration by the company.”

Vyuha – a new blog on The Indian National Interest

Perspectives on cyber strategy

Srijith K Nair joins us on INI, with Vyuha where he:

aims to explore the cyber security strategies (and to a lesser extent, the overarching information security aspects) that are of paramount importance to India in this networked 21st century and beyond.? Towards this end we will be covering important events and developments that shape this area while expounding our views on the issues. In doing so we hope to influence, ever so slightly at the least, the doctrines and the key players involved in promulgating them. [Vyuha]

Srijith is fellow for cyber strategy at The Takshashila Institution’s national security programme. The new blog will feature posts by Srijith and his colleagues at the cyber strategy policy research team.