In a 2018 report to India’s National Security Council Secretariat (NSCS), an unprecedented 35 percent of cyber attacks against the country were attributed to China. Although such attacks have not generated a catastrophic impact in terms of damaged infrastructure, knocked down power grids and any related casualties, China’s cyber policy against India could undermine the country’s conventional power in a future military conflict.
Despite the risks India’s response has been one of restraint, or what might amount to turning the other cheek. While puzzling, such posture is not uncommon among countries embedded in enduring international rivalries. India’s defensive posture is a rational, albeit short-term, response to an ongoing series of cyber attacks, but its current efforts to ramp up cyber defenses would have a better, long-term deterrent capability if the country joined forces with other countries that China has targeted in Asia to bolster cyber cooperation against a common foe.
China’s Cyber Threat
While China’s investment in cyber warfare began in 1997 in large part to offset its conventional weakness against the United States and Russia, the country now uses cyber operations to target its other rivals. That it focuses heavily on India is not surprising. The two are so-called enduring rivals, countries with a long history of militarized disputes that dates back to the 1962 Sino-Indian War. Most recently, in 2016, India entered Doklam territory in Bhutan, a plateau of strategic significance, to stop Chinese forces from constructing a road in the area. Today, India’s concerns also involve the sea. As China makes its move to dominate the South China Sea and expand its naval power, it is in India’s interest to keep international seas free.
For China, there are undoubtedly even bigger concerns that motivate its cyber strategy. Regional dominance becomes difficult when your competitor is forging closer military cooperation with the world’s military hegemon. Whether it’s the joint U.S-Indo air forces exercises in 2018, the boost in U.S. arms sale to India over the past decade, or the annual bilateral Malabar naval war games in the Bay of Bengal that have become a trilateral exercise since Japan became a permanent partner in 2015, the expansion of India and the United States’ strategic partnership has resembled a counterbalancing effort to China’s growing influence in Asia.
Between 2010-2018, China’s main goal in targeting India was to gain access to sensitive information from the government and the private sector (over 55 percent of cases), followed by disruption of daily activities as was seen in 2010 when China’s use of Stuxnet worm to compromise India’s communication satellite led to the loss of TV signal for many. Intrusion with the use of malicious software such as Trojans to enter the target’s network or software program has been the most common form of method in cyber attacks during this time period. Such intrusions are particularly dangerous. They can remain dormant for a long time only to emerge at a later date.
India’s Restrained Response
At first, India’s somewhat muted response to China’s cyber attacks seems surprising. In the world of realpolitik where the balance of power is at stake, one might expect a counter threat or equivalent retaliation. Neither has happened.
At the 2012 Munich Security Conference, the clear takeaway was that India’s efforts to manage incoming cyber attacks were disjointed and not serious. To mitigate the crisis, the government was set on developing a preventive solution aimed at developing indigenous microprocessors and reducing the country’s imports of military software, which have accounted for nearly 70 percent of all such software. In 2012 there was also a proposal to create a command control center for monitoring critical infrastructure and responding to breaches.
Yet even these preventive attempts have been slow to materialize. In 2017 cyber security expert Rahul Tyagi explained that India continues to import most of its hardware from China, making it vulnerable to attacks. A CEO of a private defense company who spoke anonymously in 2018 dubbed the “Make in India” push as “virtually a nonstarter.” The country, according to Tyagi, needs more time and money to improve defensive cyber capability and can’t even contemplate using cyber as an offensive weapon.
While India’s handling of incoming cyber attacks has been lethargic, in the short term it could be considered a rational response to threat management. Restraint is a feasible policy due to the uncertainty connected to cyber attacks. Attribution remains a problem in the cyber domain, making escalation more risky. While attacks have been traced to hackers operating in China, the Chinese government has repeatedly denied responsibility for the actions. Unlike with the use of conventional weapons that are the domain of the country’s military, a government can deny its connections to hackers. In this context, the targeted country must proceed with caution.
There is also the question of how to respond to a cyber attack when a country lacks credible offensive cyber capability that it could use as a deterrent. Should it turn to conventional weapons? Such a move comes with high costs. The enemy might perceive a conventional response as too escalatory in proportion to a cyber attack and escalate the conflict even more, edging dangerously close to an all out war. After all, China’s cyber attacks have not created any damage to India’s infrastructure or resulted in casualties to justify a more provocative conventional response.
Relying on restraint as a strategy becomes even more critical when considering the broader political context in which the attacks take place. Countries that are embedded in a long-term rivalry and that also happen to have other enduring enemies — the case for India and its other rival Pakistan — simply cannot afford to escalate most of the crisis situations. Enduring rivals experience frequent militarized disputes. To manage resources effectively, they must prioritize the urgency of threats and exercise caution to avoid escalation on multiple fronts. By prioritizing conventional threats from Pakistani militants over cyber attacks from China, India has recognized the complexity of threat management.
Yet there is an inherent risk when the short-term strategy of restraint transitions into a long-term policy of buying time while hoping for the best. Restraint, when practiced for too long, can encourage the enemy to simply continue with more attacks. And this has the potential to seriously undermine national security. Consider, for example, the 2009 incident in which Chinese hackers stole classified intelligence from India’s military on missile systems as well as intel on India’s security situation in its various states. In case of a military conflict, such info might be used by the Chinese military not only to exploit systems’ weaknesses but also to identify an appropriate window of opportunity to strike when the country is most vulnerable politically. An even more worrisome scenario could involve using a sleeper worm that could be activated to infiltrate and damage military technology. The People’s Liberation Army (PLA) has long envisioned the use of computer-networked operations as critical to its success in the early stages of a conflict and a series of cyber attacks allows it to effectively gauge the weaknesses of Indian systems.
A Multination Cyber Coalition: A Defense Partnership for the Future
A robust response to this conundrum would be to make serious improvements in India’s cyber posture, as the country has recently started to do. The announcement in March of this year that India will have a Defense Cyber Agency that will rely on existing capability from the armed forces to better respond to cyber attacks is a promising start. But such an initiative may be insufficient to deter China given the meager spending devoted to cyber defense. Moreover, it is not entirely clear how relying on existing capabilities from the armed forces can limit attacks that have been undeterred by such capabilities. Part of the problem is that India is trying to go at it alone, aiming for an internal capabilities buildup that lags behind China’s investment in cyber weapons’ capacity to infiltrate defenses.
The country would benefit from leading an effort to create a multination cyber coalition (MNCC), a common defense partnership for countries in Asia at the highest risk of cyber attacks from China. Such countries could most likely include China’s other enduring rivals such as Japan. The MNCC countries would harness their collective cyber capabilities and knowledge to better identify and respond to cyber attacks. Such an initiative could resemble NATO’s approach to cyber defense more so than the Association of Southeast Asian Nations’ new efforts to develop cyber norms and confidence building measures in Asia Pacific. While countries are still responsible for their own cyber defenses, NATO supports its members by sharing real-time intelligence on threats and best practices for handling such threats. Investments in education, training, and exercises are key aspects to strengthening capabilities. The MNCC could offer similar benefits to its members as well as the opportunity to receive assistance from rapid reaction defense teams that could respond to more severe threats.
Creating such an initiative would be equivalent to bolstering countries’ deterrence by denial strategy simply by making it harder for China to achieve the key objectives behind its cyber attacks thanks to more robust defenses. The added benefit of the multinational approach is that it would discourage China from responding aggressively to any individual state that joins the initiative as embracing even more escalatory posture against all members could risk the kind of international crisis that might not be in China’s interest. Furthermore, the MNCC’s focus would be defensive in nature, leaving the development of offensive cyber capabilities for each state to pursue individually. This would improve deterrence by denial while reducing China’s likely negative reaction to what would be a defensive rather than an offensive initiative.
Leading the effort to establish a multination cyber coalition might be India’s best bet for developing a robust, long-term cyber prevention strategy for the future that promotes national security while concurrently reducing the possibility of conflict escalation.