Can Offensive Cyber and Information Control Capabilities Be Simultaneously Measured?
The Belfer Center for Science and International Affairs at the Harvard Kennedy School recently published a detailed report on a National Cyber Power Index 2020 (NCPI), which creates a ranking system for the “cyber power” of 30 countries. The NCPI defines cyber power as a function of the country’s intent and capability using a set of 32 intent indicators and 27 capability indicators developed by the researchers. The indicators are grouped under seven broad objectives that countries pursue using cyber means, including surveillance, defense, offensive capability, manipulation of the information environment, intelligence, commercial and industrial growth, and norms.
India ranks 21st in the overall NCPI ranking. It did not
make it to the top 10 in any of these categories and is classified as a
“low-intent, low capability” cyber power — certainly not good news for
strategists in the most cyber-attacked nation in the world. Additionally, faced
with an ongoing uncertain environment at India’s borders, with aggressive
Chinese posturing turned into an occupation of territory Beijing has not
disputed before, China’s ranking as a top contender to displace the United
States’ technological superiority should undoubtedly be the most worrying for
India.
Before policymakers tasked with formulation of India’s
much-awaited National Cyber Security Strategy rush back to the drafting table
in dismay, let us take heart in the observation that Israel too is suspiciously
low in the rankings for cyber capability. This is despite Israel’s formidable
prowess in the cyber and intelligence domains, now (in)famous in India, courtesy
the NSO Group’s Pegasus spyware controversy. The Belfer Center report
acknowledges that Israel’s low ranking on cyber capability is an anomaly and
points to the use of only publicly available open-source information, which
does not reveal much about covertly conducted cyber operations. This anomaly
opens up the analysis and rankings to broader criticism.
In this article, I identify certain points of tension within
the chosen criteria, to illustrate the inherent difficulties in measuring cyber
power accurately in a context where information controls deployed by the state
to hide capabilities function effectively.
As a preliminary objection, technologists would very likely
point to the difficulty of separating cyber defense from cyber offense and intelligence
in practice as an inherent weakness in considering these separately in any
analysis. Further, if we deconstruct the rankings across objectives studied to
deduce which elements of the cyber power playbook are being prioritized by a
particular country, the logic of the indicia adopted starts to break down.
India ranks relatively high on norms, intelligence,
commerce, and defense (in descending order) but lowest on information control,
offense, and surveillance (in ascending order). Defense appears to sit in the
middle of India’s cyber power priority list. India’s overall ranking on the
NCPI suggests that India has low cyber capability weighed down by even lower
intent.
With respect to India’s cyber capabilities, it is very
surprising to see India ranked the lowest in the Cyber Capability Index on both
information control and surveillance. For rankings on these two objectives
under intent, India ranks significantly higher for surveillance, but is at the
bottom of the ladder in information control. This appears to be starkly at odds
with the on-ground reality of surveillance and information control in India.
It seems intuitive, even simplistic, to state that publicly
available information is extremely limited, especially on strategically
sensitive matters like cyber defense, cyber offense, and especially information
control. But the effectiveness of information control measures to prevent
leakages of such sensitive information, especially covert operations in many of
the jurisdictions studied, could introduce distortions in perceptions of power
and its analyses. These distortions would, in theory, be proportionate to the degree
to which information control measures prove effective in preventing leakage of
sensitive information into the public domain. The challenge thus lies in the
near-total non-observability of the effectiveness of information control
measures. In this manner, the inclusion of information control as an objective
of a cyber power appears to militate against accurate readings of data gathered
with respect to indicators for other objectives.
A recent blink-and-miss regulatory development in India’s
export control regulations, for instance, suggests that there is a lot more to
cyber policy and cyber power than meets the eye.
On June 11, India’s Directorate General of Foreign Trade
(DGFT) amended certain items listed in a Schedule appended to the “Indian Trade
Classification based on Harmonized System of Coding,” better known as the
ITC-HS classification system. One of the insertions made by this amendment in
the Schedule falls under Category 6 (Munitions) of the Special Chemicals,
Organisms, Materials, Equipment and Technologies (SCOMET) export-control list.
One item, numbered as 6A021 in this list, explicitly referred to software
“specially designed or modified for use in military offensive cyber
operations.” VoilĂ ! India’s first official acknowledgement of offensive cyber
capabilities. Given that the executive documents that vest legal authority in
India’s external intelligence agency, the Research and Analysis Wing (R&AW)
as well as India’s technical intelligence agency, the National Technical
Research Organization (NTRO). remain classified, chancing upon this little
piece of OSINT seemed too good to be true.
On July 10, we published a brief update about this
regulatory development, juxtaposing it with a quote from an interview of
India’s National Cyber Security Coordinator, where he asserted that India has
no plans to procure “cyber weapons or anything like that.” A few days, perhaps
weeks later, an updated and sanitized version of the same regulations was
uploaded on the DGFT website, which erased this terminology from the text
altogether. The text of the original amendment can be accessed at the end of
this piece.
When attempting to answer the question whether India has
offensive cyber capabilities based solely on publicly available information,
there are several plausible explanations and interpretations of this chain of
events.
Depending on one’s perspective and distortions in perception
at play, one may believe this to be clear evidence of India’s acquisition of
offensive cyber technologies (whether indigenously developed or imported
remains unclear) that are now restricted for export outside India. If this is
the case, the change signals a failure of intra-government information controls
followed by a rather clumsy restoration of those controls. On the other end of
the spectrum, one could attribute the initial reference to “offensive cyber”
simply to bureaucratic lethargy — made
evident by the use of terminology imported from another jurisdiction’s export control
regulation — as an inadvertent error that was later corrected.
For researchers of cyber policy, this necessitates a finer
dissection and critical analysis of the constituent elements of cyber power,
its indicators, and their prioritization in relation to one another, as well as
the publicly available information relied on in the construction of the NCPI.
Comments
Post a Comment