Cyber attacks are frequent and universal these days with an ever-expanding Internet of Things (IoT). To avoid suffering damaging attacks, it’s crucial to stay ahead of the curve rather than be reactive.
Offensive security has become a significant element in a country’s cyberspace today. It is a proactive and adversarial approach to protecting computer systems, networks and individuals from attacks. Offensive security measures focus on seeking out the perpetrators and, in some cases, attempting to disable or at least disrupt their operations.
Offensive security represents a new age of proactive security measures. India has the ability to go on the offensive to prevent cyber attacks. However, in the absence of a national policy in this regard and of clearly defined dedicated agencies, India has not really been able to demonstrate its offensive capability in preventing cyber attacks.
In an exclusive chat with The Voice of Nation, Pavan Duggal, leading expert on cyber security and cyber law, expressed his concerns as well as his insight. “I completely agree that cybersecurity is not just a governmental responsibility alone, it has to be a collaborative approach between the government and the private sector. There is a need for a far more open approach on cybersecurity.
“We cannot, as a nation, afford to sit back and be a spectator while Indian critical information infrastructures are continuously being made targets of cyber attacks. The Indian approach of being reactive in the direction of only reacting to cyber attacks and critical information infrastructure has to give way to far more proactive approaches. India needs to go after all state and non-state actors who target Indian computer systems, networks as also India’s sovereignty, security and integrity and India’s sovereign interests in cyberspace. For that, there is a need for crystal clear political will and adequate enabling legal frameworks which can help facilitate India to achieve this position.”
Mr Duggal elaborated: “In the event of an all-out conflict, India does have some brilliant minds and we do have, in pockets and isolated buckets, the ability to target the critical information infrastructure of an adversary. However, India does not yet have a dedicated cyber army in place. There is a need for a holistic cybersecurity strategy which can effectively not just plan but implement the various levels of targeting the critical information infrastructure of an adversary. Currently, however, India is not yet prepared in this regard. India does not have a cybersecurity law, and also does not have an appropriate national policy in this regard. The national policy on cybersecurity has just been a paper tiger and there is a need for a far more cohesive, holistic approach towards cybersecurity.”
India currently does not have a documented policy on offensive cybersecurity, as per information available in the public domain. As such, it is hard to comment on whether India officially maintains a first-use or no-first-use policy on offensive cybersecurity.
He pointed out, “Offensive cybersecurity does fall in place under the legal framework, but it needs to be supported by enabling legal frameworks which can help support such an activity. In today’s scenario, where countries are increasingly focusing on protecting and preserving cybersecurity, having in place adequate effective legal frameworks which can help offensive cybersecurity operations would definitely assist countries, especially India. It is very important, India as a nation has to quickly realize that it is going to be one of the biggest IT super powers. However, not much work has been done in terms of protecting India’s cyber sovereignty. India has the right to protect its space by preventing a potential attack.”
India as a nation does not have a dedicated approach to critical infrastructure protection. No wonder India does not have a dedicated law on the protection and preservation of critical information infrastructure. India also does not have a national critical infrastructure protection policy. This is likely to prejudicially impact India and its sovereign interests in the coming times, because large chunks of critical infrastructure are not just in governmental hands but also in private hands. Hence, there is an absolute necessity for identifying the roles and responsibilities of the different stakeholders in critical infrastructure protection in India.
“India’s offensive cyber capability should be built up along with reliable and effective cybersecurity as a national strategic imperative. India has to quickly realize that its future as an IT superpower is dependent upon protection and preservation of cybersecurity. India needs to take all steps possible to not just protect and preserve but also expand the scope, ambit and applicability of its cyber sovereignty. For that, India requires a holistic national legal approach on cybersecurity which is missing. India has not yet activated and implemented the National Security Policy of 2013, which has only remained a paper tiger.”
On China, Mr Duggal said, “As per information available in the public domain, China does have offensive ability; India needs to definitely be taking that into consideration. This is so given the state of the relations between India and China. India does not need to be scared, but needs to definitely keep in mind their offensive ability and come up with appropriate response mechanisms to give a fitting reply in the event India is targeted. India must take all steps possible in its power and position to protect and preserve its sovereignty, security and integrity and to ensure that its cybersecurity and its cyber ecosystem, as also cyber sovereignty, is well protected and preserved in the coming times.”