'Lack of consensus hampering holistic action on cyber security' (Book Review)
Book: Securing Cyberspace - International and Asian Perspective; Editors: Cherian Samuel & Munish Sharma; Publisher: Pentagon Press; Pages: 346; Price: Rs 1,295/$34.95
"There is a lack of consensus in the international community on the norms of behaviour in cyberspace" and this is leading to ad hocism and preventing the issue being addressed in a holistic manner, writes noted security expert Arvind Gupta in the opening chapter of this book, which is a compilation of 24 presentations made at the 18th Asian Security Conference hosted by the Defence Ministry-funded think-tank Institute of Defence Studies and Analyses (IDSA).
Gupta believes that we are at a stage where technology is far ahead of cyber laws and cyber norms. While the UN Group of Government Experts (UNGGE) has proved to be a useful platform to discuss these issues, the absence of "a broader representative platform where contentious issues can be hammered out and consensus arrived at" is absent.
"Ad hoc groups adopting ad hoc procedures to deliberate over ad hoc cyber-security agendas will not necessarily build a consensus," he writes.
Gupta, incumbent Deputy National Security Advisor and a former IDSA Director General, says the global community needs to come together to discuss how to deal with growing threats in cyberspace, and serious reflection is needed on whether the world needs a Cyber Convention on cyber-security.
"Unlike the other commons, namely the land, sea and space, wherein international law has grown immediately, cyberspace is still largely lawless. Sustained discussion by international experts is necessary to generate ideas on the way forward towards building a consensus on cyber-security issues," contends Gupta.
Closer home, India also faces the "daunting task" of stopping and preventing cyber-attacks on its networks.
India will, in fact, have to study the evolution of the idea of cyber deterrence. To build an effective cyber-deterrence capability would require robust networks "that can be defended, encouraging comprehensive R&D in the area of cyber-security and strengthening indigenous manufacturing of ICT products". Not to speak of strong cyber diplomacy "to ensure that India is not at the receiving end of the emerging ICT Export Control regime under the Wassenaar Agreement".
Gupta maintains that there is a need to analyse the patterns of cyber-attacks against India so as to adopt suitable counter-measures, "including the capability to conduct cyber operations, if required". The country must internalise the "increasingly assertive cyber-security doctrines that are being adopted by other countries" as it works out its own cyber-security doctrines.
Holding that cyber-attacks cannot be seen in isolation, Gupta says that cyberspace today has close links to "other domains of warfare, namely, land, water, air and space".
This implies "that cyber-attacks will not be seen merely as that. The retaliation in non-cyber form, i.e., retaliation through non-cyber means, including possibly military means, cannot be ruled out. Cyber-attacks, as means of warfare, would only enlarge the battle domain. Cyber-warfare may induce states to opt for full-spectrum deterrence".
The book has been divided into two sections -- International Perspectives on Cyber-security and Asian Perspectives on Cyber-security.
Among its highlights: Sanjeev Relia, a serving Colonel in the Indian Army, seeks a clear delineation between the different non-state actors. In the first instance, there are the good non-state actors, like companies and nonprofits who are largely responsible for the creation and maintenance of cyberspace. The bad non-state actors can be sub-divided into those who form part of radical organisations such as the ISIS and Al-Qaeda; also referred to as cyber-terrorists.
There also are the cyber militia -- a group of volunteers willing and able to use cyber-attacks or other forms of disruptive cyber actions on behalf of a nation state in order to achieve a political goal. Increasingly, state agencies are co-opting such militia to carry out terrorist activities in cyberspace.
The book's editors, Cherian Samuel and Munish Sharma (both with the IDSA), hold that as an economic and geopolitical organisation of eight countries, the South Asian Association for Regional Cooperation (Saarc) can play a pivotal role in capacity-building as well as coordinating cyber-security efforts of all the members facing non-traditional security threats, such as cyber-terrorism and cyber-crime, from non-state actors to both their populace and businesses.
Nandkumar Saravade, a former IPS officer who has served as CEO of the Data Security Council of India, points to a rather grim scenario: India lacks the necessary structures and capabilities within the country to understand complex cyber-security issues, and the government has to build the necessary frameworks to engage in consultations with the key stake-holders and develop a position on key cyber-security issues.
Liam Nevill of the Australian Strategic Policy Institute's International Cyber Policy Centre holds that cyberspace can be a force-multiplier in tackling the many problems of the Asian region: From lowering traditional barriers to development and providing access to health and education resources. It provides an easy way for the advanced economies to help the less developed, in the process improving connectivity as well. However, none of this would be possible without a stable and secure cyberspace.
Comparing the American and Chinese perspectives on cyber-security, Cuihong Cai, an Associate Professor of International Relations at the Center for American Studies at Shanghai's Fudan University, contends that over-interpretation of cyber-security risks strengthens the threat cognition, which results in conflicts and control-oriented security practices. It further leads to trust-deficit and weakening of rules, resulting in the self-fulfilling prophecy of heightened cyber conflicts.
In sum, this is definitely a "must have" volume.
(Vishnu Makhijani can be contacted at firstname.lastname@example.org)