Cybersecurity Governance in South Asia: India and Pakistan
Across the world, an increasingly complex and sophisticated cybersecurity architecture and accordingly growing threats and attacks require States to continuously advance and invest in cybersecurity defense mechanisms as well as offensive capabilities. The terms cybersecurity and cyberwar have become ubiquitous when it comes to current conflict dynamics, in response to which we can observe increasing multilateral efforts to (attempt to) regulate and govern cyberspace. Already in 2013, the Tallinn Manual, published by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), provided a flagship study that addressed cyber operations and examined the applicability of the international legal framework to cyber conflict, indicating the global threat emanating from cyber warfare (Robinson et al., 2015).
In the wake of the war in Ukraine, the Council of the European Union has recently highlighted cyberspace as an “arena for geopolitical competition” (Council of the European Union, 2022) and adopted conclusions on the Union’s cyber posture; and the UN has kicked off negotiations on a global treaty on cybercrime, a process that was instigated by Russia prior to the beginning of the war in Ukraine (Tennant & Walker, 2022). Moreover, the COVID-19 pandemic has further exacerbated the reliance on digital technologies, and therefore also led to greater vulnerability to cyberattacks and a corresponding hype about cybersecurity. This shows that efforts to govern cyberspace are not solely a result of increasing and untamable digitalization but are also heavily connected to current geopolitical events.
Studies about how cyberspace should be secured and governed have also increased accordingly, whereby in particular the links between digital technologies and the military have captured scholars’ attention. These discussions have gained new momentum in light of the Ukraine war, which has set an alarming precedent: Already in 2016, the cybersecurity company Mandiant called attention to cyberattacks on Ukrainian power systems (allegedly) carried out by the Russian cyber-military unit “Sandworm” (Tech Accord, 2022). The company has established three (primary) stages of cyberoperations that have been instigated against Ukraine:
“Stage 1: Strategic cyber espionage focused on Ukraine and EU/NATO government bodies, Stage 2: Prepositioning of disruptive cyber effects in critical infrastructure, and Stage 3: Persistent cyberattacks as part of kinetic operations throughout invasion” (Tech Accord, 2022).
Whether these cyberattacks, also called cyber effect operations (intended to disrupt/destroy an opponent’s assets), must be seen as a sophisticated version of traditional warfare or as a military revolution thereby constitutes a general dividing line between cyber enthusiasts and more moderate perspectives that have been noted by experts in the field (Solar, 2020). However, all future global conflicts are expected to have a strong cyber component.
The combination of the words cyber + war, attack, defense, conflict, force, operation, security, crime, etc. thereby allows for seemingly endless possibilities to describe what digital technologies have allowed for and to consequently securitize the cyberspace (Deibert & Rohozinski, 2011; Douzet, 2020). However, while more than 40 States have publicly established some sort of military cyber command over the course of the last decades (Smeets, 2022), most studies have focused on cybersecurity in the western hemisphere. This article attempts to shed light on the complex dynamics of cybersecurity governance and cyber defense in the South Asian region, namely between India and Pakistan. The 2019 Pulwama attacks are thereby taken as an entry-point into the discussion about cyber capabilities and the importance of cybersecurity governance for conflict-States. Following an overview of different approaches and frameworks around cybersecurity by India and Pakistan, potential future trajectories to cybersecurity governance will be discussed.
Rising tensions and shifting power relations: The Pulwama attacks
On February 14, 2019, a suicide bomber killed 40 members of the Indian Central Reserve Police Force in Pulwama, marking the deadliest terrorist attack on Indian Security Forces in Jammu & Kashmir since 1989 (BBC News, 2019). Following the Pulwama attack on Indian paramilitary forces - for which Pakistan-based Islamist terrorist group Jaish-e-Mohammed claimed responsibility - tensions between India and Pakistan reached a new peak, resulting in the 2019 India-Pakistan border skirmishes. While many observers have focused on the risk of a new, intensified kinetic conflict, the attacks have also yielded consequences in the cyber realm. Malware and phishing attacks (aimed at stealing classified information) between India and Pakistan increased massively during that time, and US-based tech company Netscout has tracked six Indian and three Pakistani advanced persistent threat (APT) groups, presumably State-backed hackers from both countries (Farmer, 2019). Moreover, US agencies have supported India in retrieving WhatsApp messages by involved Jaish-e-Mohammed cadres, resulting in a shift to more secure messaging applications in the aftermath of the Pulwama investigations (Pandya, 2022).
While the Pulwama attack presented a new stage of escalation both in the cyber sphere and on the ground, with the cyber sphere often being neglected in political analysis, these trajectories have been a long time in the making. Developing from 2010 onwards, when “Kashmir witnessed the undercurrents of internationalization in several ways” (Pandya, 2022), the Internet Era led to the rise of encrypted communication providers and applications, including WhatsApp, Telegram, Signal and the Turkish messaging application BiP (The Kashmir Monitor, 2021). This in turn led to dramatic changes in (counter-) terrorism operations in South Asia, which Pandya (2022) describes as a shift from human intelligence to technical intelligence. The arrival of the infamous Pegasus software developed by the Israeli company NSO Group led to the widespread use of technical intelligence in counterterrorism operations by Indian security forces, and thus significantly altered the nature of counterterrorism operations. Pegasus spyware was thereby able to exploit iOS and Android phones by harvesting information from apps, ultimately allowing its operators to read text messages, track locations, collect passwords and access the target’s microphone and camera. This led to a cat and mouse spy game between terrorist organizations and State actors, with terrorist groups switching messenger apps and using the dark web to hide their operations and make it difficult to monitor them.
The incident has shown that extensive cyber capabilities have the potential to significantly shift power relations in complex power struggles, such as the one in Jammu & Kashmir. Not only do terrorist groups make use of encrypted communication and technological advances to disguise their operations, they can also advance their offensive capabilities. Since the low entry costs for cyber warfare benefit actors with fewer resources, cyberattacks offer a comparatively cheap way to inflict serious damage from a distance, especially when critical infrastructure is targeted. This means that apart from cyberattacks on critical targets, the cyber sphere also allows for encrypted communication, espionage activities and not least massive disinformation campaigns, all of which have materialized in Jammu & Kashmir. Terrorist groups make use of encrypted communication applications, virtual private networks (VPNs) and The Onion Router (TOR) networks to plan their operations, and States need to advance their technological intelligence capacities accordingly. The Pulwama attack is an example of the way in which new technologies alter security dynamics and in which battles are increasingly fought in the cyber realm, with States - like in this case India - having to invest heavily in and expand their cyber defensive and offensive capabilities.
India’s cybersecurity architecture and threats
The cybersecurity architecture of India is complex and difficult to disentangle due to distributed responsibilities and various cybersecurity arms. Several agencies and ministries are involved in the management of cybersecurity issues in India, including the Ministry of Home Affairs, the Ministry of Defence and the Ministry of Electronics and Information Technology, leading to a fragmented approach to cybersecurity by different units within the respective ministries (see Figure 1). Plans for an operational e-surveillance agency, the National Cyber Coordination Centre (NCCC), received approval in 2014 but have remained controversial due to surveillance and privacy concerns (Keck, 2013; Parmar, 2018). The NCCC works under the Indian Computer Emergency Response Team (CERT-In), the cybersecurity division in the Ministry of Electronics and Information Technology, which has powers under the Indian constitution and the 2000 Information Technology Act. While CERT-In is a response agency to cybersecurity breaches and attacks on a national level, the NCCC is tasked with the coordination between law enforcement agencies, information sharing and the development of a cybercrime prevention strategy as well as the review of outdated laws (Ahuja, 2022).
Figure 1. Source: Ahuja (2022)
Some of these institutions and units were already decided upon in 2013, when the government of India formulated its first National Cyber Security Policy under the oversight of the Home Affairs Ministry. In the face of a growing Information and Communication Technology (ICT) sector in India, and its pronounced role in the global ICT market, the policy guidelines focused on the provision of a secure computing environment that increases trust in electronic transactions (Luiijf et al., 2013). Despite this initiative, observers have noted that the policy still lacks proper implementation and that many projects and initiatives have remained “on paper only” (Parmar, 2018). However, India’s cybersecurity governance efforts have also yielded strong results. Jumping 37 positions up, the country was ranked 10th on the United Nations International Telecommunication Union (ITU) Global Cybersecurity Index in 2020 (ITU Publications, 2022).
This expansion of cyber capabilities has become urgently necessary because India is one of the nations most targeted by cyberattacks. Large data breaches of companies such as Air India (BBC News, 2021) and the digital payment provider Mobikwik (The Hindu Business Line, 2021), both attacked in 2021, have disclosed the growing threat exerted by cyber effect operations, which have increased massively throughout the COVID-19 pandemic, among other reasons due to an increasing reliance on digitization. However, attacks have not only targeted (private) companies, but also critical infrastructure such as the energy sector, thus directly jeopardizing national security (Srinivasan, 2022). In addition, India’s growing nuclear program is integrated with cyber technologies, increasing the risk of attacks and potential sabotage (Mohan, 2021). Already in 2014, scholars drew attention to the fact that while the power sector is particularly prone to attacks, no sector-specific cybersecurity regulations are in place (Ananda Kumar et al., 2014). Given these new threats aiming to destroy the technical infrastructure of a State, the following section will discuss how these concerns have already started to materialize, most notably in attacks by Chinese-linked hacker groups.
As an additional scheme, India’s Cybercrime Coordination Centre (I4C) - a government initiative directed at cybercrime - functions as an umbrella organization under the Ministry of Home Affairs Cyber and Information Security Division, and includes a cybercrime reporting portal (Ministry of Home Affairs, n.d.). Tasked with intelligence coordination, I4C was inaugurated in January 2020 and most notably pushed for a ban of 59 China-linked mobile apps, including TikTok, in June 2020 on the grounds of suspected backdoors that steal users’ data. The formal order to ban the applications was fast-tracked following the Ladakh crisis, a border standoff between India and China in the Galwan valley in eastern Ladakh in May 2020, where Indian-administered Jammu & Kashmir borders Chinese-administered Aksai Chin. The incident resulted in the death of 20 Indian and four Chinese troops (Anbarasan, 2021; Tarapore, 2021) and has severely deteriorated bilateral relations between India and China. Additionally, the incident is another example of the intertwinement between physical standoffs and the struggle for control in the cyber-realm, and thus of the new national security dynamics that increasingly securitize ICT.
When a massive power outage occurred in Mumbai after the Ladakh crisis on October 12, 2020, it was suspected that a malware attack by the Chinese People's Liberation Army (PLA) had caused the problems. Although the malware - targeting electric supply management systems, a high-voltage transmission substation and a coal-fired power plant - was ultimately not found to be responsible for the power cut, the incident has raised awareness about the increasing necessity for cyber preparedness in critical infrastructure (Ahuja, 2022). The US-based company Recorded Future has published a study about the targeting of the Indian power sector by the Chinese-linked RedEcho group, in which they find that the “Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation” (Recorded Future, 2021). Moreover, the conspicuous placement of malware has further been interpreted as a warning and “the newest form of both aggression and deterrence” (Sanger & Schmall, 2021). As opposed to the traditional ultimate deterrent – the nuclear arsenal – cyberattacks give countries a different option that is “less devastating than a nuclear attack, but capable of giving a country a strategic and psychological edge”; the authors also stress that “Russia was a pioneer in using this technique when it turned the power off twice in Ukraine several years ago” (Sanger & Schmall, 2021). What ultimately becomes clear is that aggressions in cyberspace, although less visible and tangible to a broader public, are intimately linked with, and often precede or promote, physical attacks and escalations, and thus deserve close attention and detailed analysis.
Especially with regard to Chinese attacks, India’s military experts have further voiced their concerns about the dependence on foreign hardware and software that is crucial for the country's power sector and rail system (Sanger & Schmall, 2021).
Observers like Bhattacharjee (2022) have shed light on the fact that to foster cooperation and cyber diplomacy efforts, an updated National Cybersecurity Policy is necessary to focus on the creation of a consistent, robust cybersecurity framework throughout the country and to control the growing threats in the digital sphere. In 2021 alone, more than 1.15 million incidents of cyberattacks were tracked and reported to India’s CERT-In, with ransomware attacks (ransomware is a specific type of malware that encrypts the victim’s data and is often used to blackmail entities) increasing by 120% (Ahuja, 2022). India is thereby most worried about strategic adversary China; however, the NCCC under Lieutenant General Rajesh Pant - who served 41 years in the Army Corps of Signals - is also collecting information about the cyber capabilities of neighboring Pakistan, which is suspected to coordinate its cyber-attacks with China (APSM, 2021).
Apart from the ban of Chinese-linked mobile apps, India’s diplomatic approach to cybersecurity governance in the area of telecommunication exhibits a significant difference from the US:
“While the US comes out with negative lists of Chinese tech companies like Huawei and ZTE which are barred from working with US firms, [National Cyber Security Coordinator Lieutenant General Rajesh] Pant is quietly drawing up a ‘positive’ list, from which Indian entities can choose their partners. This also has enabled India to sail through the world of global commerce without ruffling diplomatic feathers” (Ahuja, 2022).
Additionally, India has undertaken steps to enhance its cyber diplomacy on a regional and international level. This includes bilateral agreements centered on information sharing, cyberattacks and protective measures as well as law enforcement in the cyber realm with the US, Japan, the UK, Australia and Israel. These circumstances show that in order to keep up with the rapid development of China-sponsored groups like RedEcho, Double Dragon (APT41) and Barium, India needs to step up modernization efforts in non-traditional military domains, namely its cyber capabilities, implement a comprehensive national cybersecurity framework and improve cooperation and trust between government agencies and private sector companies in order to enhance a trustworthy cybersecurity architecture that can withstand (terror) attacks and foster the digital transformation.
Digital transformation is a keyword that is also particularly important in the Pakistani context. With a large young population, internet use in Pakistan is on the rise and has increased by 21% between 2020 and 2021 alone (Khan, 2021), hinting at the potential for a digitalized Pakistan and a flourishing ICT sector that many people believe offers the solution for large-scale administrative problems and social issues in the country. Pakistan is thereby increasingly adopting government and economic e-services, despite observers attesting to a lack of cybersecurity readiness (Shad, 2022). Just like India, Pakistan is a nuclear State in an important and contested geopolitical position, and thus also increasingly exposed to cyberthreats. The country has taken preliminary, although limited, steps to address conflicts in the cyber realm, and ranked 79th in the ITU Global Cybersecurity Index 2020 ranking (ITU Publications, 2022).
Throughout the years, the Pakistani government has taken sporadic steps with regard to cybersecurity, which are presumably also related to the Edward Snowden leaks that detailed the US National Security Agency’s (NSA) spying on Pakistan’s civil-military leadership through malware and strained the US-Pak relationship (Baig, 2019). In the aftermath of the NSA files, Pakistan started to address information security gaps, for example with the 2016 “Prevention of Electronic Crimes Bill” (PECB) that introduced punishments for cybercrimes such as cyberterrorism and electronic forgery (Zia et al., 2017). The bill attracted criticism for its vague definition of cybercrimes, the potential undermining of freedom of expression and the lack of comprehensive mechanisms to enforce the bill (Shad, 2022). In addition to the PECB, Pakistan adopted its first Digital Pakistan Policy, comprising technological infrastructure and institutional frameworks, in 2017, and 2018 saw the creation of the National Center for Cyber Security in order to bridge academia and industry and foster academic research on the legal framework and processes in the realm of cybersecurity, acknowledging that constant monitoring and adaptations have become necessary (Pakistan Ministry of Information Technology and Telecommunication, 2018). Due to the rivalry between India and Pakistan, both countries are suspected of targeting each other by means of cyberattacks, and when mobile phones of senior Pakistani officials were hacked with Pegasus spyware in 2019, Pakistan suggested that Indian intelligence was behind the attack, although these claims could never be proven (Qadeer, 2020).
However, Pakistan’s first National Cybersecurity Policy was only adopted in July 2021 and points out several challenges and associated risks in the realm of cybersecurity, such as a limited governance framework. Shad (2022) explains that “the [previous] absence of a cybersecurity policy has contributed significantly to the country’s low performance in meeting cybersecurity criteria, particularly those related to technical, capacity-building, and collaboration measures”. One of the reasons for the absence of a long-term cyber strategy is the lack of prioritization of cybersecurity governance and political instability in the Pakistani context that has halted developments with regard to cyber preparedness.
Unlike India, Pakistan has not yet established a national CERT. Instead, two private bodies provide information on cyberthreats and capacity-building: the Pakistan Computer Emergency Response Team (PakCERT) and the Pakistan Information Security Association Computer Emergency Response Team (PISA-CERT). This means that a centralized and coordinated response to threats in cyberspace remains absent, as does a mandated, self-contained organization for cybersecurity (attacks) at the national level. However, the country has established a National Response Centre for Cyber Crime (NR3C) under the Federal Investigation Agency (Shad, 2022) and acknowledged its heavy reliance on imported hardware, software and services (from China). Its National Cybersecurity Policy states that “this reliance, inadequate national security standards, and weak accreditation has made computer systems in Pakistan vulnerable to outsider cyberattacks and data breaches through embedded malwares, backdoors, and chipsets” (Pakistan Ministry of Information Technology and Telecommunication, 2021).
The slow but steady rise of cybersecurity issues on Pakistani policy agendas reveals a change in security thinking, but also a gap in governance and institutional frameworks and human resources to keep up with emerging cyberthreats. As a country prone to foreign espionage, observers point to the fact that Pakistan needs to step up its efforts and investment in strengthened digital infrastructure and strengthen existing initiatives like the NR3C. A possible next step for the development of Pakistan’s cybersecurity governance structure is the identification of relevant organizational, technical and legal requirements for the proper implementation of the National Cybersecurity Policy, and the establishment of a designated organization under the government as the central entity for cybersecurity-related measures (Shad, 2022). Due to the absence of such an entity, and the failure to define “critical infrastructure” in the National Cybersecurity Policy, a policy response to such cyberattacks is still missing, although highly relevant for a nuclear State with an important geopolitical location and several sources of conflict. Pakistan thus needs to develop a multi-faceted approach to cybersecurity that combines academic, policy and military perspectives in order to address these challenges.
Cyber diplomacy and regional cooperation
Due to the globalized nature of cyber effect operations, regional cooperation in the realm of cybersecurity is also increasing. Leaders of the Quadrilateral Security Dialogue (QUAD), comprising Australia, India, Japan and the US, have pledged to continue cybersecurity cooperation under the Quad Cybersecurity Partnership. Their joint statement acknowledges “an urgent need to take a collective approach to enhancing cybersecurity” and highlights the commitment “to improving the defense of our nations’ critical infrastructure by sharing threat information, identifying and evaluating potential risks in supply chains for digitally enabled products and services” (The White House, 2022).
However, QUAD’s increasing focus on critical and emerging technologies is only one of the cooperation initiatives with regard to cybersecurity. India, for example, is also part of the UN-premised Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (UNODA, n.d.). While both India and Pakistan are part of the “International Multilateral Partnership Against Cyber Threats” (IMPACT), the cybersecurity executing arm of the ITU, Pakistan has not concluded any international cybersecurity agreements and lacks collaborative public-private partnerships. Although the importance of international cooperation is acknowledged and stipulated in Pakistan’s 2016 PECB, there remains a lack of practical initiatives (Shad, 2022). One possible explanation for Pakistan’s lack of such initiatives and agreements might be its close collaboration with (and reliance on) China regarding the China-Pakistan Economic Corridor (CPEC), which includes deepened cooperation with regard to ICT.
Conclusion and outlook
Governments have increasingly seen ICT as a strategic asset for national security and as a battlefield for strategic conflicts (Parmar, 2018). National security thus needs to be revisited and adapted to new, previously unfamiliar, dynamics and evolving threats, and offensive capacities need to be expanded. A closer look at terrorist attacks like the Pulwama attack and the Ladakh crisis shows that (State-sponsored) terrorism and more traditional conflicts between States have gained a new layer, in which cyber conflicts can contribute to or even trigger military conflict. While there have not been any major, large-scale cyberattacks between India and Pakistan, the cyber aspects of conflict - while often neglected - have the potential to be a true game-changer in the future conflict dynamic between the two countries. The comparatively low costs of cyber effect operations allow actors with limited military capacities, like terrorist organizations, to cause relatively great damage. This is particularly true if critical infrastructure and State technologies are not well protected and are targeted by an adversary State or a third-party APT group.
Due to the secretive nature of cybersecurity attacks, it is difficult to properly assess countries’ readiness for and involvement in cyber effect operations. What the previous discussion has shown is that for both India and Pakistan, a coordinated and targeted response to cyberattacks is lacking, while it is important to stress that both countries show a different degree of preparedness for cyber effect operations, as indicated by the ITU Global Cybersecurity Index. A closer look at India’s cybersecurity governance structures shows that several different agencies under different ministries are responsible for specific domains of cybersecurity, which can lead to an unclear distribution of concrete responsibilities in case of an attack. The communication between different cybersecurity arms and agencies as well as the immediate reporting of attacks, also by private companies, thereby poses a significant challenge to quick and coherent responses to cyber effect operations. One of the main challenges for India is to identify overlapping responsibilities and to integrate various agencies and cybersecurity arms to achieve a coherent procedure and mechanisms to address cyberattacks. Pakistan’s National Cybersecurity Policy 2021 provides a much-needed direction for cybersecurity, but the country now needs to provide the necessary resources to enable the proper implementation and to improve its cybersecurity capacities.
The application of international law in cyberspace thereby plays an important role, looking for example at the breach of Air India data. While data of Air India passengers was stolen, the attack targeted SITA, a Geneva-based air transport company, and thus happened outside of Indian jurisdiction. This has severely limited the influence of Indian cybersecurity experts (Ahuja, 2022), and also hints at the increasing importance of international cooperation, e.g., in terms of international cybersecurity agreements (for improved information-sharing and capacity-building) and public-private partnerships.
Cybersecurity aspects remain understudied due to the abstract nature of the threat posed by them. However, since attacks increasingly target critical infrastructure (including nuclear facilities) and thus threaten to become more and more tangible for citizens, security developments cannot be analyzed without a strong focus on developments in the cyber sphere. What must follow from such analysis is increasing attention by policymakers and the industry to sort out responsibilities and foster a deepened engagement with cybersecurity.
Since the ICT sector has evolved as an important catalyst for economic growth, business and governance (in India and Pakistan), cybersecurity must be an integral part of digitalization to ensure citizens’ privacy, trust and safety.
August 2022. © European Foundation for South Asian Studies (EFSAS), Amsterdam