
CYBERSPACE GOVERNANCE IN INDIA: TRANSFORM OR PERISH

Part II: India’s Cyberspace Governance Architecture and Global Practices

Introduction
With cyberspace having emerged as a new arena of conflict between nations, the
more agile nations have brought about transformative changes in their cyber defence
organisations. This three-part series analyses the important issue of cyber governance
in India. The first part presented a notional model of our National Cyberspace,
identified the different types of cyber threats from the perspective of organising for
cyberspace defence and discussed several cyber defence strategies which are
relevant in the Indian context.
This part first takes a look at our existing cyberspace governance architecture and
analyses its shortcomings. It then reviews global practices for protecting national
cyberspaces with a view to proposing suitable modifications for best addressing the
national security challenges which we are being confronted with as a consequence of
ever increasing conflicts in cyberspace.

Cyberspace Governance: Existing Set-Up


Stakeholders in Government
Before attempting to analyse the existing cyber governance architecture and
proposing changes to the same, it is pertinent to first identify agencies which by virtue
of their current charter may be called upon to play a role in securing our NII (over and
above the protection of their own cyberspace) from a national security perspective.
These are as under:-
• Ministry of Defence (MoD). As brought out above, military conflicts in the 21st
Century are being fought within a multi-domain battlespace, with cyberspace as
the newest fifth domain. The traditional role of our Armed Forces has been to
defend the Nation’s territorial integrity over land, sea and air. Therefore,
defending assets in the two new domains of space and cyberspace becomes a
natural extension of this charter.
• Ministry of Home Affairs (MHA). From the perspective of national security, the
MHA is responsible for all matters pertaining to Internal Security (IS), except in
certain special scenarios such as the situation in J&K. Thus, defence against
cyber-terrorism and in some cases cyber-hacktivism would fall under the purview
of the MHA. It merits mention here that although cyber-crime is also a mandate
of the MHA, this type of cyber threat does not have a direct bearing on national
security.
• Ministry of Electronics and Information Technology (MeitY). MeitY is
responsible for the policy, provisioning, monitoring and regulation of the entire IT
infrastructure in the country, and is hence a significant player involved in the
securing of our National Cyberspace.
• Intelligence Agencies. In addition to the intelligence set-ups within the MoD and
MHA, external intelligence agencies such as Research and Analysis Wing (RAW)
are also involved in strategic cyber operations as a natural consequence of their
mandate.

Cybersecurity Establishments
The various establishments which have been set-up for defence of our National
Cyberspace are as under:-
• National Critical Information Infrastructure Protection Centre (NCIIPC). The
NCIIPC is an organisation of the Government of India created in 2014 under
Section 70A of the Information Technology Act, 2000 (amended 2008). It is
designated as the National Nodal Agency for CII Protection. The NCIIPC is a unit
of the National Technical Research Organisation (NTRO), and functions directly
under the PMO. Its charter includes identification of CII, providing strategic
leadership in cyber threat response, assisting in the development of standards
and protection strategies, issuing advisories on vulnerabilities and cyber audit,
supporting development of relevant cyber technology, organizing training, and
coordinating with other cyber agencies including international cooperation.
However, its charter clearly states that the basic responsibility for protecting the
CII lies with the agency running the CII [1].
• Indian Computer Emergency Response Team (CERT-In). CERT-In is an
organization under MeitY with the mission of enhancing the security of our NII
through proactive action and collaboration. Headed by the National Cyber
Security Coordinator (NCSC), its role includes dissemination of information and
alerts on cyber incidents, emergency coordination and handling of such incidents,
and issuing guidelines and advisories. Broadly speaking, CERT-In looks after the
cyber security issues related to the NCII, while NCIIPC focuses on the CII [2].
• National Cyber Coordination Centre (NCCC). The NCCC is a classified project
of the Indian Government, which works as an operational cyber security and
e-surveillance agency in India. The first phase of the NCCC, set-up under CERT-In
in 2013, handles cyber security intelligence and mitigates online threats [3].
• Defence Cyber Agency (DCA). Originally established as the Defence
Information Warfare Agency (DIWA) and subsequently re-christened to Defence
Information Assurance and Research Agency (DIARA), the DCA has now been
established as a tri-services organisation headquartered in Delhi. Approval was
accorded in 2017 to upgrade DIARA to the DCA, which is a whittled down version
of the Cyber Command, establishment of which was proposed by the three
Services as early as 2012. From the limited literature available in the open
domain, it is assessed that the charter of the DCA is restricted to providing cyber
operations support to the Indian Armed Forces. The DCA is expected to have a
decentralized structure, where the bulk of the Agency will be split into smaller
teams embedded within operational forces in the tri-service commands, with the
command centre in Delhi. It also aims at putting dedicated officers in major
headquarters of the three Services to deal with emerging cyber warfare issues
[4].
• Cyber and Information Security (C&IS) Division, MHA. The C&IS Division of
the MHA deals with matters relating to cyber security, cyber-crime, and
implementation of the National Information Security Policy & Guidelines (NISPG)
prepared by it. It has established an Indian Cyber Crime Coordination Centre
(I4C) under it to tackle cyber-crime [5].

Apex Level Coordination


The National Security Advisor (NSA), who heads the National Security Council
Secretariat (NSCS), is the apex appointment responsible for national security. The
NSA is in charge of the NTRO, with the NCIIPC under it. The NCSC is the nodal officer
at the apex level for issues related to cybersecurity, and functions under the PMO
alongside the NSCS to coordinate with different agencies like CERT-In at the national
level [6].

Absence of Suitable HRD Policies and Cyber Cadre


Cybersecurity expertise is a specialisation within the computer science discipline, and
offensive cyber expertise is a further super-specialisation within the realm of
cybersecurity. Importantly, extensive experience, acquired against the backdrop of
sound theoretical knowledge, is essential for acquiring cyber expertise. Finally,
passion and persistence are vital pre-requisites for carrying out offensive cyber
warfare. All these factors dictate that cyber capabilities can only be developed by
raising a dedicated cyber cadre and implementing well thought out HRD policies based
on the principle of specialisation. As of now, it is only the Armed Forces, notably the
Army Corps of Signals, which has a dedicated cadre and training infrastructure with
requisite grounding in computer science so essential for the development of cyber
expertise. That stated, it is also important to note that although enough job
opportunities are available within the Army for acquiring cyber defence experience,
this is hindered by existing HRD policies which do not support a culture of
specialisation.
Other agencies within the Armed Forces, including its intelligence verticals, possess
neither personnel with requisite computer science background nor the training
infrastructure nor even enough cyber assignments, all of which are essential for the
creation and development of a cyber cadre. The same is true for civilian intelligence
and other cyber agencies. Private organisations, both CIIs and NCIIs, have cyber
security professionals on board, but in general these are small in number and are
cyber defence oriented, consequent to the lack of mandate with private organisations
for carrying out offensive cyber operations.

Analysis
Defence of National Cyberspace: Non-Strategic Character. Although perfunctorily
declared in our defence doctrines as a fifth domain of warfare, the treatment of
cyberspace in doctrinal thought and operational planning is far from being at par with
the physical domains. As an example, while it is undisputed that in the traditional land,
sea and air domains the Defence Forces have the primary mandate to protect every
inch of national territory (and not merely defence assets in these domains), in the case
of cyberspace the current mind-set is that the role of the Defence Forces is restricted
to protecting only the Defence Cyberspace, and does not cover the defence of our
National Cyberspace. This thinking is clearly evident in the governance architecture
currently in existence, where the Defence Forces have no role in the protection of even
our CIIs (leave alone NCIIs), which is the charter of the NCIIPC (an offshoot of a
civilian intelligence agency) across the entire spectrum of conflict. Similarly CERT-In,
the only other apex agency tasked with the defence of National Cyberspace, is under
MeitY. Even the mandate for cyber-offensive appears to rest predominantly with
civilian agencies, with only a limited mandate only recently given (reluctantly?) to the
Armed Forces. It appears that the current strategy is guided more by considerations
of tackling cyber-crime and carrying out and countering cyber-espionage. Thus, the
imperative of addressing strategic threats in cyberspace, which loom large as part of
ongoing multi-domain state-sponsored conflicts, does not seem to have dictated the
structuring of the current cyberspace governance set-up.
CIIs & NCIIs: Fighting Isolated Cyber-Battles. In the present governance
architecture, there is no central cyber force which has been made responsible for the
defence of our National Cyberspace. Both the NCIIPC and the CERT-In are advisory
bodies with no accountability for the protection of CIIs and NCIIs respectively. They
do look for vulnerabilities, issue alerts and advisories, lay down audit guidelines and
carry out training, but are not to be held accountable for any breaches in security.
Agencies running CIIs and NCIIs are solely responsible for the protection of their
respective cyber assets.
DIIs: Centralized Approach and Air-Gapped. Although the Defence Forces do not
have a fully centralized strategy for the protection of the Defence Cyberspace,
nevertheless single point responsibility does exist to a large extent within each of the
three Services for protection of their respective networks. For instance, the
responsibility for the defence of Army Cyberspace de facto rests with the Corps of
Signals, although there are a number of major shortcomings in the existing cyber
governance strategy of the Indian Army (discussion of these is beyond the scope of
this work). The fact that Defence Cyberspace is fully air-gapped from the GII
considerably reduces its vulnerability to cyber-attacks through the GII, but does not
eliminate them, as many mistakenly believe. Also, the strategy of Defence-in-Depth
has been operationalized more effectively by the Armed Forces as compared to the
CIIs/ NCIIs. However, this strategy too needs to be extensively upgraded.
Defensive Approach: A Severe Limitation. Perhaps the weakest link in the current
approach adopted by us for protecting our National Cyberspace is its predominantly
defensive character. We do not have a declared Cyber Deterrence Policy. The
proposal for the raising of a Cyber Command, mooted as early as in 2012, two years
after such a step was taken by the United States and three years before China’s
Special Support Force (SSF) came into being, has been whittled down to a weakly
structured DCA (which is not yet fully operational), with a limited mandate for offensive
actions in cyberspace. There is no concrete and determined effort to transform our
HRD models for facilitating the churning out of a highly super-specialist cadre so
essential for carrying out offensive cyber warfare (as part of a Deterrence/ Active
Defence strategy). In short, existing offensive capabilities within civilian and defence
establishments do not match up to the operational imperatives dictated by our security
environment.

National Cyberspace Protection: Global Practices


Describing the cyber governance architectures of major world players in detail is
beyond the scope of this work. However, a brief overview is as given out in succeeding
paragraphs.

United States
The cyber governance architecture adopted by the United States strikes a synergetic
balance amongst its three primary cyber operations agencies, namely, the US Cyber
Command (USCYBERCOM), the National Security Agency (NSA) and the newly
established Cybersecurity and Infrastructure Security Agency (CISA) under its
Department of Homeland Security (DHS) [7]. It is fairly evident that the US Cyber
Command is tasked with tackling strategic (external) threats in cyberspace, while the
CISA focuses on threats from the perspective of internal security. It is worth noting that
the 13 Cyber Mission Teams under USCYBERCOM, each manned by 64 individuals,
are meant specifically for the protection of CII, with 25 Support Teams (49 individuals
each) providing analytical support [8]. However, it is the DHS which is in the lead for
protection of CII, and the USCYBERCOM can act only when directed to do so. Further,
the authority for the conduct of offensive operations in cyberspace appears to be
vested solely with the Department of Defence (DOD), including deterring adversary
cyber-attacks such as influencing US presidential elections and other democratic
processes [9, 10].

United Kingdom
Another cyber defence architecture to take note of is the recent establishment by the
United Kingdom of the National Cyber Security Centre (NCSC) under the Government
Communication Headquarters (GCHQ). GCHQ is the Intelligence agency which
provides signal intelligence support to the Government and the Armed Forces. The
NCSC subsumed the functions of its erstwhile Centre for the Protection of National
Infrastructure (CPNI), CERT-UK (Computer Emergency Response Team, UK) and the
Centre for Cyber Assessment (CCA). At the same time, its structure enables it to
exploit the capabilities of its Communications-Electronics Security Group (CESG).
It is clear from UK’s National Cyber Security Strategy 2016-21 that active defence is
central to protection of their national cyberspace. Also, although the GCHQ/ NCSC
function under the Ministry of External Affairs, historically GCHQ has a symbiotic
relationship with the Defence Forces, and in fact was originally established post World
War I using personnel from the Defence Forces [11]. The active defence strategy of
NCSC focuses on cyber-crime. For providing cyber deterrence capability at the
strategic level, however, a new National Cyber Force (NCF) is in the final stages of
establishment, sometime this year.
The NCF is a joint venture between the Ministry of Defence and GCHQ and will work
alongside NCSC, with its primary charter being offensive cyber warfare directed
against external state initiated/ sponsored threats in cyberspace [12]. Another new
cyber force which the British Army has launched just this year is the 6th Division,
re-structured from its earlier avatar of Force Troops Command. This is the largest of UK’s
three divisions, tailored to fight hybrid wars, and is organized to focus on cyber,
electronic warfare, intelligence, information operations and unconventional warfare.
The main motivation for its raising was to address unconventional threats posed by
Russia and ISIS in today’s complex cyber dominated battlespace [13]. In May 2019,
UK’s Defence Secretary stated that the UK MoD was committing £22m funding for the
British Army to set up new cyber operations centres across the country. The centres
are expected to draw heavily on 77 Brigade, a combined reserve and active unit under
its 6th Division (which specializes in information warfare), as well as have contact with
joint and other national security organisations.

Australia
The defence of Australia’s national cyberspace at the apex level is the charter of the
Australian Signals Directorate (ASD). As recently as 2013, this Directorate was known
as the Defence Signals Directorate, and has its roots in the Australian Defence Forces
going back to World War II. The expansion of its charter was carried out to reflect its
whole-of-government role in support of Australia’s national security. In November
2014, Australia’s erstwhile Cyber Security Operations Centre evolved into the
Australian Cyber Security Centre (ACSC) under the ASD as the next evolution of
Australia's cyber security capability. CSOC was a Defence-based capability that
hosted liaison staff from other government agencies. The establishment of the ACSC
saw the co-location of all contributing agencies' cyber security capabilities. On 01 Jul
2018, the ASD was designated as a statutory agency under the Defence portfolio [14].

China
China, our primary adversary, is now very well structured to defend its NII. The recent
raising of the Special Support Force signifies the operationalizing of its well-developed
concept of Integrated Network Electronic Warfare (INEW) as well as the Three
Warfares concept. This transformative re-organisation has resulted in integration of
not only cyber-attack and exploit capabilities but also of cyber, electronic and
psychological warfare capabilities under the PLA, thus considerably enhancing
China’s capabilities as a dominant power in cyberspace [15, 16].

Russia
While details of the cyber governance architecture put in place by Russia are not
readily available in the open domain, the strategic nature of its preparedness in
cyberspace may be gauged by its infamous information warfare campaigns conducted
across the globe in recent years, which have served as a wake-up call for the United
States, the European Union and even China [17]. It has also been established
almost beyond doubt that the GRU, the Main Intelligence Directorate of the Russian
military, has been behind the cyber-attack on Ukraine’s electricity grid in 2015, the
devastating 2017 NotPetya cyberattack which affected businesses across the globe,
the interference in US Presidential elections in 2016, the hacking of the French election
in 2017, the cyber-attack on the 2018 Winter Olympics, and the most recent attacks
on the Georgian Government on 28 Oct 2019 [18, 19, 20]. These attacks are mostly
attributed to Sandworm, a hacking team under the control of the GRU.

Conclusion
In the above write-up, our existing cyberspace governance architecture has been
analysed, and its shortcomings highlighted. Thereafter, organisational structures
which have been adopted by major world players for protecting their respective
national cyberspaces have been briefly reviewed.
The concluding part of this three-part series proposes several transformative changes
to our own organisational structures and HRD policies, which must be implemented if
we are to adequately mitigate imminent strategic threats to our National Cyberspace.

References
(1) Information Technology (NCIIPC and Manner of Performing Functions & Duties) Rules 2013,
GOI Gazette Notification GSR 19(E), 16 Jan 2014, Accessed 17 Oct 2020.
(2) Information Technology (Indian Computer Emergency Response Team and Manner of
Performing Functions & Duties) Rules 2013, GOI Gazette Notification GSR 19(E), 17 Oct 2014,
Accessed 22 Apr 2020.
(3) National Cyber Coordination Centre, Wikipedia, Accessed 17 Oct 2020.
(4) Nidhi Singh, India’s New Defence Cyber Agency, Centre for Communication Governance at
NLU Delhi Blog, Accessed 17 Oct 2020.
(5) Cyber & Information Security Division, C&IS Web Page, MHA Website, Accessed 17 Oct 2020.
(6) Comments to the NSCS on the National Cyber Security Strategy 2020, Centre for
Communication Governance, National Law University, New Delhi, pp. 39, Accessed 17 Oct 2020.
(7) Cybersecurity, CISA Website, Accessed 17 Oct 2020.
(8) Mark Pomerleau, Here’s how DoD Organizes its Cyber Warriors, Fifth Domain, 25 Jul 2017,
Accessed 17 Oct 2020.
(9) Defence Primer: Cyberspace Operations, Congressional Research Service, 14 Jan 2020,
Accessed 17 Oct 2020.
(10) Catherine A. Theohary & John W. Rollins, Cyberwarfare and Cyberterrorism: In Brief,
Congressional Research Service, 27 Mar 2015, Accessed 17 Oct 2020.
(11) National Cyber Security Strategy 2016-21, HM Government, Accessed 17 Oct 2020.
(12) Dan Sabbagh, UK to Launch Specialist Cyber Force able to Target Terror Groups, The
Guardian, 27 Feb 2020, Accessed 17 Oct 2020.
(13) Liam, Specialist Brigades Group to Deliver Cutting-Edge Capability, Warfare.Today, 01 Aug
2019, Accessed 17 Oct 2020.
(14) History, Australian Signals Directorate Website, Accessed 17 Oct 2020.
(15) John Costello and Joe McReynolds, China’s Strategic Support Force: A Force for a New Era,
Washington, National Defence University Press, China Strategic Perspectives, No 13, Oct 2018, pp.
11-12.
(16) Lt Gen (Dr) R S Panwar, IW Structures for the Indian Armed Forces – Part III, Future Wars, 14
Apr 2020, Accessed 17 Oct 2020.
(17) Michael Connell and Sarah Vogel, Russia’s Approach to Cyber Warfare, CNA Occasional
Paper, Mar 2017.
(18) Andy Greenberg, Here's the Evidence That Links Russia’s Most Brazen Cyberattacks, Wired,
15 Nov 2019, Accessed 17 Oct 2020.
(19) Danny Bradbury, US and UK call out Russian Hackers for Georgia Attacks, Naked Security, 21
Feb 2020, Accessed 24 Apr 2020.
(20) Abigail Abrams, Here's What We Know So Far About Russia's 2016 Meddling, Time, 18 Apr
2019, Accessed 17 Oct 2020.
