by Kartik Bommakanti

Recently, there is an increasing assertion that cyber war will never happen and should not be fought. This claim is borne out since cyberattacks cannot be stopped completely; exclusively defensive measures must be pursued and, therefore, retaliation against such attacks must cease because they are ineffectual. As Ciaran Martin, formerly the United Kingdom’s (UK) Chief Executive Officer (CEO) of the National Security Cyber Centre (NSCS), stated that cyber deterrence was impossible because offensive cyberattacks in retaliation were ineffective. Offensive cyber weapons, Martin maintained, which are basically viruses, are of limited utility because they could rebound to the disadvantage of the side that developed and used them. Viruses that are developed for offensive uses against adversaries can escape and infect one’s own system. Thus, attacking an adversary’s networks have never completely restrained the opponent. Authoritarian states with low levels of digitisation have greater threshold for accepting damage and pain in the digital domain than open societies “…in the event of escalation.”

Consequently, he stated: “That holds even if that sometimes makes deploying our own offensive cyber capabilities harder because a rising tide of security will, to some extent, lift all boats, including adversarial ones.” However, he laid out five specific types of cyberattacks: 1) Cyber operations in pursuit of specific national objectives such as against Islamic State propaganda; 2) adversarial infrastructure destruction, which involves targeted destruction of the adversary’s digital infrastructure; 3) counter-influencing, which involves promoting unhelpful information, “prepositioning” or making intrusions into an adversary state’s digital and information infrastructure; 4) kinetic, which involves offensive cyber operations to create a significant and punitive disruption such as electricity grid or power station in the adversary state; and finally 5) systems-wide, which involves an all-out attack that could command and control nodes, electricity grids, and other critical infrastructure in the midst of active military hostilities. The last three forms of attack are “asymmetrical” actions. The first two are “symmetrical” actions in that they are tailored for specific threats. However, while the first two are important, it is the fourth and fifth that would be very relevant to India’s needs.

Further, cyber weapons produce unintended consequences as the Wannacry virus showcased why they can be deadly not just for the intended victim but several others. Cyber weapons and cyberattacks, according to Martin, do not have any psychological effect in deterring the opponent and, therefore, remain ineffective. The mere possession of cyber capabilities and threat to use them, he avers, does not deter all adversaries. He makes an important point that cyber deterrence is fragile, which has, at best, produced mixed results but overstates his case as we will see below.

Martin’s scepticism about the efficacy of cyber deterrence largely emerged due to the United States of America’s (USA) pursuit of the Defence Forward Cyber strategy, which emphasises offence over defence, although he never quite alluded to it specifically in comments made as part of a lecture in late 2020. Defence Forward was conceived and is executed by US Cyber Command (USCYBERCOM), which requires extra-territorial operations in order to pre-empt opponents by establishing presence in adversary networks. Subsequent to his comment, the SolarWinds cyberattack occurred, which was a massive hack against the American government, believed to have been launched by Russia’s SVR, and confirming for some, as we will see below, that a rigid cyber defensive strategy is the best way forward. There is no such thing as the cult of the defensive, just as there is no such thing cult of the offensive. Offensive and defensive actions are more a function of the nature and scope of the objectives pursued by a belligerent or set of belligerents. The more ambitious a state’s objectives, the more offensive the action. Offence and defence must be in some balance

Inferring from Martin’s assessment, one prominent cyber warfare expert who is advising the Indian government and the Indian armed services advocates the pursuit of a “cult of the defensive”, rather than offensive. There is much that is problematic with this assertion. There is no such thing as the cult of the defensive, just as there is no such thing cult of the offensive. Offensive and defensive actions are more a function of the nature and scope of the objectives pursued by a belligerent or set of belligerents. The more ambitious a state’s objectives, the more offensive the action. Offence and defence must be in some balance. Let us assume a rough balance between offence and defence is also unacceptable, we are still compelled to follow the Clausewitzian line on defence and offence on military strategy, which is wiser. Clausewitz concluded that defence was better than offence observing: “…The defensive form of warfare is intrinsically stronger than the offensive.” Yet, Clausewitz provides an important qualification to this statement. The defence is necessary because it preserves. It allows the side that adopts it to gain strength. However, a pure defence, is no defence at all, because it goes against the idea of war. The time which elapses helps the defence prepare itself, but ultimately defence is primarily passive and a negative object and should be given up for a more positive object in the form of attack. Defence is a relative term and not an absolute one. Nevertheless, the cyber domain does not lend itself to leaving the initiative to the adversary and remaining defensive as it has its costs, simply because exploitable opportunities to attack in the cyber domain are fleeting. Forces are kept in reserve to use in the future works for other domains and weapons systems, not the cyber domain. For instance, today’s cyber tools cannot be used tomorrow. Preparing an attack takes time as it requires constant presence in adversary networks, involving surveillance, intelligence collection, and understanding the operational environment of a given network in cyberspace to deliver an attack. It is one of the principal reasons why the US is compelled to pursue a very offensive course of action in the cyber domain. Exploitable opportunities for offensive action and operations in the cyber domain are “fleeting”. The state in question intending to pursue an offensive action does not have days, months, and let alone years to destroy targets in the cyber network of the adversary.

Exploitable opportunities for offensive action and operations in the cyber domain are “fleeting”. The state in question intending to pursue an offensive action does not have days, months, and let alone years to destroy targets in the cyber network of the adversary.

The Indian expert misconstrues and overinterprets Ciaran Martin’s analysis extrapolating a prescription that apply in all instances. Although Martin’s assessment is more in line with Clausewitz subscribing to a “primacy of defence” and less rigid and dogmatic than a “cult of the defensive.” The latter is categorically inflexible, but even in the case of the former there has to be balance between defence and offence for the reasons stated above. Nor can the “primacy of defence” fully be applied to India or for that matter major powers such as the US or for that matter Russia and China. Despite pursuing a Defence Forward, America’s National Security Agency (NSA) and the US military’s Cyber Command (CyberCom) were found napping as the SolarWinds hack occurred, primarily an espionage mission rather than an actual attack. It highlighted the importance of paying attention to network security and cyber defence. However, it did not imply that offensive action in the cyber domain should never be pursued. Russia’s conduct by way of the SolarWinds hack demonstrated why offensive action will remain an enduring feature of the cyber domain for several reasons as we will see below.

Other Subsets of Weapons – Nuclear And Space

Despite Martin’s claims that cyber deterrence is impossible, “binary outcomes” as far as deterrence is concerned have historically been achieved with only two subset of weapons—nuclear weapons, and to some extent, space weapons. Let us consider the latter one first, which are not very usable given the fragility and natural characteristics of the space environment. Space weapons fall into two categories, kinetic and non-kinetic systems. Kinetic attacks against space borne targets are highly unlikely because of the collateral damage in the form of debris that would be unleashed following the destruction of spacecraft of several countries including those of the country that initiates the attack and will render space potentially unusable for decades, and more extremely, centuries. Albeit more “subtler” non-kinetic forms of attack against spacecraft are very much within the realm of possibility such as signal interference with satellites, jamming, spoofing, and the manipulation of satellites; hacking into spacecraft using cyber technology; damaging the ground segment of a space programme through electronic and cyber means; and employment of Directed Energy Weapons (DEWs) such as microwave and laser weapons against spacecraft which might not damage satellite to the extent of generating a cloud of debris, but leave dead mass in space in the form of a disabled satellite. The latter would still pose a threat in the form of a collision with orbiting spacecraft. The point to underline here is that non-kinetic attacks are certainly conceivable and within the realm of possibility in the space domain. Indeed, space weapons are “conventionalisable”, especially because they are more usable. Apart from usability, cyber weapons are more accessible than nuclear and space weapons and the countervailing costs to prevent their use are not yet so devastating that no adversarial actor would venture to employ them. This brings us to another variable—motivation: It is the prime reason why deterrence collapses.

Whereas with nuclear weapons, there is a “binary outcome” in relation to deterrence to the extent that their non-use begets non-use and threats to use them secures restraint from the adversary. Notwithstanding numerous crises, the Cold War did not turn hot principally because of nuclear weapons

Whereas with nuclear weapons, there is a “binary outcome” in relation to deterrence to the extent that their non-use begets non-use and threats to use them secures restraint from the adversary. Notwithstanding numerous crises, the Cold War did not turn hot principally because of nuclear weapons. After all, with regards to nuclear weapons, as Bernard Brodie, the doyen of American Cold War strategists incisively observed in 1946: “Thus far the chief purpose of our military establishment has been to win wars. From now on its chief purpose must be to avert them. It can have almost no other useful purpose.” This classic and enduring statement is the basis of nuclear deterrence. Nuclear deterrence is the only form of deterrence which has prevailed especially when states have possessed offsetting nuclear capabilities. No rational political objectives could be secured if nuclear weapons were used simply because of their destructive power. Regardless of motivation, it is for this reason that a nuclear war has never been fought. The only qualification to this point is if a state, as the British strategic historian, Lawrence Freedman, noted, has a monopoly over nuclear weapons. A monopolist nuclear weapons power, he added, might find ways or reasons to use them. In fact, the only instance where nuclear weapons were used were by the US against Japan at Hiroshima and Nagasaki during World War II. Japan had no capacity to retaliate, and it remains the only instance when the USA or any state enjoyed a brief monopoly over nuclear weapons. Thankfully, the nuclear taboo has remained intact since and one key reason being that several other states have developed them.

To that extent, even Ciaran Martin overlooks the only weapons that have produced absolute deterrence (at least so far), which are nuclear weapons and space weapons. Although the latter can still conceivably be used following the outbreak of a conventional war between India and China over their disputed boundary and also China and the USA over Taiwan. Even in the case of nuclear deterrence, nobody can categorically vouch it will never collapse involving antagonists in specific conflict dyads, nevertheless nuclear deterrence remains robust. However, no other weapons have remained as unusable as nuclear weapons including chemical and biological weapons, let alone conventional weapons. Non-use or cyber restraint by side A could beget non-use by the adversary side B sometimes, but not all the time. It could also become an invitation for further cyberattacks by side B, because side A’s restraint could be construed as weakness. Thus, a highly motivated and risk-prone adversary is likely to be very tempted to launch frequent attacks. In these circumstances, side A would have to or at least must have the option of mounting a cyber counter-offensive. Unlike the United Kingdom (UK), India is locked in two adversarial relationships against China and Pakistan. They are capable, motivated, and disciplined adversaries right on India’s doorstep. The US also faces motivated adversaries in the form of China, Russia and, to lesser degrees, North Korea and Iran. Likewise, the Russians and the Chinese see the US as a driven cyber adversary. In addition, consider terrorism despite the UK, the US and several Western countries best efforts to prevent terrorism on their soil and against their interests, terrorism particularly of the Islamist type has persisted. Conversely, recurring terror attacks have not stopped the US or the UK from pursuing offensive action using a wide variety of offensive instruments ranging from drone attacks to special operations forces. Deterrence against Islamist terrorism have, at best, been mixed for the UK and the US, just as it is with deterrence against cyberattacks. Whether state-led or non-state—especially criminal activity and terrorist propaganda and recruitment—cyberspace is characterised by fairly pervasive malicious and offensive activity. Indeed, the symmetrical attack options that Martin delineated will have to be exercised with higher frequency against cyber crime, which is fairly rife in the domain, and which reinforces why cyberspace as a medium tends to be offence dominant.

Conclusion

The Government of India (GoI) and the cyber experts who are advising them need to recognise that cost imposition is an important part of any major power’s military strategy. Cyber weapons are important offensive instruments in imposing countervailing costs against an opponent in the middle of a war. For instance, India might want to take out the command network of the Western Theatre Command (WTC) of the Peoples Liberation Army (PLA) in the midst of a Sino-Indian border war and active hostilities. The WTC controls some cyber assets and its command network is dependent on computer software and hardware. The PLA considers the cyber domain to be “offense dominant”. Consequently, how can India adopt a posture of “primacy of defence” let alone a “cult of the defensive”?

In the case of Pakistan, cross-domain responses may be necessary. Cyber need not counter cyber, but cyber could counter non-cyber. For instance, cyberattacks could be indispensable sometimes against Pakistani-sponsored terrorism. In the case of Pakistan, cross-domain responses may be necessary. Cyber need not counter cyber, but cyber could counter non-cyber. For instance, cyberattacks could be indispensable sometimes against Pakistani-sponsored terrorism. Indeed, an Indian foreign policy report Non-alignment 2.0 even recommended it:

“At the lower end of the options spectrum is the employment of cyber and/or air power in a punitive mode. The use of air/cyber power has advantages over any land-based strategy: It could be swift, more precise, and certainly more amenable to being coordinated with our diplomatic efforts. Compared to any land-based options, the use of air/cyber power will come across as more restrained. To be sure, such action could invite retaliatory response from Pakistan. It is essential, therefore, that our coercive strategy not only caters for offensive use of air/cyber power but also for a defensive role.”

In a nutshell, if the Indian armed services, the tri-service Defence Cyber Agency (DCA) and the Indian government writ large were to base India’s cyber doctrine and cyber military strategy on notions likely “cult of the defensive”, they would be well advised and cautioned against a purely defensive cyber strategy. Defensive cyber and network security should be strengthened. However, no national government in India can and should completely divest the country of offensive cyber instruments despite the risks. New Delhi can and should use them and be in a position to degrade the capacities of India’ adversaries and respond to malicious conduct. India’s civilian leaders as well as military leaders need to remember that there are no binary outcomes in the cyber domain as is the case with nuclear weapons. India’s adversaries see the cyber domain as offence dominant. Consequently, India cannot divest itself from offensive cyber instruments.

Further, as Ajay Banga, Executive Chairman at Master Card, put it recently when it comes to cyber security: “We are only as strong as our weakest link”, which underlines the importance of defensive cyber security, but also reflects the offence-dominant nature of the domain. Offensive activity could come in the form of criminal activity as the recent ransomware attacks against Colonial pipeline in the US and also the American counterattack to recover some of the money paid as ransom and prior to that the SolarWinds attack against the US government clearly demonstrated the extent to which the cyber domain lends itself to offensive action. A balance will need to be struck between cyber offence and cyber defence by India’s national security and defence establishment. There will be setbacks for India in that its own digital networks will be compromised sometimes, despite the best defensive measures, but it must also respond and possess the capacity to strike the digital networks of its enemies when the need arises.