This weeks announcement by the National Security Council Secretariat (NSCS),that the government will engage the private sector on cybersecurity,is important for two reasons. The first and the obvious is that the government has recognised that managing threats from cyberspace requires coordination across departments with high-level leadership. For several years now,it has been clear that the approach of individual ministries on dealing with matters within their turf is inadequate,because cyberspace issues do not fall into neat pigeonholes mirroring the governments structure. The more recent practice of forming ad hoc inter-ministerial committees on specific issues is an improvement,but the mileage can vary depending on circumstances. So,placing the subject within an institutional framework under the NSCS is a step in the right direction.
Less obvious,and perhaps more important,the government has realised it cannot develop the capacity to govern cyberspace on its own. The proposal to set up a permanent mechanism for private public partnership that taps into the expertise and human resources available in the country,and not just the government,could pave the way for correcting Indias governance deficit. It is not about giving prominent individuals,NGOs and corporations an advisory or consultative role. It is about nurturing and employing people from the private sector with the appropriate expertise and domain knowledge to address the policy challenges that India faces.
While the proposals outlined by the NSCS encompass security standards,audits,testing,certification and pilot projects,the critical issue is that of capacity. Even if we cast the net wide enough to include Indians outside the government and perhaps outside the country,just where are we to find qualified people in sufficient numbers? Would such people be willing to forgo the salaries,careers and lifestyles offered by the software industry to take up a job in the government? Is the government capable of absorbing such talent with all the necessary procedural,organisational and cultural changes the process demands? While the NSCS has rightly decided to invest in the education and training of cybersecurity professionals in mission mode,without simultaneous reform of the civil services,such measures will deliver less than optimal results.
There are three broad aspects of information policy in the context of geo-strategy and national security. The first is cybersecurity,which is the guarding of Indias communications infrastructure,networks and data from attackers. The bulk of industry investment and expertise goes into this,because it concerns corporations and their customers directly. The incentives for the private sector and the government are largely aligned in the area of cybersecurity.
The second aspect managing physical security threats that emerge from cyberspace is trickier because the interests of the various stakeholders are less aligned. For instance,while the Union home ministry would insist that BlackBerry,Google,Twitter,Facebook and telecom service providers comply with its demands for information or censorship,the corporations have to balance this against other considerations like privacy and free speech which affect bottom lines,contractual commitments and business ethics.
As a number of recent cases show,India needs a debate on a new balance between liberty and national security in the information age. Without achieving this balance,we risk converting the tension between the government on one hand and the private sector and citizens on the other into intractable antagonism. It is difficult to have such a debate today,because of unhealthy levels of intolerance and partisanship. We do not,however,have a choice if we do not debate the bounds of government intervention in cyberspace now,greater connectivity will only plunge us into deeper intolerance and debilitating partisanship.
The final aspect is cyberstrategy,which encompasses but goes beyond cybersecurity and addressing threats from cyberspace. It is both startling and worrisome that the world has adopted the concepts and terminology from traditional warfare without always asking if they make sense (or the same sense) when applied to the cyber domain. In many ways,this mirrors the 1940s and 50s,when it was believed that nuclear strategy was similar to conventional military strategy,causing the Cold War antagonists to develop tactical nukes and vast arsenals. It was decades before the world understood that nuclear strategy is more about strategic deterrence than actual warfighting.
Today,we are witnessing a militarisation of cyberstrategy across the world,led by China and the United States. This poses a dilemma for us: while premature militarisation might be wasteful and risk unintended conflict,delayed militarisation might cause us to repeat the errors of the nuclear non-proliferation treaty (NPT) negotiations. If India had weaponised early and negotiated the NPT as a nuclear-weapons state,we would not have been locked out of the nuclear and high-technology industry for three decades.
Resolving our cyberstrategy dilemma requires us to invest in delving into the fundamentals,building theoretical foundations for information-age conflicts and evolving our own policy approach. How can we attempt this with few top class universities and a moribund higher education scene? The government could make a start by supporting upstream research in the R&D departments of private IT companies and public research institutes.
The writer is founder and fellow for geopolitics at the Takshashila Institution,firstname.lastname@example.org