Respond to the cyber intrusion, within law | Opinion
The news of cyber intrusions into the Kudankulam Nuclear Power Plant and the Indian Space Research Organisation (Isro) shook the cyber security apparatus. Pukhraj Singh, a cybersecurity expert, tweeted about the incident after alerting the authorities. In his opinion, the intrusion constituted a casus belli in the Indian cyberspace, meaning an act or situation that provokes or justifies a war.
The factual matrix of this cyber “attack”, however, does not add up to a situation where a sovereign nation may justifiably go to war, in the conventional sense of the term.
In his analysis, Singh is correct to point out the absence of a cyber deterrence strategy, which permitted the malware to linger in protected systems for months after it was first detected. But I disagree with his advocacy for a departure from “rules-based war fighting”, towards “pre-emptive, extrajudicial maneuvering” within the adversary’s battle space.
Inviting as it may seem to follow in the footsteps of former US official Richard Danzig’s “defend forward” doctrine, it is apparent that this position advocates action that is overtly illegal in international law. The so-called “right to pre-emptive self-defence” is a creation of American warfighting doctrine and is not a norm of customary international law (CIL).
Due to the hybrid nature of cyber operations and international legal norms in their current form, governments all over the world are grappling with “below-the-threshold” operations in cyberspace. The use of military force is prohibited for States, who remain the principal subjects of the international legal order. According to the United Nations Charter provisions that are also considered CIL norms, a nation State may lawfully resort to the use of force in the exercise of its inherent right to self-defence against an ‘armed attack’ by another state.
According to the Tallinn Manual 2.0, a cyber intrusion or attack is considered an armed attack if its physical manifestations cause damage or consequences that are similar, or at least comparable, to the use of kinetic force. Without physical damage, a cyber theft of data in the eyes of international law, even by a State, does not amount to an armed attack and no right to use kinetic military force in self-defence arises.
However, this does not imply that there is no remedy against what is clearly an invasion of the country’s sovereignty and a dangerous intrusion into our critical information infrastructure. We can lawfully take cautious countermeasures against such intrusions to ensure that the intrusion ceases and leverage domestic laws and institutions to crystallise India’s position on international law norms that we consider non-binding.
The Tallinn Manual is neither a binding document, nor universally considered to be the definitive expression of CIL norms. Yet, it is a valuable resource to identify rules where India’s interests in cyberspace demand interpretations that depart from Western interpretations tailored to serve Western interests. India has the prerogative to object to the application of a rule at odds with our national security interests.
Despite speculation that the malware caused the power plant to shut down, the government has maintained that it was due to a mechanical issue. Similarly, some have insinuated that the presence of the malware in Isro systems was temporally proximate to the unsuccessful landing of Chandrayaan-2. However, no such statements have been forthcoming from the government.
Without physical damage or disruption, the harm caused at this stage appears to be exfiltration of data, which falls within the domain of espionage. Espionage, while illegal in domestic law, operates in a grey zone in international law, where it is neither legal, nor illegal. Singh illustrates how a cyber espionage operation can be quickly weaponised into a destructive kinetic attack, depending on the attacker’s intent. However, the same is true of operations that embed spies and covert operatives in foreign territory. Without identifying the attacker, one cannot speculate about their intent.
Technical attribution efforts have led to the North Korea-based Lazarus group. However, Singh asserts that false flag operations are all too common, and deeper digging could unearth unusual suspects. He adds that our response must be premised on “full-spectrum cyber attribution”, but this is only possible by carrying out a full-scale investigation that can reveal, with some degree of certainty, the identity and affiliations of the intruder. Unless such attribution efforts conclusively point towards a State actor, the intrusion can be treated as an act of cyber terrorism, defined under Section 66F of the Information Technology Act, 2000. Depending on the information exfiltrated, offences under the Atomic Energy Act, 1962 can also be made out. If an FIR is registered under these provisions, the National Investigation Agency (NIA) would be charged with this investigation. Such an investigation would be an opportunity to strengthen our counter-intelligence capabilities in cyberspace.
However, the investigation of these acts by the NIA risks exposing fault lines that go deeper than the overlap between various institutions, blurring the line between military and civilian responses to cyber intrusions.
In order to pivot our national security doctrine around cyber offence and defence, we need to legitimise the nation’s intelligence apparatus by law, so that it may act as the bridge between the civilian and the military dimensions of cyber operations. This will serve a dual purpose — first, to clarify the scope and extent of authority of our intelligence agencies within and outside our borders, and second, to provide opinio juris on the legality of State practices considered essential to protect India’s sovereignty in cyberspace.
Thus, before we hasten to abandon rules-based warfighting for pre-emptive, extra-judicial maneuvering, let’s heed the Research and Analysis Wing’s (R&AW’s) motto: The law protects when it is protected.