Indian Cyber-Power: Time for a Recharge

A recent Harvard Kennedy School study reveals India's low ranking in cyber capabilities. It is high time for policymakers to articulate a resilient framework to protect data privacy

The National Cyber Power Index (NCPI) established by Harvard Kennedy School’s Belfer Centre, based on the cyber capabilities and intent of 30 countries, ranks India way below the U.S., China and Israel, categorising it as a “low-intent, low-capability” country. This is of concern since India has been facing a higher number of cyber attacks due to increased digitisation, especially in the light of the pandemic. With the increasing threat of a military conflict with China, a nation well known for its cyber warfare capability, India grows increasingly more vulnerable with every passing day to malware attacks, especially against its strategic assets and critical financial infrastructures.

QUANTIFYING CYBER POWER

The NCPI measures the comprehensiveness of a country's cyber capabilities across seven areas: Surveillance of domestic groups, cyber defences, information control and manipulation, foreign intelligence collection, enhancement of commercial gains, cyber offensive capability and defining international cyber standards and norms. It combines a country’s cyber intent (or potential) with its actual capability.

The Cyber Intent Index (CII) is calculated based on a government’s planning initiatives and national objectives with respect to the seven areas; while the Cyber Capability Index (CCI) measures government output, such as the number of patents filed and security workforce. 

India ranks 21 in terms of overall cyber comprehensiveness, with an NCPI score of roughly 10. The highest score is 50 (U.S.), and the lowest is approximately 5 (Egypt). India ranks relatively high among the 30 countries for defining cyber standards and collecting foreign intelligence. However, it has its work cut out on surveillance, defence, information control, and offence strategies.

Regarding the CII, India ranks 20 and has a score of 34.7 out of 100. China has the highest score of 80.3, while Egypt ranks the lowest, with roughly 16.3. India scored in the mid-range for Commerce and Intelligence, while its scores for Offence, Defence, and Information Control were low. Nevertheless, the study also shows that the Indian government’s current objectives lay emphasis on Information Control, in addition to Commerce, whereas its strategies around Offence and Defence are almost nil.

India’s CCI rank is at 26. India’s capabilities for Defence and Commerce are in the mid-range, while its rank for Norms is in the top 10. However, it ranks the lowest out of the 30 countries for Surveillance and Information Control.

ANALYSIS

While this study claims to provide a holistic approach to measuring cyber power by gauging its indicators in relation to government strategies, it is limited to publicly available data. This could impact the rankings since governments are less likely to reveal their offensive capabilities and information control for strategic purposes. In fact, less available data leading to a country's lower-ranking could also be indicative of strong information control measures. Additionally, the study does not factor in non-state actors and other mercenary groups on cyber attacks.

Regardless, India is yet to develop a well-articulated framework for managing its cyberspace. The 2013 National Cyber Security Policy (Ministry of Electronics and Information Technology) has not been updated to match global standards.  The policy includes objectives such as security, commerce, data protection, global norm-setting and legislative intervention to prevent cyber crimes, but is silent on other areas.

The 2018 National Digital Communications policy issued by the Department of Telecommunications is confined to data privacy and data security terms. While the implementation of these objectives is necessary from a growth standpoint, the study suggests India's vulnerabilities in areas of defence.

The fact that there is no unity of action in this critical field with two different ministries framing their own policies is indicative of the need for creating a single all-comprehensive policy.

Neighbouring China, on the other hand, ranks in the top 5 for nearly all indicators. It ranks number 1 for Defence, Surveillance, and Commerce due to its strict social media monitoring tools and protection of sensitive security information. The U.S. and India have alleged China’s role in cyber attacks and cyber espionage, thus raising the stakes for India’s cybersecurity measures.

POLICY RECOMMENDATIONS

The Indian government’s next steps may depend on (a) long-term national security and commercial goals, (b) expected strategies and outcomes from other areas such as foreign policy, economic goals, and public administration, and (c) issues of immediate concern.

Continuing Commercial Growth.  The current cyber policy mentions building on regulatory reforms in a way that does not restrict innovation and consumer interest. This could explain India’s lower ranking for information control and relatively high ranking for commerce. Due to India’s developing economy, it is important to continue prioritising commercial and consumer growth through technology. India’s rapid urbanisation and digitisation can promote competitive IT start-ups to expand its cyber infrastructure and technical resources. This can be achieved by increasing digitisation in rural areas, developing talent in the tech sector, and increasing government spending on research and development.

Higher Defence and Security.  With higher digitisation, a larger proportion of the population is vulnerable to cyber attacks. India needs to align its policies and security objectives with the technical advances over the last seven years. In the light of India’s antagonistic relations with China and Pakistan, cyber attacks remain a potent threat, especially against government institutions. The government may raise awareness of phishing sites and malware protection while implementing adequate data privacy measures. In addition to legislative measures to counter cyber attacks, the revised policy should specify the steps to address cyber crimes, and the role of IT specialists and officials in combating the same.

Global Cooperation.  India would continue to benefit by participating in global summits and demonstrating its commitment to international cyber standards. With India's large IT sector, it can significantly contribute to and learn from the technological practices of other countries. By attending training workshops, India's technology sector and cyber policymakers can enhance their digital framework to make it resilient to potential attacks while protecting the data privacy of its citizens. 

India is currently formulating a 2020 Cyber Security Strategy, which seeks to increase security, capabilities, and global cooperation. Till then, India relies on the Indian Computer Emergency Response Team (CERT-IN) to tackle digital security issues. Although CERT-IN has provided information and responded to cyber threats, it has not been very effective with prompt responses. As CERT-IN is dispersed across various state government agencies, India still lacks a comprehensive centralised system with specific roles and updated strategies.

ASSESSMENT

  • The Belfer Centre’s NCPI measures the intent and capabilities of countries’ cyber power, but also has limitations due to lack of availability of government and non-state actors’ data. But it does help in flagging critical waypoints towards cyber power.
  • The study ranks India as 21 out of 30 countries for cyber comprehensiveness. India ranks below several western countries, as well as Malaysia, Israel, and China. While India ranked low for Defence and Offence, it ranked relatively high for defining international norms.  To a large extent, due to its large size and steep differences in quality of life, the digital expansion remains far less than desired and needs to be enhanced. This will improve with economic growth, leading to higher cyber comprehensiveness. 
  • India’s 2013 cyber strategy needs to be upgraded on priority to align with modern cyber concerns. The new strategy should specify the role of affiliated bodies, continue India’s focus on commercial growth, while building stronger defensive and offensive capabilities.

Comments