By Rajeswari Pillai Rajagopalan*
While many countries still regard cyber security and space security as ‘future challenges’, or issues that will need to be dealt with in the coming years, India is already tackling them today. Unlike in the more traditional security realm, where a global architecture exists to handle problems as they arise, the cyber security and space security domains are characterised by limited understanding, few accepted global definitions and a lack of clearly articulated norms and regulations. These issues must be addressed in order to articulate sound policy, including at the national level. The space domain is slightly more advanced than the cyber domain: It has some broad agreements in place, although they lack a number of elements, including definitions of key concepts in space security. There is a clear need for new architectures that will fix these anomalies and establish new parameters of responsible behaviour for the long-term sustainable use of these domains.
Cyber security policy: Strengths
A large pool of available talent and capabilities: India’s significant talent and capabilities in cyber security is one of its biggest strengths. With a highly educated, technologically skilled workforce, the country possesses one of the largest talent pools in the world.
An ideal blend of Western and Eastern approaches: One can argue that India has found an ideal blend of Western and Eastern approaches to cyber security. Its approach to cyber security is driven by two factors: national security and social harmony. At the global level, there are two schools of thought regarding cyber security: The Western approach, led by the United States, looks at cyber security through a national security prism. The Eastern approach, driven by China and Russia, emphasizes social cohesion. Until several years ago, India viewed cyber security predominantly from a national security perspective, with its primary concern being the protection of critical infrastructure. Lately, however, it has increasingly emphasized social harmony and cohesion. Thus the Indian view today combines the Western and Eastern approaches.
Lack of a comprehensive policy: The lack of a clear and comprehensive cyber security policy is one of India’s major weaknesses. The Indian government issued a National Cyber Security Policy (NCSP) in July 2013, but the document came under sharp criticism because it did not clearly articulate the policy’s objectives.
Government policy that has been slow in exploiting the available talent pool: The government’s inability to exploit the large pool of available talent in the country is another key challenge. The NCSP’s lack of clarity reflects the inadequacy of talent and innovation in the Ministry of Communications and Information Technology, which was responsible for producing the document.
Lack of a holistic approach: The country also lacks a holistic approach to cyber security. In order to develop a comprehensive policy, it would be important to involve experts from the information and communications technology field as a whole rather than information technology experts alone. India has not done so.
Insufficient private sector input, including public-private partnerships (PPPs) that involve only large corporations: The policy-formation process in India does not allow for sufficient private sector input into cyber security policy. The NCSP was also criticized because the government made a minimal effort to obtain input and expertise from other sectors. Although it engaged with industry groups such as the Federation of Indian Chambers of Commerce and Industry, the process was half-hearted at best.
In addition, Indian PPPs tend to involve only big corporations. This excludes an entire pool of talent that is available from India’s many start-up firms, as well as individuals. A true PPP would go a long way towards bringing strengths and talents from across the spectrum to create a comprehensive approach towards cyber security.
Insufficient public input: The policy-making process in India also does not provide for sufficient public input into cyber security policy. The NCSP was also criticised for its lack of public input. Analysts described the Indian government’s proclamation of seeking ‘public comments and suggestions’ for the NCSP as a farce, calling the exercise a mere formality. The participation of civil society groups has been weak as well. An open and transparent process and gaining the support of the public is essential to creating a successful cyber security policy.
Lack of a strong security culture: India lacks a strong security culture. A country’s security culture should permeate all those who are actively engaged in security-related sectors. This is especially important in the cyber security domain, where every individual has the potential to be both a defender and a victim. India must therefore increase the priority it accords security issues in general.
Lack of an institutional and legal framework: India’s institutional framework for dealing with cyber security challenges is at a nascent stage. The lack of a legal framework is one of the biggest gaps in India’s cyber security approach today. As yet, it has no overarching cyber security law to address incidents of cybercrime, cyber attacks and cyber breaches.
Space security policy: Strengths
A large pool of available talent and capabilities, including a great capacity for innovation and indigenization: As in the cyber domain, India has a large pool of talent and capabilities in the space domain, including a highly educated and skilled labour force. Its capacity for innovation and indigenisation is the biggest strength of India’s space programme.
Lack of a comprehensive policy: As in the cyber security domain, the absence of a comprehensive, declared policy concerning space may be India’s biggest weakness in the field. Its space policy has to be pieced together from the statements of Indian officials in Parliament and in multilateral forums such as the Conference on Disarmament and elsewhere at the UN. In the past, when the Indian space programme was being challenged by the international community, there may have been benefits to not having a declared policy. Today, however, the situation is drastically different, and the advantages of a declared policy far outweigh the disadvantages: an open policy could alleviate the fears of other states, build confidence in India’s objectives and prevent ambiguity about its intentions. Such a policy could also be an effective tool to send messages to both friends and foes. Most important, a declared policy would bring about greater clarity, improved allocation of resources and better prioritization, enabling an optimal use of resources.
Government policy that has been slow in exploiting the available talent pool, including policy that is driven by technocrats and the scientific bureaucracy: As in the cyber domain, India’s approach to space is driven entirely by the government. But it is driven by technocrats and the scientific bureaucracy instead of by a political leadership that articulates priorities and directions.
Despite the huge technological progress that India has made, successive governments have adopted an ad hoc approach to space. India should realize that it does not have to match every capability that China may develop and that it should prioritize both from a commercial and a national security perspective. It has to change its casual approach if it wants to emerge as a dynamic player with a strong programme.
Insufficient private sector input: As in the cyber sphere, the Indian space sector is characterized by limited private sector input. The Indian private sector participates in the country’s space programme in that it manufactures almost 80 per cent of key parts and components, but its voice is limited in shaping space policy. It is a source of strength that India has sizeable industry participation in its space programme, and this could be further enhanced if India were to have a dedicated military space programme.
Lack of a strong security culture: As in the cyber domain, the lack of a strong security culture, applicable to both the cyber and the space domains, is something that India must take note of and take steps to improve.
Financial resources that are stretched between shared civilian and military assets: Much as India has emphasised its desire for a peaceful space programme, the security imperatives in its neighbourhood may push it to adopt a more assertive military space policy. Under these circumstances, it would be particularly beneficial to have separate civilian and military assets. This would also mean a clearer institutional architecture that could better cater to growing demand from both the civilian and the military sectors. This in turn could result in better financial allocation as currently, the institutional architecture and financial and human resources are stretched between competing civilian and military needs.
Cyber and space security: The convergence of the cyber security and space security domains presents a complex challenge, yet the severity of the challenge is rarely acknowledged in India. The country has sufficient talent in both the public and the private sector, but the sluggish nature of the Indian bureaucracy and poor synergization have meant that its full potential has yet to be realized. Given the cross-domain nature of challenges in the cyber and space domains, states such as India have to invest in regional and global efforts in order to understand these environments. But this requires significant political direction, which has so far been lacking.
*Dr. Rajeswari Pillai Rajagopalan is a Senior Fellow at Observer Research Foundation, Delhi