Fear of the Known
Antara Jha
As India rapidly digitises its economy and critical infrastructure, it unleashes immense benefits for efficient governance, financial inclusion and societal progress. But greater connectivity also creates strategic vulnerabilities that state and non-state actors actively seek to exploit through cyber intrusions, data theft and potential sabotage in crisis scenarios. India now faces an urgent challenge: how to develop effective cyber deterrence doctrines amid a complex threat landscape.

Yet fundamental paradoxes plague deterrence thinking in the cyber domain. Unlike land, sea or air, cyberspace is inherently interconnected and anonymous. Attributing responsibility for attacks is exceedingly difficult, undermining traditional deterrence based on retaliation. Interdependence between systems also risks unintended escalation from tit-for-tat cyber strikes. Meanwhile, the diversity of state and non-state actors conducting operations generates asymmetry between their motivations and acceptable responses.
As a responsible rising power, India promotes international norms against indiscriminate attacks on civilian infrastructure. It builds domestic resilience while judiciously developing intelligence and response capabilities. But comparable capacity building is urgently required among regional partners such as Sri Lanka, Bangladesh and Nepal, who have interlinked cyberspace vulnerabilities. Creative thinking and mitigation strategies are essential to manage the paradoxes of attribution, interconnectedness and asymmetry endemic to cyberspace.
Anonymity Paradox
A core dilemma facing cyber deterrence is attribution. Responding to and deterring attacks requires identifying the perpetrator beyond reasonable doubt, especially when contemplating counter-strikes. But the multi-layered and anonymous nature of cyberspace operations creates uncertainty in attribution. Sophisticated actors exploit technical means to obscure the origins and mask the motivations of attacks.
For example, the 2020 Mumbai power grid hack that caused widespread blackouts was suspected to have links to Chinese state-sponsored hackers. However, firm attribution never materialised. The attack was routed through servers in Europe and East Asia using advanced techniques to disguise its origins. Hacking groups often lease custom malware from developers on dark web forums, further obscuring attribution. While circumstantial evidence points to China, the lack of a smoking gun allows its leadership to maintain plausible deniability and restraint.
This inability to achieve timely attribution inhibits traditional deterrence predicated on unambiguously conveying the certainty of retaliation. Without foolproof evidence, threats of counter-strikes lack credibility. Yet collecting such forensic proof from an inherently slippery domain is challenging, dulling deterrent threats. India faces attribution uncertainty across many reported incidents, from suspected Chinese espionage targeting power sector assets to the Mumbai blackout. Even as defensive measures improve, attribution lag times hinder rapid or pre-emptive responses.
Fundamentally, cyberspace's structure differs radically from physical domain
