Fear of the Known

In an interconnected age, one-size-fits-all deterrence is ineffective in tackling cyber threats

Antara Jha

As India rapidly digitises its economy and critical infrastructure, it unleashes immense benefits for efficient governance, financial inclusion and societal progress. But greater connectivity also creates strategic vulnerabilities that state and non-state actors actively seek to exploit through cyber intrusions, data theft and potential sabotage in crisis scenarios. India now faces an urgent challenge: how to develop effective cyber deterrence doctrines amid a complex threat landscape.

Yet fundamental paradoxes plague deterrence thinking in the cyber domain. Unlike land, sea or air, cyberspace is inherently interconnected and anonymous. Attributing responsibility for attacks is exceedingly difficult, undermining traditional deterrence based on retaliation. Interdependence between systems also risks unintended escalation from tit-for-tat cyber strikes. Meanwhile, the diversity of state and non-state actors conducting operations generates asymmetry between their motivations and acceptable responses.

As a responsible rising power, India promotes international norms against indiscriminate attacks on civilian infrastructure. It builds domestic resilience while judiciously developing intelligence and response capabilities. But comparable capacity building is urgently required among regional partners such as Sri Lanka, Bangladesh and Nepal, who have interlinked cyberspace vulnerabilities. Creative thinking and mitigation strategies are essential to manage the paradoxes of attribution, interconnectedness and asymmetry endemic to cyberspace.


Anonymity Paradox

A core dilemma facing cyber deterrence is attribution. Responding to and deterring attacks requires identifying the perpetrator beyond reasonable doubt, especially when contemplating counter-strikes. But the multi-layered and anonymous nature of cyberspace operations creates uncertainty in attribution. Sophisticated actors exploit technical means to obscure the origins and mask the motivations of attacks.

For example, the 2020 Mumbai power grid hack that caused widespread blackouts was suspected to have links to Chinese state-sponsored hackers. However, firm attribution never materialised. The attack was routed through servers in Europe and East Asia using advanced techniques to disguise its origins. Hacking groups often lease custom malware from developers on dark web forums, further obscuring attribution. While circumstantial evidence points to China, the lack of a smoking gun allows its leadership to maintain plausible deniability and restraint.

This inability to achieve timely attribution inhibits traditional deterrence predicated on unambiguously conveying the certainty of retaliation. Without foolproof evidence, threats of counter-strikes lack credibility. Yet collecting such forensic proof from an inherently slippery domain is challenging, dulling deterrent threats. India faces attribution uncertainty across many reported incidents, from suspected Chinese espionage targeting power sector assets to the Mumbai blackout. Even as defensive measures improve, attribution lag times hinder rapid or pre-emptive responses.

Fundamentally, cyberspace's structure differs radically from physical domains. Bits flow freely across servers worldwide with no intrinsic regard for borders. Operations can be routed through proxies and utilize advanced anonymity tools to erase the true originating source. This fundamentally cripples traditional deterrence approaches centred on retaliation.


Shared Vulnerabilities

While attribution is difficult, the actual origin of a cyber-attack may be less relevant given the interconnectedness paradox. India and South Asia’s critical infrastructure, economy, and cyberspace are deeply interdependent with potential adversaries such as China. Damage easily spills across borders.

For instance, an attack disabling Chinese financial systems could cripple India’s economy as well, given the integration. Critical infrastructure in particular calls for caution as a target of retaliation, since disruption risks boomerang effects. India’s 2013 National Cyber Security Policy explicitly disavows attacks causing ‘damage to civilian facilities of other states.’ This restraint acknowledges that chaos initiated against another country’s power grids, hospitals or transportation hubs could spiral out of control and harm India as well.
