India urgently needs a serious, realist, non-partisan policy debate on the development and governance of national cyber capabilities.
This is an unedited draft of The Intersection column that appears every other Monday in Mint.
Public discourse around the Pegasus reports alleging government surveillance of politicians, media persons, public officials and business people is understandably focused on its political and civil liberties dimensions. Yet the affair also has crucial national security and geopolitical dimensions that must enter the national debate. The 130 year-old governance mindset and administrative processes that the Indian state employs in such matters is no longer tenable in the Information Age. Pegasus is another reminder that the Indian republic is more vulnerable than ever to information offensives by its adversaries.
Information governance in liberal democracies has two high-level goals: first, to protect the fundamental rights (including privacy) of citizens; and second, to strengthen defend the national information sphere from hostile state- and non-state adversaries. These goals are sometimes in conflict. There is a trade-off between liberty and national security. Liberal democracies achieve a balance between the two by codifying the trade-off, placing limits on the state’s powers, defining due processes, and subjecting government actions to parliamentary and judicial review. While the Indian state has managed a constitutional balance in many areas, privacy and surveillance have remained in a grey zone since the Constitution came into force.
Today the need for a governance framework covering surveillance and information operations is not only a civil liberties issue: it is also a national security imperative. Pegasus shows that any country that can afford a few thousand dollars can hack the smartphone of heads of government. The French president commands a nuclear arsenal, and nominally at least, so does the Pakistani prime minister. More sophisticated cyber powers can — and possibly are — snooping on our scientists, industry leaders, civil servants, politicians and intelligence personnel without anyone even being aware of it. The first line of national cyber defence therefore is empowering citizens with strong encryption. At least until a robust governance framework for data privacy in put in place, the government must not insist on weakening data encryption.
All governments do wiretaps. Our problem is that the procedures for doing so are lax. It is common to read about tapped phones and leaked data in newspaper reports. Manoj Joshi, an expert on national security matters, points out that the designated officials just do not have the time to apply their mind to the hundreds of cases for surveillance that are placed before them every day. Again this is more than just a political and civil liberties issue: without tighter control of surveillance, the government itself exposes the more important parts of the national information space to its adversaries.
We certainly need intelligence reform. The Shah Commission made the case in 1977-78 and the LP Singh Committee followed-up with recommendations. These were quietly buried by the Indira Gandhi government when it returned to power in 1980. In 2011, Congress leader Manish Tewari, then a Member of Parliament, introduced a private member’s bill to place intelligence agencies under statute. Government think tanks and committees have recommended this approach. It should enter the government’s agenda. The Modi government has shown that it is capable of ‘hard’ reforms like defence and space. It should similarly push intelligence reforms.
In the meantime, a good way to inject seriousness into the surveillance review process is to require the requesting agency to deposit a refundable financial guarantee along with the application. In a bureaucracy that is more concerned about financial expenditure than the merits of a case, officials with signing powers can be effective gatekeepers.
Beyond national security, the Pegasus revelations highlight a disturbing weakness in India’s cyber warfare capacity. If it is indeed true that Indian government agencies had to purchase a foreign commercial cyber-weapon for their needs, then it shows the upper limit of our national cyber capabilities. The Pegasus list does not feature US, UK, Russia, China and other major powers. This is not because they don’t hack phones, but because they do it much better. Unlike India, they do not have to purchase the tools from foreign vendors. India has advertised a strategic vulnerability, that unless rectified urgently, will be exploited by adversaries.
Another vulnerability arises from the fact that vendors of commercial cyber-weapons can — despite their protestations — get insights as to how their product is being used. This information can be made available to their governments. It is also vulnerable to other governments with superior cyber capabilities. The manufacturer of the imported SiG 716 rifle does not know how the Indian Army is using the weapon. The manufacturer of Pegasus, on the other hand, has a very good idea on what its customers are up to. It can be turned off at will. Even the political costs of being exposed can be used as leverage against the Indian government. In international relations, friendships are never gratuitous, exclusive, or permanent, and certainly offer no guarantees.
There are many more The Intersection columns here
The bottomline is that India lacks offensive cyber capacity and thus is not a credible cyber power. As I wrote in a recent column, the country “punches far below its weight in the cyber power domain….Unless India’s leaders realize that having a big technology industry is not the same as being a cyber power, we are likely to become a big poorly-defended target.”
Polarised politics and tribalised public discourse complicates matters, but let us be clear: India urgently needs a serious, realist, non-partisan policy debate on the development and governance of national cyber capabilities.
First published by Mint
© Copyright 2003-2021. Nitin Pai. All Rights Reserved.