In China, it’s time to consider cyber operations: analysis
Recent border clashes between India and China have led analysts, accustomed to conventional warfare, to compare the relative strengths of the two adversaries in terms of the number of tanks, aircraft, and other military accessories.
It seems that the Indian strategic discourse has once again ruled out cyber operations as an instrument of power projection, which could have offered a certain degree of flexibility in coercing, forcing and imposing costs on the contentious neighbor. This is unfortunate considering how much Indian think tanks have glamorized cyber dominance.
Unlike conventional media, the projection of cyber power exploits the delicate interfaces between society and technology. Such operations are best suited to create a mix of effect and perception.
The Australian Prime Minister’s dramatic public disclosure of an ongoing state-sponsored cyberattack accurately highlights the perception factor. And, as was evident during the hostilities between Russia and Ukraine, shutting down a power grid can generate more panic than a real loss of productivity, thus demoralizing the adversary.
Cyber operations generally fit the template of a hybrid, multi-dimensional offensive waged by the military cautious of violating recognized red lines. This is exactly the case in India and China.
From influencing narratives, interrupting missile launches to breaking nuclear deterrence, the malleability of the cyber option makes it very powerful. Relieve the burden-defending army of maintaining comparable ability fueled by strict number-based assessment.
Each nation’s cyber vulnerabilities are unique, asymmetric, and closely tied to its political body. The rigid socio-political hierarchies of the Chinese state make it increasingly susceptible to information warfare.
After the damning hack of a sensitive database that stores background checks on government employees, the United States (US) had plans to temporarily disrupt Chinese Internet censors such as the “Great Firewall” as a way of reprisal. The totalitarian regime of the Communist Party of China would have considered such a move as a severely existential threat.
The simple act of making previously banned information, already unstable by the coronavirus pandemic, available to the masses would have struck the adversary’s heart. However, it would have carefully skirted time-tested and measurable war thresholds.
The absolute absence of cyber option in Indian discourse is not a surprise. Even during the Balakot climb, this was an item that was noticeably ignored.
On the other hand, the Chinese People’s Liberation Army (EPL) has used cutting-edge cyber operations, endorsing them as the strategic axis of an “informationalized” battle space.
The past two decades have witnessed the impressive formalization of how power accumulates and projects in cyberspace. The Indian cyber apparatus seemed to have wasted that opportunity, thanks to inertia and lack of organization.
Contrary to popular belief, the cyber option cannot be exercised as an afterthought. You cannot prepare a team of hackers to respond in kind. Subversive or punitive actions require years of covert prepositioning in adverse networks and social structures.
That is exactly why a substantive element of cyber power continues to be driven by access. It is not for nothing that the world’s Huaweis are risking their lives and physical integrity to consolidate access to nodal constructions of digital infrastructure such as 5G, in the process that triggers the most bitter world trade war.
There is only one parameter of effectiveness for cyber operations: cohesion or union in military terms. The cyber option requires a strong convergence of consciousness around political, diplomatic and military bodies, rather than conventional ones whose effects are qualified and known.
The United States Naval War College made a crucial observation about “the importance of presidential personalities in determining cyber operations in crisis,” after war games over a seven-year period. Cyber operations require a smooth and fluid command structure directly from the head of state.
It is okay to struggle with the technical complexities of the domain, but its potential and spending power must be carefully crafted as a doctrine. The Indian cyber doctrine, to be launched earlier this year, has not yet seen the light of day.
While China can profess hegemony in access-based operations with its wide commercial reach, India can still muster tremendous capacity with expeditionary cyber maneuvers.
However, expeditionary cyber operations are volatile and intense, and require a degree of risk appetite, rigor, and endurance. Most importantly, a small misstep or overreaction could lead to a spiral escalation, which can lead to ruthless cyber retaliation by China.
As such, Indian doctrine must detail its escalation and declaratory thresholds very clearly to moderate the adversary’s reactions, who might be tempted to behave irrationally. Unlike nuclear deterrence, there is no science available to deduce such thresholds. They need to be calibrated with experience.
India’s institutional memory of cyber operations is literally non-existent. And institutional memory is the institutional capacity in this knowledge-based domain. General James Cartwright, the first cyber commander, had bet that cyber operations could “restore diplomacy”. It is time for India to put that option on the negotiating table.
Pukhraj Singh is a cyber intelligence analyst who has worked with the Indian government and response teams from global companies.
The opinions expressed are personal.