4 min read.Updated: 02 Aug 2021, 01:52 AM ISTNitin Pai
India is vulnerable on the cyber front and needs a policy that balances security and privacy goals
Public discourse around the Pegasus reports alleging government surveillance of politicians, media persons, public officials and business people is understandably focused on its political and civil liberties dimensions. Yet, the affair also has crucial national security and geopolitical dimensions that must enter the national debate. The 130-year-old governance mindset and administrative processes that the Indian state employs in such matters is not tenable in the Information Age. Pegasus is another reminder that the Indian republic is more vulnerable than ever to information offensives by adversaries.
Information governance in liberal democracies has two key goals: first, to protect the fundamental rights (privacy included) of citizens; and second, to defend the national information sphere from hostile state and non-state adversaries. These goals are sometimes in conflict. There is a trade-off between liberty and national security. Liberal democracies achieve a balance by codifying the trade-off, placing limits on the state’s powers, defining due processes, and subjecting government actions to parliamentary and judicial review. While the Indian state has managed a balance in many areas, privacy and surveillance have remained in a grey zone since the Constitution came into force.
Today, the need for a governance framework covering surveillance and information operations is not only a civil liberties issue, it is also a national security imperative. Pegasus shows that any country that can afford a few thousand dollars can hack the smartphones of heads of government. The French president commands a nuclear arsenal, and nominally at least, so does the Pakistani prime minister. More sophisticated cyber powers can—and possibly are—snooping on our scientists, industry leaders, civil servants, politicians and intelligence personnel without anyone even being aware of it. The first line of national cyber defence, therefore, is empowering citizens with strong encryption. At least until a robust governance framework is put in place, the government must not weaken data encryption.
All governments do wiretaps. Our problem is that our procedures are lax. It is common to read about tapped phones and leaked data in newspaper reports. Manoj Joshi, an expert on national security matters, points out that the designated officials just do not have the time to apply their mind to the hundreds of cases for surveillance that are placed before them every day. This is more than a political and civil liberties issue: without tighter control of surveillance, the government itself exposes the more important parts of the national information space to its adversaries.
We need intelligence reform. The Shah Commission made the case in 1977-78 and the LP Singh Committee followed-up with recommendations. These were quietly buried by the Indira Gandhi government when it returned to power in 1980. In 2011, Congress leader Manish Tewari, as Member of Parliament, introduced a private member’s bill to place intelligence agencies under statute. Government think-tanks and committees have recommended this approach. The Narendra Modi government has shown that it is capable of ‘hard’ reforms, as seen in the defence and space sectors. It should similarly push intelligence reforms. In the meantime, a good way to inject seriousness into the surveillance review process is to require the requesting agency to deposit a refundable financial guarantee along with the application. In a bureaucracy that is more concerned about financial expenditure than the merits of a case, officials with signing powers can be effective gatekeepers.
Beyond national security, the Pegasus revelations highlight a disturbing weakness in India’s cyber warfare capacity. If it is indeed true that Indian government agencies had to purchase a foreign commercial cyber-weapon for their needs, then it shows the upper limit of our national cyber capabilities. The Pegasus list does not feature the US, UK, Russia, China and other major powers. This is not because they don’t hack phones, but because they do it much better. Unlike India, they do not have to buy tools from foreign vendors. We have advertised a strategic vulnerability that is bound to be exploited unless rectified quickly.
Another vulnerability arises from the fact that vendors of commercial cyber-weapons can get insights as to how their product is being used. This information can be made available to their governments. It is also vulnerable to other governments with superior cyber capabilities. The manufacturer of our imported SiG 716 rifles does not know how the Indian Army uses it. But the maker of Pegasus has a very good idea of what its customers are up to. It can turn it off at will. Even the political costs of being exposed could be used as leverage against the buyer. In international relations, friendships are never gratuitous, exclusive or permanent, and offer no guarantees.
The bottomline is that India lacks offensive cyber capacity and is thus not a credible cyber power. Polarized politics and tribalized public discourse complicate matters, but India needs a serious, realist, non-partisan policy debate on the development and governance of national cyber capabilities.
Nitin Pai is co-founder and director of The Takshashila Institution, an independent centre for research and education in public policy