The enduring nature of the India-Pakistan rivalry and repeated conflicts create new avenues for increasing competition in cyberspace. While current cyber attacks remain limited in scale, cyber weapons can potentially drive escalation dynamics between the nuclear-armed rivals. Absent consistent dialogue and defined norms, cyberattacks threaten dangerous implications for regional stability, making it imperative for both states to address the future of their cyber-relationship. Going forward, India and Pakistan can rely only on deterring each other through a buildup of offensive capabilities, or they can establish CBMs to bolster deterrence and stability.
Both India and Pakistan are rapidly moving towards digitalization. Such a trend is a double-edged sword. On the one hand, it stimulates economic growth, opening new avenues and possibilities for a state and its populace. On the other hand, it increases vulnerabilities to cyber threats. To protect themselves against cyber risks, states strengthen their cybersecurity and enhance their offensive capabilities.
Pakistan and India can take two pathways – deterrence through an arms buildup or CBMs – to define their cyber relationship. Due to the risks posed by an arms race in cyberspace, it will be advantageous for India and Pakistan to engage more vociferously in cyber CBMs.
Cyber Deterrence and CBMs
Cyber deterrence aims to prevent an adversary’s threatening actions in cyberspace through the threat of punishment, denial by defense, entanglement, and normative taboos. Scholars have considered deterrence by the threat of retaliation as the best possible course of dissuading an adversary. However, given the difficulties of ascertaining attribution in cyberspace, retaliating to cyber-attacks becomes challenging.
Deterrence by denial can play an important role in the cyber domain. If a state has better defense capabilities and an edge over its adversary, the adversary may be dissuaded from taking offensive measures. While the concept of deterrence in cyberspace is less nuanced than in the nuclear sphere, lessons on the importance of CBMs to bolster deterrence are pertinent.
The less nuanced nature of deterrence in cyberspace compared to the nuclear domain has initiated scholarly debates about whether such deterrence can succeed. For example, cyber deterrence cannot fulfill the three Cs of nuclear deterrence – capability, credibility, and communication, complicating cyber deterrence compared to nuclear deterrence.
Attribution is another major problem in the case of cyberattacks. Successful attribution is an important prerequisite for deterrence. In the nuclear domain, states typically demonstrate their capabilities by testing weapons or organizing military parades, which is impossible in cyberspace. Similarly, the bleak possibility of communication of capabilities to the adversary thickens the fog of war. States will have every reason to doubt the accuracy of their adversary’s stated cyber capabilities.
It is, therefore, imperative for Pakistan and India to constructively engage in the cyber domain to safeguard their strategic assets. It will also help in starting a dialogue that has been at an impasse. Pursuing phased cyber CBMs can be more beneficial for both countries because of the challenges posed by cyber deterrence.
According to some reports, four types of such CBMs can be developed by states to establish mutual trust and stability – collaboration, crisis management, restraint, and engagement.
Through collaboration, states can jointly solve issues in cyberspace by policing compliance with established best community practices, conducting joint international investigations into cyber incidents, and applying concepts from international environmental law to cyberspace. Options for crisis management in cyberspace include functional alignment of cyber crisis response teams, a bilateral cyber hotline, and multilateral cyber adjudication, and attribution councils. Restraint can be achieved by limiting target selection and applying legal or political neutrality status for selecting cyber ‘safe havens’ before and during a conflict. Engagement-focused CBMs are based on establishing an organization that will enable technically proficient and unaffiliated actors to use their expertise to safeguard crucial cyberspace areas. Some of the possible CBMs in this regard are identified below.
Creating a Joint Probing Committee: In a crisis, both sides can attribute a cyberattack on the other sans any verifiable proof. The growing importance of cyberweapons in India and Pakistan’s kinetic escalation can be seen in reports showing increased malware and phishing attacks during the Pulwama-Balakot crisis. Attributing the blame for a cyberattack remains a key global challenge. If New Delhi and Islamabad are serious about preventing inadvertent escalation, creating a Joint Probing Committee of experts from both sides can help mitigate crises. However, both sides will be wary of providing transparency into their cyber security infrastructures. Negotiating such measures could be a non-starter at the Track I level. As a first step, India and Pakistan can nominate their former officials and trusted experts to engage on Track II with a clear mandate to offer mutually workable solutions.
Establishing a Cyber Hotline: Islamabad and New Delhi can establish another hotline – in addition to the already existing DGMO hotline – to discuss any urgent cyber-related matter. A similar initiative was taken to establish a hotline between the Foreign Secretaries, but that did not take root for either technical or political reasons. This checkered history should not deter both sides from proactively examining outstanding issues. The cyber hotline should be used regularly and not relegated to the sidelines as the other two hotlines have been. The cyber hotline could be established between Pakistan’s Interior Secretary and their Indian counterpart.
Avoiding Critical Infrastructure: India and Pakistan’s bilateral Non-Nuclear Aggression Agreement, entered into force in January 1991, bars the two countries from attacking each other’s nuclear installations. Even during the worst of crises, both states have never failed to exchange the list of their installations every January 1st. Both countries can identify critical infrastructures related to economic, energy, financial, and security apparatus and pledge not to attack these.
India has ceased substantive strategic dialogue with Pakistan and spurned efforts to build a strategic restraint regime. There is a sense of ‘CBM fatigue’ in Pakistan. Further, Pakistani policymakers see the growing U.S.-India strategic partnership as hurting strategic stability in South Asia. The international environment is also dismal. All technologically advanced states are building their cyber offensive capabilities in the garb of defense. Efforts in the UN General Assembly and elsewhere have been inconclusive.
India and Pakistan can take the lead in building cyber security CBMs for the world to follow. A possible way forward in this situation is identifying areas of convergence between Islamabad and New Delhi, opening avenues of communication, with all stakeholders sharing the burden of this responsibility. Cyber CBMs can help ensure regional stability, paving the way for cooperation and trust-building between Pakistan and India.
Click here to read this article in Urdu.
Image 1: Technology in Cyberspace via Public Domain Pictures
Image 2: India-Pakistan borderlands at night via Flickr