My opinion of the think tank ORF’s cyber policy work

So, a journalist emailed me asking for my opinion of the Observer Research Foundation’s (ORF) cyber policy work. It’s a Reliance-funded organisation and thought to be India’s most prominent think tank. It also hosts the annual Raisina Dialogue on foreign policy with the Indian government, and the CyFy conference on technology and the cyber issues. My reply is pasted below:

The strategic thought in cyber has always been plagued with extreme ambiguity. This ambiguity stems from the very ‘physics’ of the domain itself, the highly elastic nature of ‘cyber operations’ (I use this term very broadly).

This elasticity not just manifests in operational intent but also its strategic interpretation. There has only been a minimal overlap between the vocabulary of strategic affairs and the grammar of cyber operations since the last two decades. And as such, we still haven’t come up with a reasonable taxonomy to even define, say, causality and proportionality in cyberspace.

In fact, most of the conventional precepts of nation-state sovereignty have come under extreme stress in cyberspace, which makes many governments very nervous.

The think tanks, especially in the West, have been caught up in this loop of self-validation — driving them even further from the extant reality of the domain — and that’s why things came crashing down after the Snowden affair.

The ORF and its programme to assess the ramifications of cyber from an international security context succumbed to this ‘path dependency’ from the very beginning.

While the effort is certainly admirable, it has conveniently imported the discursive model promoted by the West that tried smothering cyber power and cyber conflict with old statutes like the Law of Armed Conflict.

Needless to say, that effort failed miserably since cyber operations confusingly manifest as below-threshold incidents or seem to blatantly violate the thresholds (and even create new ones).

It may be worthwhile to add that mapping cyber operations to the conventional thresholds of conflict is extremely challenging in the first place — we don’t have the formulae yet.

Nonetheless, this is the discourse that the Western think tanks promoted internationally (e.g. via the Tallinn Manual and the UN GGE, etc.) up until recently.

In light of the recent revelations as to how the Anglophone alliances of the West exploited this self-perpetuated ambiguity for the widespread and irreparable weaponisation of cyberspace, that mode of argument seemed incredulous and duplicitous — and it has been summarily rejected now.

Consequently so, it actually aided the militarisation and balkanisation of the Internet.

There are two major geopolitical power blocs in cyberspace: the ‘free Internet’ coalition led by the West and the ‘cyber-sovereignty’ menagerie led by Russia and China — the latter is gaining ground at the expense of the former’s self-sabotage.

India’s diplomatic position has been pathetic and schizoid — and it has been declared as a ‘swing state.’

At the heart of it, because the technical and operational facets of the domain are so complex, ‘tactical cyber’ — which produced immediate results and hence, captured the attention of the decision makers — even haemorrhaged internal strategic thought within the US.

It had a global cascading affect — leading to devolution and regression. Offence became structurally dominant in cyberspace as the myopic tacticians ran amok — it has set cybersecurity back by at least two decades.

The ORF’s cyber programme still adheres to that discredited school of thought that is completely divorced from the physics of the domain.

So, a think tank that plies the same old hackneyed position is bound to become inconsequential. I think, the worst punishment for a think tank is that its work is devoid of any consequence. The ORF has had little impact on the domain and its views remain limited to the vaunted ‘travelling circus’ of policy wonks.

The global strategic community has already wiped the slate clean to derive new thresholds and formulae taking into account cyber’s ambiguity and nuance.

We are at a juncture where even the positions of venerable institutions like the EFF and Harvard’s Belfer Center have been invalidated (they did a complete volte-face in the Vulnerabilities Equities Process debate).

More so, the stances of the cyber-sovereignty bloc have now been permanently legitimised — even the West has swallowed this bitter pill evident from the ongoing re-calibration of response by the US Cyber Command.

Many of the transgressions of Russia, China, Iran and North Korea in cyberspace are now to be seen as an effort in norm-setting.

So again, if a think tank still subscribes to the outdated worldview that has been exposed as hegemonic, it may actually weaken India’s posturing in cyber-geopolitics, which is purely a function of realpolitik till now.

Indian think tanks have rarely, if ever, accommodated the views of Russians and Chinese in cyberspace — their borrowed language can’t accommodate them.

Yet, rife with cognitive dissonance, the ORF’s domestic positioning expounds sovereignty but its global outlook seems libertarian.

Such lack of foresight may prove to be very costly, as incremental, not-so-alarming steps towards cyber-sovereignty could be worse than a sudden slide into a dystopia. The ORF’s, as a product of an increasingly corporatised body politic, may adversely affect the strategic fabric.

For example, the threat to India from disinformation is largely internal: a diverse, multi-ethnic society subjected to extreme political polarisation. The political vocabulary you use becomes the technical grammar of your adversary’s cyber operations. And it isn’t just the vocabulary you expend for foreign affairs or other outwardly matters that gets exploited, but even the inward-looking stances on domestic politics.

But the think tank may not be in a position to take that head-on considering its closeness to the powers-that-be.

Another, if not major, foundational problem here is that there are very few real cyber operators who have graduated to the Indian strategic circles.

It is indeed a truism that until you have seen the conflict from the very foxhole — dabbled with the intricate mathematics of exploitation and experienced the offence-defence symbiosis up, close and personal — a lot of your expounded generalisations may just remain inapplicable at best and incorrect at worst. The backgrounds of people at the helm at the ORF’s cyber programme do not instil any confidence.