So, the Indian National Defence University — along with HQ, Integrated Defence Staff (where the newly formed Defence Cyber Agency is located) — is conducting an international table-top cyber wargame. This is quite exciting. I was meant to execute one Red Land scenario, but won’t be able to participate due to other compulsions. I did send my recommendations. Here’s an excerpt:
1. The following scenarios are drawn keeping one thing in mind: to necessitate an interdisciplinary response, which is how most cyber operations manifest in the tactical and strategic realms. Breaking down scenarios as per broad domains of responsibility would be counter-intuitive and may end up undermining jointness, which is the foundational pillar of cyber response.
2. It is strongly recommended that — rather than drawing up end-to-end, elaborate scenarios — focus be placed on incremental escalations which require re-calibration of existing thresholds of response. It is the single most important problem that the cyber components of the militaries are facing today. For years, the US military picturised a ‘Cyber Pearl Harbour,’ when, in reality, it got tested in various below-threshold incidents. The smooth transition from the declaratory to escalatory matrices ought to be the cornerstone of this initiative.
3. The idea of creating composite teams may also need to be reconsidered. The linear approach of defenders has always acted as the Achilles’ heel. As the famous maxim in cyber defence goes: “Attackers think in graphs, but defenders think in lists.” Re-calibration of thresholds requires some demarcation of broad operational responsibilities and mandates. The flux and fluidity of cyber mandates is another architectural problem which unified components must deal with. ‘Assessing capabilities’ — listed as the primary objective of this exercise — can only be realised by first mapping the capabilities in near real-world scenarios.
4. All the scenarios listed here have had some precedents in the past, which ended up creating new thresholds of cyber conflict. As of now, cyber operations go by the Thucydidean paradigm: “The strong do what they can and the weak suffer what they must.” Because nation states have not clearly defined their limits and capabilities in the cyber realm, norm-violation has inadvertently acted as the only catalyst for norm-setting.