OPED By Saba Sattar
The world is in the midst of a significant digital transformation. As international power dynamics shift, disruptive cyber challenges define our future of warfare. Within this quandary is the much-hyped Indo-Pacific region with the fastest-growing information technology (IT) industries, particularly from India and the United States.
As emerging technologies become incorporated into our everyday lives and now in military applications, international legal standards and norms fail to keep up with the proliferation and consequences of network-ready platforms.
China’s rapid economic and military rise defines strategic competition in this space, ranging from its maritime militias around the Spratly Islands in the South China Sea (SCS) to political propaganda campaigns against states that host the Dalai Lama.
But one incident stood out in 2020: the Sino-Indian Himalayan border skirmish in which 20 Indian soldiers were killed. Why?
Cyberattacks Linked To Galwan Conflict?
China’s kinetic action across the Line of Actual Control (LAC) – the demarcation line between the two contiguous neighbors – was complemented by the country’s first-ever direct cyberattack on another nation-state’s critical infrastructure.
The Galwan Valley incident also resulted in the amassment of troops along the longest border in dispute.
And this included a wave of lethal cyberattacks. According to Recorded Future, a private cybersecurity firm, Chinese state-sponsored cybercriminal group Red Echo launched a malware attack against India’s electric utility companies, seaports, and railways. The report concluded that these attacks were directly linked to the border conflict.
Previously, Beijing used state-sponsored cyber-criminals to conduct isolated attacks, similar to Maoist hit-and-run tactics in remote regions. But such incidents, like the time the Chinese ship Haijing 4301 sank a Vietnamese fishing boat in the Parcels in April 2020 or when Philippine President Duterte warned that he would dispatch troops on a “suicide mission” after China deployed hundreds of ships in the Spratly chain.
Anti-status quo powers, like China, recognize that a conventional war could hardly be feasible; instead, they embark upon asymmetric competition between the “limbo land” of war and space – i.e., the gray-zone tactics.
The proliferation of network-enabled technologies, lack of international norms to govern cyberspace, and prospects of misinterpreting cyberespionage for military aggression heighten the chances of strategic miscalculation.
This is why the need to establish norms and regulations in the emerging domain cannot be overstated. The Indo-Pacific needs a regional convention to promote cyber peace and establish “red lines” against such cyberattacks.
The convention can be modeled after the Fourth Geneva Convention, which set forth international legal standards of humanitarian treatment to protect civilians from attacks in times of peace.
Setting International Norms
The idea for a Geneva-style convention was first introduced by Microsoft President Brad Smith. During a talk in 2015, he advocated for a framework that would require vigorous cooperation with the private sector to act as neutral parties and first responders of cyberattacks.
Given the recent turn of events and China’s pursuit of an asymmetric offensive advantage, the need for a convention is more urgent. The IT industry continues to pivot toward Asian economies, and the cyber competition is correspondingly increasing. Beijing is actively preparing for “informatized” wars – i.e., the use of electronic, cyber, computer network attacks, information operations, and deception.
According to Smith, there would be five aspects to the Digital Cyber Convention. First, signatories would not be allowed to target technology-based companies, the private sector, or critical infrastructure.
Second, parties would exercise restraint in “developing cyber weapons and ensure that any developments are limited, precise, and non-reusable.” Third, states would “commit to non-proliferation activities”.
Fourth, limit the use of offensive operations to avoid a mass event. Fifth, the convention would leverage the joint cyber capabilities of like-minded democracies to better identify and establish clearly delineated “red lines” of responses to cyberattacks. These conditions would proceed as norms.
India-Australia Partnership Offers Hope
India’s $12 million bilateral Cyber and Critical Technology Partnership with Australia offers opportunities for a practical framework as the need for a regional convention grows.
The partnership seeks out cooperation in strategic and emerging technologies, such as artificial intelligence (AI), next-generation telecommunications, and quantum computing. Both states champion this mechanism to realize their “shared vision of an open, free, rules-based Indo-Pacific region”.
The significance of the Australia-Indian partnership in cyberspace is that existing bilateral cooperation will enable room for pursuing larger multilateral arrangements between the Quad members.
The much-hyped Quadrilateral Security Dialogue (Quad) also offers a strategic forum to champion a region-wide convention to establish norms of behavior and conduct in cyberspace. Norms create an inherent understanding of expected codes of conduct.
In contrast to other physical domains, cyberspace is artificial, and its rules of engagement are virtually non-existent. The digital space ignores state borders and costs nations a fraction of what conventional military operations require with the added benefit of maintaining plausible deniability.
The strategic cyber challenge must, therefore, be addressed by reaching an international consensus on norms for responsible state behavior and the enforcement of global standards for warfare.
(Saba Sattar is a doctoral candidate of Statecraft and National Security at the Institute of World Politics (IWP) in Washington, D.C. She specializes in the Indo-Pacific region, with challenges ranging across the conflict continuum from low-intensity conflict to Chinese revisionism.)