Introduction

The world is in the state of strategic transformation as it transcends from industrial age warfare to information age warfare. Information Technology is a new normal component of everyone's life. It’s all pervasive nature, rapid induction and exploitation is accelerating this transformation. Consequently, there is a distinct gap between the technology application and legal framework, the lag may be a decade or more long. There is a definite need to reduce this gap and ensure that the procedures, processes and legal framework are made more agile and dynamic. The legal framework, which is generally based on precedence, thus faces an undefined challenge.

The nature of cyber warfare is very similar to naval warfare. All nations having shorelines or owning ships are neighbours. There are no border lines. The area of operation is full of enemies, friends, neutrals and not so neutrals with a fair mix of innocent users of the sea. And like naval forces, cyber forces must abide by a structured legal framework lest they are termed militia/cyber pirates.

For aeons, ancient Bharat had the Chturangi Sena (Quad Services) concept, viz., Thal Sena (Land Forces), Jal Sena (Naval Forces), Nabh Sena (Air and space forces) and Maya (Virtual Power). Therefore, conceptually, cyber war has been an integral part of warfare in Indian scriptures. Cyber war, as warfare in other domains, will be executed within the bounds of the Constitution of India, international laws and treaties where India is a signatory.

Developing norms of state’s behaviour in cyberspace is a challenging task. Cyber weapons such as Stuxnet, DuQu, Flame, WannaCry, Petya, Non-Petya and a long list of Advanced Persistent Threats (ATPs) are early signs of large-scale cyber war.

The Constitution of India and Cyber War

Any legal framework in India has to emerge from the Constitution of India. Article 352 empowers the President, on the advice of the Council of Ministers, to declare an Emergency in part or whole of India in the case of war or external aggression, or the likelihood of war, or the probability of a foreign attack. The declared Emergency should be approved by Parliament within 30 days. Moreover, the proclamation of an Emergency must be renewed every six months. And, at any stage, if more than 10 percent of parliamentarians write to the Speaker of the House, or to the President of India, Parliament has to re-approve continuation of Emergency within 15 days.

The contours and texture of cyber war is complex and difficult to understand. It is also likely that the government of the day may not like to make all details public to prevent panic as well as give the opportunity to the enemy to get a battle damage assessment. It will be a challenge for any government to use Article 352 for any pure cyber war situation. Only when cyber war is used in conjunction with physical war, the government may be able to use this provision of the Constitution. It is in the best interest of the nation that Article 352 is not enforced and all appropriate measures, including limited cyber war and cyber defence are initiated without resorting to declaring a state of Emergency. However, there should be a stage where the government may consider a formal response to any cyberattack, with or without the use of Article 352.

On one side it is felt that there is a shortage of quality manpower, while on the other, outside the US and China, we have the highest number of R&D and analytics centres established by the private sector in India. Therefore, probably there is a reasonable amount of quality manpower in IT and IT Security available within India but is sucked-in by the private sector. The shortage is apparently due to exponential growth in cyber-crime, and private industry is not able to cope with it. However, in case of an emergency arising out of a breaking out of cyber war, Article 51A can be invoked to use this manpower for the quick capacity boosting of cyber warriors. Several attempts have been made since 2005 to establish a resource register to facilitate implementation of Article 51A. This project needs revival and more effective implementation. The proposed Cybersecurity Act may make it mandatory to have structured reports and returns for industry and academic institutions.

Cyber Space Jurisdiction

Sections 1(2) and Section 75 of the IT Act, 2000 states that Indian laws related to Information Technology are applicable within and outside India if cause and action fall within the country’s territorial jurisdiction. Rule 2 of the Tallinn Manual determines the jurisdiction issue of a state on which the concerned authority can prescribe, enforce and adjudicate all matters, including those that are civil, criminal or administrative in nature. The rule of jurisdiction covers the physical or legal presence of a person (in personam) or object (in rem) on its territory. The manual concedes that there is a difficulty in determining jurisdiction to cloud, virtual and grid computing environments. These limitations are arguments for the physical aspects of information technology as far as jurisdictional issues are concerned. Cyberspace now covers not only physical infrastructure but also data and associated information. With cognitive war becoming an integral part of cyber war, the way information is presented to humans and intelligent machines also become relevant. We may call the presentation of information as content. Therefore, jurisdiction over physical infrastructure, data, information and content is important for exercising the sovereignty of the Indian state.

The Indian cyber-physical territory includes but is not limited to the embassies, high commissions, and consulate satellites and systems owned by the Indian Armed Forces such as aircrafts, ships, submarines, tanks or any other ground vehicles. It is, therefore, recommended that India may exercise and pronounce her cyber jurisdiction as follows:

• Over an entity or a person who is engaged in cyber activity on her territory.

• Over the objects related information technology located on her territory

• Over data and content process over her territory.

• Extraterritorial, over data or content which is being stored processed or transmitted belonging to the entity or cyber infrastructure within Indian Territory or legal jurisdiction.

• Extraterritorial over the entity or a person or a cyber infrastructure or data or content which is the source of or abettor of a devastating cyberattack on any object or person or cyber infrastructure based within the jurisdictional Indian cyber territory.

• Extraterritorial in accordance with international laws, treaties and agreements.

Only if such cyberspace area of jurisdiction is defined and any aggression observed in the formally declared jurisdiction, then only it will amount to an act of Cyber War in the International Court. Otherwise it will be like what the United State of America faced during SolarWinds case, where the enemy came in and acted against the Cyber interest of the USA and the only thing the USA could do was issue warnings.

Other relevant articles for state of readiness for Cyberwar are:

(i) Recognising Act of Cyberwar from Cyber Crime – A prerequisite for National Cyber Security

(ii) The Proposed Cyber Security Act of India

(iii) Defining Rules of Cyber Engagement (RoCyE)

-------------------------------------------------------END--------------------------------------------------------