Book Review | India’s Strategic Options in Cyberspace

 By Paranjay Sharma
India’s Strategic Options in Cyberspace by Cherian Samuel & Munish Sharma. Pentagon Press LLP in association with Institute for Defence Studies and Analyses.

Governments worldwide assess their cyber-vulnerabilities and examine all
options for preventing and responding to cyber assaults. Changes in military tactics and
doctrines that factor in demand to raise cyber commands or strategic forces demonstrate
the significance nation-states place on establishing a deterrent force in cyberspace.
Nations are no longer hesitant to develop and train offensive cyber capabilities as part
of a strategy to guard their cyberspace interests. The following book review explores
the content and insights of Cherian Samuel & Munish Sharma titled ‘India’s Strategic
Options in Cyberspace’. This book is an attempt to understand the massive changes in
norm-building processes, emerging notions affecting military thought, critical
infrastructure protection, and the expanding technology realm relevant to cyberspace
and assessing India’s situation. India’s response to a barrage of cyberspace threats has
been delayed, and while progress has been made, there are still fundamental flaws that
prevent cyberspace power from being protected.

The introductory chapter bridges the critical gap in conceptual thinking that has,
until now, lagged due to the narrow interpretation of cyberspace. The authors analyze
the meaning of cyberspace, cybersecurity, cyber warfare, cyber weapons, deterrence in
cyberspace, and critical information infrastructure. The definitions and perspectives
vary from state to state. The authors provide the reader with a comprehensive picture
of the various countries’ and organizations’ versions, thoroughly researching each of

In the second chapter of the book, the author turns our attention to Cyber
deterrence, which is relatively unexplored. Cyber deterrence aims to prevent the enemy
from launching attacks in the future by threatening to attack or attacking their
technology or by more palpable means. Classical deterrence theory rested on two main
prongs – a credible threat of punishment due to retaliation and denial of gains due to a
robust defence mechanism. The authors, drawing a parallel between nuclear deterrence
and cyber deterrence, note that, unlike nuclear deterrence, where both sides are
reasonably aware of each other’s atomic arsenal and means of delivery, cyber deterrence
suffers from a lack of attributability, with multiple actors operating in cyberspace in
complete anonymity. Advocating strongly for a credible deterrence strategy, the authors
point out that as India embarks on a road of digitization and utilizing cyberspace for its
legitimate interests, the ability to prevent cyber-attacks has become critical. This
chapter also looks at the broad concerns that are being debated around the world in building a cyber deterrence concept, framework, or strategy. At the end of the chapter,
the author also explores why cyber deterrence is now the bedrock of cybersecurity
strategies of a growing number of nation-states.

The third chapter explores the process of norm formulation and UN-affiliated
entities such as the International Telecommunications Union and the Internet
Governance Forum in propagating the standard. The author informs the readers how
the development of norms is now being considered as part of the overall framework of
cyber deterrence, cyberspace, which first emerged as a site of geopolitical cooperation
and conflict in 1998 when Russia introduced a draught resolution in the First Committee
of the UN General Assembly calling for a discussion on developments in the field of
information and telecommunications in the context of international security. Other
forums have also been created through the efforts of leading global think tanks and
NGOs as well governments to understand how the norm negotiation process can be
further improved. For instance, the Global Conference on Cyber Space (GCCS), also
known as the London Process, the Global Commission on Cyberspace Stability, and
the World Internet Conference. The Tallinn Manual and the Global Commission on
Internet Governance is also such a one-off endeavour. These forums have had varying
degrees of success in establishing the road rules for a segregated highway system. All
of these forums have had different degrees of success in establishing the laws of the
road for secure and stable cyberspace.

The fourth chapter of the book discusses the concept of active cyber defence,
developed by researchers in the United States and the military and infosec tracks. At its
most basic level, vigorous cyber defence entails four tasks:
1. Obtaining local intelligence
2. Gathering remote intelligence
3. Actively tracing the attacker
4. Actively combating the attacker

It distinguishes itself from the passive cyber defence by taking more aggressive and robust
activities that may fall into a legal grey area. To get a comprehensive understanding of
this concept, the authors cite the distinction made by Tallinn Manual between active
and passive cyber defence. Presently, active cyber defense is a contentious idea since
many of the proposed acts are unlawful under international law. In the Indian context,
active cyber defence as a concept has not been much debated, even though India targets
threats emanating from Advanced Persistent Threat actors. The authors recommend
better coordination between the government and private sector to acquire sufficient
skills and capabilities to attain credibility to show that India can take the lead in cyber

Chapter five discusses the threat to national critical info-infrastructure (CII) and
how the CII is being protected worldwide. The Telecom sector, Satellite Networks, Nuclear Power Plants, Smart Grid forms an integral part of the critical info-
infrastructure. The author emphasizes that any damage or disruption to CII will significantly impact national security, as it is vital to the economy and vital services.
As more industrial control systems become automated and networked, CII security
takes on a new dimension. Critical Infrastructure Protection (CIP) and Critical
Information Infrastructure Protection (CIIP) are now widely recognized as an essential
element of national security policy. The author analyses the stern policy measures
adopted by various governments to develop and implement multi-stakeholder strategies
that include businesses, academia, the private sector, and law enforcement agencies.
The authors suggest that a multi-stakeholder approach and legislation should be
adopted by the Government of India that defines their role in governing and
safeguarding the CIIs. They emphasize the necessity for the country to develop a
framework to handle and manage cybersecurity threats and improve the cybersecurity
posture of the nation’s critical information infrastructure as a whole.

Chapter six discusses the technological challenges that India is facing in the
surging competition for encryption, AI, and quantum technology development.
Globalization, the exponential increase in data volumes in all types of companies, and
the expanding number of varied types of devices connected to data networks all impact
everyday life, the economy, and the overall growth of our country. Democratic setups
worldwide have much debated and adopted strategies around encryption, data privacy,
quantum computing and AI. India must develop these technologies to meet its
operational needs. The government must bring all stakeholders together with the
common goal of creating these technologies as a mission. The author highlights that
late having the advantage of ‘leap ahead’, but delays can have catastrophic
consequences. India has a long way to go in these areas and requires continuous
tracking of evolving technologies globally as well as conformity with the country’s
R&D goals and agenda.

In the seventh chapter, the authors talk about Public-Private Partnership (PPP)
as the way forward since they help combine the best of both worlds and complementary
talents to establish a secure cyber ecosystem. India has PPP models in place in various
areas, including civil aviation, energy and utilities, and road and infrastructure
development. In India, private companies dominate the telecom industry. Similarly, the
private sector is actively involved in banking and financial services, which is at the
heart of the economy. As a non-traditional security domain, cybersecurity would
necessitate a non-traditional method of problem-solving. In this situation, PPP might
assist in the provision of answers to many open problems. The authors also map PPP to
solve collective problem solving integrated with respective strategies in the USA and
Europe. At the end of the chapter, the authors recommend three areas, namely
Operations, Technology Education & Research and Policy Research, where efforts
should be prioritized for PPP to flourish in India.

The book’s last chapter provides specific advice for preparing India to tackle the
cyber threat that looms over the country. Despite its progress in cyberspace operations,
India still faces numerous significant hurdles in developing a comprehensive,
regionally relevant cyberspace operations capacity. The authors highlight that it is
critical to be aware of current trends in cyberspace policymaking around the world and
the implications for cybersecurity. This paradigm shift in thinking necessitates the
implementation of suitable national policies. In essential areas like vital information
infrastructure protection and India’s involvement in the norm-building process, a
realistic appraisal of successes and deficiencies is required. Another crucial area that
requires review is public-private partnerships. During the research and preparation of
the book, the writers met with specialists. They had talks with them and attended
conferences, roundtables, and seminars and did a complete literature review at the end
of the book; the author’s aid nineteen recommendations to rethink capacity building and
strengthen the posture of India in cyberspace.

In a nutshell, this book by Cherian Samuel & Munish Sharma is structured to
serve as a primer for people who want to learn about the strategic issues and essential
concepts in cyberspace, as well as to provide enough pointers for those who want to
learn more about specific topics in-depth revolving around cyberspace. The efficacy of
cyber deterrence, the complex history of norm-making in cyberspace, defending critical
infrastructure from debilitating cyber-attacks, and the practicality of active cyber
the defense as a way of responding to cyber-attacks are among the significant concerns