Last week the Defence Secretary ceremoniously opened the cyber operations centre based at Sri Lanka Air Force Head quarters, which was primarily established to monitor cyber borne threats that are directed towards any institution under the umbrella of the Ministry of Defence. Cyber threats and challenges are increasing in magnitudes that has made even the most advanced defence establishment scrambling for solutions and devising mitigation strategies globally.
Cyber challenges are spread across various domains from the military to the civilian and through public to private sectors. Sri Lanka has been fairly safe from the larger cyber-attacks that has had impacted most countries militarily, economically and politically. Last five years have seen an increase in cyber espionage, cyber-attacks on banks, and critical infrastructures from Saudi Arabia’s oil and gas giant ARAMCO to Power plants in Ukraine. The economic losses as a consequence of cyber attacks are staggering, many states have no real idea of the value of mass transfer of money to cyber criminals and adversaries.
Sri Lanka cannot pretend to be immune from the current regional and global competition for power among big powers. The Indian Ocean as many pundits have serially pointed out is becoming competitive, militarized and strategically pivotal.
Thus sitting amidst all such competition, Sri Lanka is witness to an intense geo political rivalry pitting between China and India, the larger power struggles involving USA, Russia, Saudi Arabia, Iran, Turkey, Israel and North Korea. These contests are spilling out of their regions and most of these global rivalries are intensely articulating in cyber space.
Two major international security concerns are increasing rapidly, the emphasis of nuclear weapons option, the development and expansion of tactical nuclear weapons. Western defence establishments are warning of Russia’s increasing interest in low-yield nuclear weapons with the option to launch limited and selected strikes if its interests are threatened. Russia’s Syrian military intervention has seen an increase of sophisticated Russian weapons platforms in action which has alarmed many Western allies.
This points to a more ambitious Russia, and a more confident Russia, when it comes to flexing its military muscle. In comparison with the United States in 2017, Russia spent US $ 69 billion on defence expenditure while the US has spent 611 billion, with an additional 54 billion pledged by Donald Trump in 2018. Yet the nuclear option levels this discrepancy and possess a significant threat to the United States.
"In a recent observation on creating better cyber security capabilities, the biggest challenge according to a British cyber military commander was ‘people, people and people’ a mantra similar to what geo-political gurus say about Sri Lanka in the Indian Ocean ‘location, location and location’"
Parallel to that the second development is the increasing demand for cyber security and establishment of cyber offensive capabilities. Many defence establishments are looking at using limited nuclear strikes as responses to cyber attacks. These discussions were already in play in the United States when the Sony entertainment company was hacked in 2013.
Sri Lankan policies on cyber have focused extensively on countering cybercrime and the laws have been modified over the years, all tri forces do maintain their own cyber security cells. The new cyber operations centre is a preliminary effort to consolidate all cyber operations under a centralized structure. Globally militaries are adapting to creating cyber security and mission integration capabilities following the US, Cyber command structure that was established in 2010 as a sub unified command and elevated to a unified combat command last year under a presidential directive.
Sri Lankan defence establishment could observe the functioning of US cyber command and focus on cyber security debates that are intensifying in India. India has been looking at developing their own cyber agency since 2012, India unveiled its first cyber security policy in 2013. Analysts and scholars alike are calling for a serious overhaul of this policy. India has witnessed significant cyber-attacks on both its military and civilian infrastructure.
Nearly 30 Indian banks have been subjected to attacks and cybercrime has increased by more than 300% in the last few years. In response Indian defence establishment is seeking to establish a unified command similar to US cyber command named ‘Defence Cyber Agency’ this year.
The key to going about in developing a cyber security approach is to get the overall strategy right, arriving at a cyber strategy that links with the political objectives of the state remains a very difficult task. Cyber has totally displaced the space and time to think through a plan, its effects are always new but consequences far reaching. Coming up with a strategy to cope does take time as the learning process is slow. States have become so vulnerable during this time lag of analysis and action.
Last week Admiral Michael Rogers the current head of the United States Cyber command said to the Senate Armed Forces committee that even the US Cyber command has not been able to prevent or project key threats that has emanated from Russia in the last few years. The cyber command currently has 133 teams working in separate cells and an ever increasing budget yet even for the world’s largest cyber security apparatus dealing with Russia alone has become a difficult task.
Admiral Rogers went on to project Cyber command’s new path in which he highlighted the importance of devising a cyber strategy in consultations with the private sector and academia in his briefing. He said, ‘We intend in the coming year to create an unclassified collaboration venue where businesses and academia can help us tackle tough problems without needing to jump over clearance hurdles, for example, which for many are very difficult barriers’.
"Nearly 30 Indian banks have been subjected to attacks and cybercrime has increased by
more than 300% in the last few years"
If Sri Lanka security establishment plans to have a serious thought about devising a national or security policy leading to a cyber strategy it also could benefit from cross stake holder consultations. The private sector, think tanks and academia is a trinity that could not be ignored. Expertise they bring in from their own fields can act as force multipliers and cyber threats are intimately linked with both private and public network vulnerability. Since the United States presidential elections the society as a whole is viewed as the primary node of vulnerability.
Thus what Sri Lanka needs to quickly create properties of strategic adaptabilities to deal with cyber vulnerabilities, Sri Lanka’s military component of cyber strategy in late 90s evolved as a response to dealing with propaganda and disinformation campaign that was carried out by a multitude of pro-LTTE front organizations.
The military should revisit this experience, much before the American’s started exploring narratives that damaged their democracy and electoral process in 2016, the LTTE was successful in weaving a narrative that got the attention of global media, policy makers, think tanks, civil society activists making it extremely difficult for the Sri Lanka government to counter.
Even in the post war scenario most of these networks still manage to function utilizing the networks built during the war, thus Sri Lanka still faces challenges of weaponised narratives from external adversaries.What we are not realizing is that the social media platforms within Sri Lanka are now becoming spaces for hate speech, most Sri Lankans without fully realizing the damage they can do to the fragile social cohesion we are maintaining are contributing to its destruction.
"Sri Lankan policies on cyber have focused extensively on countering cybercrime and the laws have been modified over the years"
Thus cyberspace is continuously been used by our adversaries from the outside and our political protests and frustrations are leading to an attack on our own national identity from inside. This is what Western scholars now call weaponized narratives that can seriously undermine democratic processes and influence electoral functions.
In a recent observation on creating better cyber security capabilities, the biggest challenge according to a British cyber military commander was ‘people, people and people’ a mantra similar to what geo-political gurus say about Sri Lanka in the Indian Ocean ‘location, location and location’. Thus Sri Lanka today is driven by the ‘location’ mantra but we should create a cyber strategy that could safeguard not just our security networks and infrastructure but political processes thus we also should seriously consider the ‘People mantra’.
This is where cyber policies should include academia and private sector into the state security discourse. A cyber weapon or security institution with no real strategy to back it will be as useless as the mother of all bombs that the US Air force dropped on the Taliban in Afghanistan early last year yielding zero strategic advantage or outcome.
The writer is the Director, Bandaranaike Centre for International Studies (BCIS)