A

Foreign.

B

This is Tommy Wren and I'm here with the Gruk and a special guest for a Between Two, Between Three Nerds. Our special guest today is Joe Devaney, who is a senior lecturer at King's College London in War Studies. And Joe has written a number of papers relating to cyber statecraft and in particular we're talking to him about India, because that's a country both Grok and I are interested in for various reasons, from a cyber perspective. But first of all, I'd like to thank our sponsor, Dropzone AI. I have a discussion out on the podcast channel this week with Edward Wu, who is the founder and CEO of Dropzone, all about how AI can make SOC analysts more efficient and effective. So, Joe, my impression, vague impression of Indian cyber, is that it's a bit of a contradiction in that there's a strong cyber espionage as a service industry, or at least a high profile one at times, yet the state doesn't seem to really, you know, use cyber as a, as a tool of statecraft at all. So am I totally wrong?

C

No, in a way.

A

Next question.

C

Or at least it's not as simple, I guess, as that. Although what I wanted to say first is I'm delighted to be here and thank you very much for inviting me. And as I said before you clicked Record, I'm a big fan of the podcast, so it's really nice for me to get a chance to speak to you both on. On record, on air, if that's the right phrase. So the work that we're going to be talking about is part of a research project that I've been involved in in the last two years. So I've been working alongside Arthur Lodran on our bit of the project, which we'll talk about. But the wider project is called Cyber Statecraft in an Era of Systemic Competition. And the principal investigator is Tim Stevens, a colleague of mine at King's. But it's a project that involves collaborators From Bath & Rusi, the think tank as well, and we are very generously funded. So thank you to our funders by the epsrc, the funding body, and dsdl, the governmental organisation. So we're very grateful for the funders to be able to conduct the research, but obvious inevitable caveats at the top that anything that I say, I'm saying is my opinion and it doesn't reflect the views of anyone else on the project or definitely the funders, but thank you to them for making the work possible. So we were looking at the research question, which was how does cyber statecraft Work in what we were calling, and it wasn't our phrase, the middle ground of countries. And the way that the middle ground is commonly described is it's a group of countries that are neither in the like minded block. So the liberal like minded bloc, the us, the uk, Europe, Australia, you know those countries. And at the other end of the spectrum you have an authoritarian bloc, which essentially you're talking about Russia, you're talking about China, you're talking about a relatively small number of other countries around that orbit. So once you defined what the like minded group are and the authoritarian bloc, you are left with most of the countries in the world. And for want of a better description, they tend to be described as the middle ground for obvious reasons. They're in neither one group nor the other.

A

They can be for us or against us, both states of being.

C

Yeah. Or they could even make decisions, you know, without that being front of mind. And that is our interpretation, our projection onto their decisions. That's right. So there is that quality of are you defining a country on the basis of how you perceive it or how that country perceives what it is doing, what it is trying to achieve in and through cyberspace? So with cyberstatecraft, so conceiving cyber statecraft essentially is using all of the instruments related to cyber, whether that's operational or cyber diplomacy, engagement in multilateral discussions, or cyber capacity building, improving the capacity of other countries as a sort of developmental diplomatic line of effort. How do those countries perceive themselves as cyber actors? And so the starting research question for us on this particular package, it was me and Arthur Lodron, who's not here, but was very much part of this research. What we wanted to look at was how useful is the middle ground, as a phrase for defining the cyber statecraft of India. But also the other two country cases we looked at were Brazil and South Africa. So they're three countries that are obviously very different. They're in different parts of the world, but. But they are often thought of as leading members of this amorphous group that is described as being the middle ground. And the first thing that I think we encountered in looking at India was that its position in cyber statecraft was really different in important respects from Brazil's and South Africa's. And I think each of the three countries that we looked at faced obstacles. But the main difference, I think, between India and Brazil and South Africa. And if you like, the sort of the challenge to the way that you framed the question at the outset is that India has a lot of latent potential Cyberpower, you look at its private sector, its IT services sector, you cannot say that India doesn't have lots of skills, lots of very innovative and very successful companies. And that is a great starting point. If you aspire to be a rising cyberpower actor in the world, which to an extent, I think you could describe India as wanting to achieve that. I think it's more focused on improving its own domestic position and especially its position in relation to its chief security threats. I don't think it has a sort of a grand, expansive, elaborate vision of projecting cyberpower around the world. I don't think that is what India wants, but it certainly does want to improve on its existing position. And I think the way I discuss it with students is to say, you know, if you were to start in 1980 or 1990 and say, you have India, you have China, I want you to think 25 or 30 years into the future and tell me, and obviously they wouldn't understand this question because you're going to ask them in 1980 who's going to have the most cyber power? Obviously, you'd have to explain it. I think a lot of people would have said India and not China in 1990. I think still people probably would have said India and not China. Lots of burgeoning IT industry in India, less so at that time in China. But what you've seen over the last 25 years, people would say China, and it wouldn't even be a question now. So I think what you have is a really interesting difference in trajectory, because on China's side, they have totally pursued this focus of rapidly expanding and building, especially the hard power aspects of cyberpower. And in India, you see a different trajectory. So obviously you've got a very different system of government. It's a democracy, it's not an authoritarian country. So in a sense, things are harder to do in that way because you have to bring more stakeholders along. You also have, I guess, a different threat environment. And this again, is another thing that distinguished India from the other countries that we looked at. So for South Africa and Brazil, they're in a sort of a relatively benign space when it comes to regional cyber threats, or just even just regional state threats, India faces a very different regional strategic context, and that drives the way that it approaches its national security strategy. So for 25 years, well, for a lot longer than 25 years, Pakistan has obviously been a high priority. Obvious reasons why, in terms of various conflicts and contingencies with them, and that, if you look at the literature, has driven India's approach to improving its cyber capabilities. And that's why I mentioned the sort of the 25 year old sort of time period. I think you can date the creation of institutional actors, sort of civilian cyber actors to that time period as a reaction to perceived shortcomings that India had in engagements with Pakistan. So that's why it's unsurprising, I think, that the focus of India's sort of defensive cybersecurity or building cyber institutions was on the classic India, Pakistan sort of security question that would define so much of India's sort of armed forces building military capability and thinking through how they might need to use those capabilities in a conflict. What's changed over the last, I think 10 years and especially over the last five or six, is China. So I think India can be reasonably confident that it has, for want of a better phrase, sort of cyber overmatch in relation to Pakistan. But I think there's an interesting question about the extent to which China might be helping Pakistan. And there is a separate question about how well prepared India is for dealing with the cyber aspects of confrontation with China. And that's sort of, if you like, both in protecting its civilian infrastructure, but also in the cyber aspects of any confrontation between their armed forces. So that has very much been front of mind, I think, for India over the last five or six years. And that's a period that you see some institutional developments in the way that India tries to improve its military cyber capabilities, improving the relationship between those services. So there is a definite sense that they are trying to quickly improve. It's not that they're starting from scratch, but I think it's that they are transitioning from an approach to cyber that was maybe more incremental, was certainly slower in the trajectory of growth than China. And I think that switch in security focus, if you like, from a focus on Pakistan, which to some extent they can't ignore, they can't stop thinking about Pakistan, but they really do now over a period of years, have been focusing on China. That's very understandable considering that they have a border. There have been engagements between Indian armed forces and Chinese armed forces. So there is a very direct and obvious reason to take that seriously, including in cyberspace, which I guess we can go on to talk to about what the Chinese threats to Indian infrastructure are in cyberspace. But that's a sort of a relatively brief sort of starter on what I think is driving India's approach to cyber statecraft, which are the threats that they take most seriously. And the differences, I think, between the Indian case and Some of the countries that you could talk about in the middle ground.

B

Yeah, I think you said cyber overmatch against Pakistan. And both Quack and I obviously pay attention to cyber things. And that's not something that I would necessarily have known. I would have just gone, oh, I don't know. So can you tell us a little bit about, like, what does India's cyber capability from a military perspective look like? And I suppose another question is why don't we hear about it? They just, you tend not to hear about countries because they're good, they're using it against Pakistan.

A

There's nothing to hack.

B

Or there's no English language press. There we go.

A

That's it.

C

Well, I mean, so there is an English language press, but no, those are all really good questions. They're kind of, they're distinct, but they're obviously related on the sort of the India, Pakistan side. If you dig a little bit. What you see is, I mean, the best way I could describe it actually in some of the literature from the Pakistani perspective is almost cyberpanic. There is this sense of India as an outsized cyber actor that has more capability, that is more sophisticated, and against which Pakistan struggles to defend itself, which is very much a narrative that is there in the literature. There's a strand of reporting about essentially relatively low level, tit for tat, the lowest level of cyber operations, if you like, between actors in Pakistan and actors in India, and to say nothing of ultimate sort of institutional attribution. So that is there, you know, that bubbles away in the background and actually literally has done for decades. In terms of the institutional arrangements for cyberpower in India, what you have is very similar to what you're describing. So you've got the military actors who have tried to improve their interservice cooperation, integration in the way that they prove defensive cyber, military cyber capabilities. You do have what you would call the civilian cyber operation, Institutional actor. I think the acronym is the ntro, which sort of sits at the center of Indian government. And that's the one that I think has about 25 years of existence that was brought into existence to solve perceived cyber shortcomings and I guess to focus on the Pakistan threat. And then you have the raw, which is the mainstream intelligence agency, which is understood to have a cyber capability. And I don't know how best to describe that, but it might be that it's a smaller scale version of what we know in the US of the CIA having its own cyber capability separate from cyber command. So you've got cyber capabilities that Sit in an intelligence institutional context, and you've got the military cyber capabilities. So they sort of proceed in tandem. In the project, we were trying to understand what the connections are between these institutional actors, how the authorizations flow, who ultimately is in charge of directing both the development of, but fundamentally the employment of India's institutional cyberpower. And it's just a really difficult question to answer because of this third question that you're asking, which is why do we not know more about it? And if you like, the most consequential, in the kind of Rumsfeldian sense, it's a known unknown. So we know it's a consequential question. We know we don't know enough about it. But how do we interpret that lack of knowledge? So on the one hand, you could say we lack knowledge about it because there's just not a lot there. That would be one inference. We don't see it because actually there isn't much going on. But the alternative interpretation is we don't see it because you wouldn't expect to see that sort of activity. We do see cyber threat intelligence companies talking about Indian threat actors in cyberspace or South Asian nexus threat actors in cyberspace. So we know that there is threat activity emanating from India. But what there isn't a lot of clarity about is what the relationship is between the actors who are responsible for that behavior and ultimately the Indian government. So there is no Indian equivalent of what in China we saw with the Isoon leaks, which gives us this sort of rich, textured sort of insight into the sort of the ecosystem of private sector cyber and how it intersects with the governmental approach to cyber statecraft. And in India, you do have some sort of windows of insight into different aspects of that private sector, for example, the spyware industry. But you really don't have anything that gives you this really deep understanding of whether and to what extent the Indian government uses the private sector as a strategic instrument. Just using lessons from the literature, you would say that it would be prudent for a state that has this capability in the private sector to find a way to integrate it into your strategic approach to using all of the levers of cyberpower that you have to achieve your national strategic objectives. So you would almost say, if they're not using it, why aren't they using it? Because it would make sense for them to do that. But the reason it's a question that's veiled in uncertainty is because India actually has quite a closed national security culture. And the way that I again, the way I sort of describe it. And again, this is very much because of my bias in that I'm from the uk, I'm in the uk and I've done a lot of research on US statecraft as well. So I think of the US as being out there at one end of the spectrum of national security openness, both by accident and design. So there is a more open culture of transparency, of democratic oversight, at least historically or until recent times, a sort of an adversarial relationship between Congress and the executive. So you get congressional oversight revealing interesting information. You just have the outside numbers.

A

They love talking to the New York Times every time they do something. Right. Which is actually super useful for the rest of us.

C

Yeah. So you have two things, right. You have the government using the newspapers of record and increasingly other outlets as well. And there's some really good cyber security reporting. So the government will use that instrumentally, whether that's in a coherent way or in different actors within the system saying what they want to say to different journalists. But if you flip that, actually, the reason for that is that you just have a. A really rich culture of vigorous reporting on national security issues, including intelligence and cyber. And that's just not something that is replicated in a lot of countries. So that's the us and you also just have thousands of people who have security clearance. So that is a problem in its own way, that creates other vectors for openness, like Mr. Snowden. So then you have the UK, which is not like the US. It is a more closed national security culture. It's more open over the last 10, 15 years than it was in the past. You have examples like the National Cyber Forces, Responsible Cyber Power in Practice paper, which is a pretty unusual document that they get, or should get kudos for releasing. Then I would say you've got India, and this is a very loose spectrum. But for India, I would say India is more like the way the UK was just 15, 20 years ago. It is a more closed national security culture. They're more reserved about revealing national security information. There is media reporting about it. But I would say that Indian reporters who cover this beat have a harder job than their counterparts in the us. I think would be fair to say.

A

They are in a different strategic environment, though they are effectively in not necessarily a cold war, but they have regional enemies who do shoot at them every now and then. And it's not like the US is sort of a hegemon alone. Like they can. They can do whatever they want because no one's going to Touch them. Whereas I think if India, like, it does make sense that you would see a more closed approach to things, similar to how things were when the west was, like, facing the same sort of existential threats.

C

Yeah, no, that's right. I'm not saying they're wrong to do it. I'm just saying it is a striking feature of trying to make sense of India's cyber statecraft from the outside, because they are more reserved and as you say, they have reasons to be more reserved as well.

B

I was just wondering that if it weren't for that culture of U.S. transparency, whether you would look back and say that the US was a cyberpower at all. And as you were talking before, I was thinking about Australia and everyone in the field sort of thinks of Australia as a cyber middle power, maybe. But if you look at what we've actually done, there's sort of absolutely nothing that you would say where we'd really.

A

Here's how they've established themselves on the totem pole as this high and this confident.

B

I was thinking more in terms of achieving state strategic goals with cyber. That's just not something we do. And so when you look at the countries that I think do, you've sort of got this rogues gallery of Iran, North Korea, Russia to some extent, and maybe not even Israel. And so I wouldn't call India a rogue. It plays by the rules and it seems to want to accept the international order and work within it, whereas those other countries seem to reject the international order. And so maybe cyber's just not that good if you're playing by the rules.

C

I mean, that's interesting. I mean, definitely. I was just to very briefly pick up on your comment about Australia. Like, literally yesterday in the classroom, I was saying that Australia was a good example of cyber sort of law enforcement capabilities and a sort of a proactive turn in the way that Australia is approaching cybercriminals. And I think that's something very striking and I think that's something that other countries have noticed as a shift in Australia's approach to using cyber instruments to pursue national strategic objectives. And pursuing cybercrime. Definitely, I think, counts as a national strategic objective. Yeah. It's certainly true that India has. I wouldn't say it was a status quo bias in terms of its approach to the international system. I think they are keen to see reform, keen to see the international system working better for states like India than it has hitherto, but to do that in a multilateral context. So cyber diplomacy is important. You're respecting the Multilateral processes is important.

B

So one of the things that both GRAC and I were really interested in is how come China we would call a cyber power, and India we would not. And is there any prospect that that will change?

C

Yeah, again, great questions. I mean, I think the, on the last question, because it's more about sort of forecasting into the future and what time horizon you sort of put on, felt to me in the research that we did that there was an elevated sense of urgency and priority behind this wider process in India of building those capabilities faster and driven by concern about China. So I think that is a process that if you project 10 years into the future, what does that look like? And it probably doesn't look like projecting an assumption based on the 10 years prior to that and assuming a similar trajectory. So I think we could well see India as a more effective user of cyber capabilities in its Cyber statecraft in 10 years time. Obviously with all of the same caveats about precisely how and what we see and how to interpret it and the fact that there are these different institutional actors. And then this question mark essentially about the relationship between the state and private sector actors. On the first question about China as a cyberpower and India as a cyberpower, I think on the one hand you have a pattern of global activity for China. China is clearly doing more in more places. And to the extent that we can make this contrast, given that there's a lot we don't know about India, it does seem to have more of a risk appetite. So if you're looking at all of the stories about pre positioning on infrastructure, you're looking at all of the stories about really significant hacks for espionage. These are cases that we know more about. It's a pattern of activity that just seems to be much larger. What are some of the biases maybe in the reporting? Is it that, for example, the sorts of targets that would align with what we know about Chinese strategy are targets that we are likely to have evidence in Western cyber threat intelligence reporting about. So that is very definitely a possibility. Whereas if you apply the strategic logic that we were talking about earlier, you might expect India to be interested in targets in China and you are not going to have that visibility because Western companies are not going to have the contracts to, you know, to clean those up when, when they happen. There is some Chinese threat intelligence reporting on, again, essentially in Indian threat activity. But again, actually that is very carefully worded and obviously they are operating in a national context where I suppose those reports are very carefully edited about what they say Publicly, for obvious reasons.

A

They're political documents, not necessarily technical documents.

C

Yeah, I mean, to an extent, I suppose all published, all of them are threat intelligence. Yeah, it is. But the equities or the influences are obviously different according to different contexts. So I think that could well be a factor. And that's one of the things that makes it hard to come up with a precise judgment about it. But the broader trends, the broader pattern I think is something that I think we can say fairly confidently.

A

So one of the things I was wondering about just on this topic is that China became good at cyber because it was trying to do like it has this long history of state espionage for industrial espionage stuff. Right. So they wanted to become a manufacturing powerhouse. They wanted to have sort of their own brands and their own skills in that. So a lot of their cyber activity was targeted very much on advancing state interests within that domain. And I wonder if maybe part of the issue is that India doesn't have a similar motivation. They didn't sit down in 2000 or 95 or whenever it was and say let's steal all the stuff from the US and build our own manufacturing arm and beat them at their own game. And to a degree it seems to me that China's more aggressive cyber stuff now is the fruit of all of that industrial espionage skill that was developed by the state purpose of there's a very clear reason they were doing it and it wasn't about having better espionage and better pre positioning and more cyber capabilities. It was like let's make us rich. And then they as a side effect developed these capabilities where it's like, well now let's use this as well elsewhere. And I'm wondering if maybe it's like there was a political will and therefore it happened. And I wonder if maybe India just hasn't had that same will because they just didn't have the same set of motivators.

C

Yeah, I mean, so I think the motivations clearly were different and the political system is clearly different. And I think that has to be a factor as well. From what I understand it, and this is me reading the work of others, this isn't my research, but I think that there is a sense in the literature that if you go back 25 years, 20 years, China perceives a severe relational weakness in cyberpower between it and especially the United States. And I think it's out of a perceived and correctly perceived sense that the US was much superior in cyberspace, that there is this crash course effort to try to close that gap because that.

A

We must not allow there to be a cyber gap.

C

You can see why that's consistent with wider national strategy. So I do think that that effort in large part was motivated by a sense of we are not where we should be in relation to the competitors of the future, and that is a problem. So let's fix that problem and do it as quickly as we can. And the situation for India is obviously different.

A

Well, yeah, but as I was going to say, that should now apply to India when they can now look at the comparative differences and say, okay, we are not where we should be in order to have cyber parity with one of our regional strategic frenemies. And one would assume that they're just going to get better now out of necessity. Like, this is the thing that we were talking about earlier. Just, they've got so much latent talent, they have so much skill, and it feels like they fumbled the ball rather than like it's how come it didn't happen. They had all the ingredients right there for so long, and it's just. It seems to have never actually emerged. I mean, maybe it has and they just, they're sitting on it, not ever using it.

C

So that's the thing about the ambiguity, isn't it? So in a sense, you don't know, maybe there is this capability to hold Chinese infrastructure at threat. Maybe there is that prepositioning that is sort of symmetrical to what you see with China. But if there is, we don't see it. Or maybe that is an aspiration and they're not there yet and sort of either, actually, I think could be consistent with, with what we know to date. But I think it would be reasonable to expect, I guess, that if there is this programmatic effort to improve fast over the next five, 10 years, that that question might be a bit easier to answer in time. But with the same caveat sort of applied to. There are reasons why we might just have less visibility over that kind of hypothetical Indian cyber activity, because it would just be directed at targets that it would just be easier from a Western context to be able to see Chinese activity against US targets, say, than any Indian activity against a Chinese target.

A

I mean, I still think that in order to be a cyberpower, you have to practice. Cyber capability is not a thing that you develop and then warehouse for the day that you need it. It's a set of skills that people have and they maintain those skills by practice. And you can't do all of your practice on the training field or in a cyber range. That's obviously important, but that's not real world. In the same way, sometimes you have problems that you actually can't solve, and sometimes you'll have vague things like the box that you hack into turns out to be the one box that they're decommissioning that afternoon. Things that happen and you just need to learn by doing. Which to me means that there'd have to be enough activity, given the size of the country, like, they'd have to be doing enough, like, cyber activity that there would be something like it. I just, I find it very implausible to be a cyberpower and have absolutely no footprint.

C

So I think, yeah, I mean, that's certainly true. I mean, in the military context, you would expect there to be like more. More experience over time in the cyber defense mission and in the intelligence mission than you would offensively, just because you obviously have to do those two perpetually all the time. And then therefore, on the civilian institutional side, you could assume that there was more experience of conducting operations because there are operations under that threshold. And it's not the case that people looking at the war in Ukraine and looking at the use of cyber in wartime operationally separate from the utility of intelligence. That is a context that doesn't apply for India's armed forces, whereas that sort of sub threshold context does apply every day to civilian institutions that conduct cyber operations. So, yeah, it's a reasonable assumption that there are different levels of maturity because there are different opportunities to practice. So even if, and I think it's a reasonable assumption because they're the armed forces, the India's armed forces have a larger cyber workforce institutionally because there are just more people. That doesn't necessarily translate into more cyber maturity in operations because actually it might just be that different institutional actors have a different tempo of daily activity. Yeah, I think that's definitely pretty persuasive.

B

One of the other things I was wondering about India's history as a kind of exporter of spyware and surveillance services. So there have been a couple of fairly influential, like surveillance or cyber espionage as a service companies that have come out of India. And I think it was an Atlantic Council report, they looked at the hotbeds of those kinds of vendors, and the US was in there, but also Israel, India and Italy. And I was wondering if you had any thoughts about why India. So to me, it seems like the reasons that India is a latent cyber superpower is that lots of people, lots of talent, good education system, lots of technological companies, and it seems to have expressed itself in that kind of dark industry. But Is there anything more to that?

C

That would be my interpretation too, that the existence of that burgeoning activity that is clearly kind of globally competitive is the flip side of having such a vibrant sort of IT services and IT skills context in your country. I don't think, and even actually for, I suppose, cases that have been written about more. So Israel is the obvious example with NSO Group and other companies that people make the argument that these companies have been an instrument that has been useful at various times in creating diplomatic opportunities for the government. But I absolutely don't think that if you track the historical evolution of that market, that is not why those companies took off. Like, I don't think it was sort of a strategically directed sense of, oh, this could be a great strategic instrument for us in our diplomacy. Like, that's not.

A

I don't think that's finally, finally an inroad to Uzbekistan.

C

Great. So I think, and similarly, you know, as for India, and obviously with the caveats that it's like, it seems to be quite difficult, doesn't it, for people to report on, on, on, on this industry in terms of sort of legal challenges to reporting and what have you. So it is, it is a pretty tricky context, but I think it is reasonable to. Yeah, this is private sector sort of innovation, but given that that tells you that there is this latent cyberpower, it sits in a different sector, but it clearly would be possible to use that to your advantage as a state. And just the questions there are just about how that would be done, how open it would be, and the answer, I guess, is not very. So, yeah, I think that potential is there for sure.

B

Great, Thanks a lot. Joe Devanny, senior lecturer from King's College for that. That was fascinating and it was great to have you on.

C

Thank you very much. I really enjoyed it.

A

Thanks for coming.