15 January 2021, NIICE Commentary 6710
Harish S Nalawade
South Asian countries have shown robust economic growth and development in recent years, and hold a likewise prospect in future. Home to nearly one-fifth of humanity, the South Asian nations – comprising of Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan, Sri Lanka as well as Afghanistan – have been rapidly embracing Information and Communication Technologies (ICTs), and decisively marching towards a digital transformation, whether it is through Digital Nepal Framework, Digital India initiative, Digital Pakistan vision, etc. The governance, service deliveries, businesses, commerce, trade, banking, financial transactions, and citizens are now increasingly adopting ICTs.
Cyber Vulnerabilities of South Asia
The South Asian nations have been laggard in adopting cybersecurity components in their digitization efforts. Consequently, the South Asian ICT infrastructures are vulnerable to a wide range of cyber incidents. For instance, India witnessed a serious security breach of its Aadhar-based biometric system in 2018, compromising the data of its citizens. The region is also home to one of the highest malwares-affected computers in the world. According to the Malware Infection Index (2016) released by Microsoft, Pakistan, Bangladesh, Nepal, India and Sri Lanka were the top countries exposed to malware threats in the Asia-Pacific markets. Some of the most recent and pronounced cyber-attacks in these countries with ramifications of crumbling the economies and political institutions are listed in the table.
Geopolitical Implications of Cybersecurity
As much as these incidents seem to be matters of domestic concerns, the cyber-attacks have transnational characters too. The South Asian countries, similar to global cyber events, are also prone to cyberespionage worsening the existing wariness between the nations. The traditional geo-political rivals of Pakistan and India have on numerous occasions implicated each other for causing cybersecurity breaches of their respective governmental and military establishments. The cyber-attacks and following implications have also affected the relations between other nations in the region. When Nepal released a new political map constituting Lipulekh, Limpiyadhura and Kalapani, there were cyber-attacks on the government website of Botanical Research Center in Nepal towards the end of May 2020, which was claimed by the Indian Cyber Troops. It was then followed by a retaliation from the Twitter users of Brahma and Satan, who are believed to be of Nepali origin. In another incident earlier in May 2020, the Maldivian government websites of the Health Ministry and Health Protection Agency were hacked, which was claimed by Guy Fawkes apparently dissatisfied for developing close ties with the Indian government and to send out a message to formulate policies that would benefit the local Maldivian population.
Furthermore, every country intends to protect what it regards as the critical infrastructure, that includes banking, healthcare, energy, etc., which are especially concerning because compromises on these functions can be devastating and can collapse the nations. In fact, there have been strides of cooperation and thorough integration of South Asian countries. Now for instance, an integrated South Asian electricity grid is being contemplated, and if that materializes, any cyber-attack on this critical infrastructure can jeopardize energy security of the entire South Asia, subverting even the cordial relations of the countries.
Attributes of Cybersecurity
The unique characteristics of the cyber incidents can exacerbate these vulnerabilities. In the sense, the cyber-attacks are perceptibly uncertain, sudden, ambiguous and attribution can pose serious challenges. Oftentimes, the hackers mimic and divert the scenarios such that the perpetrators cannot be established with certainty. The perpetrators can be state actors (insider and otherwise), non-state actors, and as a matter of fact, the distinction between state and non-state actors also becomes blurred in the case of cyber-attacks. Neither the actors can be clearly distinguished, nor their motivations, as they can vary from sending out a message, causing harm, bringing down a regime, as well as starting a cyberwarfare.
Additionally, cybersecurity challenges have certain overlapping characteristics with nuclear security. According to Joseph Nye, like the nuclear threats, there is a superiority of offence over defense in the case of cyber-attacks, and that there are prospects for first and second use cases, possibilities of automated responses and the deployment and use of weapons for strategic purposes as a form of response to the activities of the other nations. Moreover, there is ambiguity in the international laws related to the armed conflict with regard to the cyber-attacks. For instance, if there are cyber-attacks from Pakistan against India, should that invite a just cause for India to go into a full-fledged war with Pakistan? Such a scenario can adversely affect the peace, security and prosperity of the region, which is already blemished with traditional security challenges, mutual distrust, disputes and antagonism. The cyber-attack sequel can even bring the countries to the verge of nuclear war, especially in the South Asian region which posits three nuclear-power countries, including China.
Way Forward
There have been evident advances within the countries to secure their cyberspaces. The nations have established Computer Emergency Response Teams (CERTs) internally, and to an extent they have been able to respond to the rising cybersecurity threats. However, an overarching effort at the regional level is missing. Therefore, situating cybersecurity in the South Asian context becomes imperative.
Confidence Building Measures need to be embodied in the South Asian region to reduce the tensions, and to develop an atmosphere of mutual trust and conviction with regard to cybersecurity. At the same time, the South Asian Association for Regional Cooperation (SAARC) that promotes dialogue and cooperation in the region, which is hindered on several occasions, needs to be revived. Cybersecurity is central to many of the discussions that occur at the ASEAN Regional Forum (ARF) and rightly so because it goes a long way to establish trust and confidence between the nations in southeast Asia. Similarly, in the South Asian context, the SAARC can play a key role in conceptualizing and formulating a similar forum where a regular exchange of dialogue occurs between the representatives of the nations on matters related to cybersecurity.
Cybersecurity strengthening efforts are also to be complemented by other diplomatic efforts in the region. Ultimately, the dialogue process is also salient to conceptualize governing principles on the matters of cybersecurity. This is even more pertinent, as the South Asian nations collectively share a dream of sovereignty, equality, territorial integrity, peace, security, stability, amity and progress in the region.