The enduring nature of the India-Pakistan rivalry and repeated conflicts create new avenues for increasing competition in cyberspace. While cyber-attacks remain limited in scale, cyber weapons can potentially drive escalation dynamics between nuclear-armed rivals. The absence of consistent dialogue and an inability to define cyberspace norms can have dangerous implications for regional stability, making it imperative for both states to address the future of their cyber-relationship. India and Pakistan can rely only on deterring each other, which may result in a cyber arms race leading to regional strategic instability, or can concurrently engage in CBMs to bolster deterrence and stability.
Both India and Pakistan are rapidly moving towards digitalization. Such a trend toward digitalization is a double-edged sword. On the one hand, it stimulates economic growth, opening new avenues and possibilities for a state and its populace. On the other hand, it increases vulnerabilities to cyber threats. To address cyber risks, states strengthen their cybersecurity and enhance their offensive capabilities. In a regional dyad – consisting of two nuclear adversaries – the absence of any cyber norms can result in a cyber arms race. Pakistan and India can take two pathways – deterrence or CBMs – to define their cyber relationship. However, because of the challenges posed by employing deterrence in cyberspace, it will be advantageous for India and Pakistan to engage more vociferously in cyber CBMs.
Cyber Deterrence and CBMs
Cyber deterrence aims to prevent an adversary’s threatening actions in cyberspace through the threat of punishment, denial by defense, entanglement, and normative taboos. Scholars have considered deterrence by the threat of retaliation as the best possible course of dissuading an adversary. However, given the difficulties of ascertaining attribution in cyberspace, retaliating against cyber-attacks becomes challenging.
Deterrence by denial can play an important role in the cyber domain. If a state has better defense capabilities and an edge over its adversary, the adversary may be dissuaded from taking offensive measures. While the concept of deterrence in cyberspace is less nuanced than in the nuclear sphere, lessons on the importance of CBMs to bolster deterrence are pertinent.
The less nuanced nature of deterrence in cyberspace compared to the nuclear domain has initiated scholarly debates about whether such deterrence can succeed. Cyber deterrence, however, cannot fulfill the three Cs of nuclear deterrence, i.e., capability, credibility, and communication.
Attribution is another major problem in the case of cyberattacks. Successful attribution is an important prerequisite for deterrence. In the nuclear domain, states typically demonstrate their capabilities by testing weapons or organizing military parades, which is impossible in cyberspace. Similarly, the bleak possibility of communication of capabilities to the adversary thickens the fog of war. States will have every reason to doubt the accuracy of their adversary’s stated cyber capabilities.
It is, therefore, imperative for Pakistan and India to constructively engage in the cyber domain to safeguard their strategic assets. It will also help in starting a dialogue that has been at an impasse. Pursuing phased cyber CBMs can be more beneficial for both countries because of the challenges posed by cyber deterrence.
According to some reports, four types of such CBMs can be developed by states to establish mutual trust and stability – collaboration, crisis management, restraint, and engagement.
Through collaboration, states can jointly solve issues in cyberspace by policing compliance with established best community practices, conducting joint international investigations into cyber incidents, and applying concepts from international environmental law to cyberspace. Options for crisis management in cyberspace include functional alignment of cyber crisis response teams, a bilateral cyber hotline, and multilateral cyber adjudication and attribution councils. Restraint can be achieved by limiting target selection and applying legal or political neutrality status for selecting cyber ‘safe havens’ before and during a conflict. Engagement-focused CBMs are based on establishing an organization that will enable technically proficient and unaffiliated actors to use their expertise to safeguard crucial cyberspace areas.
Some of the possible CBMs in this regard are identified below.
Policy Recommendations
Creating a Joint Probing Committee: In a crisis, both sides can attribute a cyberattack to the other without any verifiable proof. The growing importance of cyberweapons in India and Pakistan’s kinetic escalation can be seen in reports showing increased malware and phishing attacks during the Pulwama-Balakot crisis. Attributing the blame for a cyberattack remains a key global challenge. If New Delhi and Islamabad are serious about preventing inadvertent escalation, creating a Joint Probing Committee of experts from both sides can help mitigate crises. However, both sides will be wary of providing transparency into their cyber security infrastructures. Negotiating such measures could be a non-starter at the Track I level. As a first step, India and Pakistan can nominate their former officials and trusted experts to engage on Track II with a clear mandate to offer mutually workable solutions.
Establishing a Cyber Hotline: Islamabad and New Delhi can establish another hotline – in addition to the already existing DGMO hotline – to discuss any urgent cyber-related matter. A similar initiative was taken to establish a hotline between the Foreign Secretaries, but that did not take root for either technical or political reasons. This checkered history should not deter both sides from proactively examining outstanding issues. The cyber hotline should be used regularly and not relegated to the sidelines as the other two hotlines have been. The cyber hotline could be established between Pakistan’s Interior Secretary and their Indian counterpart.
Avoiding Critical Infrastructure: India and Pakistan’s bilateral Non-Nuclear Aggression Agreement, which entered into force in January 1991, bars the two countries from attacking each other’s nuclear installations. Even during the worst of crises, both states have never failed to exchange the list of their installations every January 1st. Both countries can identify critical infrastructures related to economic, energy, financial, and security apparatus and pledge not to attack these.
Aspiring for peace in the subcontinent requires common interest and political will. However, the current environment between India and Pakistan does not seem appetizing for CBMs that could be considered low-hanging fruit. India has ceased substantive strategic dialogue with Pakistan and spurned efforts to build a strategic restraint regime. There is a sense of ‘CBM fatigue’ in Pakistan. Further, Pakistani policymakers see the growing US-India strategic partnership as hurting strategic stability in South Asia. The international environment is also dismal. All technologically advanced states are building their cyber offensive capabilities in the garb of defense. Efforts in the UN General Assembly and elsewhere have been inconclusive.
India and Pakistan can take the lead in building cyber security CBMs for the world to follow. A possible way forward in this situation is identifying areas of convergence between Islamabad and New Delhi, opening avenues of communication, with all stakeholders sharing the burden of this responsibility. Cyber CBMs can help ensure regional stability, paving the way for cooperation and trust-building between Pakistan and India.
This article has been published in another form at https://southasianvoices.org/cyber-deterrence-and-confidence-building-between-pakistan-and-india/
Abdul Moiz Khan
Abdul Moiz Khan is currently working as a research officer at the Center for International Strategic Studies (CISS), Islamabad.