The Directorate of Indian Defence University organised a two-day Cyber Exercise (CyberEx) on April 29-30, 2019. The exercise had representation from the three Services, National Security Council Secretariat (NSCS), National Technical Research Organisation (NTRO), Computer Emergency Response Team-India (CERT-In), Defence Research and Development Organisation (DRDO), National Informatics Centre (NIC), academia and industry.1 The exercise encompassed incident reporting and response, information exchange, readiness and inter-agency coordination.
Cyber exercises are now a routine feature in military exercises and professional military education. Exercises such as those conducted by the US National Security Agency (NSA) called Cyber Exercise,2 the US Department of Defense’s Cyber Guard,3 and the NATO Cooperative Cyber Defence Centre of Excellence titled Locked Shields,4 test the skills of soldiers on a range of operations relating to cybersecurity, teamwork, planning, communication, and decision-making, to name a few. In general, cyber exercises help in assessing intangible organisational attributes such as strategic decision making, inter-agency coordination, incident response procedures and reporting guidelines, etc. as well as in evaluating the effectiveness of security processes and procedures, measuring attack detection, response, mitigation and recovery capabilities.
The cyber domain calls for a broad mandate for the armed forces, including defending their own networks and building capacity to exploit those of the adversary. In the military realm, cyber exercises serve multiple purposes. They test technical knowledge in the form of “catch the flag” challenges or train strategic thinkers on how to play the “cyber” card, using simulations, “live-fire” exercises and war gaming scenarios. In the “table-top” format, cyber exercises examine the efficacy of communications under cyber contingencies, which includes the collection and dissemination of incident information for enhanced situational awareness among stakeholders. Being simple and easy to convene, the table-top exercise format is a preferred choice, but it cannot simulate real-world decision-making experiences. Cyber exercises, at different levels, could be either technically oriented for network attack or strategy-oriented to provide a decision-making experience in a simulated environment. They have emerged as an important tool, especially when armed forces utilise cyberspace for a wide spectrum of operations, ranging from C4ISR, weapons control, logistics and supply chain management to various routine administrative functions.
Cyber exercises are both a means to test the preparedness of cyber formations and a signalling mechanism to strengthen deterrence in cyberspace. They are part and parcel of military training now. For instance, Cyber Defense Exercise, known as NSA Cyber Exercise, has been testing the skills of cadets and midshipmen of the US Service Academies since 2001. With a broader scope and mandate, the Cyber Guard and Cyber Flag exercises – led by the US Cyber Command and in their seventh edition now – put to test both whole-of-nation defence in a simulated disaster, as well as defensive and offensive capabilities of Cyber Command across all phases of conflict. In China, the People’s Liberation Army (PLA) is known to have cyber operations components in its various exercises since the Kuayue and Lianhe exercises in 2009 and 2011, respectively.5 The 2017 edition of the PLA’s largest exercise at Zhurihe involved land forces, aviation forces, the rocket force, and cyber and electronic warfare units from the Strategic Support Force.
CyberEx appears intended to catch up with these global advances and fill an existing void in India. There is no information in the public domain on cyber exercises conducted by any of the three services – individually or together – at this level. It is worth mentioning that cyber formations are relatively well-placed to conduct cyber exercises as they have the necessary mandate and wherewithal. CyberEx is an initiative under the aegis of the national defence university, while the exercises discussed above are driven by empowered civilian and military organisations and formations, be it cyber command, technical intelligence agency or strategic forces. Going forward, CyberEx may have to migrate from the Indian Defence University to the recently established Defence Cyber Agency (DCA). If, however, CyberEx has been envisaged as maintaining, and is intended to maintain, its present character under the auspices of the Indian Defence University, the DCA will have to initiate a concurrent cyber exercise in line with its mandate and technical competency.
In general, cyber exercises would prove to be much more relevant and constructive when the armed forces successfully integrate “cyber” with training, professional military education, military doctrine and, most importantly, war fighting. Nevertheless, the formidable challenge is to bring the cyber exercises of the Indian Armed Forces to the maturity level of international military cyber exercises, if not in terms of scope, at least in terms of content. The real test for cyber exercises, therefore, would be to mature as a simulation driven or live-fire exercise from the existing table-top format of CyberEx. It may continue to remain a table-top exercise primarily for senior officers, but a technical one may be productive in aggregating cyber operations, doctrine and strategy. It would be much more effective if the three services – independently as well as under the DCA – have technical and operations oriented cyber exercises, which complement CyberEx rather than being discrete endeavours.
A lot of effort goes into a Cyber Exercise, in terms of planning, human resources and strategic thinking. Building real world scenarios, simulating classified networks, designing catch-the-flag challenges, scenario controls etc., need months of meticulous planning. An annual or biennial cyber exercise warrants dedicated resources for the whole process, and substantial exposure to international cyber exercises. It cannot afford to remain an ad hoc military function or a tick-off in the checklist. Cyber exercises also require ardent support of the military leadership and enthusiasm among participants to make substantial improvements in each successive iteration. Likewise, cyber must be a part of the curriculum and war-gaming exercises at the war and staff colleges.
Down the road, a cyber exercise – whether CyberEx or its successor – should be developed as a platform for practitioners and thinkers to test their conceptual and technical skills under near-real-world whole-of-nation scenarios of cyber contingencies. Most importantly, it should be tri-Service-driven in terms of planning and not just participation or representation. A world-class cyber exercise is needed to demonstrate the true competence and prowess of the DCA. Together, the DCA and a joint cyber exercise on this scale would be an acknowledgement that India intends to maintain its freedom of action in cyberspace, whether the situation calls for a defensive or an offensive response.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.