<< The first comprehensive study on cyber security and information warfare was undertaken in India in 2002. Ten years after, India has no National Cyber Security Policy. This article recommends a course of action in this regard and suggests ways to sustain it >>
Enough has been written about the imminent threat of cyber war; however, to India’s peril, it is still considered a distant probability and has still not received attention. The many ‘wakeup’ calls have gone unattended and India is woefully unprepared. Our visual media, which has been very active in recent months on political and social issues, has chosen to stay silent on this vital issue which can threaten the existence and stability of the nation.
Attacks in 2013
As reported, the frequency of attacks has increased in 2013. The onslaught on the South Korean banking systems on March 20 is a manifestation of the mayhem, destruction and lack of public confidence that these can cause. The US Department of Homeland Security recently announced that an American power station, which it did not name, was crippled for weeks by cyber attacks. In January 2013, The New York Times reported that it had been struck, for more than four months, by a cyber attack emanating from China. The Wall Street Journal and The Washington Post reported similar attacks on their systems especially when they published some articles considered anti-Chinese.
On March 13, DNA had a report, ‘India’s secrets are in Guangdong’. The report went on to say, “A successful Chinese hacking attack has caused what is arguably the biggest security breach in India with systems of hundreds of key DRDO and other security officials being compromised and leading to the leak of sensitive files related to the cabinet committee on security (CCS), the highest decision-making body for security issues of the government of India. The other stolen files recovered so far belong to the governments of the United States, Russia and South Korea. The leak was detected in the first week of March as officials from India’s technical intelligence wing, National Technical Research Organisation (NTRO), working with private Indian cyber security experts cracked open a file called “army cyber policy”. The file had been attached to hacked email accounts of senior DRDO officials that quickly spread through the system in a matter of seconds.”
All this is merely the proverbial ‘tip of the iceberg’. Anyone in the cyber world would know that for espionage to be successful, it must never be detected. Being lulled into a false sense of confidence in a system is possibly the biggest vulnerability. Such naiveté is anathema in today’s environment. While hackers, industrial spying and cyber crime are part of everyday life, the difference comes when nation states use them as a means of war.
Changing Nature of War
The 21st century has seen its transformation from fourth to fifth generation in the cyber domain. With competition over resources and markets, nations will use cywar’s potential to secure national interests. Cywar forms a part of Information Warfare (IW) which extends to every form of media and inter alia includes aspects of propaganda and perception management. Cyber, though technically restricted to the internet, is now increasingly linked by convergence to every communication device. With greater connectivity, this divide is narrowing and every citizen or aspect of life is vulnerable. It is also a vital constituent of ‘No Contact War’ (NCW). The scope for reach and exploitation by inimical elements ranging from innocent hackers to criminals, terrorists, non-state actors as also nation states is thus unlimited. The damage could be immense and many countries are pressing ahead and taking steps to build capacities for defending themselves as also taking offensive action in cyberspace.
The Institute of Defence Studies and Analyses published a seminal report in March 2012 titled India’s Cyber Security Challenge. The report undertook a holistic survey and having identified the all-encompassing nature of the threat, made cogent recommendations. Amongst others, it emphasised that this was a challenge which could only be met by public-private partnership. National Security Advisor Shiv Shankar Menon mentioned in January this year that the National Security Council (NSC), the nodal agency of the Government of India, had approved the architecture in principle.
The first comprehensive study of cyber security and IW was undertaken by the NSC in 2002. Amongst others, this led to the creation of NTRO. Eleven years have gone by, yet a National Cyber Security Policy (NCSP) or doctrine has not been issued. Dependency on the internet has increased exponentially with resultant enhancement in threat. Cyber war looms and means to counter it or take pro-active action are still unclear.
The USA in 2010 was the first country to formally declare cyber as the fifth domain of warfare after land, sea, air and space. They have also formally classified its use as a ‘force’, a euphemism for offensive capability. The Chinese adopted the concept of ‘informationalisation’ in the mid-90s and have relentlessly built up structures and operations in this domain. Consequent to the raising of the US Cyber Command (USCYBERCOM), South Korea created a Cyber Warfare Command in December 2009. This was also in response to North Korea’s creation of cyber warfare units. The British Government Communications Headquarters (GCHQ) has begun preparing a cyber force, as has France. The Russians have actively been pursuing cyber war. In 2010, China overtly introduced its first department dedicated to defensive cyber war and information security in response to the creation of USCYBERCOM. The race is thus on.
At a Cyber Security Summit held in October 2012 at Delhi, Lt Gen Harry Raduege, USAF (Retd), elaborated on how the USA had set up USCYBERCOM. He explained that with the democratic process, legal stipulations, norms of privacy laws – building such structures took over a decade. Cywar being a grey area, specific details are not available; however, what is evident is that the USA is taking determined steps in this regard. The New York Times in February 2013 reported, “A secret review based on America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the US detects credible evidence of a major digital attack looming from abroad”. It further elaborates, “That decision is amongst others several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules on how the military can defend, retaliate, against a major cyber attack. New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the US and, if the president approves, attack adversaries by injecting them with destructive code – even if there is no declared war.”
These rules are highly classified and similar to those governing drone strikes. It was reported that these have come about as a result of greatly increased cyber attacks on American companies and critical infrastructure. China has been mentioned as the main threat. The implications of such statements are ominous and need to be taken note of.
The Indian Scenario
India in the current geo-strategic environment is a target and incidents of sensitive government and military computers being attacked and information stolen are on the increase. There is enough evidence to suggest that this is the result of actions of nation states either directly or through proxies. The draft NCSP published in 2011 mainly covers defensive and response measures and makes no mention of the need to develop offensive capacity. A report in the Business Standard on March 19, 2013 mentions that it is under issue. This is a necessity if India is to ensure capability for self defence granted under Article 51 of the UN Charter. It thus leads to the question: what is cyber war?
There is no formal definition. It could be defined as “actions by a nation-state or its proxies to penetrate another nation’s computers or networks for the purposes of espionage, causing damage or disruption.” These hostile actions against a computer system or networks (NWs) can take two forms. The first is cyberexploitation, which in a manner is non-destructive and includes espionage. Cyberexploitation is usually clandestine and conducted with the smallest possible intervention. It does not seek to disturb the normal functioning of a computer system or NW. The other actions are those which are destructive in nature. These could be deliberate acts of vandalism or sabotage – perhaps over an extended period of time – to alter, disrupt, deceive, degrade or destroy an adversary’s computer systems or NWs or the information and programmes resident in or transiting these systems or NWs. For easier understanding, the domains of cyber war could broadly be classified as:-
- Espionage: Intelligence gathering and data theft. Examples of this were Titan Rain & Moonlight Maze. These activities could be by criminals, terrorists or nations as part of normal information gathering or security monitoring.
- Vandalism: Defacing web pages, or using distributed denial of service (DDoS) attacks to take them down. Such actions were evident in Estonia or Georgia.
- Sabotage: This has the most serious implications and includes DDoS, destruction of data, insertion of malware and logic bombs. It also encompasses actions in war such as those taken for preparation of the battlefield. Stuxnet is a recent example.
According to Spy Ops, by the end of 2008, nearly 140 countries possessed varying degrees of cyber attack capabilities. In addition, an unknown number of extremist groups and ‘Non-state actors’ have developed or acquired cyber weapons. Some commercially available products are flexible enough to be classified as dual purpose – security testing tools and weapons of attack. Each nation works on its own. An assessment of cyber warfare threat matrix by the USA which covered over 175 countries and organisations made a watch list in which the top ten in order of priority were – China; Russian Business NW; Iran; Russia tied with France; Extremist/Terrorist Groups; Israel; North Korea; Japan; Turkey and Pakistan.
India on its growth path is vulnerable, under serious threat and constant attack. All institutions and organs of the state along with the private sector must therefore jointly work to counter this challenge. All this has to be coordinated under the aegis of the NSC. Within this, lead agencies for executing offensive cyber operations inter alia could be the NTRO, CIDS and the DRDO.
Defining Objectives and Doctrine:
Application of such measures must be in accordance with clearly defined objectives which would be in keeping with customary international law and practice. The primary objective would be to garner knowledge to find how systems are breached and thus provide the ability for defensive measures to be developed and put in place. The further argument is that it must be visible as an armour of self defence so as to deter an attack. While this capability will be ambiguous, subtle signals and clear definition of objectives will lend credibility. Moral arguments stand thin in face of realities. There is therefore a need to lay down the objectives and include them in the NCSP or issue a doctrine in this regard.
Proactive Cyber Defence: These constitute actions taken in anticipation to prevent attack. As opposed to the current practice of passive defence, it provides a via media between purely offensive and defensive action; interdicting and disrupting an attack, or an adversary’s preparation to attack, either pre-emptively or in self-defence. The most compelling reasons for a proactive defence can be couched in terms of cost and choice. Decision makers will have a few choices after an impact and all of them are costly to start with. Proactive defence is thus the key to mitigating operational risk. The USA had set up a ‘Proactive Pre-emptive Operations Group’ (P2OG) in 2002. Such actions thus find international acceptability.
Critical Infrastructure: Section 70 of the IT Act lays down the need to protect critical infrastructure security. National Critical Information Infrastructure Protection Centre (NCIIPC), under NTRO is being declared as the nodal agency for the protection of Critical Information Infrastructure of India; and issue of Gazette notification is underway. This needs greater speed in implementation.
Legal Provisions: The IT Act of 2008 covers all actions in this domain and there is a need to work within these provisions. The Law of Armed Conflict (LOAC) provides the primary legal framework within which one can analyse constraints for offensive cyber operations. Immunity for actions taken against another nation, institutions, hostile group or individual is possible within the realm of LOAC or for self-defence under Article 51 of the UN Charter. The cyber domain with scope of non-attributable actions as also ease of deniability provides immense scope for exploitation. So far, there are no international cyber laws or treaties and the Tallinn Manual on International Law Applicable to Cyber Warfare, 2013 seeks to define a cyber war code. Though not an official document, it reflects the opinion of 20 researchers and practitioners of international law and was commissioned by NATO. It is the beginning of a deliberate process which would eventually produce an electronic version of the Geneva Conventions. What is evident from The New York Times report quoted above is that nations can authorise protection in this regard.
War Situation: While cyber war is an ongoing activity during peacetime, there is an urgent and dire need to develop this capacity for a warlike situation. It will form an essential part of preparation of the battlefield in any future conflict. Such attacks may also precede the kinetic war. As explained, building this capability will take time and must remain covert and ambiguous. It could also form part of the strategic deception process. This should be the responsibility of the Armed Forces (HQ IDS) along with the DRDO and other experts. Detailed discussions and consultations in this regard require to be initiated.
Raising of Cyber Command: India must raise a Cyber Command. This will comprise not only the three services but personnel from the DRDO, scientific and technological community. It could function within the space command as many aspects overlap and would economise on resources. It will oversee all activities undertaken during peace time and also plan for offensive cyber operations as required to include preparation of the battlefield. It must work in close concert with the NTRO. To determine the structure, it would be prudent to study the mission and objectives of USCYBERCOM.
Cyber Command Structure for India: The US evolved its structure based on experience as also that it functions as an open democracy. India already has the Strategic Forces Command which could be augmented by both the Space and Cyberspace Wings. These may be of smaller size to start with and will develop in accordance with threats and needs. Each service has its own requirements; the structure therefore has to be need based and flexible. The various elements of this could be:-
- Army, Navy and Air Force CERTs. They could also be charged with protection of critical infrastructure of each service. The structure thus envisages a Defence CERT.
- Intelligence and information operations. A Defence Intelligence Agency exists under HQ IDS.
- Defence communication NWs.
- Cyber operations which are required for preparation of the battlefield. This again would be a tri-service organisation with additional experts from the DRDO or any other such institution. This would include R&D.
- Territorial Army (TA) Battalions for Cywar. While cyber war is ongoing, there are periods of heightened threat. There is therefore a need to create and maintain a ‘surge capacity’ for crisis or warlike situations. Young IT professionals constitute a vast resource base and a large number would be willing to loyally serve the nation when required. This resource must be capitalised by raising cywar TA battalions similar to those for Railways and ONGC which could be embodied when required. In addition to purely ‘defence’ requirements, these could also provide for protection of critical infrastructure.
- Perception Management and Social NWs. In the current age of ‘democratisation’ or instant availability of information and growth of social NWs, there is tremendous scope for perception management and manipulation of information. 2011 saw its extensive use during the ‘Arab Spring’ and London Riots. Post the Bodoland agitations in August 2012, the mass exodus of Northeasterners from different parts of India was driven by this. It therefore must be seen as a potential tool for psychological and NCW, and form a part of any offensive or defensive action.
Capacity building is vital. It must also be sustainable and of larger benefit. There is a need to create a R&D base and institutions.
Growth forecasts of internet usage, especially with e-governance, will create employment potential for ‘Cyber Doctors’ and sleuths. Just as 26/11 created a whole new dimension of requirement of physical security, protection of internet usage and transactions will create millions of jobs in the near future. It will be a seller’s market for which India, with its human resource (HR) base, must be ready. Consequently, the government must accelerate this process. Some thoughts in this regard are:-
- Partnerships: India cannot do it alone. Various past attempts have not been of much success. It has to be seen as a global issue and capacities developed.
- HR and R&D: The Dept of IT has set up the Information Security Education and Awareness Programme. Other options include the Chinese models. They set up four universities in 1999. Security of data for the BPO industry has brought up the necessity for such institutions. Talent spotting with competitions is an easy option. Programmes and competitions such as ‘Cyber Patriot’ in USA need to be followed up in schools and educational institutions. These could be self financed. Army Training Command as also the other two services must take the lead in partnership with the private sector.
- Testing and Certification: The outsourcing model has affected testing and certification. Hardware and HR in this regard has to be Indian. This can then be adapted for pro-active defence.
- Innovation: The key in the internet is innovation. Funding in this regard should not be a problem. Here too, the PPP model needs to be exploited.
- Language Training: HR trained in language of our potential adversaries is a must. This must be provided suitable incentives and permanence of employment.
- Legal Capital: Legal aspects of developing capacities, understanding use of cyber as a ‘force,’ implications of the UN Charter, negotiating international laws and treaties, all need trained personnel.
- Understanding Vulnerabilities: Study of vulnerabilities both of own systems as also those of our potential adversaries must be undertaken to prevent intrusion and exploit weaknesses.
- Identification of Technologies: There is a need to identify technologies in this regard. These should also include isolation of NWs within the country, close monitoring of gateways and backbone, identification of ‘zero day’ vulnerabilities, protection of power grids, secure communications for defence and critical services, penetration et al.
Understanding the threat of cyber war and developing capacity for offensive actions in this domain is a sine qua non. Nations, non-state actors, terrorist groups and individuals pose a challenge to growth which is increasingly going to be dependent on the cyber domain. Cyber war will also be central to any hostile or conflict situation. Clearly defined objectives and national doctrine in this regard along with supporting structures and matching capabilities are thus essential. Does this have to be driven by a cyber 26/11 or can India wake up?