<< The discovery of cyber weapons like Stuxnet and Flames demonstrated how a nation’s assets can be targeted or destroyed without indulging in any bloodshed. Call it cyber terror or cyber attack, the fact is that cyber world would play a decisive role in future wars. India too needs to prepare for the future >>
Seven F-15 aircraft of Israel Air Force entered into the Syrian airspace, destroyed an upcoming nuclear enrichment facility at Al-Kibar and returned home at Ramat David Airbase unhurt because Syrians did not fire a single shot in self defence. Syrian air-defence system had been infected by a malware designed by Israeli Signal Unit 8200 and the kill-switch was activated at the right time to subdue the Syrian airdefence network. This is not a fiction but part of Operation Orchard conducted by Israel in September 2007.
It was the first example of deft use of combination of cyber weapon with real-world war-machinery. Many skeptical people, who maintained that cyber weapon cannot lead to bloodshed, were proved wrong.
On November 12, 2011, Maj. Gen. Moghaddam, architect of Iran’s missile programme, was showing a new type of warhead for nuclear weapon capable missile Sejil 2 to a group of experts, at a site which is about 50 km from Tehran. Warhead was connected to a computer for simulation which was being watched on a big screen; but instead of simulation, the actual warhead went off, pulverising the site. Explosion was so powerful that it could be heard in Tehran. Initially, the Iranian government refused to accept that there was any such explosion, however, it later conceded that 17 officers of Revolutionary Guards lost their lives (though 36 funerals took place) in the blast. The site was damaged so badly that neither could anyone escape alive to narrate the incident nor any credible evidence could be obtained from it. Revolutionary Guards (IRGC) investigation pointed at two probabilities – infiltration by a Mossad operative; or computer controlling the missile was infected with a cyber weapon. The second probability was considered much more likely in view of the three well-known cyber infiltrations using cyber weapons – Stuxnet, Duqu and Flame (the three were used to stall Iran’s nuclear ambition). The incident is historic, probably because it was for the first time, a cyber weapon was used to cause real world explosion or kinetic attack. The involvement of the US in this cyber attack was later confirmed by Roger Cohen in The New York Times. He wrote that this attack was part of new US cyber and drone attack doctrine – Doctrine of Silence. In this case also, like Stuxnet attack, the US neither confirmed nor denied its involvement.
In view of the significant developments in weaponisation of cyberspace, the attack on Estonia in 2007, where government websites were defaced and many services denied to citizens, appear as Stone Age attack methods. Defacing causes least of the problems; website can be refreshed at the click of a button. Enhanced bandwidths and enormous processing powers through cloud computing has made Denial of Service (DoS) a retreating threat.
War and cyber war
To understand the real meaning of cyber war, it is necessary to understand the meaning of war and its import on governance and diplomacy. The British Parliamentary Committee in its report after Iraq war noted that war is a term that has both popular and legal connotations. Colloquially, war embraces conflicts between the armed forces of states and, occasionally, major internal conflicts such as the British or the American Civil Wars. War as a legal institution is a feature of both international and national law. In international law, the distinguishing characteristic of war is the legal equality of the belligerents and the special status of those states not taking part in the conflict (neutral states). The condition of war could be brought about by a declaration of war. Also, states could choose to regard a conflict between them as war and apply the legal rules accordingly, or neutrals could insist on respect of their rights. War as an institution of domestic law did require a declaration, made in the Monarch’s name by the Prime Minister, acting under the prerogative. This action triggered domestic consequences — nationals of the opponent state became ‘enemy aliens,’ liable to measures of restraint including detention, seizure of property and so on.
Unlike cyber crime which is a law enforcement issue, cyber war is a politico-military issue. Various international laws and treaties especially of Paris and also Charter of United Nations prohibit use of threat or use of force in international relations. Prior to these developments post 1945, declaration of war was a standard practice, but today no one officially declares war to the international community. However, internally a nation state has to declare war, whether limited in scope or a fullfledged one. This is necessary to activate appropriate structures; authorisation to force commanders to use Rules of Engagement (RoE) for conflict; activate provisions of War-Book; freezing of assets of enemy aliens; mobilisation of resources; suspension of local laws against the enlisted personnel engaged in war; and even enforcing emergency in a country. Thus a war whether declared or otherwise is a ‘structured-response’ to a conflict which is expected to result in subjugating an enemy to the will of a nation.
What constitutes an act of cyber war?
It is necessary to define what would constitute a cyber-attack serious enough to precipitate into politicomilitary counter offensive. For a country like India, it is important to define this line in an open stated policy so that in case of any military retaliation, the international community stands by it. However, defining this Lakshman Rekha is not easy. If the threshold is kept too low then breaches will become a norm and finding exception to those norms wherein counter offensive becomes necessary, in a transparent manner, would be difficult. And if the threshold is kept too high then a nation can be bled by thousand wounds rather than one massive attack and no formal retaliatory force can be used.
Another challenge is attribution. Cyber attack may appear to have originated from one or multiple countries but actual culprit may be a third country. In April 2012, National Informatics Centre (NIC) stated in a press meet that some unknown third country has used its servers to attack other countries including China. The statement had two immediate adverse impacts on our cyber war preparedness. First, it exposed our vulnerabilities to the outside world, that is, India does not have an ability to identify originating country. Second, it provided a perfect excuse to our enemies to attack us and deny ownership of such attacks. Can we now blame China for attacks on Indian cyberspace? Thus, attribution is critical for an appropriate response. In its Annual Report 2011-2012, Intelligence and Senator Committee of UK termed cyber attack as a ‘Tier One threat to UK.’ It directed the government to develop capabilities of cyber attack without detection (or at least without attribution). The UK government has allocated funds equivalent to Rs 5,720 crore over the next three years for National Cyber Security Program. The programme will prepare the country for cyber attacks.
Cyber war has also challenged some of the basic tenets of armed conflict. What is the use of men in uniform when the opposing forces are not going to be physically present in front of each other? How would belligerent forces know that attacking party is enlisted or a civilian? What if major critical data of one of the belligerent nations is encrypted and made unusable – will the data, which may be very vital for the survival of the population, be called ‘prisoner-of-war?’ If collision of trains takes place due to intentionally introduced malfunctioning of signalling system, leading to death of hundreds of innocents, will it amount to war crime?
Stuxnet, the first ever known cyber weapon, needs to be studied from warfare perspective than just from technical viewpoint. The politico-military objective was to delay and, if possible, deter Iran from going nuclear. The work on this cyber weapon was initiated in 2005 by NSA of US and Signal Unit 8200 of Israel. HUMINT was used to gather inside info about the work culture at nuclear enrichment plants in the country. For example, through HUMINT, it was gathered that Iranians working at the plants were in the habit of carrying pen-drives with them which they would use to listen to their favourite music. Also, there was an air-gap between network of office and network controlling Programmable Logic Controllers (PLC). However, both these networks had a shared network printer. The ‘Siplus Extreme’ machines of Siemens were used by Iran for programming the PLC of centrifuges of enrichment plants. Based on this intelligence, the weapon was designed by a multi-disciplinary group which had a deep understanding not only of the Information Technology but also about Siemens PLC. Cooperation of Siemens is also not ruled out. Original digital certificates were used for authenticating the malware. Mysteriously no complaint of loss of these digital certificates was lodged. The designers had also taken due care to ensure that there was no need for the user to click on anything to activate the malware. To avoid fratricide, the malware was hard-coded with the message that it would not infect the system if it came across marker ‘19790504.’ Probably that was the reason for limited infection in Europe and Americas; intriguingly Russia and China were also not affected by Stuxnet; while India was the third most infected nation.
The weapon was launched by infecting a compromised worker’s pen-drive. After infecting the system, the malware would search for one specific data block and two code blocks. In case, it did not find these blocks, it would continue to spread to other systems of the network. It was for the first time that memory block of common network printer was used to jump from one intranet to other. When the targeted PLC programming computer was infected, this information was shared with the Command and Control server. It then manipulated the revolution rates of centrifuges of enrichment plants to cause permanent physical damage, while the operator was presented a fake output on the screen so that he would not suspect anything wrong till the damage was actually done. According to IAEA reports, Natanz centrifuges operations in Iran had mysteriously declined from about 4,700 to about 3,900.
Preparation for cyber war
Armed forces across the world prepare regularly for war. The preparation involves intelligence and surveillance, placement of weapon launch pads, identification of targets and appropriate weapons for defeating the targets, continuously evolving strategies, doctrines and tactics for developing an ability to attack as well as defend, and very importantly methodologies for battle damage assessment. Research and development is an integral part of all of them. The regular exercises not only ensure war preparedness but also improvement of the weapon system. The same process should be followed for cyber war as well.
To built cyber war capabilities, the United States of America has issued presidential directive, doctrine and rules of engagement for cyber war. NATO routinely undertakes cyber war exercises. European Union, though for cyber crime, also undertakes several exercises every year. China is following an established policy of Informationisation of Warfare.
In April 2010, China diverted almost 15 per cent of the internet traffic through a single router. Many experts believe that the move led to a gathering of large amount of data for intelligence purposes by China. However, if the information was sensitive then it should have been encrypted in the first place. In fact, China rather than copying information has demonstrated to the world that it has technological superiority, where its routers and servers can process extremely huge data without collapsing. What it translates in real terms is that India with just about one per cent of Internet IP addresses allocated to it, has no ability to launch Denial of Service (DoS) attract on critical servers of China, even if all the computers in India are simultaneously used. This incident has also substantiated that China has brute power to process extremely huge data it routinely steals from its victims.
Recently, National Technical Research Organisation (NTRO) discovered that thousands of country’s Top Secret documents have been stolen by a China based server. The latest Mandiant’s report on China says, “Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organisation behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.” China has established its foothold in all countries including India; and these are not only restricted to stealing information but also can be the launch pads of cyber weapons in case of any cyber conflict.
India needs cyber offensive capabilities
Warfighting cannot be learnt from books or seminars. Several years of experience to manage complex warfighting mechanics is necessary. Therefore, it may not be appropriate to make someone, without any military experience, responsible for managing the cyber war capabilities. Indian Computer Emergency Response Team (CERTIN) was established in 2004 to provide defence to non-critical IT sectors of the country. National Critical Information Infrastructure Protection Centre is getting the final touch. While a formal structure under Joint Intelligence Committee (JIC) is required for intelligence and surveillance, Indian armed forces must be tasked with building cyber offensive capabilities, without further delay, as the task involved can take several years.
Some of the suggestions for developing national cyber war fighting capabilities are:
- Declare National Information Security Policy (inclusive of policy on cyber war) after wide consultation with all the stake holders. Such a policy should be, as much as possible, technology neutral, overarching and long lasting;
- Evolve cyber warfare doctrine and develop an ability to implement such a doctrine;
- Modify necessary orders (War- Book) to deal with situation when nation may go for cyber war, clearly defining changes in structures required to synergise national war efforts;
- Define rule-of-engagement for cyber war to prevent unintended escalation of war;
- Several war objectives, scenarios and targets should be defined to develop appropriate cyber weapons;
- Cyber weapons have very short shelf-life and once exposed, its defensive mechanism can be developed in a very short time. Therefore, cyber weapon research work is a non-stop continuous process;
- Several penetration tools must be developed indigenously;
- Establish close coordination amongst agencies and defence forces;
- Maintain database of capable persons who can be enlisted or used as militia for cyber war;
- Develop capabilities to synthesis of cyber-intelligent inputs on grand scale.
- Establish cyber-operation centres.
- Allocate area of responsibility in cyberspace to avoid fracticide and waste of efforts.
- Maintain presence in socialmedia for psy-ops and intelligence gathering.
- Undertake major educational campaigns at college level to build human resource capacity.
- Do not undermine requirements of cyber-battle-damageassessment and build capacity for artefact analysis accordingly.
Cyber war is politico-military issue and it requires far more integration not only between political heads and military but also with the other organs of the government and importantly with the civilian IT sector. India should gear up to fight proactively in this new virtual dimension, because cyber wars are not imaginary but real.