Indian Defence Review

The capability of India’s matchless troops in on-the-ground, blood-and-guts fighting is legendary. But if operational logistics is compromised in advance by a hostile military, wars may be lost even before engaging in battles and such battles as engaged in, will prove costly in terms of soldiers’ lives lost due to inadequate generalship. Ineffective military cyber security is a military shortcoming and reduces the deterrence capability of India’s military. Is there a disconnect stemming from ignorance or hubris at the top military echelons regarding cyber vulnerability and its effect on military capability? Historically, the failure of military strategy notwithstanding, the boldness and raw guts of junior leaders have won battles. But this cannot work in cyber warfare. Offensive cyber capability has to be built up along with reliable and effective cyber security as a national strategic imperative.

National defence is central to protecting the territorial and political sovereignty of our republic. This defence is primarily provided by the military (Army, Navy and Air Force), with its soldier-and-weapon capability. In present time, military operations and logistics use command, control and weapons systems which are enabled by information technology and military teaching is about Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) with cyber warfare as a distinct branch.

The effectiveness of military operations is finally based on the backup that the nation provides with its infrastructural, economic and political resources. Boots-on-the-ground in real-time combat situations cannot succeed without cyber-dependent operations and logistics. Thus there is a need for both offensive and defensive cyber capability and this is intimately linked with the cyber capability of the nation.

The larger picture requires that data systems which include the bits and bytes which every civil and military computer stores, uses and processes, the enabling software, the basic hardware and the human resources which are the final users, are secure against loss, corruption, theft and infiltration. Thus, there are real threats to national security from loss, leakage or corruption of data whether due to ignorance, inadvertence or cyber attack. This calls for policy and coordination at the highest level, namely, the National Security Council (NSC).

Security of data at government or military levels is not unlike the privacy of personal data at the level of the individual. When the government stores and handles personal data of millions of its citizens in a national database, a cyber attack on such a database is an attack on national sovereignty.

Threats to Inter-connected Databases

In an age of exploding data, information and knowledge, both human and machine, cyber security is as much a necessity for personal privacy as it is for internal and external national security or for day-to-day economic activities and operation of social and economic infrastructure systems. Cyber security also constitutes the defensive part of modern warfare which is intimately connected with the blood-and-guts, on-the-ground military operations. Thus, the threats to privacy and to national security from loss, leakage or corruption of data whether due to ignorance, inadvertence or cyber attack, need to be understood clearly.

Vulnerability to cyber attack is a function of the inter-connectedness of personal and institutional computer systems and the integrity and quality of cyber defences at every level. Data has no geographical or political borders. The border for data is essentially the physical border formed by the physical infrastructure of installed hardware and the electronic boundary of the IT system or database within which the system manager has control.

Cyber attack has come into public space precisely because of increasing inter-connectedness between systems or autonomous data silos, as internet users proliferate at the staggering rate of eight new internet users every second. This is even while there are allegedly 250,000 new computer viruses being created every day, which have the potential to infect private and institutional systems from around 300,000 infected websites, which can and do change every day. That gives an idea of the threat lurking behind every single keystroke of every computer which is connected to the internet.

Cyber Criminals

Cyber criminals are not only professional in their capabilities, but are well organised and even advertise their profession. There are ads for hacking services, which can be purchased by a business person to knock out business competitors by obtaining information or disabling systems for a critical period or effectively making the system inoperable by deliberately overloading it with inputs – called DDOS, standing for Deliberate Denial of Services. DDOS can cost the purchaser of the hacking service $5 to $100 per hour or more depending upon the built-in security of the system, the risk of discovery and the benefit that the customer would get out of the DDOS to his business rival.

While hacking into a system to extract (copy), corrupt or delete data, is fraught with the risk of being traced, arranging DDOS is perhaps relatively safer. Alternatively, the hacker can be employed to infect a target system with malware. Such advertised services are themselves difficult to trace to a physical address, since the operators are skilled geeks who could be a next door neighbour or living on another continent.

Reportedly, malware sales and distribution to potential and in-practice cyber criminals, is a thriving business. For example, a package named Black Hole Exploit Pack complete with full technical support and documentation enables a newcomer to set up his own malicious hacking server. Further, computer systems can be invaded by planting or embedding hardware at some stage of the manufacturing process or inserting malware during system installation. This provides a so-called ‘backdoor’ to the system, unknown to the user, permitting individual criminals, corporate competitors, intelligence outfits or deep state actors unauthorised, and often undetected, entry to the system for their respective nefarious purposes.

Software firewalls can prevent unauthorised entry into systems, but it must be understood that an engineer working in even a reputed firewall vendor company could have illicit and secret association with a hacking facility at the individual level. Even otherwise, hacking is a part-time or full-time occupation which is open to the very young, even as young as eight years of age. Some hackers do it for kicks – supposedly harmless – or to deliberately harm some particular person or organisation, while others do it for making money.

All it requires for hacking a system is some self-acquired skill on computers (not very difficult for today’s youngsters born to the keyboard), motivation to hack (monetary incentives or personal satisfaction aims) and time (part-time after school or work is adequate) to succeed. The world over, cyber experts admit that a system is safe only until it is hacked and the truth of this admission is that very high security systems such as NASA, CIA and FBI have been hacked or have had malware injected into them.

Hard Truth

Thus, a cyber attack can be on an individual computer, a system, a network or a server. But the threat is not only through the internet. There are many software devices and tools for physically gaining access to a system or database. Most cyber criminals skilfully cover their tracks to escape detection and arrest. It helps them that most cyber security laws are national in scope whereas the internet is not limited to national political or geographical boundaries, being borderless and international. Furthermore, countries do not agree with each other on cyber security and privacy.

Backdoors and Built-in Threats

The IT infrastructure, meaning critical high-end hardware and software (‘equipment’, hereinafter), in most, perhaps all, central and state government ministries, departments and organisations is purchased from international vendors. These vendors are not the Original Equipment Manufacturers (OEMs), since OEMs have limited global marketing capability. The purchaser enters into a contract with the vendor who procures the infrastructure from the OEM and installs it. In most cases, the vendor is also contracted for life-cycle technical support since the design and details of the equipment are protected by the OEM under IPR.

Further, the OEM, operating under an export control regime, insists on the purchaser providing end-use certification. The nexus between the IT OEMs and the intelligence community needs no highlighting. It is this nexus which permits the OEM to secretly embed targeted hardware and/or software in the equipment, including detecting and suiting the geographical location of the end-user.

Regarding the life-cycle technical support of the equipment, the vendor is often contracted for online support. This means that the purchaser actually hands over the entire live system to the vendor’s systems engineer who may be physically located anywhere in the world for updation, upgradation and rectifications. At this stage, one or more of the following could happen:

•  If a backdoor was not installed at time of supply and installation, this can be done,

•  If a backdoor was installed at time of supply and installation, data can be downloaded,

•  A new or updated backdoor can be installed.

Online technical support by the vendor may be preferred because it is cheaper than having a vendor’s engineer visit the site, and also because security clearances for physical visits could be problematic especially in high-security installations.

Click to buy: Jan-Mar 2018 (Vol 33.1)

The point here is that critical IT hardware and software infrastructure is purchased from the international market, for end-use in defence, home, finance and banking operations, energy including oil, education, health, social welfare, electric power, nuclear power, railway operations, air traffic control, rail and air passenger reservations, public or private sector industry including UIDAI’s Central ID Repository (CIDR).

Thus vulnerability to cyber attack is substantial when every single item of critical hardware and software is purchased from international vendors especially those who also provide technical support as part of the contract.