It has always been maintained that there is nothing like total cyber security. However, in August 2017 the Chinese satellite ‘Micius’ beamed “hack proof” messages to earth that were received by two Chinese receiver stations atop mountains – one 645 km and the other 1200 km away.
The Quantum Experiments at Space Scales (QUESS) ‘Micius’ is the first quantum satellite in the world that China launched on August 15, 2017.
The beamed messages were protected by exploiting quantum physics, since any attempt to eavesdrop on them would be detected and lead to changes automatically. Complicated optics on the Chinese satellites protect messages with entangled photons: sub-atomic particles of light manipulated so that some of their key properties are dependent on each other. By encoding a key to encrypt data using entangled photons, it becomes possible to send messages, confident that they have reached a recipient free of interference. A month later, in September 2017, China announced it had set up its first “commercial” quantum network in its northern province of Shandong for exclusive use by more than 200 government and official users, with “hack proof” communications.
Quantum networks would provide massive strategic advantage in military and civil applications. Our R&D would do well to focus on such technology, even though, given the pace of technological advancements, how long these will remain hack-proof, and to what percentage, is anyone’s guess.
In May and June this year, the WannaCry ransomware struck the world over. In the second such attack on June 27, not much damage occurred in India, though one terminal of the Jawaharlal Nehru Port Trust near Mumbai was affected by the malware attack, disrupting operations.
Interestingly, the Moscow-based cyber security firm ‘Group IB’ traced the origins of the malware and hackers to a code developed by the US National Security Agency (NSA) that was leaked and then used by WannaCry ransomware attackers.
In August this year, a leading Indian infrastructure company discovered that hackers had gained remote access to some of the most sensitive information on its IT systems for a fairly long period of time. Cyber security experts engaged by the firm said Chinese hackers were behind the breach. But then several Indian government offices, organizations and institutions, as well as private companies have been subjected to cyber attacks originating from China; the PMO, MEA, MHA, NIC, DRDO, atomic installations, and military websites suffer hacking attacks periodically. In one instance, according to the Toronto based Munk Centre of International Studies, GhostNet, a Chinese network, had infiltrated networks of the Indian Government as well as of the Dalai Lama. These Chinese cyber attacks are mostly through proxy servers in countries like North Korea, Africa, Eastern Europe and even Russia, which are difficult to trace.
Without doubt, cyber attacks and malware will continue in the foreseeable future, but prevention and mitigation measures to reduce the risks posed by cyber-related threats, network segregation included, can and must be put in place.
Just two months before demonetization last year, as many as 32 lakh debit cards belonging to various Indian banks were compromised, resulting in the loss of Rs 1.3 crores, with one source indicating this was due to a malware-infected ATM of Yes Bank. Also, while ‘Digital India’ is increasingly networking the country, including critical infrastructure like transportation networks, power grids and financial institutions, through on-line integration, with more and more official data stored on-line, requisite levels of cyber security apparently could not be catered for in the project because the costs would have gone up exponentially. This gives the opportunity to our enemies, radicals and terrorists to undertake cyber attacks.
There is also the controversy over the Aadhaar Card, with official statements ranging from it being ‘secure’ to ‘being made secure’. But according to media reports of April this year, personal details of a million pensioners, including bank information, were leaked in Jharkhand. Then, in August 2017, Abhinav Srivastava, an IIT-Kharagpur alumnus, gave a six-hour step-by-step demonstration to the Bengaluru police showing them how he hacked into Aadhaar data stored on a ‘government website’.
While the right to privacy is under discussion, a leak of the Aadhaar database, which gives complete details of the individual and his / her family members including demographic and biometric information, provides opportunity for powers inimical to Indian interests to target, blackmail and recruit moles. There is a need to make the Aadhaar database fully secure.
The good news is that India is ranked 23rd out of 165 nations in the commitment of nations to cybersecurity in the Global Cybersecurity Index (GCI) released in July 2017 by the UN agency International Telecommunication Union (ITU). The top 10 most committed countries as per the GCI are Singapore, United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada. Russia is ranked 11th. India is ranked 23rd on the index with a score of 0.683 and has been listed in the “maturing” category, which refers to 77 countries that have developed complex commitments to cybersecurity and engage in cybersecurity programs and initiatives.
The surprise is China ranked at 32, but then China has its own operating systems and with its more than rigid firewalls does not require doing much towards cybersecurity.
China is a cyber superpower adept in refined skills to undertake cyber espionage and sabotage. China’s cyber warfare strategy focuses on controlling the information systems of the adversary during critical periods of confrontation, and this is how China plans to negate superior US technology and obtain advantage in the physical battlefield.
In India, cyberspace is being looked after primarily by the National Technical Research Organization (NTRO) operating under R&AW. The Indian Computer Emergency Response Team (CERT), set up in 2004 under the Department of IT, is the nodal agency for responding to computer security incidents. In addition, the National Critical Information Infrastructure Centre (NCIIC), carved out of CERT in 2013, is to protect assets in critical sectors like energy, banking, defence, telecom, transportation etc. In addition, we continue to face the mammoth problem of virtual terrorism.
The NSA is to oversee a public-private partnership to set up a cyber-security architecture. Logically, this would also be on the lines of the Counter Extremism Project (CEP), a non-governmental initiative launched in 2014 with Israeli assistance to confront the growing threat from extremist ideology, seeking to refute social media messaging and compile the world’s biggest database of extremist networks. CEP works with governments exploiting the internet to mobilize social media to counter extremist ideology by exposing the threat of extremists and mounting a global counter narrative.
Post the recent visit of Gulshan Rai, National Cyber Security Coordinator, to Israel, India-Israel collaboration in this field is being institutionalized and should soon be taking off provided we can get rid of the proverbial red tape. At the same time, it is ironic to note that our cyber laws need to be defined in a much more focused manner.
The rapid strides in cyberwarfare may be gauged from the fact that, according to a recent WikiLeaks report, 85% of global smart-phones have been weaponized by the CIA by using the Android operating system (OS) for spying and that a surveillance technique called ‘Weeping Angel’ infiltrates smart TVs, transforming them into microphones. India would do well to establish Centres for Infrastructure protection, information sharing, information assurance and IT Product Security Test at national level under one single advisory council: a National Coordination Centre for Information Sharing and Analysis as an independent unit that defines the meta data and data standards for information sharing between the NCIP, the intelligence agencies and the public and private sector industry; and a National IT Product Security Test Centre for operating and maintaining a National Evaluation and Certification Scheme for IT Security.
In the above context, it is also pertinent to note that the cyber warfare programs in the US and China are led by respective militaries, whereas in India this is not the case. There are some nascent steps being undertaken for setting up a Cyber Division, with MoD insisting on a two-star set up in contrast to the Cyber Command recommended by the Naresh Chandra Committee. But these being superfluous considerations, the vital question is how this new organization will be integrated into the national cyberwarfare program, given the obsession of keeping the military at arm’s length, not so much for fear of any coup but because of remote maneuvering by those who want India to remain chaotic – not ‘strong’.
The military’s integration in the national cyberwarfare set up is more significant with international analysts concluding that the crash of the IAF Sukhoi fighter aircraft close to the Line of Actual Control in May 2017 was due to a cyber attack that originated from China. India needs to take a cue from the recent US decision to elevate its Cyber Command to that of a Unified Combatant Command, sending a strong signal to entities and countries inimical to its interests to recalibrate their security calculus. Additionally, India must acknowledge and examine emulating the tremendous operational advantage enjoyed by China’s newly constituted Strategic Support Force that combines the functions of intelligence, technical reconnaissance, electronic warfare, cyber warfare and space warfare.
The UN Group of Governmental Experts (GGE) and organizations like the ‘Global Commission for Stability in Cyberspace’ are struggling with questions of how to find consensus in the international community, how existing international law should apply in cyberspace, whether we need a ‘Digital Geneva Convention’, and if so, how effectively this can be implemented. But given the nuances of cyberwarfare, including ambiguity in pinpointing the attacker, nothing much is likely to change on the ground. The propagators of virtual and on-line terrorism, particularly terrorist organizations, will continue to remain unaccountable anyway.
In addition, there are cybersecurity companies playing the ‘double game’ and foreign intelligence units masquerading as Risk Consultants, while the Internet features a highly complex array of stakeholders; all of which makes cybersecurity highly complex, with a keystroke taking only 300 milliseconds to travel halfway around the world.
According to some experts, Chinese hackers may even be using social media platforms, such as Facebook, to create, change and manipulate opinions of Indians just as they do domestically; targeted propaganda over social media and other modes of mass communication.
There is no doubt that manipulating public opinion and perception management as non-kinetic tools of modern warfare are gaining increasing prominence; the playground being the minds of the indigenous population, population of the target country and the international community. It is in this context that the recent reports of the PLA learning Tamil and Malayalam languages should also be viewed.
The Guardian reported in 2015 that the British Army is setting up its 77th Brigade as Facebook warriors responsible for non-lethal warfare; skilled in psychological operations and use of social media to engage in unconventional warfare in the information age. With a strength of about 1500, the 77th Brigade was to come into being in April 2015.
The move was seen partly as the result of experience in counter-insurgency operations in Afghanistan, and also as a response to Russian actions in Crimea and the ISIS takeover of large swaths of Syria and Iraq. Israeli Defence Forces have established state military engagement with social media, with dedicated teams operating since its war in Gaza in 2008-9. These teams are active on 30 platforms including Twitter, Facebook, YouTube and Instagram in six languages. This aspect should also be part of Indo-Israeli cyber-security cooperation.
Cyber attacks are a vital ingredient of the hybrid warfare that is ongoing globally and that we have been facing for the past decades. Hence, focus must be maintained on this non-contact strategic asset. We need to invest heavily in IT protection, lest we become easy targets for adversaries, terrorists and criminals. Many institutions in India are running courses in hacking. So, the basic capability is very much there, but what is needed is harnessing the youth talent, a well-thought-out roadmap and, most importantly, its implementation.
Any amount of focus on cyber-security is warranted as it is directly linked to our national security, economy and development.