IDR Blog

The Embedded Chinese Threat
Col Indukri Krishna | Date: 17 Jul, 2014
Col Indukri Krishna, a cyber security expert, is a former Corps of Signals officer.

As the world becomes more and more interconnected in cyberspace, the Indian armed forces are no laggards. Today our Army, Navy and Air Force are being linked by increasingly sophisticated networks. This has led to a growing and irreversible dependence on computer systems to take critical decisions faster.

Today the armed forces face an ever-changing set of challenges in maintaining cyber security against the threat of attack. Rapid evolution in technology is forcing governments and industry alike to continually develop secure systems that remain one step ahead of the enemy.

As cyber systems become increasingly integrated, a multi-layered, adaptive and self-learning security system becomes imperative. With the prevalence of electronic communications, the growth of social media and widespread access to mobile networked devices, the cyber threat to today’s defence sector has never been more apparent. The ‘cyber landscape’ is both dynamic and borderless, and forces us to address our security in terms of technology, international cooperation and individual user awareness.

Unfortunately, in the Indian context, all the computers, servers and operating systems being used in the country have been procured from other countries. The chief manufacturer of these hardware systems is China. Despite the number of policies that exist to limit the procurement of hardware from China for sensitive systems, it is not possible to do so. It doesn’t matter who supplies the hardware, be it HP, IBM, Dell or another vendor: all the systems have most of their components manufactured in China. The remaining items could come from anywhere in the world. Malware could easily be embedded into the hardware. This malware could be triggered by certain conditions, by commands coming over the network or by radio signals.

At present India does not have any hardware forensics lab that can check for malware embedded in computer systems. Similarly, most of the software used by the armed forces, such as desktop and server operating systems, antivirus software, firewall software and the software running on routers and switches, comes from other countries. It is impossible to trace the exact origins of this software. Moreover, most of these are closed systems, that is, we do not have access to their source code. So if malware has been intentionally embedded in them, it is impossible to locate it.

According to Reuters reports, the NSA paid the major computer security firm RSA $10 million to promote a flawed encryption system so that the surveillance organization could work its way around security. Similarly, it has been found that most of the commercial encryption algorithms in use have flaws deliberately inserted into them so that intelligence agencies can spy on encrypted transmissions.

In 2011, a computer virus infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely flew missions over Afghanistan and other warzones. Eventually the virus was traced to the hardware chips procured from China. The bugs discovered so far are just the tip of the iceberg of malware existing in the systems that we keep procuring from various countries.

So, given this scenario, how do we protect ourselves? One suggestion that many people make is to have our own hardware and our own software. The investment required to develop even one operating system or one chipset is humongous, which makes this impractical. So is there an alternative? The answer is yes. We can achieve it by using multiple systems procured from various hardware vendors. We should not depend only on Intel or AMD based systems, but mix and match.

Similarly, for the backbone network we must procure from a multitude of vendors from various countries. This would ensure that any malware embedded in one system will not be able to traverse the entire network. Likewise, in the choice of operating systems, one could use a mixture of Linux, Windows and Unix based operating systems, without revealing the machines and operating systems on which our confidential data lies. The integration systems and the application layer software must be custom developed using our vast IT pool.

Just as the DOD of the USA provides funding to various cyber security related programs, our MOD could provide funding to cyber security projects that would enhance the cyber security potential of our armed forces. Can we fund some open source initiatives in the field of operating systems, antivirus software, firewalls etc.? This would provide some leverage and ensure that there is no malware embedded in the software. Security in the cyber world is temporary and fleeting. To be secure, one must continuously invest and innovate in research.

The views expressed are of the author and do not necessarily represent the opinions or policies of the Indian Defence Review.
