Weapons of Mass Disruption Lessons for India
Edward Joseph Snowden disclosed that the National Security Agency (NSA) of the USA had developed a capability that allowed it to intercept almost any communication. With these capabilities, the vast majority of human communications are automatically ingested without targeting.[i] Snowden described how the US hacked everyone everywhere, whether or not it was at war with these countries. What is significant in his revelation is the capability for cyber and information war. No network, irrespective of security layers and firewalls, is safe from organisations such as the NSA of the US, the Government Communications Headquarters (GCHQ) of the UK, the System of Operative-Investigative Measures (SORM), a technical system used by the Federal Security Service of the Russian Federation, and Unit 61398/Unit 61486 of the PLA.
What is at risk? Information, private and official, passing through cell phones, laptops, Facebook, chats, wi-fi communication and traditional communication networks is at risk. It allows the cyber watchdogs to build a detailed profile of a target and anyone associated with them. Snowden revealed that the capabilities developed by the NSA are even beyond imagination. The NSA and GCHQ work in tandem with each other (though they keep tabs on each other too!); for example, the UK is connected to 63 countries by fibre optics, and through these countries GCHQ can gain access to all the countries with which the target country is connected. Willy-nilly, every possible human being and installation is under digital surveillance 24×7.
Snowden turning rogue was a huge loss to the US and UK; as a result, a large number of projects and capabilities were compromised. The loss was in terms of project cost, business and compromise of vital information. Importantly, China and Russia have been able to gain a ringside view of projects undertaken by the US and UK to fight a borderless war with weapons of mass disruption. In addition, these countries were able to take precautions in hardening the targets. The US and UK had to abandon some of their high-end projects and to work on different models and modules.
Cyber Space Weapon of Mass Disruption and Cyber Deterrence
If we revisit history, the Internet was developed as a tool to connect and provide communication, and to become one of the cheapest and most profitable business media. But there were others who were working to use it for purposes other than business as well. There are more people connected to exploit the potential of cyber technology as a potent weapon to disrupt, degrade and weaken target nations economically and militarily. China, Russia, Israel, the UK and the US are the pioneers in gaining expertise in developing cyber capabilities as a weapon of mass disruption in a borderless war. Systems are being developed to counter even nuclear attacks by cyber-attacks. The danger is that mass slaughter, mass disruption and mass manipulation are no longer a state monopoly. These capabilities have leaked into the hands of trans-national and sub-national non-state actors.[ii]
China has two agencies working separately to defend and monitor global networks through the Golden Shield programme and Unit 61398/Unit 61486. Similarly, Russia has SORM. Systems that were originally created for businesses are, in the current scenario, exploited immensely and used as tools against nations, the corporate sector and individuals for purposes other than those for which they were originally intended.
Former US Defence Secretary Leon Panetta said that simultaneous attacks on “critical infrastructure” in the future could result in a “Cyber Pearl Harbour”. Conventional forces and nuclear weapons have increasingly become unusable weapons because they cannot be used in an undeclared war; cyber or information weapons, however, are being used in an undeclared war and have the potential to disrupt a nation and bring it to a standstill without a declared war. A nation's own systems can turn rogue and become subservient to an adversary. Critical infrastructure, systems and command centres can be disabled and disrupted at a time of criticality, both during peace and war. Such weapons have the potential to generate false intelligence of a missile attack, produce inaccurate target designation to shield vital objectives, and create a digital signature of a CBRN attack as well. At the same time they have the potential to paralyse electric grids, create navigational blackouts and direct/divert airborne aircraft in different directions. Railway networks can be disrupted, causing disruption in the mobilisation of forces. Weapons of mass disruption are far more lethal than nuclear weapons because they are being used every day and will be employed with much greater impact, with deniability of wrongdoing.
There is a need to calibrate and employ cyber capabilities as deterrence. The military gives an edge that a civil agency is not capable of providing. The military component is an essential part of deterrence and, while planning an overall information warfare strategy, it should be recognised that target information systems change rapidly and will change fundamentally in the near future.[iii] Therefore, India should develop:-
- Robust attack technologies capable of on-demand use against a range of target technologies/systems.
- Leverage intelligence community parallel technologies to access and process targets.
- Pursue long-term expert based study on improved techniques for computer attack, which increase on-demand effectiveness with reduced manpower investment.
- Pursue development and use of intelligent agents for attack mission.[iv]
Security is imperative because future targets in war and terror strikes will also be at the cyber centres, communication centres, the physical infrastructure of cyber and information warfare and human resource engaged on critical projects.
Imperative to Keep Cyber Agencies under Military Control
Cyber-attack capabilities are nothing less than weapons of mass destruction that can “skip over the battlefield” to target civilian life. That sort of threat, like nuclear weapons, calls for a multi-tiered response: treaties, transparency, beefed-up defences and a focused concern on rogue states.[v] It needs secrecy and security of a very high order: the identity of people working on such projects should be confidential, with physical and digital control of access and close monitoring of staff and systems. No matter how much control is exercised and how elaborate the standard operating procedures put in place, security always remains a question. India needs to take a look at how other cyber powers have ensured a strict regime.
One aspect common to all cyber superpowers is that apex cyber organisations are headed by military commanders, and the more sensitive programmes are handled by uniformed personnel, in the US, UK, Russia, Israel and China. The NSA is headed and staffed at the top echelon by military commanders, China has uniformed laptop warriors under the PLA, and the same is the case with Russia and Israel. After the Snowden leak, it has been realised that individuals on contract can either turn rogue or be lured by rival agencies. Military control brings in responsibility, confidentiality, discipline and a sense of loyalty due to regimentation. A physical separation is maintained by virtue of living and working in secured cantonments. But the same cannot be said about a civilian professional on contract, or even one employed regularly.
Where is India on this front? The bureaucracy wants this organisation to be headed by a civilian instead of a military commander, and such a move would be catastrophic. Misuse and exposure of such capability by rogue individuals like Snowden, intentional or unintentional, could wreak havoc on national reputation, breach security and compromise future plans.
Why is military control imperative? To develop and maintain confidentiality, it is important to have a system that is under the tight control of an apex political authority. The Strategic Forces Command has been a successful model, which is directly controlled by the PMO. Whatever name the Government wants to give it, it must have tight control that bypasses bureaucracy and ministerial red tape. Such organisations cannot be run indirectly through file notings because of the sensitive nature of the tasks and responsibilities. Political leadership may find it easy to have civilian control over this agency, but in the long term it will turn out to be another CBI that is open to political manipulation and blackmail. Cyber and information are high-impact weapons with catastrophic outcomes. Therefore, such systems should not be kept out of military control. Given the knowledge base and pool of human resources available in India, it should have been one of the best systems in the world, but it is still struggling without an indigenous network and its own servers. India is still being supported by a network that has servers located in foreign lands. China has developed its own operating system with the capability to deny access to Google and Facebook.
An authority that has such a long-term impact on national security, economic well-being and the development of national power needs long-term investment, a national strategy, doctrines, a concept of operations, training of staff and R&D. To ensure this, it has to be an organisation that can function in a structured, regimented military regime.
How should this organisation be staffed? Should it have uniformed regimental military personnel or a different cadre governed by the Army Act? A recommended option is to have warriors not in uniform but governed by an Act of Parliament similar to the Army Act to instil discipline. Heads of offensive and critical capability development should preferably be military officers with a dedicated cyber stream. They need not be located in the capital city but can be spread over five to six places in the country, with infrastructure such as the circular complex of GCHQ in the UK.
Twenty-first-century cyberspace contributes to a world fraught with a range of perils previously unseen[vi], because modern technology wields the incredible disruptive power to attack a nation from any part of the globe. Cyber deterrence capabilities can come only from a structured organisation with clear objectives and a concept of operations. It must be visible, credible and capable. An ad hoc, ragtag and fractured response is neither here nor there. India needs to be aware that global chaos could result from unchecked cyber-attacks and that the cyber domain is a perfect breeding ground for political disorder and strategic instability.[vii] Therefore it should not be allowed to remain outside the military domain.
[i] Ewen MacAskill, Edward Snowden, NSA files source: ‘If they want to get you, in time they will’, theguardian.com, June 10, 2013.
[ii] General Graeme Lamb (Former Director of Special Forces), Threat now is from weapons of mass disruption, https://www.theguardian.com/uk/2011/may/30/weapons-of-mass-disruption-cyber-attack, May 30, 2011.
[iii] Bytes: Weapons of Mass Disruption, Air War College, Air University, April 2002, accessed on February 18, 2017 from http://www.au.af.mil/au/awc/awcgate/awc/lamb.pdf.
[v] Andy Greenberg, Weapons of Mass Disruption, Forbes, April 08, 2010.
[vi] Robert Mandel, Optimising Cyber deterrence: A Comprehensive Strategy for Preventing Foreign Cyber Attacks, Georgetown University Press, 2017, p. 26.
[vii] Ibid, p. 26.