Cyber vulnerability arises not only from critical hardware; sub-critical hardware is also vulnerable when purchased from international vendors. Sub-critical hardware is essential for the operation of IT systems, and routers are one such item used for communication, data handling and transfer. Routers are sub-critical hardware which route data within and between IT systems. Routers are much like postmen who collect snail-mail from post boxes and post offices and deliver it to the addressee, hopefully without reading the communications or extracting anything from the mail. However, for digital data security, data is coded and voice communication is scrambled. The software for some routers is regularly updated by security patches and this, as in critical equipment, is a source of substantial cyber threat.
Open Market Purchase
IT equipment purchased from the open market overcomes the disadvantage of revealing the end-use and prevents the installation of targeted backdoors. Cyber threat is minimised, but not eliminated because, for example, a motherboard or a hard disk or the microprocessor could have secretly embedded devices which can be activated remotely. Notwithstanding, this is a ‘safer’ route. However, this route of open market purchase calls for increased levels of hands-on IT competence for system design, integration and implementation. Such talent is not difficult to find in our country, but sadly this is not encouraged because of reliance on foreign vendors who exercise influence at the highest levels of state and central governments.
IT-product security evaluation is done under a framework of evaluation assurance levels (EALs) from 1 to 7. EALs 1 to 4 are relatively easily dealt with, but levels 5 to 7 involve checks ranging from investigation into the source of the hardware and software, to checks for embedded hardware and/or software, to silicon-chip-level testing to check whether the device performs only the task for which it is purchased and none other. As EALs increase, the level of expertise, the infrastructure and the time and cost required for conducting evaluation grow exponentially. These need to be assessed according to the assessed risk of cyber attacks, the extent of non-acceptable consequences, and the capability and time-frame for restoration after attack. Infrastructure planning and provision should be done accordingly.
Effects of Cyber Attack on National Databases
Cyber attack by a foreign power or a criminal group on a national database by one of the means mentioned above can be disguised to appear as internal system failure. Simultaneous attack on multiple databases can bring the economy to a grinding halt. The ability to enter multiple data silos or systems almost simultaneously is provided by an ‘entry-point’ which is common to them.
Such an entry-point could be through a database which provides a digital entity that is linked to multiple databases. Several experts consider UIDAI’s Aadhaar number, which is linked to multiple databases, as providing a hacker with entry into multiple databases. That is, if CIDR is hacked, it can be a clandestine route for entry into linked databases. In fact, UIDAI naively created and implemented the CIDR by contract with an international vendor which had intimate links with the intelligence community of the vendor’s country. Hence, the danger of backdoors having already been installed cannot be ruled out. It is a moot point whether Aadhaar is UIDAI’s self-goal by unwittingly planting a cyber-crime bomb, notwithstanding their unconvincing protestations. A law to protect data would not hinder a determined aggressor from hacking into the CIDR. It would appear that cyber security with national security consequences was not a priority with the architects of UIDAI’s Aadhaar, hence the justification for alleging naivety.
In international politics, a cyber attack is an act of war, justifying reactive military response. However, when a cyber attack disables multiple databases which affect military logistics and operations, it can restrict or limit the scale or speed of military response.
Capability for Cyber Security
As mentioned earlier, India has virtually zero production of critical hardware and software even in core sectors such as defence, home, finance, energy (especially oil) and transportation, all of which impinge immediately and directly on the daily economic life of individuals and the state. Total dependence on international vendors for critical IT hardware and software is the bitter truth. The attitude of successive governments to this truth has been denial, finger-pointing, targeting whistleblowers by trolling or legal action (Tribune journalist Rachna Khaira being the most recent instance), ‘shooting’ the messenger, or adopting an ostrich-head-in-sand policy. It is not surprising that the problem has not gone away. Rather, the risk has increased from military, political and economic perspectives.
Focussing on data protection at database levels is inadequate since data is simply digital alpha-numeric strings divorced from real-time situations and real-life people. Privacy, cyber security and national security, which are at the core of individual sovereignty and national sovereignty, need to be covered both by actionable policy and law. A degree of assurance for cyber security can only be had by using national human and material resources drawn from India’s public and private sectors. This is obviously a process which will take years, and planning for this can only be effective after the risks and consequences of cyber attack are accepted and realistically assessed at state and centre government levels and policy and law on data and cyber security are formulated. All this needs to be with policy and time-bound action plans cleared at the level of the National Security Council.
The government’s e-governance initiatives will inevitably shift every aspect of national functioning into the cyber domain. As it gains momentum, the concomitant risk will be its increased vulnerability as a cyber target. Since cyber security compromised in one sector gives an aggressor access to associated sectors that use linked data, cyber security cannot be effective unless it encompasses the entire linked databases of knowledge-information-data across administrative and procedural demarcations. Only holistically architectured security can reduce vulnerability to cyber attack, limit or contain damage to databases and speed up recovery in case of a successful attack.
A national database such as the UIDAI’s Aadhaar CIDR was created without laws to safeguard it or the data that it contains. Even after a law was passed in 2016, reports of leaked data are eliciting defensive responses from UIDAI, indicating the governments’ casual approach to cyber security. A law to protect data can fix responsibility for invasion of databases and prescribe legal action. Such a law would be ineffective when the attacker is outside India’s political boundaries, and it cannot take cognisance of the larger aspect of cyber security at the national level. That would call for holistic policy at the National Security Council (NSC) level, with action plans for time-bound, phase-wise implementation.
An effective cyber strike on the day-to-day governance of a nation could be catastrophic, impinging on national security and also compromising national sovereignty. Being in a state of denial with respect to cyber security, as in the UIDAI’s case, will only take our country closer to the edge of a precipice beyond the point of no return. We need to think beyond feel-good, band-aid solutions like formulating a law on data protection. Political-diplomatic-trade tie-ups with countries which promise assistance in security may further compromise security, since the critical IT hardware and software which we use are all imported and we may even facilitate the foreign intelligence agency’s access. Surely, the NSC has its task cut out.
Military Cyber Security
The critical IT hardware and software used by the military for its operations and logistics is no different from that used by the rest of India’s official machinery and is similarly at risk of penetration. Imported weapons systems subject to end-use certification include the concomitant risk of pre-installed backdoors and/or malware capable of remote activation. Until the NSC works out policy and phased action plans for indigenous production of reliable IT equipment, the military will continue to be dependent on foreign sources for its critical IT hardware and software and its operations and logistics will remain open to interference from countries which have well-defined strategies and superior cyber warfare capability.
Military vulnerability will obviously be greater vis-a-vis a country which supplies critical hardware and software. There is all the more reason to carry out evaluation to the highest EAL for equipment acquired from such a country, for there is no such thing as a ‘safe’ supplier in the cloak-and-dagger world of cyber warfare. The present status of India’s military logistical inadequacy would be well known to hostile as well as ‘friendly’ foreign militaries through conventional intelligence sources as well as through cyber backdoors, as part of their cyber warfare preparedness. In the IT-centric warfare of tomorrow, and in the absence of plans to overcome the military’s dependence on imported critical cyber equipment, what is India’s real-time military capability, notwithstanding statements that we can fight on two-and-a-half fronts?
The capability of India’s matchless troops in on-the-ground, blood-and-guts fighting is legendary. But if operational logistics is compromised in advance by a hostile military, wars may be lost even before engaging in battles, and such battles as are engaged in will prove costly in terms of soldiers’ lives lost due to inadequate generalship. Ineffective military cyber security is a military shortcoming and reduces the deterrence capability of India’s military. Is there a disconnect stemming from ignorance or hubris at the top military echelons regarding cyber vulnerability and its effect on military capability? Historically, the failure of military strategy notwithstanding, the boldness and raw guts of junior leaders have won battles. But this cannot work in cyber warfare. Offensive cyber capability has to be built up along with reliable and effective cyber security as a national strategic imperative.