India moves towards greater digitisation of its economy and government services, but many vulnerabilities remain in the area of cyber space.
This has to be rectified before escalating a response to China, an acknowledged cyber power.
For more than a month now, India, China and Bhutan have been locked in a tense stand-off at the tri-junction of their borders in the strategic Chumbi Valley in the Indian state of Sikkim. The trigger was China’s attempt to construct a road through the Doklam plateau.
This road will allow China to neutralise India’s defences and expose the Siliguri corridor (or the Chicken’s Neck), which connects India’s north-eastern states to the rest of the country.
The analysis in the media of tactics and military hardware has been shrill and narrowly focused, taking no consideration of the danger that China poses if the current stand-off escalates into cyber space, the fifth spectrum of contemporary warfare.
Prime Minister Narendra Modi had hinted at this two years ago, suggesting that it could impel a bloodless war and that he dreamed of an India where cyber security was an integral part of national security.
China has targeted India’s cyber space and networks for years, allegedly mounting attacks also from Pakistan, its ally. Such incidents numbered 50,362 in 2016, rising from 44,679 in 2014, according to the Indian Computer Emergency Response Team (CERT-In). It is clear that the Indian authorities learnt no lessons from the hacking of Ministry of Defence computers in 2010 that took place despite there being a cyber security policy since 2008.
Hitachi Payment Services Systems, which provides banking automation products, and ATM and point-of-sale services, was breached between May and July 2017: malware infiltrated more than three million Indian debit cards. The hackers took away an “unascertainable” amount of data, but neither the Indian government nor Hitachi was able to establish the origin of the attack, the identity of the hackers or how the securely self-destructing malware was created.
The Indian economy, which is increasingly technology-dependent, is more vulnerable than ever before. Telecom, smart phones and internet-based commerce are now a part of daily life even as the government is going full steam ahead on the front end of digitisation too, beginning with demonetisation in November 2016 to the continued migration of government services to e-services. But at the back end, most local law-enforcement agencies in India have had only limited success investigating and prosecuting cyber crimes for want of experience.
Even the Joint Doctrine Indian Armed Forces, released earlier this year, disappoints in this regard. It refers to the importance of cyber space in winning the next war and recommends setting up a new defence cyber agency – similar to the one in the United States of America (US) – but it does not detail how the new entity will differentiate itself from the existing Defence Information Assurance and Research Agency, which is tasked with addressing the cyber security needs of the three services and the defence ministry.
It also discusses cooperation of the armed forces with civilian agencies through the National Cyber Coordination Centre, an institution that is yet to become operational. Until then, cooperation between military-civil forces will fall to the personal initiative of the Cyber Security Coordinator.
The option of ambiguity
Will it then be wise for India to keep its tactics deliberately ambiguous – so that potential adversaries can only guess at its real ability to retaliate, and hence, choose not to take the cyber offensive route?
The US, to an extent, adopts that approach, using guarded terminology to describe its cyber forces while creating a halo around their capabilities through the media. For instance, neither the US, nor Israel, its ally, which was suspected to have helped develop the Stuxnet computer worm, acknowledged responsibility for the attack on Iran’s nuclear centrifuges. Enough information percolated into the media to create a sensation and force most potential adversaries to rethink a strike.
On the other hand, China has been upfront about its views on cyber attacks and has made rapid strides in purveying information and practising cyber warfare.
Its Science of Military Strategy (SMS) of 2013, a document considered as an official reflection of the thinking in the Chinese military, outlines a force structure, based on three concentric circles, involving both military and civil forces. At its core is the military cyber force. The next ring constitutes ‘authorised forces’, situated in various departments of the government, while the purely ‘civilian forces’ form the outermost layer, volunteers who can be commandeered into action in times of crisis.
Then in 2015, in the White Paper on Military Strategy, China stated that space and cyber space were the “new commanding heights of strategic competition” and it intended to focus on winning “informationised” local wars. Leading Chinese strategic authors have written on the necessity to destroy China’s enemies’ core information systems, or confuse them through altering information in their systems and so on to win the conflict.
It is therefore difficult to imagine how India will be served by staying strategically ambiguous about its cyber capabilities. It has to try and catch up – quickly.
The government and private sector have to come together in times of crisis to immediately plug basic gaps, such as applying pending software patches and threat scans and co-opting the military in the effort: India’s CERT-IN issued a threat advisory to computer users in the country within a few hours of the global spread of the WannaCry ransomware attack, while industry bodies, such as the Data Security Council of India, worked with the private sector to ensure that the required security patches were applied urgently. It also hosted a webinar on the subject for the benefit of IT professionals.
In the long term, India must transform its greatest asset, its large pool of skilled IT professionals, to become part of an ecosystem that creates its cutting-edge software to power India’s technology rather than depend on the imported kind. The locally developed software is a strategic asset since it ensures that the source code that runs the programme and the machinery does not grant access to foreign firms or governments. Reputed domestic cyber security companies, such as Quick Heal Technologies or Net Protector, which have created a niche for themselves in a market dominated by foreign security firms, such as Norton, Kaspersky and AVG, can be tapped to create customised solutions that match India’s security needs.
Hackathons and bug bounty programmes ought to be organised frequently to locate the talent that can develop, and also test software for cyber vulnerabilities, and lead projects to strengthen the cyber space around India’s sensitive economic systems, such as power grids, oil refinery pipelines and water pumping stations. This latter task is one that the National Critical Information Infrastructure Protection Centre alone handles currently.
Before this can happen, awareness about science, technology and its impact on national security has to be aggressively propagated: events, such as the US-based Maker Faire, though still held only in metro cities and IT hubs, such as Bengaluru, are an important part of this exercise.
This article was originally published on Gateway House and has been republished here with permission.