Cyber Security

Already into World War-3, Undoubtedly

by Prasad Nallapati

Delving into the unfolding “no-holds-barred” third World War featuring cyber warriors from the state and non-state domains, the author, a security sleuth, offers a 12-point strategy to India, which, he avers, is still unprepared to face the challenge despite being the world leader in software.

Looking through the invisible “dark world”, I am convinced that we are already in the dreaded Third World War. Many may not realize it because they are looking for signs of it in the wrong places. Some think that it would begin in the Middle East and some others think of it as an East Asian conundrum.

But it is already engulfing the whole world through the “invisible” cyber field. It is getting murkier and murkier, involving not just major powers but also smaller ones as well as ‘non-state actors’.

Unlike the other two World Wars, the current one is not fought between ‘axis’ and ‘allied’ powers. Everybody is “hacking” everybody. There are no ‘friends’ or ‘foes’; all are targets. This might prove to be much worse than the previous wars, as no one is in control, and it can therefore be more devastating than a nuclear attack.

U.S. vs Russia
US Intelligence reports of Russian hacking of the Democratic Party server systems to influence the American Presidential elections, and Moscow’s counter-allegations that its own cyber security officials were compromised, are just the tip of an iceberg of deeper battles being fought in the ‘dark world’.

According to reports in Moscow, two of Russia’s top Federal Security Bureau (FSB) cyber security officials, Sergei Mikhailov and Dmitry Dokuchayev, have been arrested and charged with ‘treason’ for working with the CIA.

Mikhailov was deputy head of the Centre for Information Security; Dokuchayev was his assistant. Several other arrests have also been made. They include Ruslan Stoyanov, head of the computer incidents investigations unit at the cybersecurity firm Kaspersky Lab, and Vladimir Anikeev, believed to be the ring leader of Shaltai-Boltai, “a group of hackers, who have become notorious for leaking the emails of Kremlin officials online,” according to the British daily The Guardian.1

It is not yet clear whether these arrests are related to the information passed on to the CIA about alleged Kremlin involvement in hacking the Democratic National Committee (DNC) servers. But the ‘calibrated’ release to WikiLeaks of the hacked emails of those close to Hillary Clinton, the Democratic candidate, was said to be the work of the Kremlin to influence the US Presidential elections.

“Russian President Vladimir Putin is trying to undermine the West by spreading lies and attacking critical infrastructure with hackers,” said British Defense Secretary Michael Fallon in a wry comment, according to a Reuters report.2

U.S. and World
Such mutual allegations are just “crocodile tears”: both sides are hacking not only each other but everyone else, including their own citizens.

Revelations by American whistle-blowers like Edward Snowden demonstrate hitherto unknown cyber programs of the US and UK to carry out massive surveillance across the globe, including of friendly Western allies such as Chancellor Angela Merkel of Germany. American citizens are not spared either.

A joint ‘virus’ program, Stuxnet, reportedly launched by the US and Israel to disrupt Iran’s nuclear program, has played havoc not just in the Islamic Republic but has also affected centrifuge operations in many other countries.

Iran has responded by developing its own cyber weapons, targeting the U.S. and its other adversaries alike. This has pushed Saudi Arabia and the Gulf countries into strange working relationships with Israeli cyber companies for counter-attacks.

Cyber weapons are also being trained on domestic opposition in order to neutralize it.

In their book, “The Red Web”, Andrei Soldatov and Irina Borogan point out that the Russian spy agencies have the ability to snoop on emails via Sorm, a sophisticated system first developed by the KGB to eavesdrop on phone calls.

“The successor agency, FSB, got a new and powerful weapon, DPI, deep packet inspection. This allows the agency to read everyone’s emails and to weed out websites belonging to those it deems to be politically unacceptable,” say the Moscow-based journalists in their book, which has become a must-read.3

Dragon’s Net Control: Overwhelming
A much larger creeping threat comes from the People’s Republic of China, which, in recent years, has perfected an “unprecedented campaign of information warfare using both massive cyber-attacks and influence operations aimed at diminishing what Beijing regards as its most important strategic enemy,” writes American scholar Bill Gertz in his latest book, “Chinese Information Warfare: The Panda That Eats Shoots and Leaves”.4

One of the most damaging Chinese cyber-attacks against the US was the theft of federal employee records in the Office of Personnel Management (OPM) in 2015.

Earlier, Chinese hackers linked to the People’s Liberation Army (PLA) had reportedly stolen secret designs of American military hardware, including the latest F-35 aircraft.

Says Bill Gertz, “Chinese cyber-intelligence services had developed technology and network penetration skills allowing them to control the results of Internet searches conducted on Google’s world-famous search engine.”5

The Pentagon’s J-2 intelligence directorate has recently warned against using equipment made by China’s Lenovo computer manufacturer amid concerns of cyber spying against its military networks.

One official involved in the investigations said that Lenovo equipment in the past was detected “beaconing” – covertly communicating with remote users in the course of cyber intelligence gathering.

Intelligence services in the United States, Britain, Australia, Canada and New Zealand strictly prohibit the use of Lenovo computers over concerns about the potential for cyber espionage, says the Australian Financial Review.

About 27 per cent of Lenovo Group is owned by the Chinese Academy of Sciences, a government think-tank. In April 2016, a Chinese Academy of Sciences space imagery expert, Zhou Zhixin, was named to a senior post in the Chinese military’s new Strategic Support Force and put in charge of its space, cyber and electronic warfare unit.

New World Hackers, a hacker group from China and Russia, claimed responsibility via Twitter for a massive cyber-attack that caused outages on popular websites from the US east coast to Europe and Asia on October 21, 2016.6

India is living in a world of ‘blissful ignorance’, as the organizations which are supposed to monitor and prevent cyber-attacks have no clue about the extent of penetration into its systems. A former federal IT Minister said that government networks had been attacked by China but ‘not one attempt has been successful’.7

Punching holes in this confident assertion, a US-Canada team has disclosed that a Chinese gang, most likely from its prestigious southern University of Electronic Science and Technology, had accessed the Indian Defense Ministry’s vast array of computers and stolen designs and technical details of several Indian missile systems.

The Chinese cyber warriors accessed documents relating to the security outlook of Nagaland, Assam, Tripura, and Manipur states of India on the country’s border. The gang also targeted systems of the Ministry of External Affairs and its embassies abroad besides top corporations.8

The cyber-security firm Kaspersky Lab has confirmed these findings. Its tracking in May last year showed that a Chinese cyber espionage group called Danti had penetrated Indian government systems through its diplomatic entities.9

In the very same month of May last year, the leading cyber-security firm Symantec also traced breaches of several Indian organizations to a cyber-espionage group called Suckfly.

The targeted systems belonged to the Federal Government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, according to Symantec. The espionage targeted the economic infrastructure of India.10

The Bhabha Atomic Research Centre (BARC) mail server was hacked and email communications were reportedly stolen by an international group after India’s nuclear tests in 1998. Passwords for the official email accounts of top government officials were stolen from servers of the National Informatics Centre (NIC), which is the mainstay of the Indian government’s cyber communication network.

Chinese attempts to penetrate Indian computer systems began as early as 2000, when private service providers were allowed to offer internet services in the country.

One such company, called “Now India”, distributed a CD program containing a ‘malicious’ remote access tool.

The fact was not revealed to either the Indian regulator, Ministry of Telecommunications, or the users.

The main server, through which “Now India” traffic was routed, was located in Hong Kong. The company was owned by a Chinese offshore firm linked to top military officials based in Beijing. As we now know, they have more sophisticated ways of penetrating Indian systems.

India’s vulnerability to Chinese cyber-attacks is clear from what a colonel-rank officer of the People’s Liberation Army (PLA) told Ramanand Sengupta, contributing editor of the Indian publication Swarajya.

“India’s cyber infrastructure to protect its stock markets, power supply, communications, traffic lights, train and airport communications is so ‘primitive’ that it can be overwhelmed by the Chinese in less than six hours”, he was quoted as saying.

So, if there is a second India-China War, India’s adversary does not need to send troops to the trenches of the Himalayas. Its cyber warriors can cripple India’s security infrastructure from their cool air-conditioned computer rooms thousands of miles away from the border.11

This may not be mere boasting, as cheaper Chinese computer systems and accessories such as routers are widely used across India, even at the Defense Service HQs and their field stations. Chinese smartphones have become ubiquitous, capturing over 50 percent market share since last year.

Indian ability to monitor social networks and eliminate possible threats to the country’s security is also very weak.

A sympathizer of the terrorist group Islamic State in Iraq and the Levant (ISIL), also known as Daesh, recently used social media networks for recruitment and fund-raising under the very noses of Indian security agencies, exposing the inadequacies of India’s cyber security architecture.

Bangalore-based Mehdi Masroor Biswas was the most prolific jihadi tweeter on behalf of ISIL. His existence came to light only after British journalists tracked him down and informed the Indian authorities, who then arrested him.

In one of the biggest data breaches in the Indian financial sector, in 2016, millions of debit cards of several banks were compromised. Many more cyber-attacks go unreported, making it difficult to estimate the scale of such hacker operations by India’s adversaries.

There are no signs that India has learnt its lessons. Most governmental departments and private corporations simply refuse to accept that such attacks have ever happened, which makes it difficult to convince them of the need for stricter cyber security measures on their computer systems.

It is quite surprising that India, despite its status as a world leader in software development, cannot sufficiently protect its own cyber infrastructure and counter adversarial attacks.

Does India have the capability to analyze hardware, and the software attached to it, entering the country, so as to certify it as safe for use at least in our critical infrastructure?

Sadly the answer to this question is a resounding no.

According to a 2015 report of the Australian Strategic Policy Institute (ASPI) on the cyber maturity of the Asia Pacific region, India scores 4 out of 10 on each of the four critical aspects of cyber security, well below the scores of China, Japan and Singapore.

It is a matter of grave concern, more so since India is moving fast into digitalization. It must urgently put in place a 12-point strategy to safeguard its systems. None of the existing organizations, or the newly proposed ones, meant to address the issue inspire any confidence, though.

Strategy for Cyber Security

  1. Develop ‘Made in India’ cybersecurity capabilities
  2. Develop capability for offensive operations
  3. Become a net exporter of cyber security equipment and programs
  4. Forensics Division with hubs in all the four regions for safety certification
  5. Standardize cyber equipment and software programs on PPP mode
  6. Regular technical auditing like financial auditing, with penalties for violators
  7. Recruit young geeks, offering easy mobility into the private sector
  8. Promote Symantec-like firms as competitive, profit-oriented entities
  9. Computer Emergency Response Team under NTRO or a similar agency
  10. Place NIC under a specialized organization like NTRO
  11. Clear-cut information flow-path to cyber coordinators and decision makers
  12. Universalize ‘best practices’ developed by agencies like Telangana Police

Why this strategy?
Develop ‘Made in India’ cybersecurity capabilities: India has signed agreements for cooperation in cyber security with a number of countries, including the US, UK, EU, Russia and Israel. India could immensely benefit from their expertise. However, that alone would not serve our purpose, as no one gives away their “real” tools of the trade. On top of it, these countries stand to gain easy access into Indian cyber practices in the name of cooperation. Hence, it is imperative that India build its own unique capabilities. There is no alternative to ‘Made in India’.

Develop capability for offensive operations: It is often said that offense is the best form of defense. It is not enough to just build defenses and wait for attacks to happen, knowing full well that cyber-attacks are difficult to anticipate, much less prevent.

Hence, one has to build the capability for offensive operations to collect intelligence on adversaries and also foil any of their preparations to attack us. International cooperation is of very limited utility in this area of activity.

It is also not enough to get people from different governmental departments on deputation to run a confidential operation. While it is important to build a cadre of smart specialists from existing personnel, an authorized government agency should reach out to top universities and attract the best talent with flexible terms of service and easy mobility.

Net exporter of cyber security equipment: The security of the country will be better served when we convert ourselves from being a ‘net’ importer of cyber security equipment and programs to a ‘net’ exporter of such products and services.

The Indian IT industry must quickly adapt to such a new role and give up its current ‘servitude’ to western cyber security enterprises. That would generate more prestige and business, not only from these companies but also from the rich countries in the Gulf and Southeast Asia. India must strive to be such a leader if it is to be a winner in the Third World War.

Recruit young geeks: The Indian IT industry currently caters mostly to cheap services, akin to Chinese mass production of cheap manufactured goods, with little innovation of international repute. Lack of appetite, and of governmental encouragement, has limited it to a supporting role for foreign enterprises. Most of the smart IT geeks are happy either to be picked up by Silicon Valley or to settle down as low-level service providers.

Some of these companies, working in India or abroad, with proven expertise are good material to tap.

The government, as in other countries, must devise imaginative recruiting policies to take in smart young geeks through flexible, innovative and non-straitjacketed service conditions and financial terms. Needed are short-term and medium-term contracts with easy mobility into the private sector, where they can excel as entrepreneurs or specialists who can further contribute to building leaders in the IT industry.

Forensics Division for safety certification: Every piece of equipment or program imported into the country from any source, friendly country or not, should be thoroughly examined to certify its safety and compatibility for Indian users. Hence the need for a strong Forensics Division, jointly funded by the government and industry in the form of public-private participation, in which experts are drawn from both the government and the private sector but which is managed by the industry.

Currently, the Ministry of Electronics and Information Technology is responsible for this, but it has severe limitations in discharging such functions. Such Forensics hubs can be set up in all the four regions of the country to test and certify every piece of equipment and every program entering the markets.

Standardize cyber protocols: Public-private participation should be geared to create two sets of standards for cyber equipment and software: one for the protection of Critical Infrastructure, which also includes top governmental agencies and defense organisations; the second for Public Limited corporations, which are the backbone of the country’s economy.

Regular Tech Audit: Regular technical auditing should be part of larger financial auditing to be carried out by recognized expert auditor companies, as per the standards established, and to certify compliance. Violators should be penalized.

Computer literacy, hence, needs to be promoted not just across the departments and companies maintaining ‘critical infrastructure’ but also among the wider population of the country, so that cyber security procedures are complied with.

Promote Symantec-like firms: India is dependent on foreign companies for even basic protective software such as firewalls and anti-virus programs. So it must quickly set up cyber-security organizations comparable to global companies like Symantec and Kaspersky, not only to produce its own programs of international repute but also to study the tactics and background of hacker groups and the vulnerabilities they are exploiting. Again, this has to be through public-private participation, with industry mainly funding and managing the company as a competitive, profit-oriented enterprise.

CERT under NTRO or a similar agency: A Computer Emergency Response Team (CERT) is a very important component of ensuring the security of networks on a real-time basis. It would monitor hacker attacks and recommend immediate patches or solutions for a protective shield.

The CERT dealing with critical government cyber infrastructure needs to be operated by NTRO or a similar security organization. It is presently with the Ministry of Electronics & IT, which has severe limitations due to its structural weaknesses.

The CERT dealing with public corporations can be located at and operated by a specialist academic organization like IIT Mumbai or IIT Kharagpur. Students from these institutions would form the backbone of the CERT, guided by experts drawn from industry and academia.

New Role for NIC: As of now, the National Informatics Centre (NIC), under the Ministry of Electronics & IT, is responsible for a number of functions, including official communications and producing programs for the government.

While it has made great contributions, its structural problems have left a lot of issues open for easy exploitation. Since it is providing support for critical infrastructure, it has to be brought under a security-focused organization like the NTRO to make it more effective.

The Ministry of Electronics & IT should limit itself to a regulatory role, implementing the standards set for the public and private corporations.

Info Flow: Appropriate reporting methods are essential for cyber security, both offensive and defensive. India must therefore devise very clear-cut paths for the flow of information from individual companies and departments to cyber coordinating authorities and decision makers. This will enable prompt action.

Universalize Home-Grown Techniques: Notwithstanding the severe limitations natural to a government department, some of the security agencies at the Centre and in the States have demonstrated an ability to innovate in using cyber techniques to monitor and prevent terrorist activities. Telangana Police and Kerala Police have many success stories, for instance. Their best practices deserve to be spread across the country to enable all the state police forces to work in tandem to secure the country.

(Prasad Nallapati is President of the Centre for Asia-Africa Policy Research and former Additional Secretary to the Government of India)