Cyber Security

We are already into Third World War….

Looking through invisible “dark world”, I am convinced that we are already into the Third World War.  Many may not realize it because they are looking for signs of it at wrong places. Some think that it would begin in the Middle East and some others think of it in East Asia.  

But, it is already engulfing the whole world; through “invisible” Cyber field.  It is getting murkier and murkier involving not just major powers but also smaller ones as well as `non-state actors’.  Unlike the other two wars, the current one is not fought between `axis’ and `allied’ powers.  Everybody is “hacking” everybody.  There are no `friends’ nor `foes’, all are targets.  This might prove to be much worse than the previous wars as no one is in control and can be more devastating than a nuclear attack.  

The United States vs. Russia
US Intelligence reports of Russian hacking of the Democratic Party server systems to influence American Presidential elections and Moscow’s counter allegations of compromising its cyber security officials are just an iceberg of deeper battles being fought in the `dark world’.  

According to reports in Moscow, two of its top Federal Security Bureau (FSB) cybersecurity officials have been arrested and are facing charges of `treason’ for working with the CIA.  Sergei Mikhailov, was deputy head of the internal security agency’s Centre for Information Security and the other was his assistant, Dmitry Dokuchayev.  In addition to the two, others who were arrested on similar charges include Ruslan Stoyanov, head of the computer incidents investigations unit at cybersecurity firm Kaspersky Lab, and Vladimir Anikeev, believed to be the ringleader of Shaltai-Boltai, “a group of hackers who had become notorious for leaking the emails of Kremlin officials online,” according to the British paper, the Guardian. (1)

While it was not clear whether the arrests were related to passing information to the CIA of Kremlin’s involvement in hacking the DNC servers, the `calibrated’ release to the Wikileaks of the hacked emails of those close to Hillary Clinton, the Democratic candidate, was alleged to be the work of Russian authorities to influence the Presidential elections.  British Defense Secretary Michael Fallon commented, “Russian President Vladimir Putin is trying to undermine the West by spreading lies and attacking critical infrastructure with hackers,” according to a Reuter report. (2) 

The US and World 
Such mutual allegations are just “crocodile-tears”, as they are not just hacking each other but everyone else, including their own citizens.  Revelations by American whistle-blowers like Edward Snowden demonstrate hitherto unknown cyber programs of the US and UK to carry out massive surveillance across the globe including friendly western allies, such as Chancellor Angela Merkel of Germany.  American citizens are not spared either. 

A joint `virus’ program, Stuxnet, reportedly launched by the US and Israel to disrupt Iran’s nuclear program has played havoc not just in the Islamic Republic, but also affected centrifuge operations in many other countries. Iran developed its own cyber-weapons targeting not just the US, but also its other adversaries like Saudis and Gulf countries, which led them to making strange working relationships with Israeli cyber companies for counter attacks. 

The same weapons are also being trained at domestic opposition to neutralize them.  Andrei Soldatov and Irina Borogan, revealed in their book “The Red Web”, that Russian spy agencies have the ability to snoop on emails via Sorm, a sophisticated system first developed by the KGB to eavesdrop on phone calls.  The Moscow-based journalists also stated, “The successor agency, FSB, got a new and powerful weapon: deep packet inspection or DPI.  This allows the agency to read everyone’s emails and to weed out websites belonging to those it deems to be politically unacceptable.”  (3)

Dragon’s overwhelming control of Internet
A much larger creeping threat comes from the Peoples’ Republic of China, which in the recent years perfected an “unprecedented campaign of information warfare using both massive cyberattacks and influence operations aimed at diminishing what Beijing regards as its most important strategic enemy,” according to a latest book, Chinese Information Warfare: The Panda That Eats Shoots and Leaves by American scholar Bill Gertz. (4) 

One of the most damaging Chinese cyberattacks against the US was the theft of federal employee records in the Office of Personnel Management (OPM) in 2015.  Earlier, Chinese hackers, linked to its Peoples Liberation Army, have reportedly stolen secret designs of American military hardware, including the latest F35 aircraft.  Bill Gertz says, “Chinese cyber-intelligence services had developed technology and network penetration skills allowing them to control the results of Internet searches conducted on Google’s world-famous search engine.”  (5)

The Pentagon’s J-2 intelligence directorate recently warned against using equipment made by China’s Lenovo computer manufacturer amid concerns of cyber spying against its military networks.  One official involved in the investigations said that Lenovo equipment in the past was detected “beaconing” – covertly communicating with remote users in the course of cyber intelligence gathering.  Intelligence services in the United States, Britain, Australia, Canada and New Zealand strictly prohibit the use of Lenovo computers over concerns about the potential for cyber espionage, according to a report in the Australian Financial Review.  

About 27 per cent of Lenovo Group is owned by the Chinese Academy of Sciences, a government research institute.  In April 2016, a Chinese Academy of Sciences space imagery expert, Zhou Zhixin, was named to a senior post in the Chinese military’s new Strategic Support Force unit in charge of space, cyber, and electronic warfare. 

New World Hackers, a hacker group from China and Russia claimed responsibility for a massive cyber attack via Twitter that caused outages on popular websites from the US east coast to Europe and Asia on October 21, 2016.  (6)

India is a victim but `denies’
In India, we are living in a world of `blissful ignorance’ as the organizations which are supposed to monitor and prevent any cyber attacks had no clue to the extent of penetration into our systems.  A former federal IT Minister had said that government networks had been attacked by China but that `not one attempt has been successful’.  (7)

Contrary to this ignorant assertion, a US-Canada team disclosed a Chinese gang, most likely from its prestigious southern University of Electronic Science and Technology, had accessed the Ministry of Defence’s vast array of computers and stole designs and other technical details of several Indian missile systems. They accessed documents relating to the security outlook of Nagaland, Assam, Tripura, Manipur, and other Indian states.  The gang also targeted systems of the Ministry of External Affairs and its embassies abroad besides top corporations. (8)

This was re-confirmed by another cyber-security firm, Kaspersky Lab, which announced in May last year that it too had tracked at least one Chinese cyber espionage group, called Danti, that had penetrated India government systems through its diplomatic entities.  (9)

In the same month, yet another cyber-security firm Symantec stated that it had also traced breaches of several Indian organizations to a cyber-espionage group called Suckfly.  The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company.  The espionage activity began in April 2014 and continued through 2015, Symantec said.  The espionage was targeted at the economic infrastructure of India.   (10)

Bhabha Atomic Research Centre mail server was hacked and email communications were reportedly stolen by an international group after the 1998 nuclear tests.  Passwords of official emails of top government officials were hacked and stolen from servers of the National Informatics Centre (NIC).

Chinese attempts to penetrate Indian computer systems began very early in the year 2000 when private service providers were allowed to offer internet services in the country.  One such company called, “Now India” distributed a CD program containing a `malicious’ remote access tool.  The fact was not revealed to either to the Indian regulator, Ministry of Telecommunications, nor its users.  The main server, through which traffic was routed, was located in Hong Kong.  The company was owned by a Chinese offshore firm linked to its top military officials.  As we now know, they have more sophisticated ways of penetrating Indian systems. 

India’s vulnerability to Chinese cyber attacks could be judged from the fact that “a colonel rank officer from People’s Liberation Army informed Swarajya contributing editor Ramanand Sengupta that India’s cyber infrastructure to protect its stockmarkets, power supply, communications, traffic lights, train and airport communications is so ‘primitive’ that can be overwhelmed by the Chinese in less than six hours.” So if there is a second India-China War, India’s adversary does not need to send troops to the trenches of the Himalayas but to ask its cyber warriors to cripple India’s security infrastructure from their cool air-conditioned computer rooms.   (11)

Our ability to monitor social networks and eliminate possible threats to our security has also been very weak.  A recent incident of a sympathizer of the terrorist group, Islamic State in Iraq and Levant (ISIL), using social media networks to recruit and funding under the very nose of Indian security agencies proves the inadequacy of our cyber security architecture.  Bangalore-based Mehdi Masroor Biswas was the most prolific jihadi tweeter on behalf of the ISIL and his existence came to be known only after British journalists tracked him down and informed Indian authorities, who then had arrested him.  

In one of the biggest data breaches in the Indian financial sector last year, millions of debit cards of several banks were compromised.  A lot more cyber attacks go unreported making it difficult to estimate the scale of such hacker operations from our adversaries.

There are no signs that we have learnt lessons.  Most governmental departments and private corporations refuge to accept of such attacks have ever happened, making it difficult to convince them of the need to introduce more stricter cyber security measures on their computer systems.  

It is quite surprising that a world leader in software development cannot protect its own cyber infrastructure sufficiently and counter adversarial attacks.  India is moving fast into digitalization without adequate preparation to safeguard the systems.  None of the existing organizations or newly proposed ones evoke any confidence.  According to a 2015 report of the Australian Strategic Policy Institute (ASPI) on the cyber maturity of the Asia Pacific region, India scores 4 out of 10 on each of four critical aspects of cyber security, well below the scores of China, Japan and Singapore.

Cheaper Chinese computer systems and accessories such as routers are widely used in India, including in the Defense Service HQs and field stations.  Chinese smart cell phones dominate Indian market, capturing over 50 per cent of the share last year.  Do we have the capability to analyze such hardware and attached software entering into our country so as to be able to certify their safe usability at least in our critical infrastructure?  

Policy Recommendations
1) India has signed agreements for cooperation in cybersecurity with a number of countries, including US, UK, EU, Russia, Israel, etc.  They are leaders in the field and India could immensely benefit from their expertise.  However, this has tremendous limitations as no one would give away its “real” tools of exploitation and on top of it they gain an easy access into our cyber-practices in the name of cooperation.  Hence, it is imperative that we build our own unique capabilities which can be built up over a period of time.

2) Private-Public participation is the key to develop our own capabilities as all other successful countries do.  Two sets of standardization of cyber equipment and software programming needed to be developed right away, one for the protection of Critical Infrastructure which also includes top governmental agencies and defense organisations, and the other for Public-Limited corporations which are the backbone of the country’s economy.  Regular technical auditing shall be part of larger financial auditing to be carried out by recognized expert companies as per the standards established and certifying compliance with violators being penalized.

3) Indian IT industry is currently catering to provide more of cheap services akin to Chinese mass production of cheap manufactured goods, with little innovation of international reputation.  Lack of appetite and governmental encouragement made them to limit themselves to supportive role for foreign enterprises.  Some of these companies, working in India or abroad, with proven expertise are a good material to tap.  Most of the smart IT geeks are picked up by either silicon valley or satisfied themselves working for low-level service providers.  The government, like in other countries, shall devise imaginative recruiting policies to take these smart young personnel through flexible service and financial terms unlike the usual strait-jacketed non-innovative bureaucracy.  These could be short-term and medium-term contracts with easy mobility into private sector where they can excel as entrepreneurs or specialists who can further contribute to build leaders in IT industry.

4) Every equipment or program that is imported into the country from any source, either friendly country or not, needs to be thoroughly examined to certify their safety and compatibility for our users.  Hence, the need for a strong Forensics Division, jointly funded by the government and Industry in the form of public-private participation, in which experts are drawn from both the government and private sector but managed by the industry.  Currently, the Ministry of Electronics and Information Technology is responsible for this but they have severe limitations in discharging such functions.  Such Forensics hubs can be set up at all four parts of the country and they would test and certify every equipment and program entering into markets.  

5) We are so dependent on foreign companies for even minor protective ware such as firewalls, anti-virus programs etc.  India needs to set up cyber-security organizations like Semantec, Kaspersky, etc. not only to produce own programs of international repute and also study activities of hacker groups to analyze their tactics, vulnerabilities they are exploiting, and identifying their background.  Again this has to be public-private participation with industry mainly funding and managing the company to run as a competitive, profit-oriented enterprise. 

6) Computer Emergency Response Team (CERT) is a very important component of ensuring security of the networks as they would monitor hacker attacks and recommend immediate patches or solutions to protect against any such attacks.  The CERT dealing with critical infrastructure is much more secretive and hence needs be operated by NTRO or a similar security organization, rather than the current practice of the Ministry of Electronics & IT which demonstrated severe limitations due to unavoidable structural weaknesses.  The CERT dealing with other public corporations can be located and operated by a specialist academic organization like the IIT, Mumbai or Kharagpur.  Students from these institutions would form the backbone of the CERT guided by experts drawn from the industry and academics.  

7) NIC, functioning under the Ministry of Electronics & IT, is responsible for providing a number of functions including official communications and producing programs for the government.  While it made great contributions, its structural problems left lot of issues open for easy exploitation.  Since it is providing support for critical infrastructure, it has to be brought under a more specialized organization like the NTRO to make it more effective.   Ministry of Electronics & IT shall be more of a regulatory authority implementing the standards set for the public and private corporations. 

8) Appropriate reporting methods are to be devised with very clear-cut paths of flow of information from individual companies/departments upwards to cyber coordinating authorities and decision makers for prompt actions.

9) It is often said that offense is better form of defense.  It is not enough to just build defenses and wait for attacks to happen, many of them are difficult to be anticipated and prevented.  Hence, one has to build the capability for offensive operations to collect intelligence and also foil any of their preparations to attack us.  International cooperation is of very limited utility in this area of activity.  It is not enough to get people from different governmental departments on deputation to run a confidential operation.  While it is important to build a cadre of smart specialists from existing personnel, authorized government agency shall recourse to top universities and attract the best through flexible service and financial terms as suggested above. 

10) Notwithstanding some severe limitations of the governmental departments, there are very successful stories of some of the security agencies in the Centre and States who have demonstrated proven technical capabilities to use cyber techniques to monitor and prevent terrorist activities.  Best practices devised by these agencies, such as Telangana Police and Kerala Police, could be a `model’ for other states to work in tandem to secure the country. 

11) The security of the country will be better served when we convert ourselves from a `net’ importer of cyber security equipment and programs to a `net’ exporter of such services.  Indian IT industry must strive to convert itself to such a new role rather than their current `servitude’ to western foreign enterprises.  That would generate more prestige and business not only from these companies but also from those of rich smaller countries in the Gulf and Southeast Asia.  India shall strive to be such a leader to be a winner in the Third World War.