Think national security and the first thing that comes to mind is the soldier sitting at the border, arms in hand, firing shell after shell to protect his sovereign country come what may. The images might be largely correct, but then long gone are the days of mechanised warfare fought on land with guns and tanks alone.
Armed forces throughout the world are now equipping themselves to fight a new kind of unseen war. These are ones fought behind computer screens, but those that have the ability to disrupt countries in ways that don’t just lead to bloodshed of a few at the border. They can trigger mass shutdowns, affecting the lives of common people in ways unimaginable a decade ago.
Cyber warfare—referred by the armed forces as fifth-generation warfare—is now a reality. It can be starkly seen in moves that have targeted Iranian nuclear reactors through a mass-spread virus, allegedly launched by the Israeli and American armed forces in 2012. Stuxnet, as it’s called, caused substantial damage not only to Iran, but other countries too. India has been the third-largest effected country using this attack, raising speculations that the malicious computer-work alone led to the shutdown of the country’s ISAT-4B satellite following a power failure in 2010. (ISRO later rubbished the claim.)
Intelligence officials privy to tactical info are barely given basic drills on checking themselves against computer attacks or phishing.
Such being the growing military space, India—as the world’s fourth largest military superpower—is expected to possess cutting-edge technology to protect its military as well as its people. Yet, dig a little deeper and the cracks in protection begin to widen. India lies in a strategic position, with disputed borders between both China and Pakistan—the biggest threat to security.
China is considered one of the biggest powers in cyber security and is known to openly support and assist Islamabad in attacks directed towards India. Last year, it was uncovered that the Pakistani army was using a malware by the name of SmashApp to snoop into defence personnel’s personal mobiles and computers in order to retrieve sensitive information such as details on deployment and movement of troops as well as counter-terrorism operations. It still remains unclear to New Delhi what exactly and how much information was siphoned off and how it may be used against India.
The game of espionage—retrieving and using intelligence to one’s advantage—has taken a new turn, as military decisions, information as well as strategising have moved to occupying the internet. According to a high-ranking officer in the Indian armed forces, cyber warfare in the country is looked at with a multi-stakeholder perspective that involves the government, private sector and civil society. This is to say the country doesn’t at the moment have a one-point place for command for cyber security. “Most armies in the world, including ours, recognise cyber warfare and the need for a separate cyber command,” he says. “Yet, we are still at the initial stages of putting together a military cyber agency that will give way to a command in the future.”
India’s ability in cyber offensive remains mostly rudimentary. According to a high-ranking army official, “We have built capabilities to withstand cyber attacks by adversaries.” So, does India have offence capabilities? Well, “at the moment, we possess deterrence capabilities”, he says, but beyond that the armed forces have done “very little” in the area.
India has had a cyber security policy since 2008. Two years thence, computers with the country’s defence ministry were hacked. Yet, the steps taken by the government often fall short of the complexities and immediacy required in fighting the growing cyber domain. At the moment, India has only small cyber security cells in each arm to defend attacks, while offence capabilities are next to nil. Incidents of cyber threats and attacks have increased to 50,362 in 2016 from 44,679 in 2014, according to the Indian computer emergency response team, CERT-IN.
Several issues remain in the ways of constituting a defence cyber agency. There is still no clarity within the government or the three forces on the formation and direction of a special operations directorate that is to be a clandestine tri-service warfare arm. Obscurity continues to shroud the direction of the command and control structure and, more importantly, on the resources to create an integrated cyber defence agency. Still unclear are the methods to hire civilian experts in such an agency under the country’s Information Technology Act and their required number.
The United States already possess an integrated cyber command, while China, arguably India’s biggest adversary, possesses a Strategic Support Force Command and specialised cyber warfare units. The East Asian giant is also said to have a 10,000-strong force of civilian cyber warriors who have the jobs of mounting attacks and creating gateways for future attacks by planting dormant bugs in operating systems of other countries. The Indian government is in the process of implementing an Information Security Education and Awareness project to train individuals and government employees, but so far only 11,000 individuals have been trained in basic cyber security.
The issue of fighting the impending threat from cyber warfare is two-fold in the country, according to cyber security analyst Sameer Patil of Gateway House, a think-tank. Firstly, while there is awareness amongst the bureaucracy about cyber threat, there is no estimation on its extent. This makes laws and measures half-scaled. “The policymakers in such organisations are more wrapped up in bureaucratic rivalries and turf wars within organisations meant for cyber security,” he says.
The result is a failure to sense the focus of such laws and the narrative of the fine print. Patil gives the example of the creation of the post of cyber security coordinator by the government in 2015. “The cyber security coordinator was appointed to deal with cyber security issues. But his focus remains unclear,” he says. “What will be his role when there is an attack on military infrastructure? What is his focus? Which organisations report to him? There are simply no answers to such questions.”
The second biggest issue in military cyber security is that the knowledge and technical knowhow to deal with and prevent such attacks are concentrated with a handful of people within the armed forces and pertinent government organisations. In a recent incident, a journalist asked the state director of the DRDO about the threats the Indian army faces from the ‘dark web’. The word, which means internet content that needs special software or authorisation for access, flummoxed the director, who had anyway no answer to the question.
Stuxnet virus caused major damage not only to Iran but also to other countries, including India—the world’s fourth largest military power.
Recent phishing and honey-trapping instances from the Pakistani intelligence arm in India points to chinks in India’s cyber security. According to an officer with the cyber arm of the integrated arms forces, these have been growing into a big security issue. “Officers and other personnel privy to intelligence or tactical information about the armed forces are barely given basic training in protecting themselves from cyber attacks or phishing efforts,” he says. Also, the sheer number of people within the armed forces makes it difficult to impart this training in an accelerated manner.
The armed forces have thus taken to banning external electronic devices altogether within the premises of offices and other tactical areas. “This proves to be helpful to a very limited extent,” the officer says, “considering that the personnel could also send out this information by mistake outside of active working hours like we have seen in the several instances of honey-trapping by the Pakistani army where intelligence information was stolen.”
The Indian army has also implemented a social media advisory that prohibits armed personnel from disclosing their identity on social media. This needs to be complemented by raising awareness within the ranks for healthy security practices for online communication. For instance, the US army has issued a social media handbook detailing steps to be taken besides the standard operating procedures to be followed its personnel and their families. The Chinese People’s Liberation Army regularly organises lectures on responsible social media behaviour, for personnel and their families.
The Indian defence forces have taken measures to protect information systems that store tactical information such as deployment of troops, formations and war strategies. The most recent measure in this regard was the development and deployment of the Bharat Operating System Solution (BOSS) to guard the armed forces communication and information networks from espionage by foreign players. The software, developed by CDAC Chennai, is already functional in the northern command of the army, but has shown little promise. “BOSS has been tested by the army, but it’s still in very nascent stages,” says an officer of the Navy on condition of anonymity. “Its use has highlighted several bugs in the system that we are patching as and when a situation arises.” Retired army officer D.P.K. Pillay, who is a Fellow with the Institute of Defence Studies and Analysis, adds to this that BOSS is still not state-of-the-art and needs a lot of work to make it actually impenetrable.
Needless to say, cyber security goes beyond stored information and computer systems. Bugs or interference with signals or operating systems can also lead to disabling of a planes navigation system, resulting in a crash or the computation of the position of a satellite or missile launcher that can compromise the ability of a country to fight a war. This, according to experts, makes it extremely important from countries to possess indigenous technologies in the cyber space. “If the software, hardware, operating system and the missile technology that we use have been sourced from outside, it makes them more susceptible to attacks since other countries are privy to the technology used in such systems,” points out Lt Col Pillay.
Military cyber security, according to experts in the field, is a tricky domain. Unlike nuclear power, which functions on an interwoven mesh of international diplomacy and a show of hard power, it has the potential to wreck a country without providing for attribution or accountability. This means no country can authoritatively claim to know the extent of capabilities another possesses.
While intelligence-collecting tactics have shown to a certain extent the capabilities of each country in the cyber world, it is a well-protected secret. Take for example the recent crash of a Sukhoi aircraft in Assam earlier this year. Speculations within the forces and other agencies suggest that the May incident at Nagaon district was a well-crafted attack by the Chinese cyber command. (They remain conjectures, since the origin of the attack is mostly not attributable.) An official statement though claims that a high-level committee appointed to find the cause of the crash negated the involvement of the Chinese cyber command on the basis that Beijing still does not possess the technical ability to get into the Indian system to launch such a complex attack.
A military cyber security analyst who wishes to remain unnamed suggests that the inability to establish attribution for cyber attacks also makes it almost impossible to know the extent of Indian capabilities in launching offensives. “While the official narrative is that we have very little offensive capabilities, the armed forces think it’s best to leave knowledge on the subject fairly opaque. This is also because of a lack of a comprehensive cyber policy or even guidelines in the international forum. “There is absolute lack of direction or guidelines on cyber security or offensives within the international forum. This makes cyber capabilities and their possession by different countries even more dangerous since there is no international agreement on how and when they can be used like in nuclear warfare,” he says.