The Cyber Security Conundrum

October 17, 2017 By Lt. General P.C. Katoch (Retd) Illustration(s): By Anoop Kamath / SP Guide Pubns
By Lt. General P.C. Katoch (Retd)
Former Director General of Information Systems, Indian Army


India has been ranked 23 out of 165 nations in the commitment of nations to cyber-security; Global Cyber-security Index (GCI) released in July 2017 by the UN agency International Telecommunication Union (ITU). The top 10 most committed countries as per GCI are Singapore, United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada. Russia is ranked 11th. India is ranked 23rd on the index with a score of 0.683 and has been listed in the "maturing" category, which refers to 77 countries that have developed complex commitments to cyber-security and engage in cyber-security programs and initiatives. The surprise is China ranked at 32, but then China has its own operating systems and with its more than rigid firewalls doesn’t require doing much towards cyber-security. The Cyberspace Administration of China has effectively ended online anonymity by making Internet companies responsible for ensuring that anyone who posts anything is registerd by their real name. It has cracked down on the VPN (virtual private network) systems that netizens have used to jump the firewall and evade censorship. China has dramatically expanded controls over private online chat groups, making anyone who sets up a chat group legally responsible for its content and requiring Internet companies to establish systems to rate and score the online conduct of users, ensuring they follow the Communist Party line and promote “socialist core values.” China is a cyber-super power adept in refined skills to undertake, cyber espionage and sabotage. China’s cyber warfare strategy focuses on controlling the information systems of the adversary during critical periods of confrontation and this is how China plans to negate superior US technology and obtain advantage in the physical battlefield. It may be recalled that on June 27 this year, the WannaCry ransomware struck world over. Not much damage occurred in India but one terminal of the Jawaharlal Nehru Port Trust near Mumbai was affected by the malware attack, disrupting operations.

In August this year, a leading Indian infrastructure company discovered that hackers had gained remote access to some of the most sensitive information on its IT systems for a fairly long period of time. Cyber security experts engaged by the firm said Chinese hackers were behind the breach. But the PMO, MEA, MHA, NIC, DRDO, atomic installations, and military websites suffer hacking attacks periodically. In one instance, according to the Toronto based Munk Centre of International Studies, GhostNet – a Chinese network, had infiltrated networks of the Indian Government as well as of the Dalai Lama. These Chinese cyber attacks are mostly through proxy servers in countries like North Korea, Africa, Eastern Europe and even Russia, which are difficult to trace. Just two months before demonetization last year, as many as 32 lakh debit cards belonging to various Indian banks were compromised resulting in the loss of Rs 1.3 crores. There have been instances of Aadhaar database leaks too. According to media reports of April this year, personal details of a million pensioners, including bank information, were leaked in Jharkhand. Then, in August 2017, Abhinav Srivastava, IIT-Kharagpur alumnus, gave a six hour step-by-step demonstration to the Bengaluru police showing them how he hacked into Aadhaar data stored on a government website. Such leaks can be exploited by our adversaries to target, blackmail and recruit moles. Ignoring these aspects will be adverse to national security. Airport security check-in systems crash across the world on September 28, London's Heathrow and Gatwick, Charles de Gaulle in Paris, Zurich, Melbourne, Johannesburg, Changi in Singapore and Washington DC's Reagan Airport due to the Amadeus Altea software used by 125 airlines and appeared to also have hit some online check-ins. Described as IT glitch, it could well have been a virus. Post the recent visit of Gulshan Rai, National Cyber Security Coordinator, to Israel, India-Israel collaboration in this field is being institutionalized and should soon be taking off. At the same time, our cyber laws need to be defined in a much more focused manner. It is pertinent to note that the cyber warfare programs in the US and China are led by respective militaries, whereas in India this is not the case. Some nascent steps are being undertaken for setting up a Cyber Division but the vital question is how this new organization will be integrated into the national cyber warfare program. Military’s integration in the national cyber warfare set up is more significant with international analysts concluding that the Sukhoi fighter aircraft of IAF that crashed close to the Line of Actual Control in May 2017 was due to a cyber attack that originated from China.

India needs to take a cue from the recent US decision to elevate its Cyber Command to that of a Unified Combatant Command, sending a strong signal to entities and countries inimical to its interests to recalibrate their security calculus. While the UN is grappling with cyberspace, given the nuances of cyber warfare, including ambiguity in pinpointing the attacker, nothing much is likely to change on ground. The propagators of virtual and on-line terrorism, particularly terrorist organizations, will continue to remain unaccountable anyway. In addition, there are cyber-security companies playing the ‘double game’ and foreign intelligence units masquerading as Risk Consultants, while the Internet features highly complex array of stakeholders; all of which makes cybersecurity highly complex with a keystroke taking only 300 milliseconds to travel halfway around the world. According to some experts, Chinese hackers may even be using social media platforms, such as Facebook, to create, change and manipulate opinions of Indians just as they do domestically; targeted propaganda over social media and other modes of mass communication. There is no doubt that manipulating public opinion and perception management as non-kinetic tools of modern warfare is gaining increasing prominence. It is in this context the recent reports of the PLA learning Tamil and Malyalam languages should also be viewed. The British Army has raised its 77th Brigade as Facebook warriors responsible for non-lethal warfare; skilled in psychological operations and use of social media to engage in unconventional warfare in the information age. Israeli Defence Forces have established state military engagement with social media, with dedicated teams operating since its war in Gaza in 2008-9. These teams are active on 30 platforms including Twitter, Facebook, Youtube and Instagram in six languages. This aspect should also be part of Indo-Israreli cyber-security cooperation. On balance, any amount of focus on cyber-security is warranted as it is directly linked to our national security, economy and development.