India Should Strengthen its Cyber Security Mechanism

Abstract: There is growing concern in India that military establishment are falling prey to organised cyber-espionage originating from a variety of sources, over information and communications networks operated by private entities and government agencies.   As such, there is a strident clamour to tighten the cyber-security network mechanism in the country to obviate the security threat inherent in cyber-attacks. The need for a cyber-security command under the control of the Defence Ministry has been highlighted time and again.

After outer space, it is the turn of cyberspace to emerge as a potential theatre of the ancient art of warfare. With cyberspace all set to become the fifth dimension of warfare, countries around the world are busy preparing to face the threat of cyber war where attackers remain incognito. By paralysing the enemy through an attack on his infrastructure and utilities, as well as the financial nerve centres, half the battle can be won at a very negligible cost and without an elaborate preparation normally associated with a conventional warfare.  There is no denying the point that a cyber-war can instantly cripple a nation without a single shot being fired at the enemy. Anonymity is perhaps the biggest advantage associated with cyber-attack.

By all means, the stunning and crippling effect of cyber invasion could be a nightmare for security agencies and military establishments as cyberspace remains a “borderless and impersonal entity”. Clearly and apparently, cyber spies have no physical boundaries to negotiate while giving a practical shape to their “evil designs”. What’s more, even satellites designed for communications, navigation, earth observation and many other end-uses could be paralysed and put out of commission through manipulation and degradation of their software. As it is, the detection of a threat or a potential threat plays a major role in ensuring cyber security. At present, there are no formal rules of engagement in cyber warfare at either international or multi-lateral levels.

Since cyber communications is in a state of infancy and in the process of dynamic evolution, there is no fool-proof firewall to ensure the safety and security of computer networks. Even the Pentagon has found it difficult to ward off cyber-attacks. Perhaps the most disturbing aspect of the multi-billion dollar business of cyber-attack is that hackers always manage to stay ahead of the security devices engineered to protect the information networks. In recent years, social media sites have emerged as vulnerable platforms for the hackers to break into the information they are looking for. It is not for nothing that Pentagon has projected the view that social media has the potential to change the nature and dynamics of the cyber warfare in the future.

Indeed a most recent report from the internet security company, FireEye, reveals that cyber warriors, most probably based in Mainland China, have been actively targeting the information and communications networks operated by governments and businesses in India and south-east Asia. “Such a sustained, planned development effort coupled with the hacking group’s regional targets and missions led us to believe that this activity is state-sponsored, most likely the Chinese Government,” said the FireEye report.  On its part, China has stoutly denied the involvement of its government or nationals in the cyber espionage reported from various parts of the world.

In the context of China’s People’s Liberation Army (PLA) preparing in a big way for cyber warfare, the Indian military establishment has every reason to set up a cyber command even as the formation of a tri-service aerospace command awaits the approval of the Indian Government. Many countries have already set up cyber commands as part of their defence establishment. The Indian defence set up should put in place a well-equipped cyber command by taking into account its own threat perception and futuristic developments in cyber warfare strategy. Meanwhile, India’s Ministry of Defence (MOD), as part of the move to prevent cyber espionage, has restricted the use of internet on official networks. MOD has already sounded alarm over the move of some foreign intelligence agents to gather top secret information from Indian defence personnel privy to classified information.

Elaborate research  studies on China-based cyber hackings, by  internet security outfits,  have  revealed that a campaign under the codename Shady Rat engineered by cyber warriors based in mainland China  had targeted  the networks of the Asian Governments, corporates  and institutions. Cyber networks of Indian Government agencies, military establishments as well as media and business organisations in the country did face the heat of cyber intrusion carried out by hackers based in mainland China. Significantly, Chinese cyber-attacks are known for their frequency and sheer brazenness. Chinese hackers are known to have stolen classified information from Google, Adobe and other Silicon Valley companies. There is sufficient proof to show that Chinese Cyber warriors had broken into the networks of US defence aerospace and defence giant Lockheed Martin and defence sub-contractors involved in the development of F-35 Joint Strike Force (JSF).     

Meanwhile, India has expressed its serious concern over the move to amend the Wassenaar Arrangement, a global agreement on arms control with a view to include cyber security technologies under its scope. Such a step was prompted by the fact that western intelligence agencies are worried over such technologies falling into the hands of adversaries including terrorists. According to official sources in New Delhi, “These changes could have severe impact on India’s cyber security programme—both hardware and software—as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisations”. Arms exporting nations have agreed to extend the export control regime that limits the proliferation of military products to include internet surveillance technology. The arrangement came into being in 1996 to limit the proliferation of weapons and dual use items after the disintegration of the Soviet Union.

Worried over a flat 40% year on year increase in the incidence of cybercrimes in the country, Home Minister Rajnath Singh  has given as go ahead for the setting up of a  five member expert panel to prepare the ground for  facing  the threat of cybe attacks. “India with a fast growing economy is susceptible to international and domestic cyber-attacks and there is a need to ensure cybercrime free environment,” said a statement from the Indian Home Ministry. As envisaged now, this expert team will prepare a road map for effectively tackling cybercrime and come out with a range of suitable suggestions on possible partnerships with the public and private sectors. According to legal experts specializing in IT acts and cyber laws, the Indian IT Act is obsolete and long outdated. Pointing out that India was yet to formulae a policy on how to deal with cyber terrorism indoctrination, the cyber law experts expressed the view that Section 66F of the IT Act that prescribed life sentence for cyber terrorism was introduced in 2008.   

According to Rohit Mahajan, Senior director and Head Forensic at Deloitte Touche Tohamatsu India “Cyber security is becoming a key concern for most boards and directors  should consider becoming more proactive in evaluating  cyber threat  risk exposure as a fraud risk management issue and not to  limit it to be an IT concern.” The widely held perception is that although many firms and organisations are well equipped with latest security systems, they may still be unable to manage risks. The first line of defence against any cyber threat is increasing perception and awareness of the impending attacks. According to the British Government’s Centre for the Protection of National Infrastructure   a twin track approach could be helpful in coming out with adequate cyber response .On one hand, it would be  highly appropriate to put in place a small, well-endowed  government group supported by appropriate industry contractors  aimed at protection of networks and infrastructure assets of national   importance. This should be supported by a broader-based group of assets, provided and managed by industry, aimed at providing appropriate levels of response to less sophisticated but more frequent cyber-attacks.

The biggest worry for nations bracing to face up to the threat of cyber intrusion is that non-state actors, including terrorist outfits, have been exploiting cyber space to give a practical shape to their devious plans. In US defence parlance, cyberspace is defined  in the context of the second (logical) and third (physical) layers as “a global domain within the information environment consisting of  the inter-dependent network of information technology infrastructure including the internet, telecommunications networks, computer systems and  embedded processors and controllers”.  Evidently, attacks in cyber space involve little risk to the life of the attacker compared to military kinetic attacks in which risk to troops is very much palpable.

The ability to come out with cyber weapons cheaply and quickly is the most striking advantage of cyber war. The Chinese view is that the attainment of information dominance is a key component for attaining victory in a war. As part of its offensive approach ,China is  busy  building the capability  to combine computer network attacks, electronic warfare  and kinetic  warfare strategy with   a view to paralyse communications systems  and information systems of  the targeted  adversary and create vulnerable blind spots that can be exploited to stay at the winning edge of the battlefield. It is high time that India’s military establishment took cognisance of the various dimensions of China’s Cyber warfare strategy and devise an efficacious mechanism to insulate the country against the possibility of cyber-attacks in all its manifestations.

The author is a freelance writer on subjects related to national security and technology. Views expressed are personal.