U.S Response to Cyber Attacks: Lessons for India

The US national security advisor Susan Rice was in Beijing from 28-29 August 2015 to meet senior Chinese officials and "consult on a range of bilateral, regional, and global issues" ahead of Chinese President Xi Jinping's visit to Washington in September. Significantly on the agenda was cyber-security. The White House has been alarmed not only by the perceived Chinese territorial grab in the South China Sea but also their links to cyber attacks on US commercial interests and sensitive government personnel records- the OPM breach.[1]

The US military on its part believes that hackers connected to Russia were behind the recent intrusion into a key, unclassified email server used by the office of the Joint Chiefs of Staff even though, as was in the OPM case, the evidence is not conclusive.[2] The spear phishing attack into the email of the Joint Chiefs of Staff “successfully penetrated the server at multiple points and exposed a new and different vulnerability," which the US cyber teams had not encountered in the past.

Investigations into these cyber-security incidents, which have come to light over past several months, found imprints leading investigators to conclude that the suspected attackers were possibly associated with countries such as Russia and China on one hand and to the more unlikely North Korea, on the other end of the geopolitical spectrum. The US also feels that Russia and China are acting in tandem and collaboration.[3]

The US, since then has launched some far reaching initiatives to meet the challenges posed by gaps in its cyber-security protocols. There is also the worrying realisation that cyber-attacks are going to be at the vanguard of Hybrid conflicts and the capability to counter them will be crucial. This article looks at some of these initiatives, which are likely to provide invaluable pointers for India as it looks to ratchet up its defence (including cyber) preparedness and crank-up its defence manufacturing under the ‘Make-in-India’ programme.

SOS to Silicon Valley

On 28 August 2015, the US Defence Secretary Ash Carter was in Silicon Valley to recruit ‘outside’ help as he felt that the intrusion into the Joint Chiefs of Staff computer network was an indication that the military did not have the requisite cyber defences. The trip, in the quest to shore up the nation’s cyber-defence,  was his second and in the footsteps of his predecessor, Chuck Hagel.

The US has been looking for game-changing innovations that would empower it with decisive (security/combat) advantage over its adversaries in the decades ahead. In November 2014, US Defence Secretary Chuck Hagel announced the Defence Innovation Initiative to find/develop/fund such game-changing innovations within a long-term plan to “offset,”[4] or effectively neutralize, the technological advancements of other rival nations. Hagel had indicated his Department’s focus on “robotics, autonomous systems, miniaturization, big data, and advanced manufacturing, including 3-D printing.” Hagel had also outlined four components of his approach:  more use of modular and open system architectures; providing industry with draft requirements earlier; removing obstacles to procuring commercial items and; finally, improving technology search and outreach in global markets. Now Ash Carter is looking to leverage cyber technology.

On 23 April 2015, Ash Carter on his first trip to the Silicon Valley, had delivered a lecture, "Rewiring the Pentagon: Charting a New Path on Innovation and Cyber-security," at Stanford University, California and gave out Pentagon's new cyber strategy and innovation initiatives. The new or the second Cyber Strategy is an update of the original strategy released in 2011 and a guide for the development of Pentagon’s cyber forces. It seeks to strengthen cyber defences and posture on cyber deterrence.[5] Deterrence is a key part of the new cyber strategy, and calls for a national set of capabilities to deter cyber-attacks. There are three major drivers of the new US cyber strategy. First, is the increasing severity and sophistication of the cyber threats; second, the US presidential directive of 2012 and lastly the need to provide guidance for the development of a 6200-strong Cyber Mission Force (CMF).[6]

Innovation Unit

The Pentagon has set up an office in Silicon Valley,[7] which besides building new partnerships and identifying “game-changing” emerging technologies, will clarify to the technology community measures Pentagon takes online to protect the nation. This Defence Innovation Unit Experimental, or DIUX, will mark the DoD’s first permanent outreach presence in the in the Silicon Valley and will be staffed by an elite cadre of serving military and civilian personnel, complemented by reservists. They will focus on “scouting emerging and breakthrough technologies and building direct relationships with DoD.”

The DoD will also establish a pilot programme to “tap into the creativity of startup ventures identify promising technologies with defence applications” which have traditionally not been accessed but have the potential of being likely game-changers. The Pentagon will also make an investment in In-Q-Tel, the CIA’s venture capital unit, to support new capabilities in nano-electronics, software and applications. Yet some tech firms have been wary of the Pentagon’s outreach on issues such as intellectual property rights, privacy issues, snooping by the government etc.

HR Aspects

Carter is ultimately looking to forge what has been called the “Force of the Future” to focus military leaders in reshaping the DoD to position it better to counter modern threats, especially in cyber security. The Pentagon will also establish a branch of the US Digital Service, a technology initiative and upgrade its Corporate Fellows program. Established in 1994, the programme sends 15 to 20 officers to top commercial companies every year for a period of about 11 months to learn private sector best practices.[8] Following their tenure in the private sector, “fellows are assigned to a part of DoD where they can apply their experience with the industry.” Now the DoD will expand the programme into a two-year assignment.

Besides the more obvious imperatives of mutual trust, close cooperation and sustained coordination between the military-industrial complex, the measures being taken by the US to beef up its cyber security hold the several lessons for India. First and foremost is the requirement to put in place a framework based on a long term vision and in-depth understanding, which is capable of synergising national cyber resources to respond within the short time-windows of cyber threats. Two, the defence and tech sector cooperation has to move on to a more proactive ‘pull’ system based on Defence outreach from the existing vendor based ‘push’ model responding to Defence specifications. The defence outreach in terms of identifying potential ideas has to go beyond corporates to start ups and even educational institutions. These ideas in turn should influence defence specifications. Lastly, HR management is key; while India has struggled to synergise cooperation between the military and its defence research institutions, the cyber defence framework goes a step further to demand commonality of thinking and processes between the military and the private sector R&D.

Conclusion

Cyber defence is a complex multi-faceted issue and deterrence is an important component. Therefore, the Obama administration, to deter state-sponsored cyber-attacks, is planning to  issue a major response[9] in terms of  "unprecedented"  sanctions against the rising wave of ­Chinese and Russian[10]  cyber-intrusions, who officials say have “stolen everything from nuclear power plant designs to search engine source code to confidential negotiating positions of energy companies." India could do well to see the writing on the wall.