There are no breaking news at the moment

 

cyber-warfare

Ransomware worm WannaCry struck at and crippled UK’s National Health Scheme, causing a national emergency of sorts. The operations systems of British Airways, Lufthansa and Air France were targets of cyber attack on passenger handling, causing economic loss but fortunately no accident. All this is cause for concern in India, because of India’s huge vulnerability to cyber attack. Now [“India’s Su-30MKI likely downed by China’s Cyber Weapons”; http://www.defencenews.in/article/Indias-Su-30MKI-likely-downed-by-Chinas-Cyber-Weapons-262280 , an Indian Air Force Su-30 Mk-I jet fighter aircraft is suspected to have been downed by China’s cyber attack on its avionics system, without firing a shot. Is China checking out Indian military cyber vulnerability?

Worms are perhaps the mildest of threats, but there are other threats including human hackers, who break into systems to steal (copy) data or corrupt it, making data inaccessible temporarily or permanently, or infiltrate the operating system itself. These threats affect systems connected to the internet. Breaches of national or security databases are attacks on the nation and its sovereignty.

Defence

The word “defence” is usually connected with the armed forces, namely, the army, navy and airforce, the formal defence sector together referred to as the military. The primary task of India’s military is to protect the nation’s territorial and political sovereignty and integrity, with appropriate use of military force.

Military operations are based upon seven parameters, namely, command, control, communications, computers, Intelligence, surveillance and reconnaissance, shortened to C4ISR. Every one of these parameters is dependent upon computers and information technology (IT), and information warfare (IW) is a distinct branch of military operations. Cyber attack on military systems can neutralize one or more of the components of C4ISR, and adversely affect military operations, reflecting upon our nation’s sovereignty.

The downing of IAF’s Sukhoi fighter should be the trigger for India’s military to urgently work towards totally indigenous cyber security and then build on it. Also India’s inter-Services communications interoperability and security needs to be urgently established even as India is on the verge of signing CISMOA for communications interoperability and security with the US military.

Beyond the military

The national economy functions on the basis of the five parameters of C4ISR, excepting surveillance and reconnaissance. Cyber attack on the national economy will have severe consequences on the effectiveness of its military. For example, a cyber attack on the railway operations computer system will at least temporarily halt railway movements to shift military units or military stores. Such a cyber strike at the transportation system will also lead to incalculable financial and economic loss.

Similar scenarios are possible for attacks on electricity power grids; telecommunications grids; police and internal security; banks, stockmarkets and trade-and-finance; petroleum sector; civil aviation; governance nodes; water supply; etc., all critical sectors affecting public order, safety and health.

A cyber strike on multiple sectors can cripple the economy and create public chaos. Realistic security should consider such worst-case scenarios, in which sovereignty will be the most serious casualty. Hence national defence concerns the critical sectors of the national economy in addition to military defence.

Cyber attack and sovereignty

Every computer operating system and its database are vulnerable. Experts in IT-IW aver that a system is safe only until it is hacked. Defence against attack is regular but a periodical change of passwords, data-encryption using secure algorithms and keys, firewalls, malware protection systems and other end-point security systems. Equally important is the hardware secretly embedded in computers or peripheral hardware at the chip- or silicon-level. “Back-doors” in computers, embedded transmitters in data routers and modems, implanted hardware or software in TVs or set-top boxes effectively making a TV into a surveillance camera, are known threats, for which we have no remedies.

It is vital to provide real-time protection to computers and systems in government offices and establishments. This is only possible if critical software involving data encryption, firewalls, etc., and critical hardware are actually made in India with in-house control and oversight by Government of India (GoI).

India’s most all-encompassing database is UIDAI’s Aadhaar Central ID Repository (CIDR), the creation of which was unfortunately contracted to a foreign firm linked to the intelligence community, giving it from-birth vulnerability. Its deliberate connection to all other databases makes it a prime target for hackers. A successful attack on UIDAI’s CIDR by Pakistan or China (or for that matter by USA, whose NIA has already successfully snooped on India and even its own NATO partners) would be a matter of national shame for a nation which prides itself on its indigenous competence.

It is necessary to note that at present, all items of critical hardware and software in GoI and state government offices and establishments (including the military and Aadhaar) are purchased from vendors in the market, and national safety and security are entirely dependent upon contractual penalties in the breach. Thus, cyber safety and national security is reduced to demanding monetary compensation subject to litigation in courts of law.

The foregoing amply demonstrates that indigenous production of critical IT hardware and software including know-how and know-why, is as much a national defence requirement as indigenous production of critical military hardware and critical expendables (ammunition). When the military human resource (the soldier) has to be 100% Indian, the human resource employed in production of critical defence hardware and software also needs to be under GoI control. This can happen only when production is by a PSU under GoI’s watch.

The way ahead

Given time, any system can be hacked. There is no 100% safety, especially in the IT field. Cyber safety is a dynamic concept, since cyber attackers take advantage of new and hitherto unrecognized vulnerabilities even as system safeties are updated.

Indigenization in its holistic sense means building indigenous capability for concept, design, development and production of assets of national strategic value. Indigenous production of critical items without GoI control may create jobs, but cannot provide security or protect sovereignty.

There is no substitute for indigenously produced and GoI-monitored critical IT hardware and critical software for systems and databases of national importance, which are central to C4I for governments and C4ISR for the military. The present total dependence on business houses for critical hardware and software must be phased out as a part of national strategy.

PSUs under GoI oversight and control need to produce critical IT hardware and critical software. Rather than privatizing PSUs and losing R&D and production infrastructure and trained human resource, GoI would do well to examine how existing PSUs can be reorganized, re-jigged and re-tooled, existing human resource re-trained and competent human resource inducted, to meet the need for indigenous research and production of critical IT hardware and software in the interest of national security and sovereignty. Where necessary, private agencies should of course be contracted to supply PSUs with sub-critical systems, with GoI retaining overall control on policy and production of critical items and systems. National defence, which clearly goes beyond military capability, deserves a very careful review.

Production of critical defence needs is not a matter of business strategy. It is an imperative of national strategy. National sovereignty cannot be subordinated to efficiency of PSUs. If a PSU is deemed inefficient, it is government’s responsibility to set it right in the national interest. Losing control over policy and production of critical hardware and software through disinvestment or privatization of PSUs as business strategy, is clearly not in the national interest. GoI and State governments need to stop looking at security through the narrow tunnel of business and economic growth, as at present.

Are State and Central Governments listening? Hopefully India’s military is alive to its cyber vulnerability, and is doing something about it.

Major General S.G. Vombatkere, VSM, retired as Additional DG Discipline & Vigilance in Army HQ AG’s Branch. With over 550 published papers in national and international journals and seminars, his area of interest is strategic and development-related issues. E-mail: sg9kere@live.com

  • K SHESHU BABU

    Advanced technology has the vulnerability of being attacked with even more advanced techniques. Computer systems are affected by the attacks more frequently causing hacking of data and loss of privacy. Recent leakage of aadhar numbers shows the gravity of the situation. Hence the government should take urgent steps to save data, specially relating to defence systems, immediately and safeguard peoples information

  • rashokkumar

    India is like the rest a society of specialists. As Wendell berry states: in living in this world by his own will and skill, the stupidest peasant or tribesman is more competent than the most intelligent worker or technician or intellectual, in a society of specialists. The conclusion is that modern civilisation will destroy life which end is the opposite of what karma achieves . Karma is the offering in return which causes the Genesis and support of beings.