Edward Snowden's Wake Up Call: Cyber Security, Surveillance And Democracy
21 June, 2013
Edward Snowden, in his courageous, principled expose, has brought out how USA's National Security Agency (NSA) has been spying on most nations in the world. This spying is clearly to establish or strengthen USA's political, economic and military global clout. India is the fifth-most spied-upon nation, even more than China and Russia. Considering that India is USA's strategic partner, spying on India is breach of faith. Iran tops the list (14 billion pieces of intelligence); then come Pakistan (13.5 billion), Jordan (12.7 billion), Egypt (7.6 billion), and India (6.3 billion). [Ref.1] It is piquant that India, USA's strategic partner, is in the “club” of Iran, Pakistan, Jordan and Egypt, where USA perceives “threat” to its global hegemony. USA has other strategic partners and doubtless they too are being spied upon, and many national leaders, notably of Turkey, Germany and Russia, have raised serious objections. But India is USA's junior and subservient strategic partner due to the long-term, built-in subservience of India's political and bureaucratic architects of the strategic alliance.
There has been no official Indian protest and there is unlikely to be even a squeak on this sovereignty issue. However, people's voices have been raised, especially from within USA, against USA's presidentially-sanctioned, global electronic spying and surveillance. These voices are directed simultaneously at demanding recognition and protection of individual privacy rights, calling for accountability and transparency of U.S presidential and Congress decisions, and attempting to influence USA to pardon whistleblower Edward Snowden who is still in hiding.
Snowden's expose on the heels of the commencement of the trial of that other courageous and righteous prisoner-of-conscience whistleblower Bradley Manning, is a grievous blow to the pride of NSA and the U.S establishment. Thus these whistleblowers are “traitors” who need to be punished severely because they have weakened USA against its “enemies”, self-created and self-imagined. Added to the list of “traitors” are the courageous people in The Guardian and Washington Post, like Laura Poitras and Glenn Greenwald, who actually brought Snowden's leaked information to public glare. It is now clearer than ever before that USA's official enemy is not this country or that, not Al Qaeda or Taliban, not this religion or that, but the spread of peace and real democracy, and the demands for human and civic rights, all of which threaten the pre-eminence of the military-industrial complex MNCs which run USA from behind a teflon curtain.
Like all colonial powers of the past, this pre-eminence is based heavily on political, economic and military intelligence. In modern times it calls for surveillance and access to data and information from within and outside USA. Thus, U.S intelligence agencies would be particularly interested to access databases of various kinds, and real-time data as it is being created by land, ocean, aerial and space surveillance devices. With the kind of super-computing capability, global intelligence experience, and unparalleled military power and reach that USA possesses, this collated intelligence can be used for hegemonic aims. These are stated in the Project for a New American Century (PNAC) created in 1997 by a group of conservative American politicians, academics and policy brokers. PNAC aims to “shape a new century favourable to American principles and interests” and “make the case and rally support for American global leadership” [Ref.2].
Thus it is the business of every country to protect its databases from hackers, sleuths, mercenary spies and intelligence agents, who try to obtain intelligence by one or more of several fair or foul means.
System and data security
The damage that can be wreaked by deliberate corruption or destruction of programs or data, or lifting of data without the knowledge of the rightful owner of the data, by illegal access into the operating system is enormous. For example, if the computer system of Indian Railways is tampered with, goods and passenger trains across the country can be brought to a halt, causing huge economic loss, with heightened accident risk. Or if, like NSA's Stuxnet program destroyed Iran's nuclear enrichment centrifuges, our nuclear power plants' systems are broken into, it can result in a nuclear disaster. Government of India (GoI) has listed“the civil aviation sector (ATC), railway passenger reservation system and communication network, port management, companies and organizations in power, oil and natural gas sectors, banking and finance and telecom sectors” as critical, apart from certain “strategic government departments such as space (ISRO), External Affairs Ministry (passport database), the Home Ministry's police and intelligence networks,.... the Prime Minister's Office (PMO), the NSCS and the Cabinet Secretariat”. [Ref.3].
Security of government data and data concerning its citizens is vital for any government. Government and private intelligence agencies (the services of the latter purchasable by the highest bidder) are engaged in acquiring or “mining” information from their own country and from other countries which are competitors in the political, economic or military senses. It is standard security practice, for instance, that computers which are connected to the internet are not connected with the LAN, so that there is no access to the system through the internet. Other security measures are physical security to ensure that data is not tampered with or copied by individuals who work within the system or obtain physical access to the system. However, for systems which are necessarily connected to the internet for their functioning (e.g., internet banking), it is a mere combination of motivation – money, display of capability, ideology, etc – and time-on-the-job, for an experienced hacker to crack firewall codes and find passwords to gain access to programs and data. This has been demonstrated by hackers, detected and punished or not, who have broken into systems as varied as banks, strategic, military, scientific, technical or industrial databases around the world. Another method is to plant viruses or clandestinely embed special-purpose hardware and software into commercially supplied hardware devices and software systems to transmit data that passes through the system. Routinely, firewalls to prevent unauthorized access into systems, regular change of passwords at all levels within the system, and restricting physical access to system terminals are time-tested methods for system and data security.
Rudderless national security ?
It is known that GoI intelligence or infotech agencies have not indigenously created, tested and certified a firewall for system and database security. The GoI firewalls in use are purchased commercially from international infotech vendors. It is no big deal for an employee of an infotech corporation which has designed GoI's firewalls, to part with key information for personal gain, to any person or intelligence agency who wants to break into GoI systems without even being observed.
India's apex security body, the National Security Council (NSC), admits that India's cyber security strength is “grossly inadequate to handle cyber security activities in a meaningful and effective manner”. Therefore, “Now, India is also setting up its own 'cyber security architecture' that will comprise the National Cyber Coordination Centre (NCCC), ... the Cyber Operation Centre, ... and National Critical Information Infrastructure Protection Centre (NCIIPC) ...”. [Ref.3]. This pathetic admission, clearly after exposure of NSA's spying success with India as a preferred target, indicates institutional failure of India's intelligence organizations, and worse, failure of NSC itself to comprehend strategic imperatives. If this is considered an unduly harsh statement, consider that in 15 years of its existence, NSC, headed by none less than the Prime Minister of India, has not brought out a national security strategic document. NSC's post-Snowden awakening to India's gross inadequacy in cyber security appears to be a knee-jerk reaction rather than part of a strategic plan.
Corporations in intelligence and surveillance
One of India's premier science institutions, The Indian Institute of Science (IISc), Bangalore, signed an agreement with Huawei Technologies Corporation, to set up a telecom laboratory. The data that Huawei would have access to, would not only be that of IISc research but also of its projects financed by GoI, and access through internet and other means to the GoI agencies with which IISc has data exchange and correspondence. Since Huawei has close links with the Chinese government, the Indian intelligence community expressed disapproval of this transaction, obviously because data security was a concern.
However, according to the Unique ID Authority of India website (UIDAI is the creator of India's grandiose national information infrastructure “Aadhaar”), several U.S firms have been awarded contracts to provide goods and services to implement the Aadhaar project. For example, Ernst & Young was contracted for setting up UIDAI's Central ID Data Repository (CIDR), and L-1 Identity Solutions Inc., a U.S-based intelligence and surveillance corporation, for technical support and biometric capture devices. Also, Accenture Services Pvt Ltd which works with U.S Homeland Security, was contracted for implementation of biometric solution. Thus, U.S firms with known links to U.S intelligence are in a position where they can directly or indirectly, by contract or clandestinely, access India's national database owned and operated by UIDAI.
Surely this was known to data system designers in UIDAI and to India's intelligence organizations. Also surely known is the fact that U.S legislation makes it mandatory for U.S firms to provide to the U.S administration on demand, any or all data or information that they may acquire in the course of their operations. Thus, the fact that the Indian intelligence community was strangely silent on the UIDAI contracts, leads an impartial observer to view this as another sign of India's subservience to U.S diktat, not necessarily unconnected with corruption at some individual level. Whatever the reason for this, there can be no excuse for compromising India's data security.
India also imports electronic hardware from China (e.g. data routers, which handle data within networks), Japan and South Korea, which is used in government departments. There is little if any systemic method by which these hardware devices with embedded software can be checked for their ability to access the data which they are only meant to handle.
Enabling U.S cyber hegemony
Linked with Snowden's expose is the report that U.S president Obama has authorized drawing up a list of potential targets for Offensive Cyber Effects Operations (OCEO), to advance “U.S national objectives around the world”. This could be in pursuance of the PNAC. An intelligence source with extensive knowledge of NSA's systems told the Guardian, that with both defensive and offensive cyber operations being central to U.S strategy, “ ... America had participated in offensive cyber operations and widespread hacking – breaking into foreign computer systems to mine information”. OCEO by the U.S military is also very much on the table. [Ref.4]. Thus the hegemonic cyber-power of USA in political, economic and military spaces is frighteningly real.
UIDAI's Aadhaar program aims to provide a unique identity to all Indian residents including non-citizens, by providing a unique 12-digit number based upon biometric records of every individual, to form India's flagship database. The Aadhaar number will be used by various government, quasi-government and non-government systems across India to establish the identity of any person who wishes to receive a service or derive benefit from it. Breaking into the Aadhaar database can provide an individual's primary personal data (e.g., biometrics, name, age, sex, relation, address, mobile number, bank account, etc), thus violating his/her privacy. [Ref.5].
Thus, access into UIDAI's CIDR and associated programs due to UIDAI's contracts, provides reach into personal information of all India's residents. Compromising an individual’s personal data affects only that person, but when the personal data of many millions of people is involved, there is potential for all kinds of use of data for corporate gain or for misuse for profiling people on the basis of caste, religion, language, etc. This would be an unmitigated national disaster not merely because of loss of security and the resulting disgrace, but also because it will effectively allow foreign control of India's flagship database.
The Indian establishment may publicly rubbish the foregoing, but that is only to be expected from a political-bureaucratic-intelligence set-up that has possibly colluded to award sensitive contracts concerning India's strategic interests to U.S corporations specializing in intelligence and surveillance. This is not to suggest that USA will launch offensive cyber operations against its strategic partner, but to point out that with the strategic upper hand, USA will be in a position to dictate policy and action to India, exacerbating its subservience besides compromising sovereignty. That the U.S military, already organized into six commands that straddle the globe [Ref.6] has expanded its Cyber Command, should sound alarm bells in the Indian military, unless the canker of subservience has affected it too.
Ownership of databases
Data is the new property. An executive notification of the Planning Commission dated January 28, 2009, stated among other things, that UIDAI “shall own and operate” the Aadhaar database. [Ref.7]. The Technical Advisory Group for Unique Projects (TAG-UP) chaired by UIDAI Chairman Nandan Nilekani, envisages formation of National Information Utilities (NIUs) which would be “private companies with a public purpose: profit-making, not profit maximising”, with at least 51% private ownership and at least 26% government shares. TAG-UP envisages that when the Aadhaar system attains a “steady state”, the database will be taken over by a NIU and government, which set up the Aadhaar system at enormous public cost, will take the role of a “paying customer”. Indeed, the TAG-UP states, “Once the rollout is completed, the government’s role shifts to that of a customer“.
Apart from the sheer audacity of TAG-UP's proposal of government funding the start-up of private companies, the data-security risks of private companies owning and handling strategic databases appears to have been overlooked. Data security of Indian citizens and other residents would be compromised, simplifying the task for NSA. Purchasing the desired data from an entity which has it or has access to it, is so much more elegant, risk-free and cheaper that hacking into a system! This is not to suggest that only USA (through its NSA, CIA and FBI) would be interested in hacking into India's critical information infrastructures. Surely China, Pakistan, Russia, Israel, Britain, France, Iran, Bangladesh, Sri Lanka and Myanmar at the very least, would have reasons to obtain data and information from India for political, economic and military purposes.
Impending death of democracy
India's new Centralized Monitoring System (CMS) has, like UIDAI before it, been created by executive fiat. CMS is a wide-ranging surveillance programme that will give its security agencies the ability to tap directly into e-mails and phone calls without oversight by courts or parliament. Security agencies will not need to seek a court order for surveillance. CMS will provide government unfettered access to all landline and mobile phone calls (900 million subscribers), SMSs, e-mails, web browsing (120 million internet users), video-conferencing, multi-media streaming and even video games. [Ref.8]. This has been planned and put into place without any legal safeguards and procedures concerning who or what will be surveilled, who will authorise surveillance, the period of surveillance, etc. In typical obfuscation, junior minister for Information Technology, Mr.Milind Deora, said the new data collection system would actually improve citizens' privacy because telecommunications companies would no longer be directly involved in the surveillance - only government officials would.
The purpose of UIDAI's Aadhaar project was stated to be reaching government benefits and programs to the poor by direct benefit transfer (DBT). If that was indeed so, then there was no need to coercively enrol the non-poor into Aadhaar as has been done, and to link up rights like salary and pension to the Aadhaar number. Thus, with plans to hand over strategic databases to private entities (NIUs), there is little doubt that UIDAI's Aadhaar project will be an enabler in the CMS plan. The doubt is only whether it was planned to be the enabler, to facilitate surveillance.
The operationalization of CMS together with UIDAI's Aadhaar operating in corporate (NIU) hands will make India into a police state under unfettered capitalism of corporate control. The power of the people by electing representatives to legislatures will be meaningless as legislators are themselves corporate honchos or increasingly under the influence of corporates. Those who are not, will be silenced with information obtained by CMS investigation.
The strategic subservience of India to USA and the latter's PRISM, will ensure that India's chief executive (prime minister) will toe the U.S line, not unlike USA's imposition of dictators in the countries of South America in the 1970s and 1980s. This was done to impose neo-liberal economic policies according to Milton Friedman, through political shock doctrine methods. These include harassing, arresting or “disappearing” dissenters, objectors, political opponents, trade union leaders, whistleblowers, intellectuals, and all those who are foolish or courageous enough to demand social justice, equity and democracy, because locating and targetting them through Aadhaar and CMS will be child's play. [Ref.9].
1. Tom Engelhardt; “The Making of a Global Security State”; <http://www.countercurrents.org/engelhardt180613.htm>; Countercurrents.org; June 18, 2013.
2. Zia Mian, “America's Time and Place”; Economic & Political Weekly; Vol.XL, No.16, April 16, 2005.
3. Sandeep Joshi; “Waking up now, India to up cyber security strength”; The Hindu, Bangalore, June 19, 2013, p.14.
4. “Obama orders US to draw up overseas target list for cyber-attacks”; The Guardian; <http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overseas>; June 9, 2013.
5. Indulekha Aravind; “Criminals will be able to crack UID system easily: Jacob Appelbaum”; <http://www.business-standard.com/article/economy-policy/criminals-will-be-able-to-crack-uid-system-easily-jacob-appelbaum-113053100728_1.html>; Business Standard, Bangalore, June 1, 2013.
6. Vombatkere, S.G., “The US War Machine – Yesterday, Today and Tomorrow”, Mainstream, New Delhi, Vol XLVIII No 17, April 17, 2010, p.25-30.
7. Usha Ramanathan; “Your data, going on sale soon”; <http://www.thehindu.com/opinion/op-ed/your-data-going-on-sale-soon/article4733606.ece>; The Hindu; May 13, 2013.
8. Shalini Singh; “India's surveillance project may be as lethal as PRISM”; The Hindu; June 21, 2013; p.1.
9. Naomi Klein; “The Shock Doctrine: The Rise of Disaster Capitalism”; Random House, Toronto, 2007.
Major General S.G. Vombatkere retired as the Additional Director General, Discipline & Vigilance in Army HQ, New Delhi. The President of India awarded him the Visishta Seva Medal in 1993 for distinguished service rendered over 5 years in Ladakh. He holds a PhD degree in Structural Dynamics from IIT, Madras. He is Adjunct Associate Professor of the University of Iowa, USA, and is a member of NAPM and PUCL. He writes on strategic and development-related issues.: Email: firstname.lastname@example.org
Comments are moderated