- Gateway House - https://www.gatewayhouse.in -

Doklam: time for urgent cyber upgrade

For more than a month now, India, China and Bhutan have been locked in a tense stand-off at the tri-junction of their borders in the strategic Chumbi Valley in the Indian state of Sikkim. The trigger was China’s attempt to construct a road through the Doklam plateau. This road will allow China to neutralise India’s defences and expose the Siliguri corridor (or the Chicken’s Neck), which connects India’s north-eastern states to the rest of the country.

Analysis in the media of tactics and military hardware has been shrill and narrowly focused, taking no consideration of the danger that China poses if the current stand-off escalates into cyber space, the fifth spectrum of contemporary warfare. Prime Minister Narendra Modi had hinted at this two years ago, suggesting that it could impel a bloodless war, and that he dreamed of an India where cyber security was an integral part of national security. [1]

China has targeted India’s cyber space and networks for years, allegedly mounting attacks also from Pakistan, its ally. [2] Such incidents numbered 50,362 in 2016, rising from 44,679 in 2014, according to the Indian Computer Emergency Response Team (CERT-In). It is clear that the Indian authorities learnt no lessons from the hacking of Ministry of Defence computers in 2010 that took place despite there being a cyber security policy since 2008.[3][4][5]

Hitachi Payment Services Systems, which provides banking automation products, and ATM and Point of Sale services, was breached between May and July 2017: malware infiltrated more than 3 million Indian debit cards. The hackers took away an “unascertainable” amount of data, [6] but neither the Indian government nor Hitachi was able to establish the origin of the attack, the identity of the hackers, or how the securely self-destructing malware was created. [7]

The Indian economy, which is increasingly technology-dependent, is more vulnerable than ever before. Telecom, smart phones, and internet-based commerce are now a part of daily life, even as the government goes full steam ahead on the front end of digitisation too, from demonetisation in November 2016 to the continued migration of government services to e-services. But at the back end, most local law enforcement agencies in India have had only limited success investigating and prosecuting cyber crimes for want of experience.

Even the Joint Doctrine Indian Armed Forces, released earlier this year, disappoints in this regard. [8] It refers to the importance of cyber space in winning the next war and recommends setting up a new defence cyber agency[9]—similar to the one in the U.S.—but it does not detail how the new entity will differentiate itself from the existing Defence Information Assurance and Research Agency[10], which is tasked with addressing the cyber security needs of the three services and the defence ministry.

It also discusses cooperation of the armed forces with civilian agencies through the National Cyber Coordination Centre[11], an institution that is yet to become operational. Until then, cooperation between military-civil forces will fall to the personal initiative of the Cyber Security Coordinator.

The option of ambiguity

Will it then be wise for India to keep its tactics deliberately ambiguous—so that potential adversaries can only guess at its real ability to retaliate, and hence, choose not to take the cyber offensive route?

The U.S., to an extent, adopts that approach, using guarded terminology[12] to describe its cyber forces while creating a halo around their capabilities through the media. For instance, neither the U.S., nor Israel, its ally, which was suspected to have helped develop the Stuxnet computer worm, acknowledged responsibility for the attack on Iran’s nuclear centrifuges. Yet, enough information percolated into the media[13] to create a sensation and force most potential adversaries to rethink a strike.

On the other hand, China has been upfront about its views on cyber attacks and has made rapid strides[14] in purveying information and practising cyber warfare.[15]

Its Science of Military Strategy [16] (SMS) of 2013, a document considered an official reflection of the thinking in the Chinese military, outlines a force structure, based on three concentric circles, involving both military and civil forces. At its core is the military cyber force. The next ring constitutes ‘authorised forces’, situated in various departments of the government, while the purely ‘civilian forces’ form the outermost layer: volunteers who can be commandeered into action in times of crisis.

Then in 2015, in the White Paper on Military Strategy, China stated that space and cyber space were the “new commanding heights of strategic competition”[17] and that it intended to focus on winning “informationized”[18] local wars. Leading Chinese strategic authors have written on the necessity of destroying the core information systems of China’s enemies, or confusing them by altering information in their systems, and so on, to win the conflict[19].

It is therefore difficult to imagine how India will be served by staying strategically ambiguous about its cyber capabilities. It has to try and catch up—quickly.

The government and private sector have to come together in times of crisis to immediately plug basic gaps, such as applying pending software patches and threat scans, and co-opting the military in the effort: India’s CERT-In issued a threat advisory to computer users in the country within a few hours of the global spread of the WannaCry ransomware attack, while industry bodies, such as the Data Security Council of India, worked with the private sector to ensure that the required security patches were applied urgently[20]. It also hosted a webinar on the subject for the benefit of IT professionals.

In the long term, India must transform its greatest asset, its large pool of skilled IT professionals, to become part of an ecosystem that creates its own cutting-edge software to power India’s technology rather than depend on the imported kind. Locally developed software is a strategic asset since it ensures that the source code that runs the programme and the machinery do not grant access to foreign firms or governments. Reputed domestic cyber security companies, such as Quick Heal Technologies or Net Protector, that have created a niche for themselves in a market dominated by foreign security firms, such as Norton, Kaspersky and AVG, can be tapped to create customised solutions that match India’s security needs.

Hackathons and bug bounty programmes ought to be organised frequently to locate the talent that can develop, and also test, software for cyber vulnerabilities, and lead projects to strengthen the cyber space around India’s sensitive economic systems, such as power grids, oil refinery pipelines and water pumping stations. This latter task is one that the National Critical Information Infrastructure Protection Centre alone handles currently.

Before this can happen, awareness about science, technology and its impact on national security has to be aggressively propagated: events, such as the U.S.-based Maker Faire, though still held only in metro cities and IT hubs, such as Bengaluru, are an important part of this exercise.

Aditya Phatak is Senior Researcher at Gateway House.

This article was exclusively written for Gateway House: Indian Council on Global Relations.

© Copyright 2017 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.

References

[1] Speeches, Narendra Modi, Text of PM’s Remarks at the launch of Digital India week, 1 July 2015, <http://www.narendramodi.in/text-of-pm-s-remarks-at-the-launch-of-digital-india-week-175130>

[2] Ministry of Electronics and Information Technology, Government of India, STATEMENT REFERED TO IN REPLY TO LOK SABHA STARRED QUESTION *16 REGARDING CYBER ATTACKS, 16 November 2016, <http://164.100.47.194/Loksabha/Questions/QResult15.aspx?qref=40475&lsno=16>

[3] Press Release, Ministry of Defence, Government of India, Hacking of Security Information, 27 July 2010, <http://pib.nic.in/newsite/erelease.aspx?relid=0> (Accessed 3 August 2017)

[4] Ministry of Defence, Government of India, CYBER SECURITY, 26 November 2012, <http://164.100.47.194/Loksabha/Questions/QResult15.aspx?qref=130302&lsno=15>

[5] Air gapping is a process in which a computer or computers with sensitive information are kept separately from other machines and are not connected to the internet.

[6] News Release, Hitachi Payment Services, Final investigation report completed; Hitachi Payment Services suffered breach due to sophisticated malware attack in mid-2016, 9 February 2017, <http://www.hitachi-payments.com/src/HPY%20Press%20Release_V9.pdf>

[7] ibid

[8] Press Release, Ministry of Defence, Government of India, Admiral Sunil Lanba, PVSM, AVSM, ADC, Chairman COSC & CNS Releases Joint Doctrine Indian Armed Forces, 25 April 2017, <http://pib.nic.in/newsite/PrintRelease.aspx?relid=161274>

[9] ibid

[10] Ministry of Defence, Joint Doctrine Indian Armed Forces, April 2017, <http://bharatshakti.in/wp-content/uploads/2015/09/Joint_Doctrine_Indian_Armed_Forces.pdf>

[11] Ministry of Electronics and Information Technology, Government of India, Ministry of Electronics and Information Technology (MeitY) launches Cyber Swachhta Kendra – Botnet Cleaning and Malware Analysis Centre, 22 February 2017, <http://pib.nic.in/newsite/printrelease.aspx?relid=158620>

[12] Department of Defense, Government of the United States of America, The DoD Cyber Strategy, April 2015, p. 5, <https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf>

[13] Zetter, Kim, ‘An unprecedented look at Stuxnet, the world’s first digital weapon’, Wired.com, 3 November 2014, <https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/>

[14] Congressional Testimonies, Office of the Director of National Intelligence, Statement for the Record Worldwide Threat Assessment of the US Intelligence Community Senate Armed Services Committee, 23 May 2017, <https://www.dni.gov/index.php/newsroom/congressional-testimonies/item/1764-statement-for-the-record-on-the-worldwide-threat-assessment-of-the-u-s-ic-before-the-senate-armed-services-committee>

[15] Justice News, The United States Department of Justice, U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage, 19 May 2014, <https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>

[16] Qiu, Mingda, ‘China’s Science of Military Strategy: Cross-Domain Concepts in the 2013 Edition’, University of California San Diego, September 2015, <http://deterrence.ucsd.edu/_files/Chinas%20Science%20of%20Military%20Strategy%20Cross-Domain%20Concepts%20in%20the%202013%20Edition%20Qiu2015.pdf>

[17] Campbell, Caitlin, ‘Highlights from China’s New Defense White Paper, “China’s Military Strategy”’ U.S.-China Economic and Security Review Commission, 1 June 2015, <https://www.uscc.gov/sites/default/files/Research/Issue%20Brief_Highlights%20from%20Chinas%20New%20Defense%20White%20Paper_Campbell_6.1.15.pdf>

[18] Press Briefing, Ministry of Defence, Government of the People’s Republic of China, China’s Military Strategy, 26 May 2015, <http://eng.mod.gov.cn/Press/2015-05/26/content_4586805.htm>

[19] Wortzel, Larry M., ‘China’s Approach to Cyber Operations: Implications for the United States’, U.S.-China Economic and Security Review Commission, 10 March 2010, <https://www.uscc.gov/china%E2%80%99s-approach-cyber-operations-implications-united-states>

[20] Media, NASSCOM, NASSCOM-DSCI Has Alerted Members On Cyber Outbreak WannaCry Ransomware, 15 May 2017, <http://www.nasscom.in/press/nasscom-dsci-has-alerted-members-cyber-outbreak-wannacry-ransomware>