Israel started it, with its Talpiot Unit 8200 programme, by recruiting teen hackers and math wizards. Over the decades, it became an intelligence entity that snooped on data collected by friends and foes alike, and it is widely believed to have created the Stuxnet computer worm in 2010 that infected many industrial computers around the world, including Iran’s nuclear facilities. “Cyber defence and offensive capabilities go hand in hand. You can’t have attacking strength and pretend all is well. Sometimes, the best defence is offence. India has to keep that in mind and work faster. Otherwise, it will learn the hard way,” says a former Unit 8200 expert, now employed with an MNC in the US, with a chuckle. “I guess India has been damn slow, and has to now make up for lost time,” he declares.
Certainly, he is right about India. Asked about India’s cyber offensive capabilities, a Home Ministry official says, “There is none.” Vinay Mohan Kwatra, joint secretary in the Ministry of External Affairs responsible for counter terrorism and cyber security, says that India has become a land of ‘no resistance’ for hackers. Jokes a former head of an ambitious intelligence project that is yet to take off: “If a Pakistani militant sends a Skype message to his India-based agent outlining a detailed plan to assassinate the Prime Minister, our guys can’t intercept it.”
True, cyber security has long been an alien concept for the Indian Government. Not anymore.
ON THE FAST TRACK
According to at least two officials privy to information, the Narendra Modi Government plans to go on a discreet ‘recruitment spree’ across schools and engineering colleges to hire “potential hackers who can safeguard and if required target projects aimed at destabilising India”. This will complement New Delhi’s efforts to bolster its cooperation on the cyber security front with countries such as the US—which, ironically, was found to be snooping on the activities of Indian ministers and senior officials—to combat common threats such as China. Says Danzig: “I am very supportive of India-US cooperation on cyber-security. There are several governmental and non-governmental dialogues between our two countries on this topic, many involving your National Security Adviser’s (Ajit Doval’s) office. We face common vulnerabilities, both nations have the skills [needed] to contribute to common efforts, and the actions of one of our countries can affect the other. We should work together more.”
An official of India’s Defence Research & Development Organisation reveals that India is actively pursuing Israel to help train cyber security divisions in India for cyber warfare, given that cyber terrorism, unlike conventional warfare, is like a hydra-headed monster—constantly adapting and changing form.
The problems that India faces in cyberspace are far too many. Not long ago, Chinese hackers broke into sensitive naval computer systems in the headquarters of the Eastern Naval Command at Visakhapatnam with the apparent intention of accessing secret Naval documents and gathering information on India’s nuclear submarine programme. Similarly, Israel, too, has been keeping an eye on the technology of India’s Klub cruise missiles, a variant of the Russian Yakunt missiles that Iran has. In recent years, cyber attacks emanating from overseas locations have been on the rise: sensitive computers at India’s space department have been hacked into; there were also reports of explosions being caused in gas pipelines in various parts of the country by Stuxnet-like malware, as well as attempts to sabotage power supply systems.
The greater dangers that many experts warn of are: blackouts caused by power grid failures, transport systems such as Metro services getting crippled, stock exchanges and banks being hacked and mauled, law and order problems triggered by disinformation (such as what caused an exodus of northeastern students some time ago from Bangalore), and so on.
The new plans are not really new. But the earlier Government wasn’t able to sustain some of its bold experiments in strengthening its cyber security infrastructure. Nearly 10 years ago, the country’s military intelligence team got on board a few bright young people to work on a special assignment that involved what’s now termed ‘hacking’, a word that was unheard of back then. According to a person who was part of the team, vouched for by a Defence Ministry official, these wunderkinds were put to top-secret work; they accessed the Pakistan government’s networks and also snooped on the US embassy’s network in Islamabad, retrieving what news portal Rediff—which reviewed the ‘hacked’ documents—called the ‘US road map for Pakistan’. The leaked documents had the entire US gameplan in the region and dwelt upon various sensitive subjects, including Kashmir. According to reports, these documents also revealed an American plan for what South Asia Tribune, a US-based online newspaper, termed ‘clipping General Pervez Musharraf’s wings’ by 2004. The US, for its part, denied the existence of any such plan. Yet, as a hacking job, it was a success. As a military intelligence official tells Open, “That experiment showed that our boys can do it.”
Dr Gulshan Rai, Director General of Indian Computer Emergency Response Team (CERT-In), too, maintains that India’s cyber-capabilities are not all that bad. However, internecine wrangling among various cyber agencies has been an obstacle to a coordinated action in cyber security. Rai was tipped to become the first National Cyber Security Coordinator, which would require him to coordinate the efforts of various agencies involved in cyber security, but the friction between these departments meant he wasn’t named for the job. A senior National Technical Research Organisation (NTRO) official confirms that “for sure, there is a turf war”.
Thanks to such bickering and concomitant delays, India’s cyber capabilities are not good either. India, according to experts in both the private sector and the Government, has so far not been able to fight off cyber attacks from outside the country. Rai admits such shortcomings: “Cyber attacks originate from different locations in the world. Indian cyberspace is also penetrated by a number of perpetrators from the cyberspace of other countries. Their cyber technology offers [them] complete anonymity and virtuality, and it is difficult to pinpoint the original location of the attacks. Based on the footprints of the attacks observed in Indian cyberspace, one can only say that ‘these attacks are coming from the cyberspace of so and so country’. In reality, these attacks may not have originated from the country whose footprint we see in India. It is therefore difficult to attribute any attack to any particular country.”
Rai continues, “Newer and newer technologies are being introduced in the world, and at the same time, newer vulnerabilities are being observed in existing hardware and software. Therefore, keeping all such scenarios [in mind], steps… have been taken to strengthen the security posture of IT infrastructure in India.”
A former senior official of the National Technical Research Organisation (NTRO), which along with the Defence Intelligence Agency focuses on cyber offensive warfare, says that unless large-scale hiring is done to tap the young, India will remain vulnerable to cyber attacks from rogue states and commercial intelligence gatherers. Rai agrees: “The young generation need to be involved. Steps have been initiated, as outlined, to create awareness, upgrade skills and engage them in R&D in the area of cyber security.”
YOUNG, BRIGHT AND RESTLESS
An engineering graduate from Delhi, now based in London, left India because he found “commercial opportunities” overseas. Before departing, he had dabbled in Indian corporate life and made “some money” as an ethical hacker, tracking ‘weak points’ in computer systems and programmes used by various top companies. The 30-year-old wanted to work with the Government “to help it stay ahead of the global cyber race” and to “combat crippling attacks from China” and other countries keen on cyber espionage. “We could have done it,” he says, “But I knocked on many doors and then decided to leave India when I met a guy at an international hackers conference who offered me a job that requires me to work for democracies elsewhere and earn a hefty sum.” He is cautiously optimistic about the Modi-led Government’s plans to re-equip the national cyber security apparatus. “I am told that the new NSA Ajit Doval means business,” he says, “I am ready to help if I am asked to.”
An NTRO official says that this time round, the Centre plans to actively hire whiz kids from schools and IITs. “I am told this time the Government will, while training, inculcate a sense of patriotism in these children so that they don’t go ahead with plans to make money, like how it happened in China,” he says.
With 62,189 cyber security breaches reported in India and 9,174 local websites hacked in the first five months of 2014 alone, both the Government and the private sector would need 23-year-old Saket Modi and his ilk to safeguard their systems.
As a high-school teenager, Saket Modi, who was weak in chemistry, had hacked into his school system to steal an exam question paper. He did succeed, but overcome by guilt, confessed his theft to his school teacher. Today, he is CEO of Lucideus, a firm that offers ‘ethical hacking’ services. “We are the good guys,” he says. His team comprises cyber analysts and security experts, all in the age group of 18-30, and claims to provide web space security to customers that include—a list that Open could not verify—the Ministry of Corporate Affairs, Ministry of Defence, Ministry of Home Affairs, Criminal Investigation Department, Reserve Bank of India, IBM, Microsoft and various other Central and state investigative agencies. Modi could be an asset for India’s cyber security.
“We would certainly go for those in their twenties, but ideally we would look for kids younger. That is the age to catch them,” says a government official. Rai has said that the country needs close to 4,00,000 professionals to address its cyber security needs. Currently, India has only about 32,000 such experts. “The situation is grim, and hence this drive to catch them young. Especially in protecting critical infrastructure,” says another official. He adds that malware like Stuxnet, Flame, Uroburos/Snake, Blackshades, FinFisher and so on can wreak havoc on critical installations.
What’s crucial in the ongoing plan, says a Defence official, is that the Government should not consider cyberspace any different from land, sea and air. In modern wars and skirmishes, cyber warfare offers an edge even to militarily weak opponents. For instance, the Gaza-based Hamas has had cyber troublemakers hack into phone systems of individuals in Israel and send panic-inducing messages to all those on their contact lists. Israel managed to neutralise such attacks thanks to its preparedness.
Notes Gabi Siboni, Director, military and strategic affairs and cyber warfare programs, at Israel’s Institute for National Security Studies: “Ours is a country that [has been] on its guard since the day it was founded. In the rapidly developing field of cyberspace, there are both risks and opportunities for Israel. Similar to other developed nations, cyberspace exposes Israel to significant fundamental risks, including damage to critical infrastructure, the defence establishment, the economy, and so on. Unlike many countries, Israel faces enemies driven to cause it as much harm as possible. There are a number of significant milestones in the country’s preparations for securing cyberspace; TEHILA—a Hebrew acronym for ‘Government Infrastructure for the Internet Era’—established in 1997 in the office of the Accountant General in the Ministry of Finance, was intended to provide secure browsing services to government ministries and institutions.”
Similarly, North Korea has often used its pool of young hackers to target American websites and installations, besides international gaming sites, as part of efforts to rake in millions that go into the nuclear programme of the communist dictatorship.
THE CHINESE MENACE
By all accounts, Narendra Modi hit it off well with Chinese President Xi Jinping last week at the BRICS summit in Brazil, thanks to their mutual admiration. Modi, who has been gung-ho about China’s growth story for years, is an admirer of China’s leap to the big league of global power. He also wants to emulate that country’s model of infrastructure development in India. Xi, on his part, is reportedly deeply impressed by Modi’s mantra of ‘skill, scale and speed’ and his efforts to draw more Chinese investment to India.
However, cyber experts warn that none of that camaraderie is going to stop volunteers of the People’s Liberation Army from trying to access India’s military and administrative secrets. Beijing has already been quite successful at that. It has also managed to penetrate the American establishment for classified files. The secret of China’s success is a topic that Siboni has studied closely. According to him, China, which started focusing on cyber security around the same time India did, has made impressive advances in the area thanks to its young spies and whiz kids. In an exhaustive research paper he co-authored, titled ‘What Lies Behind Chinese Cyberwarfare’, Siboni explains that Beijing’s plan stems from an awareness that its armed forces are structurally inferior to those of the West. Therefore, along the lines of Sun Tzu’s key instruction in his classic The Art of War, the Chinese decided to “avoid strength and attack weakness”. According to Siboni, China knew that it had to confront an enemy with an edge in the flow of information. “The assumption is that during a confrontation, the ability to damage the flow of information would allow China to attain an advantage in the physical battlefield,” he says.
The major cyber attacks of recent times attributed to China include Operation Aurora, meant to gain access to Google’s password mechanism. Another is Operation Nitro, aimed at US utility companies. Others included The Night Dragon and Shady Rat attacks, which targeted government organisations, energy companies, communication networks, security and financial firms on foreign soil. The pivotal role in these attacks was played by China’s Skypiot programme, which, like Israel’s Talpiot, has units manned by teens. As of now, the strongest countries in terms of cyber military capabilities are the US, UK, China, Russia, Israel and Iran.
THE BIG CHALLENGES
Traditional military powers appear to be at their wits’ end trying to grasp the threat of cyber warfare. This is why the US statement that it would launch military strikes on countries that opt for cyber warfare against it evokes laughter among cyber security experts. “I am sure they know what they are saying. They are just resorting to posturing,” says a US military expert.
Typically, these cyber warriors infest spaces in the cyber sphere that are difficult to track, and they communicate with one another on the ‘Dark Net’. “One can’t afford to wage a war against them from outside cyberspace,” says Yoram Schweitzer, a Tel Aviv-based expert on terrorism and low-intensity warfare. “Cyber offence has the potential to change society’s balance of power because it empowers those engaged in asymmetrical conflicts [and] operate from a position of inferiority, especially terrorist organisations,” he says, “Already today global jihad terrorist organisations are making use of cyberspace, though still in a limited fashion.”
“We often underestimate the power of terrorism over the cyberscape,” says the London-based hacker of Indian origin. Agrees a Defence Ministry official: “Currently they may be using it for collecting information and for communicating with each other and raising funds. They will do it in such a fashion that you wouldn’t know until you are struck.”
“Unfortunately, many of the ethical hackers are looking for more money. Once they taste the pleasure of a quick buck, they can’t stop. They may end up working for anyone, from government to terrorist bodies, both ethically and unethically,” says the London-based hacker, “A hacker, you see, can select the place and timing of the attack, and a defender has to be everywhere.”
The American military historian says that while a first strike offers a significant advantage, like in traditional warfare, it never decides who wins the war. Which is why, he reasons, countries should create both cyber defence and offensive strengths, but recognise that they can’t win by virtue of attacks alone. “You have to invest much more resources in protecting yourself than in launching an offensive,” he concludes, “Otherwise you don’t win a war.”
“It is true,” says the Defence Ministry official, “Cyber defence is of utmost importance, but then having offensive capabilities helps, too, especially in acting as a deterrent.”
Author Sunil Khilnani, professor of politics at King’s College, London, who has written extensively about cyber warfare, offers a word of caution on being sure of the “right group from which to recruit”. Indeed, as the Government goes ahead with its plans and scours the country for whiz kids, a judicious hiring policy could make all the difference to the country’s cyber security.
(With additional reporting by Shruti Vyas)