By Ulrik McKnight
In Part I of India Hacked, The Extent of the Compromise, we explored the extensive hacking of corporate and political India. Part II, Cyberwarfare – The New Battlefield, looked at the national security implications.
Here, we examine what India is doing and look at suggestions from experts as to what more might be done.
As security expert Dmitri Alperovitch told The India Site, in cyberwarfare: “The advantage always goes to the adversary.”
Building Shadow Armies
India’s Shadow Army – More A Shadow Than An Army?
Shaken up by massive data losses, the Indian government has begun to take action. As NTRO Officer on Special Duty Pukhraj Singh told The India Site in an exclusive interview: “Recent developments include the public release of a cybersecurity policy by the Ministry of Communications and IT. Also, CERT-IN, NIC and ministers managing the IT portfolio have become more active.”
Pukhraj Singh points out that several groups within the Government work on cybersecurity. They are naturally hesitant to share details of their operations, but public sources provide some insight.
NTRO, the National Technical Research Organisation, functions at the highest level, from within the Prime Minister’s Office. NTRO is thought to be building an exceptional team with access to high-end technology, but reports suggest it isn’t progressing smoothly. A much-needed draft cybersecurity policy, enforceable by law or by executive directive, was lost in a sea of bureaucracy and never implemented. Worse, NTRO is embroiled in scandal after an audit by the Comptroller and Auditor General reportedly found large-scale irregularities in procurement. NTRO chose to defend itself by invoking national security as a reason not to share information on the matter.
CERT-IN, the Indian Computer Emergency Response Team, is a central agency built to respond to computer security incidents. It is reportedly a small, underpaid organization dependent upon contract employees rather than permanent staff.
In addition, the Army-CERT, the National Informatics Centre (NIC), police department cyber teams, guidelines from the Ministry of External Affairs, and a Government Crisis Management Plan all contribute to the Government’s attempts to strengthen India’s cybersecurity. The fact that multiple organizations are tackling the same problem isn’t, however, as reassuring as one might expect: territorial squabbles and a lack of coordination could make security worse.
After the Stuxnet attacks, the anti-virus firm McAfee found that without clear government policy, Indian companies and ministries were left on their own to implement measures. This splintered approach made security worse.
Security expert Dmitri Alperovitch leads McAfee’s Internet Threat Analysis Group and has worked with the Indian government. He told The India Site: “India’s defenses are not keeping up with the threats. The advantage is definitely on the side of the adversary, who can pretty much get into any network it chooses to.”
The attacks against many prominent Indian targets are actually quite preventable. As anti-virus firm F-Secure’s Chief Research Officer Mikko Hypponen told us: “Many of the tools used in the attacks are fairly basic.”
Singh reinforces the point: “Even run-of-the-mill attacks work against India.”
While government cybersecurity activities are secret, the evidence showing repeated security failings indicates that whatever the plan is, it isn’t working.
A system that has allowed nearly every institution, from think-tanks to embassies to state guests, to be compromised does not inspire confidence. Politicians and bureaucrats still use Gmail for official correspondence, something a solid security policy would flag and put an immediate end to. And even with NIC’s focus on preventing website defacement, the hacktivist group Anonymous claims it took less than three minutes of work to deface NIC’s own website.
Stumbling Blocks
With proper funding and political will, India can be expected to build an exceptionally strong offensive capability – there is already an assumption in the security community that the NTRO is doing just that. Defending existing systems is a different matter, as it takes massive effort and expenditure.
Security expert Sahir Hidayatullah told The India Site: “The problem is defensive capabilities. The government’s existing IT assets are dispersed, and lack proper security. With so many systems to secure, it’s natural they’ll be compromised.”
Even more difficult to overcome than flawed systems are the people who use them. A government insider told us: “Success is not a technical issue. Like any other problem in India, it’s systemic. Ask any honest senior intelligence operative about the biggest national security threat we face and the reply is immediate—corruption.”
Expert Advice
Speaking with security experts in India and around the globe, several themes emerge as to what more India should be doing. They are briefly summarized here:
EYES WIDE OPEN
A recurring point was that the government and bureaucracy have not understood what they’re up against, and need to start taking the threat seriously. There are clearly pockets of excellence in the battle, but they have at times been betrayed by the mindset of the very people who should be supporting them. As a government insider said: “Our cyber agencies have had some major offensive successes, but the bureaucracy used them for their own short-term gains.”
There is a school of thought that cybersecurity actually requires an entirely new framework to be understood. Harvard and MIT have been working to build the new discipline of “Cyber International Relations” for just this purpose.
Pukhraj Singh suggests how this might apply to India:
“This domain should be considered an extension of state intelligence, military and diplomatic machinery. India currently lacks the expertise to see the big picture; understanding it needs the amalgamation of geo-strategy, politics and diplomacy with domains as diverse as technology, crime and economics.”
A QUESTION OF POLICY AND CO-ORDINATION
The solution is not purely technical – an empowered coordinating agency and government policy are critical to success.
The founder of Kaspersky Lab, the renowned cybersecurity expert Eugene Kaspersky, described the importance of a coordinating agency: “A single national agency is required, which must receive information about all attacks. You cannot fight these attacks alone – information sharing is critical.”
Rather than trying to protect all cyber assets, some argue that to deter adversaries the government must increase the cost of attacks, even if that means responding to a cyber attack with conventional warfare.
This philosophy is born of the asymmetrical cyber threat that many countries now face. For example, North Korea’s cyber army could severely damage the extensive cyber assets of the US, but North Korea has very few cyber assets of its own for the US to counter-strike. This has led the Pentagon to publicly adopt the policy that a cyber attack may be considered an act of war, warranting traditional military retaliation. As an unnamed military source told The Wall Street Journal: “If you shut down our power grid, we will put a missile down one of your smokestacks.”
India, a nation rich in both cyber assets and adversaries, also faces asymmetrical threats. Alperovitch says: “India needs policy responses to state-sponsored espionage. Secure the crown jewels, and for everything else respond in force when national sovereignty is compromised. Proportionality of response is important – figure out what your adversaries care about and retaliate appropriately, using not just cyber but also kinetic resources.”
INVESTMENT AND EDUCATION
Cybersecurity requires investment in people and systems. India has an abundance of raw IT talent that can be channelled into this type of work.
Hypponen told us: “Western countries on the forefront of defense have set up research units, started academic research innovation, and run full-scale cyberattack rehearsals. So must India.” According to Hidayatullah: “To build a cadre of elite security technologists we need to promote hardcore computer science education in our technical institutes, not just in the IITs. We also need to foster hacking talent and get hackers into the system. There are geniuses out there. We need to find them. This is exactly what the US is doing.”
India has been thoroughly and repeatedly compromised by ongoing cyber-attacks. Many of these attacks are state-sponsored, and are in fact cyberespionage against the highest levels of the Indian government, military and economy. Even with increasing awareness and counter-measures slowly being put in place, lax security remains the norm. It is almost certain that at this very moment compromised government computers in multiple departments are quietly sending confidential data to anonymous servers in China: embassy correspondence, defence deployment plans, military personnel records, weapon blueprints, or perhaps even your passport or visa information.
India is not alone in facing these problems. Every developed nation is struggling with the same issues. The solution is not easy, and there are well qualified people who are doing their best to fix it. But if these people face a lack of policy, vision and funds from the government, denials of there being a problem, technical illiteracy amongst decision makers, and corruption, what are the chances they will succeed?
The Fifth Domain of War
After attacks similar to, or worse than, those India has faced, other countries are confronting cyber-espionage head on and building their own shadow armies.
The US is pouring billions into cybersecurity. North Korea’s cyber army is estimated at 30,000 ‘soldiers’; China is at 30,000 ‘soldiers’ and has another 150,000 civilian hackers to support them. Germany publicly announced that Chancellor Merkel’s office was hacked and advised German companies working with China to encrypt all correspondence and never leave a laptop unguarded. Russia has 7,000 ‘soldiers’ in its cyber army, and Iran claims to have the second largest cyber army in the world. Even the Australian government acknowledges that it is under attack and proactively involves corporates in cyber-defense.
Whether India succeeds in securing its cyber borders or not, cyber warfare is the new global reality. It is the fifth domain of war – the other four being land, sea, air and space – and it is the only domain to have been invented by humans. As Hypponen put it: “If you look back at how large a technological revolution we went through since WWII until today, I believe that we’re seeing the beginning of an equally large revolution, which is the cyber warfare revolution.”
Ulrik McKnight co-founded and ran BackOps Engineering, a Mumbai-based internet enabled company, and now works with tech firms in the US, India and Europe. He is a regular contributor to The India Site (including the article “Fast Enough to Follow, But Not Fast Enough to Lead”). You can follow him on Twitter: @umcknight

In addition to Army-CERT there are Navy-CERT and IAF-CERT, which are working in India and safeguarding cyberspace. Many attacks have been thwarted by IAF-CERT, which never came into the limelight, and people don’t know about these attempts either……
Excellent series. Thanks for providing the valuable analysis. FYI Dmitri Alperovitch has left McAfee.