CYBERTECH INDIA 2018
Cyberspace, a domain created not by nature but by human beings, has emerged to provide tremendous benefits, but also to present new risks. Technologically driven methods are used to gain unauthorised access to computer resources for most cyber operations, regardless of the intended purpose: crime, terrorism, industrial espionage, military espionage, or warfare. Indeed, novel cyber attacks on critical national infrastructure are likely to severely disrupt social activities if successful. Cyber security has thus become a national security issue.
To address this important issue, a seminar on the subject was conducted by South Asia Defence and Strategic Review in concert with CENJOWS on 27 and 28 Jun at the DRDO Bhavan, New Delhi. The first such event, conducted by us in 2012, did not draw the kind of attention that was warranted, as is evident from the fact that only two service officers attended, and that too in civvies.
However, this year’s seminar was a marked departure from the first one, as the COAS graced the occasion and there were representatives from all the three Services, DRDO, Industry and CAPFs. There was a galaxy of subject matter experts who enlightened the audience, which was enthusiastically participatory, and in consequence some very interesting discussions were generated.
The aim of the seminar was to assess our preparedness for cyber war and to chart out a practicable way forward.
The proceedings were initiated by Lt Gen Vinod Bhatia PVSM, AVSM, VSM (Retd), Director CENJOWS, who spoke about the rapid changes in technology, shifting nuances in the nature of warfare and the need to dominate cyberspace. In his welcome address Air Marshal PN Pradhan, AVSM, DCIDS (Ops) emphasized that the importance of cyber security is poorly understood, gave the examples of WikiLeaks and Cambridge Analytica, and went on to state that cyber security is the biggest challenge of the 21st century. Lt Gen Satish Dua, PVSM, UYSM, SM, VSM, CISC, spoke about emerging threats in the cyber threat landscape in view of the increase in e-commerce and e-governance, and therefore the need to tweak our strategies accordingly. General Bipin Rawat, UYSM, AVSM, YSM, SM, VSM, COAS lauded the initiative of the Northern Command of the Indian Army to shift to BOSS OS and to develop an indigenous network security overlay, which he pointed out were pioneering steps for setting up an indigenous ecosystem for cyber security. The COAS desired that we develop niche capabilities to defeat the enemy and that we should be proactive in our use of cyberspace against the enemy rather than be defensive. Lt Gen DS Hooda, PVSM, UYSM, AVSM, VSM **, Former GOC-in-C, emphasized the need to develop a doctrine and to have a cyber command, with a coordinator well versed in cyber warfare in the PMO controlling matters related to cyberspace. He further brought out that the constitutional provisions on the defence of India mandate that the MoD is responsible. He also cautioned the military leadership about this responsibility and said that they should not be found wanting.
After the Opening Session there were sessions and panel discussions which covered various important facets of the issue. The topics were as under:
• Session I: Cyber Warfare & Cyber Threat Landscape
• Session II: Building a Cyber Secure Nation
• Session III: Cyber Laws and Policies, International Cooperation and Best Practices
• Session IV: Critical Information Infrastructure Protection
• Session V: Internet of Things: The Changing Cyber Security Landscape
• Panel Discussion: Cyber Analytic Capabilities, Strengthening the Organisation through Skills, Policies and Systems
Evaluation of Preparedness. We need to evaluate the levels of our preparedness for countering threats posed by Cyber Space. Securing online borders is as important as safeguarding the air, land and sea boundaries. It is only after we identify our strengths and weaknesses that we will be able to move forward in the right direction.
Policy. There is a need to chart out comprehensive cyber security policies. It is imperative to have policies, and they must be worked out by taking advice and inputs from technologists and domain experts. Having policies will help only if we ensure that they are implemented in right earnest. Policies must explicitly delineate measures for protection of CII. We must demonstrate leadership and commitment towards CIIP.
Strategy and Wherewithal. We must have appropriate offensive as well as defensive strategies to wage a cyber war as well as defend ourselves against cyber attacks. We must have the ability to bring to bear effective cyber deterrence on our adversaries. And last but not the least we need to develop capabilities and infrastructure which provide adequate cyber resilience to the country. We must also come together to formulate strategies to effectively counter online and offline violent extremist narratives to protect national security.
Structures. It is absolutely of the essence that we have appropriate structures in place to ensure cyber security of the nation. It is well-nigh impossible to take on the challenges posed by cyber threats without having the appropriate structure in place and ensuring that all constituents of the said structure work in concert with each other and have the required levels of cooperation and synergy.
Skills. We need to develop appropriate skills in the work force involved in the cyber space. Awareness and strategic educational initiatives must be strongly encouraged. In addition, multidisciplinary research and development needs to be accelerated involving the academia and industry.
Develop IT Competence. Cyberspace provides a vast canvas for waging war, and advances in technology such as AI, IoT and cloud computing have made it a lethal battlefield with immense possibilities. Therefore, we need to develop the requisite IT competence, which helps integrate security aspects with technology and thus enables us to gain a competitive edge.
Need for Indigenous Technology. The importance of creating indigenous technical infrastructure in the country cannot be overemphasised. Having home-developed products will certainly help reduce the reliance on foreign hardware and software, which is one of the major sources of cyber security breaches as it gives free passage and backdoor entry to various types of spyware. Policies like ‘Make in India’ should be highly encouraged and implemented on a wider scale.
Legislative Measures. We must have appropriate legislative measures in place to make the cyber security framework effective and strong. Legal framework must be enforced to develop a better cyber security culture that adopts a multi-disciplinary and multi-stakeholder approach.
Need for International Laws on Cyber Security. There is a need for cogent International Laws in the sphere of cyber security. These should be universally acceptable and ratified by all concerned. Cyber norms and international laws should be harmonized globally. Threats can be categorized into three categories: National threats, Economic threats and attacks impacting individuals. We need to have adequate cross border cyber laws for all threats and vulnerabilities arising due to cross border flow of data.
Data Privacy. Everyone using the internet must be aware of their rights and responsibilities while sharing any data on social media platforms. Data privacy is a serious concern that must be dealt with due care. Caution exercised in this regard will pay rich dividends. In addition, Data Privacy and Data Localisation play a crucial role while processing data. Countries like Russia, China, Singapore and Vietnam have their own data localisation laws. There is a need for such cohesive laws in India as well.
Attitudinal Shift to Change. Wider adoption of the internet and newer technology has also led to an increase in cyber attacks, instilling a fear in our minds and thus creating a defensive mindset because of which we impose unwarranted restrictions and caution on ourselves. We are therefore unable to exploit the systems to their full potential. We should instead adopt a proactive approach and integrate the required cyber defense mechanisms which can facilitate full exploitation of systems by providing the necessary security.
Encourage Startup Culture. We must encourage the creation of a startup culture in India that encourages young minds to come up with innovative solutions in the domain of cyber security. Hindustan Aeronautics Limited (HAL) and Bharat Electronics Limited (BEL) are scouting for defense startups to build a culture of innovation and harness the solutions provided by them. As technologies like AI, robotics, drones, and advanced cyber security tools gather prominence, startups in the defense sector, and early-stage technology companies as well as SMEs are well-positioned to contribute to the defense industrial base.
Making the Digital Footprint Smaller. It is important to hide our identities in cyber warfare as long as possible, for which we need to reduce our digital footprint. This will also reduce the chances of our adversary knowing our progress. R&D with the involvement of both Academia and Industry should exploit the areas of AI, quantum computing, private tactical player computing, etc. with the aim of reducing the digital footprint not only in the physical domain but in the digital domain as well.
Risk Based Security Management. Risk-based cyber security management, where organizations continuously check whether they are at risk and whether they are prepared for any eventuality which may compromise security, must be implemented. Once a breach is detected, the organization needs to prepare for future events; after the first attack the likelihood of another attack is quite high, which is why continual risk management is required.
Identity & Access Management. This is the need of the hour because the lack of multi-factor authentication and reliance on device-based authentication leads to difficulty in identifying the attackers.
Intelligence. Adversary Intelligence, Machine Intelligence, Victim Intelligence and Campaign Intelligence should be collectively used to create a cogent picture to fully understand the attacker(s).
TTP. People need to understand various tactics, techniques and procedures (TTP) to safeguard their assets from various threat agents in cyberspace. This is vital to the cause as threat agents have continued to use old and proven exploits to carry out attacks. Conventional methods for security in cyberspace may consume a significant amount of time. Therefore, the focus should be on early detection of such attacks along with quick response in real time. Every organization should do threat modelling from an active-attacker perspective.
Public and Private Partnership. Multi-disciplinary research needs to be encouraged in partnership between public and private sector. We need to have collaborations between trusted public and private players to develop incident response capabilities to gain better security controls and thus enhance CIIP.
Modify IoT Architecture. The IoT architecture needs to be modified. A three-tier architecture would serve as an appropriate IoT solution. Instead of connecting IoT devices directly to the cloud, we can have another layer in between the devices and the cloud to simplify, scale, and add security.
Automation of Policy Compliance Check/Audit. Policy compliance checks and auditing take a lot of time and human effort. Automation can help ensure better accuracy and efficiency in far less time. It is more effective in picking out non-compliances with the security policy in large networks (e.g. Defence Networks). It uses log records as evidence to verify policy compliance. There are various challenges for such a system, like the large volume of logs and the varied formats from heterogeneous devices and applications.
Use of End Point Security and Tools. We must introduce end point network security solutions. Various apps and software are available for the purpose. In addition, there are several tools available for cyber monitoring and defence. These tools must be used to minimize security breaches.
Cyberspace besides providing immense advantages and benefits to mankind comes with concomitant risks. Due to the attendant risks it has become a national security issue. The risks manifest themselves through unauthorised access to computer systems with a view to indulge in financial/other crimes, terrorism, gain corporate intelligence, military espionage and last but not the least help in waging war. Attacks on critical infrastructure are an ever-growing concern as the functioning of the infrastructure is heavily reliant on digital systems. Cyber-attacks on critical infrastructure have the capability of creating serious disruptions which can throw normal life of a nation out of gear.
Cyberspace has indeed evolved as the fifth dimension of warfare where the lines in different phases of peace, crisis, conflict and post conflict are blurred and calls for a de-novo approach to develop the strategies and tactics for this domain. The centre of gravity of this new form of warfare in fifth dimension has shifted to data and networks. The outcome of operations in this virtual domain could be tangible or intangible, but there is no denying its immense potential. Innovation and creativity to exploit technology and outwit the adversary in cyberspace to damage his capability to fight will remain the decisive factor.
Cyberspace, besides the interconnected information technology infrastructure including social media, has new constituents like artificial intelligence (AI), which would obviously be a double-edged weapon with the ability to give advantage to either side.
A number of definitions of cyber warfare have been proposed, with no single definition being widely adopted internationally. One definition states that it is ‘actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.’ In these types of attacks, nation-state actors attempt to disrupt the activities of organizations or nation-states, especially for strategic or military purposes and cyberespionage. Other definitions include non-state actors, such as terrorist groups, companies, political or ideological extremist groups, hacktivists, and transnational criminal organizations. There are three main components of cyber warfare – deter, defend and attack.
Cyber Threat Landscape
The world is becoming a global village with much of its connectivity attributed to the internet. In India, there are 1 billion mobile devices out of which 30% are smartphones. It is also estimated that there are 400 million internet users in India. It is this connectivity which brings in its wake several threats and vulnerabilities, which will continue to grow exponentially with the wider adoption of technologies like AI, IoT, cloud computing, blockchain technology etc.
We need to evaluate the effects of cyberspace and cyber warfare on the critical systems of our country. It is time that we test our resolve and capabilities in fighting against the threats posed by cyber warfare. Examples of such threats include perception management, hacktivism, misuse of drone technology, blocking air defense, targeting essential systems like Supervisory Control and Data Acquisition (SCADA) systems etc. The adversaries waging such attacks against our nation can be both state and non-state actors such as perpetrators of cyber terrorism, cyber espionage and radicalization. The spectrum of cyber security threats covers a wide range. They range from petty theft/crime (email ids, bank details) to organized crime like ransomware, DDoS, industrial espionage etc. Then comes the nation-state sponsored non-commercial intent, like strategic/government information collection, critical infrastructure targeting etc. The motives behind the cyber attacks can be political, commercial, military and even exploratory.
Social media has become a convenient source of propagating malevolent intent over the cyberspace. The radicalization of Burhan Wani and the exodus of the North East people from Bangalore are classic examples. It has been found that training and online recruitment of extremists is carried out using cyberspace. Many more anti-national activities are carried out over the internet. Risks in the cyber domain need to be identified and a strategic approach must be adopted by the nation to counter cyber attacks. IT and Defense must work hand in hand to develop solutions that are at par with international standards and prove effective in fighting against cyberspace threats.
Cyber Deterrence and Cyber Resilience
Deterrence in cyberspace is a very complex issue. Nuclear deterrence works because there is clarity on the capability of adversaries and the humungous cost of a nuclear conflict. Cyber warfare is characterized by an absence of clarity. We can never be certain about the capability of the other side (there are no warheads and missiles to be counted) and the chances of success if we launch a cyber counterstrike. However, if we do nothing to deter cyber attacks, we are only encouraging more of them. Therefore, deterrence by imposing cost on the adversary is an important strategy. This cost imposition is not only by a cyber vs cyber attack but includes a whole range of options from military response as well as diplomatic and economic responses. While carrying these out, we must also be prepared for escalation of the conflict to the conventional warfighting domain. There are two main principles of deterrence. The first, denial, involves convincing would-be attackers that they won’t succeed, at least without enormous effort and cost beyond what they are willing to invest. The second is punishment: Making sure the adversaries know there will be a strong response that might inflict more harm than they are willing to bear.
There are three things we can do to strengthen cyber deterrence: Improve cybersecurity, employ active defence and establish international norms for cyberspace. The first two of these measures will significantly improve our cyber defence so that even if an attack is not deterred, it will not succeed.
Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack.
On the other hand, cyber resilience looks at a wider scope where it comprises cyber security and business resilience. Cyber resilience focuses on the preventative, detective, and reactive controls in an information technology environment to assess gaps and drive enhancements to the overall security posture of the entity. Cyber resilience is an evolving perspective that is rapidly gaining recognition. The concept essentially brings the areas of information security, business continuity and (organizational) resilience together.
Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. Offensive and defensive networks, air-gapped networks and cyber militia are three mainstays to create the triad. A nation is resilient enough when all these three aspects are in a good place.
Cyber defence is a computer network defence mechanism which includes response to actions and critical infrastructure protection and information assurance for organizations, government entities and other possible networks. Cyber defence focuses on preventing, detecting and providing timely responses to attacks or threats, so that no infrastructure or information is tampered with. With the growth in volume as well as complexity of cyber attacks, cyber defence is essential for most entities in order to protect sensitive information as well as to safeguard assets.
When it comes to acting against attackers, there are many ways to monitor, identify and counter adversary cyber attacks. These active cyber defenses are similar to air defense systems that monitor the sky for hostile aircraft and shoot down incoming missiles. Network monitors that watch for and block (‘shoot down’) hostile packets are one example, as are honeypots that attract or deflect adversary packets into safe areas, where they do not harm the targeted network, and can even be studied to reveal attackers’ techniques.
Another set of active defenses involves collecting, analyzing and sharing information about potential threats so that network operators can respond to the latest developments. For example, operators could regularly scan their systems looking for devices vulnerable to or compromised by the Mirai botnet or other malware. If they find some, they can disconnect the devices from the network and alert the devices’ owners to the danger.
Active cyber defense does more than just deny attackers opportunities. It can often unmask the people behind them, leading to punishment.
The connotation of cyber attacks herein is the offensive operations that will be conducted by us to target the opponents’ computer information systems, critical infrastructure, networks or personal computer devices. These could be standalone operations, part of our deterrence, or an integral part of military operations. In the event of a conventional war or a near-war situation we will carry out offensive cyber attacks to disrupt command and control systems, networked platforms and weapon systems, accompanied by an information campaign to spread disinformation, create confusion and attempt to lower the morale of the opponent. However, the launch of offensive cyber operations requires extensive planning and preparation during peacetime. There will be a requirement to gather prior intelligence of targets, develop the cyber tools necessary and then integrate cyber operations with battle plans, e.g. the area of our planned offensives will decide the specific communication and command and control networks to be targeted.
Critical Infrastructure Protection
Information Technology Act Section 70(1) defines Critical Information Infrastructures (CII) as a ‘computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety’. These include information infrastructures which support essential components vital to a national economy. CII is the pillar on which a modern nation functions. Many components of the critical infrastructure such as radars, electronic devices, smart grids, SCADA systems etc. reside in the cyber domain; if an attack is carried out on these devices, the amount of damage done will be severe. Therefore, the need for Critical Information Infrastructure Protection (CIIP) against cyber attacks must be given top priority. Given the scale and scope of the challenge, responsibility must be shared by both public and private sectors.
Hence, we need to develop optimal and proactive capabilities for cyber security and safety to protect our nation from this rapidly emerging threat. Telecommunication and network security addresses network structures, transmission methods, transport formats and security measures, which are used to provide availability, integrity and confidentiality. The ‘Athens Affair’ is a case in point where there was a major telecom failure in protecting data; an attacker hacked into Vodafone’s ‘lawful intercept’ system, the phone company’s mechanism of wiretapping all phone calls. And then there are Edward Snowden’s revelations about the National Security Agency (NSA) and its British partner GCHQ hacking into ‘Gemalto’, the largest SIM card manufacturer in the world.
To ensure security we must have information security good practices that constitute clear policy and guidelines, the right approach, a consistent culture, support and commitment from leadership, and understanding through risk assessment and management. In addition, appropriate training, education, and awareness are mandatory.
In India this task has been given to the NTRO and they are working towards providing the required solutions. The military has been kept out of the NTRO mandate and will look to secure their own networks.
Cyber Security Structures
The existing structure in India is not adequate to deal with cyber warfare scenario, as it obtains. The agencies, presently charged with the responsibility, do not work in a coordinated manner, resulting in duplication of work and lack of the required synergy. Besides there are attempts, for obvious reasons, to keep ahead of one another. Thus, the need of the hour is to coordinate and synergise cyber domain activities to enhance security. A central agency, which could be called the National Cyber Security Commission needs to be set up.
The Commission should be a statutory body, with a coordination cell in each ministry. The existing structures in the ministries should be subjected to minimal disturbance. All matters related to cyber security and cyber warfare must be the responsibility of the said Commission.
It is proposed that the National Cyber Security Commission be headed by the National Cyber Security Coordinator (an appointment that is also presently there), who should report to the NSA.
The responsibilities that should be assigned to coordinators of various ministries are as follows:
• PMO Coord - Cyber Intelligence gathering and analysis.
• MHA Coord - Internal security coordination, crime control, investigation and internet intelligence.
• MeitY Coord - Media, internet, telecom information technology and e-governance security information.
• MIB Coord - Monitor website blogs and social media.
• MoD Coord - Responsible for national security and intelligence collection from Army, Navy and Air Force.
• MoF Coord - Control economic offences i.e. monitor and control funding to cyber terrorists and criminals.
• MEA Coord - Responsible for coordination and information exchange. It will also take care of the Global Cyber Issue Cell.
The commission should also have NTRO and defence forces coordinators. There is also a need to create an ecosystem for academia, industries and start-ups for R&D in cyber operations.
There is an opinion that the cyber commission will only add another layer of bureaucracy on the present structures and will not be suitable for war, which is a command function with military responsibilities and the preserve of the military the world over. An alternative option, on the basis of constitutional provisions which mandate the defence of India to the MoD, is to raise a Cyber Command as a part of the military with clear allocation of resources and responsibilities for the conduct of warfare, comprising cyber as well as kinetic operations or a combination of both. The Cyber Command would also need coordinators from various ministries as in the first option.
Increasing role of Artificial Intelligence in Cyberspace
AI, also sometimes referred to as machine intelligence, is intelligence demonstrated by machines, in contrast to the natural intelligence displayed by humans and other animals. Though there is no generally agreed definition of AI, in a generic sense it is accepted that it is the capability of a machine to simulate activities thought to require human intelligence.
The latent capability of AI, including its ability to enhance the speed and accuracy of everything from information availability, and thus decision making, to logistics, is making militaries around the world see immense potential in AI applications in all the three dimensions.
The need for AI technologies in the context of warfare being well accepted, realising an AI system requires the establishment of the Sense-Plan-Act cycle, which naturally maps to the OODA (Observe-Orient-Decide-Act) loop familiar to the military.
There are several possible AI applications for the military. It has already been tried out during training. The British Royal Navy, in partnership with a number of NATO navies, hosted Information Warrior 2017, a training exercise to counter threats and challenges arising from cyber warfare. The exercise involved 35 platforms including warships, submarines, fixed wing aircraft and helicopters, belonging to the navies of US, Norway, France, Denmark, Germany and Belgium. During the exercises, the Royal Navy introduced a new AI system called STARTLE, designed to enhance situational awareness, monitor and evaluate potential threats and response times to various insecurities at sea. STARTLE comprises a complex sensor suite that uses AI for a fitting response. Importantly, the software of the system is designed to perform the way the human brain works and reacts to ‘human fear’. In essence, it is a ‘digital colleague’ that allows the ‘command team to make more informed decisions, at a much faster rate, thus saving vital seconds in combat’. Further, AI would enable platforms to be “safer and more effective in fast-moving, war-fighting situations” and fight in a high risk cyber environment. The ability of software to understand photos and videos could greatly help in processing the mountains of data from surveillance systems or for surveillance. Facial recognition AI systems are developing rapidly.
However, there will also be negative consequences from AI adoption by the military. The military's current validation process is meant for software and is not suited to AIs that learn. Fudged data provided by opponents might have dangerous consequences.