India's Cyber Vulnerability: Defence Goes Beyond Military Capability
S.G.VOMBATKERE
MYSURU: The operations systems of British Airways, Lufthansa and Air France have been hit by cyber attack causing economic loss and passenger suffering. Ransomware worm WannaCry struck at and crippled UK's National Health Scheme, causing a national emergency of sorts. Reportedly, the WannaCry worm has not affected India seriously, but that is small consolation considering India's huge vulnerability to cyber attack.
Now [“India's Su-30MKI likely downed by China's Cyber Weapons”; <http://www.defencenews.in/article/Indias-Su-30MKI-likely-downed-by-Chinas-Cyber-Weapons-262280>], Indian Air Force's Su-30 Mk-I jet fighter aircraft is suspected to have been downed by China's cyber attack on its operating system, without firing a shot.
Worms are perhaps the mildest of threats, and may be only about making money. There are other threats including human hackers, who break into the system to steal (copy) data or corrupt the system, making data inaccessible temporarily or permanently. These threats affect systems connected to the internet. Breaches of national or security databases are attacks on the nation and its sovereignty.
Defence
The word “defence” is usually connected with the armed forces, namely, the Army, Navy and Airforce, the formal defence sector together referred to as the military. The primary task of India's military is to protect the nation's territorial and political sovereignty and integrity, with appropriate use of military force.
Military operations are based upon seven parameters, namely, command, control, communications, computers, Intelligence, surveillance and reconnaissance, shortened to C4ISR. Every one of these parameters is dependent upon computers and information technology (IT), and information warfare (IW) is a distinct branch of military operations. Cyber attack on military systems can neutralize one or more of the components of C4ISR, and adversely affect military operations, reflecting upon our nation's sovereignty.
The national economy functions on the basis of the five parameters of C4ISR, excepting surveillance and reconnaissance. Cyber attack on the national economy will have severe consequences on the effectiveness of its military. For example, a cyber attack on the railway operations computer system will at least temporarily halt railway movements to shift military units or military stores. Such a cyber strike at the transportation system will also lead to incalculable financial and economic loss.
Similar scenarios are possible for attacks on electricity power grids; telecommunications grids; police and internal security; banks, stockmarkets and trade-and-finance; petroleum sector; civil aviation; governance nodes; water supply; etc., all critical sectors affecting public order, safety and health.
A cyber strike on multiple sectors can cripple the economy and create public chaos. Realistic security should consider such worst-case scenarios, in which sovereignty will be the most serious casualty. Hence national defence concerns the critical sectors of the national economy in addition to military defence.
Every computer operating system and its database are vulnerable. Experts in IT-IW aver that a system is safe only until it is hacked. Defence against attack is regular but aperiodical change of passwords, data-encryption using secure algorithms and keys, firewalls, malware protection systems and other end-point security systems. Equally important is the hardware secretly embedded in computers or peripheral hardware at the chip- or silicon-level. “Back-doors” in computers, embedded transmitters in data routers and modems, implanted hardware or software in TVs or set-top boxes effectively making a TV into a surveillance camera, are known threats.
It is vital to provide real-time protection to computers and systems in government offices and establishments. This is only possible if critical software involving data encryption, firewalls, etc., and critical hardware are actually made in India with in-house control and oversight by Government of India (GoI).
But at present, all items of critical hardware and software in GoI and state government offices and establishments (including the military) are purchased from vendors in the market, and national safety and security are entirely dependent upon contractual penalties in the breach. Thus, cyber safety and national security is reduced to demanding monetary compensation subject to litigation in courts of law.
The foregoing amply demonstrates that indigenous production of critical IT hardware and software including know-how and know-why, is as much a national defence requirement as indigenous production of critical military hardware and expendables (ammunition). When the military human resource (the soldier) has to be 100% Indian, the human resource employed in production of critical defence hardware and software also needs to be under GoI control. This can happen only when production is by a PSU under GoI's watch.
Given time, any system can be hacked. There is no 100% safety, especially in the IT field. Cyber safety is a dynamic concept, since cyber attackers take advantage of new and hitherto unrecognized vulnerabilities of updated system safeties.
Indigenization in its holistic sense means building indigenous capability for concept, design, development and production of assets of national strategic value. Indigenous production of critical items without GoI control may create jobs, but cannot protect sovereignty.
There is no substitute for indigenously produced and GoI-monitored critical IT hardware and critical software for systems and databases of national importance. The present total dependence on business houses for critical hardware and software must be phased out as a part of national strategy.
PSUs under GoI oversight and control need to produce critical IT hardware and critical software. Rather than privatizing PSUs and losing R&D and production infrastructure and trained human resource, GoI would do well to examine how existing PSUs can be reorganized, re-jigged and re-tooled, and existing human resource re-trained, to meet the need for indigenous research and production of critical IT hardware and software in the interest of national security and sovereignty. Private agencies should of course be employed to supply PSUs with sub-critical systems, overall control remaining with GoI.
Production of critical defence needs is not a matter of business strategy – it is an imperative of national strategy. National sovereignty cannot be subordinated to efficiency of PSUs. If a PSU is deemed inefficient, government needs to set it right in the national interest. Losing control over policy and production of critical hardware and software by privatization of PSUs as business strategy, cannot be in the national interest. National defence clearly goes beyond military capability. Are State and Central Governments listening? Hopefully India's military is alive to its cyber vulnerability, and is doing something about it.
(Major General S.G. Vombatkere, VSM, retired as Additional DG Discipline & Vigilance in Army HQ AG's Branch.)