The need for a cyber warfare strategy
DECEMBER 24, 2008. Barely a month after the 26/11 attacks, a group calling itself “Whackerz Pakistan” hacks into the Indian Eastern Railways website, defacing it with a series of threats against Indian financial institutions and Indian citizens. Earlier that year, hackers from China attacked the Ministry of External Affairs (MEA) website. Despite official denials, at least one website reported that the hackers stole login identities and passwords of several Indian diplomats. In May 2008, the National Informatics Centre (NIC), the primary IT infrastructure support organisation of the Union Government, was attacked by GhostNet, a large, China-based cyber-spying organisation. In 2008 alone, over 4,000 Indian websites, including almost 100 Indian government websites, were defaced by cyber attackers.
An understanding of the terms “information operations” and “information warfare” is important to distinguish the two from generic cyber attacks. In a document entitled “Joint Doctrine for Information Operations” (1998), the United States Joint Chiefs of Staff defined information operations (IO) as “actions taken to affect adversary information and information systems, while defending one’s own information and information systems” and information warfare as “IO conducted during times of crisis or conflict (including war)…” The terms “information warfare” and “cyber warfare” are essentially synonymous and related to the term “cyber terrorism”, which is the use of IO to intimidate or coerce a government or its people, to further political, social or ideological objectives.
The definition of cyber warfare as actions conducted during times of conflict is important because it sheds light on the fact that India and Pakistan have been in a state of cyber war since the coming of the Internet age. The use of cyber terrorism against India by Pakistani hackers, then, is only a natural extension of the real-world unconventional war waged by Pakistan against India.
The first true example of cyber war was perhaps the Russia-Estonia conflict in 2007. However, the use of computer technology to undermine an adversary’s military operations is not new. For example, in the Persian Gulf War in 1990, a group of teenagers from the Netherlands hacked into the United States Department of Defense (DoD) systems and obtained data such as US troop locations, weapons and the exact movement of US warships. They then tried to sell the information to Saddam Hussein, who, thinking it was a trap, declined the offer!
The South Ossetia War in July 2008 was the first major international military conflict during which cyber warfare was integrated with conventional military offensives. Russia’s cyber attacks, mounted as distributed denial of service (DDoS) assaults, were launched as a precursor to the full-blown land, air and sea assault on Georgia. The attacks both defaced and rendered inoperable several government and mass media websites, greatly affecting the Georgian government’s ability to communicate and disseminate information to its citizens, its military and the outside world.
India’s vulnerability to cyber warfare is evident in the statistics presented earlier. The proliferation of information technology in India, coupled with low levels of security awareness (at personal, corporate and government levels) means that this vulnerability to attacks from hostile national and sub-national entities will only increase. A May 2008 report in The Times of India identified botnets as the primary mode of attack. Botnets, also known as “zombie networks”, are armies of compromised computers, controlled externally to co-ordinate attacks against other networks. The more than 50,000 operational botnets in India could be employed to render inoperable government and military communication networks and wreak havoc on command and control during military conflict. The concept of employing botnets to overwhelm and render inoperable a country’s network infrastructure was successfully demonstrated by the Russians in the Estonia conflict.
So what apparatus has India set up to counter the surge of cyber attacks against the nation? The Information Technology Act (2000) was passed into law in response to the need to regulate the use of electronic media. The act provides a broad framework to govern the use of information technology in India, but fails to address key areas with national security implications, including tackling the issue of cyber terrorism and the use of computers or other electronic media to threaten the integrity and sovereignty of India. Some issues were addressed in the Information Technology (Amendment) Act 2008, but the amendment, passed by both houses in December 2008, is not yet “notified” and therefore is yet to come into force. The amendment, in any case, fails to specifically address the use of telecommunications equipment, electronic devices and networks in assisting, planning or executing physical acts of terror in India.
The Information Technology Act (2000) provided for the creation of a Computer Emergency Response Team (CERT-In) to address cyber security incidents, but falls short of establishing an operational body for proactive defence of India’s information and electronic assets. CERT-In functions in the same capacity as CERTs around the world—collecting and analysing information on cyber threats, and issuing alerts, guidelines and advisories on potential and current threats—but doesn’t provide an “in the trenches” response to ongoing incidents that impact national security.
Countries around the world are realising the importance of information technology to national security. China has formulated an official cyber warfare doctrine within the framework of its integrated national plan and conducts cyber warfare simulations as part of routine military exercises. Pakistan, although lacking a coherent cyber warfare strategy, has a well-trained, mostly volunteer cadre of hackers and programmers, who regularly target India under the auspices of the Pakistani government. In addition, Pakistan maintains well-trained and motivated operatives within its Inter Services Intelligence (ISI) who are adept at IO.
The robustness and maturity of China’s IO capability, particularly as evidenced against the backdrop of its breach of the fifth-generation F-35 “Joint Strike Fighter” program, has forced the US to accelerate plans to establish the United States Cyber Command (USCC). In India, the nascent Defence and Information Warfare Agency (DIWA) is responsible for aggressive IO. However, the agency’s capability for co-ordinated IO action against adversaries is unknown and untested.
The existence of DIWA, however, doesn’t reduce India’s vulnerability to cyber attacks. If anything, an argument can be made that aggressive IO will attract further retributive attacks, particularly given our low levels of security preparedness and the lack of an operational mechanism to defend against such attacks. The consequences of dragging one’s feet in the ever-changing world of technology can be far reaching. The Indian government must ensure that adequate measures are in place to govern the use of information technology, and provide protection to the nation’s information assets.
Firstly, the government must move forward with enacting the Information Technology (Amendment) Act 2008. Further, it must evaluate the feasibility of establishing a body dedicated to the proactive defence of India’s information assets to mitigate the obvious operational risks they face at the hands of our adversaries. Also needing attention are India’s revealed weaknesses in the field of cyber forensics—a fact that was evident when it had to rely on the FBI to trace the 26/11 email allegedly sent from Hyderabad by the so-called ‘Deccan Mujahideen’, to Lahore, Pakistan.
As part of an overall security preparedness strategy, all infrastructure and networks supporting government, military and essential services must go through security hardening procedures, including regular security audits. The government must also provide and encourage security awareness training across the board for anyone who accesses sensitive information electronically, including ministers, military personnel and our diplomatic corps.
The rapid adoption of new technologies in today’s world presents challenges that India, and other nations, will be forced to address. Due to the nature of cyber warfare and cyber terrorism, no nation can truly be invulnerable to attacks. Indeed, cyber attacks will continue to be weapons of choice for many, given issues of jurisdiction in bringing offenders to book, the relative anonymity of operating over the Internet, and the negligible cost associated with mounting a cyber attack (and indeed, each incremental cyber attack) against a specific adversary. However, India can, to a large extent, effectively manage many of these risks by establishing a robust mechanism to govern the use of information technology in the nation; providing for a centralised structure for proactive defence of information assets, aggressive IO, and cyber forensic analysis; establishing a process to regularly evaluate information technology risks with national security implications, and the state of preparedness; and encouraging education on information security awareness issues at personal, corporate, military and government levels.
International negotiations to prevent cyber attacks have been proposed by Russia, but the United States has been opposed to an international treaty along the lines of the Chemical Weapons Convention. The European Union and China have begun to assert their own positions with regard to cyber war and international law. It is as yet unclear whether the Indian government has allocated any diplomatic bandwidth on this front. It is important for India to shape the rules in a manner that protects its interests.