12 November 2019

What the cyber attacks on Kudankulam and Isro show | Analysis

Pukhraj Singh

On September 3, I notified the National Cyber Security Coordinator about network intrusions into the Kudankulam Nuclear Power Plant (KKNPP) and Indian Space Research Organisation (ISRO), after being tipped off by a third-party. It was right around the time of Chandrayaan-2’s final descent.

I made a responsible disclosure on social media on October 28, after the technical indicators of the attack started trickling into the cybersecurity community at-large. It seemed that the infection was still prevalent, nearly two months after the notification.

I did, however, post a cryptic tweet on September 7, which hinted at a “casus belli” – an act of war – in Indian cyberspace.

Public attribution of the attack led to the North Korean threat actor Lazarus and its intrusion toolkit DTrack. It is said to have commanded a persistent presence in Indian networks, also linked to the 2016 breach of a debit card database.


Issue Makers Lab – an expert group of malware analysts based in South Korea – have strengthened DTrack’s linkages to Lazarus. In the case of KKNPP, Lazarus seemed to be after cutting-edge nuclear technology. But Issue Makers Lab claims that DTrack also undertook a destructive attack on a South Korean nuclear installation.

Over the years, nation states have realised that an act of war in cyberspace – unlike the conventional domains of land, sea and air – is not governed by the notion that an attack must be physically destructive or kinetic. The spatial redlines of conflict like border and territory have given way to more perceptive or cognitive parameters.

It is exactly why President Obama vowed a “proportional response” when a seemingly inconsequential film studio Sony Pictures was hacked by Lazarus. It was an act of power projection by the North Korean regime.

Governments are struggling to grapple with the below-threshold nature of hybrid war and how power manifests in cyberspace.

Richard Danzig, an advisor to two American presidents, had set the following minimum threshold for response: “The US cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the US unwilling to make a decision or unable to act on a decision fundamental to our national security.”

It is that simple. Governments need to do an inward-looking appraisal of their limits of tolerance, and not seek them within the law of armed conflict or international rules-based order.

However, such an appraisal necessitates that – to deal with emerging hybrid threats posing an existential danger – the whole of our national security doctrine is strategically pivoted around cyber offence and defence.

Take the case of two cardinal dimensions of cyber conflict: intent and attribution.

Unlike a conventional munition, the intent of a “cyberweapon” doesn’t reside in the code or innards of a malware. An ongoing espionage operation – like the one which affected KKNPP and ISRO – could easily be weaponised into a destructive attack in a matter of seconds – as was done at a South Korean nuclear facility.

Intent, too, resides in the mind, that of the adversary. It is exactly why the US Intelligence Community relied on moles within the Kremlin to put forth a high-confidence assessment that it was indeed the Russians who interfered in the 2016 national elections. This, despite the fact that the US fields multibillion-dollar cyber counter-intelligence programs.

The stakes are so high that you simply can’t escalate matters based merely on technical evidence – your complete intelligence strategy must converge around full-spectrum cyber attribution.

Even technical attribution or a whodunnit generally requires decades-long efforts which methodically study a cyber actor’s remit, incentives, budgets, operational fluctuations, concept of operations, and boundaries of knowledge. It took Microsoft and Google many years and many millions to build a strategic cyber intelligence apparatus rivalling that of nation states.

Last month, the UK government disclosed that hackers linked to Russian state masqueraded as Iranians, by planting “false flags” within their offensive infrastructure. Cyber deception is way too trivial. And it has the potential to trigger inadvertent wars.

Endorsing the public narrative that it was the North Koreans without informed, methodological and clinical intelligence assessment may only aggravate the fog of war. And fog of war in itself signifies defeat in cyberspace.

That is what Danzig tried to address with his baseline declaration and what the US Cyber Command is deterring with its new Defend Forward strategy. A cyber operator doesn’t battle with the adversary but uncertainty.

Defend Forward replaces cyber power projection based on rules-based warfighting with more pre-emptive, extrajudicial manoeuvring within the adversary’s information battlespace. Such actions could be highly escalatory without a deterrence strategy in place.

While intrusions at KKNPP and ISRO seemed to be focusing on technology theft, they weren’t destructive because the actor decided against it. We were at its mercy.

It’s not about how safe our critical infrastructure is; it’s about the complete absence of a deterrence framework.

As access was gained over extended periods of time, what all the attackers subverted at such critical installations becomes a vague exercise in probability and conjecturing. We may never really know.

The long-awaited reforms of India’s cyber apparatus should be hastened. The National Critical Information Infrastructure Protection Centre needs to be fully bifurcated from the National Technical Research Organisation (NTRO) – as per the former’s expressed mandate. There should be just a one-way umbilical cord between the two.

The cyber offence mandate needs to be consolidated and then split between the Defence Cyber Agency (DCyA) and NTRO. Other agencies should only act as the consumers of intelligence, defining targeting priorities. NTRO may work on the development of offensive toolchains (elaborate intelligence software).

The targeting criteria – the most crucial component of a cyber apparatus – ought to be controlled by DCyA. Our cyber doctrine, too, needs to be spelt out clearly and unequivocally. Let’s establish a framework for both deterrence by denial and deterrence by punishment.

Espionage and effect-based operations need to be carefully managed as well via a unified, integrated command structure. Strategic military jointness should be inculcated as a software mechanism, not as inter-agency bonhomie.

DCyA could supersede as its imperatives are far more crucial.

Cyber conflict follows the Thucydidean paradigm, “The strong do what they can, and the weak suffer what they must.” Let’s be strong.

Pukhraj Singh is a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me

The views expressed are personal

No comments: