16 January 2016

Cyber: The War India Never Fought, But Los

http://www.huffingtonpost.in/pukhraj-singh/cyber-the-war-india-never_b_8961996.html
Posted: 14/01/2016 
As the year drew to a close, the cybersecurity industry was abuzz with a sensational disclosure whose geopolitical ramifications largely went ignored. With India so typically caught in the seasonal slumber, the global hacker community, which has never seen a dull day, tore into the networking hardware giant Juniper (its components power and protect the core of the Internet in many nations, facilitating the efficient routing of packets across networks).

The $10.5 billion American company coughed up a press release pointing towards the presence of "unauthorized code" within its line of firewalls --security devices deployed on the network boundaries -- which attackers could leverage to gain remote access or decrypt the Virtual Private Network (VPN) connections. VPN is generally used by teleworking employees to log into the internal network of an organisation via an encrypted channel. As sceptical researchers reverse engineered the software patches supplied by the vendor, the bits and bytes unfolded the sordid saga of state-sponsored subversion that had flopped quite terribly.
A recent trove of classified documents uploaded by journalist Glenn Greenwald has a map with pockmarks over India, depicting the many active "implants" of the NSA.
Sifting through the fog of plausible deniability under which the National Security Agency (NSA) operates, it is almost certain that the devices were backdoored at its behest. Ridiculous as it may sound, a theoretically unbreakable encryption algorithm was made weak by seeding it with known mathematical values, thus making the output predictable. The NSA must have arm-twisted Juniper.

However, this twist will go into the annals of cyberwar, as another actor lured the monster into its den when the backdoor was first detected and then covertly altered by a third-party. It modified the very seed number, like changing the combination key to an existing lock. To put it colloquially, the hacker got hacked. There's a reason why Juniper made the issue public in the first place. As the Federal Bureau of Investigation butts in, it is most likely at the "third party" was a rival country that trumped the US.

Honestly, this is not the story. The story is how a government agency, in its quest to attain god-like sentience, has put the security, economic stability and sovereignty of many developing nations into jeopardy. The story is how India's growth has been irreparably sabotaged by a spate of cyber-espionage attacks, an enormous loss that its institutions are not even equipped to quantify.

As Juniper lost hundreds of millions dollars in the market after the exposé, it seemed like a really tough call for the operators of the NSA who outweighed its own strategic imperatives over the economic interests of the US. But then, most of the vendors leading the global technology trade have indeed been appropriated. Cisco and RSA got their own stories to tell. Symantec just signed up for NATO -- a move that would befuddle our geriatric strategic affairs analysts, who would rarely imagine a technology company enlisting for a military alliance.


This critical departure of the digital epoch would be called the post-Snowden era. A recent trove of classified documents uploaded by journalist Glenn Greenwald has a map with pockmarks over India, depicting the many active "implants" of the NSA. However, it's not the just the US that has bludgeoned us. Thousands of cyber-attacks by nation states and other actors are continuously exfiltrating sensitive information and intellectual property out of India. And the majority of these are not sophisticated intrusions, but run-of-the-mill malware wreaking havoc over our poorly protected infrastructure. Yet, all of them do carry the hallmark of an intelligence operation with a targeted focus on high-value assets.
We ought not to worry about net's neutrality, rather its neutering.



Another essay in this month's issue of Foreign Affairs gives a very dangerous ethnocentric spin to cyberwar. Its authors, two young American political scientists, propose a Faustian deal to placate the European Union: "...a comprehensive institutional infrastructure that could protect the privacy rights of European and U.S. citizens alike, creating rules and institutions to restrict general surveillance". And they conveniently forgot the rest of the world. If such a ratified and hegemonic cyber-regime does get established, it could pose a serious threat to global security. Information is the only true ideological catalyst now, and its hoarding or corruption is a perfect recipe for another Huntingtonian conflict of cultures, between the digital haves and have-nots. The cyberspace should now remind one of the Balkan peninsula of the 19th century. We ought not to worry about net's neutrality, rather its neutering.


Among the flurry of hands that get raised in India when we talk about cybersecurity, none have the wherewithal to pursue this national security issue. Nasscom, a premier Indian lobbying body representing the software industry, shies away from summoning the co-opted foreign vendors. The defence and intelligence agencies are caught in a paralysing mix-up of mandates. The policymakers are dumfounded by the nuances of the domain, while the technical professionals are screaming within their echo chambers.

In a closed-door caucus on national security held recently in Pune, one thing that was abundantly clear is that India needs to start thinking of setting up its own cyber-military industrial complex, if it is to ever survive the information age.

A year-ender by The Wall Street Journal laid bare the cyber skirmishes between the US and Israel, as they jostled each other over nuclear negotiations with Iran. Talking points were received by the leaders of the competing governments before they were even discussed. This is not an exception but a norm -- this is information dominance 101. We need to learn from the Israelis, who pocketed a whopping 10% of the global cybersecurity trade amounting to $6 billion.
India needs to start thinking of setting up its own cyber-military industrial complex, if it is to ever survive the information age.



So much so for the Yuletide gaiety, the US hurriedly amended its Constitution on 15 December, passing the Cybersecurity Information Sharing Act -- formalising an efficient way to share cyber threat intelligence across verticals and sectors. It had become that crucial after one of its most sensitive federal databases was purloined. The approach works on the premise that attack data ought to be swiftly relayed to important organizations in a standardised and distributed manner, so that their security systems could build adaptive defences.

A handful of national security functionaries in India also left their New Year parties early, catching the red-eye flights to Pune, for a second iteration of the caucus. A proposal for automated cyber-defence was submitted -- a productised platform to be developed jointly by public and private bodies, working on similar lines as that of the US, allowing the sharing of cyber-attack indicators across the chaotic and loosely coupled digital ecosystem system of the country. Nonetheless, it remains to be seen how soon our institutions and interlocutors would wake up to the spectre of a militarised cyberspace that completely undermines all the diplomatic trudges of the government.

The writer helped set up the cyber-warfare operations centre at the National Technical Research Organisation, India's technical intelligence agency.

No comments: