Beyond the Military

India’s Cyber Vulnerability

S G Vombatkere

The ransomware worm WannaCry struck at and crippled UK’s National Health Scheme, causing a national emergency of sorts. The operations systems of British Airways, Lufthansa and Air France were targets of cyber-attack on passenger handling, causing economic loss but fortunately no accident. All this is cause for concern in India, because of India’s huge vulnerability to cyber-attack. An Indian Air Force Su-30 Mk-I jet fighter aircraft is suspected to have been downed by China’s cyber-attack on its avionics system, without firing a shot. Is China checking out Indian military cyber vulnerability?

Worms are perhaps the mildest of threats, but there are other threats including human hackers, who break into systems to steal (copy) data or corrupt it, making data inaccessible, temporarily or permanently, or infiltrate the operating system itself. These threats affect systems connected to the internet. Breaches of national or security databases are attacks on the nation and its sovereignty.

The word “defence” is usually connected with the armed forces, namely, the army, navy and air force, the formal defence sector together referred to as the military. The primary task of India’s military is to protect the nation’s territorial and political sovereignty and integrity, with appropriate use of military force.

Military operations are based upon seven parameters, namely, command, control, communications, computers, intelligence, surveillance and reconnaissance, shortened to C4ISR. Every one of these parameters is dependent upon computers and information technology (IT), and information warfare (IW) is a distinct branch of military operations. Cyber-attack on military systems can neutralise one or more of the components of C4ISR, and adversely affect military operations, reflecting upon the nation’s sovereignty.

The downing of IAF’s Sukhoi fighter should be the trigger for India’s military to urgently work towards totally indigenous cyber security and then build on it. Also India’s inter-Services communications’ interoperability and security needs to be urgently established even as India is on the verge of signing CISMOA for communications interoperability and security with the US military.

The national economy functions on the basis of the five parameters of C4ISR, excepting surveillance and reconnaissance. Cyber-attack on the national economy will have severe consequences on the effectiveness of its military. For example, a cyber-attack on the railway operations computer system will at least temporarily halt railway movements to shift military units or military stores. Such a cyber-strike at the transportation system will also lead to incalculable financial and economic loss.

Similar scenarios are possible for attacks on electricity power grids; telecommunications grids; police and internal security; banks, stock markets and trade-and-finance; petroleum sector; civil aviation; governance nodes; water supply; etc., all critical sectors affecting public order, safety and health.

A cyber strike on multiple sectors can cripple the economy and create public chaos. Realistic security should consider such worst-case scenarios, in which sovereignty will be the most serious casualty. Hence national defence concerns the critical sectors of the national economy in addition to military defence.

Every computer operating system and its database are vulnerable. Experts in IT-IW aver that a system is safe only until it is hacked. Defence against attack consists of regular, periodic change of passwords, data encryption using secure algorithms and keys, firewalls, malware protection systems and other end-point security systems. Equally important is the hardware secretly embedded in computers or peripheral hardware, and software at the chip or silicon level. “Back-doors” in computers, embedded transmitters in data routers and modems, and implanted hardware or software in TVs or set-top boxes, effectively making a TV into a surveillance camera, are known threats for which people have no remedies.

It is vital to provide real-time protection to computers and systems in government offices and establishments. This is only possible if critical software involving data encryption, firewalls, etc., and critical hardware are actually made in India with in-house control and oversight by Government of India (GoI).

India’s most all-encompassing database is UIDAI’s Aadhaar Central ID Repository (CIDR), the creation of which was unfortunately contracted to a foreign firm linked to the intelligence community, making it vulnerable from birth. Its deliberate connection to all other databases makes it a prime target for hackers. A successful attack on UIDAI’s CIDR by Pakistan or China (or for that matter by USA, whose NIA has already successfully snooped on India and even its own NATO partners) would be a matter of national shame for a nation which prides itself on its indigenous competence.

It is necessary to note that at present, all items of critical hardware and software in GoI and state government offices and establishments (including the military and Aadhaar) are purchased from vendors in the market, and national safety and security are entirely dependent upon contractual penalties in the breach. Thus, cyber safety and national security are reduced to demanding monetary compensation subject to litigation in courts of law.

The foregoing amply demonstrates that indigenous production of critical IT hardware and software, including know-how and know-why, is as much a national defence requirement as indigenous production of critical military hardware and critical expendables (ammunition). When the military human resource (the soldier) has to be 100% Indian, the human resource employed in production of critical defence hardware and software also needs to be under GoI control. This can happen only when production is by a PSU under GoI’s watch.

Given time, any system can be hacked. There is no 100% safety, especially in the IT field. Cyber safety is a dynamic concept, since cyber attackers take advantage of new and hitherto unrecognized vulnerabilities even as system safeties are updated.

Indigenisation in its holistic sense means building indigenous capability for concept, design, development and production of assets of national strategic value. Indigenous production of critical items without GoI control may create jobs, but cannot provide security or protect sovereignty.

There is no substitute for indigenously produced and GoI-monitored critical IT hardware and critical software for systems and databases of national importance, which are central to C4I for governments and C4ISR for the military. The present total dependence on business houses for critical hardware and software must be phased out as a part of national strategy.

PSUs under GoI oversight and control need to produce critical IT hardware and critical software. Rather than privatising PSUs and losing R&D and production infrastructure and trained human resource, GoI would do well to examine how existing PSUs can be reorganised, re-jigged and re-tooled, existing human resource retrained and competent human resource inducted, to meet the need for indigenous research and production of critical IT hardware and software in the interest of national security and sovereignty. Where necessary, private agencies should of course be contracted to supply PSUs with sub-critical systems, with GoI retaining overall control on policy and production of critical items and systems. National defence, which clearly goes beyond military capability, deserves a very careful review.

Production of critical defence needs is not a matter of business strategy. It is an imperative of national strategy. National sovereignty cannot be subordinated to efficiency of PSUs. If a PSU is deemed inefficient, it is government’s responsibility to set it right in the national interest. Losing control over policy and production of critical hardware and software through disinvestment or privatisation of PSUs as business strategy is clearly not in the national interest. GoI and State governments need to stop looking at security through the narrow tunnel of business and economic growth, as at present.

Are State and Central Governments listening? Hopefully India’s military is alive to its cyber vulnerability, and is doing something about it.


Vol. 49, No.50, Jun 18 - 24, 2017