Thinking offensively! – The Seminar Magazine

Published in the Seminar magazine: http://www.india-seminar.com/2013/650/650_pukhraj_sing.htm.

IF one were to believe the stream of news stories emerging while the dust of 26/11 was just settling, the key functionaries from India’s security establishment were all huddled together in a crisis room of sorts, as the attack was underway, to explore retaliatory options that would send a stern message to the perpetrators. During those tense moments, one of the viable alternatives discussed was undertaking surgical strikes on the safe houses and the training camps of Jamaat-ud-Dawa (JuD). A consensus was almost reached, up until an embarrassing realization that the conventional sources of intelligence active within Pakistan over the years didn’t have the geographical coordinates to facilitate the offensive.

Reams of tactical information overflowed from the Taj and Oberoi hotels, where the terrorists were holed up, wolfed by the operatives from various agencies. Technical intercepts laden with confusing buzzwords like ‘VoIP’ (Voice over Internet Protocol) added to the fog of war. The incident literally and figuratively drove home the point that ‘cyber’ was another disruptive addition to an already asymmetric game that is terrorism.

The creeping determinism that came with the bias of hindsight offered particular relief to me, as I scoured through the publicly available charge sheet and final report on the 26/11 investigations produced by the Mumbai Police. The technical evidence cited in them provided a glimpse into the elaborate web of intrigue machinated to obfuscate the footprints that could have led to any kind of attribution. Via the physical or logical endpoints, mobile phones to be precise, this nefarious chatter happening in real time piggybacked on top of a VoIP exchange purchased from an American company, divulging a legitimate money trail and an email address.

The email address, access details of which were legally pursued from Yahoo!, acted as a dead drop, to use espionage parlance, for the preparations of an attack. It was opened from various Internet Protocol (IP) addresses – the globally unique identifiers for network connections – spread across the US, Russia and Pakistan. These IP addresses, however, could easily and very well have acted as proxies: the jumping points that hid the actual locations of the computers retrieving the account. Although such measures of evasion required only basic technical knowhow, the fact that the access details threw up some interesting locations within Pakistan suggested that the perpetrators gave some leeway to laziness.

An IP address from Pakistan-occupied Kashmir (PoK), a sanctuary for JuD, blipped on the radar. It belonged to the Special Communication Organization (SCO) – a government controlled Internet Service Provider (ISP) managed by retired and serving Pakistani military officers – the only one allowed to operate within the sensitive region until the telecom deregulation in 2006, thus boasting of a sizeable presence. Every ISP has to mandatorily provide a designated point of technical contact to InterNIC, the global governing body of the Internet, and such databases are open to all. For SCO, it was Lieutenant Colonel (Retd.) Saadat Ullah, possibly a senior systems administrator, responsible for the hundreds of thousands of Internet connections. The charge sheet went on to indict Col. Ullah and a ‘red corner notice’ of the Interpol was summarily issued against him. That was as far as the Mumbai Police could go with legally pursuable avenues of investigation.

 

It put me in a kind of quandary. Whatever might be the notoriety of PoK, it was possible that the Colonel only got caught in the crossfire, and that is why the Pakistani government had vehemently challenged the claims made against him. In between the diplomatic and policy wrangles, a contestation had already infected my mind, and on one of those restless evenings, I scribbled a rough note in my diary: It was quite possible that a bunch of hackers could have supplied the geo-location of JuD’s training camps or safe houses, to facilitate surgical strikes, via a swift and coordinated cyber-offensive operation that, firstly, hacked into the registration, billing and allocation databases of SCO, stealthily and virally spreading its tentacles using advanced exploitation techniques to uncover the substantial portion of the nexus. CYBERINT could have come to the rescue where HUMINT failed.

I would only give a ‘Glomar response’ (neither confirm nor deny) as to whether the Quixote in me actually had a showdown with the proverbial windmill or not, but underpinning that desperation was an idea whose time had veritably come.

 

Just days after 26/11, while the nation’s collective consciousness writhed due to the hurt and infamy, the then National Security Advisor (NSA) M.K. Narayanan donned the mantle of India’s first cyber-warrior. The makings of an unprecedented mandate were percolated right down to the lowermost tiers of the national security echelons. A motley group of hackers and technocrats was assembled under the auspices of the National Technical Research Organization (NTRO), marking India’s advent into the fifth dimension of war.

Tall strides have been made since then. Every single step instigated a government-wide paradigm shift. Cyber got firmly enmeshed with the labyrinthine dynamics of global diplomacy, while I got firmly entrenched into the foxhole of digital conflict.

India’s strategic posturing in cyber defence and offence became congruent with the globally distinct geopolitical imperatives that have long shaped its foreign policy and engagement. In no way did this technologically disruptive domain necessitate that our policies be tailored to encourage the new kind of brinkmanship that players like China and the US are engaged in. Rather, the power of electrons was silently harnessed, just as we reaped the fruits of the atom, to build a credible cyber deterrent, claim information superiority and make an early entry into the league of cyber powers.

From a purely tactical perspective, cyber has already proven its mettle as a formidable tool for gathering actionable intelligence that bolstered our diplomatic imperatives in South Asia, and in acting as an antidote against another potent asymmetric weapon, terrorism.

The chances are remote that India or, for that matter, any nation would ever be dragged into a full-fledged cyberwar, whatever the term implies. It becomes clear if one closely examines the power struggle and the clash of mandates that have persisted in the American chain-of-command, eventually leading to a policy compromise called the US Cyber Command (USCYBERCOM).

 

In May 2010, the Director of the National Security Agency (US-NSA), General Keith B. Alexander, was ‘dual-hatted’ as the Commander of USCYBERCOM. For many years, the US Air Force (USAF) had staked claims to this role in light of its enhanced operational cyber capabilities, and for the fact that cyberspace sounded like a natural extension of the ether, air and space over which it dominates. A provisional USAF Cyber Command had already been in existence since 2006, and the organization also unleashed a propaganda war by airing sensational TV advertisements to swing the debate in its favour. These bassy commercials featuring ‘cyber-warriors’ of the USAF hunched over computer monitors in darkened rooms really miffed the Pentagon, which labelled the attempt a ‘cheap power grab’.

In parallel, a much more pertinent debate on the separation of powers was compelling the White House to put a rein on its cyber generals. The venerable US-NSA, with more than four decades of experience in technology, was the foremost contender when it came to cyber intelligence, and there was a broad consensus that replicating its abilities for cyber-war would serve no purpose. However, the Agency is strictly prohibited from engaging in traditional military activities as per the statutes of the US Code Title 50 and Title 10, which demarcate the boundaries between national security and the role of the armed forces. Amidst all this haggling, Defence Secretary Robert Gates put forth an inventive proposition: that the Director of the US-NSA be elevated to a ‘four-star’ position and also be given charge of USCYBERCOM, a ‘sub-Unified Command’ under the Strategic Command.

By giving priority to the intelligence community, the US establishment also expressed a subtle disapproval of the military’s hawkish approach towards cyberwar. The generals wanted ‘to go in and knock them out in the first round’, reminding many old-timers of the eccentricities of the Strategic Forces during the nuclear era. Richard A. Clarke, the US cyber security czar, recalling his experiences in the book Cyber War, curtly summed up such thinking as ‘dangerous’, something that may escalate a cyber conflict ‘very quickly’ if appropriate defensive measures are not in place.

 

The mission of USCYBERCOM is to ‘conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to adversaries’. Frankly, that’s quite a mouthful. The US Department of Defence (USDoD) also declared that a cyber attack may be designated as an act of war needing retaliation by ‘kinetic’ means. In short, the US won’t mind bombing a computer server to the Stone Age.

An attempt must be made to separate the hype from the reality. The only reason that America needs such a lurid showcase of capability is to counter an emerging threat from China. Ironically, the Asian superpower goose-stepped into cyberspace around a decade ago, wary of American hegemony and might.

 

Did India get dragged into a street brawl between two burly intimidators? There is no denying that a barrage of cyber espionage attacks originating from China has inflicted insurmountable losses on our national security, the actual extent of which is still to be ascertained. As I wrote in a 2011 paper, ‘Battle-Ready for the Fifth Dimension: Assessing India’s Cyber-Defence Preparedness’, published in the inaugural issue of the Jindal Journal of International Affairs (JJIA):

‘Judging from the details available publicly, it is not difficult to estimate that in all certainty, terabytes of information had been exfiltrated from various government organizations including defence, security agencies, ministries, scientific establishments, think tanks, academic institutions, media groups, important individuals and the corporate sector. The scale of such an operation and dimensions of this guerrilla war are simply mind-numbing.

‘One can imagine a nondescript safe house with hundreds if not thousands of geopolitical analysts, linguists, military experts and hackers busy in processing and dispatching this data to various “consumers”, who are probably scouting for potential moles, gauging the implications of a regional development or war-gaming the readiness of India’s defence forces. The case of this being an independent enterprise should simply be ruled out for once and ever – there has to be a tacit patronage from the state.’

But one must exercise considerable restraint in attributing this to be an act of aggression. Such actions are just a subset of the cloak-and-dagger work, the clandestine spy games that nation states play. It also serves to provide a crisp difference between the effectiveness of the cyber medium in intelligence, as compared to offence. A recognized purpose of cyber operations is to accentuate military action by acting as an element of surprise (online attack on the information backbone of the adversary, preceding an actual one), propaganda (psychological operations) and deception (information warfare).

The aforementioned examples fall in the category of covert operations designed to gain actionable intelligence, a grey area where the laws of the land are hardly applicable. When countries like China have deliberately architected their internet backbone to obfuscate and thwart attribution, international diplomacy can at best do little.

 

While a parallel to the doctrine governing the international control and regulation of nuclear weapons is certainly an interesting one, early admission to an elite club of cyber powers requires building a credible digital deterrent. In this netherworld of bits and electrons, the motive and the identity of the enemy are not easy to ascertain. From a teenager coming to terms with his/her puberty to a non-state actor with disastrous intentions, the countercultural and anarchic nature of this domain is in itself an antithesis to institutionalization and moderation.

It is my feeling that there will be an eventual amalgamation of the technical and geo-strategic aspects of this domain, fostering new research disciplines like the ratification of a ‘global cyber security regime’, ‘cyber arms control’, ‘cyber conflict resolution’ and ‘cyber international relations’. Already, the formulation of the USCYBERCOM has given a new impetus to such a multifaceted discourse. Something on those lines is underway in India as well. A similar path-breaking project on cyber international relations, called ‘Explorations in Cyber International Relations’, funded by the USDoD is already running at MIT and Harvard.

 

In this scenario, the responsibility of honing the discourse lands on the shoulders of able policymakers, strategic affairs analysts and geopolitical experts who can go to the depths of a problem and evangelize to the international security community with a fervent zeal. However, I perceive that there exists a great chasm between the technical security professionals and high-level interlocutors. The special interest groups on information warfare and cyber security lack the contribution of technologists with hands-on exposure, thus succumbing to misdirection and confusion. This could prove to be dangerous at a time when such a recondite and covert form of conflict is altering the course of diplomacy. It is necessary that we inculcate the multifaceted views of such technical professionals in the thought process of contemporary policymakers.

Such were the nuances and the complexities of the policy debate on cyberwar, some of which I have highlighted in the previous paragraphs. My focus has explicitly been the ‘offensive’ side because it was from the deliberations on the cyberwar doctrine at the highest levels, which included the National Security Council and the Prime Minister’s Office, that institutional mechanisms on cyber security were established. The release of the National Cyber Security Policy – 2013 (NCSP) on 2 July marked the culmination of a two-year debate going on in the halls of power. In 2011, NTRO undertook a spectacular counteroffensive against Chinese cyber espionage, widely dubbed as the ‘PMO attack’, with the government finally waking up to the threat, furious about the damage it inflicted on our national security, eventually setting up a high-powered, inter-ministerial task force from which most of the seminal policy decisions, including the NCSP, were born. That M.K. Narayanan, who didn’t even give a single interview during his tenure as the NSA, spoke at length about the PMO attack with the British newspaper The Times just days before his retirement, leisurely and confidently indulging in the highly technical hacking jargon, was in itself a feather in the cap of India’s ether ninjas.

 

The National Cyber Security Policy also envisages a role for the National Critical Information Infrastructure Protection Centre (NCIIPC). It is worth mentioning that the genesis of what will be an extremely crucial national security organization in the times to come was catalyzed by a minor incident that could easily have been ignored, but for the eagle eyes of the cyber-warriors of NTRO. The computer worm Stuxnet, which almost destroyed the Iranian uranium enrichment programme, supposedly a joint US-Israeli operation, was also a moment of reckoning for us. To quote my paper for JJIA:

‘Little known is the fact that with this single incident, the discourse on critical information infrastructure (CII) protection in India was turned on its head… The first and foremost problem to be reckoned with was developing a consensus on what the definition of CII implies and how far should India’s cyber-preparedness strategy be stretched in order to safeguard the assets not directly under the control of the government. Stuxnet resolved all this and much more.

‘As the incident response teams found that a majority of the hosts compromised by the Stuxnet attack were from India, a strenuous effort was undertaken to assess its motive and origins. However, this investigation actually resulted in the eye-opening revelation that India’s industrial control systems are as susceptible as those of any other nation. It was indeed a matter of grave concern that the only known and documented attempt to compromise SCADA (supervisory control and data acquisition) systems at a widespread scale had a substantial impact on India, including the organizations manning utilities like power, hydroelectric and gas, etc.’

I often reminisce fondly how a single Excel sheet fomented the most important debate on cyber security and led to the creation of a whole new organization, NCIIPC, which is bound to become the sole bastion of India’s information infrastructure.

 

The recent exposés by the whistle-blower Edward Snowden also lay bare the duplicity of the existing cyber powers when it comes to respecting the sovereignty of other nations and the digital civil liberties of individuals, including their own. In a bid to make South Asia a neutral and nonaligned hub for moderation on the cyber security regime, I got the opportunity to interact with premier non-profit organizations from the US and Canada, known to be the harbingers of online privacy and hacktivism (a portmanteau of hacking and activism coined by Oxblood Ruffin). But much to my dismay, these groups, which I hesitate to name, well known for their work on cyber espionage against Tibetans, only acted as the front ends of their paymasters, the very agencies involved in the infringement of rights. There was not even a single word of assurance from them after the Snowden debacle.

To end this article, let me throw open a challenge to the technologists and the security establishment of India, supposedly an ‘IT superpower’ in the making. While our forefathers never hesitated in expressing displeasure over unwarranted snooping by countries like America, even though the fledgling nation was highly dependent on their dole, the schizoid response to the Snowden affair undermines our own technical prowess that has taken years to nurture. Just days ago, a helicopter flew over the US Embassy in Frankfurt at the orders of Chancellor Merkel’s chief of staff Ronald Pofalla – who was infuriated over the recent disclosures of the US-NSA blatantly violating German privacy laws – mainly to send a message, but also to undertake a reconnaissance sweep of the surveillance equipment, the antennas and the interesting carrier signals beamed from the compound. That gave me an idea.

 

In 2011, I delivered a talk at the Indian hacker conference NullCon, mentioning the names of many classified American cyber-warfare projects, almost unknown till then, ingeniously culled through the job listings requiring security clearances, posted on the websites of defence contractors. To engage the regional hacker community in a healthy debate and postulations on the subject, a single slide of the presentation divulged the project names, including those of XKEYSCORE and MARINA, which have come into public scrutiny after the leaks by Snowden. After collating the tidbits of information gathered through these listings, a fair idea on the purpose and the architecture of these programmes was attained.

It must be noted that XKEYSCORE is only a data mining and analytics platform, completely compartmentalized from the real exploitation frameworks being managed by the Special Source Operations division of the US-NSA. And, being the ingrained bureaucracy that the Agency is, this Internet-wide cyber offence and espionage architecture was built and scaled upon the legacy global digital-intercept network of the Cold War era, ECHELON – in terms of its operational, topological and physical underpinnings.

 

Rummaging through the old archives of the earliest-known whistleblower website, cryptome.org, where some hardware blueprints of ECHELON were leaked, one could ascertain that the US-NSA possessed the ability and the resources to perform application specific integrated circuit (ASIC) based voice recognition for global telecommunications in the ’70s, a considerably advanced and futuristic technology even by today’s computational standards.

From the top secret presentation on XKEYSCORE released by Snowden, it becomes clear that this framework is exfiltrating terabytes of data, if not more, from countries including India, its presence acknowledged in the specific slide ‘Where is X-KEYSCORE?’ Damning, to say the least!

It is quite safe to assume that this tap is relaying such large amounts of data to the US-NSA facilities in almost real time. Considering the gargantuan scale of this operation and the noise it might generate, it is for certain that the network is completely compartmentalized from the existing communication channels, including the internet and other global circuits.

The bandwidths required for this operation can only be met with a dedicated optical fibre cable network, but it would be too susceptible physically, passing through unguarded and unsecured territories. And the existing or publicly known satellite based data-link technologies simply cannot handle such scales of transfer, with my limited knowledge on the subject.

One can make a bold assumption, however, that the US-NSA has implemented a yet-to-be-known, classified relay mechanism. This is further strengthened by the fact that the map in the slide ‘Where is X-KEYSCORE?’ lists 25 mysterious red dots in the southern hemisphere, seeming more like a logical diagram of the topology than a geographical one, as it won’t be possible to install these nodes in the depicted way. The number 25 is of certain interest here. It might point towards an unknown sensor technology based on satellites, 25 of which are sufficient to provide global coverage, in case they are low orbiting ones.

 

The ground based transceivers might be placed in the US Embassy compounds or other such secure locations, possibly being fed by more sensors spread throughout and installed covertly in the targeted networks.

A joint effort by our signals, electronic, cyber and cryptographic intelligence experts in sweeping Indian airspace to locate a suspicious carrier signal or a fat pipe can provide more resolution on this interesting relay architecture. Being the futuristic technology that it might be, such an operation may help shorten the technology learning curve and could also reinforce our own security infrastructure. Compare it to stumbling upon an alien technology. More than that, it is also a matter of prestige!

 

* The author ([email protected]) has worked with NTRO and commercial threat-intelligence teams across the globe. He also runs a non-profit initiative, Abroo, aspiring to empower the downtrodden and the weaker sections of Punjab.