Fifty Shades of Offensive Defence

Published on LinkedIn:

I see a strange paradox in front of me. The world has never been this safe – the end of the Cold War brought forth a global resolve to taper conventional arms and weapons of mass destruction. Yet, there exists a threat so looming and persistent that it is fundamentally altering the international economic order at light speed.

That paradox is starkly evident in India more than it is elsewhere. Breaking away from the shackles of socialism, the heady growth over the past 25 years rests on the laurels of the private enterprise. While India has dithered from being completely laissez-faire – which calls for strict non-interference of the government – the autonomy of the private enterprise has inadvertently become the biggest national security risk.

Liberalisation also changed the way nations look at their natural resources – they auction coal mines and radio spectrum nowadays. It is, however, information that really fuels the modern free-market economy.

Nations are now placed on different sides of the information, and not economic, divide. Data remains the last untapped natural resource. And private enterprise has become a foot soldier in a new kind of war.

Not just India, but liberal economies worldwide share the same fate. Take the case of the Cybersecurity Information Sharing Act (CISA) of the US, hurriedly passed by the Obama administration during Christmas holidays in 2015. Auguring a blanket cyber intelligence metadata sharing regime covering the public and private sectors, it is probably the most invasive of regulations to ever meddle into the affairs of the American business enterprise that prides itself on being feisty and independent.

It is truly a litmus test for the information economy. Cybersecurity has acquired its place amongst the existential threats that can wipe out a nation.

But CISA is merely a gear in a larger machine that is bracing for the next big attack. The modern war – fought for information superiority – is largely pivoted around the military-geopolitical doctrine of offensive defence, benignly called active defence. Imagine the enterprise as a private militia playing its part in a conflict, not out of nationalistic fervour, but a desperation to survive.

Indeed, all of this is very murky and questionable, but that is how things are panning out to be. On one side, the limited cyber defences of an enterprise are meant to withstand a gust of wind, not a Category 4 hurricane – which is what a state-sponsored actor is in cyberspace. On the other, the enterprise is also a weapon of choice, an extra-judicial assassin in cyberwar.

Please keep in mind that active defence is not just “hacking back”, but a slew of intricately interwoven political, diplomatic, policy and technological counter-measures to deceive, undermine, expose or neutralise the cyber adversary.

Gartner is gaga about the host of security start-ups that have mushroomed in Israel touting active defence – that nation is also the progenitor of this doctrine, used first in the Arab-Israeli conflict of 1973.

American companies like Endgame and CrowdStrike controversially boast of para-dropping cyber commandos into the affected networks, enveloping the talent of maddeningly smart hackers in a popular business model.

Considering the lack of fine demarcation between offence and defence in cyber, it is perfectly reasonable for a state intelligence agency to tiptoe into both. It is for the same reason that the National Security Agency (NSA) of the US uses its global active-passive collection programmes, and endpoint and midpoint exploitation frameworks like TUTELAGE, QFIRE, TURBULENCE and QUANTUMBOT for dynamic deception, attribution and defence. But the unchecked incursion of the cybersecurity industry into it is extremely risky as there are no de facto rules of engagement, and conflict escalation or de-escalation. Despite the prevalent thinking, there is a fair bit of judicial oversight when active defence is undertaken by a state agency, like the case of Operation Buckshot Yankee immaculately documented by The Washington Post.

A prescient paper by the Centre for Cyber & Homeland Security of the George Washington University (GWU) clearly captures the extent of active defence’s popularity in the private sector and the hubris surrounding it. Everyone from Google, Microsoft, Cisco, McAfee to Kaspersky has indulged in it like a guilty pleasure.

But vendors taking sides in geopolitical skirmishes sets a very bad precedent. I am not talking about simple hack-back operations, but the selective exchange of intelligence between them and the allied nation states. How ethical is it of, say, Cisco to participate in the takedown of a Chinese cyber operation, and then to make loud claims about its commitment to the same market? Or consider the fact that its alleged collusion with the NSA has had a detrimental effect.

Alarming is the role of many non-profit organisations as well. During a cyber counter-intelligence operation I undertook while working for the Indian government, I came across confirmed inputs on the interactions of groups like The Citizen Lab with the NSA. Many others like The Shadowserver Foundation – professing to be the vanguards of civil liberties in cyberspace – behaved quite meekly after the recent deluge of leaks on illegal American surveillance. Their tone would have been remarkably different had it been a Middle Eastern or South East Asian nation.

I am not interested in muckraking but merely emphasising the doctrinal philosophy of jus in bello – that war without an ethical interface is simply unjust.

That being said, the responsibility of defending a connected sovereign society would fall equally, and maybe a little unfairly, on both the public as well as the private sectors. The paper by the GWU I cited earlier is a commendable first step urging nation states to come up with legally vetted frameworks for active defence.

Security pundits like Dave Aitel have sparked an intimidating discourse on cyber militias under the ambit of the US Constitution. The Indian Computer Emergency Response Team, the National Critical Information Infrastructure Protection Centre, the National Cyber Coordination Centre or whoever is assigned with the task of defending national cyberspace must issue guidelines and set up a policy framework for it.

While deterrence is pretty much a fluke in cyberspace, I am honestly getting a little tired of posting the gory details of strategic Indian installations getting compromised by foreign actors every other day. The deafening silence must give way to a more hawkish and forward-looking appraisal of our national cyber resilience and the accountability of the mandated agencies.