India’s Cyber Readiness: Former Deputy NSA Arvind Gupta’s New Book

Former Deputy National Security Advisor Dr. Arvind Gupta’s new book How India Manages Its National Security was released a few days ago. It has dedicated a chapter to ‘Cyber Security Challenges’ and fills a major gap in my understanding of the NDA government’s manoeuvring on cyber.

Beyond the glib and the rhetoric, very little has come out on the qualifiable and quantifiable assessment of the nation’s cyber readiness and how the principals of the establishment perceive it. By design or accident, the UPA government actually had a more accessible interface to the then fledgling cyber apparatus, aided by press briefings, dossiers and, occasionally, media leaks – or this may very well reflect my own bias, as I was a part of the system then.

The said chapter is a study in contrast, compared with the fascinating peek into American cyber statecraft offered by David E. Sanger’s latest book, The Perfect Weapon. My own yet-to-be-released 40,000-word essay on gluing cyber operations with geo-strategy also takes a crucial departure from the extant outlook of the Indian system.

That said, Gupta seemed to be at the helm of cyber strategy during his tenure, as his interest in the domain was reflected in many of his speeches – some of which were, to put it mildly, technically divergent.

If you follow Dr. Jacquelyn Schneider’s seminal study of wargames at the U.S. Naval War College, you may realise that, more than the science of the domain, it’s the leadership that becomes the pivot of cyber superiority during a conflict. In that sense, Gupta’s exposition is vital not only to our understanding, but to our national posturing as well.

I feel that Gupta started on a very tepid, hackneyed note. Cyber dependency has hardly been a function of developmental variables like digital penetration. Even a decade or two ago, when India wasn’t brimming with mobile phones and computers, it was the fifth-largest target for the Five Eyes. Why?

If there’s anything that makes you a more (or less) lucrative target than others, it’s geopolitics. The political vocabulary you use becomes the technical grammar of your adversary’s cyber operations. And it isn’t just the vocabulary you expend on foreign affairs or other outward-facing matters that gets exploited, but even the inward-looking stances on domestic politics.

I say this with certainty because any imagined Rubicon around cyber got crossed a while back. If there’s a newsworthy event right now, it’ll have to have a certain tenuous linkage with the domain. Be it the external interference in the elections of a superpower or the mass-manipulation of domestic opinions abetted by online disinformation.

Your internal fault-lines around community, caste and other such demarcations may already be getting weaponised in some nondescript safehouse, laying waste to the strategic monoliths created by generals and hawks.

It’s for no small reason that Gen. Valery Gerasimov’s utterance – war is everywhere – is recited as an incantation by the Western media (it’s another story that the person who coined the term “Gerasimov Doctrine” regrets doing so). Hybrid war knows no peace or ceasefire.

And then there’s economic cyber espionage, dubbed the greatest transfer of wealth in history by Gen. Keith Alexander. It may have easily shaved off a couple of percentage points from our GDP. I’ve seen its debilitating impact up close and personal.

Or what about the growing indistinguishability between crime, espionage, war and defence in cyber? There could have been many good starts to this chapter, but Gupta is due his artistic licence.

That’s a fairly decent explanation except for the password bit.

An outdated argument. Victim shaming as a convenient excuse for breaches has long been debunked. Enterprises and users are meant to withstand a gust of wind, not a Category 4 hurricane – which is what a state-sponsored actor in cyberspace is. No one can possibly blame Sony Pictures for not standing up to North Korea. Moreover, the defenders are fighting at the intersection of a Venn diagram where the capabilities of a state actor meet the finances of a non-state actor – and that gap is closing in fast.

We have many precedents from the past to know that data breach laws have never worked. In fact, as pointed out by Sanger, the U.S. federal institutions have been the biggest violators of the mandatory notification laws.

Testing standards like Common Criteria’s EAL, largely prescriptive, have done little to improve the resiliency of software. It’s exactly why famed hacker Mudge, who was slated to become Trump’s cyber czar, started the Cyber Independent Testing Lab – something more descriptive, but nothing more than that.

The problem is intractable. Vulnerabilities don’t exist in isolation but are spawned by the interactions of a product within a heterogeneous system. Their nebulosity is as overwhelming as the behaviour of a biological organism. It’s exactly why researchers borrow from biology to describe the guaranteed insecurity of a complex system – the emergent property.

There’s more to it. What Gupta may know but not understand is that the internet was founded on Transitive Trust across its hundreds of millions of layers of abstraction. As Ken Thompson posited way back in 1984 in his paper ‘Reflections on Trusting Trust’, the trust model, too, is defeated by the emergent complexity above a certain threshold. Mind-bogglingly, it breeds both trust and distrust at the same time.

And there is no such thing as critical infrastructure – either everything is critical, or nothing is. Is a film and entertainment company critical, because the U.S. gave a “proportional” response to the hacking of Sony Pictures? Is an accounting firm critical, because Ukraine labelled the interdiction of M.E. Doc’s online supply chain an act of cyberwar? The demarcations around non-state actors, both in defence and offence, have been pulverised.

I wouldn’t be so sure. The Five Eyes have long maintained a declaratory dominance over cyber – more compulsively than over nuclear – purely because it’s an instrument of war. That’s why all cyber policy like the UN GGE dialogue, which Gupta frequently alludes to, is merely the Clausewitzian continuation of cyberwar by other means.

This thought process is the source of many problems: the wishful thinking that some norms of behaviour in cyberspace would eventually emerge.

Col. Gary D. Brown, a former staff judge advocate of the U.S. Cyber Command (USCYBERCOM), elaborated that nation states not defining their limits and capabilities in cyber is an impediment to norms. Bolstering offence by systematically weakening the internet – and then expecting other governments to not do so due to a vague commitment to global cyber stability – is the kind of cognitive dissonance that nation states will always indulge in.

The GGE dialogue was a diversionary tactic to ensnare international diplomacy. The Indian national security establishment has been overly influenced by mandarins over the last decade. When your hammer is ‘dialogues, negotiations and ratifications,’ all geo-strategic problems would look like nails.

Gupta again harks back to the GGE dialogue. Cyber diplomacy adheres to the Thucydidean paradigm – the strong do what they will, the weak suffer what they must. Let me state this clearly: from 1998 to the 2007 Russian DDoS against Estonia, the U.S. abused the GGE dialogue to maintain a sovereign prerogative on cyber offence.

Later, Russia – having tasted blood with the merger of cyber operations with Active Measures – leveraged the power imbalance with impunity.

The Indian interlocutors – rather than gazing inward to bolster our own capabilities – preferred to exhaust their energies on mindless initiatives. They resorted to the familiar ease of diplomatic negotiations rather than domestically nurturing a strategic discourse on cyber.

Norms, as we imagine them, are derivable around weapons whose intent is objectively calculable – bombs, tanks and nuclear weapons, etc. We also believe that the law of armed conflict (LOAC), an essential ingredient of the Geneva Convention, could somehow be enforced upon cyber operations. The LOAC was only meant to deal with kinetic incidents where the damage is physically observable – in cyberattacks that is rarely the case. It’s exactly why the Tallinn Manual remains such a dud.

A piece of malware could pulse through the objectives of espionage, attack and defence at a rate beyond human comprehension. When the equations of causality falter, the impact can easily be subjected to miscalculation.

Workable norms may never ever happen.

I don’t expect Gupta to be technically proficient, but he’s referring to the DNS here, which is just one gear of the internet that is decentralised in theory, but not so much in practice.

What Mudge is trying to say is that we may have no idea what a critical choke-point of the internet is until a cascading failure actually occurs.

Here’s a good read by former NSA operative Dave Aitel: Why a global cybersecurity Geneva convention is not going to happen.

India’s firm entrenchment within the global supply chain is a crippling vulnerability, but also an opportunity. Aitel calls India the “glue of the global software supply chain”. He mentions how all Microsoft patches for new vulnerabilities are tested in Hyderabad before their release.

Certification of foreign products is calling for a new licence-inspector raj in tech.

Interesting. National Cyber Security Coordinator (NCSC) Dr. Gulshan Rai’s flagship project hasn’t even come out with a clear specifications framework so far. I may need to annotate this later with references, but the earliest press releases on the National Cyber Coordination Centre (NCCC) talked about a sectoral approach leveraging the SOC-of-SOCs architecture (where SOC stands for Security Operations Centre). That was unfeasible, so doubts had arisen even then. Without much public deliberation, the approach was reworked and the NCCC was later touted as a national situational awareness platform. That’s a complete U-turn.

Right, like the regressive decision of issuing a blanket ban on cryptocurrency.

I’ve been urging the civil liberties activists for long that without a comprehensive debate on cryptography, the enactment of a rock-solid privacy framework isn’t even possible. The government may take the high road to ‘security through obscurity’, which will be disastrous for our national security. Nation states have come a long way from deeming cryptography a munition — restricting it under export control — to funding weak, breakable ciphers that now run the whole internet and the blockchain.

The activists here have never fought a crypto war, yet they have things to say about encryption. We’ve no idea what the esoteric Scientific Analysis Group does, or the kind of insular research the RC Bose Centre has fostered. Do you know that the NSA has already broken into the encrypted communications of the Indian nuclear command-and-control? This issue is bigger than privacy – it’s existential. Activists have the perfect excuse to make the research on encryption transparent, accountable and robust, but they prefer to skim the surface.

Only a passing mention of the NTRO. I may need to explain this in detail, but the NCIIPC doesn’t need to exist under the NTRO. I’m also surprised that Gupta has failed to place even a little emphasis on offensive capabilities. There’s no need to be so hush-hush; even Gen. Michael Hayden labels cyber as “hideously over-classified”. Offence is going to be the mainstay of our national defence. A streamlined cyber offensive framework that cuts through all the echelons of the security establishment isn’t a hawkish expectation, but a mere prelude to effective defence.

Even North Korea has asserted its presence with barebones machinery. USCYBERCOM is actually making its cyberweapons more attributable to instil fear in its adversaries.

Matthew Monte, a former cyber operative of the CIA, goes to the extent of declaring cyber defence that has no overlap with offence ineffective. Most of what Russia and China do in cyberspace is called pre-positioning – testing their counter-offence against hostile actions. Whether Olympic Games or Nitro Zeus were offensive operations or precursors to a defensive strategy may remain a matter of interpretation. We still haven’t come up with a comprehensive and reflexive offence-defence strategy across escalatory and declaratory matrices, which is why the NTRO is mentioned just once by Gupta.

Major cyber powers are already marking an end to the declaratory dominance of cyber offence. Slowly and steadily, it’s moving to the escalatory ladder.

Gupta dedicates a whole section to CERT-Fin, which has no reason to exist. The sectoral philosophy has become outdated because defensive perimeters of an enterprise have totally dissolved.

As The Grugq once famously said, “The perimeter is not the boundary of your network, but the boundary of your telemetry.” The inventory of an enterprise is now scattered throughout the internet, and asset discovery still remains broken.

Read Aitel’s article on how the circulatory cyber arteries of big organisations like banks touch almost everything.

If the NCCC is indeed the hammer of the NCSC then the aforesaid “conditions”, too, are the veritable nails. Most nationwide cyber situational awareness programmes operate in complete passivity – in the technical sense of the term – requiring no enhancement of the mandate.

The umpteenth reference to the GGE dialogue. No, the discussions weren’t esoteric but grounded in the physics of the domain.

Frankly, this is a bit jarring. Unfortunately, cyber sovereignty can’t be pursued in a ‘non-aligned’ way. You’re either in or out. The middle path may not augur well for the citizenry and has the potential to balkanise our side of the internet.

On the other hand, not being fully apprised of the physics of the domain only strengthens the hegemonic position of the select few. Careful what you wish for, as all roads of data sovereignty lead to a dystopia.

Here’s the thing: as the national security kahuna Richard J. Danzig postulated, cyberspace remains a contested territory. Thomas Dullien, the legendary malware reverse engineer who now works for Google, stated at this year’s NATO CyCon conference that ‘possession’ and ‘control’ in cyberspace don’t necessarily overlap. Aitel goes to the extent of declaring that offence-defence is the wrong dichotomy: it should be control and non-control. “Think about it for a moment – we share the same network with our adversaries,” exclaimed George Tenet exactly 20 years ago. This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned even a bit.

It’s exactly why many of the modalities of fighting an insurgency are relevant to cyberwar. Offence is not merely a fitment in the matrix of dominance but of order and control – so the Department of Defence leads the way in cyber and not the Commerce or State departments.

All dovish norm-setting initiatives in cyber are stillborn because of this disruptive interleaving. Policymaking then becomes a mere instrument to perpetuate hegemony.

I don’t want to end on a sorry note but have no choice. It’s my prerogative to offer solutions if I’m so vocal about my protestations. But for that, you may have to wait for the publication of my essay.