Lessons from Kudankulam – Part II: Targeting, jointness & offensive toolchains

I may (or may not) do a series of quick posts highlighting the strategic challenges encountered while investigating a cyberattack like Kudankulam. They would be filed under the ‘lessons-from-kudankulam’ tag. Since our agencies were literally caught napping, this is a good primer for understanding what nation-state-level cyber capabilities entail:

Some dumbified excerpts from my dispatches to the government:

Targeting

I have talked a lot about targeting frameworks. Targeting is not only the most crucial function of your cyber offensive capability, but also the most expensive. It defines your concept of operations, tooling and everything else. 

“In 2012, the NSA got 36,000 pages of target requests from consumers like the state, defence, agricultural and commerce departments…and the NSA does not cherry pick.”

— Richard “Dickie” George, NSA

The way you define and retain your targets could have huge implications in terms of time, attention and money. Secondly, if cyber operators do not get optimal targeting — if bureaucrats don’t understand cyber well — they may make decisions on their own. Most of the accountability issues stem from there.

Targeting is the pivot between intelligence and strategy. The qualifier of a good target is that it tells you what other targets to compromise.

Maintaining access to a target — be it for event-based (like military effects) or presence-based (like espionage, pre-positioning or keeping the battlefield primed) operations — is where costs escalate.

Our Multi Agency Center and Joint Intelligence Committee have been ineffective. These should not be post-retirement sops for once-a-month paper pushers. MAC should coordinate targeting. JIC needs to come up with 5-year National Intelligence Estimates.

Offensive toolchains

Would you ever outsource a surgical strike to a private contractor? To a bunch of fly-by-night operators with no background checks? Those who also duplicate their collection and re-sell it to many agencies?

Any state-affiliated intrusion into a foreign military network could be deemed an act of war under international law.

Secondly, during heightened tensions, if these contractors do something impulsive on foreign networks, it could lead to an inadvertent escalation. We may not have any control over the command-and-control or rules of engagement. Such contractors could have more power than the generals.

Thirdly, these glorified mercenaries do not have even a bare-minimum understanding of our geopolitical imperatives or foreign policy. Would we ever accommodate such risk or ignorance in any other domain of war?

Lastly, many of these operators generally end up in murky nexuses of middlemen and fixers — fostering corruption, opportunism and nepotism among the bureaucratic mid-management.

In cyber, institutional memory is institutional capability. The only difference between us and Unit 8200 is that the latter has painstakingly inculcated an institutional memory of its operations within generations of cyber operators.

It makes natural sense that these Israeli operators turn out to be highly successful entrepreneurs — because they carry the generational wisdom of hacking into the hardest of targets. It is in fact a kind of unchecked proliferation of knowledge, originally belonging to Unit 8200.

CV Raman, Homi Bhabha and Vikram Sarabhai carved a distinct scientific lineage. Cyber offence, like mathematics, has a lineage too, as it is purely knowledge-based.

We know what lineage the Chinese, Americans or North Koreans have. But can we recollect what we did just one year ago — not in files or dossiers but as empirical evidence? For example, the first joint cyber operation was launched by IAF and NTRO in 2012. Yet, we are still only discussing jointness.

A good cyber capability allows you to respond at a place and time of your choosing. What we possess is suited for abrupt, tactical reactions, not for something as systematic as deterrence. You could say that we do not have a cyber capability.

If anyone tells you that cyber offence is all about atomic stuff like exploits, zero-days and vulnerabilities, then that person is misleading you. Offensive toolchains are full-on SIGINT software where every stage of the kill-chain is productised. 

Imagine it as a rocket program, with a massive command center, multiple stages of the rocket, and the final payload.

“You need a lot of people to have a small number of hackers hacking.”

— The Grugq

Only 20-30% of an offensive toolchain manifests over adversarial infrastructure. The rest (targeting, telemetry, correlation, analysis, infrastructure mutation, operational security, etc.) mostly happens at the backend.

So, next time, if someone says that to build offensive capability, we need to buy million-dollar zero-days, you know that is just a sales pitch.

An exploit is like the mere tip of a rocket. Craft all other stages first. And in most cases, you do not need a zero-day.

Matt Monte of the CIA has defined three cardinal dimensions of offence: humanity, access and economy. Good offence has non-technical origins.

Some agencies like the CIA even have separate toolchains for separate imperatives — that’s a lot of dedication and commitment to operational security.

And we need to manage toolchains in-house. What you could really outsource to the contractors is development, not the operational part.

Check out the “Adversarial configurations & field observations” section from “Draw me like one of your French APTs.”