Fifty Shades of Offensive Defence – LinkedIn

Published on LinkedIn: https://www.linkedin.com/pulse/fifty-shades-offensive-defence-pukhraj-singh/.

I see a strange paradox in front of me. The world has never been this safe – the end of the Cold War brought forth a global resolve to taper conventional arms and weapons of mass destruction. Yet, there exists a threat so looming and persistent that it is fundamentally altering the international economic order at light speed.

That paradox is starkly evident in India more than it is elsewhere. Breaking away from the shackles of socialism, the heady growth over the past 25 years rests on the laurels of the private enterprise. While India has dithered from being completely laissez-faire – which calls for strict non-interference of the government – the autonomy of the private enterprise has inadvertently become the biggest national security risk.

Liberalisation also changed the way nations look at their natural resources – they auction coal mines and radio spectrum nowadays. It is, however, information that really fuels the modern free-market economy.

Nations are now placed on different sides of the information, and not economic, divide. Data remains the last untapped natural resource. And private enterprise has become a foot solider in a new kind of war.

Not just India, but liberal economies worldwide share the same fate. Take the case of the Cybersecurity Information Sharing Act (CISA) of the US, hurriedly passed by the Obama administration during Christmas holidays in 2015. Auguring a blanket cyber intelligence metadata sharing regime covering the public and private sectors, it is probably the most invasive of regulations to ever meddle into the affairs of the American business enterprise that prides itself on being feisty and independent.

It is truly a litmus test for the information economy. Cybersecurity has acquired its place amongst the existential threats that can wipe out a nation.

But CISA is merely a gear in a larger machine that is bracing for the next big attack. The modern war – fought for information superiority – is largely pivoted around the military-geopolitical doctrine of offensive defence, benignly called active defence. Imagine the enterprise as a private militia playing its part in a conflict, not out of nationalistic fervour, but a desperation to survive.

Indeed, all of this is very murky and questionable, but that is how things are panning out to be. On one side, the limited cyber defences of an enterprise are meant to withstand a gust of wind, not a Category 4 hurricane – which is what a state-sponsored actor is in cyberspace. On the other, the enterprise is also a weapon of choice, an extra-judicial assassin in cyberwar.

Please keep in mind that active defence is not just “hacking back”, but a slew of intricately interwoven political, diplomatic, policy and technological counter-measures to deceive, undermine, expose or neutralise the cyber adversary.

Gartner is gaga about the host of security start-ups that have mushroomed in Israel touting active defence – that nation is also the progenitor of this doctrine, used first in the Arab-Israeli conflict of 1973.

American companies like Endgame and CrowdStrike controversially boast of para-dropping cyber commandos into the affected networks, enveloping the talent of maddeningly smart hackers in a popular business model.

Considering the lack of fine demarcation between offence and defence in cyber, it is perfectly reasonable for a state intelligence agency to tiptoe into both. It is for the same reason that the National Security Agency (NSA) of the US uses its global active-passive collection programmes, and endpoint and midpoint exploitation frameworks like TUTELAGEQFIRETURBULENCE and QUANTUMBOT for dynamic deception, attribution and defence. But the unchecked incursion of the cybersecurity industry into it is extremely risky as there are no de facto rules of engagement, and conflict escalation or de-escalation. Despite the prevalent thinking, there is a fair bit of judicial oversight when active defence is undertaken by a state agency, like the case of Operation Buckshot Yankee immaculately documented by The Washington Post.

prescient paper by the Centre for Cyber & Homeland Security of the George Washington University (GWU) clearly captures the extent of active defence’s popularity in the private sector and the hubris surrounding it. Everyone from Google, Microsoft, Cisco, McAfee to Kaspersky has indulged in it like a guilty pleasure.

But vendors taking sides in geopolitical skirmishes sets a very bad precedent. I am not talking about simple hack-back operations, but the selective exchange of intelligence between them and the allied nation states. How ethical is it of, say, Cisco to participate in the takedown of a Chinese cyber operation, and then to make loud claims about its commitment to the same market?  Or the fact that its alleged collusion with the NSA has had a detrimental effect.

Alarming is the role of many non-profit organisations as well. During a cyber counter-intelligence operation I undertook while working for the Indian government, I came across confirmed inputs on the interactions of groups like The Citizen Lab with the NSA. Many others like The Shadowserver Foundation – professing to be the vanguards of civil liberties in cyberspace – behaved quite meekly after the recent deluge of leaks on illegal American surveillance. Their tone would have been remarkably different had it been a Middle Eastern or South East Asian nation.

I am not interested in muckraking but merely emphasising the doctrinal philosophy of jus in bello – that war without an ethical interface is simply unjust.

That being said, the responsibility of defending a connected sovereign society would fall equally, and maybe a little unfairly, on both the public as well as the private sectors. The paper by the GWU I cited earlier is a commendable first step urging nation states to come up with legally vetted frameworks for active defence.

Security pundits like Dave Aitel have sparked an intimidating discourse on cyber militias under the ambit of the US Constitution. The Indian Computer Emergency Response Team, the National Critical Information Infrastructure Protection Centre, the National Cyber Coordination Centre or whoever is assigned with the task of defending national cyberspace must issue guidelines and set up a policy framework for it.

While deterrence is pretty much a fluke in cyberspace, I am honestly getting a little tired of posting the gory details of strategic Indian installations getting compromised by foreign actors every other day. The deafening silence must give way to a more hawkish and forward-looking appraisal of our national cyber resilience and the accountability of the mandated agencies.

Hurdles to Military-Grade Cyber Attribution – The Quint

Published by The Quint: https://www.thequint.com/voices/blogs/achieving-military-grade-cyber-attribution.

I have been pondering over this for months now.

In the wars of the future, how would the armed forces of a nation decide that reasonable thresholds have been crossed and that an offensive or retaliatory action is merited? What if the incursions or transgressions of the adversary only happen within our sovereign information space, which is as sacrosanct as our real border?

What if we underestimate the damage a saboteur or subversive could cause with a cyber operation, which, in turn, may require a physical or kinetic response? How and with what certainty would we eventually lock in on the targets with mathematical precision if the perpetrators hide behind layers of anonymity or deniability?

To put it simply – how much money and what resources would be needed to create a global, military-grade attribution capability?

A Painstaking Process

Attribution is the meticulous and painstaking process that retraces the footprints of an adversary in cyberspace, which – to borrow the terminology of Russian Chief of General Staff Valery Gerasimov – could also be called the intelligence-information space.

These questions do not belong to some aimless roundtable of strategic pundits or think tanks, but in the war room of our government. With the amount of coverage that cyber operations are getting in geopolitical news cycles across the world, I think the Rubicon has already been crossed for us to start painting targets on the map.

A military without systematic and substantive attribution proficiency is like a blind man with a sniper rifle (no offence to my visually impaired friends).

Just see the lengths to which nation states go to guarantee it.

Sharing Hacking Evidence

The Office of the Director of National Intelligence of the United States (US) declassified a highly redacted report right after the 2016 presidential elections, putting the blame of hacking squarely on Russia. Nothing in the dossier hinted at the intelligence tradecraft of the world’s most elaborate eavesdropping apparatus used to reach such a grim conclusion.

No one, not even the infuriated American polity, could convince the US Intelligence Community to reveal how the spies had managed to convince the incumbent president Obama to cause the biggest escalation against the Russians since the Cold War.

So much secrecy, when it is publicly known that the National Security Agency (NSA) has the most expansive counter-hacking program. Widely termed as offensive defence, it is the ingenious methodology by which one piggybacks on the very conduits of the hacking operation to exploit its attack staging infrastructure, acquiring a crucial opportunity to unmask the actors.

 There was a lot of reluctance to share even a part of the hacking evidence related to Russia’s involvement in the US elections. (Photo: iStock Photos)
There was a lot of reluctance to share even a part of the hacking evidence related to Russia’s involvement in the US elections. (Photo: iStock Photos)

To quote from another essay of mine, Cyberspace as A Theatre of ‘Non-Linear War’:

DEFIANTWARRIOR devours signals from the electronic dragnets run by the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the US), the mid-point exploitation frameworks of the General Communications Headquarters (the British counterpart of the NSA), and a worldwide active-passive collection platform worth half-a-billion dollars called TURBULENCE (or QUANTUMBOT) [9] [10]. The seamless, 360-degree and back-and-forth transition from the hostile cyberspace to its own that DEFIANTWARRIOR allows serves as a case in point for the massive efforts and resources required to guarantee foolproof attribution.

A Means to an End

Despite an expansive counter-hacking program, there was a lot of reluctance to share even a part of the hacking evidence.

And then, an odd set of events transpired in Moscow. Right after the swearing-in of Donald Trump, operatives from the Russian intelligence agency FSB arrested one of their own, the head of the cyber operations division. Sergey Mikhaylov wasn’t just detained, but unceremoniously dragged out of a meeting covered with a black mask. Days later, a senior researcher from the antivirus giant Kaspersky was picked up, too. The message was loud and clear – Kremlin was cracking down on a nexus of double agents.

I would not even begin to join the dots – as investigative journalist Brian Krebs has already drawn some breath-taking conclusions – but this was a secret so damning that the US was willing to keep it at any cost. The final shred of evidence, the veritable last nail in the coffin against the hacks, didn’t come from the US’s full-frontal attribution capability, but from the oldest known trick in the book – human intelligence.

In matters of risk assessment, it was the correct thing to do – you just can’t go on the biggest diplomatic offensive based on the inputs gained solely from technical intelligence, regardless of the billions you may have spent on it. Alarming is the fact that the Russians got a whiff of the identities of the double agents – it ought to result in a serious internal probe in the US.

And that’s the strategic lesson to be learnt on attribution. It’s an indispensable component of a military doctrine, but ultimately just a means to an end. However, not building such capabilities in the first place is like clipping the wings of a bird before it can even fly.

India Has Lessons to Learn

The US is truly an exception with its enviable hegemony over the global communications infrastructure. Nimble nation states like ours may learn a lesson or two from Israel: Their surveillance footprint increases every time an Israeli defence, intelligence, cybersecurity or communications vendor bags a contract in a conflicted part of the world.

While dealing with them, one doesn’t even realise where the lofty ambitions of the vendor end and the tacit overtures of the government begin. It’s like a 50-year strategic roadmap for information dominance.

As Indian Armed Forces mull over the transition to integrated theatre commands, information-enabled initiatives would rest solely on the pivot of attribution. It is scary to even imagine that an offensive capability, kinetic or cyber, is expended without fully illuminating the adversary behind the curtain. In a tense subcontinent, a wily third-party may even machinate a perfect false-flag operation that brings the sparring neighbours to brinkmanship.

(The writer helped set up the cyber-warfare operations centre at the NTRO, India’s technical intelligence agency. This story was first published in his personal blog and the views expressed above are the author’s own. The author can be reached on Twitter@mleccha. The Quint neither endorses nor is responsible for the same)

Cyberspace as A Theatre of ‘Non-Linear War’ – DEFCOM, a journal of the Indian Army

A paper for DEFCOM India, a prestigious journal of the Indian Army, edited by the Corps of Signals.

Vol 3 No 1 2017

Abstract – This paper explores the hypothesis that any modern information operations (INFOOPS) framework must understand the symbiotic, reflexive and inter-disciplinary arrangement between offence and defence. It postulates that information or intelligence, by its very technical nature, is of dual use and the key to an effective paradigm of strategic depth in cyberspace is to minutely understand the transitional nature of the domain. By citing emerging doctrinal approaches of other military powers, this paper highlights the problems that hinder seamless situational awareness across highly fluid informational spaces and cyber-geopolitical boundaries.

 

Keywords :  Information operations, cyber defence, situational awareness and strategic depth.

_________________________________________________________________________________

 

  1. INTRODUCTION

1.1    Most INFOOPS frameworks inherit the rigid binaries around offence and defence that are generally applicable to the contemporary theatres of war. The kinetic nature of other informational spaces has also influenced the doctrinal approach towards cyberwar – wherein actions and counter-actions are seen through the lens of cause-effect, friendly-hostile, deterrence, proportional response, territoriality and other such conventionalities of military operations.

 

1.2    This paper builds upon the argument put forth by the Russian Chief of General Staff Valery Gerasimov that with the advent of “mobile, mixed-type groups of forces, acting in a single intelligence-information space”, the states of war and peace are now virtually indistinguishable. Gerasimov’s premise of a ‘non-linear war’ has captured the imagination of the Western strategic punditry, which has obsessively clung to the essence of his observations that ‘war is everywhere’.

1.3    Within the transitory realm of global geopolitical shape-shifting, cyber-capability has become an indispensable commodity of power. By briefly studying the competing frameworks of cyber offense and defence – and the subtle interpolations between the two – this paper arrives at the tenets for India’s own posturing in the arena.

 

  1. IN THE KAFKA-LAND OF OPSEC & ATTRIBUTION

2.1    Never in the history of American politics has the schism between the United States (US) administration and the Intelligence Community been subjected to so much public scrutiny than it was during the presidential election of 2016 [1]. In a battle of perspectives, various arms of the US establishment pitted themselves against each other – the Federal Bureau of Investigation struggled with the allegations of partisanship and the Central Intelligence Agency felt so isolated that it feared losing the confidence of the incoming President – as the very legitimacy of the electoral process started getting questioned [2].

 

2.2    The pivot of a seemingly uni-polar world came under tremendous strain, all because of a trivial hack of the Democratic National Convention’s (DNC) computer network. A rather unsophisticated spear phishing attack compromised the email accounts of the key functionaries of the DNC’s campaign team. Knowing well that people are more prone to their impulses over fast-paced online communications, the hacker selectively leaked some of the emails in a series of long-drawn, well-timed public disclosures. The uncensored chatter in an extremely dynamic situation got permanently etched into the public consciousness – doing incalculable damage to the candidacy of the DNC’s two front-runners, Hillary Clinton and Bernie Sanders.

Picking on the trail of slip-ups in the attacker’s operational security (OPSEC) measures, premier cyber counter-intelligence teams from the private sector were the first ones to point fingers towards the Russian intelligence apparatus [3]. But it wasn’t until the outcome of the election that the US administration officially acknowledged the roles of the Russian Federal Security Bureau and Glavnoye Razvedyvatel’noye Upravleniye (its military intelligence agency).

 

2.3    In an unprecedented move amidst the growing public and political pressure, The Office of the Director of National Intelligence and the National Cybersecurity and Communications Integration Centre of the US declassified two separate reports [4] [5]. These dossiers walked a very thin line between establishing the credibility of the investigative findings and the concealment of the intelligence tradecraft in doing so.

But whistle-blower Edward Snowden had already tweeted that XKEYSCORE – the National Security Agency’s (NSA) all-encompassing signals intelligence (SIGINT) search engine – facilitates the tracking of cyber-espionage campaigns, actors, botnets and exfiltration channels [6]. He also claimed to have used it to home-in on Chinese operations, expressing that “[cyber counter-intelligence] being the only case in which mass surveillance has actually proven effective.”

 

2.4    The way the internet has been designed, hacker attribution remains the most pressing of challenges and an investigation can come to a grinding halt in the very initial stages. Putting all your bets on the OPSEC mistakes of the adversary is a risk which intelligence agencies simply can’t afford to live with – it is also a recipe for a perfect false-flag operation. The US Government’s (USG) reports on Russian hacking must have fused the inputs of multiple human and technical sources from various offensive and defensive espionage functions – transcending the cyber-physical divide –  making them feel confident enough to issue sanctions against specific individuals and organisations [7].

 

2.5    A 2010 presentation from the trove of classified documents leaked by Snowden reveals the workings of one such counter-hacking program codenamed DEFIANTWARRIOR [8]. Run by the Tailored Access Operations (TAO) – a highly-specialised Computer Network Exploitation unit under the NSA – it leverages the multifaceted SIGINT capabilities of many platforms for just one task: undertake the hostile takeover of foreign botnets.

 

2.6    DEFIANTWARRIOR devours signals from the electronic dragnets run by the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the US), the mid-point exploitation frameworks of the General Communications Headquarters (the British counterpart of the NSA), and a worldwide active-passive collection platform worth half-a-billion dollars called TURBULENCE (or QUANTUMBOT) [9] [10]. The seamless, 360-degree and back-and-forth transition from the hostile cyberspace to its own that DEFIANTWARRIOR allows serves as a case in point for the massive efforts and resources required to guarantee full-proof attribution.

 

  1. WAR IS EVERYWHERE

3.1    If the assertions of the USG are correct, then this incident also provides a fascinating peek into the changing narrative of war. While there is no publicly available proof or postulation to make one believe that the Russian establishment endorses a specific military doctrine, a strikingly candid article written by its Chief of General Staff Valery Gerasimov has kept the pundits intrigued [11].

3.2    Written for Voenno-promyshlennyi kur’er (Military-Industrial Courier) – a mouthpiece so inconsequential that it belies the attention garnered by the article with an equally ambiguous title: The Value of Science of In Prediction. Yet, the Western strategic community has deconstructed its every sentence and punctuation many times over, hoping that it will reveal itself like some esoteric Kabbalahscript. So much is the popularity of the piece, that someone even re-christened it as the ‘Gerasimov Doctrine’.

 

3.3    To assume that it speaks for the whole of the Russian defence establishment may be farfetched; nevertheless, it does serve as a pointer to the prevalent schools of thought. Gerasimov summarily and impressively observes that just like the “blurring [of] the lines between the states of war and peace” the “differences between strategic, operational, and tactical levels, as well as between offensive and defensive operations, are being erased”. He goes on to propose the paradigm of what the pundits prefer to as the ‘non-linear war’:

 

3.4    These days, together with traditional devices, nonstandard ones are being developed. The role of mobile, mixed-type groups of forces, acting in a single intelligence-information space because of the use of the new possibilities of command-and-control systems has been strengthened. Military actions are becoming more dynamic, active, and fruitful. Tactical and operational pauses that the enemy could exploit are disappearing. New information technologies have enabled significant reductions in the spatial, temporal, and informational gaps between forces and control organs. Frontal engagements of large formations of forces at the strategic and operational level are gradually becoming a thing of the past. Long-distance, contactless actions against the enemy are becoming the main means of achieving combat and operational goals. The defeat of the enemy’s objects is conducted throughout the entire depth of his territory.

 

3.5    For a nation that is economically the size of Italy – crippled by international sanctions and shrunk by the price drop of its major export, crude oil – this may appear to be a very valid militaristic worldview. As the analysts say, it perfectly falls in line with Russia’s geopolitical trumps in Ukraine and Syria.

 

3.6    The media commentators have also used it to conjecture why the DNC hack played out the way it did [12]. However, the only takeaway from all the theorising is that when ‘war is everywhere’, the limelight mainly falls on cyberspace. This applies to all the nations claiming a stake in the future.

 

  1. GOOSE-STEPPING THE INDIAN CYBERSPACE

4.1    The challenge for emerging military powers like India is to see beyond the ambit of the ‘kinetic mindset’. Aggression or hostility may not precede the application of force. The notions of cause-effect, deterrence, proportional response, territoriality and other such conventionalities of military operations may not be applicable anymore.

 

4.2    The first tenet that needs to be enshrined is that information or intelligence by its very nature is of dual use. Any INFOOPS paradigm must understand the symbiotic, reflexive arrangement between defence and offence, also deducing the transitional stages where there is no realisable difference between the two.

 

4.3    It’s a lesson that the US military learnt well from its failings and has been harmonised with its chain of command. In 2008, the US Department of Defence had discovered another trivial cyber-attack on its infrastructure. A run-of-the-mill computer worm ended up infecting thousands of systems belonging to classified networks that are physically and logically separated (air-gapped) from the internet. The INFOCON –  the threat level classifier for the American cyberspace – was elevated to three. The Pentagon launched an exhaustive clean-up operation called Operation Buckshot Yankee that lasted for fourteen months.

 

4.4    Though not the first of such outbreaks, it received the unprecedented response of being seen as an attack on the US soil [13]. With its enhanced situational awareness, the NSA could trace the malicious pings to certain actors. In an ingenious use of its offensive capability for defence, TAO exploited foreign systems to look for potential variants and weed them out. But the NSA stepped into a grey area as it was not authorised to undertake military operations. On the other hand, the Pentagon’s cyber-offensive unit – Joint Functional Component Command, Network Warfare – was grappling with legal ramifications of neutralising non-military systems in friendly foreign cyberspace. To further aggravate the crisis, none had the mandate to probe into domestic civilian networks.

 

4.5    This seminal deadlock led to the creation of the US Cyber Command (USCYBERCOM). But seeing the synergistic nature of offense and defence, it was co-located with the NSA at Fort Meade to tap into its phenomenal active-passive collection infrastructure. The Director of the NSA also became the ‘dual-hatted’ chief of the USCYBERCOM.

 

4.6    The second tenet that the Indian Armed Forces must imbue is that the theatre of cyberwar can’t be clearly demarcated. Even to this day, its cyber-defence frameworks are built on the arcane notion of air-gapping. There are documented public instances where TAO-authored malware like the Equation Group have penetrated physically isolated networks in India with ease, remaining persistent for decades [14]. It may be accomplished in a variety of ways – by exploiting the human component or by merely piggybacking on the pervasive super-set that is the electromagnetic spectrum [15]. COTTONMOUTH is one example from the NSA’s play-set to jump the air-gap, the interdiction of Cisco and Juniper routers to install implants and backdoors in them is another [16] [17] [18]. Even the unanticipated radio signals emanating from the systems and its thousands of components open a space for exploitation – a fact known to the NSA since the Cold War [19].

 

4.7    The third tenet applies to all the policy-making arms of the Indian Government. Pulverising every node of adversary’s information backbone, much before a kinetic action, is not a tale of science fiction but the stark reality staring right at us. Like the NSA Operation Nitro Zeus which planted a logical time-bomb in all of Iran’s critical infrastructure, a futuristic foe may already be knocking at our doorsteps [20]. Any outward looking INFOOPS initiative to use cyber as an instrument of strategic depth should also peek inwardly into the existential threat it poses. Every act of compromise paves the technical way for a counter-attack to piggyback upon it. It was evident when the NSA’s cyber-attack staging servers were infiltrated by a mysterious hacking group and its toolkits released to the public [21].

 

4.8    Intuitively, the NSA’s own OPSEC methodologies can come to the rescue. The exfiltrated data from compromised systems is routed from the Low Side (the insecure internet) to the virtual Listening Posts on the NSA’s High Side (a logically different network operating on a set of secure protocols) [9]. It uses interfaces called data diodes (uni-directional hardware security gateways) codenamed SURPLUSHANGAR and HANGARSURPLUS to facilitate ingress and egress flows to and from the High Side.

 

  1. CONCLUSION

5.1    Largely driven by geopolitical imperatives, the powers-that-be have wilfully propagated a broken internet, but this mine may soon run out of gold if the odds to sustain it become too high [22] [23]. How and when would a piece of chip or a line of code open a window of vulnerability may remain unknown until the Rubicon is crossed. The millions of permutations and combinations leading to the exploitable attack paths increase exponentially with every added interface, and there are thousands of it in a single computational system.

 

5.2    The challenge for India is to allocate billions of dollars and create a ten-year roadmap for information dominance that covers everything from indigenisation, manufacturing, staffing, real-time situational awareness, cyber resilience, a policy and command structure, and covert expeditionary operations to a full-spectrum INFOOPS framework covering the political, diplomatic, economic, social, and military dimensions. The unclear and overlapping demarcations between an aberration and an attack, between prevention and response, and between friendly or hostile and domestic or foreign informational spaces must be waded through elegantly, if not commandingly.

 

REFERENCES

  1. K. Gilsinan and K. Calamur, “Did Putin Direct Russian Hacking? And Other Big Questions,” The Atlantic, 6 Jan 2017. [Online]. Available:   https://www.theatlantic.com/international/archive/2017/01/russian-hacking-        trump/510689/.
  2. H. D. Parton, “Spy vs. spy: The CIA says Russia hacked the election to help Trump – and we know the FBI did,” Salon, 12 Dec 2016. [Online]. Available:           http://www.salon.com/2016/12/12/spy-vs-spy-cia-says-russia-hacked-the-   election-to-help-trump-and-we-know-the-fbi-did/.
  3. T. Rid, “How Russia Pulled Off the Biggest Election Hack in U.S. History,” Esquire, 20 Oct 2016. [Online]. Available: http://www.esquire.com/news-      politics/a49791/russian-dnc-emails-hacked/.
  4. National Cybersecurity and Communications Integration Center & Federal Bureau of Investigation, ” JAR-16-20296: GRIZZLY STEPPE – Russian      Malicious Cyber Activity,” 29 Dec 2016. [Online]. Available: https://www.us- cert.gov/sites/default/files/publications/JAR_1620296A_GRIZZLY%20STEPP      E-2016-1229.pdf.
  5. Office of the Director of National Intelligence, USA, “Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The           Analytic Process and Cyber Incident Attribution,” 6 Jan 2017. [Online].         Available: https://assets.documentcloud.org/documents/3254237/Russia-          Hack-Report.pdf.
  6. S. Biddle, “TOP-SECRET SNOWDEN DOCUMENT REVEALS WHAT THE NSA KNEW ABOUT PREVIOUS RUSSIAN HACKING,” The Intercept, 29 Dec    2016. [Online]. Available: https://theintercept.com/2016/12/29/top-secret-          snowden-document-reveals-what-the-nsa-knew-about-previous-russian-     hacking/.
  7. US Department of the Treasury, “Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations,” 12 Dec 2016. [Online].     Available: https://www.treasury.gov/resource-center/sanctions/OFAC-          Enforcement/Pages/ 20161229.aspx.
  8. National Security Agency, “20150117-Spiegel-Overview on the NSA Use of Bots and the DEFIANTWARRIOR Program,” 24 May 2010. [Online].       Available: https://www.eff.org/document/20150117-spiegel-overview-nsa-use-    bots-and-defiantwarrior-program.
  9. R. Sesek, “Unraveling NSA’s TURBULENCE Programs,” Robert Sesek’s Homepage, 15 September 2014. [Online]. Available: https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html.
  10. L. Constantin, “The NSA not only creates, but also hijacks, malware with Quantumbot,” ComputerWorld from IDG, 29 Jan 2015. [Online]. Available:           http://www.computerworld.com/article/2871687/the-nsa-not-only-creates-but-          also-hijacks-malware-with-quantumbot.html.
  11. M. Galeotti, “The ‘Gerasimov Doctrine’ and Russian Non-Linear War,” In Moscow’s Shadows, 6 Jul 2014. [Online]. Available:           https://inmoscowsshadows.wordpress.com/2014/07/06/the-gerasimov-    doctrine-and-russian-non-linear-war/.
  12. M. K. McKew, “Putin’s Real Long Game,” Politico Magazine, 1 Jan 2017. [Online]. Available: http://www.politico.com/magazine/story/2017/01/putins-         real-long-game-214589.
  13. E. Nakashima, “Cyber-intruder sparks response, debate,” The Washington Post, 8 Dec 2011. [Online]. Available:           https://www.washingtonpost.com/national/national-security/cyber-intruder-      sparks-responsedebate/2011/12/06/gIQAxLuFgO_story.html?utm_term=           .3b5bdf971058.
  14. D. Goodin, “How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last,” ArsTechnica, 17 Feb 2015. [Online]. Available: http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-    nsa-hid-for-14-years-and-were-found-at-last/.
  15. National Security Agency, “The SCS Cyber Advantage,” Duncan Campbell’s Website, [Online]. Available: 
  16. National Security Agency, “ANT CATALOG: USB,” GOV1.INFO, [Online]. Available: https://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html.
  17. S. Gallagher, “Photos of an NSA “upgrade” factory show Cisco router getting implant,” ArsTechnica, 15 May 2014. [Online]. Available: http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory- show-cisco-router-getting-implant/.
  18. K. Zetter, “New Discovery Around Juniper Backdoor Raises More Questions About the Company,” Wired, 8 Jan 2016. [Online]. Available: https://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-        raises-more-questions-about-the-company/.
  19. REDACTED, “TEMPEST: A Signal Problem,” National Security Agency, 27 Sep 2007. [Online]. Available: https://www.nsa.gov/news- features/declassified-documents/cryptologicspectrum/assets/files/tempest.pdf.
  20. P. Szoldra, “The US could have destroyed Iran’s entire infrastructure without dropping a single bomb,” Business Insider, 7 Jul 2016. [Online]. Available:           http://www.businessinsider.in/The-US-could-have-destroyed-Irans-entire-       infrastructure-without-dropping-a-single-bomb/articleshow/53089295.cms.
  21. P. Singh, “The ‘Shadow Brokers’ & The NSA Hack: Some More Wild Conjecturing in A Wilderness of Mirrors,” Bhujang, 17 Aug 2016. [Online]. Available: https://bhujang.net/blog/the-shadow-brokers-the-nsa-hack-some-      more-wild-conjecturing-in-a-wilderness-of-mirrors/.
  22. C. Timberg, “Net of insecurity: The real story of how the Internet became so vulnerable,” The Washington Post, 30 May 2015. [Online]. Available: http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-    1/.
  23. J. Wallen, “Zero Days: Why the disturbing Stuxnet documentary is a must- see,” TechRepublic, 31 Jul 2016. [Online]. Available: http://www.techrepublic.com/article/zero-days-why-the-disturbing-stuxnet-           documentary-is-a-must-see/.

India: Cyber-Readiness at a Glance – Potomac Institute

 

Melissa Hathaway led a task force on cyber in the Bush administration and was a member of Obama’s National Security Council.

I have particularly followed her writings since 2009, while she was a contributor to Project Minerva — a US Department of Defense funded initiative to create a new geopolitical taxonomy for cyber.

Hosted at Harvard and the MIT, it made path-breaking contributions to the strategic discourse, touching upon the inter-disciplinary impact of cyberspace on foreign policy, international relations, military doctrine and the nature of conflict.

Melissa is currently a Senior Fellow at the Potomac Institute for Policy Studies, where she has taken it upon herself to give an objective marker to the cyber readiness of various nation states. It’s a painstaking, laborious and admirable exercise.

This year, her team has come up with a report on India. It was truly a pleasure to contribute to it.

Without further ado:

India: Cyber Readiness At A Glance (PDF)
http://www.potomacinstitute.org/images/CRI/CRI_India_Profile.pdf

Digital India’ Needs To Be Cybersecurity Ready – BusinessWorld Disrupt

Published by BusinessWorld Disrupt: http://bwdisrupt.businessworld.in/article/Digital-India-Needs-To-Be-Cybersecurity-Ready/09-01-2017-110980/.

While the details of a computer breach that compromised 3.2 million Indian debit cards are feeding the frenzy, a trained security professional remains more concerned about the incidents that pass below the radar.

The technology industry silently suffers from the agony of knowing that a majority of the cyber attacks would go unnoticed. Any connected society is perpetually at war now – waged by the faceless hacker, conspicuous yet paradoxically absent, who understands that the denial or access to information can break nations and economies.

In the last two months itself, I have tracked computer intrusions that threatened fair elections in a democracy, pilfered classified documents from a defence contractor with connections to India, undermined the civil liberties of individuals globally and hampered the growth of promising Indian startups. The laundry list simply too long, but the gist is clear.

The hacker here is, what the conventional strategic theorists term, an asymmetric threat. To put it simply, a bunch of motivated actors with an internet connection can completely neutralise the defences of a nation, by poisoning its most essential resource, information. The scales of this online conflict are so misaligned that government organisations still make the mistake of assuming that force, deterrence or legality have some kind of importance in cyberspace.

Sometime ago, I assisted Melissa Hathaway, who was a cybersecurity advisor to Obama and Bush, in preparing a Cyber Readiness Index for India. The report, which would soon be released to the public, undertakes the complex job of calculating the resiliency of Indian cyberspace, that should now be seen as an extension of its sovereign territory. It states that India faces a herculean task of improving upon all markers of its cyber health like national strategy, incident response, e-crime and law enforcement, information sharing, investment in R&D, diplomacy and trade, and defence crisis and response.

Yet, an important takeaway gleaned from comparing India’s Cyber Readiness Index with that of other nations is that the underlying challenges and opportunities remain pretty much the same, regardless of the levels of their economic advancement. Ill developed technology, oddly, even in this case, acts as the great global equaliser.

The one tenet which should be enshrined in the charter of ‘Digital India’ is that sharing is caring. The internet is going to remain shaky for the coming many decades as its foundational mechanisms were engineered for efficiency, not security. Its each and every communication interface, operating in a logical silo, requires an additional layer of oversight and monitoring. This fragmentation, also affecting cybersecurity products, still impedes fully reflexive defence.

So countries like the US have institutionalised open and collaborative frameworks to share cyber threat intelligence across organisations in an automated way. They allow indicators of suspicious activity to be disseminated within a matter of seconds, allowing the participating entities to build dynamic defences. The relayed intelligence only comprises of privileged technical metadata, devoid of any personal information.

Another logic which drives this concept is that a typical cyber attack generally exploits similar infrastructure and entities within different organisations. The inter-dependencies between them also become the blind spots for security. The breach of Indian debit cards is a perfect case in point, where, possibly, a single strain of malware affected multiple banks or one of their exchange points.

While the vantage point of each bank was shallow, sectoral collaboration might have helped in stopping the leak sooner.

In any case, this idea is way better than the older alternative of monitoring internet traffic at key gateways that rightfully became a rallying cry for the privacy activists.

While India has shown considerable interest in the sharing of such standards, evident from the second Indo-US Cyber Dialogue held in October, the focus should mainly be inward [Indian domestic affairs]. A relentless engagement at the policy, regulatory and technological levels – to nurture a synergistic, multi-stakeholder arrangement covering the private and public sectors – could be the possible next step. The National Cyber Coordination Centre led by nation’s first cybersecurity chief, Dr. Gulshan Rai, could become its agency.

The Reserve Bank of India recently appointed its first information security officer and has already formalised a sectoral sharing interface called Indian Banks – Centre for Analysis of Risks and Threats (IB-CART). The irony being that while the financial services sector in the US commendably spearheaded the adoption of sharing standards, the IB-CART still disseminates the intelligence manually.

Cyber investigators, like their traditional counterparts, have always followed the money. Online heists carry much more potency and visibility when its sensational details become public, so this may be an apt juncture to spawn a nationwide movement encouraging cyber resilience. Cyber Readiness should also join the list of India’s primary social development indices, permanently engraving it in our national ethos.