Mainstream, VOL LV No 29 New Delhi July 8, 2017

India’s Cyber Vulnerability and PSUs

GOVERNMENT MUST RETAIN CONTROL OF CRITICAL SECTORS

Tuesday 11 July 2017, by S G Vombatkere

Ransomware worm WannaCry struck at and crippled the UK’s National Health Scheme, causing a national emergency of sorts. The operations systems of British Airways, Lufthansa and Air France were targets of cyber attack on passenger handling, causing economic loss but fortunately no accident. All this is cause for concern in India, because of India’s huge vulnerability to cyber attack. Now [“India’s Su-30MKI likely downed by China’s Cyber Weapons”; <http://www.defencenews.in/article/I...>], an Indian Air Force Su-30 Mk-I jet fighter aircraft is suspected to have been downed by China’s cyber attack on its avionics system, without firing a shot. Is China checking out Indian military cyber vulnerability?

Worms are perhaps the mildest of threats, but there are other threats including human hackers, who break into systems to steal (copy) data or corrupt it, making data inaccessible temporarily or permanently, or infiltrate the operating system itself. These threats affect systems connected to the internet. Breaches of national or security databases are attacks on the nation and its sovereignty.

Defence

The word “defence” is usually connected with the armed forces, namely, the Army, Navy and Air Force, the formal defence sector together referred to as the military. The primary task of India’s military is to protect the nation’s territorial and political sovereignty and integrity, with appropriate use of military force.

Military operations are based upon seven parameters, namely, command, control, communications, computers, intelligence, surveillance and reconnaissance, shortened to C4ISR. Every one of these parameters is dependent upon computers and information technology (IT), and information warfare (IW) is a distinct branch of military operations. Cyber attack on military systems can neutralise one or more of the components of the C4ISR, and adversely affect military operations, reflecting upon our nation’s sovereignty.

The downing of the IAF’s Sukhoi fighter should be the trigger for India’s military to urgently work towards totally indigenous cyber security and then build on it. Also, India’s inter-Services communications interoperability and security need to be urgently established even as India is on the verge of signing the CISMOA for communications interoperability and security with the US military.

Beyond the Military

The national economy functions on the basis of the five parameters of the C4ISR, excepting surveillance and reconnaissance. Cyber attack on the national economy will have severe consequences on the effectiveness of its military. For example, a cyber attack on the railway operations computer system will at least temporarily halt railway movements to shift military units or military stores. Such a cyber strike at the transportation system will also lead to incalculable financial and economic loss.

Similar scenarios are possible for attacks on electricity power grids; telecommunications grids; police and internal security; banks, stockmarkets and trade-and-finance; petroleum sector; civil aviation; governance nodes; water supply; etc., all critical sectors affecting public order, safety and health.

A cyber strike on multiple sectors can cripple the economy and create public chaos. Realistic security should consider such worst-case scenarios, in which sovereignty will be the most serious casualty. Hence national defence concerns the critical sectors of the national economy in addition to military defence.

Cyber Attack and Sovereignty

Every computer operating system and its database are vulnerable. Experts in the IT-IW aver that a system is safe only until it is hacked. Defence against attack is regular but aperiodical change of passwords, data-encryption using secure algorithms and keys, firewalls, malware protection systems and other end-point security systems. Equally important is the hardware secretly embedded in computers or peripheral hardware at the chip- or silicon-level. “Back-doors” in computers, embedded transmitters in data routers and modems, implanted hardware or software in TVs or set-top boxes effectively making a TV into a surveillance camera, are known threats, for which we have no remedies.

It is vital to provide real-time protection to computers and systems in government offices and establishments. This is only possible if critical software involving data encryption, firewalls, etc., and critical hardware are actually made in India with in-house control and oversight by the Government of India (GoI).

India’s most all-encompassing database is the UIDAI’s Aadhaar Central ID Repository (CIDR), the creation of which was unfortunately contracted to a foreign firm linked to the intelligence community, giving it from-birth vulnerability. Its deliberate connection to all other databases makes it a prime target for hackers. A successful attack on the UIDAI’s CIDR by Pakistan or China (or for that matter by the USA, whose NIA has already successfully snooped on India and even its own NATO partners) would be a matter of national shame for a nation which prides itself on its indigenous competence.

It is necessary to note that at present, all items of critical hardware and software in the GoI and State Government offices and establishments (including the military and Aadhaar) are purchased from vendors in the market, and national safety and security are entirely dependent upon contractual penalties in the breach. Thus, cyber safety and national security are reduced to demanding monetary compensation subject to litigation in courts of law.

The foregoing amply demonstrates that indigenous production of critical IT hardware and software including know-how and know-why, is as much a national defence requirement as indigenous production of critical military hardware and critical expendables (ammunition). When the military human resource (the soldier) has to be 100 per cent Indian, the human resource employed in production of critical defence hardware and software also needs to be under GoI control. This can happen only when production is by a PSU under the GoI’s watch.

The Way Ahead

Given time, any system can be hacked. There is no 100 per cent safety, especially in the IT field. Cyber safety is a dynamic concept, since cyber attackers take advantage of new and hitherto unrecognised vulnerabilities even as system safeties are updated.

Indigenisation in its holistic sense means building indigenous capability for concept, design, development and production of assets of national strategic value. Indigenous production of critical items without GoI control may create jobs, but cannot provide security or protect sovereignty.

There is no substitute for indigenously produced and GoI-monitored critical IT hardware and critical software for systems and databases of national importance, which are central to the C4I for governments and the C4ISR for the military. The present total dependence on business houses for critical hardware and software must be phased out as a part of national strategy.

PSUs under the GoI’s oversight and control need to produce critical IT hardware and critical software. Rather than privatising PSUs and losing R&D and production infrastructure and trained human resource, the GoI would do well to examine how existing PSUs can be reorganised, re-jigged and re-tooled, existing human resource re-trained and competent human resource inducted, to meet the need for indigenous research and production of critical IT hardware and software in the interest of national security and sovereignty. Where necessary, private agencies should of course be contracted to supply PSUs with sub-critical systems, with the GoI retaining overall control on policy and production of critical items and systems. National defence, which clearly goes beyond military capability, deserves a very careful review.

Production of critical defence needs is not a matter of business strategy. It is an imperative of national strategy. National sovereignty cannot be subordinated to efficiency of PSUs. If a PSU is deemed inefficient, it is government’s responsibility to set it right in the national interest. Losing control over policy and production of critical hardware and software through disinvestment or privatisation of PSUs as business strategy, is clearly not in the national interest. The GoI and State governments must stop looking at security through the narrow tunnel of business and economic growth, as at present.

Are the State and Central governments listening? Hopefully India’s military is alive to its cyber vulnerability, and is doing something about it.

Major General S.G. Vombatkere, VSM, retired as the Additional DG, Discipline and Vigilance in the Army HQ AG’s Branch. With over 550 published papers in national and international journals and seminars, his area of interest is strategic and development-related issues.

ISSN : 0542-1462 / RNI No. : 7064/62