Managing our porous digital frontlines

FROM Mongolia to the United States, Prime Minister Narendra Modi has inked a cybersecurity pact with nearly every country he has visited.

 

Laying out the grand plan of a ‘Digital India’ this July, lavishly spattered with tech jargon, he drew attention to the “global threat of a bloodless war”. The cautionary tone eerily reminded me of novelist William Gibson – largely credited for popularizing the term “cyberspace” – and his anxieties of a dystopian future. 

 

At the deliberations of NASSCOM’s Cyber Security Task Force, I, too, stressed upon the creation of a “cyber military industrial complex” to prepare for a digital onslaught. 

 

As the new government took over the reins, it summarily appointed Dr. Gulshan Rai as the country’s first cybersecurity czar.

 

These razor-sharp strategic impetuses mark the culmination of an internal policy churn within the national security establishment as it treaded the road of information dominance over the last five years.

 

It was immediately after the 26/11 attacks that the national cyber-warfare doctrine got institutionalised under the National Technical Research Organisation, with peripheral involvement of the Indian Armed Forces and the National Security Council (NSC). 

 

As the offensive teams started pricking and prodding adversory networks, there was a sudden epiphany on the irreparable damage to our national security that had happened from within. The “Red Team” soon got engrossed in counter-intelligence as it scoured through the domestic networks, looking for the telltale signs of cyber espionage.

 

Over the wire, we saw the awful spectre of gigabytes of nation’s classified documents getting purloined – memories of which still pain my heart – becoming a solemn undertone to the Prime Minister’s alarmist portrayal of cyberspace.

 

Some seminal policy patches have been applied since: the National Critical Information Infrastructure Protection Centre (NCIIPC), the National Cyber Coordination Centre (NCCC) and the National Cyber Security Policy.

Yet, between the unclear modalities of the bilateral pacts and our schizoid denial of ongoing threats, a chasm exists mired with confusion.

 

In just the last two months, security vendors have disclosed five cyber campaigns targeting highly sensitive Indian establishments and corporations, stealing tons of government documents and intellectual property over many years. However, the nodal agencies responsible for containment had nothing to say.

 

The post-Snowden era marks the departure of the Internet from a territory of commerce to a battlefield balkanised to the extreme. From the thousands of “implants” of the National Security Agency sucking the marrow out of India’s sovereignty to a multibillion dollar global cybersecurity industry whose players have been co-opted, it seems as if almost everyone has taken sides. From the misdirected attention towards the Huaweis, the conspiratorial silence of the Ciscos and the RSAs on product backdoors to the selective disclosures of the Symantecs, Fireeyes and Kasperskys, who seem to detect every new attack vector but of their own nation’s, the liberal dream of a neutral cyberspace has been goose-stepped upon and mauled.

 

Standing on such porous digital frontlines, the Prime Minister sounded the bugle of cooperative, ratified cyber-defence.

 

It is for certain that foreign vendors could never be trusted fully again. The global security community, known for open information exchange, is already shutting the doors. The nation states are tempted to leverage the asymmetric potential of this domain by picket-fencing it with the restrictions of the Wassenaar Arrangement, exercising export control on sensitive technologies.  Indigenisation of cyber-defence, thriving on a robust entrepreneurial ecosystem and the unbridled support of the military, is the need of the hour. The NSC has already allocated Rs. 1,000 crores for that. Bilateral technology transfer initiatives should be undertaken to facilitate the process. Notable are the successes of Israel that has captured a massive $6 billion of the global cyber market.

 

The funny thing is that even the Goliaths can’t see what passes between their legs. The US government got hit by the largest ever data breach in its history, the Office of Personnel Management (OPM) hack. A prized database that kept the most closely guarded secrets of 21 million government employees and contractors now lies scattered on the bed of an enemy state like a pirate’s plundered wares, ripe for elaborate blackmail and espionage.

 

However, remarkable was the response and the swiftness of attribution. Some sweeping changes are being undertaken. The US is at the cusp of a cyber-intelligence revolution. One of the major reasons why sophisticated attacks, generally called Advanced Persistent Threats, slip through the radar is because the varied commercial security products rarely ever talk to each other. Every vendor greedily holds on to the threat intelligence in an industry that heavily thrives on marketing the fear psychosis. The little information that came from specialized services was meant to be interpreted manually. It generally led to delays in incident investigations that require broadened situational awareness.

 

Realizing this loophole, the Department of Homeland Security spearheaded an industry-wide, threat intelligence sharing model, whose key standards are Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). These open protocols, which allow attack indicators to be shared across multi-vendor platforms in milliseconds, will form the backbone of civilian cyber-defence in the US. Almost all companies have lapped it up with Information Sharing & Analysis Centres for each of the verticals (e.g. healthcare, finance & energy, etc.) becoming the nodal bodies for such an exchange and rapid response. These are in the process of getting recognised by the American National Standards Institute, which may indirectly pave the way for global cyber intelligence regimes, not to mention a lucrative threat analytics market.

 

It is about time that India also got its act together. If the NCCC is indeed the agency responsible for civilian cyber defence, then national threat intelligence sharing needs to become its sole focus. Also, the NCIIPC – a pivotal organization in terms of mandate, now stymied by red tape – ought to undertake an earnest effort to define our cyber borders with the same feverish intensity as that of the Prime Minister.