Without offensive cyber capabilities it is impossible to defend the nation's information sphere.
This is an annotated, unedited version of my The Intersection column that appears every other Monday in Mint.
A century ago, the declaration of war was a formal business. Diplomats in frock coats would turn up at chancelleries first to serve ultimatums and subsequently to hand-deliver notices of war. Some would even insist on reading them aloud for the benefit of the bemused recipients, who would then make arrangements for the safe departure of the enemy’s embassy. These age-old courtesies were abridged by the time of the Second World War, and terse telegrams replaced the frock coats. The advent of the Cold War, nuclear weapons and proxy wars of the 20th century put an end to the custom of formal declarations. In recent times, an incoming missile or fighter aircraft announces war. Even so, we are used to wars that have a start date and an end date.
Not anymore. Information warfare is an ongoing affair. Cyber warfare, its technical aspect, has already been militarised. It is global and continues regardless of whether or not states are in armed conflict. We cannot pinpoint the date, month or even year it started. And unfortunately we also cannot say when, if ever, it will end. States have no choice but to wage it. Gloomy as this sounds, at least so far the pursuit of politics through these other means has avoided large scale bloodshed that characterised industrial age conflicts.
In previous columns I have argued that India cannot consider itself a cyber power merely because it has a big tech industry, and that it must develop its own cyber weapons to defend its information space. It is therefore encouraging to see media reports suggesting that Indian government-connected entities have demonstrated capabilities of this kind.
Citing studies by a Russian cyber security firm, Forbes magazine’s Thomas Brewster reported last week that hackers associated with the Indian government (designated ‘Bitter APT’ by the industry) used commercially available zero-day exploits to break into Chinese and Pakistani government-linked computers. According to an Indian private cybersecurity expert I spoke to, these hackers most likely used indigenously developed tools to exfiltrate data from target devices. The American firm that sold the zero-day exploits has indignantly cut off the Indian government entity from its customer list for misusing its services. Dispassionate observers will not fail to notice that the righteous indignation is coming from a company that provides zero-day exploits to the US government and its allies, who presumably use them only for the anodyne business of updating their anti-virus software.
In TechDirt, Tim Cushing takes the dubious self-righteousness of the cyber weapons firms to the cleaners.
The hypocrisy of commercial cyber weapon vendors apart, the reports about Bitter APT’s exploits tell us of two important developments. First, that Indian cyber actors have moved up from using phishing methods to gain footholds in target devices to exploiting zero-day vulnerabilities. In other words, instead of relying on someone to click on a malware-loaded website or document, they are exploiting software bugs unknown to the vendor to gain entry into target computers. Zero-days sell for upwards of a million dollars in the international market, but the Bitter APT hackers allegedly got them off a $250,000-a-year subscription service and developed them further.
Second, the highly sophisticated software used to exfiltrate data appears to have been built indigenously and went unnoticed for several months before being detected in February 2021. From the information that is publicly available, the Bitter APT hack was used for cyber espionage, not for disruption. Even so, it is a public indicator of the level of India’s offensive cyber capability.
My working notes on conceptualising information warfare
Credible offensive cyber capability is necessary for at least two reasons. First, India presents attackers with a vast, sprawling target sphere, large parts of which are unguarded and perhaps even unguardable. It is thus not feasible to rely solely on perimeter security — the equivalent of stationing troops all along the border — as a strategy for cyber defence. It becomes necessary to deter adversaries from attacking in the first place. Deterrence in information warfare is a multi-layered concept, but requires the possession of effective cyber weapons to be credible.
See my old blog post for how the NPT ended up punishing India for its good behaviour, while proliferators let each other off and legitimised themselves.
The other reason to possess — and be seen to possess — cyber weapons is to ensure a place at the high table as a “cyber have” should countries eventually get down to negotiating arms control. The cyber generation must learn from its nuclear predecessor, when India was designated a non-nuclear weapon state in perpetuity for the sole reason that it had held off testing before an arbitrary date.
There are many more The Intersection columns here
If Bitter APT is indeed an Indian state actor, then its actions are a step in the right direction. The episode shows the importance of adopting both make and buy approaches for zero-day exploits. Remember, though, that any advance in cyber has an expiry date. Unlike with conventional and nuclear weapons, the need for continuous investment in talent and technology in offensive cyber capability is acute and relentless. There is no doubt a lot of urgent work India must do at a doctrinal level to craft a national strategy for information warfare, but the development of more advanced cyber weapons must take place in parallel.
© Copyright 2003-2021. Nitin Pai. All Rights Reserved.