Nitin Pai
A century ago, the declaration of war was a formal exercise. Diplomats in frock coats would turn up at chancelleries first to serve ultimatums and subsequently to hand-deliver notices of war. Some would even insist on reading them out loud for the benefit of bemused recipients, who would then make arrangements for the safe departure of the enemy’s embassy. These age-old courtesies had been abridged by the time of World War II, and terse telegrams replaced frock coats. The advent of the Cold War, nuclear weapons and the proxy wars of the 20th century put an end to the custom of formal war declarations. In recent times, an incoming missile or fighter aircraft announces war. Even so, we are used to wars that have a starting point and an end date.
Not anymore. Information warfare is an ongoing affair. Cyber warfare, its technical aspect, has already been militarized. It is global and continues regardless of whether or not states are in armed conflict. We cannot pinpoint the date, month or even the year it started. And, unfortunately, we also cannot say when it will end, if ever. States have no choice but to wage it. Gloomy as this sounds, at least so far the pursuit of politics through these other means has avoided large scale bloodshed that characterized armed conflicts of the Industrial Age.
In previous columns, I have argued that India cannot consider itself a cyber power merely because it has a big tech industry, and that the country must develop its own cyber weapons to defend its information space. It is therefore encouraging to see media reports suggesting that Indian government-connected entities have demonstrated some capabilities of this nature.
Citing studies by a Russian cyber security firm, Forbes magazine’s Thomas Brewster reported last week that hackers associated with the Indian government (designated ‘Bitter APT’ by the industry) used commercially available zero-day exploits to break into Chinese and Pakistani government-linked computers. According to an Indian private cyber-security expert I spoke to, these hackers most likely used indigenously developed tools to exfiltrate data from target devices. The American firm that sold the zero-day exploits has indignantly cut off the Indian government entity from its customer list for misusing its services. Dispassionate observers will not fail to notice that this righteous indignation is coming from a company that provides zero-day exploits to the US government and its allies, which presumably use them only for the anodyne business of updating their anti-virus software.
The hypocrisy of commercial cyber weapon vendors apart, the reports about Bitter APT’s exploits tell us of two important developments. First, that Indian cyber actors have moved up from using phishing methods to gain footholds in target devices to exploiting zero-day vulnerabilities. In other words, instead of relying on someone to click on a malware-laden website or document, they are exploiting as-yet-unknown software bugs to gain entry into target computers. Zero-days sell for upwards of a million dollars in the international market, but the Bitter APT hackers allegedly got them off a $250,000-a-year subscription service and developed them further.
Second, the highly sophisticated software used to exfiltrate data appears to have been built indigenously and went unnoticed for several months before being detected in February 2021. From the information that is publicly available, the Bitter APT hack was used for cyber espionage, not for disruption. Even so, it is a clear public indication of the level of India’s offensive cyber capability.
Credible offensive cyber capability is necessary for at least two reasons. First, India presents attackers with a vast, sprawling attack surface, large parts of which are unguarded and perhaps even unguardable. It is thus not feasible to rely solely on perimeter security—the equivalent of stationing troops all along the border—as a strategy for cyber defence. It becomes necessary to deter adversaries from attacking in the first place. Deterrence in information warfare is a multi-layered concept, but it requires the possession of effective cyber weapons to be credible.
The other reason to possess—and be seen to possess—cyber weapons is to ensure a place at the high table as a ‘cyber have’ should countries eventually get down to negotiating digital arms control. The cyber generation must learn from its nuclear predecessor, when India was designated a non-nuclear weapon state in perpetuity for the sole reason that it had held off testing a nuclear device before an arbitrary date.
If Bitter APT is indeed an Indian state actor, then its actions are a step in the right direction. The episode shows the importance of adopting both ‘make’ and ‘buy’ tactics for zero-day exploits. Remember, though, that any advance in the cyber realm has an expiry date. Unlike with conventional and nuclear weapons, the need for continuous investment in talent and technology in offensive cyber capability is acute and relentless. There is a lot of urgent work that India must do at a doctrinal level to craft a national strategy for information warfare, no doubt, but the development of more advanced cyber weapons must take place in parallel.