A special column for the 35th anniversary issue of the Business World magazine.
Digital India 2035: Cyber threats are a spanner in India’s growth engine
When I was enlisted into a government organisation as a cyber warrior, the mandate was crisp and explicit. The 26/11 attacks had just overwhelmed the security establishment, as keywords like encryption and hacking entered the vocabulary of a new-age war.
A handful of us were tasked to burrow deep into the rabbit hole of cyberspace, sniffing for information intimate to the adversary, bolstering our own intelligence collection cycle in return. Yet, within a year, the focus shifted inwards. With the gradual awareness that came from realizing the vulnerability of the internet, we saw that our own organizations were teeming with spyware and implants.
It was in 2010 that a cyber-espionage attack was etched into the institutional memory of the Indian government when we detected intrusions into the most sensitive establishments.
Six years wiser — though a lot has probably been done to secure our networks — the only marked difference is that rather than us painting the doomsday scenarios, it appears we have left it to the hackers to spell the impending chaos. Take, for example, a group called The Legion, which bragged about a series of high-profile hacks of Indian politicians and journalists, claiming to be capable of much more. In one of their interviews, there was a cursory mention of ‘reverse engineering’ NEFT and RTGS, the transaction protocols that are the backbone of Indian banking. Though they portray themselves as drug-fuelled anarchists with a death wish, their delinquency should not be taken lightly. While they perfectly fit the counter-cultural profile of the hacker archetype, it could very well be a campaign of elaborate disinformation.
On the other side of the world, a wily actor has just destabilized the electoral process of the world’s last contemporary superpower with a few flicks of the keyboard. That is the Russian intelligence’s information warfare doctrine called Kompromat. NBC News has cited months of research and incontrovertible evidence to claim that the Russian president had personally commandeered the hack of the Democratic Party of the US, altering the outcome of the 2016 elections.
Welcome to the fog of the ‘hybrid war’, as the pundits term it. Here, one really can’t differentiate between the raging hormones of a teenager and the rambunctiousness of a foreign spy agency. The spectrum of this conflict is so wide and the attack surfaces so abundant that the conventional defences of a nation won’t even trip. Information, the life blood of an economy, is the only currency of global dominance now.
Cyberwar is a monster that feeds on ‘asymmetricity’ – a small action producing an exponentially large outcome. Neither the laws, nor the traditional doctrines of deterrence or proportional response are applicable to it. You can’t wage a surgical strike in cyberspace. The information that has ceased to be under your control can’t be reannexed like a lost territory. Attribution, the technical process of unmasking the attacker, is mathematically impossible on a system that encourages complete anonymity.
The internet as we know it is fundamentally broken. It will require trillions of dollars and remarkable geopolitical will to fix this virtual battlefield. While we reluctantly inch towards that, nation states are truly enjoying the exercise of absolute power that it facilitates.
Political theorist Steven Lukes says there are three faces of ‘invisible power’. The first creates the favourable conditions to win an argument, the second relies on covert manipulations to set a winnable agenda in the first place and the third subverts the underlying constructs so that a society never even reaches the stages of discord. Or to put it differently, you make people act against their own will by conditioning what they want.
In that way, cyberspace is truly its third face. Its foundational insecurities not only threaten the fabric of governance, but the very sovereignty of a connected society.
The National Security Agency of the US seems to have foreseen it decades ago. In the Indian context, piecing together the puzzle left by the whistle-blower Edward Snowden, I have found that every communication interface, every chip, every line of code powering the Indian cyberspace could have been manipulated or is prone to it. The information that went out, and is still going out, has probably set back our national security by decades and shaved a couple of percentage points off the GDP.
Till then, just game the probable geopolitical outcome of cyber-surveillance dragnets: classified documents on national security exfiltrated, compromise of VVIP communications infrastructure, backdoors in battlefield command-and-control, pre-empting the posturing on global issues and rigging of the financial system.
With this premise, I bootstrapped my venture Bhujang with a like-minded group of decorated faujis and defence entrepreneurs. Building homegrown cybersecurity systems is not a business priority, but an existential necessity.
With the clarion call of ‘Digital India’, we are literally riding a wounded tiger. Time moves so swiftly in cyberspace that 2035 feels like eternity. Whether this century belongs to us would probably be decided in the coming decade. The knowledge economy that we seek to build can come to a grinding halt if systemic changes are not undertaken in our cybersecurity architecture. It is time that ‘cyber readiness’ joins the list of India’s primary social development indices, to permanently engrain it in our national ethos.