An opinion piece published in The Quint. The third in a series, originally titled ‘The Travails of an Indian Cyber Warrior’. I reason with the Deputy National Security Advisor, Dr. Arvind Gupta, to never equate cyber deterrence with nuclear deterrence, ever again. Here’s the text with hyperlinks and references:

As I exited the South Block, its magisterial domes carved in cream and red sandstone were a mere silhouette on that dim, foggy morning. Thought to be the finest specimens of Indo-Gothic architecture, the dizzyingly tall ceilings and wide spaces projected the vastness of a young, burgeoning republic that has often pursued diplomacy with a certain meditative detachment, almost emblematic of its spiritual heritage.

At Vijay Chowk, a missile launcher got stuck at the turn, as motorised tableaux depicting the lives and cultures of many Indian states made their way to the rehearsal of the Republic Day parade. A nation relishes the conventional symbols of authority, with spatiality and symmetry defining their grandeur. It’s a primal trait among our societies to equate power with presence.

 

Concluding my meeting with a senior functionary of the Ministry of External Affairs (MEA), it was the conspicuous absence of a dimension of power – both in the colonnades of diplomacy and the parade outside – that left me amused, if not surprised.

Cyberspace, where all the known equations of spatiality or symmetry fail, is a parallel universe with its own causal laws.

And like gravity, it tears through our physical reality even in its feeble but extremely influential form. Shaking my head, I remembered that it wasn’t the first time I had visited this nerve centre of the government with some reluctance, stemming from the futility of making such efforts. I have tasked myself to highlight a gap which, if left unaddressed, could affect our global posturing. It’s not a gap that can be bridged by the mere convergence of disciplines; it would require the creation of altogether new ones.

My earlier visits to the South Block involved the sanitisation of the computer of a Vice Admiral, while I was a foot soldier of the government, which was infected with an espionage malware and was leaking secrets from his office. And the next time was to create a cybersecurity policy, triggered by our report on the snooping of the Prime Minister’s Office (PMO).

The notion of time does exist in cyberspace, but its irreversibility is even starker and the destruction caused can be absolute and undeterminable. Dave Aitel, a hacker-turned-entrepreneur, picked up by the National Security Agency (NSA) at the age of eighteen to work as a scientist, had this to say:

I think this may be one of the distinguishing characteristics of the cyber domain – time is split inside it the same way it is in a ship traveling at near the speed of light. Things happen either very very fast, or very very slow, and they connect at both ends in weird ways the way particle physics connects to black holes.

And so, as I overwhelmed the MEA bureaucrat with expositions like, “the biggest asymmetric threat is not the al-Qaeda or the ISIS, but the global hacker counterculture”, a societal archetype that resounded with anti-establishment sentiments, anarchy and humanism in the digital age was regimented by the state. Traits that were inborn got mass-produced to fill the armies of information warfare. That’s the reason why the information security visionary Dan Geer, speaking for the whole American hacker community still shaken by the Snowden affair, titled his 2014 RSA Conference keynote address We Are All Intelligence Officers Now.

Is There Even an Actor in a Cyber Attack?

Indeed. A hacker is either a severe national security threat or a vital asset. There are no go-betweens anymore.

As the bureaucrat listened intently, my forewarning to not apply the expired taxonomy of the conventional strategic affairs discourse to cyber seemed providential in hindsight. I told him to request the geopolitical pundits to“never equate cyber deterrence with nuclear deterrence ever again”. But just last week itself, the Deputy National Security Advisor Dr Arvind Gupta spokeat length about “a theory and practice of ‘cyber deterrence’ on the lines of nuclear deterrence”. That’s the extent of the disconnect.

A cyber-attack deemed successful leaves no one to be deterred. There’s no present in cyber, only the past or the future, so nothing remains to be deterred. How does one apply the idea of proportional response to the most disruptive form of asymmetric warfare? For proportionality, one needs scale, while there’s none online. When the underlying architecture of the Internet is so broken that the actor – and I mean the real actor, not the hacker – can completely evade attribution, who’s going to bear the deterrence?

 

The most important question that arises: Is there even an actor in the first place?

The dull traditionalism of strategic doctrines fails to fathom that the destructive utility of cyber extends from a bored teenager to a nation state, with no prejudice towards either – and on this axis, the marker is constantly moving to-and-fro. It’s that subjective an assessment. There are no prisoners to be taken, no territories to be annexed – immutable neutralisation doesn’t apply to an act which targets entities rather than infrastructure. A “kinetic” action in the netherworld of cyberspace would be like exploding a bomb underwater – a certain dud.

Rather, equate it, if you will, to the art of counterintelligence, where no asset, living or otherwise, is trusted and all interfaces are assumed to be compromised. Every cyber-attack, even the most crippling, has the hallmark of an intelligence operation. There’s reconnaissance, exploitation, persistence and the penultimate objective, which could be exfiltration or sabotage. However, this attainment of the objective is merely the finale of an elaborate act that leaves tell-tale signs. That’s how it works.

So divergent are the dynamics, the dimensionality and causality of this conflict that the US Department of Defense had to think about creating a new humanities discourse – called the Explorations in Cyber International Relations – to understand its geopolitical potential.

Allow me to explain.

As a team leader investigating cyber-espionage of the Prime Minister’s Office in 2009, the certainty of it being a Chinese operation, even if the communications originated from there, was a rudimentary statistical calculation, highly subjective by any measure. But due to the paucity of time and resources, that’s the best we could come up with. Imagine the impact such uncertainty would have on statecraft.

The then National Security Advisor gave a rare interview to the media, days before retirement, talking about PDFs, botnets and the rest of the technobabble derailing the visit of the Chinese Premier. That’s the beauty and horror of asymmetricity.

There are only a couple of ways for reliable attribution. You tap and backdoor the core of the Internet like the NSA does, fusing it with the full spectrum of intelligence gathering. You engage in offensive defence, launching counterattacks on adversary’s command-and-control. Or you wait for their OPSEC (operations security) measures to fail and leak some clues. How would the institutions habitual of waging doctrinal warfare survive amidst such crudity?

My repartee at the MEA concluded with the invocation of a negative utopia, kind of like what Aldous Huxley imagined in Brave New World. I was hired to undertake offensive operations in the government, but so engrossing was the effort to protect our national assets in the first place that I spent the majority of time in counterintelligence. I even experienced a subliminal and perverted form of politicisation of cyberspace.

While containing an infection on the National Security Advisor’s personal laptop, I witnessed that the malicious traffic headed towards the botnet’s mother ship was actually getting redirected to a Canadian university. A compromised computer is called a bot. A host of them falling prey to the same espionage operation would form a botnet. It is generally managed by the perpetrator through a handful of peering servers acting as the Command-and-Control (C&C). In that specific case, the C&C was a domain ending with “.net”. The American company Verisign manages the registry for this suffix globally. If a domain is abused, the company has the discretion to hand over its control to a third party for investigation – a simple technique called sinkholing. Yet, despite our repeated requests, they didn’t provide us the control; rather they sinkholed it for a Canadian research group.

The memories of that encounter have enforced a belief in me that aggressive multilateralism, and not neutrality, is the way to move forward in cyber diplomacy – a bunch of Davids stacking up against the Goliath to form a Non-Aligned Cyberspace. That’s my ambitious proposition, submitted as a foreign policy brief to the MEA.

Aggressive multilateralism, and not neutrality, is the way to move forward in cyber diplomacy. (Photo: iStockphoto)
Aggressive multilateralism, and not neutrality, is the way to move forward in cyber diplomacy. (Photo: iStockphoto)

Export Control and Technology Transfer Restrictions

Then there’s the leaking umbrella of export control and restriction on technology transfer so loved by the hawks and the think tanks. Phil Zimmerman, the Prometheus of privacy who brought strong encryption to the common masses by creating Pretty Good Privacy, was criminally charged by the US government in 1995 for violating the Arms Export Control Act. Up until recently, ciphers beyond a certain strength were deemed as munitions by the American law at the NSA’s bidding, since computing capacity to crack them wasn’t readily available. It sparked a huge digital civil liberties debate, back in the halcyon days when the cyberpunk counterculture was still alive and kicking (I called it Hackers Sans Frontières). Dubbed as the “classic example of civil disobedience”, activists printed the banned algorithms on their t-shirts, exiting the airports in plain sight to speak at international hacker conferences. Veritably so, Zimmerman was inducted into the Internet Hall of Fame. Even the first widely-used web browser, the Netscape Navigator, had to create a separation edition of the software with weak encryption measures for international users.

The US courts have regularly panned the NSA on myopic export control since then.

In fact, statist technology restrictions have failed so ridiculously that they have only ended up making the cyberspace secure and the hackers resolute.

Take the case of the fabled Technology Alert List (TAL). The US Department of State maintains a classified list of technology skillsets that are deemed threatening to national security. The only way to know what’s on it is by applying for a US visa, like I did for an interview with Microsoft at Redmond.

The very mention of my profession as a cybersecurity professional threw the whole process off-track. The passport went into “advanced processing”. It took me three months to retrieve it, for a visit that was meant to last for only a couple of days.

The contents, modalities and updates to TAL are classified as well, and the focus seems squarely on the “state sponsors of terrorism”. Some chatter on online forums made the mention of the archaic Comprehensive Test Ban Treaty and India’s refusal to sign it leading to our inclusion into the infamous club (a vague childhood memory of the state media of our pre-liberalised country chest thumping the decision). We know how the anticipated additionof cyberweaponry to the Wassenaar Arrangement, an international arms control treaty, is going to end up: As another blooper of the military minded.

Jargon is the Refuge of the Clueless Punditry

To critically understand how the American establishment has fumbled its way to a nuanced posture on “cyber deterrence”, deconstruct its discourse over the last two decades. In 2012, Secretary of Defence Leon Panettaproposed the use of military force to retaliate against a cyber-attack. Experts hailed it as the breaking of the “kinetic barrier” in cyberspace. But it reminded me of goofy American generals like Curtis LeMay back then, who tried applying strategic conventionality to deal with emerging asymmetric threats, vowing to bomb a computer to the Stone Age. The tenor is much restrained and simplistic now, evident in Obama’s Cybersecurity National Action Plan (CNAP) released last week and NATO’s charter on cyber defence. There’s a hint that the US has at least publicly forgone the idea of a neutral cyberspace.

For a free market economy, it takes a lot of gumption to promote the Cybersecurity Information Sharing Act, uniting the public and private sectors in a massive cybersecurity metadata sharing program, bound to have commercial implications in the most profitable sector of technology trade. Rick Howard, the Chief Security Officer of Palo Alto Networks, rebutted the think tank jesters clamouring for deterrence once again after CNAP, with the following sublimity:

Just because you hit back hard in cyberspace does not mean that the target of your aggression immediately decides to choose a new career. Instead, those adversaries are most likely to redouble their efforts against you. This will escalate. Unless we are prepared to bring the world to its knees, I suggest that there may be other ideas.

Howard’s firm was praised by Obama as he signed the executive order to institutionalise sectoral cyber intelligence sharing after a damning breach of its most sensitive database from the Office of Personnel Management.

The larger conclusion to be derived from it is that jargon like cyber deterrence and export control is the refuge of the clueless punditry that refuses to accept that their pedagogy is too outdated for the times.

Having understood that which India perceives as the strategic horizon could be an abyssal precipice – our own digital Vietnam, Afghanistan or Pearl Harbour – let me touch upon a raw nerve here. On the denial of the establishment, the scientific community, the thought leaders and those collectives who front India, Inc. On the deliberate confusion created by certain vested interests to cash in on cyber. On the existential threat that has stripped and bared our knowledge economy. These are not mere anecdotes but devilish whispers beside the ear of a nation, lulling it to sleep, while I remain sleepless.

Zero Days, a documentary released last week at the Berlin International Film Festival, has some new operational revelations on Stuxnet, the US-Israeli worm that sabotaged Iranian nuclear centrifuges. It rekindles my old grudge against the German contractor Siemens, the betrayal of its India office and how the corporates choose to become pliable accessories of war.

It’s a well-known fact that Siemens bent over backwards to share the vulnerabilities with the US that were later exploited by Stuxnet. Zero Days disclosed that the worm went out of control, spreading to more networks than it ought to, because of Israeli callousness. Little known is the fact that its third largest infection was in India, compromising many of our industrial control systems. I wrote the report for the government back then.

A single Excel sheet containing the list of compromised Indian systems was transformed into an extensive dossier that became the wake-up call for the country to inventory and assess its Critical Information Infrastructure.

It led to the creation of a constitutional body, the single-most important government entity on cybersecurity ever, the National Critical Information Infrastructure Protection Centre, now struggling under a floundering leadership.

But I get heartburn remembering that when we wrote a letter to Siemens India, seeking the details of local organisations to whom the vulnerable software was sold, they flat out refused to share. Be mindful that this software generally handles extremely sensitive automation functions of oil, gas, power, transportation and other vital sectors. It’s another matter that the company pleaded deniability for the Stuxnet subterfuge. However, the way it handled the response was not only pathetic but detrimental to our national security. I still wonder whether the vulnerable organisations were ever notified.

Wouldn’t it be justified to summon the vendor to a parliamentary committee or impose liabilities for a possible clean-up exercise otherwise costing hundreds of crores, as it was the oversight of Siemens that left India defenceless? That was my policy pipe dream: To hold the co-opted foreign firms accountable.

Where India Stands Right Now

It should be permanently etched in the collective consciousness of our country that the multinational technology vendors have signed up for their respective unilateral cyberwars. They are the fronts, the platform for machinations, intrigue and betrayal. I would not fail to repeat this feverishly at every given chance.

While it should form the basis of another article, but the very harbingers of information security and privacy like Nasscom and the Data Security Council of India are tacitly guilty of ignorance, if not siding with the rogues. In this litany, let me also make a brief mention of hallowed Cisco to weed out the last iota of doubt that this is an all-out war. Since last September, I have been chasing a University of Michigan team that scanned the complete IP address space to look for the presence of an “implant” on Cisco routers that was covertly redirecting traffic to a third party – a badly kept secret that it was one of the orchestrations from the NSA’s global surveillance program. India was a prominent target.

I shudder to think about the motivation behind it and the kind of networks it might have infiltrated.

Whether any Indian agency officially approached the team at Michigan, I am not sure. Was there an assessment of the kind of data that might have gone out is left to the imagination of the reader. But one thing is for certain: Cisco acted as the henchman. It is inevitable that such backdoors would soon fall into the wrong hands. Developing countries like Brazil have perceived the existential threat that such duplicitous vendors pose.

This is particularly alarming when our very first cybersecurity czar isreported to have approached foreign companies for national cyber defence. When the messages get so lost in translation, completely muddling up till they reach to the top, that even “cyber terror” is put in the same basket as cybersecurity, then one starts questioning the need for a policy structure that revolves around a single man.

So, this is where India stands right now. While the war wages on, we prefer to shoot in the dark. And a bit like the protagonist of the film Interstellar, helplessly stuck in the warp of a black hole, I stare at the phantasmagoric cyberspace whose relativity extends beyond time and space, witnessing the wasted future of a nation, a future that paradoxically never was.

Written by Pukhraj Singh