Must-read article on the state of Cyber readiness.
Tehelka - India is a Sitting Duck in the Cyber Battlefield
When the Stuxnet cyber attack temporarily took down the Iranian nuclear facility at Natanz in 2010, it made few waves in India. However, shocking details have now emerged that barely a few months after the computer worm created problems in Iran, critical infrastructure in India too was infected by the tactical cyber weapon developed in Israeli laboratories.
In June 2010, ONGC oil rigs using SCADA (Supervisory Control and Data Acquisition) industrial systems were found to be infected by the same worm. The oil major, whose control systems are run by ABB, didn't face an immediate threat because the worm was programmed to target Siemens systems. However, with 247 onshore production facilities, 11 offshore processing complexes, 74 drilling rigs and 7,000 wells, all run by a centralised control system, an attack could have taken out India's entire oil production for days, if not weeks.
Just a few weeks after that shocking discovery, Indian investigators also stumbled upon massive infections in a mega power project in Gujarat using SCADA systems controlling the generation and transmission network in western India. Investigators pieced together the evidence and launched a probe into other vulnerable systems that revealed facts that were too sensitive and complex to be made public. They discovered that the same attack was perfectly capable of knocking off signal and control systems on Delhi Metro's crucial links, throwing the capital's most used public transport system into chaos.
Earlier, cyber security investigative researcher Jeffrey Carr had shocked ISRO when he proved that India's INSAT 4B satellite was taken down by Stuxnet to serve Chinese business interests. On 7 July 2010, INSAT 4B's power glitch forced India's leading DTH providers such as Sun Direct, Doordarshan and Tata Teleservices to shift to ASIASAT-5, a satellite owned by the Chinese government. INSAT 4B was using the same Siemens software that was responsible for activating Stuxnet to make the Iranian nuclear facility go haywire.
Despite the fact that cyber security is being breached every day, there seems to be little urgency in devising a National Cyber Security Policy that could provide not just a security blanket against future attacks but also a framework for offensive capabilities that enables India to retaliate and launch attacks against enemy nations.
.
.
.
After the Stuxnet attack, NTRO hackers actively used 'sink holing' to trace massive infections in India. But NTRO bigwigs prematurely declared the detection as complete despite being warned by the professionals that some critical controls and commands that had been infected with Stuxnet had not been completely neutralised. "That poses a grave danger to critical infrastructure in the near future. NTRO officials did no in-depth checks on Stuxnet, which means the worm is still dormant in many important systems in the country," says ethical hacker Ginish Venkataraman.
There had been reports that Prime Minister Manmohan Singh had approved the formation of a National Cyber Command on the lines of the USCYBERCOM. But that too has not yet seen the light of day even though the gravity of attacks this year has seen an increase in intensity and frequency. Moreover, even the draft Cyber Security Policy has been dismissed as being too focussed on doing a clean-up job rather than preparing India to gain a decisive edge in the emerging field of cyber warfare.
The entire thrust of the draft is on "rapid identification, information exchange, and remediation" to thwart destabilising and malicious cyber attacks while ignoring the need to build up a credible deterrent that prevents enemies from tinkering with India's national security.
"It is like the race for nuclear warheads. Those who started early had the advantage of dictating the rules of nuclear warfare and early starters like US and Russia still hold the world's biggest nuclear arsenals," says Sreeram Chaulia, dean of Jindal School of International Affairs. "In the age of cyber warfare, those nations who start developing attack capabilities early will be in a position to prevent others from making much headway in cyber warfare. The time has come to have a cyber war doctrine with a specialised cadre that is capable of making sense of the information gathered from the servers of other nations and outfits. We need to have a two-tier structure — a group of hackers who are the foot soldiers reporting to tech-savvy bureaucrats who can think beyond a territorial mindset and know how to make sense of the intelligence provided."
The armed forces too have their own Cyber Emergency Response Teams (CERTs) but the presence of the Defence Intelligence Agency again raises the question of where the buck stops and just who is responsible for collecting and acting on virtual data. The CERTs have been unable to thwart some mind-boggling attacks on their infrastructure, according to a Canadian investigation into defence hacking titled Shadows in the Cloud.
Documents pertaining to the deployment of the 21 Artillery Brigade in Assam were exfiltrated by hackers backed by the Chinese government along with sensitive documents detailing aircraft deployment at the Indian Air Force base in Vadodara apart from sensitive details from the Air Force Station in New Delhi.
But the real shocker came when the army realised that important documents relating to Project Shakti were stolen. Project Shakti is a $300 million effort by the army to link all its artillery guns to a central command — exactly the kind of centralised operating playground that was exploited by the powers behind Stuxnet. Security experts say that details of the network would enable enemies to devise a worm or virus that would circumvent security and be used to induce malfunctions in the artillery system. Moreover, details about the Pechora missile system were stolen, apart from files relating to India's observations on the Iron Dome missile shield, which it is planning to buy from Israel.
.
.
.
Given the imminent threat, there is an urgent need to establish an agency for cyber warfare that deals not just with security but can also retaliate and initiate attacks on others. India has established itself as an IT superpower whose software firms have been instrumental in helping global corporations cut costs using cheap and skilled labour.
Tragically, India finds itself unable to get enough talented people to fill the void in its intelligence and offensive set-up in cyberspace. The failure to leverage this headstart to secure our strategic interests might only prove costly in an age where State-sponsored cyber attacks can achieve mass destruction without directly taking lives.