Thursday, July 26, 2012

Preparing for Cyberwar - A National Perspective


Commander Mukesh Saini (Retd.)

On November 12th, 2011 Maj. Gen. Moghaddam, the "architect" of Iran's missile program, was showing a new type of warhead for nuclear weapon capable missile Sejil 2, to a group of experts for their comments, at a site about 50 Kms from Tehran. Warhead was connected to computer for simulation which was being watched on a big screen. And instead of simulation the actual warhead went off pulverising the site. Explosion was so powerful that it could be heard in Tehran. Initially Iranian government refused to accept that there was any such explosion however later conceded that in the explosion 17 officers of Revolutionary Guards have lost lives (though 36 funerals took place). Explosion was so powerful that no one was alive to narrate the incident and nothing was left at the site to provide evidence. Revolutionary Guards (IRGC) investigation pointed at two probabilities; (a) infiltration by a Mossad operative or (b) computer controlling the missile was infected with Stuxnet (like) worm. The second probability was considered much more likely after two well-known cyber infiltrations using Stuxnet and Duqu to stall Iran’s nuclear ambition. Probably this incident is historic as for the first time cyber weapon was used to cause real world explosion or kinetic attack. (Israel Insider, 2011)

Introduction

Cyberspace has changed many old concepts. In this globalised world everyone is neighbour of other. There is no established concept of boundaries. Identification of targets and what is under threat or need to be attacked in case of Cyberwar is important to segregate the facet of Cyberwar from wars using other form of attacks on ground, air and as Sea. What needs to be secured is what needs protection. Therefore definition of Cyber security will give fair idea about the scope of Cyberwar and its targets. The Information Technology Act 2000 (India) defines Cyber Security which means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Richard A. Clark in his book Cyber War defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption. However things are not as simplistic and materialist but a game of mind and perception also.

To understand the real meaning of Cyberwar, it is necessary to understand the meaning of War and its import on governance and diplomacy. The British Parliamentary Committee in its report after Iraq war noted that “War” is a term that has both popular and legal connotations. Colloquially, “war” embraces conflicts between the armed forces of states and, occasionally, major internal conflicts such as the British or American Civil wars. “War” as a legal institution is a feature of both international and national law. In international law, the distinguishing characteristic of “war” is the legal equality of the belligerents and the special status of those states not taking part in the conflict (“neutral” states). The condition of “war” could be brought about by a declaration of war but one was not necessary (nor, where there was a declaration of war, were hostilities inevitable). Additionally, states could choose to regard a conflict between them as “war” and apply the legal rules accordingly, or neutrals could insist on respect for their rights. “War” as an institution of domestic law did require a declaration, made in the Monarch’s name but by the Prime Minister, acting under the prerogative. This action triggered domestic consequences—nationals of the opponent state became “enemy aliens”, liable to measures of restraint including detention. Property of enemy aliens was liable to seizure. Statute provided for emergency measures—for the call up of troops, the sequestration of property and so on. (Constitution, 27 July 2006)

To fit this definition of War the only Operation Orchard fits the bill were Air Defence System of Syria was made ineffective by Israel during their attack on alleged nuclear plant of Syria. In all other cases be it cyber-attack on Estonia, Georgia or Operations Titan Rain, Night Dragon Shady Rats etc may not be termed as the acts of war. The case of explosion at Iran’s missile site lacks affirmation and evidence.

War has International Ramifications

Various international laws and treaties especially of Paris and also Charter of United Nations prohibit use of threat or use of force in international relations. Prior to these developments post 1945, declaration of war was a standard practice, but today no one officially declares war to the international community. This is nothing but just masking because internally a nation state has to declare war, whether limited in scope or a full-fledged war. This is necessary to activate appropriate structures; authorisation to force commanders to use Rules of Engagement (R.o.E) for ‘conflict’; activate provisions of War-Book; freezing of assets of enemy aliens; mobilisation of resources; suspension of local laws against the enlisted personnel engaged in war; and even enforcing ‘Emergency’ in the country. Thus a war whether declared or otherwise is a ‘structured-response’ to a conflict which is expected to result in subjugating the enemy to the will of a nation.

National Information Security Policy & Doctrine of Cyberwar

It is necessary to define what would constitute an “attack” serious enough to precipitate into military counter offensive. It is necessary to define this line in an open stated policy, so that in case of any military retaliation, the international community can be with India. However defining this Lakshman Rekha is not easy. If the threshold is kept too law then breaches will be norm and finding exception where counter offensive becomes necessary in a transparent manner would be difficult. If the threshold is kept too high then nation can be bled by thousand wounds rather than massive attack and no formal retaliatory force can be used.

Another challenge is attribution. Cyber-attack may appear to be originated from one or multiple countries but actual culprit may be a third country. Recently in April 2012, National Informatics Centre has told the press that some unknown third country has used its servers to attack other countries including China. (Joseph, 2011) This statement had two immediate adverse effects on our cyber war preparedness, firstly it has exposed our vulnerabilities that we do not have sufficient capacity to identify originating country despite servers and logs are under our control and secondly it has provided a perfect alibi to our enemies to attack us and deny ownership of such attacks. Can we now blame China for attacks on Indian cyberspace?

Thus attribution is critical for appropriate response. In fact noting this fact, Annual Report 2011-2012 by Intelligence and Senator Committee of UK has termed cyber attack as a ‘Tier One threat to UK and has direct to government to inter-alia develop capabilities of cyber-attack without detection ( or at least without attribution). The UK government has been allocation of funds equivalent to Rs. 5720 Crores over next 3 years for National Cyber Security Program to prepare for cyber-attack. The committee has also advised the intelligence agencies to not to use such technologies against own citizens except with specific approval. (Intelligence and Security Committee, UK, 2012)
In 2005, after 2 years of extensive deliberations between 21 ministry/departments of the government and industry confederations, National Information Board under NSA Sh. JN Dixit had approved the draft National Information Security Policy (NISP), it is yet to be approved by the government. In the mean while Department of Electronics & IT drafted another NISP (apparently without wider consultation) and sought public opinion in 2011. Nothing has been heard of new NISP since then. Due to this intervening period on this front we moved from leader to laggard. Without such policy defining Information Warfare Doctrine for nation (not a doctrine by Armed forces) will be distant dream. Therefore to fight as well defend against future cyber-attacks, it is paramount that a good quality and well consulted over-arching NISP is finalized and formally declared. And based on this IW Doctrine for India (inclusive of Intelligence Services as well as private sector) be developed.

Amendment to National War book

Once as a policy India declares the existence of cyber war and its contours, and also develop cyber war doctrine, the war book required to be amended accordingly. The role and responsibility required to analyze and articulated to prevent confusion and fratricide at the time of war. It is also essential for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify as how to maintain no-contact cyber war and when the government decide to go for full-contact or partial-contact war then how cyber war will be integrated to meet overall war objectives. The war is the only place which mandates the change in command and control structure and transfer of certain powers to military. It is the war-book which will clarify the intra-government relationship and any failure to do so can lead to turf war and chaos at the time of crisis.

Rule of Engagement

The offensive Cyber operations by the enemy will be swift and paralyzing. Therefore central control of conduct of cyber war may not be the good idea. It is necessary to define as unambiguously as possible Rule of Engagement for cyber warriors (whether uniformed or militia). Uncontrolled offensive can not only hurt in retaliatory fire against unplanned defensive measures but also can isolate us in community of nations. The role of diplomatic cadre can therefore never to be underestimated in events leading up to full scale cyber war. The National Internet Exchange (NIXI) is up and running to defend our intra-India Internet in case of worst situation, isolation but poor defensive mechanism, lack of capacity can paralyze us and can cause loss of our will to fight back. Therefore it is necessary to coordinate not only with in the government and armed forces but also with private sector as well as patriotic hackers outside the government and RoE for everyone should be articulated. While preparing RoE the issues highlighted in following paragraphs must be addressed.

According to RoE of most of the Armed Forces of the world, Line of Communication and nodes which directly or indirectly supports military operations of belligerent nations are valid military targets. By this Rule of Engagement all telecommunication and internet service providers are legitimate targets during any Cyber war. However when the Hague rule (1923) of Air warfare article 24(2) was prepared the dependency of life of masses on communication structures was not as heavy as it is today. Not even at the time when in 1956 New Delhi Draft rules were prepared, which clearly established that “The objectives belonging to the following categories are those considered to be of generally recognized military importance: ... (7) The installations of broadcasting and television stations; telephone and telegraph exchanges of fundamental military importance.” there was no Internet. Now technically it is possible to mount unbearable misery on masses through attacking on Critical Information Infrastructure. The question is that if such an attack is undertaken, will it amount to war-crime?

While dealing with IHL /LOAC, the British Parliamentary Committee felt, “The situation is different, however, in the case of breaches of IHL. The Minister of State for the armed forces told us that “once a conflict actually begins, whatever the legal basis for this participation, it is conduct by all participants as required by the body of law in rules known as the International Humanitarian Law. The four Geneva Conventions of 1949 are a part of that IHL. The United Kingdom is also bound by a number of other conventions and protocols, such as the first additional protocol to the Geneva Conventions ... Those are not our laws. We apply them. Those have been defined elsewhere and we simply live within them, so to speak”. Mr. Ingram added that “all of our personnel are so trained in understanding the basis upon which they are having to conduct themselves in a conflict situation and it is very much part of the whole training process”. Individuals (and in some cases their commanders) suspected of violations of IHL such as killing prisoners of war, the ill-treatment of detainees in occupied territory or the use of prohibited weapons must be considered for prosecution in national courts. The Government has said, in the context of the ICC, that all allegations of this kind would be stringently investigated and, where appropriate, criminal proceedings instigated. This duty, which mainly derives from the Geneva Conventions, has gained in importance following the United Kingdom’s acceptance of the Statute of the ICC. The prosecution of those alleged to be responsible for serious violations of IHL is within the jurisdiction of the ICC, but only where the proceedings in national law have been unsatisfactory or non-existent. The Government’s position has been that there will never be prosecutions against British servicemen before the ICC because there always will be adequate national investigations, followed, where required, by prosecutions. (Constitution, 27 July 2006)

Need for Coordination and Control

The cyber-attack on Iran in form of Stuxnet, Duqu and Flamer are just peek into the future. US President has repeatedly stated that cyber-attacks are most serious economic and national security challenge that America faces. To meet this challenge US has introduced Cyber security Act 2012 in Senate on 20th July 2012. (BBC, 2012). US conducts exercise ‘Cyber Strom’ every alternate year. NATO, Australia and many European countries undertake extensive cyber security exercises to improve command, control and coordination. A formal Cyber command and control structures have been established in most of the first world countries and China.

Unlike military war, the non-state actors such as terrorist organization, large corporate houses, hacktivist, cyber privateer and cyber insurgents have capacity and will to take on nation states. Wikileaks, Anon, Luzesec were some of the non-state players who have challenged the might on nations including the United States of America. Large organizations such as Intel, Microsoft, Huawei, etc can also play role to support their respective government. In case of ‘Flamer’ virus original Microsoft Digital Signature was misused. (Adhikari, 2012; Adhikari, 2012).

It is myth that hackers will win or lose the cyber war. Hackers (with due respect) are just foot soldiers, and wars are fought by General who are visionary, know their forces, understand enemy forces as well as mind of their commander, can coordinate with other wings of the government and first of all finest leader who draws respect from his soldiers (Hackers).

In India we are yet to formally recognize the dangers, not because it is not so recognized in the power circle but just because it is so recognized as one of the most powerful tool that everyone wants to play the lead role and turf war has broken out. Institute of Defence Studies and Analyses has attempted to give some course correction to this rudderless situation through its recently released book ‘India’s Cyber Security Challenges’. (IDSA, 2012; IDSA Task Force, March 2012) However overall paralysis is continuing and well planned structure such as CERT-IN, NTRO and NSCS are being consistently undermined. It is therefore necessary the National Information Board (a board of score of secretary ranked officer) be resuscitated and board meeting be held at least every quarter till things stabilise and we as nation become competent to defend our cyberspace.

Role of Defence Forces

Role of defence forces in case of Cyber war is limited. They are required to protect only its own domain and at the most government domain such as .gov.in, .mil.gov.in, army.in etc. But if this control is not practiced in peace time same cannot be undertaken in war time. In fact probably intelligence agencies and CERTs are better positioned to take on such tasks. However IHL and LOAC neither cover nor envisaged to cover the activities of Intelligence agencies. Similarly for offensive operations, intelligence agencies that had undertaken surveillance of enemy networks and probably placed backdoors and spybots in the target network may be more suitable for offensive action. For example if National Security Agency of US have deployed the launch pads of cyber weapons then NSA alone will be in better position to arm and launch cyber weapons from these pads. In case of Duqu probably some intelligence agency was controlling the Command & Control centres of Duqu. Non applicability of IHL / LOAC on such agencies is a glaring flaw in scheme of things for containing any Cyberwar. And also launching Cyberwar on other nation without adequately protecting own cyberspace will be similar to MAD (Mutually Assured Destruction / Disruption) of nuclear war.

Cyberwar also challenges some of the basic tenet of armed conflict. What is use of fighting personnel to wear uniform when the opposing forces are not going to be physically present in front of each other? How would belligerent forces know that attacking party is enlisted or a civilian? Suppose all major data of one of the belligerent nations are encrypted and made unusable, will the data which may be very vital for the survival of the population amount to prisoner-of-war? If collision of train takes place due to intentional malfunctioning of signalling system leading to death of masses, will it amount to War Crime?

Conclusion

War is serious matter which involves lives of all citizens. Even if external declaration of war has become redundant, this is required internally to divert resources for fighting the war. When war get (internally) declared there are changes in organisational structure of governance; War Book comes into force; Rules of Engagement changes; financial allocation made; civilian criminal laws stand suspended for actions taken in pursuance of war; and National Emergency may be declared. These are too profound changes which cannot be taken lightly. Therefore every cyber-attack does not amount to cyber war. Involvement of defence forces along with enlisting of hackers and allocation of cyber-targets for proper coordination is required. The international treaties and conventions such as IHL and LOAC come into force. Wars are not limited to action on ground but diplomatic struggle also begins. Non-state actors have the ability to stand winnable chance against a nation state. Therefore it recommended that Cyberwar be looked at with all seriousness and following steps should be take-up in double quick time to prepare our nation for Cyberwar:

a. Declare National Information Security Policy after wide consultation with all stake holders. Such policy should be as much as possible technology neutral, overarching and long lasting;

b. Evolve Cyber warfare doctrine and develop capacity to implement such doctrine;

c. Modify National War-Book to include this new form of war and its peculiar characteristics such as no-contact war and role of non-actors;

d. Define Rule-of-engagement for Cyberwar to prevent unintended escalation of war and unintended Human Rights violations;

e. Establish command and control structures for efficient and effective conduct of Cyberwar and prevent turf war within during the period of crisis.

f. And to do all this and much more, National Information Board should meet at frequent interval; else Cabinet Committee on Security should find an alternative.

Bibliography

Adhikari, R., 2012. Flame Singes Microsoft Security Certificates. [Online]
Available at: http://www.technewsworld.com/story/75289.html [Accessed 20 June 2012].

BBC, 2012. News Technology. [Online]
Available at: http://www.bbc.co.uk/news/technology-18928854 [Accessed 21 July 2012].

Constitution, S. C. o. t., 27 July 2006. Waging war: Parliament's role and responsibility Volume I: Report,London: HOUSE OF LORDS.
Hague Convention V, 18 October 1907. Hague Convention V. [Online]
Available athttp://avalon.law.yale.edu/20th century/hague05.asp [Accessed 05 May 2012].

IDSA Task Force, March 2012. India's Cyber Security Challenges, New Delhi: Institute of Defence Studies and Aanlysis. IDSA, 2012. India's Cyber Security Challenge. First ed. New Delhi: IDSA.

Intel Technology Brief , 2011. Protect Laptops and Data with Intel® Anti-Theft Technology. [Online] Available at: http://www.intel.com/technology/anti-theft/anti-theft-tech-brief.pdf [Accessed 24 May 2012].

Intelligence and Security Commitee, UK, 2012. Annual Report 2011-2012, London: Controller of Her Majesty's Stationery Office.
Israel Insider, 2011. Suspicion in Iran that Stuxnet caused Revolutionary Guards base explosions. [Online]

Joseph, J., 2011. Govt servers used for cyber attacks on China, other countries' networks. [Online] Available at: http://timesofindia.indiatimes.com/tech/news/internet/Govt-servers-used-for-cyber- attacks-on-China-other-countries-networks/articleshow/10760699.cms [Accessed 24 July 2012].

Quintin, K. J. a. A., 18 November 2011. The Internet in Bello: Cyber War Law, Ethics & Policy. Berkeley, UC Berkeley School of Law.

No comments:

Post a Comment