The Counter Cyber Warfare Strategy

Published Date: 02 Nov 2017

1. Cyber security is a serious issue and the realisation is fast dawning in India too. We cannot afford to be reactive in our approach towards information security, responding to stray attacks on our information infrastructure. In an increasingly networked environment, the need is to be proactive in our approach towards securing a wired India. A national strategy on Cyber Security should issue guidelines and determine mandatory practices for government, defence, industry and individuals. Organisations in turn should be accountable with well-defined security policies, catering to their current and future requirements. This can be enforced only through compulsory computer security audits as done in the case of financial audits. Cyber Security is an ongoing process and needs constant updating of policies of technology. Even the IT Act 2000 needs updating on various issues like digital signatures and Public Key Infrastructure (PKI) to enable e-commerce transactions on the net.

2. The basic concept behind counter cyber warfare strategy would be to protect critical information infrastructure and at the same time develop a stronger offensive cyber warfare capability. But if every country aims to achieve this there could be more disorder and chaos as each nation is in the race of acquiring offensive cyber warfare capability with an aim to damage adversaries cyber infrastructure. So it could be better if India joins the world in building a stronger and reliable cyber environment. But this again would be an idealistic thought unless consensus is achieved and that is not easy. The above mentioned concept would help India achieve a secure, safe and resilient cyber space.

3. The strategic or the basic counter cyber warfare strategy has two components, first one is defensive that includes protecting India’s critical information infrastructure, which can be achieved by:-

(a) Reducing the Exposure to Cyber Risk. This can be achieved by undertaking under mentioned measures:-

(i) Avert Threat. A nation requires to curtail the capability of international as well national criminals including malicious insiders and foreign adversaries to impair, exploit, destroy or deny access to critical cyber infrastructure through implementation of national cyber security protection system.

(ii) Identify and Harden Critical Information Infrastructure. It is impossible to provide adequate protection to all information and cyber system. Identification of those critical infrastructure which is most likely to compromise national security, national economic wellbeing and national safety or health care and then take adequate measures to harden these to reduce the threat. The critical areas in the Indian context should include banking and finance (including NSE and BSE), energy (power, oil and natural gas), transportation (railways, National Highways Authority of India (NHAI), civil aviation and ports), defence, telecommunication and space (including telephone and media services) and vital public conveniences (water supply, hospital and emergency services).

(iii) Relentlessly Pursue Architectural, Operational and Technical Innovations. Effort be made to develop new ways and means to counter existing problems and find solutions to counter the security threats.

(b) Ensure Priority Response and Recovery. Unity of effort to jointly react to and speedily recover from any significant cyber incidents that is detrimental to national security or economy. There is also a need for being prepared for any contingency.

(c) Maintain Situational Awareness. Situational awareness is the key to reducing exposure to risk and ensuring priority response and recovery.

(d) Increase Resilience. It means having ability to carry out and maintain important operations in a degraded environment.

(e) Reduce Vulnerability. This can be done by designing, building and operating information and communication technology to reduce the occurrence of exploitable weakness. It means enabling technology to sense, react to and communicate changes in its security or its surroundings in a way that enhances or preserves its security posture.

(f) Training. Security is based on three aspects: people; systems and procedures. The well-proven cliché, "you are as secure as the weakest link", underscores the predicament of Cyber Security professionals. Hackers have successfully exploited the 'weakest link' and infringed some of the best-protected computer systems in the world, which include NASA, CIA, Pentagon and Microsoft. As systems and procedures are developed by people, human resources are the key to cyber-security initiatives. It is important that those operating the critical infrastructure are adequately trained to follow security measures and in case of contingency are capable of limiting and reporting the damage or loss.

(g) Legislation . India was the 12th nation in the world to legislate on cyber law, adopting an IT Act, and has also brought about amendments to the Indian Penal Code (IPC) and the Indian Evidence Act to aid in cyber crime investigation. The cyber crimes are technology driven and with changing technologies new crime needs to be addressed. The IT (Amendment) Act, 2008 which came into beingwith effect from october 2009 has special provisions for checking new form of cyber crimes like phishing, identity theft, data privacy etc. [1] However these acts provide legal framework to meet the the present generation of cyber crimes and need constant revision. The government has made efforts towards putting in place an NCSP that addresses several areas related to cyber security, particularly incident response, vulnerability management and infrastructure security.

(h) Policy. Organisations need to control their employees' access to information and this can be done only when information is clearly categorised or classified (as in the case of the military). Restricting access to the Internet and relying on isolated mainframe computers to store vital information resources are a few measures that should be incorporated in an organisation's Cyber Security policy. In the corporate sector, unfortunately, a majority of the security breaches go unreported, fearing loss of customer confidence.

(j) Technology. Customised security solutions comprising smart cards, firewalls, intrusion detection devices, encryption algorithms and biometric systems (e.g. fingerprint and retina scan) are commercially available today, albeit at a cost. While the best of firewalls can be circumvented and encryption codes cracked by hackers, technology itself cannot provide the answer to a fool-proof security system.

(k) Defence Mechanism. Information systems have many potential weaknesses, but whatever they are if they don’t operate there is a problem. It is the scale of this problem that determines the importance of such system and necessary security measures to protect it. Minimising the risk of such problem or the scale of it requires security measures that cover all the potential initiators of the problem. Here security experts tend to differentiate three main categories, although some security measures are in more than one and there is no clear definition which security measure belongs where.

(i) Physical Security. For thousands of year’s people, goods, towns or states were protected by physical security measures starting with stone walls up to nuclear bunkers. But no matter how smart or good the defense was there were always ways to get through. Therefore combination of each category is necessary to prevent the accident.

(ii) Logical Security. This is the main cyber-security battlefield where digital information is being exchanged or stored. Every security measure that is performed by a non-human device in the digital world is a member of this group. There are many sub fields which includes encryption, network security, system security, application security and security monitoring/auditing.

(iii) Organisational Security. Even if information is sealed behind the blast doors there might be a risk that somebody would open the door and let the attacker take it. That is why security procedures are in place to ensure that in case other security measures fail people would know what to do and by following procedures ensure the safety of the information. Very often in stressful situations with lack of expertise people tend to do more mistakes than ever. Procedures are there to help people do the right thing even if they don’t know what to do these guidelines would show them how to prevent the worst.

4. Defensive measures to secure own critical information infrastructure may not be adequate to prevent cyber attacks. There has to be means to deter the enemy about the similar or severe repercussion for undertaking any misadventure in the cyber domain. "History teaches us that a purely defensive posture poses significant risks… when we apply the principle of warfare to the cyber domain, as we do to sea, air, and land, we realise that the defence of the nation is best served by capabilities enabling us to take the fight to our adversaries when necessary to deter actions detrimental to our interests." [2] For India, which is acknowledged information technology giant it would not be a difficult task to possess retaliatory offensive system and it is also a well known fact that Chinese networks are very porous. [3] Point to note here is that china is equally if not more vulnerable to such attacks as it is more dependent on information systems than India. However there is a problem and the problem is of identification. As discussed earlier it is difficult to identify the source nation. The defender must not only convince itself but should also convince the world or retaliate discretely.