India in the Era of Cyber Wars

31 July 2019

Alexey Kupriyanov - PhD in History, Senior research fellow, The Institute of World Economy and International Relations (IMEMO) of the Russian Academy of Sciences, RIAC Expert

Resume: India has a solid and well-deserved reputation as one of the leaders in the global IT industry. This makes it all the more surprising that, until recently, Indian authorities had paid relatively little attention to introducing cyber technologies in the country’s governance system and using them to combat cyber threats posed by hackers acting out of personal, economic, and political motives.

A lackadaisical cyberwar

There are several reasons for this. The main factor is that India’s leadership has underestimated the scale of confrontation in cyberspace, believing that other great powers limit themselves to negligible operations that aim to collect information at best.

Serious difficulties have emerged due to the specific features of Indian governance as such; it is characterized by an extreme abundance of red tape and inertia in areas that are not considered a priority. While India’s bureaucracy exhibits its best qualities in priority areas such as ensuring the rapid concentration of resources, personnel mobilization and motivation, minimizing expenses, and a high level of oversight, thus making it possible to achieve outstanding successes with minimal expenses (India’s space program is a prime example), areas believed to be of secondary importance are plagued by chronic problems.

Until recently, cybersecurity was not one of the Indian government’s top priorities, and consequently, the relevant departments in state agencies were, as a rule, staffed residually. Since work in this area was not considered important or prestigious, employees working in IT security were paid relatively little and their in-house status was lower than that of employees working in other departments. As a result, these positions were filled with underqualified and poorly motivated people. A positive discrimination system intended to advance members of lower castes had an adverse effect in this regard; underqualified employees hired to fill the quotas were placed with cybersecurity departments.

Consequently, many agencies outsourced their cybersecurity, hiring specialized organizations to handle those matters. Since India does not have enough specialized organizations, foreign organizations were brought in, in particular, American ones, which, for obvious reasons, was not conducive to strengthening cyber protection. Since Pakistan and China were traditionally considered to be India’s principal adversaries on the cyber front, this state of affairs was considered acceptable.

The American challenge

India’s first serious attempt to respond to challenges in cybersecurity dates back to 2012. At the Munich Security Conference, Indian specialists stated they were working on creating their own microprocessors and planning to cut imports of military software, instead channeling money into domestic R&D (the share of imported military software in India is currently about 70%). Additionally, in the same year, a proposal was made to create a command and control center to monitor critical infrastructure and eliminate breaches in cybersecurity.

The next year, the situation began to change significantly. The necessary impetus came from actions of the U.S., which had previously stated on multiple occasions that it wanted to cooperate with India in cybersecurity. After 2013, when Edward Snowden publicized documents demonstrating that U.S. secret services were surveilling foreign citizens around the world, politicians in New Delhi were amazed to find out that U.S. secret services had been waging cyber warfare not only against their country’s probable adversaries, but also against countries they believed to be allies or at least friendly powers, and that included India: the NSA conducted cyber ops against India to learn more about its principal strategic and commercial interests. This revelation generated public outrage, and India hastily adopted its National Cyber Security Policy, which was developed by the Department of Electronics and Information Technology. The policy provided a clear definition of cyberspace and formulated the ultimate objective: protecting the personal information of India’s citizens as well as financial and bank information and data that are of critical significance for state governance and security against theft and cyberattacks. It required the creation of a reliable cyber ecosystem in the country and reliable work among IT systems that were being introduced on a large scale in all economic sectors; this, in turn, required creating a consistent mechanism to assess threats and risks in cybersecurity and ensuring an appropriate response. To meet the demand for the necessary personnel, plans were made to train 500,000 professionals within the next 5 years.

However, this did not happen. This is partly attributable to the fact that a year later, the Indian National Congress lost the elections, Manmohan Singh’s government resigned, and Narendra Modi’s new government focused on handling internal economic objectives. It was also partly due to the fact that there were no mechanisms to implement the program and it was clearly not feasible in such a short period.

To date, the situation has not changed. The networks of both public and private organizations are extremely vulnerable, there are no DLP systems in place, and users and administrators themselves often turn off firewall and antivirus software. It is common for IT department employees to be absent from their work stations with doors to their rooms left open. It is quite a telling fact that only 8% of Indian IT managers consider their employees to be sufficiently competent to combat threats in cybersecurity. Overall, Indian IT specialists in relevant departments spend about one-third of their work time combating cyber threats; the results, however, are still quite modest due to insufficient funding as well as a lack of qualified personnel and cutting-edge technologies. About 81% of Indian IT department heads believe that the funds their organizations allocate to combat cyber threats are not sufficient.

The situation is somewhat more optimistic in cyber offensives. Nearly all Indian secret services, including foreign intelligence and domestic security agencies, the Ministry of Home Affairs, the executive office of the National Security Advisor, and the military intelligence have departments that engage in cyber ops. Their effectiveness is hard to assess; it is known, however, that they face the same problems in ensuring cybersecurity as do other governmental agencies. Moreover, high-ranking Indian officials in general mistrust new computer technologies, including work on artificial intelligence. In May 2018, Chair of the Defence Research and Development Organisation (DRDO) S. Christopher said that particular caution should be taken when developing AI technologies since “the cure may be worse than the disease.”

The Indian defense

In July 2018, it was announced that a military agency on cybersecurity was being formed; the agency will be working in close cooperation with the executive office of the National Security Advisor (a position that was established in 2015). Plans for the agency call for providing over 1,000 experts who will ensure the cybersecurity of the military, the navy and the air force as well as conduct offensive operations in cyberspace. In the future, this agency should be transformed into a full-fledged cyber command.

The newly created body was called the Defence Cyber Agency (DCA). Rear Admiral Mohit Gupta was appointed as its commander. At present, its head and his executive office are working on developing a cyber ops doctrine. Thus far, it is hard to say how effective the DCA will be, given the traditional autonomy of the navy, the air force, and the military, which are reluctant to share operational information with each other, and the difficulties of developing their own software. A previous attempt to introduce a specialized operating system called Bharat Operating System Solutions (BOSS), which was developed by the Centre for Development of Advanced Computing, ended in failure and the Indian military was forced to go back to using Windows OS.

Given the absence of the requisite products created by governmental organizations, the Indian authorities will have to turn to private firms. Back in 2018, the Central Reserve Police Force (CRPF) and the Border Security Force (BSF) signed a contract with Innefu, a start-up headquartered in New Delhi. This company’s products had previously passed a test of sorts: the company was given about 1,500 documents, including social media profiles of protesters and posts about planned actions. Based on this data, Innefu managed to trace connections between protesters, determine the nature of their interaction, and predict possible actions very soon.

Innefu now offers a complete set of ready-to-use solutions called Prophecy. It includes several tools that monitor social media, provide big data analytics, facial recognition, and object identification, and detect faces and objects in real time.

Thus, Indian IT specialists have created a product that may be used to process massive amounts of information for the purposes of intelligence and counter-intelligence. It has already been tested: according to the Indian media, police used it to successfully prevent several protests by analyzing the social media activity of certain individuals and to find roughly 3,000 children missing in New Delhi. There are plans to complete the development of a new cybersecurity strategy by 2020; it is intended to ensure the protection of important data given the introduction of 5G technology which, according to Lt. Gen. Rajesh Pant, the National Cyber Security Coordinator on the National Security Council, will radically change the state of affairs in this regard.

A war on three fronts

Now India’s leadership has acknowledged possible threats and is developing the necessary response means that take into account the realities of cyber warfare that is being conducted without regard for existing borders and for pacts and treaties regulating military action; cyber warfare also allows states to conceal their complicity in a cyberattack against another state. The Indian authorities are paying more and more attention to conducting defensive and offensive operations in cyberspace while striving to reduce the country’s dependence on tools developed abroad and giving preference to forward-looking India-made products.

At present, Pakistan, China, and the U.S. are India’s key adversaries in cyberspace. Pakistan’s capabilities for waging cyberwar are fairly limited: as a rule, Pakistani secret services either hack the websites of Indian agencies and companies connected with the government (such operations cause relatively little damage), or they pose on the Internet as young girls wishing to meet young officers in order to recruit current employees of Indian law enforcement, military, and secret services.

China is conducting large cyber operations against India which have reached such a scale that some analysts characterize them as a full-fledged cyberwar. This war takes on various forms: from hacking Indian networks to providing various rebel groups with hosting services on China’s servers; nonetheless, the large-scale cyber ops have not prevented Beijing and New Delhi from strengthening their political and military relations.

Relations with the U.S. are complex. On the one hand, Washington publicly calls India its key partner in the Indian Ocean region; on the other hand, U.S. secret services continue to conduct cyber ops that threaten India’s national security.

Russia is one of the few great powers that has interests in the region and does not attack India in cyberspace. This is due primarily to the fact that there is no conflict between the two countries as well as Russia’s general interest in establishing cooperation with Eurasian states to form a common trade space. Thus, Russia currently has a favorable opportunity to bolster its interaction with India in this regard and conclude a cyberspace non-aggression pact and, in the future, coordinate efforts with New Delhi to this end.

RIAC
