Thursday, 23 March 2017

Pursuing coercive cyber measures against Pakistan

In order to offer a convincing defence of retaliatory cyber measures against Pakistan, India requires coordinated planning.
Likely to be among the options weighed by India’s National Security Adviser in response to Pakistan’s alleged complicity in the Uri terrorist attack is coercive cyber action. On at least one previous occasion, India has seriously considered a retaliatory attack on Pakistan’s digital networks. In theory, a cyber attack could be swift, minimise the risks of casualties, offer plausible deniability and be likely to inflict serious damage on Pakistan’s economic infrastructure. In reality, however, the picture is more complicated. Any assessment by New Delhi of this option should account for the following:
  • India’s offensive cyber capabilities,
  • The defensibility of such action under international law, and
  • The desirability of coercive cyber measures against Pakistan’s networks.

Capacity

Coercive cyber measures, like any military option, should be the culmination of extensive assessment by India of its intelligence and technical capabilities. Take, as two possible targets, the Hub Power Station in Karachi and the Karachi (now Pakistan) Stock Exchange. The Hubco plant is among the largest thermal power-generating projects in Pakistan, capable of “generating over 10% of the country’s electricity.” The KSE (now Pakistan Stock Exchange) is its premium financial trading platform. To mount a cyber attack against either installation, military planners should be supported by intelligence inputs from the ground, providing valuable information about:
  • Personnel who may (wittingly or otherwise) introduce a vulnerability into the facilities, and
  • The physical location of computers or servers which form part of the network to be infected.
Both require an assessment of the installation that goes well beyond aerial or satellite reconnaissance. Without strengthening India’s intelligence networks in Pakistan, therefore, a serious attack on its digital networks will be difficult to conceive or execute.
Then there is the matter of the “cyber weapon” itself. Not many government agencies in India, including the National Technical Research Organisation, have the in-house expertise required to build and exploit vulnerabilities that can manipulate or destroy the integrity of electronic data. India’s armed forces fare marginally better, having deployed “red teams” that do penetration testing to protect their own networks. But the military too may not be in a position to create a sophisticated cyber-weapon designed for the specific purpose of bringing down, say, Pakistan’s electricity grid.
It is worth remembering that Stuxnet was the product of an inter-agency effort involving the United States and Israel. Stuxnet owes its origins in no small part to the United States’ well-developed bug bounty programme, which invites hackers to identify vulnerabilities in operating systems and communications platforms. Having a bug bounty programme (which in the US is tightly regulated by the White House) contributes to a strategic culture that can co-opt technical expertise in India into the national security narrative. There is no reason why New Delhi should shy away from a programme for its defence and intelligence agencies, given the talented pool of computer scientists in the country. In fact, internet giants like Facebook and Google routinely rely on Indian citizens to identify fixes and flaws in their products through their own bug bounty schemes. Today, Indian agencies rely on private expertise on an ad hoc basis, or buy zero-day vulnerabilities from the ‘dark net’.
