‘Need to understand cyber threats before fighting them’

At IEThinc, experts discuss emerging threats to national security in the fast-changing digital world.

Written by Sushant Singh | Published: December 5, 2017 1:55 am
(From left to right) Sushant Singh, Associate Editor, The Indian Express; Lieutenant General D S Hooda (retd), former Northern Army Commander; Sanjeev Tripathi, former Chief, R&AW; Abhinav Kumar, IG Operations, Western Command, BSF Chandigarh; and Sandesh Anand, Cyber Security Consultant, Synopsys Inc at the IEThinc event on ‘National Security and the Growing Threat from Cyber Space’ in New Delhi. (Express Photo: Praveen Khanna)

The confluence of national security and cyberspace is a dark area. A panel of experts — comprising Abhinav Kumar, IG Operations, Western Command, BSF Chandigarh; Sanjeev Tripathi, former chief, R&AW; Lt Gen. D S Hooda (retd), former Northern Army Commander; and Sandesh Anand, Cyber Security Consultant, Synopsys Inc — discussed the implications and challenges it poses. The discussion was moderated by Sushant Singh, Associate Editor, The Indian Express. Edited excerpts:

What exactly does cybersecurity/ cyberspace mean? How has the nature of cybersecurity changed in India? What is the future trajectory and vulnerabilities?

Sandesh: We often joke that we should stop calling it cyber and start calling it cider, as none of us know the actual history behind it; where the word came from. I think the commonly accepted definition of cybersecurity is any information that you store or use in a digital format. It could be a social media profile, a website a company runs and a database of the information the government has, among others. When you have this information stored, the process of securing it could be loosely called cybersecurity. The threats can come from many different places. We need to understand who are these people that are a threat to us. I want to classify the threats into three or four broad categories. There are many ways of categorisation. The way I will do it today is by motivation of the so-called hackers. In the technical world, the first is the script kiddie amateurs or curious individuals who spend time on the internet and are not a threat to the nation but they may become dangerous. The second category is that of actual cybercriminals. They have criminal motives to cause financial fraud or personality damage and make profit out of it. The third are the hacktivists or people with a message and a political viewpoint, and the way they propagate their viewpoints is through breaching security of various organisations. Fourth is nation-states trying to further their agenda using cyber attacks. With Brexit, the definition of cyberattacks has gone up. When we spoke of the Stuxnet virus, a few years ago, it was hardcore subverting of technical systems to gain information. But what happened in the US elections last year is influencing voters’ minds to change voting behaviour.

The internet we use is some software being used by someone. Traditionally, the way software was used is to develop it or to outsource your development activity to a company and they would write the software for you. The way the world has moved over 5-7 years is about 80 per cent of the source code that is being used on your website is not actually written by you. It could be a third-party software or an open source, as we do not know the owner of it or piggybacking on another person’s software.

Radicalisation from cyberspace remains a big challenge for societies like India, particularly with the onset of digital tools, as boundaries of national security have completely collapsed. But radicalisation has been a threat to India even earlier, as the hardware and software would be nothing without the human-ware. As someone who has dealt with it at very close quarters, how does radicalisation work in India? How should we view the role of the internet in it, and how do we view the possibility of cooperating with other countries or global internet giants to deal with this problem?

Tripathi: In the last 15-20 years, with the IT revolution, the pace of radicalisation has increased by leaps and bounds. Earlier, it was confined to a particular segment of poor people in rural areas, now propagation of ideology through social media is expanded to urban areas and educated Muslim youth are getting affected. It gained momentum after the US action in collusion with Pakistan to counter Soviet influence in Afghanistan and US action with NATO allies in Iraq, Syria and Libya. While the action in Afghanistan led to the formation of Taliban, that strengthened Al-Qaeda, the dismantling of Saddam regime in Iraq and weakening of the Assad regime in Syria led to the rise of ISIS. Strangely and subsequently, the US had to take military action in Afghanistan to overthrow them, marginalising Al-Qaeda and killing their leader. And also in Iraq and Syria, they are fighting against the ISIS. The rise of ISIS and Al-Qaeda should be seen in a wider perspective as growth of radical Islamic ideology or jihadi terrorists in different parts of the world. Various jihadi groups have similar ideologies and common objectives such as Boko Haram in Nigeria, Al Shabab in Somalia, Jemaah Islamiya in Indonesia, TTP in Pakistan and Abu Sayyaf group etc. They have to be defeated militarily, financing needs to be checked, they are using latest means of communication which should be checked by intelligence organisations.

How do you view the threat from cyber to national security? How vulnerable is India?

Hooda: The threat is very serious. In 2007, Estonia as the whole country had to be electronically shut down, Russia and Ukraine is a classic example of how you make use of cyber warfare. Misinformation, propaganda. Russia annexed Crimea leaving NATO and the US confused about what their response should be. Another dimension is that we can take measures only if we understand the complete nature of the threat. I think we are looking at it mostly in one part, cyber crimes/espionage, protecting critical assets, power, banking system but the part we need to look at is human part. Every time we are connected via internet, a lot of data is being collected about us. It is expedited as the cost of storing data is halved every 15 months. For instance, in 2011, there was an Austrian law student, namely Max Schrems. He asked Facebook for all his personal data that was stored about him. So, a legal battle ensued, but the EU lost it. He was given a CD with 1,200 pages of PDF, that’s the kind of data that is being stored about all of us by Google, Amazon and FB. You say, how can one look at such huge amounts of data and that is where machine learning comes in. It uses and analyses this data properly. It’s called psychographic profiling. So the governments and commercial companies know everything about you — preference, ideological leanings, friends, relatives and children, among others. In India, we have no control over data. There are no privacy laws and you don’t own your data. Google and FB are the owners and they can use it anywhere in the world without paying any royalty. For a legal problem, a court in California has to be accessed is the clause given. That’s one area we need to look at when we talk of cyberspace and national security. It is here that individual security intersects with the security of a nation.

Taking on from where Gen Hooda left, maintenance of law and order, internal security threats are increasingly emanating from cyber tools. You are in Chandigarh; you saw what happened in the Baba Ram Rahim case. And it goes pure hackers as Sandesh said. We also have the Russian example and I was astonished to learn of 2 fake profiles created to organise actual protests in the US where people came out and protested for 2 different ideologies. As Gen Hooda said, is this a growing danger in India? The external meddling influencing Indian politics? Spreading socio-economic disaffection and as a senior police official, what is the conversation? What is the discussion on the subject? Among peers, how are you looking at critical, social and economic subversion among communities?

Kumar: The fact that cyber space will be any less dysfunctional than the real world is a misplaced expectation. Cyber space is going to be a mirror of the real world with all its warts, fissures and all. We should be prepared for that. On threat related to the cybersecurity, the first question in my mind is what is its analogue in the real world. When you have ransomware, what is its counterpart in the real world. Similarly, impersonation, theft, robbery, or using cyber tools to influence elections or political opinion… step back a bit. Do we think it did not happen earlier? I think not. Right through the 50s & 60s during the height of cold war, the game was played using different tools. Now, it is being played with digital tools. I see cybercrime as a sub-set of cybersecurity, which, I believe, is a larger issue. Police forces across the country are struggling to adapt. It is not going to happen overnight. We need a radical change in the way we recruit & train our forces if we want to meaningfully counter the threat of cybercrime and cyber security. Also, I think without serious investment in basic policing, I don’t think cyber policing or cutting-edge policing would succeed. Lot of capacity building in basic policing is needed.

Although you say that there are parallels about what has happened in the physical world, there are defining characteristics why those parallels fail at certain points. One is sovereignty issues. Companies that are operating may not be under the nation’s sovereignty, as physical contact is not required. Secondly, the accelerated speed at which information travels. Example of Kashmir after Burhan Wani’s death is due to the speed at which information travels, which is not happening in the real world. So, with these changes, what are the kind of systems, institutional changes that police would require to tackle this situation?

Kumar: Almost all police forces have set up cyber crime cells at least at the headquarters level. Slowly, the more progressive police, especially in the southern states, are rolling out cybercrime cells at district levels also. Ideally, I would like to see that all police stations have a cell like we have PCR vans attached with each station. The spread of online, internet activity, the smart phones shows it has to be integrated with mainstream policing.

Tripathi: Many of these things have been happening from earlier times like cyber operations. Now, better tools are available which are being used. For example, dismantling of USSR was done by cyber operations only. Similarly, growth of radical ideology was happening earlier too but now with better tools, the interested parties are making better use than the authorities to counter that.

Is shutting down internet the only response? Darjeeling, 45 days? Kashmir, 30 days? And India is No. 1 for international shutdowns in the last three years. Is this the only response the establishment has?

Tripathi: I don’t think it should be. There should be a counter-narrative available. It should not appear as a government propaganda.

Hooda: The internet shutdowns, I think the problem is that we have not been able to develop a counter-narrative. So, social media is used to spread all kinds of anti-government, anti-security forces propaganda to mobilise crowd.

When you were in Kashmir, when all these incidents were happening, were you recommending the shutdowns in time? And what was the role of cybercrimes in radicalisation and spreading violence in Kashmir in real terms?

Hooda: The classic case is of Burhan Wani, an absolute creation of the social media. I don’t think he had committed a single crime. But on social media, the way his messages were sent out he became such a big hero that his death led to one of the biggest protests in Kashmir in recent times. So, you see that happening with other terrorists today. Zakir Musa, for example. Every time he gives a 3-4 min video message, it goes viral in the Valley.

But what can an ordinary citizen, companies, organisations and governments do to protect their technology assets? What do you recommend?

Sandesh: I will add a 4th dimension: As a society, what can we do. First of all, there is no replacing the government or state action. There are few things a citizen can do. Basic training and skill building. As we become more digital and people begin using these tools, they can be educated on how to protect data. As a citizen, the onus is on us to learn this. As informed citizens, we can demand better of our service providers. If you are using websites from your telecom providers or banks that are insecure and you know them to be insecure, please make noise about it.

Are our laws modern enough? Do we again and again need IPC or CrPC, a new Ranbir Penal Code? Is that also a problem, as you have constantly written about it?

Kumar: Experience of our police forces with IT Act has not been a happy one. We have attracted a lot of flak & most of them quite justified from civil society because of mindless application of 66A of the IT Act. I don’t think that was the original intent of the framers of the Act. I am sure they didn’t visualise some enterprising SHO wanting to curry favour with local political dispensation decides this is how I want to build my credibility of ruling party’s man. IPC is a comprehensive act in terms of dealing with a range of human behaviour. So, how to adapt it to digital world will remain a challenge. Given the proclivities & problems of grassroot policing, I would say that we need to tread carefully. There is always a demand from a section of society for tough laws for emerging problems. Nirbhaya problem we introduced death penalty, has it made any dent? I think we need to tackle digital illiteracy on a war footing. Some counties in California have introduced teaching of coding to primary class.

The Ministry of Defence has announced formation of a cyber agency, initially planned to be a cyber command. There is low moral threshold for doing cybercrime activities besides intelligence gathering, covert operations, poll warfare, low-intensity provisions. So, what role do you see? Would it be offensive capabilities the cyber division would have? What would it really do? For example, in the last scenario, where there was a Chinese threat and Pakistan threat. What would the agency do?

Hooda: Today, structurally it is required. The NTRO (National Technical Research Organisation) was mandated to look after critical infrastructure in India, less defence forces. So, it looks after everything else less defence forces. So, one is protection of critical infrastructure of MoD, the 3 services is required to be undertaken today by some agency. I think the cyber agency will do this, there is little bit of weakness here as all 3 services are individually looking at it. So, that’s the defensive part and certainly, secondly, you have to develop offensive tools to counter or carry out cyber attacks when you are threatened. There is also a larger role, cyber threats are actually a sub-set of information warfare. Tools have now changed. How you will use information, deny it to adversary, protect it, will depend on an amalgamation of intelligence agencies, government agencies, military, and that’s the ultimate role I see for the cyber command and not looking purely at cyber threats.