In present times, actual combat in war calls for the deployment of the Army, the Navy and the Air Force—the military, in short—in joint operations under a chief of defence staff (CDS), a commander superior in rank to the three service chiefs. The CDS would also be the single point of military advice to the Prime Minister. At present, India does not have a CDS.
War-readiness involves maintaining the weapons, ammunition and equipment of the military and acquiring materiel to compensate for routine losses and obsolescence. It also involves engaging in the inevitable “arms race” for deterrence, to match or exceed the capability of weapons acquired by existing or potential adversaries.
Apart from on-the-ground military capability for deterrence, defence or offensive operations, the economic, financial and political support and the capability of the nation are vital for war.
Military operations involve using command-and-control and weapons systems that are increasingly dependent upon information technology and based upon C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance), with cyber warfare as a distinct branch. Wars in present times, in a South Asia context, are likely to be short and intense, with military gains (or losses) in the initial stages of engagement being more significant from the political-diplomatic angle. Hence the military has to be capable of rapid movement, deployment and action. Offensive cyber capability is a strategic asset for deterrence or to pre-empt enemy military action.
About one-third of the Army (the boots-on-the-ground arm of India’s military) is deployed in internal security (IS) duties. The war-readiness of this significant component is compromised to the extent of the time required for their re-equipping, retraining and redeployment to the committed theatre of military operations, especially the possibility of a two-front war.
In this scenario, the need for large-scale military airlift, excellent rail, road and signal communications, and effective C4ISR capability for the movement of troops, weapons and equipment, is self-evident. This is almost entirely dependent upon computers on the desks of officials and in the control rooms of various national and State-level executive agencies and service providers.
The deployment and adequate use of air power, especially in short, sharp conflicts, is likely to take time-wise precedence over the inevitable ground operations. Assuming that India will not initiate combat operations, including pre-emptive attacks, the Indian Air Force has a critical role in deterrence as well as defence and close air support to ground forces in mountainous and plain regions. Keeping the air force fleet up to par in numbers and type/quality of fighter aircraft may be at the core of India’s military capability. Notwithstanding these factors, cyber capability may be the most important of all.
National defence is central to protecting territorial and political sovereignty. The combat capability of the armed forces is honed by the motivation and training of troops, along with logistic wherewithal and support. However, even if the vital logistic wherewithal is available (which is not the case, at present), it is nowhere near sufficient. The factor which fills in the sufficiency requirement is defensive and offensive cyber capability.
Weapon systems for conventional on-the-ground, in-the-air and at-sea fighting, as also cyber operations, are largely, if not entirely, dependent on the computing power of number-crunching information technology (IT) machines and the networks of such machines, in the form of special-purpose computers and general-purpose computers, with the associated software. The dependency of the nuclear industry and nuclear weapons and their (missile) delivery systems on computers is complete.
These IT machines are run by hardware and purpose-made software, and there are critical components in these as indeed in every other area. Perhaps the most critical hardware component is the core central processor on the assembled motherboards of computers and servers. If there is clandestinely inserted malware on the motherboard or in the central processor, the working of the computer can be monitored, even controlled, by the entity that inserted the malware. This compromises the security and integrity of the databases on which the system is based and the operation of the system itself.
The critical IT hardware (processors, servers, mother boards, data diodes, and so on) and critical software (firewalls, operating systems, crypto systems, and so on) that are at the core of military and civilian IT infrastructure are purchased from international vendors. Since most of our critical IT hardware is manufactured in countries over which the United States or China have the capability of influence on production processes, there is no such thing as a “safe” supplier in the cloak-and-dagger world of cyber warfare. The position with regard to critical software is identical.
There are real threats to national security, which are not limited to military capability. These could be owing to loss, leakage or corruption of data in critical economic, infrastructure and governmental command-and-control systems, in turn owing to ignorance, inadvertence, deliberate human factor (secret agent) interference or cyberattack.
Cyberthreats
The seriousness of cyberattacks has come into focus as Internet users proliferate at the staggering rate of eight new Internet users every second. This, even as there are allegedly 2,50,000 new computer viruses being created every day, which have the potential to infect private and institutional systems from around 3,00,000 infected websites. That gives the reader an idea of the threat lurking behind every keystroke of every computer which is connected to the Internet.
Critical systems are “air-gapped” so that they cannot be interfered with through the Internet. But even air-gapped systems are at risk from embedded malware in the core hardware or software of the system.
Further, computer systems can be, and are being, invaded by planting or embedding hardware at some stage of the manufacturing process or inserting malware during system installation. This provides a so-called “back door” to the system, permitting individual criminals, corporate competitors, intelligence outfits or “deep state” actors undetected entry to the system for nefarious purposes.
While software firewalls can prevent most unauthorised entries into systems, it is possible that an engineer working in a reputed firewall vendor company could have an illicit and secret association with a hacking facility at the individual level.
Built-in threats
The critical hardware and software in most, or perhaps all, central and State government Ministries, departments and organisations, including the military, is purchased from international vendors. These vendors are not the original equipment manufacturers (OEMs), since the manufacturers have limited global marketing capability. The purchaser enters into a contract with the vendor who procures the equipment from the OEM and instals it. In most cases, the vendor is also contracted for life-cycle technical support, since the design and details of the equipment are protected by the OEM under intellectual property righs (IPRs).
The OEM, operating under an export control regime, insists on the purchaser providing end-use certification. The nexus between the IT OEMs and the international intelligence community needs no highlighting. It is this nexus which permits the OEM to secretly embed targeted hardware and/or software in the equipment.
In a recent instance, a microchip was clandestinely embedded in server motherboards built in the U.S. during the manufacturing process, affecting some of the world’s biggest commercial corporations. China’s corporate telecom giants Huawei and ZTE Corporation are suspected to be involved, although they have denied involvement. This back door enables the manipulation of the core operating instructions and altering the server’s functioning, including reporting code to anonymous computers elsewhere with the IT managers being none the wiser. Clearly, the focus would be high-priority targets, including advanced commercial technology and the computers of rival militaries. (Robertson, Jordan and Michael Riley: “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”; Bloomberg Business Week , October 4, 2018).
With regard to the life-cycle technical support of the equipment, the vendor is often contracted for online support. This means that the government department (including a military user) actually hands over the entire live system to the vendor’s engineer—who may be physically located anywhere in the world—for updation, upgradation, rectifications, and so on. At this stage, one or more of the following could happen: (1) If a back door was not installed at time of supply and installation, this can be done; (2) If a back door was installed at time of supply and installation, data can be downloaded or manipulated; (3) A new or updated back door can be installed.
Online technical support by the vendor is often preferred because it is cheaper than having the vendor’s engineer visit the site, and also because security clearances for physical visits could be problematic, especially in high-security installations.
The point here is that critical IT hardware and software are purchased from the international market for end-use in defence, home, finance and banking operations, energy including oil, education, health, social welfare, electric power, nuclear power, railway operations, air traffic control, rail and air passenger reservations, public or private sector industry, and so on.
Vulnerability to cyberattack is substantial when every single item of critical hardware and software is purchased from international vendors, especially vendors who also provide technical support as part of the contract.
IT equipment purchased from the open market overcomes the disadvantage of revealing the end-use and prevents installation of targeted back doors. Cyber threat is minimised but not eliminated because, for example, a motherboard or a hard disk or the microprocessor could have secretly embedded devices which can be activated remotely. Nevertheless, this is a “safer” route.
Open market purchases call for increased levels of hands-on IT competence for system design, integration and implementation. Such talent is not difficult to find in India, but sadly this is not encouraged because of reliance on foreign vendors who exercise influence at the highest levels of State and Central governments.
Cybercrime
Cybercrime may be planned by individuals, non-state agencies, or governments. Such crimes are executed by persons who are professional in their capabilities and are well-organised. Openly advertised hacking services can be purchased by non-state entities, while some governments have skilled hackers on their payroll for intelligence purposes. A hacker can extract (copy), corrupt or delete data or disable systems for a critical period or effectively make the system inoperable by deliberately overloading it with inputs, called deliberate denial of services, or inject malware into the database or the operating system.
Successful hacking is possible by almost anybody who has some self-acquired skill in computers (not very difficult for today’s youngsters), the motivation to hack (monetary incentives or personal satisfaction), and time (part-time after school or work). The world over, cyber experts admit that a system is safe only until it is hacked, and the truth of this admission is that very high-security systems such as the U.S.’ National Security Agency (NSA), Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and so on, have been hacked or had malware injected into them, and the NSA has been routinely monitoring or surveilling vital systems of several countries, including India.
Military computer systems which are purchased from international vendors are no less open to hacking attack or to malware inserted at the purchase or installation stage of equipment or inserted at the maintenance or upgradation stage during service.
Military cyber security
The speed and effectiveness of military deterrence in threat situations and actual combat operations in rapidly changing situations, is dependent upon secure, reliable and swift communications, and on the capacity to quickly and efficiently shift reserves across operational theatres as and when required. All this is dependent upon the security and integrity of computer systems which control databases, networks and communications.
Enemy interference by hacking or otherwise attacking databases, can stall or hamper not only the military effort but also the national political command-and-control system under which the military functions, and the national economy which supports the military.
Until there are policy and time-bound action plans for adequate indigenous production of critical components of IT hardware and software, the operations and logistics of our military remains open to interference from countries which have well-defined strategies and superior cyber warfare capability.
In the present ambience of warfare and combat operations, ineffective cyber security is a military weakness and compromises deterrence capability. The Indian military’s dependence on imported critical cyber equipment calls for an immediate, deliberate review of its real-time power for IT-centric warfare, which is becoming increasingly central to international politics, even rivalling economic power. Inadequacy in cyber capability results in cyber vulnerability, and its effect on overall military capability can have serious consequences.
The effectiveness of military operations is finally based on the back-up that the nation provides with its infrastructural, economic and political resources. In war or real-time combat situations, there is no “runner-up” position, and success cannot be ensured without cyber-based operations and logistics. Thus there is a need for both offensive and defensive cyber capability, and this is intimately linked with the nation’s cyber capability.
The larger picture requires that data systems—which include the bits and bytes which every civil and military computer stores, uses and processes, the enabling software, the basic hardware and the human resources who are the final users—are secure against loss, corruption, theft, infiltration and so on. There are real threats to national security from loss, leakage or corruption of data due to cyberattack.
Cyberattack is an act of war, justifying reactive military response. However, when cyberattack disables multiple databases which affect military logistics and operations, it can restrict or limit the scale or speed of military response.
Indigenous initiative
In the field of critical hardware, the Shakti Processor Project in Indian Institute of Technology Madras (IITM), has recently made a path-breaking development for the manufacturing of a “controller class” processor chip, the first of six in a series of industry-standard microprocessors. This will form the core for the so-called Internet of Things (IoT), smart cards, and so on, and is a significant step forward to cyber security through indigenisation. The target is to produce “server class” chips meant for motherboards in applications such as artificial intelligence (AI), machine learning (ML) and high-end computers. However, the macro-issues of time, finance, security and commercial arrangements involved for large-scale production, integration into systems and replacement or substitution of vendor-purchased critical hardware, need to be addressed.
In international affairs there are no permanent friends or enemies, only permanent interests. Some strategic experts opine that China is unlikely to start a shooting war with India, because China’s People’s Liberation Army has superior offensive cyber capability which can be deployed to neutralise India’s military effort.
India’s present cyber vulnerability has military, economic, commercial and political implications for other nations, whether friendly or otherwise. The National Security Council (NSC) has a well-defined task of determining threat perception, policy and coordination in the cyber security area. However, time is not on our side at least insofar as military cyber security is concerned.
Major General S.G. Vombatkere, VSM, retired as Additional Director General, Discipline & Vigilance,in the Army Headquarters Adjutant General’s Branch, New Delhi.
COMMents
SHARE