India should invest in ever more sophisticated cyber weapons
A century ago, the declaration of war was a formal exercise. Diplomats in frock coats appeared in the chancelleries to first serve ultimatums, then hand-deliver war notices. Some would even insist on reading them aloud for the benefit of the perplexed recipients, who would then arrange for the safe departure of the enemy embassy. These centuries-old courtesies were cut short by the time of World War II, and laconic telegrams replaced frock coats. The advent of the Cold War, nuclear weapons and proxy wars of the 20th century ended the custom of formal declarations of war. In recent times, an incoming missile or fighter plane announces war. Even so, we are used to wars that have a starting point and an end date.
Not anymore. Information warfare is a lifelong affair. Cyber warfare, its technical aspect, is already militarized. It is global and continuous, whether or not States are in armed conflict. We can’t determine the date, month, or even year it started. And, unfortunately, we also can’t say when it will end, if ever. States have no choice but to engage in it. As gloomy as it may sound, at least so far, the pursuit of politics by these other means has avoided the large-scale bloodshed that characterized the armed conflicts of the industrial age.
In previous columns, I argued that India cannot see itself as a cyberpower just because it has a large tech industry and the country needs to develop its own cyber weapons to defend its information space. It is therefore encouraging to see reports in the media suggesting that entities linked to the Indian government have demonstrated some capabilities of this nature.
Citing studies from a Russian cybersecurity firm, Thomas Brewster of Forbes magazine reported last week that hackers associated with the Indian government (referred to as “Bitter APT” by the industry) were using commercially available zero-day exploits to break into computers linked to the Chinese and Pakistani governments. According to a private Indian cybersecurity expert I spoke to, these hackers most likely used locally developed tools to exfiltrate data from target devices. The US company that sold the zero-day exploits indignantly cut the Indian government entity from its customer list for abusing its services. Neutral observers are sure to note that this just outrage comes from a company that provides zero-day exploits to the U.S. government and its allies, who presumably only use them for the trivial matter of updating their government antivirus software.
Aside from the hypocrisy of commercial cyber weapons vendors, reports of Bitter APT’s exploits tell us about two important developments. First, Indian cyber actors have moved from using phishing methods to gain a foothold in target devices to exploiting zero-day vulnerabilities. In other words, instead of relying on someone to click on a malware-laden website or document, they exploit unknown software bugs to gain access to target computers. Zero-days sell for over a million dollars in the international market, but the Bitter APT hackers reportedly obtained them from a $250,000-a-year subscription service and developed them further.
Second, the highly sophisticated software used to exfiltrate the data appears to have been built locally and went unnoticed for several months before being detected in February 2021. According to publicly available information, the Bitter APT hack was used for cyber espionage, not for disruption. Even so, this is a clear public indication of the level of India’s offensive cyber capacity.
A credible offensive cyber capability is necessary for at least two reasons. First, India presents attackers with a large and sprawling target sphere, large parts of which are unguarded and perhaps even unmonitored. It is therefore not possible to rely solely on perimeter security, the equivalent of stationing troops all along the border, as a cyber defense strategy. It becomes necessary to deter opponents from attacking in the first place. Deterrence in information warfare is a multi-layered concept, but requires the possession of effective cyber weapons to be credible.
The other reason for owning – and being perceived as possessing – cyber weapons is to secure a place at the high table as a “cyber asset” if countries were to ultimately negotiate digital gun control. The cybergeneration must learn from its nuclear predecessor, when India was designated a non-nuclear weapon state in perpetuity for the sole reason that it delayed testing of a nuclear device by an arbitrary date.
If Bitter APT is indeed an Indian state actor, then its actions are a step in the right direction. The episode shows the importance of adopting both “make” and “buy” tactics for zero-day exploits. Remember, however, that any advancement in the cyber field has an expiration date. Unlike conventional and nuclear weapons, the need for continued investment in talent and technology in offensive cyber capability is acute and relentless. There is a lot of urgent work that India needs to do at the doctrinal level to develop a national information warfare strategy, no doubt, but the development of more advanced cyber weapons needs to take place in parallel.
Nitin Pai is co-founder and director of The Takshashila Institution, an independent center for public policy research and education