The secret wars

India needs to prepare for aggression in cyberspace

Modern military doctrine sees cyberspace as a fifth theatre of war along with land, air, sea and space. Every nation’s infrastructure is vulnerable to cyber-assault. Almost every 21st-century artefact, from children’s toys to pacemakers to credit cards to sewage disposal systems and power grids, has an embedded infotech component. Modern military systems are, of course, utterly dependent on information technology (IT). Given that, the widely reported claims in David Sanger’s new book, Confront and Conceal: Obama’s Secret Wars, seem credible. Mr Sanger says the US and Israel cooperated to create the Stuxnet computer worm that carried out cyber-attacks against Iran’s nuclear infrastructure. Since 2010, when Stuxnet escaped into the wild after sabotaging thousands of Iranian centrifuges, programmers have insisted that it was too large and sophisticated to be written by a rogue hacker. Government involvement in the creation and propagation of the newly discovered Flame virus has also been reported to be probable. Stuxnet and Flame would have taken many millions of programming man-hours to write and debug. Flame is even more sophisticated than Stuxnet: while Stuxnet interfered with the chips that control centrifuges, Flame has been sucking data off computers since at least 2007. The focus of Flame’s infection is West Asia and North Africa. The majority of infected systems are owned by governments in that region. Israel is apparently absent from the list of infected nations.

Stuxnet may have been a clandestine, deniable and relatively painless act of war. But it was an act of war, nevertheless. It was deployed when Iran wasn’t technically in a state of armed conflict with anyone. This sets a precedent likely to be emulated by other nations. Earlier policy was more defensive, with a focus on preserving one’s own assets and on gathering information. Since cyber-attacks are deniable, less likely to cause loss of life, and potentially crippling in impact, the temptation to launch such attacks aggressively is understandable. The Defence Advanced Research Projects Agency’s (DARPA’s) Plan X will enhance America’s capacity to carry out such assaults. China, too, has stated its intention to militarise cyberspace and use it aggressively.

India is at least as vulnerable as Iran to cyber-assault, perhaps even more so because it has extensive IT penetration and ambitious plans for e-governance. It needs to rapidly develop a doctrine that offers both defensive shielding and offensive capability. Obviously, any such efforts will need to be classified. But this would need to involve the skill sets and capabilities of the private sector, as DARPA has always done in its programmes. It isn’t only a matter of protecting military assets. Modified Stuxnet variants could knock out the power and telecom grids, while Flame-style viruses can turn state secrets into open books. Indeed, some security consultants allege that India has already suffered terabytes of data being hacked off official servers. There are large unknowns and perils in this new theatre of war. There are asymmetries — a rogue hacker or terrorist could cause a lot of damage while staying hidden. India will need to evolve a new cyber-doctrine quickly and it will need to be flexible to deal with changes in the environment.