Chinese cyberwarfare and Indian response

arnabh
BRFite -Trainee
Posts: 71
Joined: 23 Jan 2010 00:51

Post by arnabh »

Any thoughts on this recent article by Brahma Chellaney?

"A new war, a new frontier
India’s abilities to ward off attacks on its computer networks and other infrastructure are basic at best
Brahma Chellaney, Mint, January 22, 2010

Even though India showcases its world-class information-technology and knowledge skills and civilian space assets, it lags far behind China’s cyberspace capabilities. Worse, it has developed no effective means to shield its rapidly expanding cyber infrastructure from the pervasive attacks that are now being carried out both in search of competitive intelligence and to unnerve the Indian establishment.

In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.

The cyber threat is at two levels. The first is national, as manifest from the attacks already carried out against India’s National Informatics Centre (NIC) systems, the office of the national security adviser and the ministry of external affairs. By scanning and mapping some of India’s major official computer systems, China has demonstrated a capacity to steal secrets and gain an asymmetrical advantage. Cyber intrusion in peacetime allows China to read the content and understand the relative importance of different Indian networks so that it knows what to disable in a war situation.

The second level of cyber threat is against chosen individuals. Such targets in India range from functionaries of the Tibetan government-in-exile and Tibetan activists to Indian writers and others critical of China. The most-common type of intrusion is an attempt to hack into the e-mail accounts. The targets also can face the so-called Trojan horse attacks by e-mail that are intended to breach their computers and allow the infiltrators to remotely remove, corrupt or transfer files.

To be sure, it is not easy to identify the country from where a particular cyber attack originated if it is camouflaged. Through the use of so-called false flag espionage and other methods, attacks can be routed through the computers of a third country. Just as some Chinese pharmaceutical firms have exported to Africa spurious medicines with Made-in-India label — a fact admitted by Beijing — some Chinese hackers are known to have rerouted their cyber intrusion through computers in Russia, Iran, Cuba and other countries. But like their comrades in the pharmaceutical industry, such hackers tend to leave telltale signs that allow investigators in the victim countries to trace the origin of the disguised attacks to China. Then there are many cases where the attacks have directly originated in China.

So the reasonable supposition at the highest levels of the Indian government is that most cyber attacks have been carried out from China. That is also the conclusion Google reached when it reported “a highly sophisticated and targeted attack on our corporate infrastructure originating from China” and threatened to end “our business operations in China.” Cyber strikes are just the latest example of how China’s actions — from manipulation of the renminbi’s value to the large-scale dumping of artificially cheap goods — are beginning to rankle other nations, undercutting its claims of a “peaceful rise.”

Let’s be clear: If China can carry out sophisticated cyber attacks on at least 34 U.S. companies, including Google, as part of a concerted effort to pilfer valuable intellectual property, it certainly has the capability to outwit the elementary safeguards found in most Indian computer systems. Google today is crying foul but it was instrumental in aiding online censorship controls in a country that is most fearful of the free flow of information. It custom-built for China a search engine that expurgates the search results of references and Web sites that Beijing considers inappropriate. Now, Google itself has become a victim of China’s growing cyber prowess, in the way the appeasement of Hitler had recoiled on France and Britain.

Hackers in China have been carefully studying different software programmes to exploit their flaws. For example, hackers have found openings that allow them to infect victims’ computers through booby-trapped documents stored in the Acrobat Reader format. Opening such a document allows the hackers to automatically scan and transfer computer-stored files to a digital storage facility in China as part of a vast surveillance system dubbed “Ghostnet” by Canadian researchers. This is what happened when computers of the Tibetan government-in-exile in Dharamsala were methodically attacked last year. Officials in Germany, Britain and the U.S. have acknowledged that their government and military networks also have been broken into by Chinese hackers.

It seems unlikely that the hackers, especially those engaged in systematic cyber espionage and intimidation, are private individuals with no links to the Chinese government. It is more likely that the hackers are tied to the People’s Liberation Army. In war, this irregular contingent of hackers would become the vanguard behind which the regular PLA divisions take on the enemy.

India already is on the frontlines of one mode of asymmetrical warfare: Terrorism. That type of warfare has traumatized and bled India for long, with the country exposing itself as a soft state through the absence of an effective response. Now a new frontier of asymmetrical warfare is being opened against India, not by state-sponsored non-state actors but by state actors. It cannot fight two asymmetrical wars simultaneously, one against terrorists and extremists and the other against a state flouting international norms and wedded to cybercrime. The two asymmetrical wars indeed are a reminder that unconventional threats cannot be defeated through conventional forces alone. That is why India should treat the growing cyber attacks as a wake-up call to plug its vulnerabilities by developing appropriate countermeasures on a priority basis.

Brahma Chellaney is professor of strategic studies at the Centre for Policy Research in New Delhi. Comments are welcome at theirview@livemint.com
"
shiv
BRF Oldie
Posts: 34982
Joined: 01 Jan 1970 05:30
Location: Pindliyon ka Gooda

Re: Chinese cyberwarfare and Indian response

Post by shiv »

There appears to be a computer security caste system in India. The IT companies have robust security and the "itvity" crowd are generally aware. But everything else is not just potentially infected with malware - it is actually infected. All you need to do in India is to insert (just insert and remove, do nothing else) a pen drive into any public computer or college computer and then look at the contents of the pen drive in a Linux machine and you will find that some Windows files have been inserted on to the pen drive and those files cannot be seen or cannot be deleted under Windows.

What really surprised me was to find that my own medical college which has zero security related information but has savvy enthusiasts has robust security for its computers whereas every engineering college computer in Bangalore is clearly infected with malware.

For a nation that thinks that it is god's gift to IT, our average awareness of security is mind-bogglingly meager. It's not that engineering college computers are leaking security information. They only add to the infections of privately owned laptops and desktops. And every day there is a minister's son or a babu's daughter who is using Papa's laptop for games and college work - who then infects the same. That babu/minister sends his chaprasi to the neighboring building to get some files on his pen drive and spread the malware around. Some of this malware is not identified by anti-virus software.

The people I meet in Bangalore think that anti-virus software is a magic mantra that one only needs to carry around. They will say "No problem - I have anti-virus software" - like the man who wore a condom on his thumb (as demonstrated to him) every time he went to a whore. The word "firewall" is usually unrecognised. Firewall? Why? In India we have brick walls. They don't burn.

My only concern is whether government and security depts are any more savvy than the mango Bangalorean. Nothing that I see gives me any confidence that they are. "INTEL inside, idiot outside" seems to be the rule.

Most Indians I meet think that Microsoft Windows is like Mercedes Benz. You buy a Merc - you buy a product whose robustness, refinement and reliability are taken for granted. Windows itself is a huge security hole. Using Windows is like sharing needles with a crowd of drug addicts.

I have in my possession copies of expensive software that were bought by a young friend in Shanghai at a dollar per CD. Indians are grateful to the Chinese for making expensive software such as Adobe Premiere or AUTOCAD available for public use. I note that engineering colleges in India encourage the use of programs such as AUTOCAD, but nobody actually buys the software. It is always shared. And with the Chinese being the fountain of software piracy, it is highly likely that tens of millions of computers are already infected.

Thank you for letting me have my rant. I have been having this rant for a decade now and it is not at all clear to me that Indians have learned anything. We are basically a nation of naive and trusting simpletons. Computer security is not for us.