India following China’s art of cyber warfare to give shape to an IT infrastructure setup (September 2010)
Brig. Arun Sahgal (retd)
On 7 April 2010 several national dailies carried an article reporting that a Chinese cyber spy ring had hacked 'scores' of computers in Indian military establishments and stolen over 300 documents from the National Security Council Secretariat, the Military Intelligence Directorate and other military institutions. The source cited was a recent report by a Canadian public-private research partnership between a private firm, the SecDev Group, and the Munk School of Global Affairs, University of Toronto, which had carried out a year-long investigation into the hacking of the Tibetan Government-in-Exile and the private office of His Holiness the Dalai Lama. The Tibetans had complained that their systems were under attack, and the investigation was taken up as a case study.
The Canadian firm, in collaboration with the Munk Centre for International Studies, University of Toronto, set up the Information Warfare Monitor as a public-private partnership: a research centre that tracks cyberspace as an emerging strategic domain. Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive two-phase investigation into allegations of Chinese cyber espionage against the Tibetan community.
The investigators named the malware-based cyber espionage network GhostNet. The GhostNet system directs infected computers to download a trojan known as gh0st RAT (Remote Access Tool) that gives the attackers complete, real-time control. These instances of gh0st RAT were consistently controlled from commercial internet access accounts located on Hainan Island, People's Republic of China. The investigation found that GhostNet can take full control of infected computers, including searching for and downloading specific files and covertly operating attached devices such as microphones and web cameras. The investigation culminated in March 2009. Its findings are as under:
- Beyond the network of His Holiness the Dalai Lama's offices in India, the study found at least 1,295 infected systems in 103 countries.
- The targeted systems were political, diplomatic, commercial and military.
- gh0st RAT control traffic was traced to commercial internet accounts on Hainan Island (PRC).
- China has roughly 300 million internet users, nearly a fifth of the global total, and internet usage there grew about 1,200 per cent between 2000 and 2008; the volume of China-oriented malware has grown with it.
- Investigations at Dharamshala led to the discovery of four control servers and six command servers used to run the gh0st RAT trojan and the GhostNet.
- Most of the control servers were traced to IP addresses located in China.
- Of the 986 infected IP addresses, 53 were in India and 113 in the USA; the average duration of infection was 145 days and the longest 660 days.
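The article describes gh0st RAT only in terms of what it lets an operator do. A defender hunting for GhostNet-style infections needs something more concrete, and the trojan's control channel has recognisable framing. The following Python is an added example written for this page; it is not code from the article, from the Information Warfare Monitor reports or from the gh0st RAT project itself. It assumes the classic gh0st wire format as published in open IDS signatures: a 5-byte magic "Gh0st", a 4-byte little-endian total frame length (header included), a 4-byte little-endian uncompressed length, then a zlib-compressed body. Later variants rewrite the magic string, so the magic list is a parameter, and the sample traffic is constructed inline rather than captured.

```python
"""Detect gh0st RAT-style command-and-control frames in TCP payloads.

Added example for this page; not code from the article or from the
Information Warfare Monitor. Assumed wire format (from public IDS signatures):
  magic "Gh0st" (5 bytes) | total frame length (uint32 LE, header included)
  | uncompressed payload length (uint32 LE) | zlib-compressed payload
Variants change the magic string, so it is passed in as a parameter.
"""
import struct
import zlib

GH0ST_MAGIC = b"Gh0st"
LENGTHS_FMT = "<II"          # two little-endian uint32 fields after the magic
LENGTHS_LEN = struct.calcsize(LENGTHS_FMT)


def build_frame(payload: bytes, magic: bytes = GH0ST_MAGIC) -> bytes:
    """Assemble a gh0st-style frame; used here only to create test traffic."""
    body = zlib.compress(payload)
    total = len(magic) + LENGTHS_LEN + len(body)
    return magic + struct.pack(LENGTHS_FMT, total, len(payload)) + body


def parse_frame(buf: bytes, offset: int = 0, magics=(GH0ST_MAGIC,)):
    """Return (frame_length, decompressed_payload) if a well-formed frame
    starts at `offset`, otherwise None.

    Both length fields and the zlib stream are checked, so a stray "Gh0st"
    string in ordinary traffic (a decoy, a file transfer, text that mentions
    the tool) is not reported as C2 traffic."""
    for magic in magics:
        hdr_len = len(magic) + LENGTHS_LEN
        if buf[offset:offset + len(magic)] != magic:
            continue
        if len(buf) - offset < hdr_len:
            return None                      # truncated header
        total, raw_len = struct.unpack_from(LENGTHS_FMT, buf, offset + len(magic))
        if total < hdr_len or total > len(buf) - offset:
            return None                      # inconsistent or truncated frame
        try:
            data = zlib.decompress(buf[offset + hdr_len:offset + total])
        except zlib.error:
            return None                      # body is not a zlib stream
        if len(data) != raw_len:
            return None                      # length field does not match body
        return total, data
    return None


def scan_stream(buf: bytes, magics=(GH0ST_MAGIC,)):
    """Walk a reassembled TCP payload and return [(offset, payload), ...]
    for every frame that passes all checks. Valid frames are skipped whole so
    their compressed bodies are never rescanned."""
    hits = []
    i = 0
    while i < len(buf):
        parsed = parse_frame(buf, i, magics)
        if parsed is None:
            i += 1
        else:
            total, data = parsed
            hits.append((i, data))
            i += total
    return hits


# Constructed sample stream (not captured traffic): an innocent HTTP request,
# a beacon, a decoy "Gh0st" literal with nonsense lengths, then a second frame.
CONSTRUCTED_STREAM = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + build_frame(b"\x01heartbeat")
    + b"..Gh0st" + struct.pack("<II", 0xFFFFFFFF, 0) + b"..."
    + build_frame(b"\x02dir C:\\Users\\secret")
)


def detect_gh0st(buf: bytes = CONSTRUCTED_STREAM):
    """Convenience wrapper returning only the decoded payloads, in order."""
    return [data for _, data in scan_stream(buf)]


if __name__ == "__main__":
    for off, data in scan_stream(CONSTRUCTED_STREAM):
        print(f"gh0st frame at offset {off}: {data!r}")
```

Run against the constructed stream, the scanner reports the two genuine frames and ignores the decoy, which a bare content match on the five-byte literal would have flagged. To use it on real traffic, feed it reassembled TCP payloads from a capture and extend the magic list with the variant strings your signatures carry; the decompressed payload is where command tokens and exfiltrated file names would appear.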
The second phase of the investigation led to a second document from the same group, released on 6 April 2010 and titled 'Shadows in the Cloud: Investigating Cyber Espionage 2.0'. Unlike the GhostNet investigation, Shadows in the Cloud revealed that, of the compromised IP addresses, India accounted for the largest share. This is a stark shift in the Chinese hackers' strategy. Possibly the GhostNet exercise against the Tibetan Government-in-Exile in India was a test bed for penetrating Indian networks and reconnoitring our gateway monitoring systems. The report traces the origins of this episode to a hacker community in Chengdu, the first time a location on the Chinese mainland (rather than Hainan Island) has been named, and the pattern of penetration has graduated from NGOs to government establishments. Chengdu is also home to a PLA Technical Reconnaissance Bureau tasked with SIGINT (signals intelligence) collection through interception and other electronic methods. Direct PLA involvement therefore cannot be ruled out, and the activity may well be state-sponsored.
The second report from the Canadian group should be a cause for serious concern in India. The enormity of the situation needs no emphasis; it suffices to say that, having compromised machines on Indian networks in bulk, the adversary holds a foothold from which it can disrupt those networks whenever it chooses.
China’s Cyber Militia
Chinese hackers operate through government agencies, as we do, but also through other organisations that the state sponsors, directly or surreptitiously, to engage in this kind of international hacking. It is a kind of cyber militia, and it comes in volumes that are staggering. Chinese hackers are reported to have breached the computer systems of utility companies outside the United States and even to have demanded ransom. It is suspected that some of the hackers had inside knowledge of the utility systems, and in at least one case an intrusion caused a power outage that affected multiple cities. US intelligence agencies did not know who launched the attacks or why, but all of them involved intrusions over the internet.
In addition to disruptive attacks on networks, officials worry about the Chinese using long-established computer-hacking techniques to steal sensitive information from government agencies and US corporations. There are accounts of large American companies whose strategic information was obtained by their Chinese counterparts in advance of a business negotiation: the company's delegation arrives in China and finds that the other side of the table already knows its bottom line on every significant negotiating point, information it could only have obtained by hacking into the company's systems.
Cyber War Doctrine
In another five to ten years China will have developed much greater depth and sophistication in its understanding and handling of information warfare techniques and information operations. As Indian society becomes increasingly dependent on automated data processing and vast computer networks, India too will become extremely vulnerable to such techniques. The fact that they can be practised from virtually anywhere on earth, even in peacetime, makes 'acupuncture' or paralysis warfare all the more diabolical. India can ill afford to ignore this new challenge to its security. It should adopt an inter-ministerial, inter-departmental, inter-Services, multi-agency approach to emerging cyber warfare threats and must develop appropriate responses. No single agency in India is charged with ensuring cyber and IT security. A nodal agency must be created to spearhead India's cyber war effort under a National Cyber Security Advisor who reports directly to the NSA. The armed forces must be part of the overall national effort from the very beginning so that emerging tactics, techniques and procedures can be incorporated into doctrine and training. Consequently, India too needs a Cyber Command to lead the military's efforts to safeguard its computer networks from hackers and cyber attacks.
The strategy must be defensive, to guard India's vulnerable assets such as military command and control networks and civilian infrastructure that depends on cyberspace, as well as offensive, to disrupt the adversary's C4I2SR systems and develop leverages that can be exploited at the appropriate time. With some of the finest software brains in the world available to India, this should not prove an insurmountable challenge. The field is too important to be left to the traditional Indian approach of burying one's head in the sand and waiting for the threat to go away, reacting only when the enemy has reached Panipat and is knocking on the gates of Delhi. In this case the nothingness of cyberspace connects China's laptop warriors directly with Delhi, Mumbai, Kolkata, Chennai and other Indian cities.
Borrowing a page from China's art of cyber war, India's government is giving shape to an IT infrastructure setup manned by a small army of software professionals to spy on the classified data of hostile nations by hacking into their computer systems. IT workers and ethical hackers who sign up for the ambitious project will be protected by law, says the proposal being discussed by senior government administrators. Their expertise will be used to go on the offensive, or to pre-empt strikes, by breaching the security walls of enemy systems. The strategy of taking the fight to the hackers was drafted at a high-level security meeting on 29 July chaired by the National Security Advisor and attended by the Director of the Intelligence Bureau as well as senior officials of the telecom department, the IT ministry and the security agencies.
The government is worried about spying and sabotage from neighbouring countries, particularly China and Pakistan, after a spate of assaults on its computer systems in recent times. According to the government proposal, the National Technical Research Organisation (NTRO) along with Defence Intelligence Agency (DIA) will be responsible for creating cyber-offensive capabilities. NTRO is a key government agency that gathers technical intelligence while DIA is tasked with collating inputs from the navy, army and air force intelligence. The NTRO will also suggest measures to ensure legal protection to recruits, a move that is expected to coax software professionals into joining the government. “Even if the offence is done on a computer on foreign soil, it is punishable under Indian laws,” says cyber lawyer Pavan Duggal, adding that the IT Act will have to be changed for ‘patriotic stealth operations’. Duggal welcomed the efforts to establish a hacker group, pointing to the explosive growth in assaults on Indian systems recently.
In conclusion, it needs to be underscored that India faces a cyber threat from both China and Pakistan and, more importantly, from the two in collusion. India has no option but to upgrade both its defensive and its offensive cyber capabilities. It should be apparent that as India grows and becomes an economic competitor of China it will be subjected to increasing cyber attacks from inimical countries.
It is also important to recognise that almost all countries faced with this challenge are creating the capacities and the capabilities to deal with it. India needs a twin-track approach. First, there is a need to understand the nature of the challenge and to create awareness at the grass-roots level of security loopholes and vulnerabilities. Second, and even more important, a Cyber Command must be created for inter-agency coordination, ending the stove-piped approach driven by each agency's desire to protect its own domain. It is equally important to create at the earliest the office of a National Cyber Security Advisor to advise the NSA on all cyber security issues, including the capabilities, technical and personnel, that must be built. The challenge is huge and it is now. We cannot afford to waste any more time, as the cost would be our national security.