Tag Archives | drdo

‘Tis the season for hacking

Cyber-security asymmetries 101: Hacking is easier than defending.

Indian and Pakistani hackers are out defacing websites of each other’s countries. On the second anniversary of the 26/11 attacks in Mumbai, an Indian group calling itself the “Indian Cyber Army” (ICA) carried out an attack on 36 Pakistani websites, including the websites of the Pakistani Navy, the National Accountability Bureau (NAB) and Ministry of Foreign Affairs.

In response, a group called Pakistan Cyber Army (PCA) launched an attack on about 200 Indian websites, including the CBI (littering it with trash-talk that should, quite frankly, embarrass the hackers more than the compromise should embarrass the CBI). The very next day, Indian groups retaliated by hacking Pakistan’s Oil & Gas Regulatory Authority (OGRA) and a Pakistani Army recruitment website.

A review of the list of 200 websites hacked by the PCA reveals that a majority of sites were private small-business websites.  Embarrassing perhaps, but of low strategic value.  The goal of any large-scale defacement is to hurt the reputation of the victim.  If PCA’s victim was the Indian state, then its targets were poorly chosen.

Yes, websites owned by Indians were hit, but they are hardly representative of the Indian state in the same way that the government or the military is. This could indicate that the attack itself was poorly planned and motivated more by a desire to show that Pakistani hackers could retaliate quickly, by hitting out at low-hanging fruit, than an orchestrated attempt to deliver the same quality of response as ICA did on 26/11.  By all measures, compromising the website of Khanna Constructions isn’t remotely of the same strategic value as defacing the Pakistani Ministry of Foreign Affairs website.

But the world of cyber-security is faced with certain asymmetries.  Hacking is easier than defending.  For any government to be able to defend its “universe” of websites requires it to have three things — an appreciation for the challenge it faces, determination to address the challenge, and good counsel on how to address the challenge. If the first two are absent, the third is almost irrelevant.

It is no secret that the first two are almost entirely missing in India. In an apparent response to the hacking of the CBI website, we were given this bit of information from DRDO, via PTI:

Close on the heels of hacking of the CBI website, Defence Research and Development Organisation (DRDO) on Sunday said it was developing a mechanism to make websites hacking-proof. “It is always better to use indigenously developed systems than using others’ designs,” he said. The DRDO chief expressed optimism that its engineers could certainly develop hacking proof devices. [NDTV] (Credit: Parth Bakshi)

That’s just brilliant. Not only do they not know what they are talking about, they also don’t know what hit them nor how to defend against it.

And pray, what is a “hacking-proof” website?

Based on the attack on the CBI website, we know that a vulnerability management program isn’t in place right now.  The CBI attack was a standard SQL-injection exploit.  Out-of-the-box solutions (some, even free) exist today that assess whether websites are susceptible to SQL-injection and other attacks.  Even a basic vulnerability management program would have detected and alerted those responsible for security about the existing vulnerability.

That dovetails nicely into my closing question: who owns the security of India’s websites and supporting infrastructure, across the Centre and State? The answer is no one. And everyone. The blind lead the blind. With that being the case, there really is no reason not to believe that Indian websites will continue to get hit over the coming days and months, just as they have over the past many years. Cyber-security is an uphill battle to begin with. With the current levels of apathy towards and ignorance of such issues prevalent in our government, we should be prepared for nothing less.


Nuclear Arithmetic, Deterrent Calculus

K Santhanam sent the Indian media into a flutter with his statement that the thermonuclear device (Shakti-I) tested in 1998 during Pokhran II was not completely successful and did not produce the anticipated (and reported) yield of 40-45 kT.  He put this apparent failure in the context of the Comprehensive Test Ban Treaty (CTBT), advocating that we do not sign or ratify the treaty until India’s thermonuclear capability can be successfully demonstrated.

Notwithstanding denials from APJ Abdul Kalam, Admiral Sureesh Mehta, R Chidambaram and Brajesh Mishra, the vast differential in the reported vs. observed yield is no secret. International nonpartisan sources, such as the Federation of American Scientists (FAS), indicated 10 years ago that the yield of Shakti-I was between 12 and 25 kT. Indeed, Santhanam’s statements were also corroborated by both former AEC chairman PK Iyengar and national security expert Bharat Karnad.

However, this admission does not change India’s nuclear posture much, either with regard to Pakistan or China.  Nuclear weapons are a deterrent force and Pakistan will neither be emboldened nor hindered by the admission of this yield differential, in the event that it is contemplating a nuclear attack against India, in the face of rapidly deteriorating circumstances during a conventional war.

A nuclear bomb is a nuclear bomb. Indeed, the credibility of Pakistan’s own nuclear tests in Chagai was marred by reports of a significant divergence between reported vs. observed yields. While Pakistan reported tests of six nuclear devices (two in the kT range, and four in the sub-kT range) with a total yield exceeding 36 kT, nonpartisan sources indicate the May 28, 1998 tests produced a total yield of between 9 and 12 kT.

However, despite such reports, Pakistan’s arsenal consisting largely of tactical nuclear weapons (TNW) acted as a very credible deterrent against possible Indian offensives across the LoC during Kargil.  Additionally, had Pakistan’s “diminished” nuclear capability been a factor, India’s responses to the December 13, 2001 Parliament attack and the recent 26/11 Mumbai attacks would have been very different indeed.

The nuclear calculus also doesn’t change much with regard to China. India’s current nuclear posture continues to be incongruous with its “No First Strike” nuclear doctrine. The nuclear triad, a corollary to the “minimum credible deterrence” and “No First Strike” policies, remains unfulfilled, with two of three legs of the triad not currently being operational (with respect to China). While India has taken the first step in the development of nuclear-powered submarines, the first of these, INS Arihant, will not be operational for some time.

The most serious challenge to India’s “minimum credible deterrence” is its crippled missile program.  India’s longer range Agni-III IRBMs are as yet incapable of hitting strategic targets such as Beijing or Shanghai. The development, production and weaponization of the Surya-I and Surya-II ICBMs have experienced delays exceeding 10 years, as a result of high-technology denials by the US and the sloth-like inertia of DRDO.

Without true ICBM capability and bereft of an operational nuclear-powered submarine, India’s deterrence against Chinese aggression remains challenged; a 12 kT fission bomb or 50 megaton hydrogen bomb changes nothing under these circumstances.

The low yield of Shakti-I neither alters Pakistan’s perception of Indian retaliatory capability in the event of a Pakistani nuclear first strike, nor further hurts India’s credibility in being able to deploy a nuclear payload to strategic targets in China, should the need arise. Shakti-I changes nothing with regard to Pakistan; however, viewed through the prism of maintaining a credible deterrent against China, it should reignite a debate on the sorry state of India’s delivery systems and the credibility and logic behind our “No First Use” posture.
