In his first address during the Combined Commanders’ Conference in 2014, Prime Minister Narendra Modi talked about his vision of a Digital Armed Force and the increasing importance of dominating the cyber space. The next year, aboard the INS Vikramaditya, he asked the senior military leadership to prepare for rivalries in cyber space. The other recurrent theme in these two conferences was the role of the services in encouraging the development of domestic capabilities.
The first part of the prime minister’s vision is on its way to realisation. The government has sanctioned the raising of a cyber agency that will steer the planning and conduct of cyber warfare in the military. Hopefully, once the doctrine has matured, the cyber agency will be expanded to a much-needed cyber command.
The other theme remains disappointingly unfulfilled. Building domestic capability for the manufacture of sophisticated weapons and equipment is obviously a major challenge. However, the same cannot be said for the hardware and software being used in the military information technology (IT) infrastructure. Despite Indian products being available, a concerted effort to use indigenous solutions is conspicuously absent, with the Army being the most laggardly in this regard.
The existence of the PRISM programme, under which the United States National Security Agency (NSA) collected data from internet communications, was revealed by Edward Snowden in June 2013. The scale of the programme was staggering. Leaked documents showed the very close involvement of US technology companies like Microsoft, Google, Yahoo, Facebook and Apple in the programme. According to the documents, the NSA was collecting data directly from the servers of US service providers.
Further revelations, disclosed by The Guardian showed that Microsoft had actively helped the NSA to circumvent its own encryption of web chats on Outlook.com. Microsoft also permitted PRISM to access its cloud storage service SkyDrive, and monitor Skype chats. Microsoft denied these allegations, but the evidence was overwhelming.
More NSA documents, released with Glenn Greenwald’s book No Place to Hide, detailed how NSA employees intercepted Cisco routers, intended for organisations targeted for surveillance, and implanted them with backdoors before shipping them on. America is not the only country that uses these practices. A recent Bloomberg report pointed out that China’s intelligence services had ordered subcontractors in China to plant malicious chips in Supermicro server motherboards bound for the US.
Faced with these dangers, countries have moved to restrict foreign products from use in critical networks. In 2014, Beijing banned government offices from buying Microsoft Windows, and security software from Symantec and Kaspersky Lab. One year later, the ban was also applied to Cisco and Apple products. In August 2018, President Trump signed a bill banning the use of Chinese Huawei and ZTE technology by the US government. This followed a 2017 ban on the Moscow-based Kaspersky Lab.
In India, though, we seem oblivious to the vulnerabilities that exist in our critical networks due to foreign hardware and software. Over 60 per cent of software and hardware being used by BSNL is sourced from either Huawei or ZTE. This is despite Huawei being probed for hacking a BSNL network in 2014. In September 2017, BSNL signed a memorandum of understanding with ZTE for research and commercialisation of future 5G technology. Even Australia, with a billion lesser population than India, has banned Huawei from supplying equipment for 5G mobile network, citing national security risks.
The Air Force Network (AFNET) was launched in 2010. Present on that occasion was the Cisco country head because his company was a major supplier of equipment for AFNET. The army’s latest communication backbone, Network for Spectrum (NFS), also uses Cisco equipment. Rather than looking at indigenous equipment, The Quint, in a 2016 report, had revealed that the request for proposal for NFS equipment had been manipulated to favour Cisco.
The story is similar when it comes to software. The Indian Army mostly uses the Microsoft Windows operating system on its official computers. Windows is an outstanding system but is a closed-source software owned by a company that is bound by US laws and historically tied to the American intelligence community. And India is a prime target for American spying; in the overall list of countries targeted by PRISM, India stood at the fifth place.
In 2015, the Northern Command of the army decided to adopt the Bharat Operating System Solutions (BOSS) for all its official computers. BOSS is an indigenously developed open-source system by the Centre for Development of Advanced Computing, an R&D organisation of the Ministry of Electronics and Information Technology. At the start, there were many teething problems. The user-friendliness of Windows could not be replicated and re-training of a generation that had grown up with Windows was not easy. However, we persisted because we were convinced that national security cannot be subordinated to the ease of making a PowerPoint presentation.
Three years later, the army is still debating the merits of BOSS, and the arguments are still centered on simplicity of usage, not security of networks. Instead of supporting BOSS, there is a push to return to Windows. Despite the clear dangers in cyber space, we remain inexorably tied to past practices and show little desire to make changes that are essential to protect our national interests.
In an article in the Christian Science Monitor, James Mulvenon, a founding member of the Cyber Conflict Studies Association, is quoted as saying, “Here’s the problem — it’s 1946 in cyber. So we have these potent new weapons, but we don’t have all the conceptual and doctrinal thinking that supports those weapons or any kind of deterrence.” An essential element of this doctrinal thinking is for the Indian military to take the lead in indigenising its IT infrastructure.
The prime minister is known for taking bold decisions like the surgical strike of 2016. A policy decision to indigenise our cyber space will have greater and more far reaching national security implications.