Synopsis: India’s offensive cyber capability appears to have increased, but we should aim to achieve deterrence.
The advent of the Cold War, nuclear weapons and proxy wars of the 20th century put an end to the custom of formal war declarations. In recent times, an incoming missile or fighter aircraft announces war.
What is the ‘Bitter APT’ episode?
Recently, media reports suggested that Indian government-connected entities have demonstrated some cyber capabilities of an offensive nature.
For instance, hackers associated with the Indian government (designated ‘Bitter APT’ by the industry) used commercially available zero-day exploits to break into Chinese and Pakistani government-linked computers.
According to an Indian private cyber-security expert, these hackers most likely used indigenously-developed tools to exfiltrate data from target devices.
Why is this development significant for India?
Increased offensive capabilities: The Indian cyber actors have moved up from using phishing methods to gain footholds in target devices to exploiting zero-day vulnerabilities. Now, they are exploiting unknown software bugs to gain entry into target computers.
Also, the highly-sophisticated software used to exfiltrate data appears to have been built indigenously and went unnoticed for several months before being detected in February 2021. From the information that is publicly available, the Bitter APT hack was used for cyber espionage, not for disruption.
Why does India need to develop a credible offensive cyber capability?
Vast cyber space: India presents attackers with a vast sphere, large parts of which are unguarded and perhaps even unguardable. It is thus not feasible to rely solely on perimeter security.
Deterrence: Deterrence in information warfare is a multi-layered concept, but requires the possession of effective cyber weapons to be credible.
Global position: To ensure a place at the high table as a ‘cyber have’ so that countries eventually get down to negotiating digital arms control. The cyber generation must learn from its nuclear predecessor, when India was designated a non-nuclear weapon state in perpetuity for the only reason that it had held off testing a nuclear device before an arbitrary date.
Cyber warfare: Cyber space has already been militarized. It is global and continues regardless of whether or not states are in armed conflict.
No political discussion: At least so far, the pursuit of politics through has avoided large scale bloodshed that characterized armed conflicts of the Industrial Age.
Reduce dependency: The American firm that sold the zero-day exploits has cut off the Indian government entity from its customer list for misusing its services.
Hypocrisy of commercial cyber weapon vendors: The righteous step of cutting off the Indian government entity from its customer list came from a company that provides zero-day exploits to the US government and its allies, which use them only for the anodyne business of updating their anti-virus software.
What is the way forward?
First, there is a need for continuous investment in talent and technology in offensive cyber capability.
Second, there is a lot of urgent work that India must do to craft a national strategy for information warfare, no doubt, but the development of more advanced cyber weapons must take place in parallel.
Source: This post is based on the article “India should invest in ever more sophisticated cyber armaments” published in Livemint on 27th Sep 2021.