Last month, i.e. Nov 2015, in a long speech carried by Xinhua, Mr Xi gave a rather detailed report on the planned reforms for the military. Mr Xi asserted: “Under the leadership of the Communist Party, our military has gone from small to big, from weak to strong, from victory to victory. On this road, reform and innovation steps have never stopped.” Reuters commented: “The troop cuts are part of long-mooted reforms to simplify and further professionalise the military, especially command and leadership structures that are still largely run along Soviet lines.” What is the objective of this exercise apart from cutting the corruption rampant in each department? The declared purpose of the exercise is to have, by 2020, a military setup ‘capable of winning information-age warfare’.
So what is this ‘information age warfare’ Chairman Xi was talking about? Who is he planning to fight such a war with? Will we, a neighbour with a largely undemarcated and contested boundary, be vulnerable?
I am appending a document by the Standing Committee On Information Technology (2015-16). This gives you an approximate idea of where our nation's cyber preparedness stands and the issues with which the nation's cyber security boffins wrestle. A deliberate reading of the document highlights the following deficiencies.
(a) We have no national cyber security strategy. We do have a National Cyber Security Policy document, and there is a very significant difference here. Except for a mention on page 5 para 8, where it states ‘to encourage entities to adopt guidelines for procurement of trustworthy ICT products and provide for procurement of indigenously manufactured ICT products that have security implications’, and on page 6 para C, wherein it mentions encouraging open standards, the rest of the document is standard industry jargon and practices for any large organisation. How these two points will be implemented has not been mentioned. Whether the procurement guidelines have been changed, and whether tax regimes favourable to domestic manufacture are in place to promote innovation, R&D and entrepreneurship, is what needs attention.
(b) Our entire preparedness and future plans are driven by the assumption that foreign vendors can be trusted for our network appliances, hardware as well as software. (The evidence of their not being trustworthy keeps piling up every day and continues to be ignored.)
(c) Since we continue to trust all and sundry software and hardware, our training and capacity building is also focussed on and driven by MNCs and their barely veiled marketing strategies. (Symantec and their representative bodies like NASSCOM announcing their plan to train cyber warriors etc. http://www.cxotoday.com/story/addressing-the-it-security-skill-gap-effectively/) Such policies and training programmes, other than perpetuating semi-skilled operators of the products made by the MNCs, will not protect our national security interests.
(d) That the aim of our establishment is to police our cyber space and concentrate on cyber crime investigation is very well documented. That this helps our software service industry and not our national security interests stands testimony to the clout of their industry bodies in dictating our national cyber security narrative.
(e) This document brings out the setting up of an Indian Common Criteria Certification Scheme STQC and a full-fledged lab at Kolkata. (With a capability for testing and certification of security of IT Products as per International standards, ISO/IEC 15408, based on Common Criteria Standards up to EAL4. Presently, evaluations are undertaken for certification of IT products like operating systems of routers, switches and firewalls; security appliances up to EAL4. The Committee are happy to note that India has become 17th ‘Authorizing Nation’ under Common Criteria Recognition Arrangement (CCRA) and that henceforth the product tested and certified under Common Criteria Certification Scheme up to Assurance Level 4 (EAL4) are acceptable not only in India but also in other member countries of CCRA without re-testing under the mutual recognition arrangements.) This paragraph hides a lot, namely:
- Evaluation is a costly process (often measured in hundreds of thousands of US dollars) – and the vendor’s return on that investment is not necessarily a more secure product.
- Evaluation focuses primarily on assessing the evaluation documentation, not on the actual security, technical correctness or merits of the product itself. For U.S. evaluations, only at EAL5 and higher do experts from the National Security Agency participate in the analysis; and only at EAL7 is full source code analysis required.
- The effort and time necessary to prepare evaluation evidence and other evaluation-related documentation is so cumbersome that by the time the work is completed, the product in evaluation is generally obsolete.
- Industry input, including that from organizations such as the Common Criteria Vendor’s Forum, generally has little impact on the process as a whole.
To sum this up, for the average reader this basically means the setting up of this infrastructure contributes very little to the National Cyber Security Posture, for the following reasons:
(a) Lack of control over the actual production of the products once they are certified.
(b) The absence of a permanently staffed organizational body that monitors compliance.
(c) The idea that the trust in the Common Criteria IT-security certifications will be maintained across geopolitical boundaries, especially after the Snowden revelations. (A case in point are the recent backdoors inserted by Juniper Networks in their firewalls.)
(d) In actual fact, what this will achieve is an entry barrier for domestic manufacturing, as all our procurement agencies will insert STQC compliance in their tender documentation. Only MNCs with very deep pockets will attempt this, and they will do it from their national labs.
(e) In an environment where constant updates for both software and hardware are the norm, whether all this actually matters is another point the strategic community needs to ponder over.
Other tokenisms like the setting up of various bodies, token funds for R&D and lip service to PPP models sum up our preparedness. Now, to complete this dismal picture, nowhere do plans for the military defence of our cyber space find mention, a place to which 100 percent of our economy is supposed to migrate by 2020. How is our nation preparing for the defence of our cyber space? Can advisories and patches from foreign OEMs do this? Will training and penetration testing of hardware and software, or compliance with ISO27001 standards, help? Will a 24x7 manned response be able to deal with a nationally orchestrated cyber attack?
Although the answers are self-evident (the promotion of an indigenous manufacturing ecosystem), I have yet to see the signs of a framework which can nurture and handhold this.
Standing Committee On Information Technology (2015-16)
Scorpion submarine leaks vindicate your views. As a quote aptly sums up, “one leak will sink ship”. It’s high time our people in power took note and got their act together to protect the country from cyber menace.
Awesome blog you have here but I was wanting to know if you knew of any user discussion forums that cover the same topics talked about in this article? I’d really like to be a part of an online community where I can get feedback from other experienced people that share the same interest. If you have any recommendations, please let me know. Thanks!