Archive | US

GoI bars international vendors from National Optical Fiber Network project

After the Centre for Development of Telematics (C-DoT) submitted a memo to the Government of India to bar Chinese network vendors Huawei and ZTE from bidding in the Rs 20,000-crore rollout of a national optical fiber network (NOFN) project, the Government has decided to heed the advice and bar all international vendors from the project.

The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei as a national threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is: isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components, and if not, why is it better to prefer an “Assembled in India” sticker?

The NOFN project is a high-investment, long-term project that will power the infrastructure of the Indian network for some time to come. So it is prudent for the GoI to tighten security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.


Stuxnet – chickens come home to roost?

General William Shelton, who heads Air Force Space Command and oversees the Air Force’s cyber operations, comments that Iran will be a “force to be reckoned with” in the future, having perceivably strengthened its cyber defence and offence capabilities after the Stuxnet attacks.

“The Iranian situation is difficult to talk about,” Shelton told reporters. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Have the chickens come home to roost, or is this just more warmongering to get yet more defense budget share?


Use of private companies in cyber operations

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has and will consider the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be stated that there seems to be some ambiguity, at least in my mind, about the statement(s) by Napolitano. Napolitano’s use of “proactive” and “counterattack” together, as reported by the San Jose Mercury News, seems confusing since “proactive” is a term that is usually used along with the concept of “defense.” In risk management lingo, ‘proactive’ denotes the act of taking initiative by acting rather than reacting to threat events, while ‘reactive’ actions respond to past event(s) rather than predicting and acting before these perceived events. Thus “proactive” gels well with “defense”, which in military literature refers to the art of preventing an attack, to mean the act of defending against an imminent attack by taking action before the attack has happened. This flies completely against the concept of a counter-attack, which is about, duh, countering an attack that has happened, something that automatically classifies the act as being reactive.

My guess is that Ms. Napolitano did mean counter-attack, but by “proactive” she was trying to emphasise the fact that the reaction from the US will not be limited to acts of defense but will include counter-offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion – use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years the role has increasingly moved from support of military personnel in areas like security of the military base, protecting the convoy, etc., to a more traditional role played by active military personnel as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such private military companies.

The reasons have been numerous, the cost being the obvious but not the main one, which is to avoid scrutiny, including Congressional oversight in the US, that seems to be reserved for the military personnel of the nation-state. A similar reasoning can be used within cyberspace as well. Private companies engaged in cyber operations, regardless of their nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies it becomes harder for the subject of the attacks to concretely state that they were indeed targeted by the US. Even if they did, the fact that the attacks cannot be tracked back to have originated from the networks of the US military complex gives the US enough excuses to assert that they were neither aware of nor had authorised such attacks. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the cyber domain differs from the other domains of land, sea, air and space in a crucial way: the conduits/medium used for the attacks, the networks consisting of the backbone of routers, cables and other physical and software-based systems, are owned by private companies. In each of the four traditional domains, the conduit of attack (land, sea, air and space respectively) is usually owned, at least in the extended sense of the word, by the nation state that is attacking or being attacked. This makes it easier to construct a case for involving private companies, since after all they are direct front-line casualties in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered as part of the “recruitment” space. Cyber is the only domain in the list of five where the private sector holds a big slice of the pie of capable, qualified individuals who can provide service in these operations. Public-private partnerships just make sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets, provides a seemingly similar setup in India, with the crucial disadvantage that these “hired helps” are still directly associated with NTRO and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer-term relationship between the government and private companies that makes defending the infrastructure that they both rely on the central theme, and working on means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. The command structure gets blurred when the military structure merges with the private sector, and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action on the part of the private contractor is judged as an act of war by the other party and leads to a confrontational situation? A similar situation can arise when the wrong magnitude of (counter)attack force is applied, accidentally or otherwise, by these third parties.

All of this points to the fact that the use of private companies in cyber operations is tactically a good move and, some would argue, a necessity. However, it cannot be done at the drop of a hat, since the “rules of engagement” are bound to be fickle in such symbiotic associations.


Secrecy of Cyber Threats Said to Cause Complacency?

Secrecy of Cyber Threats Said to Cause Complacency? Oh please! First of all, ignorance or unawareness is not the same as complacency. Furthermore, while the bill concerned, the Cyber Security Public Awareness Act, is itself a boon, especially for researchers as well as those who want to hold the government accountable, the central theme of the article’s rhetoric, that awareness among the population is low because the attacks on critical infrastructure and government networks are classified, just doesn’t add up. Given the high rate of identity theft, a lot of which has a cyber-related cause, and the huge amount of existing press on the matter of cyber attacks (China is the new USSR), it is not the lack of information that is preventing the spread of “awareness” (read hysteria). More likely is a combination of:

  • Bigger things to worry about, economy comes to mind
  • Cognitive disconnect between report of incident, its impact and relevance to oneself
  • Knowledge that recent over-the-top war mongering is a part of an elaborate scheme to get more federal budget

Warning shots will only be fired so many times

The US-China Economics and Security Review Commission has just recently submitted its 2010 report to the US Congress (PDF) and the chapter on “China and the Internet” is a particularly interesting read. It touches on various topics including

  • Use of the Internet for “propaganda and ideological work” as well as to “guide public opinion”
  • Regulations that provide unfair advantage to home-grown technology companies
  • Standoff between Google and China vis-à-vis Operation “Aurora”
  • Attack on Indian government
  • Internet traffic manipulation

While I hate fear mongering with a vengeance, it would be stupid to ignore the warning signs emanating from China. Information warfare has been absorbed into Chinese military thinking and philosophy and we will be sitting ducks if we do not take evasive, defensive and offensive actions.


“The case for an India-US partnership in cyber security” – Takshashila Institution discussion document

Takshashila Institution has released a discussion document authored by me, titled “The case for an India-US partnership in cyber security.” The executive summary reads:

The rapid development and the increasing reliance on information and communication technology (ICT) and cyberspace in the last couple of decades have changed the way every aspect of the society works. Countries like India that hope to exploit the power and reach of ICT for their development should at the same time be wary of the vulnerabilities in their systems.

These ICT systems and cyberspace are highly complex, some of whose properties we are just beginning to understand and appreciate. In order to successfully defend against attacks on these infrastructure and systems, India should actively invest in researching and developing cyber security solutions and collaborating with other countries that share similar objectives.

This paper recommends that Indian institutions, both in the private and public sector, should engage with those from the United States in a partnership role to tackle issues related to cyber security and information infrastructure protection.

Please feel free to comment on the topic, find flaws with the logic or discuss anything related to the topic in the comments to this post.


General Keith Alexander speaks cyber security at CSIS

General Keith Alexander, current Director, National Security Agency (DIRNSA), Chief, Central Security Service (CCSS) and Commander, United States Cyber Command, spoke about cyber security and U.S. Cyber Command at the Center for Strategic and International Studies (CSIS). The event was held today at CSIS in Washington DC and was General Alexander’s first public speaking engagement after his recent promotion to Commander of US Cyber Command.

The video is published on the CSIS web site.

He starts with a brief introduction on events that led to the setting up of the US Cyber Command. He then goes on to define the scope of the role played by Cyber Command as “centralise command of military cyberspace operations, strengthen DoD cyberspace capability and integrate DoD cyberspace expertise.” He mentions the scale of DoD systems – 7 million machines, 15,000 networks, 21 satellite gateways and 20,000 commercial circuits. He mentions that DoD systems are probed by unauthorised people 250,000 times an hour, over 6 million times a day.

General Alexander then goes on to explain a shift in attack patterns from network penetration targeted at exploiting data to targeting systems for remote sabotage. Cyberspace differs from the likes of land and sea in that it is a man-made domain and a hotly contested one. He tries to dispel concerns about co-locating the cyber command with the NSA, thus involving the intelligence community in securing the nation’s cyber infrastructure, by saying that it has robust and rigorous procedures to minimise the effect of intelligence activities on US persons. See the video for more.

From an Indian perspective it is interesting that he mentions that cyber command will exercise its power to protect the cyber infrastructure of not just the US military but also help allies to do the same. I wonder how much engagement with India that would translate to and, for that matter, how much countries of interest like Pakistan would squeeze out of this overture.
