India Should Focus on Information Sovereignty, Not Cybersecurity

The premise of diplomacy is negotiation, to sit at the table with a peek into the other party’s mind. In the hustle of bilateral deal-making, balance is an art. Nothing more should be offered than what we think the other party deserves, nothing less than it secretly expects.

If inequity in such a marriage gives rise to the suspicion of infidelity, then India’s misguided pursuit of cybersecurity cooperation with the US is fraught from the very beginning. A landmark cyber assistance framework has been sought from the US.

It would be incorrect to call it a deal as it’s unclear what India has to offer in return. Yet, more alarming is the blinding ignorance of the diplomatic advisers nudging the Prime Minister into a national security quagmire.

My last file noting before I left the National Technical Research Organisation (NTRO) arrived just a few days after the first set of leaks by Snowden. I had appealed for the urgent creation of a multi-agency task force roping in electronic intelligence experts.

These include the Indian Air Force, counter-espionage operators from the Army, cryptoanalysts from the Navy, and hackers from the NTRO. The complete domestic electromagnetic spectrum has become a massive Command-and-Control relaying pried information.

Needless to say, American vendors, bleeding profusely after the Snowden leaks, are regretting their decision to accommodate the “strategic partnership” with the NSA. A preliminary risk assessment would prove that American infrastructure suffers from the same systemic vulnerabilities that the CIA and the NSA have a penchant for exploiting.

What if that information finds its way to even less trustworthy hands? Unbeknownst to us, their risk becomes ours because the information was ours. This is what the strategic community has to take cognisance of – the implicit idea of instability in the digital age. It is impossible for connected societies to remain fully sovereign now.

From the Indian cybersecurity specialists largely employed by multinational corporations, to a cyberspace powered by foreign hardware, government agencies and a private sector that rely on overseas procurement among others, the message is lost in translation by the time it reaches the Prime Minister’s ears.

At one of the seminars organised by FireEye, a wildly popular cybersecurity vendor, its Indian executive headlined a slide explaining the cyber spying nexuses originating from China, Taiwan and North Korea as “The Axis of Evil.

When I questioned the executive as to why their product – reputed for detecting hitherto unknown attacks – had never stumbled upon Western malware, the answer was expectedly vague.

Take the recent disclosure about Suckfly that burrowed deep into multinational enterprises of Indian-origin. The barrage of negative media surrounding the incident severely undermines the confidence of India’s outsourcing industry and its diminishing ability to protect sensitive customer data. In terms of technicality, the attack was rather unsophisticated.

Casually sifting through its details, I found a vital clue that could have possibly led to the identity of the attackers. One of the domains used in the operation was registered with an Indian hosting company, thus allowing easy access to its billing and technical logs. A systematic and timely investigation could have helped set a precedent.

I am dumbfounded that no agency of the government, be it the Indian Computer Emergency Response Team or the National Critical Information Infrastructure Protection Centre, ever responded to the matter.

As this blitzkrieg over the ether sets back our economy and security by decades, blissful ignorance on part of the establishment seems to have become the norm. We haven’t heard anything meaningful from India’s first cybersecurity czar Dr Gulshan Rai since his appointment, two years ago.

The Global Common that is the Internet has been subjected to many uncommon transgressions. India needs to put itself in high gear on the road to information sovereignty, or it may trail further behind in the race for dwindling global resources.

(The writer helped set up the cyber-warfare operations centre at the NTRO, India’s technical intelligence agency. This is a personal blog and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)