By Kartik Bommakanti
Following the cyber intrusion into the administrative networks of the Kudankulam Nuclear Power Plant (KKNPP) and the Indian Space Research Organisation (ISRO) in early September 2019, there has been considerable debate about the consequences of the infiltration of one part of the cyber networks of both strategic facilities. There has also been analysis calling for a response within the ambit of international law. Retaliatory measures that take the form of an armed attack in answer to an incident of cyber espionage may come across to many as disproportionate. Whether New Delhi's response will be in kind, or will take a different form in both proportionality and domain, is still an open question. It may be considered extreme for India to execute a cyber-attack against a network of the North Korean state, rather than conducting cyber intrusions of its own, in response to what the Lazarus group did through its DTRACK spyware. Irrespective of the nature of the Indian response, which might not involve a response at all, few have considered who will do the responding, and what the scope and nature of retaliatory measures should be, in the event that recurring intrusions and more severe attacks make a response necessary.
India in May 2019 established the Defence Cyber Agency (DCA) to oversee, formulate and manage a range of requirements in the cyber domain for the Indian armed services, working in concert with the Defence Research and Development Organisation (DRDO), the National Technical Reconnaissance Organisation (NTRO), the Research and Analysis Wing (R&AW) and the National Security Council (NSC). The DCA's mandate needs greater clarity and expansion. A year before the agency's establishment, media reports indicated that the DCA would be the response body against cyber-attacks when India's military or "critical [civilian strategic] infrastructure" is targeted. The clearest aspect of its mandate is that it is a tri-service agency: it will be involved in training and equipping, its personnel will be drawn from all three services, and its cyber units will be spread across the country at regional command Headquarters (HQ), with its central HQ based out of the Integrated Defence Service (IDS) HQ in New Delhi. While defining the agency's functions and role is still a work in progress, it might be opportune and timely to consider what role it might have in developing and delivering responses to the North Korean Lazarus group, which in all probability is an extension of the North Korean state.
Hence, it is imperative for the Government of India (GoI) to determine whether the DCA will play any role in aiding civilian authorities and administration. The Nuclear Power Corporation of India Limited (NPCIL), a civilian entity under the Department of Atomic Energy (DAE), has oversight of and manages India's Nuclear Power Plants (NPPs). NPPs represent critical and strategic infrastructure. The question arises not just when India is faced with Computer Network Exploitation (CNE) involving surveillance and espionage, as against the KKNPP and ISRO, but potentially in the future with Computer Network Operations (CNO) involving an attack against targets of the same kind. Response mechanisms, as in other domains, can be defensive and offensive. In military terms, according to the US Department of Defence (DoD), cyber operations divide into three specific categories: Defensive Cyber Operations (DCO), Department of Defence Information Network (DODIN) operations and Offensive Cyber Operations (OCO). Additionally, there are two variants of DCO. DCO-Internal Defensive Measures (DCO-IDM) take place within one's own network when it is affected by a specific threat, helping secure the network and restore it to a fully functional state. DCO-IDM is distinct from DCO-Response Actions (DCO-RA), which mandate responses in an adversary's network, extending to applying force against that network. DODIN operations are focused on preserving the security of the network through generally passive measures: testing and evaluation, deploying decoy teams to help detect malicious presence in the network, disseminating information and ensuring information integrity for all friendly users. OCO also operates in networks outside one's own and tackles threats when there are open hostilities, or in a national emergency that requires the significant destruction of enemy high-value targets, command nodes and logistics networks.
Although how DCO-RA differs from OCO is still unclear, India's newly established DCA may need to be called upon to carry out DCO-RA or OCO missions in the extreme event that India's strategic civilian infrastructure is targeted. The point to underline here is that there needs to be a designated agency to conduct OCO, a role the DCA fits, but its role, missions and functions require clearer delineation.
More generally, the problem of responding to cyber espionage and attacks is not unique to India but a universal challenge confronting several countries, because cyberspace is an expanding yet complex domain through which a range of commercial, industrial and civilian activity is conducted, alongside military activity. Consequently, the DCA, a military command authority geared to protecting military infrastructure, may be required to coordinate responses to a cyber-attack against civilian nuclear infrastructure with the DAE, NPCIL, the National Critical Information Infrastructure Protection Centre (NCIIPC) and CERT-In. To be sure, there are cross-domain retaliatory measures that could be considered; however, New Delhi would be well advised to invest in intra-domain cyber preparation, planning, cyber defence and cyber counter-attack. Following discovery and attribution of the source of an attack, the DCA may be the most important actor in delivering the latter, namely cyber offensive action. Indeed, it may have to be empowered to undertake OCO-related missions when needed by India's civilian leadership. This requires establishing cyber teams that work cooperatively with technical intelligence not just to protect but also to respond, by understanding and assessing the adversary network's Operating Environment (OE). The DCA's mandate should include developing weaponised code to deliver attacks against the adversary's military infrastructure, Command and Control (C2) structure and digital nodes, as the DCA's mandate does today, but equally when India's civilian strategic facilities are digitally compromised and attacked.
In addition to unilateral and domestic measures, New Delhi should consider a response in concert with others such as Japan and South Korea. Tokyo would have considerable experience in tackling cyber threats from North Korea, and expertise in securing critical infrastructure against CNE and CNO missions emerging from the Stalinist regime. India already has a bilateral Cyber Security Dialogue with Japan; the third instalment of the engagement took place in Tokyo in February 2019. Based on the available evidence, the latest round of the dialogue covered several germane issues: cyber-attack incidents, domestic security measures instituted by both sides, matters pertaining to policy, and risks intrinsic to supply chains. As of today, this is an annual dialogue; it should be expanded into a bi-annual dialogue in light of the recent CNE incidents at KKNPP and ISRO. Japan and India should also consider planning and pursuing coordinated cyber operations when the need arises.