Hostile forces frequently launch cyberattacks on Indian projects, infrastructure and websites to violate our security, data, and I.P. and social harmony. In the past, they have used the Internet to incite violence, spread misinformation, harm our digital interests, and incite acts of sabotage against society and promote an environment of terror and confusion in the country. A constant attempt is also being made to recce our defence installations and other sensitive areas to gather information to keep an eye on us.
Adversarial entities are deploying hackers who are well versed in breaking into systems deployed by us. Fake and malicious news reports spread on the Internet during episodes of geopolitical stress or even elections, or some social tensions harm national sovereignty, interests, and security and the rights and interests of organisations and individuals. We know that a nation with adversarial intentions is using the services of social media manipulators well-versed in local languages. Those hired are also better aligned to exploiting differences of opinion prevailing here. When combined with cyberattacks and the spread of malware, misinformation becomes a force multiplier for hackers and their/state/nonstate actors.
COUNTER CYBERATTACKS
The trouble starts with deciding which adversarial hacking activity to counter. There is right now a focus on defending preset silos concerning servers and infrastructure of significance to the country. This strategy has, however, failed to deter or halt the major threats our nation faces. Increasing reports of snooping by our neighbouring nations bent on mischief and to monitor our troop movement bear testimony to this.
Chinese hacking group APT40 is ahead of the curve in this regard. Though having operated as a military intelligence-gathering operation mostly focused on traditional maritime targets since 2013, they have been expanding their operations globally since at least 2017. In this duration, they have managed to compromise numerous systems, including those of universities, to steal high-end research. APT40 has repeatedly targeted engineering firms, research institutions, and defence contractors working on naval technology in the US, probably to help China’s own undersea weapons research catch-up with the West.
This includes theft of original research before it is classified, potentially putting Beijing in a position to out-innovate the US military. China is relying on using US academics’ fundamental research gains to supplement those of their universities. While posing a national security dilemma for the United States, these academics are not in a “critical industry” and are often culturally resistant to security-related oversight that might impede their work. Our strategy to counter them should take into account these factors:
• Time: how soon can we detect and counter these attacks?
• Intent/determination mapping: how do we know why they are attacking us (is there a specific reason or they are just testing the waters?) • Tactics: what exactly are they doing, and how?
• Targets: who or what are they attacking?
• Teams involved: are these state actors on their payroll, or they are mercenaries. Once we have information on these aspects, then we can frame a coherent and timely response. The response should be on these lines:
• Detection and neutralisation of the threat and the associated risk
• The attacks should be graded based on severity and complexity into pre-determined categories
• The response to an attack should be mapped to the above point. The severe the attack, the stronger should our attack be.
• Finally, we should have means to asses the damage caused by our response; at the bare minimum, we should be able to shut down the infrastructure used in the attack.
DIGITAL SOVEREIGNTY
Nations are already acting to curb the movement of fake news within their jurisdiction. They have understood the need to act fast to deter criminals and disruptive elements.
Nations that are facing current and potential risks in cyberspace, have to ensure that the strategies are designed to ensure better management of cyberspace. They should also ensure that the management models remain up to date and aligned to the shifting realities around us.
Germany has approved a Social Media Regulation Law according to which social media services that are unable to control hate speech, harassment, and fake news for any reason can be fined up to 50 million euros. Australia is planning to fine ISPs and social media entities up to 10% of their annual income or up to three years imprisonment for the managers concerned for failing to remove banned content in time. Egypt’s new AntiFake News Law allows agencies to monitor individual accounts on social media having over 5,000 subscribers.
Thailand’s Cyber Security Law mulls seven years of imprisonment for people disseminating fake news. The Philippines considers falsifying news as a criminal act that is punishable by six months of imprisonment and a fine of almost $3,000. Singapore has cleared a Protection from Online Falsehoods and Manipulation Bill, which stipulates that people who spread fake news with malicious intent or to harm the public interest could face imprisonment of nearly ten years and fines of up to 1 million SGD.
The US Department of Commerce can now ban American businesses from doing transactions with foreign companies that seek to harm the US. We must understand that fake news is not just a “government problem”. It is a problem that impacts society as whole and shapes the thinking of the future generations. Several initiatives in a multi-pronged approach across sectors will have to be taken up to prepare our citizens for an extremely dynamic digital landscape. In India, the Press Information Bureau has already set up a unit to counter fake news.
This unit needs to be strengthened. There is an element of crowdsourcing involved in the effort, and that is an encouraging development unless we broad base the project; its effectiveness will always be below potential. At a strategic level, for battling fake news in the country, the government has laid out four principles — find, assess, create, and target (FACT). Initially, the government’s FACT check module is going to be manned by Indian information service officers. The officers will trace online news sources and publicly available social media posts round-the-clock for any potential fake news. They will also monitor posts by social media influencers to ensure that fact-checking hygiene is maintained and adhered to while sharing information online.
MAKE WINNING A HABIT
It must be every Indian’s responsibility to protect our national interests and democracy from fake news assault. To win the game, we need not just have to beat the enemy but also stay ahead of his ability to harm us. This ought to be executed in a consistent and dedicated manner. We also need to be aware of new actors who will emerge on the scene in the future.
The web is a constantly evolving mesh of information and ideas, and just like other human endeavours, this will also have a dark side to it. Our goal should be to shrink the space available for illegal activities by constantly neutralising them. We should secure this space as a platform for innovation and evolution of our stature as a digital superpower with ample room for every Indian citizen to realise her dreams.
Lieutenant General Dattatrey Shekatkar PVSM, AVSM, VSM (Retd) is the former Director General Military Operations, Indian Army. He is currently the Chancellor of Sikkim University and Chairman at Centre for Knowledge Sovereignty.