The recent media revelations of the Pakistan Army snooping on Indian army personnel’s phones and computers, reportedly through malware called SmeshApp, are the latest instance of the challenges faced by the Indian military in guarding sensitive and classified information such as the deployment and movement of troops and details of counter-terrorism operations like the Pathankot airbase attack in January.
Worse, some personnel were allegedly honeytrapped through fake Facebook profiles to divulge confidential information.
Exactly how much and what kind of information was funneled into Pakistan remains unclear. But it is evident that cyber threats from Pakistan are gradually moving away from nuisance-value website defacement attacks to serious cyber espionage.
Understanding the challenge
The current revelations come on the heels of the busting of the spy module, which included Indian Air Force and paramilitary personnel who provided national security information to the Pakistan Army’s Inter Services Intelligence. Here too, honeytraps had been used.
Espionage is a game, where any country engaged in harvesting information has to keep upping the ante by constantly inventing new methods and developing new sources to acquire information, by hook or by crook. Therefore, taking a dispassionate view of the tactics of our hostile neighbours will help to better understand this espionage challenge, especially as cyber snooping technology has become sophisticated and social media has opened new avenues for connecting and communicating with strangers.
The Indian Army is not the only institution subjected to these problems:
- In 2014, the Indian Air Force had alerted its personnel with regard to Xiaomi smartphones, as the devices were found to be transmitting phone data to the company's servers in China.
- In 2012, suspected hackers had breached the computers of the Indian Navy’s Eastern Naval Command and planted malware which transmitted confidential data abroad.
Plugging the gaps
The military is taking preventive steps to plug the leakage of any sensitive information, particularly through social media platforms. Banning sites is not an answer, as the Indian Army found when it banned Orkut and MySpace a decade ago: such bans are observed more in the breach. And, as serving personnel pointed out, no such ban was imposed on civilian officials working in sensitive security postings, even though those establishments are also exposed. In 2013, for instance, an internal inquiry by the Ministry of Home Affairs on its confidential nationwide information-sharing computer network found that 40% of its computers were connected to the internet, despite written orders prohibiting it.
The Indian Army now has a social media advisory which prohibits Army personnel from disclosing their identity on social media as well as from discussing operational or administrative matters.
This must be complemented by raising awareness within its ranks, especially to emphasise the importance of cyber hygiene, i.e. healthy security practices for online communication. Other countries have taken steps in this direction. For instance, the US Army has issued a social media handbook detailing steps to be taken and Standard Operating Procedures to be followed for its personnel and their families. The Chinese People’s Liberation Army regularly organises lectures on responsible social media behaviour, for personnel and their families.
India does neither – despite being a global IT power. A more thoughtful response is required. Social media is an important tool in the battle of perception. Therefore the military has to avoid the barrage of misinformation put forth by inimical elements as well as make strenuous efforts to avoid public criticism of the political leadership by its personnel.
It is critical that India’s military present a comprehensive response. First, it must augment its technical capabilities by upgrading legacy computer systems and installing firewalls and encrypted communication facilities. Second, it must address the weakest link in the cyber security chain: the human element. For instance, the 2012 breach in the navy computers became possible because of navy personnel’s careless use of USB pen drives, despite a ban on the use of such devices.
After all, this is the age of information warfare.