Thursday, June 20, 2013

Spare our Constitution, professor!

Professor Saswati Sarkar's opinion piece at NitiCentral about the Ishrat Jehan killing has created a bit of debate. The arguments presented, however, are riddled with self-contradictions and flawed assumptions.

The heart of her piece is a demand that security forces should be allowed to stage encounters to kill terror suspects, including Indian citizens, without a trial.

Why does Prof Sarkar believe that staging encounters is better than a fair trial? Here's her reasoning in her own words: 
1. "The police could surely have arrested the terrorists and produced them in court. In due course, they would be sentenced to jail terms and our consciences satisfied. Not quite, since before the act is perpetrated, the law enforcers rarely have evidences that would stand legal scrutiny."

2. "Corroboration of the intelligence input in a court of law would violate the anonymity the sources deserve."

Let's look at her second assertion first: a trial in court "would violate the anonymity the sources deserve". 

First, intelligence doesn't only come from human sources. In fact, in the Ishrat Jehan case, which Prof Sarkar bases her entire piece on, information about the planned terror attack came from intercepts of the LeT's communications. This has been stated by none other than Rajinder Kumar, a senior intelligence bureau officer, whose questioning by the CBI has left Prof Sarkar 'troubled'. 
Second, even if the intercepts came from a human source within the LeT, the anonymity of that source can easily be protected by holding an in-camera trial. In fact, closed-door trials have been used in the past in Indian terror-related cases. Most notably, three senior NSG commandos were allowed to depose in-camera during the 26/11 trial to protect the techniques and skills used by them to eliminate the terrorists. There is simply no reason to assume (as Prof Sarkar has) that this protection won't be extended to future terror cases, particularly when it comes to sensitive techniques and sources. 

Now let's look at Prof. Sarkar's first assumption - that law enforcement authorities would "rarely have evidences that would stand legal scrutiny". This is by far the most bizarre and troubling assumption she makes. So let me say this as clearly as I possibly can. 

If, as you say, dear professor, the evidence won't stand up to legal scrutiny, how can you even think about labelling any person, much less a citizen of India, guilty AND have them executed in a staged encounter?! 

So why should we worry about legalities? For starters, the right to a fair trial is guaranteed by the Constitution (and the Code of Criminal Procedure and that pesky Universal Declaration of Human Rights, which India was among the first to ratify). 

But let's not be moralistic in our approach. Here's a more pragmatic concern for pro-'encounter' hawks on the Right. What if a "secular" government one day declared that it had discovered a plot by a "Hindu terror" outfit, and had eliminated its members after utilising the same "checks and balances" that Prof Sarkar prescribes? In fact, what if this was the fate that befell Sadhvi Pragya, who stands accused of one such terror plot? 

How would we know the truth behind the allegations? Would we simply have to take every government's word at face value? Would you be comfortable knowing that tomorrow, any government - BJP, Congress, or otherwise - can drum up terrorism charges against an individual and have them executed without a fair trial?

Prof. Sarkar's prescription also severely undermines a principle of jurisprudence that has, for good reason, been held sacrosanct for centuries: the presumption of innocence. In 2011, the Supreme Court of India held that this is akin to a human right. “It is equally well-settled that suspicion, howsoever, strong can never take the place of proof,” said a bench headed by Justice Dalveer Bhandari.

Prof. Sarkar's tailpiece is also interesting because it raises the oft-repeated canard that there have been no terror attacks directed at the US since 9/11. Perhaps she forgets what happened in Boston. Or what happened on NWA Flight 253, or AA Flight 63 or at Fort Hood or at Times Square, New York. Two of those attacks succeeded. The three that failed had more to do with the incompetence of the would-be terrorists than any action by security agencies to stop them. At any rate, all the attackers were arrested and tried and sentenced. None were executed in a staged encounter like the kinds Prof Sarkar would like to see legalised.

Of course, it would be wrong to suggest that the US has not been far safer than India since 9/11. Primarily, this is because America has decimated the ranks of terrorist leaders and forced others to go underground, making it nearly impossible for them to coordinate large-scale attacks. The result is lone-wolf attacks like the ones I noted above, the recent murder of a British soldier on the streets of London, and the attempted murder of a French soldier in Paris just days later.

In response to this point, Prof. Sarkar mentions the killing of Osama bin Laden by US forces in Pakistan. This is a terrible analogy for three reasons. 

One, unlike an Ishrat Jehan (or, heavens forbid, a Sadhvi Pragya), Osama bin Laden was not a citizen of the country he had attacked. He was a foreign terror leader actively engaged in a 'non-state' war against the United States. In fact, the Obama Administration faced a legal challenge in the one case in which it knowingly executed a US citizen without a trial.
Two, bin Laden has claimed direct responsibility for attacks that have killed dozens of US citizens, including the 2000 bombing of the USS Cole in Yemen and the 1998 bombings of US embassies in Tanzania and Kenya. 
Three, bin Laden continued to call for and support acts of terrorism carried out against US citizens, remaining a persistent threat. 

A more apt analogy for bin Laden would be Hafiz Saeed. However, the reasons why India cannot carry out a drone campaign or send special forces teams into Pakistan are well understood. 

Prof Sarkar would do well to re-examine the assumptions she makes in the construction of her arguments. As for her 'cure', as I have noted, it may well be worse than the disease. 

I felt I should add what I believe would close some of the legal loopholes that Prof Sarkar is afraid of with the current system. 

Certainly, India could use special anti-terror courts. These could have the resources and capacity to rapidly try and sentence terror suspects. Judges and lawyers who work there could receive special training on things such as terror financing laws and international anti-terror treaties, and they should have an inclination towards security matters. For example, the judges would be sympathetic towards an in-camera trial when intelligence sources are discussed. I think that would make Prof. Sarkar happy as well.

Flooded With Insecurity

This week's floods in North India have once again highlighted the inability of our civilian administration to cope with disasters. Each time, the military gets called out to rescue stranded civilians and repair broken roads and bridges. Of course, the Indian military isn't unique in this regard. From China to the US, armed forces are ordered to assist civilian authorities during major natural disasters. We saw this with the Sichuan earthquake and during Hurricane Katrina.

But in India, the military has become our default option for disasters great and small, when it should be no more than a back-up. This seriously undermines military readiness, because we have now established a predictable pattern, which can be exploited by the enemy. 

Here is an entirely plausible scenario based on events that have occurred in the past.

The People's Liberation Army is planning an assault to capture Arunachal Pradesh. However, India's two new mountain divisions in the region are a major roadblock. It needs to somehow distract their attention and limit their ability to respond before the assault so that it can march past the border unhindered.
It times a major theatre-level "training" operation in Tibet to coincide with the rainy season. This allows it to move troops into the region without much suspicion. As the rains fall and the dams that China has been building along its section of the Brahmaputra fill to bursting point, it begins to open the floodgates. The floodwaters hit Arunachal Pradesh and Assam, washing away villages as well as vital roads and bridges that connect forward areas of the state.
With no information on what's causing the flooding, the Indian government orders the army to begin relief operations. Entire battalions are called away from their bases to find survivors and rebuild broken transport links. Indian force levels protecting this front are diminished and the PLA begins its assault.

The above situation is not entirely imaginary. In June 2000, the Brahmaputra river burst its banks, causing flash floods in Arunachal Pradesh. 20,000 homes were destroyed and ten people were killed. The flooding washed away villages, roads and bridges, cutting off entire districts. The army and air force were ordered to mount rescue operations in difficult terrain to reach the survivors.

Regions affected by the June 2000 flash-floods are highlighted in pink. (Courtesy: NASA Earth Observatory)

Initially, there was little information about what caused the flooding. One month later, it became clear. An AFP report quoted a Chinese official who confirmed that the floods occurred after a natural dam in Tibet burst. The official worked for the Water Resources Department of the Tibet Autonomous Region government in Lhasa.

That August, the Indian army asked the Defence Ministry to take up the matter with Beijing. This excerpt is from a Rediff report of the incident:
“Army officials suspect that the Peoples Liberation Army of China may have blasted the dam to experiment the impact of flash floods in the sensitive north-east and to study the damage such a flood may cause on the Indian side.”

To make matters worse, Beijing did not inform Indian authorities about the dam breach, nor did it allow the incident to be reported by Chinese media. India was caught unawares as the water rushed towards villages in the north-east.

China is currently building 39 dams of varying sizes along the Brahmaputra and its tributaries in Tibet. Ostensibly these are for its water and power projects. India and China have not signed any river treaties, although they have created a joint-working group to share data on the Brahmaputra. 

That said, China's lack of transparency about its riparian plans in this region doesn't seem to be going away any time soon. This has led to grave concern in the Arunachal government.

The solutions of course are quite obvious. The National Disaster Response Force needs to get more men, training and equipment. Also, instead of regular army units, which should be manning the front, the government could train and involve the Territorial Army much more in disaster relief operations. The main military force should be a fall-back option at all times in such situations. Unfortunately, by making it the default option, we have severely affected our military preparedness.

Saturday, June 8, 2013

A Dangerous New Era of Cyber War

In November 2012, Barack Obama signed into effect "Presidential Policy Directive/ PPD-20". The name makes the document sound bland. Its contents are anything but. Through PPD-20, President Obama tasked a host of US government agencies to be prepared to hack into other countries' computer systems and defend the US from the same.

The breadth of operations defined in PPD-20 is breathtaking. Sample this passage from the document leaked to the Guardian:
"The Secretary of Defense, the [Director of National Intelligence], and the Director of the CIA in coordination with the [Attorney General], the Secretaries of State and Homeland Security, and relevant [intelligence community] and sector-specific agencies shall prepare for approval by the President through the National Security Advisor a plan that identifies potential systems, processes, and infrastructure against which the United States should establish and maintain [Offensive Cyber Effect Operations] capabilities; proposes circumstances under which OCEO might be used, and proposes necessary resources and steps that would be needed for implementation, review, and updates as U.S. national security needs change."
President Obama had ordered his team to draw up a hit-list of cyber targets in foreign countries and develop tools to hack into them, manipulate them, steal their data or destroy them.

This plan has already been put into action. In fact, PPD-20 even required the principals mentioned above to provide an update of their work six months after the directive was approved. Here's what we know has happened since November 2012.

This April, Reuters reported that the US Air Force had designated six cyber tools as 'weapons'. The report quotes Lt. Gen. John Hyten, vice commander of the US's Space Command, which oversees satellite and cyberspace operations. Hyten says the decision to designate certain cyber tools as weapons would help ensure funding. "It's very, very hard to compete for resources ... You have to be able to make that case," he said.

One month later, Reuters (again) reported that the US government had become the world's largest buyer of particularly dangerous cyber tools known as 'Zero Days'. Zero Days help hackers infiltrate a target system by exploiting flaws even the system's developer doesn't know exist. Such an attack gives the victim 'zero days' time to fix the flaw, hence the term. The reason Zero Days are particularly dangerous is they can even get past fully-updated anti-virus software and operating systems, since the flaw that allows them to get in is unknown to everyone except the attacker.

Not surprisingly, hackers who specialise in finding 'Zero Days' are highly skilled and their work does not come cheap. Reuters estimates that the starting rate to buy a zero-day is around $50,000. It adds that the price depends on how widely installed the targeted software is and how long the zero-day is expected to remain exclusive. One former executive at a defense contractor that bought 'Zero Days' from independent hackers and turned them into exploits for government use told Reuters his "job was to have 25 zero-days on a USB stick, ready to go".

If I were to summarise the Guardian and Reuters stories, here's what I'd say. In November, the US President ordered his administration to create hit-lists of foreign cyber assets that will be targeted, should the need arise. By April, the US Air Force had identified six cyber tools as weapons. This would give it the necessary funds for their development or to purchase them from independent developers. One of the tools is very likely the aforementioned 'Zero Day', which the US is stockpiling in the event it needs to infiltrate a virus on an enemy computer system.

Other tools could include viruses that turn on your PC's microphone and camera to record what is going on and send it back to the attackers. Or viruses that steal information off your hard drive. Or, as was the case with the Stuxnet virus, destroy centrifuges at an Iranian nuclear facility. Unfortunately, Stuxnet also spread to 100,000 computers around the world thanks to a programming flaw. (Thankfully, it would only work if it found the highly specific configuration, located only at Natanz.)

Imagine if Stuxnet worked on every computer it infiltrated. There would be global chaos. And this is where it gets really worrying. We now know that the Obama Administration had ordered the deployment of Stuxnet without a policy framework such as PPD-20 in place. PPD-20 lists several safeguards, including the prescription to hold back if there are "significant consequences" to a US-initiated cyber attack.

Still, it muddies the waters ahead of this weekend's "informal" summit between President Obama and his Chinese counterpart Xi Jinping in California. The US has been a voluble critic of China, whose military it accuses of rampant hacks against US systems. China has accused the US of the same. That's why cybersecurity is one of the main focuses of the Obama-Xi meeting.

The interconnectedness of the Internet means a virus directed against one system could potentially take down 5 others if its coding is not precise. That is why we need an agreement between governments about limits to cyber offensives. Perhaps we may not end up with a treaty on the lines of the ban on Chemical Weapons. At the very least, we need a gentleman's agreement.

Certainly purely civilian infrastructure should be off limits. This includes health and emergency services and food and water supplies. It may even be worthwhile to consider exchanging information about such networks and infrastructure (such as satellites) that enable these services so they can be specifically excluded from cyber attacks.

Perhaps the conversation will shift away from the usual trading of accusations to something far more useful. Thankfully, both the United States and China seem eager to hold such a dialogue. But they shouldn't be the only ones at the table.

Last year, the Indian Prime Minister, much like President Obama, designated two agencies to carry out offensive cyber operations. A team of international researchers believes they uncovered one such Indian operation recently. While the researchers did not specifically blame the Indian government, it is not known whether India has a policy framework to guide its cyber offensive actions, like PPD-20.

At least half a dozen other countries have the resources and talent to launch debilitating cyber operations abroad. This pool is expanding rapidly. That's why every country needs to be at the table when it comes to limiting the fallout of a cyber war.

But state-sponsored hacking isn't the only threat. Independent hackers, the non-state actors of the cyber world, can sit anywhere. Most operate within or on behalf of criminal syndicates. But nothing prevents them from selling their work to terrorist groups.

Identifying such individuals is notoriously hard because they bounce their traffic off multiple servers around the world. Tracing these signals to their origin goes through a minefield of legal jurisdictions. Here, it is extremely important to have a global framework to quickly identify and prosecute such individuals and limit their harm.

The time for all these discussions is now.