
Delhi Policy Group

MAY 2013

Does an Indian OS Provide Cyber Security?


Pavan Katkar
Research Associate

Recently, the Director-General of India's Defence Research and Development Organization (DRDO), Mr. V.K. Saraswat, said that the DRDO, in collaboration with some premier institutions, is developing India's own Operating System (OS) as a response to the growing concern over cyber attacks. He said that it was essential for India to develop its own operating system because today we are dependent on operating systems which are imported whether [they are] based on Windows [or] Linux [they are] likely to [have] malicious worms.[i] He further added that the DRDO's OS program has already completed one-and-a-half years and that it could take three more years to reach full completion.[ii]

Developing an OS is undoubtedly a massive task. It needs a lot of time, human effort and financial resources. Naturally, when an organisation like the DRDO takes on such a project it could be expected that the investment of time, taxpayers' money and manpower will translate into better cyber security for India. Will that be the case? Is the development of an indigenous OS an appropriate solution to India's growing cyber security woes? Is it a reliable cyber security strategy?
DELHI POLICY GROUP Core 5-A, 1st Floor, India Habitat Centre, Lodhi Road, New Delhi- 110 003 Tel: +91- 11- 4150 4646 & 4150 4645 Fax: +91- 11- 24649572 Email: office@delhipolicygroup.com Twitter: @delhipolicygrp Website: www.delhipolicygroup.com

Key Points

1. DRDO's initiative to design an indigenous OS is likely to be a waste of time and resources.
2. An indigenous OS will be as vulnerable, perhaps even more so, to malicious attacks.
3. At best, it will build a "Wall of Obscurity", which will be one stolen password or one disgruntled employee away from being breached.
4. Instead, India needs to develop better capability to attribute cyber attacks and intrusions. Cyber attacks are increasing not because it is easy to attack, but because it is easy to get away with attacks. A promising cyber security strategy is to target attackers and make it more difficult for them to get away unpunished.
5. R&D on cyber attack attribution will gain India more importance and credibility in international forums that will decide future cyber norms and laws.

Delhi Policy Group, 2013



A short answer would be No. An indigenously developed OS is not a good solution to India's cyber security problems. Rather, it could end up as procrastination over finding a sensible solution to the worrying problem of cyber security.

Going by Saraswat's rationale, it is easy to accept the argument that an indigenous OS will address concerns over cyber security. Security agencies will have complete autonomy over the OS, and hence there would be little possibility of malicious worms being present that could be exploited by cyber adversaries. However, that argument incorrectly presupposes that the majority of the cyber threats that India faces today are due to maliciously added code in operating systems.

Most computer worms are designed to exploit vulnerabilities that are unknown to a majority of the IT community. Such unknown vulnerabilities are called Zero Day vulnerabilities. In most cases, such vulnerabilities find their way into operating systems due to unintended design flaws or inadvertent programming flaws. It is preposterous to allege that imported systems are more likely to have malicious worms; indeed Microsoft and Linux would be unlikely to risk such a loss to their reputation, as happened to the Chinese tech giants, Huawei Technologies Inc. and ZTE Inc. A House Intelligence Committee of the US, after a yearlong investigation, concluded that the equipment sold by those two companies posed national security risks to the US.[iii]

Neither the DRDO nor any other organisation under the Government of India has given any proof of deliberate, malicious activities being carried out by Microsoft or Linux. The presence of vulnerabilities in operating systems does not automatically indict Microsoft or Linux but proof of malice aforethought does. Without that vital proof of malice aforethought, the need for an Indian OS remains unjustified since that OS is also as likely to have vulnerabilities as that of Windows or Linux or any other OS. Saraswat's rationale, therefore, appears to fall short of sound reasoning.

That said, one could still argue that developing an indigenous OS could be an advantage to India in terms of security. It would be difficult for our adversaries to exploit the vulnerabilities in our systems because they (adversaries) will not have knowledge of or access to the internals of an Indian OS. Such a wall of obscurity against the internals of an Indian OS creates an asymmetry which favours the security agencies because those agencies will have autonomous control over the OS. Thus, they could be able to defend the systems better, unlike the cases of Windows or Linux.

Simply put, DRDO is trying to achieve better cyber security by far only through increased obscurity. The idea of achieving security through obscurity is not appreciated by computer security experts.[iv] One of the main reasons why most cryptographic algorithms are not kept secret is that if they are kept secret, their strength cannot be adequately tested. Thus, they cannot be confidently certified as secure. This makes it difficult for users to trust cryptographic systems that employ the algorithms and thereby defeats the purpose.

This background must inspire us to ask: Can DRDO ensure India's cyber security for a longer term through obscurity? Let's face it, our adversaries will just be one stolen password or one disgruntled employee away from getting access to the internals of an Indian OS. Once they succeed in accessing the internals, the asymmetry favouring our security agencies will cease to exist and the security of our sensitive systems will be inevitably jeopardized. In effect, we will be in no better position than we are currently and chances are that we might be in a significantly worse condition since DRDO has no experience of developing full-fledged operating systems. An indigenous OS might therefore end up buying a little extra time from our cyber adversaries, but nothing more. Hence, by adopting such a cyber security strategy, DRDO is, in effect, only postponing the necessary quest for a reliable cyber security solution.

Another disadvantage of an indigenous OS is the relatively high cost of development vis-à-vis the possible security benefits that India could derive. An indigenous OS is not an end in itself. It needs software applications too. Users need applications like word processors, spreadsheets, browsers, anti-virus, databases, CRM, ERP, and industrial automation software, to make productive use of the computers. It should be noted that DRDO will not be able to rely on third party software applications because that would necessitate releasing the details about the internals of the Indian OS so that other companies can develop applications for that OS. Releasing the details will necessarily translate into breaching the wall of obscurity, which is unacceptable if the purpose is to gain the advantage of asymmetry over our adversaries. In effect, this leaves the DRDO with the task of developing all the necessary applications from scratch. Such a task would consume more time, money and human effort.
Moreover, users who are accustomed to the usual software products will have to familiarise themselves with the newly developed software products of DRDO, which could diminish the productivity of the users. In simple words, DRDO's Indian OS program looks like a massive "reinventing the wheel" effort that unfortunately cannot promise a reliable cyber security assurance to India.

Lastly, OS-based cyber threats are not the only causes of concern. There are many other cyber threats that are essentially OS-agnostic like cyber espionage, Distributed Denial of Service (DDoS) attacks, phishing attacks, insider threats and code injection attacks, to mention but a few. An Indian OS would be of no use in addressing these threats, since they are not specific to any one OS but are generic in nature. The Indian OS program could potentially end up being a colossal investment (rather a waste?) of time, money and human effort that is not likely to provide any paramount cyber security benefits.

Some analysts might justify the need for an Indian OS by pointing to Russian and Chinese efforts to develop their own national operating systems. However, it appears that Russia[v] and China[vi] are developing Linux-based operating systems for reasons of software licensing and not for reasons pertinent to cyber security. They believe that depending on Microsoft or Apple will be far more expensive. Hence, they want to harness the economic benefits by depending on Linux-based open-source operating systems which are available for free. On the other hand, DRDO is citing reasons of cyber security to justify the development of an Indian OS that will be independent of any other OS.

If the goal is to have a safer cyberspace for India, an Indian OS is not an appropriate solution. What India really needs to develop is better capability to monitor sensitive computer networks to detect cyber attacks and intrusions. More importantly, India needs to research and develop the ability to attribute offensive cyber operations to their perpetrators. Attribution of malicious cyber operations is still an elusive topic. Lack of attribution incentivises adversaries to be more aggressive in cyberspace because they can carry out malicious operations and still get away without being punished. Cyber attacks are increasing in number not because it is easy to attack, but because it is easy to get away with attacks. A good strategy, therefore, should be to make it more difficult for the adversaries to get away without being punished for their actions.

Instead of reinventing the wheel with the Indian OS, DRDO should aim to solve the hurdles in attribution of cyber attacks, which is exactly what the US Department of Defense (DoD) appears to be doing. In October 2012, the then Secretary of Defense of the US, Leon Panetta, in a speech to the Business Executives for National Security at New York City said that "Over the last two years, DoD has made significant investments in forensics to address [the] problem of attribution and we're seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America."[vii] Although Panetta did not disclose any details or provide any proof of US cyber attribution capabilities, his speech was still a concrete indication of the approach being taken by the US DoD to achieve better cyber security. The DoD is trying to deter adversaries by signalling their intent to locate and hold responsible those adversaries and if possible to punish them.
This is a more feasible strategy to deter state-sponsored cyber attacks. Even though the adversary has the capabilities to attack, he would exercise restraint for fear of a retaliation which may not just be limited to cyber attacks. On the other hand, India's strategy seems to be that of trying to frustrate the adversary by making it difficult for him to launch a cyber attack. Such a strategy is likely to fall flat in deterring state-sponsored cyber attacks, mainly because such adversaries will have large resources at their disposal, sanctioned by the state. As long as the adversary does not have the necessary capability to launch a cyber attack, India's cyberspace will be safe. However, once the adversary develops that capability there is nothing that will deter him from launching devastating cyber attacks against India.

Furthermore, pursuing cutting-edge research related to cyber attribution is likely to give India more importance and credibility in international forums that will decide the future course of norms and laws on cyber security. An Indian OS, on the other hand, will isolate India's efforts to attain better cyber security and will keep India out of international efforts on securing cyberspace.

In sum, a more promising cyber security approach for India would be to:

a) Move away from a flawed security approach of achieving security through obscurity, and

b) Instead of trying to reinvent the wheel through an Indian OS, the DRDO should develop strong computer forensic capabilities that could be useful in locating adversaries and holding them accountable for their actions.

Endnotes
i. PTI, Indian OS developed by DRDO likely to be ready in three years, The Economic Times, Dec 2012, http://articles.economictimes.indiatimes.com/2012-12-20/news/35933866_1_cyber-security-cyber-crimesdrdo. Accessed on 24-Apr-2013.

ii. ibid.

iii. Rogers, M., Ruppersberger, D.; Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE, U.S. House of Representatives, Oct 2012. Schmidt, M.S., Bradsher, K., Hauser, C.; U.S. Panel Cites Risks in Chinese Equipment, The New York Times, Oct 2012. Accessed 24-April-2013.

iv. Breithaupt, J., Merkow, M.; Information Security: Principles and Practice, Pearson Education India, 2007, pp. 54.

v. Medvedev Russian offer to create a replacement Windows, C News, January 2009, http://open.cnews.ru/news/top/index.shtml?2009/01/15/334523. Accessed 24-April-2013. Dorokhov, R., Russian Windows passes the First Test, Russia Beyond the Headlines, January 2012, http://m.rbth.ru/articles/2012/01/20/russian_windows_passes_first_test_14221.html. Accessed on 24-April-2013.

vi. Holt, R., China develops national open-source operating system, The Telegraph, March 2013, http://www.telegraph.co.uk/technology/news/99.48817/China-develops-national-open-source-operatingsystem.html. Accessed on 24-April-2013.

vii. Full text of Leon Panetta's speech, http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136. Accessed on 24-April-2013.

Delhi Policy Group

Delhi Policy Group (DPG) is an independent think tank based in New Delhi, India. It aims to develop non-partisan consensus on issues of critical national interest. The Delhi Policy Group focuses on three research areas: National Security, Peace and Conflict, and Governance. Within this framework, the Delhi Policy Group holds conferences, Round Tables, Working Groups and Task Forces. The Delhi Policy Group publishes books, reports and issue/policy briefs. A list of publications is available at: www.delhipolicygroup.com. Books, reports and briefs can be ordered by mail or by phone.
