MAY 2013
Recently, the Director-General of India's Defence Research and Development Organization (DRDO), Mr. V.K. Saraswat, said that the DRDO, in collaboration with some premier institutions, is developing India's own Operating System (OS) as a response to the growing concern over cyber attacks. He said that it was essential for India to develop its own operating system because today we are dependent on operating systems which are imported whether [they are] based on Windows [or] Linux [they are] likely to [have] malicious worms.i He further added that the DRDO's OS program has already completed one-and-a-half years and that it could take three more years to reach full completion.ii

Developing an OS is undoubtedly a massive task. It needs a lot of time, human effort and financial resources. Naturally, when an organisation like the DRDO takes on such a project, it could be expected that the investment of time, taxpayers' money and manpower will translate into better cyber security for India. Will that be the case? Is the development of an indigenous OS an appropriate solution to India's growing cyber security woes? Is it a reliable cyber security strategy?
DELHI POLICY GROUP Core 5-A, 1st Floor, India Habitat Centre, Lodhi Road, New Delhi- 110 003 Tel: +91- 11- 4150 4646 & 4150 4645 Fax: +91- 11- 24649572 Email: office@delhipolicygroup.com Twitter: @delhipolicygrp Website: www.delhipolicygroup.com
Key Points

1. DRDO's initiative to design an indigenous OS is likely to be a waste of time and resources.
2. An indigenous OS will be as vulnerable, perhaps even more so, to malicious attacks.
3. At best, it will build a Wall of Obscurity, which will be one stolen password or one disgruntled employee away from being breached.
4. Instead, India needs to develop better capability to attribute cyber attacks and intrusions. Cyber attacks are increasing not because it is easy to attack, but because it is easy to get away with attacks. A promising cyber security strategy is to target attackers and make it more difficult for them to get away unpunished.
5. R&D on cyber attack attribution will gain India more importance and credibility in international forums that will decide future cyber norms and laws.
automatically
Microsoft or Linux but proof of malice aforethought does. Without that vital proof of malice aforethought, the need for an Indian OS remains unjustified, since that OS is as likely to have vulnerabilities as Windows or Linux or any other OS. Saraswat's rationale, therefore, appears to fall short of sound reasoning.

That said, one could still argue that developing an indigenous OS could be an advantage to India in terms of security. It would be difficult for our adversaries to exploit the vulnerabilities in our systems because they (adversaries) will not have knowledge of or access to the internals of an Indian OS. Such a wall of obscurity against the internals of an Indian OS creates an asymmetry which favours the security agencies because those agencies will have autonomous control over the OS. Thus, they could be able to defend the systems better, unlike the cases of Windows or Linux. Simply put, DRDO is trying to achieve better cyber security by far only through increased obscurity.

The idea of achieving security through obscurity is not appreciated by computer security experts.iv One of the main reasons why most cryptographic algorithms are not kept secret is that if they are kept secret, their strength cannot be adequately tested. Thus, they cannot be confidently certified as secure. This makes it difficult for users to trust cryptographic systems that employ the algorithms and thereby defeats the purpose. This background must inspire us to ask: Can DRDO ensure India's cyber security for a
vulnerabilities find their way into operating systems due to unintended design flaws or inadvertent programming flaws. It is preposterous to allege that imported systems are more likely to have malicious worms; indeed, Microsoft and Linux would be unlikely to risk such a loss to their reputation, as happened to the Chinese tech giants Huawei Technologies Inc. and ZTE Inc. A House Intelligence Committee of the US, after a yearlong investigation, concluded that the equipment sold by those two companies posed national security risks to the US.iii Neither the DRDO nor any other organisation under the Government of India has given any proof of deliberate, malicious activities being carried out by Microsoft or Linux. The
Endnotes
i PTI, Indian OS developed by DRDO likely to be ready in three years, The Economic Times, Dec 2012, http://articles.economictimes.indiatimes.com/2012-12-20/news/35933866_1_cyber-security-cyber-crimesdrdo Accessed on 24-Apr-2013

ii ibid.

iii Rogers, M., Ruppersberger, D.; Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE, U.S. House of Representatives, Oct 2012. Schmidt, M.S., Bradsher, K., Hauser, C.; U.S. Panel Cites Risks in Chinese Equipment, The New York Times, Oct 2012, Accessed 24-April-2013

iv Breithaupt, J., Merkow, M.; Information Security: Principles and Practice, Pearson Education India, 2007, pp. 54

v Medvedev Russian offer to create a replacement Windows, C News, January 2009, http://open.cnews.ru/news/top/index.shtml?2009/01/15/334523, Accessed 24-April-2013. Dorokhov, R., Russian Windows passes the First Test, Russia Beyond the Headlines, January 2012, http://m.rbth.ru/articles/2012/01/20/russian_windows_passes_first_test_14221.html Accessed on 24-April-2013

vi Holt, R., China develops national open-source operating system, The Telegraph, March 2013, http://www.telegraph.co.uk/technology/news/99.48817/China-develops-national-open-source-operatingsystem.html Accessed on 24-April-2013

vii Full text of Leon Panetta's speech, http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5136 Accessed on 24-April-2013

Delhi Policy Group

Delhi Policy Group (DPG) is an independent think tank based in New Delhi, India. It aims to develop non-partisan consensus on issues of critical national interest. The Delhi Policy Group focuses on three research areas: National Security, Peace and Conflict, and Governance. Within this framework, the Delhi Policy Group holds conferences, Round Tables, Working Groups and Task Forces. The Delhi Policy Group publishes books, reports and issue/policy briefs. A list of publications is available at: www.delhipolicygroup.com.
Books, reports and briefs can be ordered by mail or by phone.