Maverick's World

Shift in national security priorities

After reviewing data emerging *after* the recent election in India - I am reasonably convinced that a shift in national security priorities is necessary.

Heretofore - national security priorities in India centered on the notion that India was an agrarian economy that needed to transition to an industrial economy that self sufficient in critical resources. This transition needed the development of high-intensity energy resources - i.e. the kind that could power the machines used in new industrial economy. In order to build enough of those energy resources, one needed to build a capital reserve and ensure access to fossil and nuclear fuel supplies that could keep the energy conversion machines running. To that end whatever was needed was to be done. (if that meant turning the youth of an entire state into slaves in a foreign land that accepted payment in rupees for oil - then so be it. If that meant getting in bed with a dictator who wanted rotting rice in exchange for oil - then so be it.... Gandhiji needed enough oil for one kerosene lamp... lighting a billion lamps would require making realistic compromises - or so it was said).

A critical aspect of that older way of thinking was that the energy resources needed for India's transformation were physically quite large. This "large" estimate captured the inefficient nature of resource utilization. A greater portion of the inefficiency was the lack of actionable information. If there was a better way to do things, the people in charge of making the executive decisions were not as informed as they could have been and so bad decisions were made routinely. Additionally a lot of the machines were old - and quite inefficient also.

Over the past three decades in India, there has been significant growth of personal communication and computation devices. This has significantly reduced barriers to information transport inefficiency. This lowering of information flow barriers represents a major advance in managing the shortage in transformative energy resources in India.

The best case scenario would be a secure sharing of mission critical data that results in a gradual increase in energy utilization efficiency and a gradual reduction in the amount of energy resources needed by India to reach a sustainable industrial economic position.

Despite any guidance on best practices, everything is shaped by individuals that make decisions, so in that sense - one has to think of this issue in the widest possible way.

With that in the background, the immediate priority for national security activities becomes clear - the preservation of a secure national mission critical data space.

Data is almost continuously being created, harvested and trafficked over the electronic networks that now span the length and breadth of India. In order to maintain a high level of integrity and reliability in the data streams - one needs multiple layers of security. Essentially - one needs security of the hardware side, software side and use case side.

So far there is little to be comfortable about.

Simplistic approaches like the ECIL EVM though quite effective at scaling in volume are not scalable in time. In fact they appear to be highly insecure* in the light of what is known now. Hardware side security challenges are getting much more complex and difficult to manage (see the case of the Chinese hardware hack). With 5G on the horizon, the entire picture is making most heads spin.

Then beyond that there is issue of the security of the software layers - both at the user accessible front end and at the much deeper layers in the network itself (even down to layers of embedded software that perform a variety of algorithmic data filtering). There is a good bit of knowledge in India on embedded software design on various platforms and the ensuing peculiarities of each platform - unless some sort of position of leverage is reached - it will be very difficult to ensure that mission critical software is not completely filled with backdoors and penetrations by hostile actors (see example of Aadhar fiasco).

And there is the issue of user security culture in India - which as most of you know is a baffling wilderness of encryption, authentication and security consciousness problems. There is no way to easily inoculate the population of India to the dangers here. A disaster will occur, the only hope is to have some bitter medicine handy during the recovery period - that way at least - the lesson is memorable.

One needs to think afresh in the light of current events and what they are really saying.

* A device that breeds a false sense of security is the worst form of device in the world.

PS. If you don't like thinking at this high a level, then perhaps you could think of it in terms of the upcoming discussion with the Chinese on 5G infrastructure deployment in India. and try to answer the following question - what will India hold as leverage over China to preserve its IC's dominance over the large mass of data that these new devices will inevitably harvest?

PPS. And to those of you who love Modi, I ask this - sure today the EC will say nothing is wrong with the "Machine"....(even though everyone can clearly see it is not) but then tomorrow when something else goes wrong the Chinese impose their own will on things - will the EC have the credibility to object? And if it does object, will that not throw into question everything it said before? So will it have an incentive to say anything besides "No No ... everything is fine..."?

posted by maverick @ 7:22 AM