By Sandesh Anand
Cyber offense and Cyber defense have different (often competing) goals. Making the same organization responsible for both leads to a conflict of interest, where at least one of offense or defense may not receive due attention.
Protecting Cyber assets is a daunting task. It involves early detection of vulnerabilities in the system, fixing these vulnerabilities where feasible and building compensating controls otherwise, and responding swiftly to security incidents (or “cyber attacks”). Cyber offense, on the other hand, involves finding vulnerabilities in the adversary’s system and exploiting them. A crucial part of Cyber Offense is ensuring (and very often, “hoping”) that the vulnerabilities are not remediated so the attack can continue.
While different countries may have varying systems, the underlying technology used to build these systems (or the technology these systems are built on) is vastly similar. Take the example of operating systems. Most software is built on a handful of operating systems (Microsoft Windows and flavors of UNIX being the most popular ones). When a cyber defense agency discovers a vulnerability in such an operating system, its first reaction would be to find a way to protect against the possible impact. As a part of the effort, such an agency would also apprise the vendor responsible for the operating system and push them to fix the vulnerability (and hopefully hold them accountable to it). This will ensure future usage of the operating system is secure. On the other hand, when a cyber offense agency discovers such a vulnerability, its first reaction would be to come up with ways to exploit the vulnerability in adversary systems. In addition, it would do everything in its capacity to keep the vulnerability a “secret”, so the vulnerability is not fixed.
When a single agency handles offense and defense, it is hard to predict how it will react to discovering a vulnerability in software used both by organizations within the country and by adversaries. This is precisely why separate agencies should handle offense and defense. There is certainly a case for information sharing to occur between such agencies, although given the varying the mechanics of such a relationship would be complicated. In their 2011 paper (Chapter 3), Gary McGraw and Nathaniel Fick explain this dilemma for the American context:
“The American government should not allow the National Security Agency (NSA) or another part of the intelligence community to dominate U.S. cyber security policy, for two reasons. The first has to do with separation of duties. Spycraft is facilitated by vulnerabilities in software that can be exploited in order to turn electronic devices into eavesdropping platforms. Consequently, an agency charged with spycraft understandably has mixed incentives to promote better software security.”
In the Indian context, it is unclear which agencies are responsible for Cyber Offense. NCIIPC, which is responsible for protecting India’s critical information infrastructure, comes under NTRO, which has also been given the responsibility to develop cyber offensive capabilities (it is not clear whether NTRO is the only agency that works on this). Separation of duties will go a long way in ensuring our national interests in both Cyber Offense and Cyber Defense are maintained.