Hello and welcome to NewsClick. In today's episode of Talking Science and Tech, we have with us Prabir Purkayastha, with whom we'll talk about the two recent major cyber hacks that took place. One of these was on SolarWinds, a US IT firm, and the other was on the Microsoft Exchange server. And both these companies have blamed Russia and China for these attacks. So Prabir, can you first tell us about the nature of these attacks, the consequences, and also, do we really know who is responsible?

Well, you know, the board of the company is saying that Russians are responsible or Chinese are responsible. It's more the US government agencies who have been putting out this story. And of course, these big companies are more than happy to say it's not our fault. You know, we were hacked, and somehow being hacked by enemy countries gives them a certain degree of protection to say we didn't really make a mess of things; we did everything properly, but what can we do, kind of thing. If you look at the hacks themselves, this is an area which is increasingly going to be of concern because these are what are called supply chain hacks. How do you look at the large software platforms which exist today, on which all companies do their work? They're all different sets of components that you get from different places. You assemble them together and then they become a part of the deliverables on the platform you have built. Nobody builds everything from scratch. That's not the business that software is in today. Therefore, any platform which is complex is now being supported by different sets of companies, and there are a lot of upgrades that take place. So what seems to happen is one component is upgraded and it is upgraded wrongly, meaning somebody has slipped malicious code into what seems to be an upgrade from a server which supplies such upgrades to different sets of companies or different users.
Then you are smuggling in, under the guise of a normal upgrade, malicious code. And if that malicious code enters a platform, it can lie dormant for some time. It can penetrate into other networks internal to the company. It can get into infecting other platforms and so on. So you have got something which is seemingly legit that now becomes the carrier of really dangerous code, which then can be used to provide a backdoor entry into such infected systems or exfiltrate things out of the system, and both sets of things are likely to happen. Microsoft Exchange server is slightly different. They had what are called zero-day flaws. That means there were things that could be used to hack the system which are not known to anybody. Microsoft didn't know about it. So these are things, therefore, which, if found out by hackers, can be sold for a very high price, because then you can hack into the system and there is no upgrade, there is no protection against it, and then you can compromise the systems. So Microsoft Exchange servers are widely used by small companies, medium-sized companies as email servers and so on. So those companies who used Microsoft Exchange servers, and there's a huge number of them which got infected, perhaps some of them, being small and medium-sized, were also not so quick to upgrade their software when Microsoft released the patch. Now, one of the criticisms against Microsoft was that they were told about this problem, that they had the zero-day vulnerability, somewhere in January, but they took about two and a half months, more than two months, to really provide the patches. And this is where it became public, at least to select people, that there is this problem.
It had been flagged by somebody, and it was known among the quote-unquote select people who follow security that there is a vulnerability, not one but four vulnerabilities, in the Microsoft Exchange servers. The fact that it took more than two months to supply the patch was a problem, and when they supplied the patch, it became public, and then it seemed to have set off a feeding frenzy among people who said, okay, there are 250,000 such servers in the world, let's go and hack some of them and see what we can get. So that seemed to have really expanded the problem quite a bit. So, yes, these are critical systems for companies or organizations. SolarWinds, which was the one that we talked about earlier, where upgrading the software created the vulnerability, upgrading not as a real upgrade but as a false upgrade; it was hoodwinked into believing it was an upgrade to the system. That was a much smaller number of servers. I think about 25 to 40,000 systems were compromised, but they were bigger systems. They were in US government services of various kinds. So they were really in systems which then could infect or propagate the vulnerabilities into related internal networks as well. So for none of these at the moment can we say that this is completely cured, everything is fine, there is going to be no such vulnerability ever. That's not going to happen, because this is something now we have to live with, that these vulnerabilities will exist and these are standard methods which hackers will use to hack into such systems. You also asked a related question: do we know who did it? That's the whole issue. If we know who did it, we have to know it in a way that it can be proven. Now, proving that this has been done by country A or country B or group A or group B is looking at the code that has been embedded into the system, the mischievous, malicious code that you are seeing, and then looking for signatures.
Now, the signatures of hacking software are publicly available because these codes routinely become public for various reasons. One of them is when you deconstruct the code; of course you can see the original code. That's how a lot of the software security companies get to know what exactly is happening. So you can look at the machine language code that you have and then try to deconstruct what language it was in, and it is possible to do it, to reverse, to decompile the software, so to say, so that you can see what was actually written. And from that code, you then try to understand who this person is, how does he code, what are the signatures he leaves behind, does he leave some Chinese characters, does he give the time and date such that it seems to be from China or from Russia, and so on. But the problem is that these code snippets are available everywhere, and because they are now widely available, to spoof, to duplicate that and put it into your code is also quite simple. So choosing methods which are known to be Russian, Chinese, or the US's, the NSA's or CIA's or GCHQ's, is possible for any country-level hacking team or even sophisticated hackers. The other big problem that we have is that both the CIA's and the NSA's toolboxes have become relatively public. And now we know that the NSA, for example, had this capability. This has been discussed among experts. They have analyzed what the NSA could do or couldn't do, and they have said long back, you know, that the NSA had the ability to spoof signatures of other country groups. Therefore, that is the other gray area: at the end of it, we do not know who has done it. The fact that the CIA's and NSA's toolkits are public means those snippets which the CIA or NSA would have used are also public. And therefore it's possible that could be incorporated as well. Even if the NSA or CIA didn't do it, it is possible for others also to do it.
So this attribution, as something which one country has declared by itself, does not unfortunately prove anything. And that's the big problem in this whole domain: knowing somebody's hacked you does not give you the smoking gun of who has hacked you.

Also, what kind of consequences will this narrative of blaming Russia, of blaming China, have? And if this leads to some sort of escalation in these sorts of attacks, can this also lead to a physical war?

But let's get to that a little later, because I think that's a much bigger question: what constitutes an offensive which can then be constituted as a physical act of war? In this particular case, what we have seen of the Microsoft Exchange server or of the SolarWinds hack, it is clear that no physical damage has been done. So by the rulebook that we have, this does not constitute an act of war. It at best constitutes essentially something which is malicious, done with a purpose, which could be simply to take over systems or it could be simply to get information from such systems. So getting information, unfortunately, is called spying, and all countries do that. That's the business of spy agencies, whether people will like it or not; that does not constitute an act of war. But I think the real question is, and that's the question we need to ask: is this something peculiar to Russia or China, or is it something that others are also doing? And here we have, clearly, the Snowden revelations, if we had any doubts on that score, that the United States was a global leader in hacking other countries. They not only hacked their enemies, they hacked Russian systems, they hacked Chinese systems, they hacked even their NATO allies. Belgacom, you know, was a big internet company which provided support services to even the EU leadership, government and so on. That was hacked by GCHQ in partnership with the NSA. So it's public knowledge; there's nothing that I'm saying which is secret.
We know again that Angela Merkel's communications were listened to by the United States. Going back a step, there was a Swiss company which used to supply cryptographic equipment to countries and governments. And because it was a Swiss company, people believed it was neutral. Now we know that the CIA had actually infiltrated it, bought it over partly. The German spy agency was also involved in it. And both of them jointly spied on 120 countries who used that cryptographic equipment from the Swiss company. And in fact, there is enough evidence which shows that they also spied on their NATO allies. They didn't even leave them out. So if we look at all of this, suddenly the claim from the US is that the Chinese and the Russians are the bad guys, and they are stealing all our secrets. If you go down the route of the NSA's leaks, the revelations that are there, you will find the spying on Dilma Rousseff, the spying on the oil company in Brazil, so it was commercial spying; the spying on every international treaty that was going on; the spying on the delegations that came, including the Indian delegations that attended some of these international conferences where, for instance, treaties were being discussed, including climate change. So the US side always knew, by all of this, what other countries' positions were in terms of negotiations. All that is public knowledge. So to suddenly claim that Russia and China are doing something very wicked, while somehow the United States and the NATO allies, all of them the Five Eyes, which we know is a very important intelligence tie-up, are all on the side of the saints, really beggars belief. It's a belief that the United States has, that people have forgotten what happened with the NSA revelations. Five years, seven years; people won't remember. Let's start the ball rolling, as they wanted to start at that time, saying Russia and China are hacking the world, we are on the side of the angels. And in fact, people's memories are short.
So you do see a lot of people buying this argument, including that China may have hacked the grid in Bombay. But the Indian government is denying it. The report was put out by some small American security company, and it has now become accepted truth that the Chinese hack, and nobody else does, or maybe at best Russians and Chinese hack, the US does not. So they apparently are all on the side of the angels. This is a reassertion of the Cold War mindset, which is being sought to be introduced. I think the basic issue is what even companies like Microsoft are saying: that if nation states try to develop cyber hacking tools, we are all at risk, because this is something we cannot protect against. And we have to have these agencies help us make robust and better software, not hoard our vulnerabilities and use them for hacking us, and hacking different parts of the world who use our equipment. That is the race that will only lead to the destruction of the global interoperable network that has been built. Then everybody will start to separate and say, let us build safe nets. And this is what the United States argument is, that Huawei is unclean. Let's have a clean network, free from Chinese equipment. But then what happens when you use American equipment? We know that American equipment means it comes with back doors. The Americans have said it in so many words, so many times. We know it from the NSA documents. We know it from the Switzerland case, the Crypto AG case, which is exactly what they did at that time. So what makes people believe that while the Chinese are bad, the Russians are bad, the Americans are good? And that's the key issue that has to be posed. And that's why finally we have to discuss how do you prevent a cyber war and how to prevent cyber weapons.
So despite the dangers that we see, that are clearly there if these sorts of attacks are carried out at the level of nation states, why is it that the US has been blocking all attempts at a disarmament treaty for cyber weapons?

You know, this issue of cyber weapons being bad was raised by Russia and China quite some time back. And in 2009, Russia made a proposal in the United Nations that, on the lines of the chemical and biological weapons treaties, we should have a cyber weapons banning treaty. Now, it's an interesting issue that biological weapons and chemical weapons are easy to make. They're not that difficult. They can be done actually in reasonably sized labs. And it is also true that between what is legitimate chemical activity of a company or biological activity of a company and the weapons, the differences in technology are not significant. If you want a vaccine, then you do need to do a certain set of things. And if you do have the capability of doing that certain set of things, then you can also prepare biological weapons. Similarly for chemical weapons, you know, preparing sarin gas, as the Tokyo Metro example has shown, making sarin was not that difficult. That was what the terrorist group in Japan had tried. So these are the basic issues: that if we could have chemical and biological weapons treaties, which have held in spite of the Second World War, in spite of Nazi Germany, in spite of fascist Europe, they have held for the last almost 70, 80 years now. So it is the intent that is important, not whether it is verifiable or not. If countries have the intent to do it, then it can be done. So when the cyber weapons treaty was proposed by Russia, the US side actually had two arguments. One was the political argument, which is what they did not present, but that's what they said in private: that we are so far ahead of them, they're not going to catch up with us for the next 10, 15 years. Why would we give up our superiority as of date?
We can penetrate them at will; they can't. They can't do that to us. So this was the same hubris that they had when nuclear weapons were first developed. They said, we have the bomb, we will have the hydrogen bomb. They cannot catch up with us, except for the fact that four years after Hiroshima and Nagasaki, the Russians did, the Soviet Union did also have the bomb. So this whole issue that you have an insurmountable lead for the next five, 10, 15 years, and therefore you don't need a peace, a cyber peace, was the argument with which they went into the cyber weapons treaty discussions. And then they said various things. Oh, you know, the internet should be free. What you're asking for is going to make the internet fragmented, et cetera, et cetera. They raised the issue of sovereignty versus freedom of speech, all of these issues, and essentially denied the need for a cyber weapons treaty, claiming it was not verifiable, it really wouldn't work and so on. As I said, the same argument holds good also for the biological and chemical weapons treaties. The intent was there, therefore it could be executed. The intent is not here, therefore it was not really agreed to. So now, if you come from 2009 to 2021, we have had the NSA Snowden revelations, we have had what is called Vault 7, in which all the CIA tools, what they can or cannot do, are also available; WikiLeaks has made that available, not the code, but what it can do. So given all of that, we know what the United States was doing, why it didn't want a cyber weapons treaty. Now the question is, is that gap between Russia, China, the Soviet Union, sorry, Russia, China, the United States, and, for instance, countries like India, North Korea, huge? The argument is the gap between China and the United States has narrowed greatly. There's the Belfer Institute, which is in the United States. They do what is called cyber capacity; they map offensive and defensive capabilities. They are saying China is catching up.
And therefore the lead that the United States has is not going to be there for too long. The question is, the ability to create a cyber weapon is, unfortunately, much easier to reach than the defense. So it is like chemical weapons and biological weapons. Defense is more difficult, offense is much easier. And again, you had raised this issue earlier: when does this malicious software, this cyber weapon, become a real weapon, which can then also be considered as an act of war? And that dividing line, what is an act of war and what is not, is if you damage physical equipment. The only case really that we can unequivocally say was physical damage was the Stuxnet attack on centrifuges in Iraq. Then everybody agrees it was a use of a cyber weapon, because it caused physical damage to the centrifuges. But if we take this equation, that now countries are much closer to each other in terms of what damage they can inflict, not the capabilities they have, but the damage they can inflict, and since cyber weapons are much easier to do, and since nation states have really large resources of highly technically qualified teams they can put together, therefore the time has come for us to call a halt to cyber weapons. If we don't, then at some point or the other, by misdirection, misintent, not reading the signs well, we can get into a real deployment and use of cyber weapons. And then a real exchange and war could take place. I think that's the biggest danger we face in the 21st century: an unintentional war because of the use of cyber weapons, and not being able to understand who has deployed it. Is it just somebody crazy who has done it? Or is it real? And then, of course, you have a war. Don't forget the First World War was caused, not by intent, but by the countries not being able to read each other well, and you had an unintentional world war that took place. Nobody wanted it at that stage. So I think those are some of the issues we have to think about.
And how do we get back to the issue of cyber peace? And I think that is the big issue. And talking about how to catch bad guys, how to blame Russia, China, and pretend that we are actually just blessed saints who have done nothing ever wrong, that kind of rhetoric and, really, what shall we say, propaganda, will not lead us anywhere. I think we need to take a cold, hard look at the path we are going down.

And what you've said is right, that unless we have a program for cyber peace, and that means at the end of it treating cyber weapons like we have treated biological and chemical weapons, unless we take that path, I think we are going to be in rather difficult times in the future. So thank you for joining us today for this discussion. That's all the time we have. Keep watching NewsClick.