A recent ANI panel discussion and a follow-up post on X by one of the panellists put on centre stage the state of information security in the armed forces. The podcast episode highlighted the security threat from a memorandum of understanding (MoU) signed by the Indian Air Force with Uber, which said it would provide “reliable, convenient, and safe transportation services for IAF personnel, veterans and families.” The Indian Navy had signed a similar MoU with the cab aggregator service in 2023.
A large number of X users and media reports expressed concerns about data security and military personnel’s location tracking. While the veteran community criticised the contemptuous, colourful, and crude language used in the podcast, it nonetheless upheld the security concerns.
One of the panellists released an apology video while unequivocally reiterating the threat to security. Another panellist, probably piqued by the criticism, posted a letter addressed to the defence minister with copies to PMO and CAG, highlighting direct breaches of security in all three services. The movement of military personnel wearing smart watches or carrying smartphones in highly classified defence installations was tracked by the fitness app Strava and shared in the public domain.
Surprisingly, the armed forces chose to remain silent about the controversies, compounding people’s apprehensions. Are the armed forces diligent about threats to their critical information infrastructure, in which the cyber domain is omnipresent? Is the likely exploitation of public services like Uber a serious enough threat to warrant absolute exclusion?
Information security in armed forces
As the instrument of last resort, the armed forces have traditionally been extremely conscious about information security. However, it is an ongoing battle due to advancements in snooping technology and open source intelligence.
Most of the basic intelligence about the military can be collected through open source intelligence. This includes satellite imagery/maps, media reports, military tenders for infrastructure development, contracts for equipment/weapons/supplies, and international trade information on military hardware. Militaries do take precautions to safeguard basic information but their real challenge is to safeguard critical information—“when, where, and how” resources are employed. This is true for even the world’s most advanced militaries.
The internet is flooded with military information gathered through open source intelligence. Newsweek, CNN, and other publications have published open source satellite images of Chinese nuclear submarines. Military satellites would have picked up many more details. Similarly, the permanent locations of US carrier groups, their sailing out information, and the names of commanding officers are readily available in the public domain. The information on their operational deployment and employment is, however, safeguarded.
The permanent locations of the People’s Liberation Army (PLA) formations in Xinjiang and the Tibet Military District were well known, as was the area of their field exercises. The Indian Army had the requisite satellite and drone-based surveillance. Yet, by safeguarding the “when, where, and how” through deception and rapid movement, and aided by some complacency on the Indian armed forces’ part, the PLA achieved strategic and tactical surprise for its offensive manoeuvre to intrude across the Line of Actual Control in five areas in April-May 2020 and secure territory of 1,000 sq km.
Electronic and cyber security of the Indian armed forces is managed by highly qualified domain experts most of whom are postgraduates from IIT. The present National Cyber Security Coordinator, MU Nair, is a retired Lt Gen and former Signal Officer-in-Chief. His predecessor, Lt Gen Rajesh Pant was also a veteran. A number of serving officers and veterans are part of the National Critical Information Infrastructure Protection Centre and the National Technical Research Organisation.
The armed forces have elaborate policies to safeguard information security covering physical, electronic, and cyber information denial and countermeasures. Policies on the use of social media have been refined gradually and have withstood the test of time. The armed forces have their own secure communications and cyber networks that predominantly use optical fibre and dedicated indigenous satellites. Even field communications are encrypted. Military computers run on secure, exclusive service intranets.
How then do security breaches take place? There are two reasons: negligence by the personnel and the safeguards not keeping pace with snooping or open source intelligence technology. In the Russia-Ukraine war, the negligent use of smartphones and uncontrolled electronic emissions resulted in a large number of avoidable casualties. Initially, Russian electronic warfare created a communication blackout in Ukraine but it was soon overcome by the underground optical fibre network and SpaceX’s Starlink service.
In a nutshell, the armed forces have to prevent security breaches and keep pace with snooping technology. The former can be prevented through training programmes, strict protocols, and ruthless enforcement. The latter requires upgrading encryption technology, passive and active countermeasures, and cocooning of critical activity to safeguard the “when, where, and how”.
Uber and Strava controversies
The public and media concerns over the MoUs signed by the Indian Navy and the IAF with Uber, a foreign entity, are valid in principle, especially concerning the disclosure of individual profile information and the live location of military personnel and their relatives. By extension, the concern applies to all multinational corporations like Amazon, Google, and Zomato. All these services require users to provide personal details such as name, mobile number, email, and home address.
The threat of data being compromised through sophisticated snooping is as applicable to a foreign entity as it is to an Indian entity, including government services. The market for internet search engines, cyber security, and encryption software is dominated by US companies, and the network routers and security appliances that carry internet connections come largely from US vendors such as Cisco. These practices are universal. Hence, Uber using foreign encryption technology is par for the course. Cyber security is never 100 per cent; the use of safeguards is based on risk management analysis.
To expect a friendly American government, with which we have signed the Communication Compatibility and Security Agreement (COMCASA), to force Uber to part with encrypted data or to snoop into data stored in servers located in the US, would be stretching one’s imagination. Where a threat exists, the government can exercise its prerogative to restrict the operations of a company as in the case of Huawei.
The details of defence installations appearing in the public domain due to inadvertent mapping by defence personnel using the Strava fitness app is, by all yardsticks, a security breach. It took place because personnel carried mobile phones and smart watches into sensitive areas and shared their activity data with other Strava users. The matter needs to be investigated and disciplinary action initiated where warranted.
What must be done
Unfortunately, the armed forces have issued no clarifications on the security safeguards built into the MoUs with Uber. I only hope the rumours of their cancellation are not true, as it would only validate the sensational and generic security concerns, raised by critics who are not domain experts, that do not withstand scrutiny. This not only holds the information security structure of the armed forces up for ridicule but could also result in a loss of public confidence.
Moreover, it will open a Pandora’s box calling for military personnel to stop using many other essential services which by implication are as vulnerable as Uber with respect to data being compromised, if not more. In my view, the MoUs may be reviewed but must not be cancelled.
There is an urgent need for the armed forces to restore public confidence in the state of their information security. The matter is serious; the Chief of Defence Staff, the Service Chiefs and the National Cyber Security Coordinator must clarify the issue.
Domain experts from the Integrated Defence Staff must formally brief the media, giving an overview of the state-of-the-art information security structure of the armed forces. They should also highlight the security risk management measures while using cyber-based public and government services. Self-styled experts on social media must not be allowed to ridicule the armed forces and hold their time-tested information security structure to ransom.
Lt Gen H S Panag PVSM, AVSM (R) served in the Indian Army for 40 years. He was GOC in C Northern Command and Central Command. Post-retirement, he was a Member of the Armed Forces Tribunal. Views are personal.
(Edited by Prasanna Bachchhav)