Extrapolating Pegasus attacks into Cyberwarfare domain: Offense-Defence Equalized?

By Rahul Jaybhay

Emerging technologies and emerging domains are adding new dimensions to the nature of warfare. In that regard, the cyber domain offers unbridled, exploitable opportunity to both state and non-state actors in international politics. Cyberweapons, in the form of malware, are created to inflict damage on an adversary and, more importantly, to target the “critical assets” of states[i]. Such attacks are becoming more prominent and ubiquitous, and are intended to pursue objectives in both the domestic and international spheres.

Pegasus Spyware: Issues and Implications

Pegasus spyware unleashed an era that normalizes state surveillance through the act of snooping. Snooping involves planting a bug on mobile handsets (not computers) without requiring the user to click on malicious links; it utilizes the “zero-click infection” method to install infectious code without any conscious activity by the user[ii]. Such abilities give a government leeway to target phones or devices to keep a constant eye on its perceived enemies. Originally, Pegasus was developed in 2008 for troubleshooting customers’ IT issues, and later it attracted clients through products designed to “skirt” the circumscribing effects of encryption, thereby dodging the encoding that preserves communication privacy[iii]. Apparently, the clients are government agencies who sought to circumvent the “going dark” phenomenon and desired to gain footholds in digital devices, justifying the prying as a way to avert unlawful mischief related to “major crimes and terrorism”.

Given its remarkable snooping capabilities, Pegasus has been picked up by authoritarian governments to spy on their citizens, human rights activists and essentially anyone who challenges the legitimacy of the government. Not surprisingly, traces of Pegasus were first found on the mobile phone of an Emirati activist named Ahmed Mansoor, which was forensically investigated by Citizen Lab[iv]. Interestingly, the Pegasus spyware is owned by the NSO Group and operated by sovereign states, which must pass a certain diligent “review process” to get access to NSO’s “well-tailored” services[v]. Additionally, as a supplementary layer of vetting, the sovereign states need to pass the regulatory filters imposed by the governments of Israel, Belarus and Cyprus, where the operations of the company are based[vi].

Superficially, the licensing process for granting Pegasus spyware creates the impression of a strict regime, but the underlying process is fraudulent, as none of the countries that have so far applied for a license has ever been rejected[vii]. NSO Group’s first Transparency and Responsibility Report, however, claimed to have denied sales of over $300 million of spyware products to sovereign states over the issue of human rights violations. A dispassionate review reveals that NSO ignored evidence of human rights violations exposed by Amnesty International and Citizen Lab, resulting in licenses being granted blindly to states indulging in human rights offences[viii]. The controversy erupted when NSO claimed that it does not operate the spyware but merely licenses it to government agencies to operate. However, the company’s own report implies that it maintains oversight over Pegasus users to determine whether they qualify for its services. The most disturbing aspect relates to state legitimacy: the government is sharing the responsibility of maintaining vigilance over its citizens with a private entity, thereby suggesting a narrowing of the state’s obligation towards its citizens.

Malware: Repercussions for the “Inter-state” Cyberwarfare Domain

Extrapolating the Pegasus scenario to the international sphere, where different states, via private entities, undermine each other’s sovereignty, is the essential starting point for imagining how international politics will manifest in the cyber domain. A brief analysis of data on cyber-attacks compiled by Kaspersky[ix], corroborated with evidence provided by the Council on Foreign Relations[x] and the Center for Strategic and International Studies[xi], evinces an overlapping pattern of regularly occurring cyber espionage and cyber sabotage activities. Major cyber-attacks pertain to compromising control systems in the target state’s nuclear power plants, electricity grids or financial systems. However, no major incident involving the undermining of strategic assets like military systems or the compromise of nuclear weapons is yet known.

Nonetheless, a survey of active cyber threats (CosmicDuke, NetTraveler, Equation, Turla), particularly for India, highlights the capability of such malware to attack the military establishment. Major incidents targeting the Indian military date back to 2008, with ensuing attacks in 2010, 2011 and 2013 which hacked Indian military systems, IDSA and DRDO respectively[xii]. These attacks are attributed to China, with the intention of stealing confidential data and paralyzing servers or networks. India’s policy response was benign and confined to “denouncement” of those attacks. However, the only reported cyber-attack sponsored by India was launched in 2013, namely Patchwork, targeting Pakistan and supposedly Bangladesh and Sri Lanka with the motive of cyber espionage[xiii].

India’s response has primarily been defensive, even though New Delhi possesses the capability to inflict substantial damage on an adversary in both the conventional and sub-conventional domains. A 2019 report commissioned by the Indian government from a New Delhi-based think tank emphasized developing offensive cyber capabilities, but not demonstrating them; however, an active demonstration of cyber offensive capabilities is more effective than obfuscation of the same[xv]. It creates the possibility of using a cyber weapon to retaliate and inflict unintended damage. Such a threat to use offensive capabilities could make an attacker hesitant to initiate aggressive behaviour. Deterrence is strengthened when transparency is maintained by clearly informing adversaries of the requisite capabilities. Any attempt to hide those capabilities could embolden the attacker with the perceived assumption that the victim will not retaliate.

Such a policy measure is also alluded to by the MP-IDSA report, which prescribed “deterrence” as a policy response to thwart any major cyber offense against India[xvi]. Yet the suggestion may not work, since deterrence can only function if the source of an attack can be credibly determined. Theoretically, attribution in cyberspace is a gamble, as states use mechanisms like routing and spoofing techniques to hide their origin while planting a “logic bomb” from another state’s servers[xvii]. Such challenges in cyberspace make it difficult to respond in kind.

Offense-Defence Balance – Offense Saturation and Defence Acceleration

Cyber capabilities have, theoretically, revolutionized the field of military affairs. Analysts point out that a significant edge could be gained by employing cyber elements in warfare scenarios. Cyber capabilities entice initiation to gain first-mover advantage, hence tipping the balance in favour of offense on the battlefield. In other words, cyberspace is always ripe for exploitation. Besides the military domain, commercial cyberspace creates its own vulnerabilities. For instance, Verizon, an American wireless network enterprise, published a report in 2015 titled “Data Breach Investigation” showing that 317 million new pieces of malicious code were created the year before, 10 new pieces of malware “each second of every day”[xviii]. Such malware owes its existence to human error, which cannot be avoided. Thus, a defensive mechanism must be devised to mitigate the impact of this malicious code.

In commercial cyberspace, where demand for cyber security measures is surging, finding a vulnerability in software code and developing an exploit is child’s play. Further, the monetization of exploit discovery has opened new opportunities. For instance, NSO Group charged clients a flat $500,000 installation fee, with an additional $650,000 to break into just ten iPhones or Android mobiles[xix]. The sprawling exploit market makes it easier to penetrate commercial systems, as they mostly use the same operating systems.

However, the same procedure is ineffective against military systems, especially weaponry. Encroaching on a weapon system is a difficult task, as these systems are mostly “air-gapped” (on isolated networks)[xx]. Nevertheless, such systems are connected to command-and-control operators along with navigational systems. Notwithstanding these connections, weapon systems are at least connected to external interfaces like radios, ports and radars[xxi]. Such dependency on external networks or interfaces, which are designed to streamline organizational operations, compromises safety, as more connected devices increase the chances of infiltration. Correspondingly, not all devices are immune from virus attacks[xxii]. Breaching one gadget exposes the whole network and contaminates every device attached to it. Hence, even a weapon system faces the danger of infiltration.

Nonetheless, the propensity of a cyber-attack to yield dividends is highly debatable, yet its success is widely presumed and overinflated. In the commercial domain, a patch is used to fix the error in the software code, and hence the vulnerability is resolved. Operationalizing malicious code is a costly undertaking requiring large investments to sustain the whole ecosystem[xxiii]. Losing stealth prompts repairs, and once patched, the malicious code is no longer an asset. Different vulnerabilities need distinct code to exploit a system. Additionally, network slicing provides end-to-end network isolation, making it feasible to separate military and public traffic by allocating specific “slices” for distinct purposes, thus making it difficult to pursue cyber-attacks for any strategic purpose[xxiv].

Finally, the Pegasus debacle offers an interesting way to look at international politics. Though it was largely concentrated in the domestic politics of a state, projecting its impact onto inter-state dynamics reveals interesting insights. In commercial cyberspace, unlike the military domain, the scale of vulnerability creation makes encroachment highly likely, hence offense clearly dominates. Since military systems are designed to be isolated, the chances of a breach are small, but cannot be negated. As in the commercial realm, the availability of patches and strengthened defences could make military systems immune from cyber-attacks. Hence the policy choice for states like India is to remain attentive to acquiring new defensive measures. Likewise, the offensive potential of cyberspace is overinflated, since no major cyber-attack has hitherto compromised military operations. Hence, to conclude, contrary to conventional thinking, the offensive mechanism and the benefits it accrues are simply balanced out by defensive measures.

[i] Critical assets are defined as those essential elements which, if compromised, have an adverse impact on a country’s ability to pursue its internal as well as external strategic interests, pertaining mostly to the economic, political and security domains. An asset could be a nuclear plant or power/electricity grid, as well as people with specialized responsibilities such as the prime minister or national security advisor.

[ii] Nicole Perlroth, This Is How They Tell Me the World Ends, Bloomsbury, accessed on 01 September 2021.

[iii] Nipun Saxena, “Is It the Last Flight for Pegasus? [Part-I]”, The Leaflet, 19 July 2021. Available at https://www.theleaflet.in/is-it-the-last-flight-for-pegasus-part-i/, accessed on 08 September 2021.

[iv] “Forensic Methodology Report 2021”, Amnesty International. Available at https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/, accessed on 08 September 2021.

[v] “Transparency and Responsibility Report 2021”, NSO Group. Available at https://www.nsogroup.com/wp-content/uploads/2021/06/ReportBooklet.pdf, accessed on 09 September 2021.

[vi] Ibid.

[vii] Nipun Saxena, “Is It the Last Flight for Pegasus? [Part-I]”, The Leaflet, 19 July 2021. Available at https://www.theleaflet.in/is-it-the-last-flight-for-pegasus-part-i/, accessed on 08 September 2021.

[viii] Bill Marczak et al., “HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries”, The Citizen Lab. Available at http://dx.doi.org/10.13140/RG.2.2.33325.95204, accessed on 05 September 2021.

[ix] “Targeted Cyberattacks Logbook”, Kaspersky. Available at https://apt.securelist.com/, accessed on 08 September 2021.

[x] “Cyber Operations Tracker | CFR Interactives”, Council on Foreign Relations. Available at https://www.cfr.org/cyber-operations/, accessed on 15 September 2021.

[xi] “Significant Cyber Incidents”, Center for Strategic and International Studies. Available at https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents, accessed on 07 September 2021.

[xii] “Cyber Operations Tracker | CFR Interactives”, Council on Foreign Relations. Available at https://www.cfr.org/cyber-operations/, accessed on 15 September 2021.

[xiii] Ibid.

[xiv] “Credible Cyber Deterrence in Armed Forces of India”, Vivekananda International Foundation. Available at https://www.vifindia.org/sites/default/files/Credible-Cyber-Deterrence-in-Armed-Forces-of-India_0.pdf, accessed on 12 September 2021.

[xv] Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks”, Journal of Strategic Studies 38(1–2): 4–37. Available at http://dx.doi.org/10.1080/01402390.2014.977382, accessed on 30 August 2021.

[xvi] Cherian Samuel and Munish Sharma, India’s Strategic Options in a Changing Cyberspace, Pentagon Press.

[xvii] Nicole Perlroth, This Is How They Tell Me the World Ends, Bloomsbury, accessed on 01 September 2021.

[xviii] Max Smeets, “A Matter of Time: On the Transitory Nature of Cyberweapons”, Journal of Strategic Studies 41(1–2): 6–32. Available at https://doi.org/10.1080/01402390.2017.1288107, accessed on 29 August 2021.

[xix] Nicole Perlroth, This Is How They Tell Me the World Ends, Bloomsbury, accessed on 01 September 2021.

[xx] “Prioritizing Weapon System Cybersecurity in a Post-Pandemic Defense Department”, Center for Strategic and International Studies. Available at https://www.csis.org/analysis/prioritizing-weapon-system-cybersecurity-post-pandemic-defense-department, accessed on 09 September 2021.

[xxi] Ibid.

[xxii] “What Is the Internet of Things (IoT)?”, Cloudflare. Available at https://www.cloudflare.com/learning/ddos/glossary/internet-of-things-iot/, accessed on 08 September 2021.

[xxiii] Max Smeets, “A Matter of Time: On the Transitory Nature of Cyberweapons”, Journal of Strategic Studies 41(1–2): 6–32. Available at https://doi.org/10.1080/01402390.2017.1288107, accessed on 29 August 2021.

[xxiv] “18/08 | Webinar Invite | Military Applications of 5G”, Centre for Land Warfare Studies (CLAWS). Available at https://www.claws.in/event/18-08-webinar-invite-military-applications-of-5g/, accessed on 12 September 2021.