Date: 2023-10-31

Multiple opposition MPs (Priyanka Chaturvedi, Shashi Tharoor, Mahua Moitra, Pawan Khera) have now gone public and disclosed that they received messages from Apple about state-sponsored attackers compromising their Apple devices. We will probably hear about more MPs soon. A few things:

1. Sophisticated attacks, multiple vectors: such attacks are virtually impossible to guard against, because they could get you to click on a link via any medium: email, SMS, WhatsApp message, etc. It could be a message posing as a credit card statement, an e-commerce package delivery link, anything. It’s social engineering. It could happen to anyone.

2. Android vs Apple: a cybersecurity expert I know said that it’s likely that we won’t know about Android devices being compromised in a similar manner. How does Apple know it’s a state-sponsored attack? Probably because of the activity on the device and the nature of the compromise; it’s an educated guess. Such attacks are not easy, and the sophistication points towards software mostly available to the state.

3. Who did this? We will never know. What most people don’t realise is that the thing that is virtually impossible to do in these cases is attribution. You can’t ever conclusively prove WHO has attacked someone with such tools because it is virtually impossible to trace the source. It’s possible to guess, and you can make a probabilistic determination. It’s impossible to prove. This is something lawyers often don’t understand. It was the same issue with Pegasus. Lawyers expected that there would be something akin to a murder weapon, and that technology could find the weapon with fingerprints on it. So they did not push back much against the SC constituting a “technical” committee, which can never give a deterministic technical outcome.

4. How to solve this? You can only follow the money. Find the money trail for the purchase of such software, which is often very expensive to buy; while it can be cloaked under purchases by intermediaries, there are indicators. Secondly, query local ISPs for high-capacity bandwidth purchases. Some tools like Pegasus require a dedicated leased line with connectivity to the parent company. Thirdly, investigate trade agreements, because in some cases these purchases of cyber weapons require state sanction. Even then, you’re more likely to end up with a probabilistic outcome, not a deterministic outcome.

5. Can anyone do anything? This, along with electoral bonds, is a key test for the Supreme Court of India. I’m reminded of former Chief Justice N.V. Ramana during the Pegasus case, repeatedly saying that the Supreme Court doesn’t want to venture into areas of national security before finally constituting a technical committee, noting that the state will not get a free pass. That committee report is still not public and we haven’t heard of that case since. The Indian government had said then that if they disclose anything related to such tools, it would empower terrorists. The Supreme Court has an opportunity to ring-fence surveillance: not just mass surveillance with CMS, Natgrid and Aadhaar-linked data collection, but also illegal usage of cyber weapons against citizens with tools like Pegasus, Netwire and Predator. That is national interest, and whether it will act or not is anybody’s guess. The fact remains: it should.