25 Nov , 2014
The recent cyber attack originating from Pakistan with regard to the exodus by the people of the northeast and the tepid response from the government are worrying causes for the people of the country. Worst is that our secret documents are being pilfered from India by joint efforts by Pakistan and China via cyber warfare. It seems that India has become a staging ground for Pakistan and other rogue powers as to how to hurt the democratic powers, leaving no trace behind. The evil experiments staged in India by jihadi elements (with pliant China) are duplicated across the globe in the UK and the USA.
…the threat of terrorism has posed an immense challenge in the post-Cold War period. Terror attacks in major cities, towns and tourist resorts across the globe have demonstrated the inadequacy of the State mechanisms to address this challenge.
No surprise, Nasscom’s report “Securing Our Cyber Frontiers” calls for strong cyber infrastructure to deal with online crime. The report also suggests designing and implementing a competency framework and setting up a Centre of Excellence for best practice in cyber security. Besides, it has called for establishing a cyber command within the defence forces. It is worth mentioning that even before the above-mentioned north-eastern episode, the government had been victim of cyber crimes with a number of its websites being hit by cyber attacks. Sachin Pilot, Minister of State for Communications and IT, had revealed that 112 sites including those of Planning Commission, the Finance Ministry and various state government agencies, were defaced by cyber attacks. The Defence Research and Development Organisation also stressed the importance for having more resources to control these cyber attacks in near future. Against this backdrop, it is mandatory on part of the government that it must raise its vigilance especially the cyber intelligence against the disruptive forces coming from abroad and as well as home grown.
Cyber security is a complex issue that cuts across multiple domains and calls for multi-dimensional, multilayered initiatives and responses. It is a challenge for governments because different domains are typically administered through siloed ministries and departments. The task is made all the more difficult by the inchoate and diffuse nature of the threats and the inability to frame an adequate response in the absence of tangible perpetrators. The rapidity in the development of Information Technology (IT) and the relative ease with which applications can be commercialised has seen the use of cyberspace expand dramatically in its brief existence.
In less than two decades, advances in information and communications technologies have revolutionised government, scientific, educational, and commercial infrastructures. Powerful personal computers, high-bandwidth and wireless networking technologies, and the widespread use of the Internet have transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity. The types of devices that can connect to this vast IT infrastructure have multiplied to include not only fixed-wired devices but mobile wireless ones. A growing percentage of access is through always-on connections, and users and organisations are increasingly interconnected across physical and logical networks, organisational boundaries, and national borders. As the fabric of connectivity has broadened, the volume of electronic information exchanged through what is popularly known as cyberspace has grown dramatically and expanded beyond traditional traffic to include multimedia data, process control signals, and other forms of data. New applications and services that use IT infrastructure capabilities are constantly emerging.
Given the increasing dependency of the Indian economic and financial institutions on IT, a cyber attack against them might lead to an irreparable collapse of our economic structures.
The IT infrastructure has become an integral part of the critical infrastructures of the country. The IT infrastructures interconnected computers, servers, storage devices, routers, switches, and wire line, wireless, and hybrid links increasingly support the functioning of such critical national capabilities as power grids, emergency communications systems, financial systems, and air traffic- control networks. The operational stability and security of critical information infrastructure is vital for economic security of the country.
Against this back ground it is worth mentioning that the threat of terrorism has posed an immense challenge in the post-Cold War period. Terror attacks in major cities, towns and tourist resorts across the globe have demonstrated the inadequacy of the State mechanisms to address this challenge. Serious attempts have been made by nations to address this challenge by designing counter-terrorism strategies and anti-terror mechanisms. However, most of these are designed in a conventional paradigm, which might be effective in a conventional terror attack. However, there are limitations when it comes to a terror attack of an unconventional nature.
IT has exposed the user to a huge data bank of information regarding everything and anything. However, it has also added a new dimension to terrorism. Recent reports suggest that the terrorist is also getting equipped to utilise cyber space to carry out terrorist attacks. The possibility of such attacks in future cannot be denied. Terrorism related to cyber is popularly known as cyber terrorism.
In the last couple of decades India has carved a niche for itself in IT. Most of the Indian banking industry and financial institutions have embraced IT to its full optimization. Reports suggest that cyber attacks are understandably directed toward economic and financial institutions. Given the increasing dependency of the Indian economic and financial institutions on IT, a cyber attack against them might lead to an irreparable collapse of our economic structures. And the most frightening thought is the ineffectiveness of reciprocal arrangements or the absence of alternatives.
The worrying aspect was the use of modern gadgets bringing out that the terrorist is not only obsessed with IEDs and AK-47 but has also mastered the use of laptops and tablet PCs to give finesse to his nefarious designs.
It is high time, therefore, that an understanding of the nature and effectiveness of cyber attacks making an effort to study and analyse the efforts made by the country to address this challenge and highlight what more could be done.
As the nation became successful in unearthing terrorist networks involved in the recently carried-out terror attacks, the most outstanding feature was the use of the tools of the information age like emails, cell phones, satellite phones etc to stay connected. The worrying aspect was the use of modern gadgets bringing out that the terrorist is not only obsessed with IEDs and AK-47 but has also mastered the use of laptops and tablet PCs to give finesse to his nefarious designs. As terrorist organisations realise its capability and potential for disruptive efforts at lower costs they will become more and more technology-savvy and their strategies and tactics will have a technological orientation. Cyber terrorism is the convergence of terrorism and cyber space. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyber terrorism, an attack should result in violence against persons or property or at least cause enough harm to generate fear, attacks that lead to death or bodily injury, explosions, plane crashes, water contamination or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism depending upon their impact.
This is one of the most comprehensive definitions of cyber terrorism. But even this has a limitation. It states that for an attack to qualify as a cyber attack it should incite violence. This is more conventional. Terrorist may direct an attack only to disrupt key services; If they create panic by attacking critical systems/infrastructure there is no need for it to lead to violence. In fact, such attacks can be more dangerous. The most popular weapon in cyber terrorism is the use of computer viruses and worms. That is why in some cases of cyber terrorism it is also called computer terrorism. The attacks or methods on the computer infrastructure can be classified into three different categories. (a) Physical Attack: The computer infrastructure is damaged by using conventional methods like bombs, fire etc. (b) Syntactic Attack: The computer infrastructure is damaged by modifying the logic of the system in order to introduce delay or make the system unpredictable. Computer viruses and Trojans are used in this type of attack. (c) Semantic Attack: This is more treacherous as it exploits the confidence of the user in the system. During the attack the information keyed in the system during entering and exiting the system is modified without the users knowledge in order to induce errors,
Cyber terrorism is not only limited to paralysing computer infrastructures but it has gone far beyond that. It is also the use of computers, Internet and information gateways—to support the traditional forms of terrorism like suicide bombings. Internet and email can be used for organising a terrorist attack also. Most common usage of Internet is by designing and uploading websites on which false propaganda can be pasted. This comes under the category of using technology for psychological warfare.
Cyber threats can be categorised based on the perpetrators and their motives, into four parts: cyber espionage, cyber warfare, cyber-terrorism, and cyber crime.
Tools of Cyber Terrorism
Cyber terrorists use certain tools and methods to unleash this new age terrorism. These are—(a) Hacking: This is the most popular method used by a terrorist. It is a generic term used for any kind of unauthorised access to a computer or a network of computers–some ingredient technologies like packet-sniffing, tempest attack, password cracking and buffer outflow facilitates hacking. (b) Trojans:
These programmes pretend to do one thing while actually they are meant for doing something different, like the wooden Trojan Horse of the 1z’ Century BC. (c) Computer Viruses: It is a computer programme, which infects other computer programmes by modifying them. They spread very fast. (d) Computer Worms: The term ‘worm’ in relation to computers is a self-contained programme or a set of programmes that is able to spread functional copies of itself or its segments to other computer systems usually via network connections. (e) E-Mail Related Crime: Usually worms and viruses have to attach themselves to a host of programmes to be injected. Certain emails are used as host by viruses and worms. E-mails are also used for spreading disinformation, threats and defamatory stuff. (f) Denial of Service: These attacks are aimed at denying authorised persons access to a computer or computer network. (g) Cryptology: Terrorists have started using encryption, high frequency encrypted voice/data links etc. It would be a Herculean task to decrypt the information terrorist is sending by using a 512 bit symmetric encryption.
Cyber Threats
Cyber threats can be categorised based on the perpetrators and their motives, into four parts: cyber espionage, cyber warfare, cyber-terrorism, and cyber crime. Cyber attackers use numerous vulnerabilities in cyberspace to perpetrate these acts. They exploit the weaknesses in software and hardware design through the use of malware. Distributed Denial-of-Service (DDoS) attacks are used to overwhelm the targeted websites. Hacking is a common way of piercing the defences of protected computer systems and interfering with their functioning. Identity theft is also common. The scope and nature of threats and vulnerabilities is multiplying with every passing day.
The issue becomes extremely complicated because attacks in cyberspace cannot be attributed to an identifiable person and the attacks traverse several computer systems located in multiple countries.
Cyber Warfare
There is no single definition of cyber warfare but it has been emphasised that states may be attacking the information systems of other countries for espionage and for disrupting their critical infrastructure. The attacks on the websites of Estonia in 2007 and of Georgia in 2008 have been widely reported. Although there is nothing that made one believe about the involvement of a state in these attacks, it is widely believed that in these attacks, non-state actors (e.g. hackers) may have been used by state actors. Since these cyber attacks, the issue of cyber warfare has assumed urgency in the global media. The US has moved swiftly and set up a cyber command within the Strategic Forces Command and revised its military doctrine. In the latest official military doctrine, the US has declared cyberspace to be the fifth dimension of warfare after land, air, oceans and space, and reserved the right to take all actions in response, including military strikes, to respond to cyber attacks against it. It is almost certain that other countries will also respond by adopting similar military doctrines.
The issue whether cyber attacks can be termed acts of warfare and whether international law on warfare applies to cyber warfare is being pondered upon grimly. Multilateral discussions are veering around to debating whether there should be rules of behaviour for state actors in cyberspace. The issue becomes extremely complicated because attacks in cyberspace cannot be attributed to an identifiable person and the attacks traverse several computer systems located in multiple countries. The concept of cyber deterrence is also being debated but it is not clear whether cyber deterrence can hold in cyberspace, given the easy involvement of non-state actors and lack of attribution.
However, a debate is going on between those who believe that cyber warfare is over-hyped and those who believe that the world is heading towards a cyber Armageddon. Both sides have valid arguments, but even as that debate continues, cyber warfare as a construct has become inevitable because the number of countries that are setting up cyber commands is steadily growing. These commands have been accompanied by efforts at developing applicable military doctrines. There is, therefore, a pressing need to think about norms for cyber warfare, whether the laws of armed conflict (LOAC) can be adapted to cyber warfare, and how principles like proportionality and neutrality play out in the cyber domain. Current rules of collective security such as Art. 41 of the UN Charter and Chapter 7 are found wanting in the context of cyber warfare, particularly when it comes to the rapidity of cyber attacks, and the inordinate time it takes for decision making and action under these rules.
Cyber Crime
In the contemporary would, we are witnessing ever-increasing number of people hooked to online service, which provides a happy hunting ground for cyber criminals, with losses due to cyber crime being in billions of dollars worldwide. While other countries are reporting enormous losses to cyber crime, as well as threats to enterprises and critical information infrastructure (CII), there are hardly any such reports coming out of India other than those relating to cyber espionage. Though the report of the National Crime Records Bureau (NCRB) for 2010 reported an increase of 50 per cent in cyber crime over the previous year, the numbers were quite small in absolute terms. The total number of cases registered across various categories was 698; but these low numbers could be because cyber laws have proved ineffective in the face of the complex issues thrown up by Internet.
…cyberspace is increasingly being used for various criminal activities and different types of cyber crimes, causing huge financial losses to both businesses and individuals.
As a case in point, though the cyber crimes unit of the Bengaluru Police receives over 200 complaints every year, statistics show that only 10 per cent have been solved; a majority of these are yet to be even tried in the courts; and the cases that did reach the courts are yet to reach a verdict since the perpetrators usually reside in third countries. Even though the Information Technology Act (IT Act) 2000 confers extraterritorial jurisdiction on Indian courts and empowers them to take cognizance of offences committed outside India even by foreign nationals provided that such offence involves a computer, computer system or computer network located in India, this has so far existed only on paper. Similarly, there are relatively few reports of Indian companies suffering cyber security breaches of the sort reported elsewhere. Companies attribute this to the primacy placed on information assurance in the outsourcing business. Industry bodies such as the National Association of Software and Services Companies (NASSCOM) also attribute this to the fact that they have been at the forefront of spreading information security awareness amongst their constituents, with initiatives such as the establishment of the Data Security Council of India (DSCI) and the National Skills Registry.
The Indian government has also aided these initiatives in a variety of ways, including deputing a senior police officer to NASSCOM to work on cyber security issues, keeping the needs of the outsourcing industry in mind. That said, cyberspace is increasingly being used for various criminal activities and different types of cyber crimes, causing huge financial losses to both businesses and individuals. Organised crime mafia have been drawn to cyberspace, and this is being reflected in cyber crimes gradually shifting from random attacks to direct (targeted) attacks. A cyber underground economy is flourishing, based on an ecosystem facilitated by exploitation of zero-day vulnerabilities, attack tool kits and botnets.
The vast amounts of money lubricating this ecosystem is leading to increased sophistication of malicious codes such as worms and trojans. The creation of sophisticated information-stealing malware is facilitated by toolkits such as ZueS, which are sold on Internet for a few thousands of dollars. At the other extreme, components of critical infrastructure such as Programmable Logic Control (PLC) and Supervisory Control and Data Acquisition (SCADA) systems were targeted by the Stuxnet malware that attacked supposedly secure Iranian nuclear facilities. Stuxnet exploited five distinct zero-day vulnerabilities in desktop systems, apart from vulnerabilities in PLC systems, and exposed the grave threat to critical infrastructure such as nuclear plants and other critical infrastructure.
The examples of cyber espionage are quite evident, with regular reports of thousands of megabytes of data and intellectual property worth millions being exfiltrated from the websites of both government and private enterprises.
Cyber criminals are using innovative social engineering techniques through spam, phishing and social networking sites to steal sensitive user information to conduct various crimes, ranging from abuse to financial frauds to cyber espionage. While large enterprises are ploughing more resources into digital security, it is the small enterprises and individuals that are falling prey to cyber crime, as evinced by the increasing number of complaints on consumer complaint forums.
Cyber Espionage
The examples of cyber espionage are quite evident, with regular reports of thousands of megabytes of data and intellectual property worth millions being exfiltrated from the websites of both government and private enterprises. While government websites in India have been hacked, the private sector claims that it has not been similarly affected. It may also be that theft of intellectual property from private enterprises is not an issue here because R&D expenditure in India is only 0.7 per cent of GDP, with government expenditure accounting for 70 per cent of that figure. Companies are also reluctant to disclose any attacks and exfiltration of data, both because they could be held liable by their clients and also because they may suffer a resultant loss of confidence of the public.
As far as infiltration of government websites is concerned, cyber espionage has all but made the Official Secrets Act, 1923 redundant, with even the computers in the government’s sensitive departments being accessed, according to reports. The multiplicity of malevolent actors, ranging from state-sponsored to hactivists, makes attribution difficult. The government currently can only establish measures and protocols to ensure confidentiality, integrity and availability (CIA) of data. Law enforcement and intelligence agencies have asked their governments for legal and operational backing in their efforts to secure sensitive websites and to go on the offensive against cyber spies and cyber criminals who are often acting in tandem with each other.
In the current climate of elevated risk created by the vulnerabilities of and threats to the Nations IT infrastructure, cyber security is not just a paperwork drill. Adversaries are capable of launching harmful attacks on IT systems, networks, and information assets. Such attacks could damage both the IT infrastructure and other critical infrastructures. Cyber security is slowly gaining wider adoption in many consumer products for a variety of reasons, due to appreciation of consequences of insecurity, the need for developing secure products, performance and cost penalties, improved user convenience, need for implementing and consistently maintaining security practices, and importance of assessing the value of security improvements. But consumer and enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of a cyber terrorism, and the pervasiveness of IT uses. Consequently, many in the industry and critical infrastructure organizations have come to recognize that their continued ability to gain consumer confidence will depend on improved software development, systems engineering practices and the adoption of strengthened security models and best practices.
In the current climate of elevated risk created by the vulnerabilities of and threats to the Nations IT infrastructure, cyber security is not just a paperwork drill. Adversaries are capable of launching harmful attacks on IT systems, networks, and information assets.
In order to highlight the growing threat to information security in India and focus related actions, Government had set up an Inter Departmental Information Security Task Force (ISTF) with National Security Council as the nodal agency. The Task Force studied and deliberated on the issues such as
National Information Security Threat Perceptions.
Critical Minimum Infrastructure to be protected.
Ways and means of ensuring Information Security including identification of relevant technologies.
Legal procedures required to ensure Information Security.
Awareness, Training and Research in Information Security.
In line with the recommendations of the ISTF, the following initiatives have been taken by the Government:
Indian Computer Emergency Response Team (CERT-In) has been established to respond to the cyber security incidents and take steps to prevent recurrence of the same
PKI infrastructure has been set up to support implementation of Information Technology Act and promote use of Digital Signatures.
Government has been supporting R&D activities through premier Academic and Public Sector Institutions in the country
Information Security Policy Assurance Framework for the protection of Government cyberspace and critical infrastructure has been developed.
The Government has mandated implementation of Security Policy in accordance with the Information Security Standard ISO 27001
Currently in India 246 organisations have obtained certification against the Information Security Standard ISO 27001 as against total number of 2814 ISMS certificates issued worldwide. Majority of ISMS certificates issued in India belong to IT/ITES/BPO sectors.
Security Auditors have been empanelled for auditing, including vulnerability assessment & penetration testing of computer systems & networks of various organizations of the government, critical infrastructure organizations and those in other sectors of the Indian economy. Nationwide Information Security Education and Awareness Program has been launched.
Understanding the threat of cyber warfare and developing capacity for offensive actions in this domain is mandatory. Nations, non-state actors, terrorist groups and individuals pose a challenge to growth, which is increasingly going to be dependent on the cyber security.
The IT infrastructures significance to the country has gained visibility in the recent years due to cyber attacks and rapid growth in identity theft and financial frauds. These events have made it increasingly clear that the security of the IT infrastructure has become a key strategic interest to the government. Although the industry now making investments in security-related infrastructure, their actions are directed primarily at short-term efforts driven by market demands to address immediate security problems. The government has a different but equally important role to play in cyber security assurance in the form of long-term strategies. In this direction, the deliberations of the National Information Board (NIB), National Security Council (NSC) have stressed the importance of a national strategy on cyber security, development of national capabilities for ensuring adequate protection of critical information infrastructures including rapid response and remediation to security incidents, long-term investments in infrastructure facilities, capacity building and R&D. Governments responsibilities in long-term investment and fundamental research will enable development of new concepts, technologies, infrastructure prototypes, and trained personnel needed to spur on next-generation security solutions.
Hence, the above points make it amply clear that we need to develop cyber infrastructures; the IT infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks. Their interactions propel innovation in industrial design and manufacturing, e-commerce, e-governance, communications, and many other economic sectors. The IT infrastructure provides for the processing, transmission, and storage of vast amounts of vital information used in every domain of society, and it enables government agencies to rapidly interact with each other as well as with industry, citizens, state and local governments, and the governments of other nations.
Understanding the threat of cyber warfare and developing capacity for offensive actions in this domain is mandatory. Nations, non-state actors, terrorist groups and individuals pose a challenge to growth, which is increasingly going to be dependent on the cyber security. Cyber warfare will also be central to any hostile or conflict situation. Clearly defined objectives and national doctrine in this regard along with supporting structures and matching capabilities are thus inescapable.
No comments:
Post a Comment