Cyberspace is too important for its security to be handed over to those who want to lock it up
The recent revelations of Pakistan-based websites unleashing doctored pictures of alleged atrocities against Muslims in order to inflame passions in India has once again drawn attention to the enormous potential of the Information Age to challenge our security assumptions.
The computer is the instrument of our age; cyberspace is the oxygen of the internet. So much in our interconnected, globalised, and technologically advancing world depends on cyberspace. From our mundane emails to social networking to high priority banking services, government systems, communications, transport, and perhaps most important, our military organisations, all increasingly place reliance on the World Wide Web and everything connected to it.
To a layman, cyber security means simple things: a password that is not stolen, a message that remains confidential, a child that is not exposed to a stalker or paedophile online. When they type in a web address, that is where they should go and not to a spam site. When they click a link that looks genuine, they should not be cheated by a plausible fraud. Their work online should not be tampered with, and so on.
But cyber security ranges across wider terrain. The international relations theorist Joseph Nye has discerned four different types of threats to cyberspace. The most dramatic is Cyber War — the unauthorised invasion by a government into the systems or networks of another, aiming to disrupt those systems, to damage them partially, or to destroy them entirely. A specific target is to slow down if not curtail the military systems of the target state: there is no point having excellent missiles and weapons if the delivery systems can be paralysed. And as our military establishments become more and more dependent on sophisticated technologies, the risk of equally sophisticated attacks on them grows.
Nye’s second threat is Cyber Espionage. Governments can invade the systems of their rivals to steal sensitive information that would be useful for their own purposes. These attacks are usually hard to discover and the case of Operation Shady RAT, the world’s biggest hacking ever, is rather phenomenal. For five whole years hackers had access to 70 government and private agencies around the world as they secreted away gigabytes of confidential information, unbeknownst to those at the receiving end. By the time Shady RAT was spotted, 49 networks had been infected in the United States alone along with several others in India, South Korea, Taiwan and elsewhere.
Cyber Crime is the third kind of threat, and the most familiar. While this also has military and political implications, it affects the lives of ordinary Internet users more closely. Just the other day, for instance, a domestic aide of mine, recently introduced to the world of email, came up to me looking rather dazed. He had, he said, just received an email that some lady in Kenya had left him a substantial amount of money. In order to access that money he needed to deposit a relatively small but still significant sum (Rs.40,000 to be exact) at a local bank account here, so that the transfer could be facilitated. Such messages come in daily and there are many who fall prey to them. Cyber Crime also includes pornography, Internet stalking, and personality imitation.
Finally there is Cyber Terrorism. This includes websites spreading extremist propaganda, recruiting terrorists, planning attacks, and otherwise promoting terrorists’ political and social objectives. It also involves the use of hackers by terrorists to debilitate states and governments, much like in Cyber War, with the only difference that this involves a non-State actor. Cyberspace offers a great advantage for the shrouded business of terrorists, making their work murkier than ever to those outside.
Cyber attacks are already happening daily, and as we grow more and more ‘connected’, the threats also become more complex. Symantec, a leading international cyber security company, recorded that in 2010 alone there were three billion malware attacks. Of these one stands out especially, pointing to the possible use by legitimate governments of cyber weapons. This was the case of Stuxnet, which attacked five Iranian organisations, all reportedly connected with their uranium enrichment and nuclear programmes. By early 2011 The New York Times revealed, very plausibly, that Stuxnet was the single biggest weapon used in an attempt to thwart Iran’s nuclear ambitions, and the most sophisticated instrument ever used in cyber space. There is, in a sense, a war constantly on in cyber space, one that is invisible and to which we are all, in the end, inevitably connected.
Earlier this year, a similar highly complicated attack called Flame was discovered in Russia, Hungary, and Iran. Flame had been copying documents, recording audio (including keystrokes!), network traffic, Skype calls, as well as taking screenshots from infected computers. And it was passing all this information collected to the computers controlling it. No security alarm went off on any of the infected computers, which raises the question: are any of our systems really safe? Conventional security measures are all outdated and by the look of it, even the ‘latest’ protections are rendered obsolete sooner than we would collectively desire.
In those cases, the United States is the likely suspect, but though nothing can be conclusively established, China has consistently topped the list of official suspects in the world of cyber attacks. The attacks coming from there do not usually aim to destroy or even debilitate as much as to steal information. The Titan Rain attack, for instance, targeted the U.S. military, National Aeronautics and Space Administration (NASA), and the World Bank. Sensitive information stolen was not only related to military matters but also to markets, trade, and business activities. Similarly GhostNet infiltrated Indian government systems and accessed classified information of our security agencies, embassies, and the office of the Dalai Lama, doing the same with hundreds of government establishments elsewhere in the world.
Social networking websites are also increasingly becoming targets, not only because of the massive databases they provide, but also in order to spread malware that infect computers. On Facebook there are 50 million Indian users and even if a small fraction of them click unsuspectingly on a malevolent but seemingly ordinary link, you have that many computers opened up to risk and infection. Cyber attacks, to state the obvious, can be very personal.
Another use of social networks, seen recently in India, is to spread inflammatory material with a motivated agenda, such as the doctored pictures of alleged atrocities against Muslims in Assam and Myanmar that incited violence in Mumbai and threats of retaliation elsewhere. Though this does not constitute cyber terrorism in itself, it constitutes a new security threat that cannot be ignored.
India’s response system
There are no easy responses to all these phenomena. The U.S. has created CYBERCOM in 2009 as a military command dedicated to cyber warfare. In the civilian arena few countries have a credible equivalent.
India’s own style of dealing with cyber threats leaves much to be desired. It is relatively chaotic and there is a constant insecurity that our cyber-defences are insufficient. This perception has been underscored by frequent reports of successful invasions of Indian cyberspace. Our approach appears so far to have been ad hoc and piecemeal. There are some 12 stakeholders in protecting the cyber defences of India, including the Home Affairs Ministry, the National Disaster Management Authority, National Information Board and a motley crew of others. They are together responsible for the Indian Computer Emergency Response Team, which is the principal national agency. Such a large number of bosses, I would argue, is not conducive to efficiency. We must be vigilant, but we must also ensure our security measures do not compound the threat. As someone once asked, if Tim Berners-Lee had to ask for permission, would the World Wide Web have been invented? Would Google have been perceived as a security threat right at the start and been prohibited? Would Wikipedia have come into existence? The chances are they would not have been allowed.
The freedom of cyber space is just as crucial to the debate as its protection is. This is why policy on cyber security is too important to be left to the cyber security experts and too valuable socially to be left to the police. It is not for the gunsmiths to decide who should use the gun and how. The key to cyber space should never be given to those who would place a lock on it. It should be held by the larger moral force of society.
(The author is a Member of Parliament and former Minister of State for External Affairs.)