Opinion » Lead

Updated: August 23, 2012 08:22 IST

Living with the reality of virtual threats

Shashi Tharoor
Comment (21)   ·   print   ·   T  T  

Cyberspace is too important for its security to be handed over to those who want to lock it up

The recent revelations of Pakistan-based websites unleashing doctored pictures of alleged atrocities against Muslims in order to inflame passions in India has once again drawn attention to the enormous potential of the Information Age to challenge our security assumptions.

The computer is the instrument of our age; cyberspace is the oxygen of the internet. So much in our interconnected, globalised, and technologically advancing world depends on cyberspace. From our mundane emails to social networking to high priority banking services, government systems, communications, transport, and perhaps most important, our military organisations, all increasingly place reliance on the World Wide Web and everything connected to it.

To a layman, cyber security means simple things: a password that is not stolen, a message that remains confidential, a child that is not exposed to a stalker or paedophile online. When they type in a web address, that is where they should go and not to a spam site. When they click a link that looks genuine, they should not be cheated by a plausible fraud. Their work online should not be tampered with, and so on.

Four threats

But cyber security ranges across wider terrain. The international relations theorist Joseph Nye has discerned four different types of threats to cyberspace. The most dramatic is Cyber War — the unauthorised invasion by a government into the systems or networks of another, aiming to disrupt those systems, to damage them partially, or to destroy them entirely. A specific target is to slow down if not curtail the military systems of the target state: there is no point having excellent missiles and weapons if the delivery systems can be paralysed. And as our military establishments become more and more dependent on sophisticated technologies, the risk of equally sophisticated attacks on them grows.

Nye’s second threat is Cyber Espionage. Governments can invade the systems of their rivals to steal sensitive information that would be useful for their own purposes. These attacks are usually hard to discover and the case of Operation Shady RAT, the world’s biggest hacking ever, is rather phenomenal. For five whole years hackers had access to 70 government and private agencies around the world as they secreted away gigabytes of confidential information, unbeknownst to those at the receiving end. By the time Shady RAT was spotted, 49 networks had been infected in the United States alone along with several others in India, South Korea, Taiwan and elsewhere.

Cyber Crime is the third kind of threat, and the most familiar. While this also has military and political implications, it affects the lives of ordinary Internet users more closely. Just the other day, for instance, a domestic aide of mine, recently introduced to the world of email, came up to me looking rather dazed. He had, he said, just received an email that some lady in Kenya had left him a substantial amount of money. In order to access that money he needed to deposit a relatively small but still significant sum (Rs.40,000 to be exact) at a local bank account here, so that the transfer could be facilitated. Such messages come in daily and there are many who fall prey to them. Cyber Crime also includes pornography, Internet stalking, and personality imitation.

Finally there is Cyber Terrorism. This includes websites spreading extremist propaganda, recruiting terrorists, planning attacks, and otherwise promoting terrorists’ political and social objectives. It also involves the use of hackers by terrorists to debilitate states and governments, much like in Cyber War, with the only difference that this involves a non-State actor. Cyberspace offers a great advantage for the shrouded business of terrorists, making their work murkier than ever to those outside.

As weapon

Cyber attacks are already happening daily, and as we grow more and more ‘connected’, the threats also become more complex. Symantec, a leading international cyber security company, recorded that in 2010 alone there were three billion malware attacks. Of these one stands out especially, pointing to the possible use by legitimate governments of cyber weapons. This was the case of Stuxnet, which attacked five Iranian organisations, all reportedly connected with their uranium enrichment and nuclear programmes. By early 2011 The New York Times revealed, very plausibly, that Stuxnet was the single biggest weapon used in an attempt to thwart Iran’s nuclear ambitions, and the most sophisticated instrument ever used in cyber space. There is, in a sense, a war constantly on in cyber space, one that is invisible and to which we are all, in the end, inevitably connected.

Earlier this year, a similar highly complicated attack called Flame was discovered in Russia, Hungary, and Iran. Flame had been copying documents, recording audio (including keystrokes!), network traffic, Skype calls, as well as taking screenshots from infected computers. And it was passing all this information collected to the computers controlling it. No security alarm went off on any of the infected computers, which raises the question: are any of our systems really safe? Conventional security measures are all outdated and by the look of it, even the ‘latest’ protections are rendered obsolete sooner than we would collectively desire.

In those cases, the United States is the likely suspect, but though nothing can be conclusively established, China has consistently topped the list of official suspects in the world of cyber attacks. The attacks coming from there do not usually aim to destroy or even debilitate as much as to steal information. The Titan Rain attack, for instance, targeted the U.S. military, National Aeronautics and Space Administration (NASA), and the World Bank. Sensitive information stolen was not only related to military matters but also to markets, trade, and business activities. Similarly GhostNet infiltrated Indian government systems and accessed classified information of our security agencies, embassies, and the office of the Dalai Lama, doing the same with hundreds of government establishments elsewhere in the world.

Social networking websites are also increasingly becoming targets, not only because of the massive databases they provide, but also in order to spread malware that infect computers. On Facebook there are 50 million Indian users and even if a small fraction of them click unsuspectingly on a malevolent but seemingly ordinary link, you have that many computers opened up to risk and infection. Cyber attacks, to state the obvious, can be very personal.

Another use of social networks, seen recently in India, is to spread inflammatory material with a motivated agenda, such as the doctored pictures of alleged atrocities against Muslims in Assam and Myanmar that incited violence in Mumbai and threats of retaliation elsewhere. Though this does not constitute cyber terrorism in itself, it constitutes a new security threat that cannot be ignored.

India’s response system

There are no easy responses to all these phenomena. The U.S. has created CYBERCOM in 2009 as a military command dedicated to cyber warfare. In the civilian arena few countries have a credible equivalent.

India’s own style of dealing with cyber threats leaves much to be desired. It is relatively chaotic and there is a constant insecurity that our cyber-defences are insufficient. This perception has been underscored by frequent reports of successful invasions of Indian cyberspace. Our approach appears so far to have been ad hoc and piecemeal. There are some 12 stakeholders in protecting the cyber defences of India, including the Home Affairs Ministry, the National Disaster Management Authority, National Information Board and a motley crew of others. They are together responsible for the Indian Computer Emergency Response Team, which is the principal national agency. Such a large number of bosses, I would argue, is not conducive to efficiency. We must be vigilant, but we must also ensure our security measures do not compound the threat. As someone once asked, if Tim Berners-Lee had to ask for permission, would the World Wide Web have been invented? Would Google have been perceived as a security threat right at the start and been prohibited? Would Wikipedia have come into existence? The chances are they would not have been allowed.

The freedom of cyber space is just as crucial to the debate as its protection is. This is why policy on cyber security is too important to be left to the cyber security experts and too valuable socially to be left to the police. It is not for the gunsmiths to decide who should use the gun and how. The key to cyber space should never be given to those who would place a lock on it. It should be held by the larger moral force of society.

(The author is a Member of Parliament and former Minister of State for External Affairs.)

More In: Lead | Opinion

Shashi has hit the nail on the head.!! More people should be made aware about this by arranging more conferences/print media/TV etc.

Well, about cyber security it can be avoided up to some extent by being alert at each persons level by not replying/not opening any unnecessary links, dont chat with someone whom do dont know, keep updating your antivirus, dont store your personal data/photos/audio clips on internet for long time, keep changing your passwords frequently etc.. In one word, ACT SMART.
Along with above, i strongly agree with Shashi on having a core committee for cyber security. India should train,teach students and hire some experts for the same. In today's world even if you think you are safe from outside world, same may not be the case with insiders..

from:  Ravi
Posted on: Aug 24, 2012 at 16:07 IST

Nice Write up.. Our Government really have to take serious measures to
this coming threat....

from:  Rakshit Tandon
Posted on: Aug 24, 2012 at 10:05 IST

very informative and awareness spreading article

from:  uttam kumar
Posted on: Aug 23, 2012 at 20:52 IST

A well-written article which provides lots of information about the different possible hazardous situations in cyber space.As internet is gaining populariy so does the vulnerability of misusing the facility.One thing is for sure,in the wake of recent internet linked untoward incidents,it has become inevitable to have meeasures to protect cyber space from malicious malevolent attacks.

from:  Pallikunnil Divakaran
Posted on: Aug 23, 2012 at 20:20 IST

India is IT hub of world. We have many IT experts and ethical hackers but still our cyberspace is not safe. Government is needed to strengthen its defense system as well as promote ethical hackers.

from:  Sandeep Singh
Posted on: Aug 23, 2012 at 17:57 IST

Wholly agree with the author. Also, such cyber crimes can be
prevaricated to some extent if proper cyber education is imparted to the
individuals at the school/neophyte level. An awareness campaign will be
an icing on the cake.

from:  Mikhil Kapoor
Posted on: Aug 23, 2012 at 17:46 IST

Excellent article on present cyber security scenario.

from:  Bhagiradh Sista
Posted on: Aug 23, 2012 at 17:44 IST

Excellent article! I have always enjoyed Mr. Tharoor's work, and this is
yet another good write-up from him.

from:  Gayathri
Posted on: Aug 23, 2012 at 16:05 IST

Need to Implementation of Law practically not in papers only.Well Nice Writeup.

from:  Arti
Posted on: Aug 23, 2012 at 14:22 IST

The articles reveals how vulnerable are we Indian net users and the
Government.Till date we were only worried about the attacks by
malwares, i.e computer viruses, worms, trojan horses, spyware,
adware, and other malicious programs. A common woman/man may think
that an anti-virus program and fire wall will protect her/him from
everything. But now it seems that not only the financial world,
government departments, the whole military , the universities etc will
get affected by a cyber war. Suppose our nuclear power plants,
electrical power stations, transport systems, huge factories,
refineries, ports etc become monsters by a trigger of malicious
codes/scripts? The author is a renowned ex-diplomat and MP and so
must take these issues to Parliament.

from:  K.P.Pradeep
Posted on: Aug 23, 2012 at 14:18 IST

intellectuals and liberals like tharoor are kept out of the cabinet
such right thinking individuals opinion should be considered
pity he has to choose a print medium to express his views
he is not in any policy making panels

from:  swaminathan
Posted on: Aug 23, 2012 at 14:07 IST

Being a person from Cyber Security, I know how much it is easy for us to
dupe the naive people on internet and then use that resources to do
something illegal and unacceptable. There should be a body which will
not only work towards security of cyber crime in Govt. and Militant
organization but also work towards enforcement of awareness of cyber
crime. It is always better to take precautions.

from:  Hemant
Posted on: Aug 23, 2012 at 13:57 IST

Very good article. Yes, increasing usage and utility of online mandates strong security otherwise there is a great danger.

from:  Sudheer
Posted on: Aug 23, 2012 at 13:57 IST

Four threats very succintly summarised by Sashi. Why can't this be given wide publicity as an awareness measure? The policy makers should wake up. Like in the rela world we have criminals, spies, pranksters and terrorists, the virtual world is no better. The march of time is blurring the line dividing the two worlds and safety has to be ensured if the push into the virtual world continues at this pace. Thanks to Sashi!!

from:  P Sen
Posted on: Aug 23, 2012 at 13:50 IST

We need to pay attention to possible reasons why some attacks happen to prevent attacks in future. It is surprising that this article does not mention Israel as they are one of the leaders in cyber atacks.
The recent national power grid failure and this mass hysteria by emails could be the work by Israelis to test their hardware before attacking Iran. Stuxnet and other viruses have already been shown to have affected Indian industries and so it is a very likey possibility. It is important for media and government to think of these possibilities rather than reflexively say it is the work of Pakistan. This may also be aimed at India supporting US and Israeli attack on Iran. I am a US citizen and or Indian origin and the current war mongering by Israel is definitely not in India's or US interest.

from:  Ramesh
Posted on: Aug 23, 2012 at 13:16 IST

A very well written article. I hope the policy makers are listening..

from:  Satyajit Borah
Posted on: Aug 23, 2012 at 12:54 IST

This view of the the World wide web by the author is overtly generalistic and borders on scaremongering. Apart from Social networking sites and end-consumer transactions (online banking, online trading and shopping) the world wide web in the form that we know is barely used by sensitive operations like high priority banking, government or defence communication and transport (air and rail). They all use their own private, secure VPN or Wide area networks, and not connect over the open internet. The threat levels for breach of these sensitive networks is similar to the oppurtunities of physical breach of one of their offices and the organizations have already taken steps to secure their networks. The notion should not be given to the readers that the security in these networks is similar to the security you have while posting a tweet. Its far more robust. Is this an attempt to create a smokescreen to allow FB and twitter shirk their social and corporate responsibility and go scot free?

from:  Jagadeesh
Posted on: Aug 23, 2012 at 12:00 IST

This article is a masterpiece in the sense that it infuriates a sense of
responsibility among citizens.It would rather help eradicate the wrong
sense prevailing in our society at large,aided by social networking

from:  Gautam Tibrewal
Posted on: Aug 23, 2012 at 11:19 IST

In the information age we can not lock our cyberspace because it is among one of the main tool for the sustainable development of the state.But curbing of cyber attack in any form either cyber war or putting illegitimate material on the web has rally become necessary around the globe.Though we are having strict policies but still we are not guarding our information web properly and which causing recent NE exodus type events.
For this firstly we have to be aware of accessing or rejecting any information from the web which is against the security codes of the state.Secondly law makers should make strict laws for non state actors included in this kind of crime and most importantly implement them.
We can not isolate our self from this but can make a safe distance to access genuine information.
And parallely system need to strict its security norms so that any state against information and data is not in the reach of common citizen of the country.

from:  Mayank Kanga
Posted on: Aug 23, 2012 at 11:03 IST

This was indeed a great article which helps in making the people aware of the "cyber threat". India really requires proper systems to be adopted in order to be safe or else this might really create big disasters in the future.

from:  V Likhit Patnaik
Posted on: Aug 23, 2012 at 10:09 IST

Many of the people who does this assumes that they do this with a false sense of anonymity. The law is there to prevent this, but enforcement is far from satisfactory.

from:  Prof Mohandas
Posted on: Aug 23, 2012 at 07:10 IST
Show all comments
This article is closed for comments.
Please Email the Editor



Recent Article in Lead

Delhi Chief Minister Arvind Kejriwal shakes hand with Lt. Governor Najeeb Jung, after taking oath of office as new Chief Minister. File Photo: R.V. Moorthy

More constitutional than political

A reasonable case can be made that the Delhi Lieutenant Governor’s discretionary powers do not extend to the appointment of the Chief Secretary without the ‘aid and advice’ of the Chief Minister and his Council of Ministers »