About Sudeep Divakaran

Author Archive | Sudeep Divakaran

Mapping Cyber Security in the broader field of National Security – IV

As the cyberspace playing field grows, so do the cyber assets, vulnerabilities and potential threats.

Security cannot be guaranteed and the task of securing a nation is hard. On the other hand, threats to National Security are many. Amongst these threats, in an ever-expanding interconnected world, threats via cyberspace are getting more serious, with each cyber attack giving tantalizing clues of worse things that could happen. In the previous blog in this series about Cyber Security, a brief introduction to the terms National Security and Cyber Security was given. These days, we also come across several other terms related to cyberspace like Information Security, Data Security, IT Security, ICT Security and so on. Quite often, there is a lack of clarity on the scope of each.

With the increasing risks of cyber attacks due to the widespread reach of cyberspace, it is clear that measures taken to secure the assets and people of the nation will have to be enhanced and adapted with time. To define an effective strategy, it is essential to understand

  • the various types of cyber-linked Assets that need to be protected and how they can be classified
  • the Vulnerabilities that exist which could be taken advantage of by adversaries
  • the various Threats possible and how they can be classified
  • what measures are needed to Protect these assets, how to Prevent and Deter such attacks and how to Respond appropriately if an attack occurs.

In the broader realm of National Security, assets of a nation can be classified into two types:

  • Tangible Assets (Critical Infrastructure, Banking Institutions, Food, Water, etc)
  • Intangible Assets (Identity, Privacy, Reputation, Governance, Public Confidence etc)

To classify the subset of assets whose protection falls within the purview of Cyber Security strategies, one good approach could be to first split the assets based on whether they are information-related or non-information-related. Borrowing the methodology adopted by Rossouw von Solms and Johan van Niekerk as explained in their paper titled From information security to cyber security, information can further be divided into Digital and non-Digital. The latter includes information that is stored in print or writing, for example, books, files, art works, etc. Digital information corresponds to information stored in digital form, for example on memory disks or memory drives. The scope of Information Security covers protection of information of all kinds, be it digital or not, and that of the systems, tools, objects and various means that are used to store it. It also includes aspects like authorized access, secure transmission and usage of information.

Digital data relies on special hardware and software for its storage, processing and transmission. These are typically grouped together under Information and Communication Technology (ICT), which includes hardware assets (like personal computers, servers, data storage units, and telecommunication networks), software assets (like software programs) and associated application databases and services. Protection of ICT assets is a subset of Information Security and normally comes under the scope of ICT Security or IT (Information Technology) Security. It also includes protection to ensure authenticity, non-repudiation, accountability and reliability of digital information.

The trend we see is that the reach of ICT technologies to store, process or transmit information is expanding and hence, the scope of IT/ICT Security will soon form a large part of Information Security.

Cyber related information assets are tangible assets. There are also non-information assets that rely on ICT infrastructure for their operations. These include power grids, medical facilities, etc. Cyber attacks can not only target ICT systems but can also be carried out using ICT systems to wreck the operations of other non-ICT systems or infrastructures. In addition to this, there are also intangible assets that are more people-centric like identity, trust, reputation, privacy, brand name, social status, etc. In some cases, the information itself can cause a security threat through subversion or propaganda.

Any adverse impact on these non-information based assets and intangible assets can have direct or indirect financial and non-financial implications. Examples include attacks via cyberspace to bring down the power grid, cyber terrorism, hacktivism, etc. Though it is quite often hard to quantify the losses due to cyber attacks on intangible assets, the importance of securing these assets from cyber attacks is paramount. Therefore, the scope of Cyber Security is wider than IT Security. It is not just limited to ICT protection, but also includes protection of people and systems which use or interface with ICT systems (see the security boundaries Venn diagram below). The scope of cyber security is increasing progressively with time as more and more people and systems get connected to cyberspace (as shown by the red arrows in the diagram).

Security Boundaries Venn Diagram

Hostile attacks via cyber space occur due to Vulnerabilities that exist in the system. Cyber technology is a mix of computer hardware and computer software written to perform a specific functionality. Vulnerabilities that exist in ICT systems are openings for potential cyber attacks. Taking a cue from the Routine Activity Theory (Cohen and Felson 1979) that states that crime rate trend is dependent on the convergence in time and space of three basic elements: Motivated Offenders, Suitable Targets and Absence of Capable Guardians, in cyberspace too, motivated offenders will always be on the lookout for vulnerabilities in the system.

Vulnerabilities need not necessarily be in ICT hardware or software systems; they can also be due to bad processes and bad practices by the people using them. Quite often, people are the weak link in a secure system. While every effort can be made to make a product fully resilient to attacks through security audits, exhaustive penetration testing, etc., vulnerabilities will exist that become known only when some attack exploits them, either as part of authorized testing or in a malicious attack. Hence, management of vulnerabilities should follow a continuous improvement cycle, so that, with each iteration, the count reduces over time.

And with these vulnerabilities comes the Threat of attacks. Cyber Attacks at a very broad level can be classified into two main categories, which overlap each other:

  • Cyber Crime
  • Cyber War

Cyber attacks like Cyber Espionage, Cyber Hacking, Cyber Subversion and Cyber Sabotage fall in the overlap area, as they can be classified as acts of cyber war, as cyber crime, or as both, depending on the actors involved and the objective of the attacks. Cyber crimes typically have a legal framework to deal with such incidents, unlike cyber war attacks.


From cyber crime perspective, Wall (2007) suggested a good way to categorize the type of crimes:

  • computer integrity crimes: offences relating to the confidentiality, integrity and availability of information or computer systems
  • computer-assisted crimes: offences assisted by computers
  • computer content crimes: offences that focus on the content of computers

Now that we have tried to map the various types of assets that have a touch point with cyberspace, the kinds of vulnerabilities that can exist and a classification of the types of cyber attacks, the question that arises in the Indian context is ‘Are India’s National Cyber Security Policy 2013 and the Legal framework able to address the challenges of Cyber Security today and in future?’

In the next blog, we will delve deeper into the different types of cyber crimes and also deliberate, with a few examples, on whether to classify various cyber conflicts as acts of cyber war or otherwise. We will also make an attempt to look at what legal frameworks are available in India to deal with such cyber incidents today and what more is needed.

Sudeep Divakaran is a Research Scholar at Takshashila Institution


Cyber Security: It is not about securing the Cyberspace alone – III

The lack of a universal definition of Cyber Security is a challenge. Is it so expansive and dynamic that it is hard to define?

The World Economic Forum highlighted that two out of the top ten global risks in 2015 are Cyber Attacks and Data Fraud or Theft. The priority to secure the nation from such risks is getting bigger. So, the question that arises is, what all do we need to protect and how much should we do?

In the face of these fast moving developments in the technology sector coupled with strong interconnections amongst people and systems via cyberspace, the strategies and procedures for National Security need to adapt continuously. An effective strategy is needed to minimise new gaps that appear due to advancements in cyberspace. To go about this, we first need to look at

  • the various types of Assets that need to be protected and how they can be classified
  • the various Threats and Attacks possible and how they can be classified
  • what measures are needed to protect these assets, how to prevent and deter such attacks and how to respond appropriately if an attack occurs.

National Security at a very broad level covers the security of all assets, including critical infrastructure and citizens: protecting the economy and various operations, ensuring the safety and health of the public, countering any internal or external attacks, etc. Threats can be of various kinds like war attacks, terrorist attacks, etc. The Tallinn Manual defines Cyber Attack as a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.

Among all these assets, Information and Communication Technology (ICT) forms one key group that needs protection. ICT includes all forms of information storing and processing computer systems (hardware/software), electrical and electronic equipment, telecommunication equipment, etc. In cyberspace, in addition to the ICT infrastructure, information that is stored or transmitted is of prime value. Confidential information must be protected from illegal access and manipulation, and all information should be available to the authorised person(s) when needed. The goal of Information Security is to ensure the preservation of confidentiality, integrity and availability of information stored in any form, be it digital (like in a hard-disk or memory device), print (like books) or any other form that is possible. The term Information Security is used more on the corporate side to refer to information in cyberspace.


To begin with, we can say that Cyber Security applies to security of ICT assets and all information related assets in cyberspace. ISO defines it as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”. The Indian National Cyber Security Policy 2013 defines Cyber Security as a measure “To build a secure and resilient cyberspace for citizens, businesses and Government. To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.”

The paper by Rossouw von Solms and Johan van Niekerk titled From information security to cyber security makes this distinction between Information Security, ICT security and Cyber Security. It also widens the scope of cyber security to include assets like people, who could be indirectly impacted by acts that use ICT-based systems as one of the means to carry them out. The paper argues that not all of Cyber Security is necessarily a subset of Information Security. Instead, there are cyber security threats that don’t form part of the scope of Information Security. Examples highlighted are Cyber bullying, threats to non-information based home assets that are automated, Cyber Terrorism, illegal sharing of data, etc. The Venn diagram shown below gives a high-level picture using the concepts listed above.

Venn Diagram

So, given the wider scope, Cyber Security can be considered as measures adopted

  • to protect the assets (including people), which are part of cyber domain or have links with the cyberspace, from threats of attacks
  • to preserve confidentiality of information, integrity and availability of networks and infrastructure and
  • to build a resilient framework to prevent and deter any attacks and to respond to them accordingly in any event.

In the next blog in this series, we will elaborate on the Venn diagram shown above to break down the various assets and categorise them into different security types. We will also take a closer look at vulnerabilities, types of threats and causes for cyber attacks.


The penchant to get interconnected is unstoppable – II

Vast interconnections help greater access to information and enable the path to greater knowledge, application and even prediction. Having an edge with a little caution matters!

Communication, data collection and analytics will foster economic growth and for some, it may even help predict the future. Being able to predict the weather, stock markets, energy supply, prices of commodities, market potential, etc. based on various data points and statistical analysis has seen increasing demand. Today, in an interconnected world of cyberspace, a place where we have people-to-people communication, people-to-machine communication and machine-to-machine communications evolving at a tremendous pace, the opportunities opening up are galore. And for India, with a vast population and economic potential, cyberspace technologies are key to minimising inefficiencies and implementing effective solutions that can work at scale. On the other hand, highly networked interconnections will also bring along their share of vulnerabilities which can be exploited. In the first part of this series of blogs on the Cyber Security topic, the broad definition of Cyberspace was provided together with a brief introduction on the questions around Cyber Security. Before going into the details of Cyber Security, it is essential to look at the trends and reach of cyberspace in India.

The TRAI report on The Indian Telecom Services Performance Indicators for the period July-September 2015 showed that broadband Internet subscribers are being added at a faster rate than narrowband subscribers, and gave a clear indication that Indians are accessing the internet more via wireless than wireline technologies. The impact of the challenges faced in laying cables to connect all areas in India, particularly rural areas, is now to some extent mitigated by the wireless alternative (e.g. the National Optical Fibre Network project in India, initiated in 2011 to connect 2,50,000 Gram panchayats using optical links, is facing huge delays). The total number of internet subscribers touched 324.95 million at the end of September 2015, with wireless internet subscribers accounting for more than 93% of the subscriptions.

While mobile devices enable faster penetration of the internet today, wireline solutions like ADSL, Cable Modem and Optical Fibre to home solutions will also gain traction along the way due to their higher bandwidth capability, lower cost and wider application base (like Audio/Video streaming).

Globally, in the Information and Communication Technology (ICT) sector, we are seeing a massive growth in internet users since 2000. ITU’s ICT Facts & Figures report shows that the number of internet users has increased to 3.2 billion in 2015 from just around 400 million in 2000. Internet penetration grew seven-fold from 6.5% to 43% between 2000 and 2015. As per Ericsson’s India Mobility Report June 2015, India is one of the fastest economies using mobile for accessing the internet. The number of smartphone subscriptions is expected to grow at a CAGR of 35% from 2014 to 2020, reaching 750 million subscriptions. The total data traffic is expected to touch as high as 2800 petabytes per month in 2020, which is a CAGR of 55% compared to figures in 2014. The usage of mobile data services is seen in all segments like Audio/Video streaming, Social Networking, E-Commerce, Instant Messaging, Banking and Finance, Emails, etc. Globally, India grew the fastest in terms of net subscriber additions in Q3 2015.

From Digital India to Smart Cities, technologies like Internet-of-Things will bring more devices connected to the internet (not limited to PCs and Mobile phones, but also household appliances, automobiles, homes, etc.) and enhanced services via cloud based technologies. The cyberspace environment is going through a transformation which will make it very complex. Cisco predicts that there will be 50 billion devices connected to the internet by 2020, that is, an average of ~6.58 devices per person. And if we consider only the actual number of internet users in 2020, this figure would be much higher.

However, the increasing interconnections will raise the chances of vulnerabilities in the system, hence making users more prone to security risks. Given that the benefits of connecting to the Internet outweigh the economic costs of cyber attacks, nations need to focus more on how to tackle the challenges of cyber security. ITU’s Global Cyber Security Index report released in April 2015 made an evaluation of India’s Cyberwellness profile. Interestingly, India was ranked 5th in the Global Cyber Security Index (the rank was shared with six other countries). While this may be commendable, the word of caution to note (also mentioned in the report) is that this ranking is based on data concerning the commitment and preparedness of the country and does not really take into account the detailed capabilities and possible vulnerabilities in the cyberspace systems, which are also critical.

In this information age, the question that arises is: how prepared is the nation to handle cyber attacks? Do we know the vulnerabilities in the systems we use, and are we able to take appropriate actions immediately? What level of cyber security awareness do users have? What are the key critical assets that need to be air-gapped to prevent any catastrophic impacts due to cyber attacks? With the ever increasing value of the information of a billion people and with the ability to control critical infrastructure and business/household systems from remote locations, do we have the right capabilities and capacities to protect the citizens and systems, to respond swiftly to minimise the impact of an attack, and to have in place appropriate measures to prevent or deter such attacks?

In the next blog in this series, we will look further into the scope of cyber security in the context of National Security and beyond.


From Cybernetics to the web of Cyberspace – I

A look at the origins of the word ‘Cyberspace’ and questions around it.

“Is Science a boon or a bane?” – a topic for essays in the past! Today, topics of more interest are “Is Cyberspace a boon or a bane? How about Machine Learning and Artificial Intelligence?” Perhaps, in future, one can just ask the machine for an answer!

Without going too far into the future, it is interesting enough to look at cyberspace today and follow the influence of cyber technologies in society. It is no surprise when we read reports of teenagers born in the internet age fearing a life without internet. While the pros and cons of cyber technologies are being analysed by policy makers, it is obvious – Cyberspace is here to stay.

What is “Cyberspace”?


It was André-Marie Ampère who first introduced the word cybernétique in French in his book Essai sur la Philosophie des Sciences in 1834. However, the word cyber got closer to its current meaning in the 1940s, from the word Cybernetics, coined by scientist Norbert Wiener in his book Cybernetics, or Control and Communication in the Animal and Machine. Cybernetics originated from the Greek word ‘kybernḗtēs’ (also spelt kubernetes), which meant ‘steersman’ or ‘rudder man’. The verb version meaning ‘to control’ or ‘to steer’ was used in the context of the new science of controlling machines and even people, using a set of interconnected control and communication systems.

A decade later, the shortened form ‘cyber’ started getting prefixed to form new words like cyber-punk, cybernetic organism (which later got shortened and popularised as ‘cyborg’), etc. It was only in the 1980s that the word ‘cyberspace’ was popularised by William Gibson in his science fiction novel ‘Neuromancer’ in a very imaginative way as “A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts . . . A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non space of the mind, clusters and constellations of data. Like city lights, receding….”

The compound word Cyberspace is also sometimes used differently with a hyphenation like ‘cyber-space’ or with cyber as a prefix as ‘cyber space’. Based on sources from Google Ngram Viewer, the compound word ‘cyberspace’ is more commonly used.

The International Organisation for Standardisation (ISO) defines cyberspace as a complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form. The Indian National Cyber Security Policy 2013 defines cyberspace as a complex environment consisting of interactions between people, software, and services, supported by worldwide distribution of information and communication technology (ICT) devices and networks.

Based on various definitions by different countries and organisations like that initiated by New America, Cyberspace can be summarised as:

  • It is a complex environment comprising a global network of interdependent IT infrastructures, telecommunication networks, storage systems and computer processing systems, which form a part of the Internet
  • It enables exchange of information and interaction of people and machines like computers where information can be created, deleted, stored and processed
  • It is a mix of public and private virtual space without borders

Every node that is connected to this cyberspace, be it a machine which works independently or a human connected to it through some device, is reachable from another node located anywhere. Access to the node depends on the access permissions and security walls built around it. Due to the exposure to malicious attacks and cyber-related crime, security of data and identity are becoming crucial. Do we have sufficient data about cyber incidents, and are we able to measure the economic cost of such incidents?

Cyber Security has been gaining importance over the past decade. In the World Economic Forum’s Global Risks 2015 report, cyber risk is one of the top ten global risks. Many other related terms are often used in the context of Cyber Security like Cyber attack, Cyber crime, Information Security or IT Security, Data Security, Cyber Defence, Hacktivism, Cyber bullying, etc. What do they all mean and how different is each from the other? Is there a common definition used globally for all? What is its trade-off with Privacy and Freedom of Expression?

Moreover, efforts are being made to analyse how the new dimensions of such extensive real-time connectivity without borders are changing the way people go about their decision making. What do studies in cyber sociology teach us about the behavioural changes seen in people when using or interacting in cyberspace?

Cyberspace technologies have helped transform businesses and have fuelled economic growth during the last 15 years. The extent of its reach is expedited with increasing adoption of mobile devices, giving instant access to the internet both indoors and also outdoors. Social media and social networks are changing the way people interact and get access to information and respond. How are social media and networks influencing governance, balance of power, social and political stability?

In this new series of blogs on Cyber Security and related topics, we will explore the above questions. In the next part, I will provide an overview of the penetration of internet in India and also, broadly define Cyber Security, Cyber Crime and Cyber Defense in the context of National Security.
