As the cyberspace playing field grows, so do the cyber assets, vulnerabilities and potential threats.
Security cannot be guaranteed and the task of securing a nation is hard. On the other hand, threats to National Security are many. Amongst these threats, in an ever-expanding interconnected world, threats via cyberspace are getting more serious, with each cyber attack giving tantalizing clues of worse things that could happen. In the previous blog in this series on Cyber Security, a brief introduction to the terms National Security and Cyber Security was given. These days, we also come across several other terms related to cyberspace, like Information Security, Data Security, IT Security, ICT Security and so on. Quite often, there is a lack of clarity on the scope of each.
With the increasing risks of cyber attacks due to the widespread reach of cyberspace, it is clear that measures taken to secure the assets and people of the nation will have to be enhanced and adapted with time. To define an effective strategy, it is essential to understand:
- the various types of cyber-linked Assets that need to be protected and how they can be classified
- the Vulnerabilities that exist which could be taken advantage of by adversaries
- the various Threats possible and how they can be classified
- what measures are needed to Protect these assets, how to Prevent and Deter such attacks, and how to Respond appropriately if an attack occurs.
In the broader realm of National Security, assets of a nation can be classified into two types:
- Tangible Assets (Critical Infrastructure, Banking Institutions, Food, Water, etc.)
- Intangible Assets (Identity, Privacy, Reputation, Governance, Public Confidence, etc.)
To classify the subset of assets whose protection falls within the purview of Cyber Security strategies, one good approach could be to split the assets first based on whether they are information-related or non-information-related. Borrowing the methodology adopted by Rossouw von Solms and Johan van Niekerk, as explained in their paper titled "From information security to cyber security", information can further be divided into Digital and non-Digital. The latter includes information that is stored in print or writing, for example, books, files, art works, etc. Digital information corresponds to information stored in digital forms like memory disks or memory drives. The scope of Information Security covers protection of information of all kinds, be it digital or not, and that of the systems, tools, objects and various means that are used to store it. It also includes aspects like authorized access, secure transmission and usage of information.
Digital data relies on special hardware and software for its storage, processing and transmission. These are typically grouped together under Information and Communication Technology (ICT), which includes hardware assets (like personal computers, servers, data storage units, and telecommunication networks), software assets (like software programs) and associated application databases and services. Protection of ICT assets is a subset of Information Security and normally comes under the scope of ICT Security or IT (Information Technology) Security. It also includes protection to ensure authenticity, non-repudiation, accountability and reliability of digital information.
The trend we see is that the reach of ICT technologies to store, process or transmit information is expanding and hence, the scope of IT/ICT Security will soon form a large part of Information Security.
Cyber-related information assets are tangible assets. There are also non-information assets that rely on ICT infrastructure for their operations. These include power grids, medical facilities, etc. A cyber attack can not only target ICT systems but can also be carried out using ICT systems to wreck the operations of other non-ICT systems or infrastructure. In addition to this, there are also intangible assets that are more people-centric, like identity, trust, reputation, privacy, brand name, social status, etc. In some cases, the information itself can cause a security threat through subversion or propaganda.
Any adverse impact on these non-information-based assets and intangible assets can have direct or indirect financial and non-financial implications. Examples include attacks via cyberspace to bring down the power grid, cyber terrorism, hacktivism, etc. Though it is quite often hard to quantify the losses due to cyber attacks on intangible assets, the importance of securing these assets from cyber attacks is paramount. Therefore, the scope of Cyber Security is wider than IT Security. It is not just limited to ICT protection, but also includes protection of people and systems which use or interface with ICT systems (see the security boundaries Venn diagram below). The scope of cyber security is increasing progressively with time as more and more people and systems get connected to cyberspace (as shown by the red arrows in the diagram).
Hostile attacks via cyberspace occur due to Vulnerabilities that exist in the system. Cyber technology is a mix of computer hardware and computer software written to perform a specific functionality. Vulnerabilities that exist in ICT systems are openings for potential cyber attacks. The Routine Activity Theory (Cohen and Felson 1979) states that the crime rate trend is dependent on the convergence in time and space of three basic elements: Motivated Offenders, Suitable Targets and the Absence of Capable Guardians. Taking a cue from this theory, in cyberspace too, motivated offenders will always be on the lookout for vulnerabilities in the system.
Vulnerabilities need not be in ICT hardware or software systems; they can also be due to bad processes and bad practices by the people using them. Quite often, people are the weak link in a secure system. While every effort can be made to make a product fully resilient to attacks through security audits, exhaustive penetration testing, etc., vulnerabilities will exist, and they will become known only when some attack exploits them, either as part of authorized testing or in a malicious attack. Hence, management of vulnerabilities should follow a continuous improvement cycle, so that, with each iteration, the count reduces over time.
With these vulnerabilities comes the Threat of attacks. Cyber attacks, at a very broad level, can be classified into two main categories, which overlap each other:
- Cyber Crime
- Cyber War
Cyber attacks like Cyber Espionage, Cyber Hacking, Cyber Subversion and Cyber Sabotage fall in the overlap area, as they can be classified as acts of cyber war or just cyber crime or both, depending on the actors involved and the objective of the attacks. Cyber crimes typically have a legal framework to deal with such incidents, unlike cyber war attacks.
From a cyber crime perspective, Wall (2007) suggested a good way to categorize the types of crimes:
- computer integrity crimes: offences relating to the confidentiality, integrity and availability of information or computer systems
- computer-assisted crimes: offences assisted by computers
- computer content crimes: offences that focus on the content of computers
Now that we have tried to map the various types of assets that have a touch point with cyberspace, the kinds of vulnerabilities that can exist and a classification of the types of cyber attacks, the question that arises in the Indian context is ‘Are India’s National Cyber Security Policy 2013 and the legal framework able to address the challenges of Cyber Security today and in the future?’
In the next blog, we will delve deeper into the different types of cyber crimes and also deliberate, with a few examples, on whether various cyber conflicts should be classified as acts of cyber war or otherwise. We will also make an attempt to look at what legal frameworks are available in India to deal with such cyber incidents today and what more is needed.
Sudeep Divakaran is a Research Scholar at the Takshashila Institution.