Tag Archives | Cyber Security

India needs a Guccifer of its own to play in the big leagues

The Russian influence campaign against the 2016 US elections shows the need for India to develop its own information warfare capabilities, not only to protect itself from foreign influence, but also to launch offensive operations to protect its national interests.

During the 2016 US Presidential election race, Wikileaks leaked over 19,000 emails and 800 attachments from the members of the US Democratic National Committee (DNC), the governing body of the US Democratic Party. The leaked information shed light on the “corrupt and bias” nature of some DNC members’ actions against Bernie Sanders and in support of Hillary Clinton. Consequently, four of the DNC members, including the Chairperson, resigned their positions due to their involvement in the scandal.

The DNC leak was the smoking gun that significantly influenced public trust in the democratic process of the country, pushing a lot of educated voters away from voting for Clinton.

The hacker Guccifer 2.0 was behind the data theft and penetration of the DNC email networks. The name Guccifer 2.0 refers to the legacy left by a Romanian hacker called Guccifer, currently serving a sentence in a US prison, who victimized numerous US politicians and celebrities with many scandals. The list included Colin Powell, George Bush’s sister, Sidney Blumenthal (the former aide to Bill Clinton), and members of the Council on Foreign Relations.

Per the recent joint intelligence report by the CIA, FBI & NSA, leaking the DNC’s sensitive information was part of the Russian-sanctioned influence campaign to interfere with the 2016 US elections and get Trump elected. In addition to the data leak, Russia supposedly deployed anti-Clinton propaganda via its international media channels and social media, mostly via RT news and Sputnik, to sway public opinion.

In other words, Russia launched a massive information war interfering with the US elections, and helped Trump, who is supposedly pro-Russia, get elected. This level of foreign interference in other countries’ governance systems isn’t something new. The whole of the Cold War can be simplified as information warfare between the US and Russia to attain global dominance. The US itself has been behind many military coups and regime changes post World War II, notably in Iran, Guatemala, and Chile.

This shows the significance of, and the need for, enhancing one’s information warfare capabilities: not only to protect oneself from foreign bias and interventions, but also to be able to launch offensive operations that protect our national interests, economic development and international relationships.

Hence, as India emerges as a global economic power, we need to step up our information warfare capabilities. We need our own Guccifers that can launch sophisticated cyber operations and gather information on our counterparts. We need our own RTs and Sputniks that can bolster our image and neutralize foreign bias against us.


A breach notification strategy for cyber attacks is needed

By Sandesh Anand

While a strong focus on protecting India’s cyber assets is required, it is a reasonable assumption to make that there will be more cyber attacks in 2017. These attacks will lead to sensitive information leakage, lack of availability of your favorite internet services and other disruptions common during a cyber attack. It is hence important to deliberate on a breach notification policy framework.

Currently, many regulators (such as RBI) and CERT-in lay down many rules to ensure companies report certain kinds of cyber incidents. However, there is no policy which requires entities to report breaches to you and me, the consumers. This means that if (say) a bank gets hacked and that leads to leakage of consumers’ sensitive information (such as phone number, account balance), the bank is under no obligation to inform the consumers about the extent of the breach and explain what steps are being taken to prevent such incidents in the future. As a result, consumers are in the dark about the status of their data and cannot take corrective steps. For instance, if a consumer knows that her credit card number is compromised, she can contact her bank, cancel the card and get a new one issued.

Here are some questions to ponder while we design such a policy:

What type of breaches should be notified?

Agencies like CERT-in require companies to report any “significant” breach. However, attacks which are “significant” may be irrelevant for a consumer. For example, does the consumer really need to be notified if an attack caused a network outage internal to an organization? How about if only employee details were leaked? On the other hand, attacks which lead to leakage of consumer PII (personally identifiable information) certainly warrant a consumer notification. It is important to make it easy for organizations to distinguish between breaches which need to be notified and those which do not.

Who should be notified?

The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example: users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size, ownership model (i.e. publicly held v/s privately held companies).

Should notifications be enforced? If yes, who should enforce it?

It is important for the policy to define if it merely “recommends” notification or enforces it. If the latter, the policy needs to define who the enforcer should be. Options include central government, state governments (such as in the USA) or industry regulators.

What should be the nature of the notification?

It will be useful to define the nature of the notification as well. While some flexibility can be provided to the breached organization, broad guidelines should be provided. The absence of such a guideline might lead to an organization notifying a breach through a small column on page 16 of a local daily.

When should the notification take place?

While it makes sense to provide breached organizations with some time to investigate the breach, it is important to have a deadline by which the organization has to notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.

A robust breach notification policy is a requirement as we move rapidly towards a digital economy. While some companies may resist such a policy as it makes things harder for them, it certainly serves the interest of their customers and brings in much needed transparency to the myriad world of cyber attacks.

Sandesh Anand is a GCPP9 alumnus and an Information Security professional. He tweets as @JubbaOnJeans

 


Attributing Cyber-attacks: The cyclic nature of it

The cyclic nature of cyber-attack attribution and maintaining anonymity online presents a conundrum to the security industry.

A few days ago, the Indian Congress vice-president Rahul Gandhi’s Twitter account appeared to be hacked, followed by dozens of offensive tweets being posted. Within minutes of the first hack, the Twitterati engaged in a game of ‘whodunit?’ On one hand, people accused PM Modi’s followers of the hack, and on the other, some called it a staged drama by the Congress Party. Premature at best, the accusations were baseless and lacked evidence, highlighting the challenging nature of attribution.

Attribution

The most common factor leading the attribution dialogue today is the un-traceability of a cyber-attack. Attacks do not come with a return address. Tools available to obscure an attack’s origins are becoming more and more sophisticated by the day. Even if an attack can be traced to a system, there are chances of it being a deliberate misdirection.

Anonymity

Anonymity online is crucial for legitimate reasons: privacy is at the heart of it, as is being able to voice concerns against strict government rules without reprisals, which is a basic right under any democratic government. There are sophisticated ways to maintain anonymity; you can mask your IP address, use fake accounts, virtual machines, strong encryption, etc.

The Cyclic Nature

Better tools for anonymity consequently lead to either a lack of attribution or improper attribution of cyber-attacks. The lack of proper attribution gives way to increased cyber-attacks, consequently leading to improved techniques for better attribution from the “anti-anonymity” group. Hence, to continually thwart the efforts of anti-anonymity groups, pro-anonymity groups come up with better technological capabilities to maintain their anonymity. This shows a recurring nature between the need to fight against anonymity and the need for anonymity. The recurring nature is the status quo.

Conundrum

This status quo of recurring nature begs the question: Why waste time on attribution when those resources can be better spent on enhancing one’s security and capability?

In his article about attribution, Lital Asher-Dotan, the founder of cyber security company Alfa Tech, argues that the security industry spends too much time and resources in attributing cyber-attacks, which is highly inefficient. According to him, “a company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks.”

While I agree with Lital that attributing is highly inefficient, I disagree with the notion of not giving enough significance to attribution.

Let’s take the extreme version of this, where we do not spend any time or energy on answering the “Who did it” and that time and energy is spent on enhancing security systems. The other side of this coin is that the lack of attention to attribution leads to a counter response with increased cyber-attacks without fear of reprisals; more creative and dangerous attacks at that. The likelihood of successfully infiltrating a security system increases, with disastrous consequences. So this extreme version of the scenario does not turn out well.

Even if attribution may not yield anything, it is an essential aspect of cyber-security. Eliminating attribution is not a logical option. It acts as a deterrent. Hence there is a heightened need to strike the right balance between energy spent on attribution and defending against cyber-attacks, where one does not need to compromise resources from the other.

 

Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution


Beware the security risks before you jump onto digital payments bandwagon

Deficit in cash flow has forced users into digital payments. Without proper precautions and security policies, the highly reactive nature of cyber security leaves us vulnerable to cyber-attacks.

Image source: DNA India

The whole demonetization of currencies has shaken our country to its core. In the past week, we saw how it affected people at all levels and how they were coping with it, hoping for the better in the near future. While the challenges still persist, it has nudged people towards digital transactions even for their daily needs using virtual wallets, PayTM and others. Companies that enabled digital payments acted as buffers soaking up some of the pressure. In fact, there was a surge in digital payments hitting record highs over the past week; PayTM saw a 200% increase in its mobile application downloads and a 250% increase in overall transactions. MobiKwik saw an increase of 200% in its application downloads within a few days. Other companies within this domain, such as Oxigen and PayU, have also seen a rise in their service usage.

Resultant trend may be vulnerable to security threats

This new trend is certainly heading in the right direction towards digitization; however, there is a risk of turning a blind eye to the security aspect in the whole process of adapting to this digitized lifestyle. The Nordea Bank Fraud incident that occurred in 2007 is a classic example of an e-banking cyber-attack, where perpetrators infected unsuspecting customers’ systems with malware that stole login credentials, and made off with over 1.1 million US dollars. Not even major financial corporations like VISA, PayPal, and MasterCard are immune to cyber-attacks.

The security standards and precautions have certainly evolved since these high profile attacks. But the speed of technological developments and their integration into our economy far exceeds that of the defense mechanisms and protocols in place to mitigate any cyber-attack on these developments. It goes to show that the two do not move in parallel and that defense is reactive in nature, which ultimately begs the question: Is it safe to utilize these new payment platforms?

PayTM, for instance, is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and a few other international dealers. This is an essential certification for companies that store credit-card info. PayTM also uses 128-bit encryption technology to encrypt any information transfer between two systems. It takes more than 100 trillion years for a hacker to crack a password under 128-bit encryption. Needless to say, transactions via PayTM are fairly secure. Other companies like MobiKwik also employ the 128-bit encryption technology. This is a common security measure that companies dealing with credit card information and transactions deploy; hence there is little doubt that companies taking advantage of demonetization are employing their share of precautions for secure transactions.

Is that secure enough?

But these precautions won’t make us invulnerable. There are other things aside from the login credentials that hackers target these days. For example, just a few days back, hackers breached the database of Three Mobile, a British mobile company, and stole private information on six million users. Another example is the recent massive data breach of Indian bank networks that compromised over three million users’ financial data. The breach occurred between May 25 and June 10, victimizing major banking companies, including HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. This stolen data can be sold underground, used for identity theft, or used to strengthen brute force attacks for further personal attacks.

These breaches may appear sophisticated, but there are other, easier methods that anyone with basic IT skills can deploy. For instance, here is an article by a hacker displaying the HTML code used to fake the PayTM website. Using a spoofed site, a hacker can use phishing tactics to gain login credentials from unsuspecting users. Other tactics include fake mobile applications or spyware that steal information, social engineering tactics that make you reveal your login credentials, etc. This is nothing new, however; spoofing, phishing, and spyware have plagued the IT security industry for more than a decade, with their tactics getting increasingly sophisticated.

But if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, still experienced cyber-attacks, what does that imply about unsuspecting users? Most new users were forced onto the digital payments bandwagon due to the currency demonetisation, especially street vendors such as the Chai-wallas and Pan-wallas, who were primarily reliant on cash payments before the demonetization and were quick to adapt so as to maintain their revenue. Are these new users aware of the security risks involved here? I highly doubt it. Even if they are aware of the risks, whose responsibility is it and what precautions can they take to minimize damage from future attacks?

Whose responsibility is it?

It is not a single entity’s responsibility. Everybody involved in the process, including companies offering the service, the customers, and the government, should do their share to mitigate cyber-attacks and minimize the damage they cause. The following is a three-pronged approach for companies, customers and the government to mitigate security risks:

[Figure: digital payment risk management]

Companies

All companies that offer platforms or services enabling digital payments should, first and foremost, increase awareness of the risks among their customer base and educate them on ways to secure themselves. They should employ behavior analytics and pattern analysis at their fraud departments to predict suspicious behavior, and stay proactive in looking out for any spoofed applications or websites that masquerade as their service. They should also proactively monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, and implement proactive measures to thwart those tactics.

Government

The Government should also do its share to protect its citizens by minimizing vulnerabilities. It should check if the current policies regulating this platform are adequate, and update them if necessary. It should educate the populace on the risks involved, enforce strict policies and hold companies accountable for not meeting security standards, and minimize benefits that come from overlooking security precautions. It should also strengthen public-private partnership on live information sharing about cyber-attacks and fraud.

Customers

Customers should do their share to minimize damages. They should educate themselves about the risks involved, and take appropriate precautions. Minimize vulnerability with two-factor authentication and routine password changes. Check for an application’s authenticity by looking at the number of downloads and reviews by other users; the higher the number of downloads and reviews, the higher the chances that the application is legitimate. In addition, check for other application releases from that developer. Check for a website’s authenticity by checking for proper spelling of the web address, and check whether the website is secure by looking for a green padlock symbol to the left of the web address and confirming that the address starts with ‘https:’. Keep web browsers updated, as they can recognize illegitimate sites easily. Do not share sensitive information, including login credentials, over emails, phone calls, or chats. Lastly, trust your instincts and double check to make sure you don’t leave yourself vulnerable.

Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution


Unified strategy on cyber security regulation needed – V

 

By Sandesh Anand
There is little doubt that securing our cyberspace is important. Over the last few years, the union government has acknowledged the importance and taken many initiatives to improve the security posture of our cyber infrastructure. However, the lack of a coherent message from the various agencies working on such an initiative can lead to cyber-security becoming no more than a heavily regulated compliance burden.

Cyber Security is complex, but the regulators need to keep it simple.

The “National Cyber Security Policy” drafted in 2013 is an important document. While not yet implemented in full, various recommendations made in that document have been implemented. One of the principal “strategies” of this policy is to create a nodal agency to co-ordinate all matters related to cyber security. The CERT-in was created to fulfill this requirement. In addition, Section 70(A) of the IT Act mandates the creation of another “nodal” agency to protect the nation’s Critical Information Infrastructure. The NCIIPC (National Critical Information Infrastructure Protection Center) was hence created. Finally, regulators of various sectors (banking, telecom, etc.) have understood the importance of cybersecurity and have come up with their own “CyberSecurity guidelines”.

 

Sense the problem?
Let’s take the example of a bank, which wants to implement a cyber security program. In addition to doing all they can to protect their assets (based on their expertise), they also want to make sure all the regulatory boxes are ticked. Given they come under the definition of “Critical Infrastructure”, they will need to follow the guidelines provided by NCIIPC. In addition, RBI has multiple guidelines on how to implement their Information Security program. CERT-in also provides various guidelines on how to implement specific aspects of the bank’s Information Security program.
The story repeats when a breach occurs. NCIIPC has a 24*7 desk to handle incidents on CII (the bank will need to notify them), at the same time, banks are required to notify RBI and CERT-in when a major breach occurs (defining “major breach” itself can be an interesting exercise. Let’s reserve that for a separate post). So in addition to swiftly dealing with a breach, the bank will have to deal with the red-tape of communicating with three different agencies.
Given the complexity of the subject, it is desirable to have multiple opinions on the best way to implement cyber security. However, it is important for the regulatory framework to speak in one voice. Far too often, security is looked at as a bottleneck or a mere compliance requirement. When this happens, the focus of the industry is less about securing their ecosystem and more about making sure all the boxes are ticked. As we figure our way through the maze of cyber security, it is important for our regulatory system to get its act together. There has been talk about a “National Cyber Security Assurance Framework” being developed. Such a framework should work to unite all the current efforts instead of adding yet another layer of regulation for the industry to follow.

 

Sandesh Anand is a GCPP9 alumnus and an Information Security professional. He tweets as @JubbaOnJeans

Mapping Cyber Security in the broader field of National Security – IV

As the cyberspace playing field grows, so do the cyber assets, vulnerabilities and potential threats.

Security cannot be guaranteed and the task of securing a nation is hard. On the other hand, threats to National Security are many. Amongst these threats, in an ever-expanding interconnected world, threats via cyberspace are getting more serious, with each cyber attack giving tantalizing clues of worse things that could happen. In the previous blog in this series about Cyber Security, a brief introduction to the terms National Security and Cyber Security was given. These days, we also come across several other terms related to cyberspace like Information Security, Data Security, IT Security, ICT Security and so on. Quite often, there is a lack of clarity on the scope of each.

 

With the increasing risks of cyber attacks due to the widespread reach of cyberspace, it is clear that measures taken to secure the assets and people of the nation will have to be enhanced and adapted with time. To define an effective strategy, it is essential to understand:

  • the various types of cyber-linked Assets that need to be protected and how they can be classified
  • the Vulnerabilities that exist which could be taken advantage of by adversaries
  • the various Threats possible and how they can be classified
  • what measures are needed to Protect these assets, how to Prevent and Deter such attacks and how to Respond appropriately if an attack occurs.

In the broader realm of National Security, assets of a nation can be classified into two types:

  • Tangible Assets (Critical Infrastructure, Banking Institutions, Food, Water, etc)
  • Intangible Assets (Identity, Privacy, Reputation, Governance, Public Confidence etc)

To classify the subset of assets whose protection falls within the purview of Cyber Security strategies, one good approach could be to split the assets first based on whether they are information or non-information related. Borrowing the methodology adopted by Rossouw von Solms and Johan van Niekerk as explained in their paper titled From information security to cyber security, information can further be divided into Digital and non-Digital. The latter includes information that is stored in print or writing, for example, books, files, art works, etc. Digital information corresponds to information stored in digital forms like memory disks or memory drives. The scope of Information Security covers protection of information of all kinds, be it digital or not, and that of systems, tools, objects and various means that are used to store them. It also includes aspects like authorized access, secure transmission and usage of information.

Digital data relies on special hardware and software for its storage, processing and transmission. These are typically grouped together under Information and Communication Technology (ICT), which includes hardware assets (like personal computers, servers, data storage units, and telecommunication networks), software assets (like software programs) and associated application databases and services. Protection of ICT assets is a subset of Information Security and normally comes under the scope of ICT Security or IT (Information Technology) Security. It also includes protection to ensure authenticity, non-repudiation, accountability and reliability of digital information.

The trend we see is that the reach of ICT technologies to store, process or transmit information is expanding and hence, the scope of IT/ICT Security will soon form a large part of Information Security.

Cyber related information assets are tangible assets. There are also non-information assets that rely on ICT infrastructure for their operations. These include power grids, medical facilities, etc. Cyber attacks can not only target ICT systems but can also be carried out using ICT systems to wreck operations of other non-ICT systems or infrastructures. In addition to this, there are also intangible assets that are more people-centric like identity, trust, reputation, privacy, brand name, social status, etc. In some cases, the information itself can cause a security threat through subversion or propaganda.

Any adverse impact on these non-information based assets and intangible assets can have direct or indirect financial and non-financial implications. Examples include attack via cyberspace to bring down the power grid, cyber terrorism, hacktivism, etc. Though it is quite often hard to quantify the losses due to cyber attacks on intangible assets, the importance of securing these assets from cyber attacks is paramount. Therefore, the scope of Cyber Security is wider than IT Security. It is not just limited to ICT protection, but also includes protection of people and systems which use or interface with ICT systems (see security boundaries venn diagram below). The scope of cyber security is increasing progressively with time as more and more people and systems get connected to the cyber space (as shown by the red arrows in the diagram).

Security Boundaries Venn Diagram

Hostile attacks via cyber space occur due to Vulnerabilities that exist in the system. Cyber technology is a mix of computer hardware and computer software written to perform a specific functionality. Vulnerabilities that exist in ICT systems are openings for potential cyber attacks. Taking a cue from the Routine Activity Theory (Cohen and Felson 1979) that states that crime rate trend is dependent on the convergence in time and space of three basic elements: Motivated Offenders, Suitable Targets and Absence of Capable Guardians, in cyberspace too, motivated offenders will always be on the lookout for vulnerabilities in the system.

Vulnerabilities need not be in ICT hardware or software systems; they can also be due to bad processes and bad practices by the people using them. Quite often, people are the weak link in a secure system. While every effort can be made to make a product secure enough to be fully resilient to attacks, through security audits, exhaustive penetration attack testing, etc., vulnerabilities will exist, and they will become known only when some attack exploits them, either as part of some authorized testing or when used to perform some malicious attack. Hence, management of vulnerabilities should follow a continuous improvement cycle, so that, with each iteration, the count reduces over time.

And with these vulnerabilities comes the Threat of attacks. Cyber Attacks at a very broad level can be classified into two main categories, which overlap each other:

  • Cyber Crime
  • Cyber War

Cyber attacks like Cyber Espionage, Cyber Hacking, Cyber Subversion and Cyber Sabotage fall in the overlap area as they can be classified as acts of cyber war or just cyber crime or both, depending on the actors involved and the objective of the attacks. Cyber crimes typically have a legal framework to deal with such incidents, unlike cyber war attacks.

[Figure: Cyber Crime and Cyber War]

From a cyber crime perspective, Wall (2007) suggested a good way to categorize the type of crimes:

  • computer integrity crimes: offences relating to the confidentiality, integrity and availability of information or computer systems
  • computer-assisted crimes: offences assisted by computers
  • computer content crimes: offences that focus on the content of computers

Now that we have tried to map the various types of assets that have a touch point with cyberspace, the kinds of vulnerabilities that can exist and a classification of the types of cyber attacks, the question that arises in the Indian context is ‘Is India’s National Cyber Security Policy 2013 and the Legal framework able to address the challenges of Cyber Security today and in future?’

In the next blog, we will delve deeper into the different types of cyber crimes and also deliberate, with a few examples, the various cyber conflicts on whether to classify them as acts of cyber war or other. We will also make an attempt to look at what legal frameworks are available in India to deal with such cyber incidents today and what more is needed.

Sudeep Divakaran is a Research Scholar at Takshashila Institution


Cyber Security: It is not about securing the Cyberspace alone – III

The lack of a universal definition of Cyber Security is a challenge. Is it so expansive and dynamic that it is hard to define?

The World Economic Forum highlighted that two out of the top ten global risks in 2015 are Cyber Attacks and Data Fraud or Theft. The priority to secure the nation from such risks is getting bigger. So, the question that arises is, what all do we need to protect and how much should we do?

In the face of these fast moving developments in the technology sector coupled with strong interconnections amongst people and systems via cyberspace, the strategies and procedures for National Security need to adapt continuously. An effective strategy is needed to minimise new gaps that appear due to advancements in cyberspace. To go about this, we first need to look at

  • the various types of Assets that need to be protected and how they can be classified
  • the various Threats and Attacks possible and how they can be classified
  • what measures are needed to protect these assets, how to prevent and deter such attacks and how to respond appropriately if an attack occurs.

National Security at a very broad level covers providing security of all assets, including critical infrastructures and the citizens, protecting the economy and various operations, ensuring safety and health of the public, countering any internal or external attacks, etc. Threats can be of various kinds like war attacks, terrorist attacks, etc. The Tallinn Manual defines Cyber Attack as a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.

Among all these assets, Information and Communication Technology (ICT) forms one key part of the assets which need protection. ICT includes all forms of information storing and processing computer systems (hardware/software), electrical and electronic equipment, telecommunication equipment, etc. In cyberspace, in addition to the ICT infrastructure, information that is stored or transmitted is of prime value. Confidential information must be protected from illegal access and manipulation, and all information should be available for access when needed to the person(s) authorised. The goal of Information Security is to ensure the preservation of confidentiality, integrity and availability of information stored in any form – be it digital (like in a hard-disk or memory device) or print like books or any other form that is possible. The term Information Security is used more on the corporate side to refer to information in cyberspace.


To begin with, we can say that Cyber Security applies to security of ICT assets and all information related assets in cyberspace. ISO defines it as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”. The Indian National Cyber Security Policy 2013 defines Cyber Security as a measure “To build a secure and resilient cyberspace for citizens, businesses and Government. To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.”

The paper by Rossouw von Solms and Johan van Niekerk titled “From information security to cyber security” makes this distinction between Information Security, ICT security and Cyber Security. It also widens the scope of cyber security to include assets like people, who could be indirectly impacted by acts that use ICT-based systems as one of the means to carry them out. The paper argues that not all of Cyber Security is necessarily a subset of Information Security. Instead, there are cyber security threats that don’t form part of the scope of Information Security. Examples highlighted are Cyber bullying, threats to non-information based home assets that are automated, Cyber Terrorism, illegal sharing of data, etc. The Venn diagram shown below gives a high-level picture using the concepts listed above.

[Figure: Venn diagram]

So, given the wider scope, Cyber Security can be considered as measures adopted

  • to protect the assets (including people), which are part of cyber domain or have links with the cyberspace, from threats of attacks
  • to preserve confidentiality of information, integrity and availability of networks and infrastructure and
  • to build a resilient framework to prevent and deter any attacks and to respond to them accordingly if they occur.

In the next blog in this series, we will elaborate on the Venn diagram shown above to break down the various assets and categorise them into different security types. We will also take a closer look at vulnerabilities, types of threats and causes for cyber attacks.

Sudeep Divakaran is a Research Scholar at Takshashila Institution


The penchant to get interconnected is unstoppable – II

Vast interconnections help greater access to information and enable the path to greater knowledge, application and even prediction. Having an edge with a little caution matters!

Communication, data collection and analytics will foster economic growth and, for some, may even help in predicting the future. Being able to predict the weather, stock markets, energy supply, prices of commodities, market potential, etc. based on various data points and statistical analysis has seen increasing demand. Today, in an interconnected world of cyberspace, a place where we have people-to-people communication, people-to-machine communication and machine-to-machine communications evolving at a tremendous pace, the opportunities opening up are galore. And for India, with its vast population and economic potential, cyberspace technologies are key to minimising inefficiencies and implementing effective solutions that can work at scale. On the other hand, highly networked interconnections will also bring along their share of vulnerabilities which can be exploited. In the first part of this series of blogs on Cyber Security, the broad definition of Cyberspace was provided together with a brief introduction to the questions around Cyber Security. Before going into the details of Cyber Security, it is essential to look at the trends and reach of cyberspace in India.

The TRAI report on The Indian Telecom Services Performance Indicators for the period July-September 2015 showed that newly added broadband Internet subscribers are growing faster than newly added narrowband subscribers, and there is a clear indication that Indians are accessing the internet more via wireless than wireline technologies. The impact of the challenges faced in laying cables to connect all areas in India, particularly rural areas, is now to some extent mitigated by the wireless alternative (e.g. the National Optical Fibre Network project in India, initiated in 2011 to connect 2,50,000 Gram panchayats using optical links, is facing huge delays). The total number of internet subscribers touched 324.95 million at the end of September 2015, with wireless internet subscribers accounting for more than 93% of the subscriptions.

While mobile devices enable faster penetration of the internet today, wireline solutions like ADSL, Cable Modem and Optical Fibre to home solutions will also gain traction along the way due to their higher bandwidth capability, lower cost and wider application base (like Audio/Video streaming).

Globally, in the Information and Communication Technology (ICT) sector, we are seeing a massive growth in internet users since 2000. ITU’s ICT Facts & Figures report shows that the number of internet users has increased to 3.2 billion in 2015 from just around 400 million in 2000. Internet penetration grew seven-fold from 6.5% to 43% between 2000-2015. As per Ericsson’s India Mobility Report June 2015, India is one of the fastest economies using mobile for accessing the internet. The number of smartphone subscriptions is expected to grow at a CAGR of 35% from 2014 to 2020, reaching 750 million subscriptions. The total data traffic is expected to touch as high as 2800 petabytes per month in 2020, which is a 55% CAGR growth compared to figures in 2014. The usage of mobile data services is seen in all segments like Audio/Video streaming, Social Networking, E-Commerce, Instant Messaging, Banking and Finance, Emails, etc. Globally, India grew the fastest in terms of net subscriber additions in Q3 2015.

From Digital India to Smart Cities, technologies like Internet-of-Things will bring more devices connected to the internet (not limited to PCs and mobile phones, but also household appliances, automobiles, homes, etc.) and enhanced services via cloud-based technologies. The cyberspace environment is going through a transformation which will make it very complex. Cisco predicts that there will be 50 billion devices connected to the internet by 2020, that is an average of ~6.58 devices per person. And if we consider only the actual number of internet users in 2020, this figure would be much higher.

However, the increasing interconnections will raise the chances of vulnerabilities in the system, making users more prone to security risks. Given that the benefits of connecting to the Internet outweigh the economic costs of cyber attacks, nations need to focus more on how to tackle the challenges of cyber security. ITU’s Global Cyber Security Index report released in April 2015 made an evaluation of India’s Cyberwellness profile. Interestingly, India was ranked 5th in the Global Cyber Security Index (the rank was shared with six other countries). While this may be commendable, a word of caution to note (also mentioned in the report) is that this ranking is based on data concerning the commitment and preparedness of the country and does not really take into account the detailed capabilities and possible vulnerabilities in the cyberspace systems – which is also critical.

In this information age, the question that arises is how prepared is the nation to handle cyber attacks? Do we know the vulnerabilities in the systems we use, and are we able to take appropriate actions immediately? What level of cyber security awareness do users have? What are all the key critical assets that need to be air-gapped to prevent any catastrophic impacts due to cyber attacks? With the ever increasing value of the information of a billion people, and with the ability to control critical infrastructure and business/household systems from remote locations, do we have the right capabilities and capacities to protect the citizens and systems, to respond swiftly to minimise the impact of an attack, and also to have in place appropriate measures to prevent or deter such attacks?

In the next blog in this series, we will look further into the scope of cyber security in the context of National Security and beyond.

Sudeep Divakaran is a Research Scholar at Takshashila Institution


From Cybernetics to the web of Cyberspace – I

A look at the origins of the word ‘Cyberspace’ and questions around it.

“Is Science a boon or a bane?” – a topic for essays in the past! Today, topics of more interest are “Is Cyberspace a boon or a bane? How about Machine Learning and Artificial Intelligence?” Perhaps, in future, one can just ask the machine for an answer!

Without going too far into the future, it is interesting enough to look at cyberspace today and follow the influence of cyber technologies in society. It is no surprise when we read reports of teenagers born in the internet age fearing a life without internet. While the pros and cons of cyber technologies are being analysed by policy makers, it is obvious – Cyberspace is here to stay.

What is “Cyberspace”?


It was André-Marie Ampère who first introduced the word cybernétique in French in his book Essai sur la Philosophie des Sciences in 1834. However, the word cyber got closer to its current meaning in the 1940s, from the word Cybernetics, coined by scientist Norbert Wiener in his book Cybernetics, or Control and Communication in the Animal and Machine. Cybernetics originated from the Greek word ‘kybernḗtēs’ (also spelt kubernetes), which meant ‘steersman’ or ‘rudder man’. The verb version meaning ‘to control’ or ‘to steer’ was used in the context of the new science of controlling machines and even people, using a set of interconnected control and communication systems.

A decade later, the shortened form ‘cyber’ started getting prefixed to form new words like cyber-punk, cybernetic organism (which later got shortened and popularised as ‘cyborg’), etc. It was only in the 1980s that the word ‘cyberspace’ was popularised by William Gibson in his science fiction novel ‘Neuromancer’ in a very imaginative way as “A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts . . . A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non space of the mind, clusters and constellations of data. Like city lights, receding….”

The compound word Cyberspace is also sometimes used differently with a hyphenation like ‘cyber-space’ or with cyber as a prefix as ‘cyber space’. Based on sources from Google Ngram Viewer, the compound word ‘cyberspace’ is more commonly used.

The International Organisation for Standardisation (ISO) defines cyberspace as a complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form. The Indian National Cyber Security Policy 2013 defines cyberspace as a complex environment consisting of interactions between people, software, and services, supported by worldwide distribution of information and communication technology (ICT) devices and networks.

Based on various definitions by different countries and organisations like that initiated by New America, Cyberspace can be summarised as:

  • It is a complex environment comprising a global network of interdependent IT infrastructures, telecommunication networks, storage systems and computer processing systems, which form a part of the Internet
  • It enables exchange of information and interaction of people and machines like computers where information can be created, deleted, stored and processed
  • It is a mix of public and private virtual space without borders

Every node that is connected to this cyberspace, be it a machine which works independently or a human connected to it through some device, is reachable from another node located anywhere. Access to the node depends on the access permissions and security walls built around it. Due to the exposure to malicious attacks and cyber-related crime, security of data and identity are becoming crucial. Do we have sufficient data about cyber incidents, and are we able to measure the economic cost of such incidents?

Cyber Security has been gaining importance over the past decade. In the World Economic Forum’s Global Risks 2015 report, cyber risk is one of the top ten global risks. Many other related terms are often used in the context of Cyber Security like Cyber attack, Cyber crime, Information Security or IT Security, Data Security, Cyber Defence, Hacktivism, Cyber bullying, etc. What do they all mean and how different is each from the other? Is there a common definition used globally for all? What is its trade-off with Privacy and Freedom of Expression?

Moreover, efforts are being made to analyse how the new dimensions of such extensive real-time connectivity without borders are changing the way people go about their decision making. What do studies in cyber sociology teach us about the behavioural changes seen in people when using or interacting in cyberspace?

Cyberspace technologies have helped transform businesses and have fuelled economic growth during the last 15 years. The extent of its reach is expedited with increasing adoption of mobile devices, giving instant access to the internet both indoors and also outdoors. Social media and social networks are changing the way people interact and get access to information and respond. How are social media and networks influencing governance, balance of power, social and political stability?

In this new series of blogs on Cyber Security and related topics, we will explore the above questions. In the next part, I will provide an overview of the penetration of internet in India and also, broadly define Cyber Security, Cyber Crime and Cyber Defense in the context of National Security.

Sudeep Divakaran is a Research Scholar at Takshashila Institution
