Cyber Security: Threats and Challenges
Printer-friendly versionSend to friend
| Image 2 of 3 |
Cyber Security: Threats and Challenges : First Session

First Session

Introduction by Air Chief Marshal S.P. Tyagi

A seminar on the subject of “Cyber Security: Threats and Challenges” was held at the VIF Seminar Hall on 9 September 2010 from 10.30am to 15.30 pm. The morning session was chaired by former CAS, Air Chief Marshal S. P. Tyagi. The eminent speakers were senior telecom analyst Mr.. N. K. Goyal, Vice Admiral (Retd) Raman Puri (former Chief of the Integrated Defence) and Commander (Retd) K. K. Chaudhary. The afternoon session was chaired by Ambassador Satish Chandra, former Deputy National Security Advisor, and was addressed by Lt General (Retd) Aditya Singh, former Southern Army Commander and Mr.. Vipin Tyagi – Director C-DOT.

Both the sessions were highly interactive with a number of serving Armed Forces officers and members of the National Security Council Secretariat exchanging their views and insights on the subject.

In his welcome remarks, Mr. Ajit Doval, the Director VIF (former Director of Intelligence Bureau) underscored that “our dependencies define our vulnerabilities”. Cyber space, he said, was now a huge dependency and hence had become a major vulnerability. There was a need for situational awareness in this critical realm, he added.

Mr. Doval, a former Director of Intelligence Bureau, commented that while technology was important in the cyber security domain and a lot of counter measures will come from it, technology “by itself will not be able to provide the solution”.

“People are extremely important in terms of their capabilities, training, intentions and the processes. In all our security related agencies and work we will probably have to rethink and rework on making them more streamlined and effective against the threats we face”.

Air Chief Marshal S. P. Tyagi (Retd) referred back to the days of the “analogue generation” to make the point that “we live in a very different and digitized world”. India is stepping out into a new dimension. The role of Indian military is undergoing change. In this new world, both national interests and security challenges lie even beyond geographical boundaries, he said.

The former IAF Chief remarked that due to this changed scenario, India will have to get into the world of cyber security and cyber warfare. The primary purpose of this foray, he said, is to attain full freedom to use cyber space, while denying it to others with hostile intentions. “No longer is the business of security a responsibility of security agencies only, he commented.



INFRASTRUCTURE ISSUES FOR CYBER SECURITY & TERRORISM by Mr.. N. K. Goyal, President, CMAI Association of India

Mr.. Goyal first introduced his organisation as “a professional trade body across ICT sector covering communications, electronics, multimedia, IT, VAS, telecom operators, infrastructure, civil aviation, alternate energy, hardware and software etc”. CMAI has signed more than 54 MoUs across the globe. It lays special emphasis on promotion of environmental friendly policies and to cultivate generally good values in public and general awareness and protection of cyberspace. It also assists strategic operations, trade, businesses and manufacturing.

Mr.. Goyal then highlighted the “dichotomy” in India, the world’s largest democracy with diverse people, cultures and signs of breaking up. India is a high-tech country but suffering from basic necessities of food, shelter, education and medical facilities. She is a global economic player, but lost in national priorities.

Taking the gathering back to pre-1990 telecom era, he said till that time fixed line and long waits for a telephone connection were the norms. The telecom network was owned by the government and it was for one to one voice only. Several known players were in the fray in local manufacturing, like BEL, GCEL, ITI, Tatas, Modi, JK, Usha, Arvind Lal etc along with MNCs such as Alcatel, Ericsson, Motorola, Nokia, Siemens, etc. National Telecom Security in those days had limited implications mainly limited to protecting eves call dropping and allowing lawful interception. Post paid billing secured verifiable customer identity.

In post-1990, ownership has shifted to private players with substantial foreign equity, where prime consideration is profitability. Voice has been shifted to data and increased use for economic activities, banks, aviations, hospitals, power etc. Therefore, national security issues today encompass economic disruption as well.

The closed fixed network has shifted to Open IP, where all network can be connected seamlessly without human intervention. Operators are becoming just carriers and actual data resides at edge of network, which is open. So Network security issues too are much enlarged at present.
The IP Network designing was never planned for security considerations. Its main emphasis is on open and transparent network. Globally Information Warfare (IW) includes new frontiers for National security. It includes not only protecting own network but also planning attacks on others. Already some Countries like China, USA and Israel have full-fledged IW Brigades.

Continuing to describe, Indian issues in Telecom Network of the post nineties era, Mr.. Goyal said that mobile revolution has been very successful. It has witnessed an exceptional growth of 600+ millions today with world highest monthly additions. On the flipside, landline emphasis is missing. Imports are allowed freely without any duties, specifications, testing, evaluation and certification. Local Indian and MNC manufacturing is gone with large scale dependent on imports that too on price considerations rather than quality and strategic issues. New technologies are in place without locally available expertise. We have lost sight that new technologies come with several riders and inbuilt growth for spanners, cyber attackers and mal virus threat etc.

Customer identity has been lost somewhere in growth, he said.



Economic Integration beyond national territories

Global economic integration creates new kinds of risks for national security. Foreign ownership of telecommunications services is one such risk. The technological improvements that made communications technologies better and cheaper can also make interception more difficult. These improvements included the use of fiber optics, packet switching, strong commercial encryption, and the spread of Voice over Internet Protocol (“VoIP”). In the earlier territorial concept of security, borders were clearly demarcated, industries were national, and key services were state-owned or provided by national firms. This made the management of security tasks (Such as communications interception) easier for national authorities.

However, the economic underpinnings of this territorial approach have been eroded. Agreements on international trade and finance, buttressed by technological developments, have made it easier for nationals of one country to own and invest in companies and provide services in another country. International agreements to remove regulatory obstacles for foreign ownership, combined with national economic policies that privatize and deregulate key services are increasing the integration of national economies.



New technologies new threats

Information security breaches/spamming/ attackers/internal misuse have increased in recent times. Instances of customer data threats, identity thefts, secondary use of personal data etc are keeping pace with every day new technologies.

With globalization comes threat from across the borders to protect the systems. And these network security issues are for operators and citizens both. Modern era economic war is gaining more prominence than physical war. Entire Country -- airports, railways, power generation-- can be brought to standstill and virtually collapsed though modern day war machines.

This situation requires a basic decision. Should we forget national security to avail latest technologies? Where will we be, if national security is compromised? Obviously, the state of affairs calls for better security and Internet Governance. Already we are seeing disturbing signs. Wifi was used for terror emails for Delhi blasts in September 2008. It was traced to a residence in Chembur, Mumbai, and Prior to Ahmedabad blasts in July, 2008 an email was traced back to the residence of US national Kenneth Haywood in Navi Mumbai.

Technology is also being very widely used in all sorts of crime ranging from credit card fraud to data theft to simple defamation. Regulatory requirement, therefore, is the need of hour to avoid unsecured wireless networks as also National security requirements.



Cyber security economics…Despiriting realisation

Current economic incentives actually favor cyber attackers. It is due to the reason that cyber attacks are comparatively cheap and easy to execute and the profits that can be generated from cyber attacks are enormous. Because of the typically long distance physical proximity, there is very little risk of being caught or suffering retaliation. The cyber defensive perimeter, therefore, is nearly limitless and the losses are difficult to assess. Defense is costly and often does not generate perceived adequate return on investment.



Mobile new threats

New technologies related to Blackberry, VOIP, Skype, Goggle Voice, Satellite Phones etc are raising questions. There are cell phones without IMEI numbers or with duplicate IMEI numbers. There is no central mechanism to prohibit stolen phones being used. Addresses of customers are usually not verified. There are multiple phones at same address without knowledge of customer



Laws in UK

In UK, all messages are sent and received by members of the Foreign & Commonwealth Office and its missions overseas. They can be monitored and/or recorded in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Government there keeps and uses information in line with the Data Protection Act 1998. It may release this personal information to other UK government departments and public authorities.



European laws

European Union is tightening legal loophole in current lawful intercept laws so that European law enforcement can listen in on phone calls traveling over the Internet. This is due to problems Italian authorities are facing criminals using both VoIP and Skype to frustrate investigators.


Promotion of specific technologies around the world

In Israel, 24 Investment companies have been recognized by the government. Each is to promote 10 innovations per year. Govt. gives 0.5 Mn. US$ each which totals 5.0 Mn. US$ each investment company each year. This amount is not to be returned except when investment co. winds up or innovative co. goes IPO. Success is expected in 7-8 years.

In China, companies tend to establish cooperative R&D labs with universities and research institutes to back up their business development, which provides affluent fund for universities and research institutes to purchase test equipment. Besides telecom, the defense and aerospace sectors have become the hubs of activity for test equipment vendors. The deteriorating security environment and intensified focus on homeland security have accelerated spending on the aerospace, military, and defense segments. The Government is intensifying efforts to modernize its armed forces and the deployment of high-tech weaponry unlocks a host of opportunities.



Some telecom scandals

Vodafone is alleged to have spied on its own directors during the boardroom dispute over the strategy being pursued by Arun Sarin in 2006 which lead to the departure of chairman Lord MacLaurin and the resignation of former chief executive Sir Chris Gent from his role as life president. There is an ongoing scandal engulfing Germany's Deutsche Telekom which has also been alleged to have spied on its directors to shut down leaks to journalists. Czech Republic television has alleged that T-Mobile breached data protection laws when it passed customer details to a partner bank, Komercni banka for a co-branded credit card service.



Questions about unusual global technological trends

Is there a tendency to market newer more expensive technology because the promised technology results are not delivered in existing technologies for various valid reasons?

Is there a trend to create lots of hype for a technology which is expected to be available in market may be after 2-3 years?

Is anybody analyzing the actual speed and results delivered on existing technology as was hyped?

Is it a fact that announcement of new things are made based on ideal conditions and higher spectrum, which in ordinary case are not feasible in actual conditions?



Technology is crackable

Israel Weizmann Institute of Science, Faculty of Mathematics and Computer Science have developed a theoretical attack to hack the protective 3 G encryption in two hours using a PC. 96 key bits in a few minutes and the complete 128 bit key in less than two hours. German engineers hacked A5/1 encryption method of 2G GSM handsets.

At the end of his presentation, Mr. Goyal referred to report "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" prepared for the US-China Economic and Security Review Commission by Northrop Grumman Corporation.

He said that the Chinese have adopted a formal IW strategy called “Integrated Network Electronic Warfare” (INEW) that consolidates the offensive mission for both computer network attack (CNA) and EW.INEW includes using techniques such as electronic jamming, electronic deception and suppression to disrupt information acquisition and information transfer, launching a virus attack or hacking to sabotage information processing and information utilization, and using anti-radiation and other weapons based on new mechanisms to destroy enemy information platforms and information facilities.

The second speaker Vice Admiral (Retd) Raman Puri apprised the select gathering on the “vulnerability of cyber space and our national policy. The former CISC spoke of his concerns when he said that “the state we are in is not good for cyber security”.



VULNERABILITY OF CYBER SPACE AND OUR NATIONAL POLICY by Vice Admiral (Retd) Raman Puri

Introduction

Cyber Warfare has become one of the biggest challenges faced by the nation in recent years. It threatens national security via the intricate networks of our critical infrastructure through online and virtual attacks. The problem is that an electronic attack can be large, widespread, and sudden - far beyond the capabilities of conventional predictive models to anticipate. We are already today engaged in low-intensity cyber conflicts, characterized by aggressive enemy efforts to collect intelligence on the country's weapons, electrical grid, traffic-control system, and even its financial markets. The Services that are dependent on Internet based systems have their very important, if not critical information assets, are therefore precariously exposed. Few of the incidents around the globe can be an eye-opener in proving how serious the vulnerabilities in cyber space could be:-

  • Multiday attacks against CNN and Yahoo in 2000.
  • A distributed denial of service (DDOS) attack was launched against government websites in Georgia, before and during the armed conflagration between that country and Russia.
  • In 2007, a similar assault was launched against government and commercial computer networks in Estonia.
  • In 1982, a three- kiloton explosion tore apart a natural gas pipeline in Siberia; the detonation was so large it was visible from outer space. Two decades later, the New York Times columnist William Safire reported that the blast was caused by a cyber-operation planned and executed by the CIA. United States carefully placed faulty chips and tainted software into the Soviet supply chain causing the chips to fail in the field.
  • IEEE Spectrum attributed the success of Israel's September 2007 bombing raid on a suspected Syrian nuclear facility to a carefully planted "kill switch" that remotely turned off Syrian surveillance radar.
  • Repeated attacks of our own Government websites.

Undeniably, information technology and the Internet have now developed to such an extent that they have become a major element-comparable to nuclear forces-of national power. Even Inta Nets which use Public Switching/Routing at some points, or hardware which is vulnerable are not quite secure. During the Cold War, nuclear deterrence was able to keep the United States and the Soviet Union in check. Based on that logic, then, cyber deterrence could play a similar role in the information age.



The Weapons of Mass Disruption

The specific features of these weapons are their capacity for cross-border use, the covert and anonymous nature of the preparations they allow for hostile actions in cyberspace, and the difficulty of averting and appropriately responding to such attacks. When repelling a cyber attack, the target will not be aware of the motives of its source, and therefore will not be' able to identify what is occurring as a criminal, terrorist, or military-political act. Military cyber attacks can easily be disguised as criminal or terrorist acts. Moreover, it is often very difficult to reliably determine precisely what country such actions were carried out from. And even if the country is identified, it is very difficult to prove that the attack was carried out specifically by its armed forces. This underscores the need for the world community to safeguard the information infrastructure with a systemic approach that factors in the entire array of threats to cyberspace and their asymmetric nature. It would also be helpful to study the possibilities of creating an international system for identifying the source of any "hostile" action involving the use of ICT. In order to safeguard the security of cyberspace at the national level, we should identify and study the actors in cyberspace, including the "enemies" operating there. Today we can identify the following actors:

(a)  Users, Operators and Administrators: These groups do not have a negative influence on cyber security. They are actors who lawfully provide cyberspace resources or consume them.
(b)  Non-hostile Hackers: As a rule, they unintentionally have a negative impact on cyber security, whether they are doing so "just for fun" (settling a bet or dispute, for example) or to show off.
(c)  Hostile Hackers: Their motives include revenge, envy, and self-interest.
(d)  Network Combatants: They can have a positive or negative impact on - cyber security for their own purposes. In network law enforcement, activities are prescribed by law and financed by the state. Other combatants may be secretly financed by state or private entities pursuing covert agendas, and China excels in this area having hundreds of thousands of such combatants available.
(e)  Cyber Criminals: Criminals using cyber as their weapons of choice.
(f)  Cyber Terrorists: Terrorists using cyber as their weapons of choice.
(g)  Governments: State bodies that use cyberspace for military-political purposes information operations today are very much a part & parcel in the planning and execution of combat operations.
(h)  Nongovernmental organisations: Groups that may use cyberspace to promote their political agendas.

All of these actors are growing stronger, building up their capacity to have an impact on cyberspace.

It is essential for policymakers to understand the vulnerability in our cyber space and not view cyber warfare as an abstract future threat and make cyber security a crucial national priority. Given our current structures & compartmentalization in the functioning of our ministries, while there is certainly large general awareness today, there is very little understanding of the vulnerabilities in the cyber space and the ways and means to tackle them.



The Vulnerable Points

Our critical infrastructure is exposed to high risk of cyber attack. This attack could come in one or a combination of many of the following forms:-

Hardware backdoors: A hardware breach is more difficult to detect and much more difficult to defend against than a network or software intrusion. There are two primary challenges when it comes to enhancing security in chips: ensuring their authenticity (because designs can be copied) and detecting malevolent function inside the device (because designs can be changed). One could easily imagine a kill switch disabling the fire-control logic inside a missile once it had been armed or its guidance system had been activated, effectively disabling the tactical attack capability of a fighter jet.

Inauthentic parts are also a threat. In January 2008, for example, the FBI reported that 3,600 counterfeit, Cisco network components were discovered inside US defence and power systems. These systems were reportedly made in China rather than in US itself, Cisco being a US company. As many as five percent of all commercially available chips are not genuine -- having been made with inferior materials that do not stand up under extreme conditions, such as high temperature or high speeds. Because of its inherent complexity, modern electronic infrastructure is exposed to foreign intrusion.

Software backdoors: The Operating Systems made by Trans National Corporate could easily relay information fed into the database. It is difficult to believe that the suppliers of technology could not break into the OS whenever they need and without even a word of caution to the users including in our nuclear establishments, defence, financial institutions and the government.

Communication Pipeline: With increase in FDI cap in telecom to 74%, India had ignored the strategic importance of our communication pipelines. For those who believe that Security concerns in telecom is a myth needs to look at project Echelon, borne out of a US-UK joint agreement on sharing communications intelligence with Australia, Canada and New Zealand as partners. Echelon is a global electronic surveillance network which is designed and coordinated by the National Security Agency (deals with cryptography and code breaking) of the US Government and has been in operation since decades. It is a global network, which can intercept all Telephone, Telex, Satellite, Fax and E -mail communications. As the foreign capital takes control over our telecom companies, there would be no control whatsoever on the hardware equipments imported from them. Information security of our Defence as well as sensitive economic entities like the stock market or banks is, therefore, quite vulnerable. With low level of development of our hardware manufacturing sector, it makes our telecom companies highly import intensive. And what is most exasperating are the lobbies working with great effectiveness representing countries of our national security concerns. As almost all government communications also take place through the public telecom network, opening a part of the public telecom network to foreign ownership is carrying unacceptable risks.

Distributed denial of Service Attack: With most of our hardware, software and communication infrastructure being made and controlled by foreign companies, each and every system, whether in office or at home is vulnerable to bots. These bots are difficult to get detected after they get installed and get active on master's call. The net of millions of such bots can be an easy tool to carry out DDoS attck on our critical infrastructure.



Policy of countermeasure

Control your communication pipeline: Rethink on 74% FDI in telecom. There a need to restrict foreign ownership in telecom. If we look at the US, it is clear why they still insist upon restrictions on foreign ownership of their own communication infrastructure while pressurizing other countries for decontrol. They know exactly how eavesdropping electronically on telephone and other conversation leads to "hard intelligence". The national security agency (NSA) has been listening to such conversations for decades. In today's world, if one country can own a telecom company in another, it makes all this easier as also the added ability to listen to the fixed line communications as well. Owning the physical telecom network in a country gives these agencies thus access to another slice of telecom traffic. It can "mine" this information remotely, without the knowledge of even the operating company personnel by appropriate selection of hardware. And finally, there is no incentive for a foreign company to encourage the development & use of domestically developed and produced secure hardware and this FDI policy in very largely responsible for state of India's hardware industry, with not a single modern Chip making lab in the country.

Indigenize chip fabrication: Small countries like Israel, Vietnam, Taiwan and Singapore export more chips than what they consume. Local equipment manufacturing in India was less than $33 billion in 2007, almost a sixth of China. Without government impetus, domestic consumption would not make a case for fabrication units here. The Indian semiconductor industry is going through an evolution stage and it will benefit to have a fabrication unit at the core of the semiconductor ecosystem. China, Taiwan and other European nations started on the semiconductor manufacturing path domestic market for the same encouraging companies to continue researches further to make more robust, user-friendly and patch-ready.

Adopt Private-Public Partnership: We need to involve the private sector as it owns 85 percent of our nation's information infrastructure. According to McAfee estimates, businesses worldwide saw up to $1 trillion in data stolen through cyber espionage last year. This is an unparalleled loss of intellectual property. To protect our information networks against espionage, crime, and attacks in cyberspace, we need an unprecedented private-public partnership.

Build up international alliance on security of cyberspace to thwart the threat of Cyber MDs: All the actors of cyber space are growing stronger, building up their capacity to have an impact on cyberspace. As a result, the makeup of a system of international and regional cyber security needs to be based on the idea of establishing a universal and comprehensive regime of international law that does not allow the use of the internet for military-political purposes and ensures that it functions in a year ago. Even though we are late getting into the game, it is worth making more investments and government support to compete with pothers on price or cutting-edge technology. A lot needs to be done to develop a government-industry partnership in R&D and production of ICT hardware, robust infrastructure, efficient supply chain, a broad ecosystem of industry suppliers and a receptive financial environment.

Build own Operating System and API's for foreign application: Operating system is the basic interface between hardware and application software. Though, India has recognized the importance of having an indigenous low-grade, but clean, software to nix the chances of foreign states infiltrating computers in India. However the initiatives taken in that line is primarily with an objective of using this for key government computers only. The low-scale use of such operating system will not only make this user-unfriendly, where the population is floating, less computer savvy, and used to established OS at home and office. A national policy of use of indigenous OS on all computers in India will not only keep the user-density high but also ensure good work internationally in countering cyber crime by identifying the operating locations, apprehending the suspects, and prosecuting the criminals. Working together, we need concerted efforts to appropriately punish criminal activity, which will aid in deterrence and in countering syndicated global criminal activity. We need to involve the international community in a broad range of other areas as well. Many of the developed nations of the world are as dependent on a healthy, secure Internet as we are, so this is a multi-dimensional, global problem. It's not just India, all other nations of the world are interested in peaceful coexistence on the Internet, So, we all have work to do in achieving peaceful coexistence in cyberspace and we've got to get to work on that now.

Work on United Nations Cyberspace Treaty when it comes to constructing an effective system of deterrence against cyber threats, the best means to that end would be the construction and utilization of a global United Nations framework. The ultimate goal should be to establish a Cyberspace Treaty, which would spell out what constitutes acceptable and unacceptable behavior. This would go a long way towards ensuring peace and security in cyberspace and the process of working in a stable, secure and continuous manner. To achieve these objectives, we must move to carry out the following tasks:

Create an international system of Internet governance, which would call for the transfer of such functions as managing the system of domain names and root servers to the International Telecommunication Union. In this context, it is essential I to take steps to increase the influence of intergovernmental bodies on the creation of Internet protocols, so as to improve the security of their use and to make possible to identify perpetrators of information attacks.

Adopt a universal international political-legal pact that condemns the use of the Internet for military-political purposes. It should also contain definitions recommended by the world community for aggression in information space and for information weapons; ascertain the aggressor's liability under international law; and implement joint measures to minimize the damage to global cyberspace and a specific country's cyberspace. The purpose of this pact would be to bolster the confidence of members of the international community in the global information infrastructure and to reduce the threat of hostile uses of information; towards a United Nations Cyberspace Treaty should help develop a common understanding of all aspects of cyber security among countries at various stages of economic development. All stakeholders need to come to a common understanding on what constitutes cyber crime, cyber terrorism and other forms of cyber threats.



Conclusion

From a historic perspective, international adversaries are also known to enjoy hiding behind "the skirts of the civilians", by building barracks next to schools, headquarters next to hospitals, or building a ghost infrastructure within the urban landscape, right under the nose of civilians themselves, used as bites and insurance for causing-complexity in upcoming attacks. A nation having the hardware and software supplied by others and communication lines in control of other countries - may seem to be developing fast - but may be quite close to disaster in case of a conflict.

When the symbol of evil -Ravana- was dying, Rama asked Laxman to take some learning. What he symbolized was that it is a good idea to learn from the knowledge of others even if they are our perceived adversaries. We need to learn from China - Chinese used their huge domestic market strategically. They first forced the telecom manufacturers to set up plants in China with Chinese partners by making it clear they would accept only equipment manufactured in China. All the Chinese service companies were state owned entities, so all the telecom majors fell in line and set up shop there. Similar steps were taken to ensure the reduction of hardware and software back doors. We need to have vision and will power to achieve self dependence and information security over our adversaries.



DIMENSIONS OF CYBER CRIME: DEFENDING NATIONAL CYBER SPACE by Commander (Retd) K. K. Chaudhary

Introduction

Enhancing cyber security and protecting critical information infrastructures are essential to nation’s security and economic well-being. Deterring cyber crime is an integral component of a national cyber security and critical information infrastructure protection strategy. In particular, this includes the adoption of appropriate defence to reduce vulnerability of our cyberspace against activities intended to affect the integrity of national critical infrastructures. At the national level, this is a shared responsibility requiring coordinated action related to the prevention, preparation, response, and recovery from incidents on the part of government authorities, the private sector and citizens. The formulation and implementation of a national framework and strategy for cyber security thus requires a comprehensive approach. The development and support of cyber security strategies are a vital element in the fight against cyber crime.



Dimensions of Cyber Crime

Imagine, our own people joining the Army of adversaries, of course unknowingly. Spread your imagination little further - large number of people of several countries, friendly or unfriendly, joining the Army of our adversaries for fight against us.

Add some more possibilities – none of these have any illegal arms to get identified or caught and most of those foreigners cannot be charged/killed even if caught!

Look at some more possibilities – the backdoors planted in important chips of our critical infrastructure force the system to malfunction or shut down.
This is not a fiction or a mere imagination.



Some Case Studies

Case Study-I :
In February 1998, a number of Department of Defense networks were attacked using a well-known vulnerability in the Solaris (UNIX-based) computer system. The attackers probed Defense Department servers to see if the vulnerability existed; exploited the vulnerability and entered the system; planted a program to gather data; and then returned later to collect that data.

Over 500 computer systems were compromised, including military, commercial, and educational sites, by attackers using only moderately sophisticated tools. In the end, two California High School students were arrested, who later pled guilty. Their mentor, an 18 year-old Israeli, was also arrested and indicted.

Takeaway: Office servers, networking devices and nodes were not regularly patched, monitored and audited despite a robust security policy. In absence of regular monitoring and audits, these remained vulnerable to attack for a long period of time till the final detection.

Case Study–II :
One of the most notorious cyber-warfare offensives to date took place in Estonia in 2007 when more than 1 million computers were used to jam government, business and media websites. The attacks, widely believed to have originated in Russia, coincided with a period of heightened bilateral political tension. They inflicted damage estimated in the tens of millions of Euros of damage.

These were perpetrated as DDoS attacks, with computers from around the world directly controlled or hijacked by hostile hackers to make bogus requests for information.

Takeaway: Millions of ‘unprotected’ computers across the geography, mostly the home computers, were vulnerable to various social engineering attacks to successfully plant bots in them. These bots were centrally controlled by a master. DDoS attack could be carried out successfully.

Case Study-III :
Hacking of Sarah Palin’s email account. As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birth date, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.”

Takeaway: Ignorance of user on the need of strong password and discipline while interacting on social networking sites made this hacking unbelievably easy.

Case Study–IV :
Wiki-Leaks has released a document set called the Afghan War Diary, an extraordinary compendium of over 91,000 reports covering the war in Afghanistan from 2004 to 2010.

Takeaway: Either the highly protected machines which stored this info were highly vulnerable to enable peeping inside or the insiders could be ‘driven’ to leak out the information embarrassing the entire US administration.

Case Study–V :
March 26, 2010, 08:10 PM — IDG News Service — Operators at NIC Chile noticed that several ISPs (Internet service providers) were providing faulty DNS information, apparently derived from China. China uses its own root DNS server to enforce Internet censorship on its so-called Great Firewall of China, and the ISPs were using this incorrect DNS information. That caused users of the Chile and US based ISPs trying to visit Facebook, Twitter and YouTube were directed to Chinese computers instead.

Netnod, an ISP, which maintains a copy of its root DNS server in China, insists that its server did not contain the bad data that redirected Internet traffic, and security experts agree, saying that its data was probably being altered by the Chinese government somewhere on China's network, in order to enforce the country's Great Firewall.

Takeaway: China has successfully challenged the unilateral US control of the root zone file and has its own root server for Chinese netizens to visit Internet. This not only guarantees the security for netizens visiting from China and raise the linking speed, but also, provides it capability to confuse the other root servers and divert Internet traffic to itself for any analysis especially during the conflicts. A very recent successful attempt to tame Blackberry to set up a root server in China is another example of how China has built up its Great Wall of Internet.

Case Study–VI :
Many Governments (Saudi, Australia, Germany, China – to name a few) have been mulling over banning the Blackberry services in their countries due to the inherent security risk in point-to-point communication. The Government of India has also joined the league and has been pressurizing RIM to set of server in India or allow access to the encrypted messages. Blackberry has seen huge success of its mail/messaging services in the private industry due to point-to-point encryption feature. Under the pressure from industries, several governments are finding it difficult to ban the service despite knowing the fact that such point-to-point encryption facility may aid the communication between anti-nationals, terrorists etc.

Takeaway: Governments across the world have ignored the serious security threat associated with the point-to-point encryption system of Blackberry in favour of its popularity in the business communication. They have been influenced by the industry on the name of business opportunities.



Vulnerabilities that enable cyber crime

Though we are quite familiar with the saying ‘Offence is the best defence’, we need to realize the fact that one successful attack by our adversaries on our weak defence is sufficient to demoralize us and make our cyber weapons quite blurred. Unfortunately, there is no early warning in the incoming cyber weapons as it is not clear if it is sourced from within or outside. In such case, a risk assessment of our computing assets is an absolute necessity.

Vulnerability of computing assets: For the purpose of risk assessment we should classify the computing resources in three groups:

a. Assets on the premises of offices. The computers and communication devices in office premises have accountable and trained owners with defined responsibilities. Generally, there is a security policy based on International standards that the users are supposed to follow.

b. Assets at home. These computers and communication devices are owned by users who are the most ignorant ones in the matter of netiquettes. Most of such computers house pirated software and do not get OS patch and AV DAT updation on regular basis. These are the most vulnerable computing resources and easy targets for hackers to lure them with freebies and install jobmies or bots.

c. Assets at Educational Institutions. These computers are generally governed by a security policy but are mostly used by students. Most of the youngsters are tempted to enjoy the thrill of being at the ‘superhighway’ without any restrictions and download free tools recklessly to explore the net. These computers are generally honey pots for the hackers.

Vulnerability of our Internet Gateways: The unilateral control of US on the root zone file is an area of great concern not only for India but also for all the developing countries. This ensures that whenever we try to visit any-indian-company.com, the query goes to US-based root server and then redirected to India-based resource server.

The issue is so serious that UN has been forced by several developing countries to initiate steps to decentralize the control of root servers. This development represents a grave political challenge to the Internet Corporation for Assigned Names and Numbers (ICANN), which was birthed by the U.S. government to handle root DNS.

Point to note is that China realized the importance of this and Instead of being served by overseas domain servers, it set up its own root server infrastructure that provides DNS function to its netizens. Interestingly, its Network Communications Group signed with US-based VeriSign Incorporation, the world's largest domain name registry services provider, to launch the Chinese mirror root server. By this china has not only been able to control the sites that its netizens should surf and save huge bandwidth of International gateways but also, more importantly, saved the privacy of the Internet behavior of its netizens.

Vulnerability of our Messaging Infrastructure: The absence of fully owned messaging infrastructure has forced our netizens to use freely available infrastructure of MNCs. Most of the Indians have accounts in yahoo, gmail, hotmail etc. The most worrying point is that they exchange sensitive information also on such infrastructure without considering the fact that the materials exchanged remain stored in different countries.

Point to note again is that China realized the vulnerability of its senior officials as the Blackberry service gained popularity. It brought the Blackberry to its knees by ensuring that its server for Chinese netizens remains within the geography of China. Notably, India has also taken the first step in this direction.

Vulnerability of our Software & Hardware: Our dependency on MNC’s operating systems and Database Management Systems is well known. The operating system is the basic software that provides interface between the hardware and application system. A backdoor component of the software can prove fatal for the entire computing resource. The problems multiplies manifold if even hardware is not indigenously made.

Vulnerability of our netizens: A significantly large number of our citizens who use Internet are unaware of the risk associated with Internet surfing and use. Downloading freeware, pornographic material, screensavers, movies and music, sharing of many personal information on the social networking sites such as Orkut and Facebook, using pirated software on machines are few of the most popular activities that expose our people to large number of vulnerabilities. Cyber stalking and cyber bullying have driven many of our young brains to commit suicide; Freeware and pirated software have caused millions of our computers becoming part of botnets.

Our estimates may vary, but these activities consume as much as 60 percent of the Internet’s bandwidth; no one knows how much of this traffic is legitimate, how much violates copyright laws, how much supplies Trojans and bots and how much is a threat to national security. There is absolutely negligible effort on the part of our Government to create awareness among the users and prepare effective conditions to ensure that illegal activities affecting the national security are not conducted due to ignorance.



Recommendations to Reduce Risk

Force end-point hygiene. Each end-point in India, whether at home or at office, must go through a hygiene test, before the ISP provides the Internet connection. The test should check the latest OS patch and AV update and allow the connection only if these are found updated.

Control Internet gateway. In addition to ensuring root server in India, our Government must ensure that all ISPs have sufficient controls of preventing malicious packets entering our national gateways.

Create indigenous messaging infrastructure. We should create infrastructure to have sufficient messaging servers within our geography and force our netigens to use this infrastructure only, at least for all official purpose. The infrastructure should include encryption technologies and should ensure that all mails going to other domains are encrypted with suitable algorithm (asymmetric preferred).

Use media to drive awareness. Nobody is borne unpatriotic. It is mostly the ignorance of the security requirements that people fall into the net of crime and then get coerced to continue in fear of getting exposed. The tendency of using pirated software just to save some money or visiting prohibited sites to quench the thirst of curiosity are few main reasons of getting infected with bots and Trojans or affected by phishing and extortion or getting into anti-national spy net. Government needs to create awareness among its Netizens on the issues related with cyber security. It should also be a mandatory part of syllabus in schools and colleges. A one-semester course in cyber security must be made essential in all B.Tech. Programs.

Regular audit. The information assets of Government offices and critical services of public and private industries are useful targets of cyber criminals. Hence their information security standards must be measured regularly with respect to an International benchmark. ISO 27001 is one such benchmark and all government offices dealing with sensitive information asset must get certified for this.

In US Government’s search for such standards, Paul Kurtz, COO of Good Harbor Consulting, LLC testified before multiple Congressional subcommittees regarding his assessment of the Federal Information Security Management Act (FISMA). Below is an excerpt of Paul's testimony.

"The US government could lead the drive toward a common global standard for the public and private sector to secure information systems by accepting ISO 27001 as equal to FISMA. In addition, acceptance of ISO 27001certification would improve transparency of Federal information security and reduce the bureaucracy and costs associated with current FISMA compliance procedures."

Our Government has also taken step in such direction albeit slow. It is essential that this be taken on priority and public-private partnership be made to ensure regular third party audits of all IT installations in line with ISO 27001.

Develop Research Infrastructure. Government needs to fund research to handle various dimensions of cyber crime in proactive way. Case in point is that the British police forces have begun trials of a sophisticated computer software package which aims to boost their efficiency by predicting where and when future crimes will take place. The system evaluates patterns of past and present incidents, then combines the information with a range of data including crime reports, intelligence briefings, offender behaviour profiles and even weather forecasts and uses "predictive analytics" method. The initial report is that this package is the key factor behind a 31% reduction in overall crime and a 15% fall in violent crime. The system has also been credited with improving morale among officers of the police force by boosting arrest rates and helping them to feel as if they are "making a difference".

Invest in development of fabrication capability. Government needs to facilitate and encourage in developing our own fabrication capability. This will not only ensure a technological independence but also greater degree of assurance towards the functioning of critical computing devices.

Invest in developing indigenous OS and APIs. There have been many attempts in past to develop indigenous operating system and application interfaces, but they remained unsuccessful as most of them were not supported as a national endeavor. Government needs to invest in such efforts and ensure its usage throughout in whatever way it is possible, including passing an Act for its enforcement.



Conclusion

Cyber warfare should not be understood in the narrow mindset of military operation. Military is goal driven with idea of “brute force”. The adversaries are known, the expected directions of launch of weapon are predictable and early warnings can be obtained. Defeating enemies in cyberspace is different there is no early warning and the direction from which attack has been done can be anything including our own computers. Hence a nation's army can not be involved in a true "cyber war" as the hacking just doesn't fit into the military model.

It is an issue in which every common netizen of the country has to be the warrior and play key role. The awareness level of common people, good hygiene of computers at home, institutions and Government offices, adequate control measures at our National gateways, indigenization of hardware and software as far as practicable and regular audit of our information infrastructure are few important steps that we must take to ensure that we do not allow attacks on our computing infrastructure.

In parallel, we also need to encourage some nationalistic hacker groups working independently from the main government, wherein the government doesn't tell these hackers what to do; they just know that in any conflict, nationalistic youths will hack their enemy. This is how Russia and China most probably are doing.

In the discussion that took place at the end of the session, eminent experts aired their apprehensions and gave suggestions. Brigadier (retd) Gurmeet Kanwal, Director of the Centre for Land Warfare Studies (CLAWS), was of the view that 74% FDI in highly successful Telecom Sector should not be "tinkered with till you have a viable solution”. Gen Aditya Singh, who delivered his talk in second session, remarked that exponential pace of change will impact our security. “This is the urgency we need to consider.”

Agreeing with him was the seminar’s organizer Lt Gen (Retd) R K Sawhney: “Majority of our policymakers is blissfully unaware of cyber security. Awareness is absolutely necessary.”



Report on the Second Session


Introduction by Ambassador Satish Chandra

The Chair of the Session began by saying that he became aware of cyber crime and cyber warfare as early as 1994. While he was at NSC there was concern over Cyber Security and Cyber Warfare. A Paper in this regard was presented to the Cabinet Secretary for approval. It was advised that the focus should be on Cyber Security and not Cyber warfare. Ambassador Satish Chandra emphasized that both are an integral part. He criticized defensive mind sets and illustrated that the Indian security perspective should be proactive rather than reactive. He further elaborated that there was a need to be aggressive and if necessary have the capability to engage in Cyber Warfare.

Ambassador Satish Chandra welcomed Lt Gen Aditya Singh and requested him to take the floor.


OFFENSIVE CYBER OPERATIONS by Lt Gen Aditya Singh

He started by citing that the number of incidents have gone up in regard to Cyber crime and it is the greatest mover. He emphasized that according to President Barak Obama, Cyber Crime has caused a 1 trillion dollar loss to USA. He began by Richard A. Clarke’s definition of Cyber War (May 2010), as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption”. He also gave an alternative definition offered by the Economist which describes cyber warfare as "the fifth domain of warfare, after land, sea, air and space".

There are three broad manifestations of Cyber Crime and Cyber Warfare. They are a) Information Gathering, b) Vandalism – defacing web pages or denial of service, and c) Sabotage – DDoS, Destruction of Data etc. He emphasized that it is Sabotage which is of real concern to nations. According to a series of studies conducted by the US there are 175 countries have the capacity to engage in Cyber wars. 140 of which are capable of conducting offensive cyber operations. The studies have identified a top ten watch list in this regard. They are namely, China, Russian Business Network, Iran, Russia tied with France, Extremist/Terrorist Groups, Israel, North Korea, Japan, Turkey and Pakistan. It is evident that two of our neighboring countries China and Pakistan are part of this list of top ten. The speaker pointed out that the linkages are very important factor in understanding Cyber network e.g., Russia tied up with France and a number of Middle East countries use Russian hackers and networks. The speaker quoted that “there are at least 10 countries in the world whose internet capability is sophisticated enough to carry out cyber attacks … and they can make it appear to come from anywhere”, from Craig Mundie, Chief Research and Strategy Officer, Microsoft. Lt Gen Singh cited the example of North Korea which took over a server in UK and used this network to sabotage USA and Australian database in a manner that the attacks appeared to be coming from UK.

The speaker drew attention to the following lines from the USA National Security Strategy report published in May 26, 2010 which says that “Use of Force: Military force, at times, may be necessary to defend our country and allies or to preserve broader peace and security, including by protecting civilians facing a grave humanitarian crisis. We will draw on diplomacy, development, and international norms and institutions to help resolve disagreements, prevent conflict, and maintain peace, mitigating where possible the need for the use of force. This means credibly underwriting U.S. defense commitments with tailored approaches to deterrence and ensuring the U.S. military continues to have the necessary capabilities across all domains—land, air, sea, space, and cyber. It also includes helping our allies and partners build capacity to fulfill their responsibilities to contribute to regional and global security”.

He continued that America hosts most of the servers and a very large number of Pakistani websites are also hosted in America. Largest spam and malware are generated not in China but in US. 36% of Malware is generated in the US and 33% in China. He argued that the cyber space is in fact not a zone of peace and it is important to understand that cyber warfare is becoming necessary whether we like it or not. He insisted that if US feels necessary to enhance its capabilities in all domains including cyber it gives us moral justification of engaging in the same. There are however contending views about the possibilities of Cyber War among various scholars in this area.

He cited the examples of USA and Britain both having set up Cyber Commands. Russia, Israel and North Korea all have engaged in capacity building toward cyber war. Iran boasts of having the second largest cyber army in the world. Israel has over 8200 strong military intelligence unit dedicated for cyber warfare. The NATO has formed the Co-operative Cyber Defense Centre for Excellence which is set up for cyber warfare. China started investing in this area since 1990 and by 1997 it has setup several institutions and four dedicated universities for this purpose. So much so that it has produced 1500 to 2000 Ph D scholars in encryption technology as against maximum 5 in our country. War as an informationalized aspect is an extension of philosophy of Sunzi which has been consciously practiced in China since 1990s. In China hacking is a capital offense. The General talked about Li Wen, the greatest hacker of the country who was caught but instead made to work for the government. It is only possible in a closed and authoritarian polity like china. China specializes in getting into a system but does not have the capacity to carry out the positive aspect of hacking as yet because of lack of hardware and technology.

The speaker talked of the Indian scenario. He cited the example of Data Security Council of India, a private body under NASSCOM, which has laid down guidelines for best practices in audit systems and develops security architecture. They have done this because foreign companies interested in setting up BPO organizations in India will do so only when these companies are assured that the data they share are secured. He appreciated the effort made by the Data Security Council of India for developing a system of norms to ensure secure data to overseas clients interested in investing in BPOs here.

The speaker elaborated the following issues in context to India scenario, namely, objectives, deterrence, proactive cyber defense, legal provisions, war situation, doctrine/policy, structure, cyber command and coordinating agency. He spoke of capacity building toward Cyber Offensive as the main objective to understand how system can be defended when needed.

The speaker concluded with the following recommendation, a) Building a cyber doctrine and policy within the NSC; b) Creation of a cyber–space command; c) Setting up of R & D comprising of private and public agencies; d) Strategies towards developing cyber awareness and education; e) Language training for the understanding of adversaries. As far as vulnerability is concerned Lt Gen Singh said that China is secure because nobody hacks in Chinese, however, China has immense weakness in its cyber domain.

Ambassador Satish Chandra thanked Lt Gen Aditya Singh for an insightful presentation and he then welcomed Vipin Tyagi, Director and Member of Board, Center for Developments of Telematics (C-DOT), to present his paper on Research and development of Cyber Crime and Cyber Forensics.


TELECOM SECURITY INITIATIVE: STRATEGIC PERSPECTIVE by Vipin Tyagi

The speaker began with three entities that are involved in cyber security, a) network, b) information and c) people and interplay of these three entities in isolation so that an effective system can be created. He moved on to integrating of the network information by interception and picking up information through different types of licenses that are issued by the government e.g., ISP (Internet), TSP (mobile & Land Line), ILD (International Long distance), NLD (National Long distance) and others (Satellite) etc. He talked of establishing a centralized monitoring system involving all Service Providers, all law enforcement Agencies and all Departments. In this system of monitoring the information would come to a centralized system and then distributed. A centralized monitoring system requires integration across services such as GSM, PSTN, GPRS, 3 G and Internet/Data etc.

He moved on to talk about standardization in cyber security and cyber telecommunication. There are multiple agencies which are involved with this standardization. For example the TEC a government body working towards lawful interception and lawful monitoring. Other agencies who are involved in some aspect of standardization are ETSI, ITU, IEEE and ISO/IEC. He informed that in the telecommunication area a tremendous unification is happening where all the bodies are in convergence.

He began with the framework that has been adopted by C-DOT for making telecommunication safe. C-DOT proposes a unified process to take care of the enterprise security in which Telecom network security, application & public interfaces and user-end services are important aspects. He proposes an indigenous R&D and an Indigenous chain.

The speaker went on to talk about the major security threats in regard to telecom network & services namely, destruction, corruption, theft or loss, disclosure and interruption. He elaborated on network vulnerability from various sources. He talked of 3 layers of protection which build on one another - applications, services and infrastructure and 8 dimensions to protect against all major security threats – access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability and privacy. He also discussed the domains of network activities in 3 planes - control plane, user-end plane and management plane. He further went on to discuss the following installation safety guidelines: Earth quake proof Buildings for equipment installation; Raised floors for equipment protection from floods; Fire/Smoke detection /Extinguisher system; proper earthing for equipment; Antistatic flooring; Grouting of the exchange equipments; Proper emergency exits; Lightning protection; and integrated protection modules for hardware protection from external high voltages. Mr. Tyagi also elaborated on the mobile networks related security issues. He provided a few mobile end to end communication models with various threat points and threat interfaces and the solutions for each.

Vipin Tyagi concluded his presentation by emphasizing the need for India to enhance its R&D in telecommunication security. He once again proposed India to have an indigenous R&D and an Indigenous chain where the database needed to be integrated across systems. He finally proposed a one nation one system for Indian telecommunication.

Event Date 
September 9, 2010
Contact Us