Take cyber security seriously
R. Swaminathan
15 February 2013

It's still firmly in the realm of conspiracy theories. But some believe the US and Israel formally attacked Iran sometime in the month of June 2010 and both are now at war. There is some uncomfortable evidence to support these conspiracy theorists, and more keeps tumbling out. But it's still circumstantial at best. In June of that year cyber-security experts discovered an extremely sophisticated computer worm called Stuxnet. As they dug deeper to understand it they found the worm had a programmable logic controller (PLC) hidden in its rootkit. It was a first in any virus or a worm. A PLC changes the logical and sequencing structure of an infected programme or a machine. As they tumbled further into the hole, as Alice once did in a storybook, they discovered that the worm had a special fondness for the Supervisory Control and Data Acquisition (SCADA) systems of Siemens. These systems control and monitor specific industrial processes. This is where it gets racy and circumstantial with just the right dash of ifs and buts. In Iran these proprietary systems do not run any ordinary industrial processes. They are at the heart of the uranium enrichment infrastructure across six locations in that country. By August, when the hole had been dug deep enough, Symantec found that 60% of the infected computers across the world were in Iran. Kaspersky Lab came to the conclusion that such a sophisticated attack could have been conducted only with a 'nation-state's support'. The US and Israeli officials were privately delighted at the disruption of the Iranian nuclear programme. In the shadowy world of cyber-attacks a buzz did the rounds that Stuxnet was a joint US-Israeli attack called 'Operation Olympic Games' started by George W Bush and expanded by Barack Obama. The retaliation - whispers claim it's from Iran - was from a virus called Shamoon and took out the administrative operations of the world's largest oil company Aramco. 
The Saudi-owned oil company is America's largest supplier. This warless war hasn't seen its end yet. Contrast this with just about 30 years back. Iraq was constructing a nuclear reactor just outside Baghdad. As usual Israel's security hackles were raised and a fleet of F-16As escorted by F-15s took a risky manoeuvre violating Jordanian and Saudi Arabian airspace and bombing the reactor. It threatened to escalate into an all-out war.

Today, national security cannot be divorced from cyber-security, cyber attacks and cyber warfare. In fact, the very definition of security is undergoing a change and includes the security of digital assets, networks and smart systems. Any unauthorised attempt to undermine or compromise a computer-based system, track the movements of an individual or transactions of an organisation and subvert the digital systems and networks to lead to a denial of service can be defined as a cyber attack. A cyber attack consists of a broad range of activities, from a virus or a worm stalling or taking over the operating system of a single computer to bringing down an entire network, like a power grid or the process infrastructure of an industry, as in the case of the Iranian nuclear plants. All forms of cyber attacks are here to stay as an analogue society is rapidly transforming into a digital one. Everything from money, utilities, civic services, financial and social transactions, governance, home security, transportation, entertainment and, why, even one's own identity is now digital. With each step towards digitisation, a previously analogue and physical asset turns into a digital one. A physical asset could be guarded behind an iron door and a lock and key. A digital asset, however, is amorphous and needs to be defended behind firewalls against increasingly ingenious, sophisticated and stronger attackers.

India is also rapidly turning into a digital society. The focus of India's cyber security has essentially been on personal digital devices. There is a certain justification for it as India has seen an alarming spurt in the growth of malware on mobile devices, especially on the fastest-growing Android platform. A 2012 report on Windows and Mobile Malware released by the anti-virus firm Quick Heal found social media platforms are the favourite haunts of cybercriminals to plant malware. The report found an increase of over 90 percent in Windows malware and a gargantuan 170 percent in its modification. Interestingly, the report also found that the virus attacks on mobile digital devices increased by 30 percent with an 80 percent increase in its modifications. In a perverse manner, it reiterated the mobile revolution that's taking place in India.

India, however, in its exclusive focus on personal digital devices, has diffused the larger focus on protecting national digital assets, which should have been crystal clear and sharp. India received a rude jolt in 2011 when it was discovered that a group of hackers had carried out a systematic attack on India's government digital assets, comprising the databases of several ministries and departments. These hackers were able to get into the email accounts of some of our top bureaucrats. Though no country was named, it was widely suspected to be China. The digital assets of Taiwan, the US, South Korea, Vietnam and Canada were also targeted. But China is not the only one testing India's cyber defences. A group calling itself the Pakistan Cyber Army has repeatedly attacked Indian digital assets. In December 2010, it hacked into the Central Bureau of Investigation website. Soon, the same group hacked into the Bharat Sanchar Nigam Limited (BSNL) website. Pakistan-based hacker groups have attacked 112 Indian websites within a span of three months. It's not something the Indian cybersecurity establishment is proud of.

Clearly, a lot more needs to be done to secure India's national digital assets. Even though India set up the National Technical Research Organisation (NTRO) with a specific mandate to 'develop technology capabilities in aviation, remote sensing, data gathering and processing, cyber security, cryptology systems, strategic hardware and software development and strategic monitoring', it has been dogged by a lack of direction and several controversies. It's under the Research and Analysis Wing (R&AW), but its autonomy is patchy. Several other organisations with overlapping functions have been making life difficult for NTRO. Additionally, several unseemly controversies - from procuring Israeli UAVs for Rs 450 crores without the bundled satellite link, making them useless, to the alleged illegal tapping of 750,000 phones - have been trailing the organisation continuously. Despite recognising the threat of Chinese hackers, and setting up its own team of ethical hackers, the NTRO still doesn't have a comprehensive and integrated policy to secure India's digital assets.

Security firm McAfee in December 2012 released an alarming report that a gang of cybercriminals has developed a sophisticated Trojan capable of siphoning off billions of dollars from banks. Thirty banks in the US were high on the target list. McAfee says the cybercriminals are so organised that they are recruiting other criminals to ensure that the amounts siphoned off from each bank are limited so as to not arouse any suspicion. All banks in the US are on high alert and the US government has put a special team of cybercops to crack this case. It's a situation that could just as well be staring India in the face. India is a growing economy and its banks are going to acquire global proportions soon. It's only a matter of time before India starts leaving its digital footprints on the global stage. It's time that India recognises cyberwarfare as the fifth dimension of warfare and accords cybersecurity the priority it deserves. It's time India declares its public and private digital infrastructure as a strategic national asset.

(The writer is a Visiting Fellow at Observer Research Foundation. He is also a National Internet Exchange of India Fellow)