Jamtara: Sabka Number Ayega is the name of a new Netflix series being streamed. Jamtara is a remote rural area in Jharkhand, India. A bunch of young adults, uneducated but motivated, cheat people of money by enticing them over the phone to reveal their credit card numbers. The victims are from far-off places like Delhi, and include respectable people such as lawyers, policemen and housewives. The series highlights the ignorance of the people and the shoddy investigation by the police. In short, it’s about phishing, and phishing that is not being done from metro cities or sophisticated environments, while the victims are not uneducated but have one factor in common: greed. Though fiction, it may well be based on truth. Cybercrimes are prevalent all over India but are underreported. Consciousness is low, but cybercrimes are just starting to get attention.
There’s an old saying that cyberspace is the fifth domain of warfare after land, water, air and space. Cyberspace is unique in the sense that you can’t see it but only feel the damage once done. Humans have low understanding of what’s not visible. Many of the dangers to our civilization are invisible; climate change, non-natural EMF perils, food-chain contamination and havoc caused by artificial lighting are some of them. Cyber threats come in this category. And the worst part is that all these perils are interconnected. For instance, 5G spectrum is almost reaching the standards of X-ray. It means faster streaming and downloads, which we enjoy without realizing that the body is subject to constant scanning by an X-ray-like manipulated magnetic field, which is compressed without regard to the consequences. Who would like to be lying on the scanning bed of an ICU in a hospital 24×7? Yes, we seem to love it! Or take the example of how cellphone towers have caused the extinction of birds, which eat insects for food. With the birds extinct or reduced in numbers, the insects thrive and devastate the crops. To meet this challenge we invent more and more deadly chemicals to spray, causing havoc to our food chain. When we enjoy streaming a movie on Netflix, we are oblivious of thousands of servers all over the world working overtime, streaming over 4G/5G spectrums and spewing enormous heat into the environment, for which available cooling technologies are inadequate.
We’re interconnected in cyberspace, facilitating the exchange of petabytes of data, selling and buying goods, and doing many more things which weren’t there before the advent of the internet. The problems of cybercrime have also multiplied, and we have become aware of them slowly, if not to the desirable level. We’re painfully learning that keeping cyber hygiene is not sufficient. The problem is much more complex than expected. As cyberspace knows no borders, we would like to know what is being done at the international level to jointly fight this menace. In fact, in 2018, a decision was taken by UN member states to conduct two negotiations on the international security angle of cyber technology. It is hoped that a breakthrough can be made on the application of international law to cyberspace.
In the beginning, there used to be an IT engineer who was responsible for all issues connected with computers, hardware, software, troubleshooting etc.; when cyber security came into consciousness he was told to look after that too. I’m sure in many companies it’s not very different even now. This needs to change. Whether the team is small or large, a security team on its own can’t make cyber security fully successful. The major companies like Target or Yahoo in the US, which were hacked in the past, had armies of security specialists with large investments. Every user from top to bottom in every organization needs to contribute in order for the security program to be successful.
India woke up to the necessity of having a cyber policy only in 2013 and came out with a hurriedly made document, which came under heavy criticism for lacking depth and detailed guidelines. Most of the provisions were in the form of suggestions and recommendations rather than mandatory requirements. This year we expect a fresh cyber security policy document from the government.
Thankfully, the Privacy Act will be in place. The new cyber security policy document will hopefully lay down regulatory clauses in accordance with this Act. Earlier there was neither a data protection Act nor an agency dedicated to data protection. In 2017, the Supreme Court upheld the right to privacy as enshrined in the Constitution. Subsequently, the government is moving the Personal Data Protection Bill (PDPB) 2019, which proposes some data localization and government access to data. It also has a proposal to create a Data Protection Authority of India (DPAI). But this is only the beginning, and a pretty late one at that. We know the fate of rules and regulations in our country if they are not backed by strict implementation. This means putting in place detailed SOPs (standard operating procedures), templates and compliance requirements backed by penal provisions.
CYBER SECURITY IN U.S.
In the United States, the networks handling public data need to be FISMA (Federal Information Security Management Act) compliant before they are issued an authority to operate (ATO). NIST (the National Institute of Standards & Technology) has drawn up the forms and templates of security requirements based on the Act. This makes the task simpler for the agencies seeking an ATO. Without this authorization the networks can’t function. The major areas of work covered by FISMA and NIST in the US include System Security Plans (SSPs) and checklists, and the Risk Management Framework (RMF). The SSPs are assessed by independent assessors before ATO certifications and periodic reauthorizations are done. They also carry out privacy threshold analysis and business-impact analysis. The RMF includes, among other things, security categorization, security controls and assessments, implementation, security authorizations for information systems, monitoring of security controls and a plan of action (POA).
LEGAL AND INSTITUTIONAL CONTROLS
The next required step would be to make director- and CEO-level executives responsible for cyber security measures and compliance. With the increase in the number of incidents and financial losses, an increasing number of companies in India are resorting to cyber insurance policies. This is one step better but inadequate. If the systems, approvals and compliance schedules are not in place, and if SOPs are not followed to the letter and spirit, the insurance companies are not going to pay up. The result would be the loss being passed on to the shareholders and stakeholders, which is unacceptable. It’s for this reason too that the public and the shareholders have a right to know what’s being done to protect their private data. While physical components such as hardware, systems, software, servers and networks get adequate attention, the human component needs more attention. Sometimes cyber attacks could be insider jobs. So companies need to be vigilant about permanent employees, contractors, vendors and outsourcing agencies.
Much emphasis is laid on legal and institutional controls, along with director/CEO-level control and responsibilities, because only then do cyber hygiene and security technology measures become meaningful and relevant to the organization. We will see how this is important for the cause of cyber security at the individual, organizational, national and international levels. Every stakeholder needs to identify what the “crown jewels” of the organization are in terms of data which the hackers are likely to be interested in. These could be the user database, intellectual property and others.
Then comes a qualitative analysis of risk, which will help decide the steps required for risk management. Another step would be to have an overview of how cyber attacks occur and what the usual behaviour patterns of hackers are. The chain of actions generally comes under four or five categories: reconnaissance, intrusion, lateral movement, command and control, and execution/exfiltration.
When hackers indulge in these actions, they give out definite signals, and a robust system with an alert operator behind it would be able to detect the hacking. In practice, it’s seen that hackers look for the following: critical infrastructure (CI), as they did in the case of the Kudankulam nuclear power plant recently; programmable logic controllers (PLCs); supervisory control and data acquisition (SCADA); operational technology (OT); application programming interfaces (APIs); crypto mining, storage hunting and theft of processing power, among others. Some of the signals to watch out for: patch windows, web shells and PowerShell, abnormal logins and privileged user behaviours, WMI anomalies, reconnaissance signals, malware/ransomware signals, RDP signals, SMB anomalies, ICMP variations, and many others. One needs to take help from resources like MITRE’s Cyber Analytics Repository (CAR) for behavioural analytics of cyber attacks. Another useful resource is the Open Web Application Security Project (OWASP), especially for the Internet of Things (IoT), IoT devices being the most vulnerable targets of attack.
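To make the “signals” above concrete, here is an added example (not from the article or from MITRE CAR) of a small behavioural-analytics pass over constructed authentication log lines: it flags a burst of failed logins followed by a success (intrusion), privileged-account use outside business hours, and logins hopping between known internal hosts (lateral movement). The log format, thresholds, host list and account names are all assumptions.

```python
# Added example: simple behavioural detection over constructed auth-log lines.
# Format, thresholds, ADMIN_USERS and host names are assumptions, not real data.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"(\S+) (\S+) user=(\S+) src=(\S+) result=(\S+)")
FAIL_THRESHOLD = 4                 # assumed: failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=5)  # assumed: look-back window for those failures
ADMIN_USERS = {"root", "admin"}     # constructed list of privileged accounts
WORK_HOURS = range(8, 20)           # assumed business hours for privileged logins

def parse(line):
    """Turn one log line into a dict; raises ValueError on an unparseable line."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, host, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "ok": result == "success"}

def detect(lines, known_hosts):
    """Return (signal, message) alerts; 'intrusion' and 'lateral-movement'
    follow the attack-chain categories used in the article."""
    alerts, fails = [], defaultdict(list)
    for e in map(parse, lines):
        if not e["ok"]:
            fails[e["user"]].append(e["ts"])      # remember failures per account
            continue
        recent = [t for t in fails[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:          # many failures, then a success
            alerts.append(("intrusion", f"{e['user']} succeeded after "
                           f"{len(recent)} failures from {e['src']}"))
        if e["user"] in ADMIN_USERS and e["ts"].hour not in WORK_HOURS:
            alerts.append(("privileged-use", f"{e['user']} logged in at "
                           f"{e['ts'].time()} on {e['host']}"))
        if e["src"] in known_hosts and e["host"] in known_hosts and e["src"] != e["host"]:
            alerts.append(("lateral-movement", f"{e['user']} hopped {e['src']} -> {e['host']}"))
    return alerts

# Constructed sample log lines (not real data): a brute-force burst on web01,
# then root moving from web01 to db01 late at night.
SAMPLE = [
    "2020-02-03T09:00:00 web01 user=bob src=10.0.0.5 result=failure",
    "2020-02-03T09:00:10 web01 user=bob src=10.0.0.5 result=failure",
    "2020-02-03T09:00:20 web01 user=bob src=10.0.0.5 result=failure",
    "2020-02-03T09:00:30 web01 user=bob src=10.0.0.5 result=failure",
    "2020-02-03T09:00:40 web01 user=bob src=10.0.0.5 result=success",
    "2020-02-03T23:15:00 db01 user=root src=web01 result=success",
]

if __name__ == "__main__":
    for signal, msg in detect(SAMPLE, {"web01", "db01"}):
        print(f"[{signal}] {msg}")
```

The thresholds are deliberately simple; in practice they would be tuned against a baseline of the organization’s own normal login behaviour.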
INTERNAL DETECTION SYSTEMS
The most important point here is how we are going to detect intrusion, and when. In India, an average of 220 days is taken to detect an infiltration, by which time considerable damage would have been done. A robust system means being in a position to detect an attack within hours, or a few days at the maximum. In most cases the internal detection systems are so poor that an external alert from law enforcement agencies or others is required to open our eyes. Early detection is a game changer. Even when cloud computing is resorted to, ultimately what is inside the cloud is our responsibility.
So, when we have legal backing and institutional arrangements, are up to date on security technologies such as firewalls, “honey pots”, the latest techniques involving blockchain technologies, AI and/or natural language processing (NLP) and machine learning, and practise security hygiene such as protected email systems, multi-factor authentication etc., are we completely safe from attacks? Do we have our kitty bags overflowing with tools like a lab environment and VMware, virtual machines and hypervisors, Splunk for auditing logs, Nessus for remote scanning, the packet analyzer Wireshark etc.? And are we aware of the many kinds of malware in circulation, be it viruses or worms, ransomware, Trojan horses, backdoors, botnets for denial of service, keystroke loggers, adware and spyware? We may have firewalls, anti-malware scanners which look for signatures, and other arrangements, all backed by efficient armies of engineers. But do all these guarantee an attack-free environment? No. Remember, no one and no organization, however advanced they may be in security, is totally safe, and criminals and hackers always stay one step ahead. Moreover, security, most of the time, is like this: there’s no great advantage if you do, but certainly great harm if you don’t.
Underinvesting in cyber security can be a hindrance. The major threats to companies with regard to cyber security are not technological. They are human and psychological. Employees need to cultivate awareness. Employees need to overcome the biases, bad habits and behaviours which are exploited by hackers. Employees can be the weakest link in the security process if not directed properly. So employees have to be properly trained. Executives should notify the stakeholders immediately after a breach. Customer trust should be retained through swift action and an honest approach. Trustworthiness is generated by data protection and privacy. Big data and machine learning have brought in a new element of risk. More than the intended attacks, it’s the uncanny interference by algorithms which needs to be looked out for. As AI systems become more sophisticated, cyber attacks are bound to rise through AI-assisted hacking. According to experts, more AI-enabled flawless systems are the only remedy, since computer-human brain interfaces are on the increase and are likely to be exploited.
Sampath Ramanujan, a former IPS, has dealt with airport security and industrial security, and worked in policing, law & order and intelligence, apart from handling corporate security in top corporates.