DC Pathak
(The writer is a former Director Intelligence Bureau)
Sometimes the roots of a problem are obscured by discussions on the 'enormity' of its possible repercussions – some of this happens in the way experts make their expansive analyses of the threats to cyber security.
The success of the Information Technology Revolution – 1991 is accepted as the cut-off year for this transition since in that year, investment in the IT sector exceeded that in the industrial sector for the first time in the US – marking the advent of the Age of Information as the Internet provided for instant communication, created borderless markets and made way for globalization, producing the new phenomenon called Knowledge Economy.
Internet-based products and services – from mobile to Twitter and home delivery – held sway. The fact that information would be communicated and stored on the Internet produced the problem of securing it against the adversary's attempts at prying into it, or against the theft of data for other undesirable purposes.
The first point of clarity about the use of the Internet, however, is that it is a public platform and the user therefore should be aware that he or she should not say on it what would not be permitted to be spoken from such a platform.
Section 66 of the IT Act punishes calls for violence, specific threats to persons or a brazen attack on the nation's sovereignty. The 'public' character of the Internet makes it illogical for you to expect that information fed there by you will be kept confidential — unless special steps are taken by you as a user, or by the organization which obtains information from you online, to safeguard it against exposure. A large part of the noise raised about the 'privacy' of information loaded on the Internet, therefore, makes no sense. The second fundamental thing about the use of the Internet is that security in any sphere — cyber, industrial or State-related — revolves around the threats to the three assets of a target organization: material, human resources and protected information.
Correspondingly, there are concepts of physical security, personnel security and information security for protection against what is described in professional terms as Sabotage, Subversion and Espionage, respectively.
Taking the issue of 'information security' first – in the context of the Internet – it has to be mentioned that by definition, Espionage is manoeuvring 'unauthorized access to protected information'. If the organization has not protected its information, it cannot complain of a breach of its security — this protection starts with the 'security classification' of the particular information, in terms of its being labelled 'restricted', 'secret' or 'top secret', and the determination of who amongst the employees would have access to it.
Security of information in the 'virtual' layer begins with the techniques of 'access control' to limit entry to authorized users — these include Firewalls, Passwords and Biometric Devices. The security policy has to be formulated with clarity to achieve the effective design and implementation of Firewalls.
Cryptography transforms clear text into non-decipherable ciphertext. The key size of the encryption process reflects the strength of the algorithm. Encryption is the best device for ensuring message 'confidentiality' or privacy and also for checking unauthorized access to data. It is to be noted that multiple encryptions may make the security stronger, but they may have a negative influence on efficiency. Logically, Passwords should be stored on record in encrypted form. And finally, Biometrics has to be extensively used for establishing the identity of the legitimate user.
There is a strong Physical Security side of cyber operations. At the physical layer, which is the data communication interface with the hardware, specific access controls are required. This is the layer that performs the physical transfer of data to the transmission medium.
Floppy disks, magnetic tapes, pen drives, optical disks and any other hard drive backup material should always be kept in safe custody. Printed, unclaimed and sensitive documents must be destroyed by 'shredding'. The IT Act of India provides detailed guidelines even on a secure site design for a Data Centre or Master Computer. All openings of this Centre should be monitored round the clock by surveillance video cameras.
Physical Security begins with the installation of a secure perimeter — which is not always a brick-and-mortar structure — and prompt detection of any attempt to intrude into the same. One of its objectives is to prevent Sabotage which by definition is 'the threat of causing unacceptable physical damage to the target organization'.
Data destruction will also fall into this description. All strategic sectors of the economy are run on cyber systems whose security is a must for averting a disruptive attack that would impact national stability. Codebreaking may be done by the enemy by using brute force, in which an attempt is made to decipher the code by trying every possible key combination.
Launching a direct clandestine attack from outside may result in 'denial of service' in which the ports of the target are clogged and the network resource is degraded. Data destruction may be caused by injecting a virus through false messaging. A malicious website may be used to download a virus.
Unfortunately, any 'hacking' or unauthorized penetration of the system is detected only after it has succeeded, and that is why the emergency response to any such event is important for mitigating the damage.
The Personnel Security component of the cyber domain is often underestimated because of a lack of understanding of how the threat against it comes into play without getting detected. In all systems having a direct bearing on national security, the angle of the threat of Subversion, which by definition is rooted in the enemy's capacity to alter the loyalty of an employee of the target organization, is accorded high priority.
The standards of Personnel Security — which aim at preventing this subversion — are more stringent in the sensitive sectors of national security. The enemy can either recruit an employee already on the roll, by managing to reach out to the individual and then exploiting some vulnerability of the latter to effect a switch in loyalty — from the organization to the entity outside — or alternatively 'plant' its agent under 'cover' in the target organization, using some vulnerability in the prescribed process of entry.
The importance of background checks and enquiry into character and antecedents before employment is confirmed suggests itself. In sensitive organizations, there is periodical re-verification as well. A subverted employee would be used by the adversary for various objectives, like securing access to protected information and carrying out acts of sabotage.
The third basic feature of cyber security relates to a universal finding that nearly half of the breaches are attributable to an insider. One of the tasks of the security set-up of a sensitive enterprise is to take note of any 'suspicious' conduct of an employee and check it out to determine whether the individual is already working for some outsider. At a deeper level, the security set-up looks for any 'vulnerability' shown by an employee, like greed, addiction or disgruntlement, and examines it with a view to administering a warning to the individual about that 'weakness' — after all, this would be noticed by the adversary as well.
Further, the practice of the 'need to know' principle is meant to enforce 'restrictive security', by which the employee is given access to only that part of organizational knowledge which is essential for the individual's performance; this reduces the subversive potential of a compromised member.
It is for this reason that internal Firewalls are also used to protect one area of a company from another in pursuance of 'restrictive security'. In an Intelligence organization, where the 'need to know' principle is followed in totality, members understand what part of operational knowledge is not to be shared with their colleagues. They also know that restrictive security does not operate vertically. A fourth essential point about cyber security is that its framework rests on certain requisites — legal, operational and managerial — and, like in any other security domain, conforms to the principle that security is an 'integral' concept not given to divisibility of any kind.
Security is a mainstream function as it requires full knowledge of the enterprise and derives its authority from the top man. Training is necessary for all aspects of security and a security-savvy culture has to be established to avert avoidable failures.
A cyber security regime banks for its success on its capacity to attend to the details. A System Administrator has to be appointed (this is a legal requirement), whose responsibilities are exclusive to creating, classifying, retrieving, deleting and archiving information; putting in place arrangements for Password management; authorizing access to users on a 'need to know' and 'need to do' basis, with complete documentation of this authorization; ensuring that all security violations are recorded, investigated and put up for review by the top management; and finally, ensuring that security policies are understood by all members of the organization. For this, an audit trail of security-sensitive access and actions taken shall be logged.
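As an added illustration of the 'need to know' and 'need to do' authorization and the audit trail described above (example code written for this page, not from the article or any real system; the classification levels are the ones the article names, while the user, document and compartment names are constructed):

```python
# Added example: a minimal access check that enforces the three things the
# article asks for: a security classification ceiling, a 'need to know'
# compartment, and a 'need to do' action set, with every decision logged.
# All user, document and compartment names below are constructed samples.
from dataclasses import dataclass

# Classification labels from the article, ordered from least to most sensitive.
LEVELS = {"restricted": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    compartment: str            # the 'need to know' area the document belongs to


@dataclass(frozen=True)
class Clearance:
    user: str
    level: str                  # highest classification the user is cleared for
    compartments: frozenset     # areas the user has a documented need to know
    actions: frozenset          # 'need to do', e.g. {"read"} or {"read", "write"}


AUDIT_TRAIL = []                # (user, document, action, allowed, reason)


def authorize(c: Clearance, d: Document, action: str) -> bool:
    """Allow only if level, compartment and action are all authorized; log every decision."""
    reason = "ok"
    if LEVELS[c.level] < LEVELS[d.classification]:
        reason = "insufficient clearance"          # classification ceiling
    elif d.compartment not in c.compartments:
        reason = "no need to know"                  # restrictive security
    elif action not in c.actions:
        reason = "no need to do"                    # action not authorized
    allowed = reason == "ok"
    AUDIT_TRAIL.append((c.user, d.name, action, allowed, reason))
    return allowed


def violations():
    """Denied attempts, i.e. what the top management review should see."""
    return [entry for entry in AUDIT_TRAIL if not entry[3]]


# Constructed sample data: one 'secret' document in the 'operations' compartment.
OPS_PLAN = Document("ops-plan", "secret", "operations")
ANALYST = Clearance("analyst", "secret", frozenset({"operations"}), frozenset({"read"}))
CLERK = Clearance("clerk", "restricted", frozenset({"operations"}), frozenset({"read"}))
AUDITOR = Clearance("auditor", "top secret", frozenset({"finance"}), frozenset({"read"}))
```

The auditor is cleared to a higher level than the document yet is still refused, which is the point of restrictive security: clearance alone never substitutes for a documented need to know.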
Finally, the cyber domain is an instrument of development and facilitates the welfare function of the democratic State, but it is also a licence for anti-national forces to indulge in mischief against the latter. Weapons of higher defence, including nuclear missiles, operate on complex cyber security systems that are fail-safe.
In what is a new phenomenon, social media — a product of the Internet — is already becoming an instrument of combat and 'proxy war'. We live in times where a minimal understanding of cyber security issues is an essential component of the requirement of 'being well-informed' — this is the mandate of the age, for being successful in any sphere of work. (IANS)