Cyber WarfareBorderless, and Lethal
Warfare is no longer restricted to the conventional physical form, its breaking all barriers to adorn a new avatar
Monday, January 17, 2011
The recent hacking of the Central Bureau of Investigation’s (CBI) website by a group called ‘Pakistani Cyber Army’ has raised a volley of questions. Has the war metamorphosed from a physical existence to an IT feature? Who are the actual victims of this warfare? How safe are our websites? Is this just the beginning? In reply, the Defence Research and Development Organization (DRDO) said that it would be developing both software and hardware to put defence networks out of the reach of hackers.
The cyber attack on the CBI website was, apparently, retaliation by a group called the Pakistani Cyber Army. The group also warned that mass defacement of Indian websites would continue if Indian hackers kept on their attacks on Pakistani websites. Before the attack on the CBI website, there was a hack attack carried out on 35 Pakistani government websites. Prominent among these include those run by the Pakistan Navy, the National Accountability Bureau, and the ministries of foreign affairs, education and finance. All of the affected websites reportedly ran on the same server. A crew called the Indian Cyber Army carried out the mass attack, which it claimed was a cyber-protest about the Mumbai terrorist attacks of November 2008.
Need for a Chakravuyh
If the systems and networks have gaping holes and vulnerabilities then anyone can attack. So, first and foremost, it is very essential that we have adequate defences raised against such vulnerabilities. This means that calculative efforts need to be taken to scrutinize the security of websites and ensure that more efforts are take to secure the websites and server. It is very difficult to halt these types of attacks other than providing effective defence mechanisms as they are borderless attacks.
It is clear that a cyber war is afoot. And with the passing of each day the warfare is assuming new proportions. The reason for this could be the fact that today organizations as small as that of your next door panwalla to a huge multinational organization, are craving for their own unique identity on the Internet. This has resulted in a huge number of new websites being registered on the Internet everyday. In such a scenario the development of the websites is done on a mass scale by a number of companies across India but security issues receive back-seat attention. Even a few of the so called ‘biggest websites of India’ are subject to a very basic attack such as authentication bypass.
But the bigger problem is that this huge number of small websites are not even close to being up-to-the-mark in terms of security of their data. This leaves them vulnerable to attacks from hackers, also making it possible for them to deface thousands of websites in a single day. This is always going to be a cat and mouse game. With the enhancement of technology, there will come new and sophisticated ways to break the networks and the teams would have to be very updated to be able to mitigate these risks.
“In my view, there has to be multi-layered defences, something similar to ‘Chakravuyh’ as we are used to of yester years. There has to be sufficient deterrents to discourage these kind of attacks, followed by adequate preventive measures to nullify/mitigate the attacks. If still someone is able to penetrate the defences, then there should exist a sophisticated detection mechanism so as to give a quick reaction and support. Over and above, a continuous learning system which corrects any potential and existing vulnerabilities,” says Pawan Desai, chief operating officer, MitKat Advisory Services.
On the Rise
The emergence of cyber warfare is not a recent phenomenon. It has been on the radar since the emergence of Internet and its threat is ever increasing in the wired world that we live in today.
Cyber warfare is one of the most potent forms of attacks as its impact versus casualty ratio is very effective as compared to conventional warfare. In the present case, both India and Pakistan are very advanced in terms of their capabilities for cyber attacks, as they possess some of the best people in this field across the globe. Many experts feel that the coming days would witness an exponential increase in cyber attacks across the border. “Cyber warfare is a very serious threat to a nation’s security, its property and people, and the damage it does could be irreversible and worse than a nuclear attack,” says Karnika Seth, attorney at Law and partner, Seth Associates
“In such a type of a war, it needs to be borne in mind that the so-called ‘brave warriors’ of the war are not the ones who actually become shaheed but instead the innocent users of the Internet who are at risk. Such wars, if till now are not the order of the day, will surely become so in the next few years. The main reason I can see behind such a trend is the exponential rise in the number of users coming on the Internet on a daily basis, compared to the linear rise in the awareness of these users,” explains Sunny Vaghela, an information security and cyber crime consultant.
Focus on Data Safety
If a website of a large organization can also be prone to an attack by a cyber criminal then how safe is the data on the Internet? It is as safe an one would want it to be. For example, PHP websites are the most vulnerable websites these days but then although Facebook is a PHP website but it is very secured! The reason: It spends a considerable amount of money on its security because it understands its importance.
“Similarly, people need to understand the importance of investing on the security of their website, the awareness needs to come. They should always go for penetration testing from CERT empaneled organizations, get Payment Card Industry (PCI) standard for e-commerce websites and install Intrusion Detection System/Intrusion Prevention System (IDS/IPS) in networks,” says Vaghela.
Cyber threat is no longer a potential threat but is staring prominently at our faces. Apart from all the government websites, our critical infrastructure would be the area of interest to the adversaries. Hence, all defence strategies should be in line keeping the potential and existing threats into perspective.
“We would need a structured approach in safeguarding our critical information from the adversaries. This problem should not be looked only from the perspective of technology, there has to be a holistic perspective of integrating people, process and technology to develop effective defense mechanisms. There needs to be a seam line integration between all the operators in the value chain. Also, this is going to be a continuous program, and need not be dealt as one activity,” says Desai.
The government needs to formulate more strict norms at the level at which a website/server is being formed/registered. It must have a proper assessment system by which every new website/server being registered needs to be assessed for new vulnerabilities and exploits, and only on clearing the assessment should it be allowed to go ahead with its setup. Currently, we do not have an all-India Cyber Police Service and we need such a set up, one which provides the police leadership for Cyber Crime related defense.
The government needs to adopt a multi-pronged strategy in terms of:
- Setting up institutions to simulate sophisticated cyber attacks with the help of qualified personnel. These institutes would be used for training various agencies like intelligence, IT administrators, developers, etc, for offensive and defensive cyber warfare techniques.
- Set up early-warning capabilities about impending attacks and developing expertise in cyber forensics, which includes tools that focus on acquiring information from attacked systems to find out sources of attacks.
- A task force that will certify all imported software and hardware procured.
- Put up segmentwise security guidelines for critical infrastructures and economic segments like banking, defence, railways, aviation, atomic energy, oil & gas, etc.
- Carry out regular assessments of these establishments.
- Set up a computer emergency response team for each of these sectors.
Principal Secretary, IT and BT, Department of Karnataka Government has initiated an action plan to develop an Inter-State Coordination group for cyber security from which some thoughts can be generated as an input for the national plan.
The Government needs to use resources from the private sector to formulate a good defense mechanism. A comprehensive cyber defense strategy for the country is required to be developed. “To start the process a ‘National Cyber Security Advisory Group’ needs to be set up with suitable advisors in place. In my opinion, we need to set up a ‘Cyber Force’ as the fourth wing of our defense along with Army, Navy and Airforce. This has to be under the defense ministry. There needs to be two other national level sub agencies one under the Home department which coordinates the defense against the cyber crimes and another under Ministry of IT which coordinates the corporate information security initiatives. CERT-In can undertake the responsibility of coordinating the IS initiatives along with NIC which may focus on e-governance projects,” says N Vijayashankar (Naavi), a reputed cyber law specialist and an e-business consultant.
Naavi further elaborates that the overall control should rest with the Cyber Force which should be responsible for defending the Indian Cyber Borders. Since Cyber borders exist in every computer connected to the Internet, the cyber Force is not like the physical army which remains unseen by a common man at far away borders. This Cyber Force needs to have its units in the cities and work with ISPs and MSPs in defending the Indian Cyber Space.
“It can be headquartered in the Silicon City of India, Bengaluru, which is developing into the Cyber Security capital of India. It has to deploy its units in all major ISPs and MSPs which are the gateways to the Cyber Space. It may also need to deploy special protection forces at critical projects such as UID, NSE, IDRBT, etc. Lot of thought has to go into structuring the activities of such a force and it needs an elaborate discussion in a separate forum,” says Vijayashankar.
All said and done, the term war is assuming new proportions and refraining to owe allegiance to the conventional form of physical warfare. It leaves one and all non-pulsed by its new avatar and grasping with the thought of what next is in store.