War, virtually

Cyber attacks on critical infrastructure around the world are on the rise. Countries are framing policies to deal with this threat as the dependence of nations on cyberspace is expanding, while the threat landscape is getting worse. Not only is business and governance conducted through cyberspace, even militaries use private and public networks for their interactions with suppliers, payment systems and other organisations, although they may use intranets for secure internal communications. But the separation of intranets from the internet is illusory — the reported transmission of naval secrets of the Eastern Command to IP addresses in China earlier this month is proof enough.

Cyberspace is asymmetric, and offence dominant; it provides anonymity because of difficulties in attribution, with implications for bringing criminals to justice and for deterrence and reprisal. Silent, undetected attacks by non-state actors and nation-states for cyber espionage, and disruption of critical infrastructure that can cripple economies and spread disorder, are a reality. Should governments, therefore, consider cyber security part of national security?

The internet started as a domain for academics and technophiles. Today, cyberspace, made up of global networks, is viewed as a global commons, albeit of a new kind, since it is manmade. It is the fifth global commons, after sea, air, space and outer space. It facilitates the transfer of data and information and is largely owned by the private sector. But it is a national asset too, since it enables a host of business and government services to citizens; critical infrastructure depends on it for efficient operation.

However, issues of ownership complicate governance and require high levels of public-private sector cooperation. Attacks on critical infrastructure such as telecom and defence can have crippling effects on civilians, with outcomes similar to those achieved by traditional war. The attacks on these systems can come from anywhere in the world because cyberspace is borderless.

This was underlined by Stuxnet and Flame, believed to be the handiwork of a nation-state. While the former destroyed a nuclear reactor in Iran, the latter is for cyber espionage. Adversaries can plant malware in infrastructure and military equipment. National security depends on a safe cyberspace commons, and there must be rules of behaviour in it. At the very least, there is need for cooperation between law enforcement agencies across jurisdictions to track cyber criminals and bring them to justice.

The impact of cyber attacks is beginning to be felt in India since the economy is becoming digital and the government is relying on technology to solve governance problems, both for service delivery and financial inclusion. Defence and police agencies are making strategic use of technology to modernise. Mobile phones provide connectivity for several hundred million people, who are using existing applications with known vulnerabilities, thereby exposing national infrastructure and assets to more attacks. The attackers are both local and global. There have been cyber attacks on the Prime Minister's Office, defence agencies and corporations to steal state and business secrets.

What is our response to these attacks as a nation? India is, by and large, in a state of denial — we just do not admit that any significant loss occurred in successful cyber attacks. This is perhaps due to our feudal approach to governance, whereas cyberspace warrants an information age response — it calls for information sharing and cooperation across multiple agencies.

Cyberspace has no boundaries, even though nations are trying to police and control activities within their jurisdictions. Traditional dividing lines between defence and security, civilian and defence, military solutions and law enforcement, the public and private sectors, are breaking down. No single ministry can handle all facets of cybersecurity; they need to coordinate. Lead agencies have to be appointed and empowered. Finally, because the networks and critical infrastructure are largely owned by the private sector, its involvement in cybersecurity is essential. The government has to launch public-private partnership programs to protect critical infrastructure.

A cyber security strategy should include low-hanging fruit in the form of implementing security best practices and independent third-party security audits, apart from investing in a trained workforce. Government agencies have a tendency to shroud audits in secrecy because of the fear of exposure. It is better to learn in-house through third-party audits — howsoever damaging the findings maybe, since they afford corrective steps — rather than from cyber attackers after the data loss. This calls for a cultural change in outlook.

The government has taken steps to enhance cyber security, increasing awareness in the country, but a comprehensive national cyber security strategy that empowers different agencies with coordination at the highest level is essential. There are no short cuts.

The writer, presently CEO, Data Security Council of India, was founder director, CERT-In. Views are personal, express@expressindia.com

Please read our terms of use before posting comments