Sometimes the roots of a problem are obscured by discussion of the 'enormity' of its possible repercussions; some of this is happening in the expansive analyses that experts are making of the threats to cyber security.
The success of the Information Technology revolution marked the advent of the Age of Information (1991 is often cited as the cut-off year for this transition, since in that year investment in the IT sector exceeded investment in the industrial sector in the US for the first time). The Internet provided instant communication, created borderless markets and made way for globalisation, producing the new phenomenon called the Knowledge Economy.
Internet-based products and services, from mobile telephony to Twitter and home delivery, held sway. The fact that information would be communicated and stored over the Internet produced the problem of securing it against an adversary's attempts to pry into it, and against the theft of data for other undesirable purposes.
The first point of clarity about the use of the Internet, however, is that it is a public platform, and users should therefore be aware that they should not say on it what they would not be permitted to say from any other public platform.
The law treats such conduct accordingly: Section 66F of the IT Act (cyber terrorism) punishes attacks on the nation's sovereignty and integrity, while calls for violence and specific threats to persons are offences under the general penal law. The 'public' character of the Internet also makes it illogical to expect that information you feed into it will be kept confidential unless special steps are taken to safeguard it against exposure, by you as a user (encrypting what you send and store, and choosing what you disclose) or by the organisation that obtains information from you online (encrypting it in transit and at rest, and controlling who can reach the stored copy). A large part of the noise raised about the 'privacy' of information loaded on the Internet, therefore, made no sense.
The second fundamental thing about the use of the Internet is that security in any sphere, cyber, industrial or State-related, revolves around the threats to the three assets of a target organisation: material, human resources and protected information.
Correspondingly, there are the concepts of physical security, personnel security and information security, which protect against what are described in professional terms as Sabotage, Subversion and Espionage, respectively.
Taking the issue of information security first, in the context of the Internet: by definition, Espionage is the obtaining of unauthorised access to protected information. If the organisation has not protected its information it cannot complain of a breach of its security. Protection starts with the security classification of the particular information, labelling it 'restricted', 'secret' or 'top secret', and with determining which of the employees are to have access to it.
Security of information in the 'virtual' layer begins with the techniques of access control that limit entry to authorised users; these include firewalls, passwords and biometric devices. A firewall can only enforce the rules it is given, so the security policy has to be formulated with clarity before firewalls can be designed and implemented effectively.
Cryptography transforms clear text (plaintext) into ciphertext that cannot be read without the key. Key size is one measure of strength, since it bounds the effort of a brute-force search, but a weak algorithm is not rescued by a long key. Encryption is the best device for ensuring message confidentiality, and data that is stored encrypted stays unreadable to anyone who obtains a copy without the key; it does not by itself decide who is authorised, which remains the job of access control. Layering several encryptions rarely adds much security and does cost efficiency. Passwords should not be stored in encrypted form: an encryption key that leaks exposes every password at once. They should be stored as salted, deliberately slow one-way hashes (bcrypt, scrypt, Argon2 or PBKDF2), which a server can verify but cannot reverse. Finally, biometrics has a wide role in establishing the identity of the legitimate user, best as one factor alongside something the user knows or holds, because a compromised fingerprint template cannot be changed the way a password can.
There is a strong physical security side to cyber operations. At the physical layer, the interface between data communication and the hardware, specific access controls are required; this is the layer that performs the physical transfer of data onto the transmission medium.
Floppy disks, magnetic tapes, pen drives, optical disks and any other backup media should always be kept in safe custody, and sanitised or destroyed before disposal. Printed sensitive documents, including unclaimed printouts, must be destroyed by shredding.
The IT Act of India, and the rules framed under it, extend even to guidelines on secure site design for a Data Centre or master computer. All openings of such a centre should be monitored round the clock by surveillance video cameras.
Physical Security begins with the installation of a secure perimeter — which is not always a brick-and-mortar structure — and prompt detection of any attempt to make an intrusion into the same. One of its objectives is to prevent Sabotage which by definition is ‘the threat of causing unacceptable physical damage to the target organisation’.
Data destruction also falls within this description. All strategic sectors of the economy run on cyber systems whose security is essential to averting a disruptive attack on national stability. Code breaking by brute force, in which the enemy tries every possible key until the ciphertext deciphers, is one method open to an adversary; its cost doubles with every bit added to the key, which is why key length matters.
A direct clandestine attack from outside may result in 'denial of service', in which the target's network ports are flooded and the network resource is degraded. Data destruction may be caused by a virus delivered through deceptive messaging, or downloaded from a malicious website.
Unfortunately, 'hacking', or unauthorised penetration of a system, is often detected only after it has succeeded, which is why logging and an emergency response capability are important for mitigating the damage.
The personnel security component of the cyber domain is often underestimated because the ways in which the threat against it comes into play without being detected are not understood. In all systems with a direct bearing on national security, the threat of Subversion, which by definition is rooted in the enemy's capacity to alter the loyalty of an employee of the target organisation, is accorded high priority.
The standards of personnel security, which aim at preventing this subversion, are more stringent in the sensitive sectors of national security. The enemy can either recruit an employee already on the rolls, by reaching out to the individual and then exploiting some vulnerability to effect a switch in loyalty from the organisation to the entity outside, or alternatively 'plant' its agent under 'cover' in the target organisation by exploiting some weakness in the prescribed process of entry.
The importance of background checks and enquiry into character and antecedents before employment is confirmed suggests itself. In sensitive organisations there is periodic re-verification as well. A subverted employee would obviously be used by the adversary for objectives such as securing access to protected information and carrying out acts of sabotage.
The third basic feature of cyber security relates to a recurring finding in breach surveys that a large share of breaches, by some counts nearly half, involve an insider. One of the tasks of the security set-up of a sensitive enterprise is to take note of any 'suspicious' conduct of an employee and check whether the individual is already working for some outsider.
At a deeper level, the security set-up looks for any 'vulnerability' shown by an employee, such as greed, addiction or disgruntlement, and examines it with a view to warning the individual about that weakness; after all, the adversary would notice it as well.
Further, the 'need to know' principle enforces 'restrictive security': an employee is given access only to that part of organisational knowledge which is essential for the individual's own work. This limits what a compromised member can reveal or sabotage.
It is for this reason that internal firewalls, segmenting the network, are also used to protect one area of a company from another in pursuance of 'restrictive security'. In an intelligence organisation, where the 'need to know' principle is followed in full, members understand which part of operational knowledge is not to be shared with colleagues. They also know that restrictive security does not operate vertically.
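As an added example (not the writer's text, nor any organisation's actual policy engine), the following Python models the two ideas above together: the classification labels mentioned earlier ('restricted', 'secret', 'top secret') and need-to-know compartments. A read is granted only when the requester's clearance level is at least the document's level and the requester holds every compartment the document requires, so a subverted member's reach is exactly their own compartment and nothing else. The staff, documents and compartment names are constructed for illustration, and 'unclassified' is an assumed floor for unmarked material.

```python
"""Need-to-know access decisions: clearance level plus compartments.

Added example for this article, not the author's code or any real system's.
Access is granted when the requester's label dominates the document's label:
level high enough AND every required compartment held. Sample users, documents
and compartment names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Ordering of classification levels, low to high. 'unclassified' is an
# assumed floor for material that carries no marking.
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if a holder of this label may read material marked `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Document:
    name: str
    label: Label


@dataclass
class Employee:
    name: str
    clearance: Label


def can_read(who: Employee, doc: Document) -> bool:
    return who.clearance.dominates(doc.label)


def accessible(who: Employee, docs: List[Document]) -> List[str]:
    """Names of the documents `who` may read, in the order given."""
    return [d.name for d in docs if can_read(who, d)]


# Constructed sample data.
DOCS = [
    Document("station-roster", Label("secret", frozenset({"ops-east"}))),
    Document("payroll-summary", Label("restricted")),
    Document("source-list", Label("top secret", frozenset({"ops-east", "humint"}))),
    Document("ops-west-plan", Label("secret", frozenset({"ops-west"}))),
]

STAFF = {
    # A top secret clearance alone does not open compartmented material:
    # clearance answers "may this person see secrets", need-to-know answers
    # "does this person's job require these particular secrets".
    "analyst": Employee("analyst", Label("top secret")),
    # Compartment membership is tied to the job, not to seniority.
    "case-officer": Employee("case-officer", Label("secret", frozenset({"ops-east"}))),
    "clerk": Employee("clerk", Label("restricted")),
}


def blast_radius(who_name: str) -> List[str]:
    """What an adversary gains if this employee is subverted: exactly the set
    the need-to-know policy lets them read, and nothing in other compartments."""
    return accessible(STAFF[who_name], DOCS)


if __name__ == "__main__":
    for name in STAFF:
        print(f"{name:13s} can read: {blast_radius(name)}")
```

The point the analyst illustrates is the one the article makes about intelligence organisations: holding the highest clearance in the building still leaves the compartmented operational files unreadable, because the compartment, not the level, carries the need to know.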
A fourth essential point about cyber security is that its framework rests on certain requisites, legal, operational and managerial, and, as in any other security domain, conforms to the principle that security is an 'integral' concept not given to divisibility of any kind: a gap left in one part undoes the effort spent on the rest.
Security is a mainstream function, as it requires full knowledge of the enterprise and derives its authority from the head of the organisation. Training is necessary for all aspects of security, and a security-savvy culture has to be established to avert avoidable failures.
A cyber security regime banks for its success on its capacity to attend to detail. A system administrator has to be appointed (this is a legal requirement) with exclusive responsibility for: creating, classifying, retrieving, deleting and archiving information; putting in place arrangements for password management; authorising access to users on a 'need to know' and 'need to do' basis, with complete documentation of this authorisation; ensuring that all security violations are recorded, investigated and put up for review by the top management; and, finally, ensuring that security policies are understood by all members of the organisation. For this, an audit trail of security-sensitive access and of the actions taken shall be logged, and kept where those whose actions it records cannot alter it.
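As an added example (not the writer's text, nor any product's logging code), the following Python shows what makes an audit trail trustworthy rather than merely present: each record carries a SHA-256 hash over the previous record's hash and its own content, so editing, deleting or reordering an entry breaks the chain at that point and the verifier reports where. The record fields and the sample events (a clerk's granted and denied reads, an administrator's grant) are constructed for illustration.

```python
"""Tamper-evident audit trail for security-sensitive access.

Added example for this article, not the author's code. Each record is hashed
together with the previous record's hash, so any later edit, deletion or
reordering is detectable. Field names, GENESIS anchor and sample events are
constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed anchor for the first record
CONTENT_FIELDS = ("seq", "actor", "action", "object", "outcome")


def _digest(prev_hash: str, content: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    body = json.dumps(content, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + body).hexdigest()


def append(log: List[dict], actor: str, action: str, obj: str, outcome: str) -> dict:
    """Append one event, chaining it to the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    content = {"seq": len(log), "actor": actor, "action": action,
               "object": obj, "outcome": outcome}
    record = dict(content, prev_hash=prev_hash, hash=_digest(prev_hash, content))
    log.append(record)
    return record


def verify(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (True, None) if intact, else (False, position of
    the first record that fails): wrong sequence number, wrong back-link, or a
    hash that no longer matches the content."""
    prev_hash = GENESIS
    for position, rec in enumerate(log):
        content = {k: rec.get(k) for k in CONTENT_FIELDS}
        if (rec.get("seq") != position
                or rec.get("prev_hash") != prev_hash
                or rec.get("hash") != _digest(prev_hash, content)):
            return False, position
        prev_hash = rec["hash"]
    return True, None


def denied_events(log: List[dict]) -> List[dict]:
    """The violations the article says must be recorded and put up for review."""
    return [r for r in log if r.get("outcome") == "denied"]


def build_sample_log() -> List[dict]:
    # Constructed events, not real data.
    log: List[dict] = []
    append(log, "clerk", "read", "payroll-summary", "granted")
    append(log, "clerk", "read", "source-list", "denied")
    append(log, "admin", "grant-access", "clerk:ops-east", "granted")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log), "denied:", len(denied_events(log)))
    log[1]["outcome"] = "granted"  # the clerk rewrites their own denial
    print("after tampering:", verify(log))
```

One limitation is worth stating: the chain detects changes and deletions inside the log, but truncation at the tail (dropping the most recent records) is only caught if the latest hash is also recorded somewhere the administrator cannot reach, which is why the text above insists the trail be kept outside the reach of those it records.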
Finally, the cyber domain is an instrument of development and facilitates the welfare function of the democratic State, but it also gives anti-national forces a licence to indulge in mischief against the latter. Weapons of higher defence, including nuclear missiles, depend on complex cyber security systems that must be designed to be fail-safe.
In what is a new phenomenon, social media, a product of the Internet, is already becoming an instrument of combat and 'proxy war'. We live in times when a minimal understanding of cyber security issues is an essential component of 'being well-informed'; this is the mandate of the age for success in any sphere of work.
(The writer is a former Director of Intelligence Bureau. Views are personal)