Category: Cyber Security

Articles on cyber security

Featured

Traceability vs Privacy: The Real Issue is of Collective Security

Source: weforum.org

Societies have long realised the need to provide collective security for all to ensure sustainable development and prosperity. Providing collective security involved imposing some form of social control to regulate individual and group behaviour through gathering information about individuals. In the modern information age, a good government can ensure collective security through efficient use of information for law enforcement without necessarily encroaching upon individual privacy.  

Countries around the world have enacted laws to ensure that such information could be collected easily through various sources to help in achieving the wider societal goal of collective security. The US enacted the Stored Communications Act (SCA) in 1986 to require the internet service providers (ISPs) to provide content and metadata on stored emails to the government agencies under certain conditions. As this law soon became outdated due to rapid technological advances, the US passed the Communication Assistance for Law Enforcement Act (CALEA) that required the telecom companies to redesign their networks to facilitate wiretapping by the government agencies. Later, in 2005, it was expanded to cover ISPs and services like Skype, etc.   

UK and Australia have gone even further in enacting laws that require device makers and software developers to provide access to encrypted data. The Investigative Powers Act 2016 and the Investigatory Powers Regulations 2018 in the UK provide sweeping powers to the intelligence and law enforcement agencies to carry out both targeted and bulk interception of internet communications and hack into devices to access data. The Telecommunications Assistance and Access Act 2018 of Australia gives broad powers to the government agencies to require communication service providers (CSPs) to decrypt any communication.

The raging debate in India over the ‘traceability’ provision in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 must be understood in the context of the need for ensuring collective security as a social good. The rules require the significant social media intermediaries to identify the first originator of a message in India for investigation of grave offences relating to the sovereignty and integrity of the country, crimes against women and children, etc. that are punishable with a minimum prison term of 5 years.

Critics have claimed that this provision would seriously undermine privacy and force the intermediaries to break the end-to-end encryption. However, the rules make it very clear that what is required to be provided by the intermediaries is only the metadata about the first originator of the offending message, and not its contents.  The message itself needs to be provided by the law enforcement agencies to the intermediaries. There is no attempt to make them break any encryption. With such safeguards built into the rules, the provision cannot be termed as harming privacy. In fact, the rules place much less onerous obligations on the intermediaries for sharing information compared to what several other countries have mandated, as noted earlier.

The law and the evolving jurisprudence in this domain in India have provided strong safeguards for ensuring freedom of expression and privacy. The upcoming Personal Data Protection Bill aims to further enhance this legal framework for protection of personal data and online privacy subject to reasonable checks in the interest of collective and national security. John Locke, a famous 17th century philosopher and the “Father of Liberalism”, argued in his Second Treatise of Civil Government that individuals needed a strong government to be able to exercise their individual rights and liberties.  

There need not necessarily be a trade-off between privacy and collective security. Collective security is just as essential to make people feel safe and allow them to enjoy their privacy protections to function effectively as individuals.  The new IT Rules seek to achieve that larger social good.

(The above article appeared in The Economic Times on 10th October 2021. It is available at: https://economictimes.indiatimes.com/tech/catalysts/traceability-vs-privacy-the-real-issue-is-of-collective-security/articleshow/86721078.cms?from=mdr. The views are personal.)

India In The Global Cyber Security Market

Introduction

The cyberspace, comprising ICT networks, computer systems and mobile networks and devices connected to the Internet, is by its very nature borderless. A country’s cyberspace is an integral part of the global cyberspace. The increasing penetration of Internet, particularly in developing countries, is leading to exponential growth in cyberspace. The rapid growth in the ownership of smart mobile devices (mobile phones and tablets) that can access the Internet has added to the increasing expansion of cyberspace in the country.

The exponential expansion in the global cyberspace has raised very pertinent questions about its security. The success of the global Internet system can be chiefly attributed to its relative openness and low entry barriers. However, these very same factors are also partly responsible for the grave threats to the cyberspace in the forms of cyber espionage, cyber warfare, cyber terrorism and cyber crime (IDSA, 2012). As nations spend heavily on creating the necessary ICT infrastructure to bring more citizens online to derive benefits from social and economic development opportunities that the Internet provides, cyberspace is expected to face greater threats in the future. Cyber security has consequently acquired much greater importance today than in the recent past. Several incidents of cyber crime across the world have led to heightened awareness about ensuring cyber security. What are the opportunities and challenges that this scenario is likely to throw up domestically and globally? How can countries like India address the challenges and benefit from the opportunities in the domestic and the global cyber security market?  In this article, I attempt to answer these central questions.

The rest of the paper proceeds as follows. First, I discuss the main features of the global cyberspace briefly. Then I discuss the main vulnerabilities of the global cyberspace and how they pose a threat to its security. Next, I discuss the organizational and coordination challenges for cyber security. Then, I discuss the opportunities and challenges for the country in the domestic space for cyber security and then I present the opportunities and challenges for India in the global cyber security market. Finally, I conclude. 

The Global Cyberspace

To appreciate the opportunities and challenges in the global cyber security market, it is necessary to understand its size and nature in all its ramifications.  As per the latest estimates, the number of Internet users in the world has risen to over 2.7 billion in 2013 corresponding to nearly 40% of the world’s population (ITU (1), 2013). The active mobile broadband subscriptions stood at 2.1 billion in 2013. Globally, 750 million households, comprising 41% of the total, are connected to the Internet. The expansion of the Internet is projected to be on an unprecedented scale in the future with the advent of the Internet of Things (IoT) and the IPv6 protocol that would make possible virtually unlimited IP addresses.

Similarly, the expansion of the Internet is taking place at an exponential rate in India as well. The total percentage of individuals using the Internet in India has grown from a mere 3.95% in 2007 to 12.58% in 2012 (ITU (2), 2013). The total number of Internet users in the country is estimated at 164.8 million as on March 31, 2013 (TRAI, 2013). Out of these, 143.2 million users accessed the Internet through mobile devices.

Vulnerabilities of Cyberspace

As noted before, by its very nature, the global cyberspace is borderless and cannot be isolated to national or regional boundaries. One of the fundamental concerns on cyber security arise from the fact that the core Internet protocols are insecure and the expansion of Internet is taking place on the same insecure systems. The global explosion in mobile based Internet usage is increasing the vulnerability of the cyberspace.  As the Internet has become central to the social, economic and political life of citizens and nations, countries are investing heavily in establishing information and communications technology (ICT) infrastructure to bring more and more citizens online. Thus, protection of the critical ICT infrastructure has emerged as another major challenge in addition to securing the communications and transactions conducted over the Internet. 

The vulnerability of the cyberspace is already being exploited by both state and non-state actors (Marmon, 2011). The attacks in the cyberspace can be mounted by potential adversaries intending to inflict damage at social, economic or commercial interests. They can also be targeted at achieving political or military objectives. They are often aimed at weakening or crippling the critical ICT infrastructure of the adversary to cause denial of access to information and networks or to render them non-functional. In 2007, there were massive cyber attacks on Estonia aimed at disabling the websites of government ministries, political parties, newspapers, banks, and companies. The attackers, suspected to be from a major country with involvement of state actors, employed sophisticated cyber warfare techniques to disable Estonia’s critical ICT networks and e-government infrastructure (Traynor, 2007).

The nature of cyberspace makes it very difficult to identify the perpetrators of these attacks and makes it especially attractive for enemies who do not want to be engaged in conventional conflicts. There is no contact or physical action across the border and the attacking party can completely deny any involvement. The attacked party may not even be sure as to when and how to react. Both the state and non-state actors have developed capabilities to engage in cyber attacks for prolonged periods without being identified.

Organizational and Coordination Challenges in Cyber Security

There are some additional features of critical ICT infrastructure and cyberspace that merit discussion here. Cyber infrastructure is largely owned and operated by the private sector. However, ensuring cyber security involves a multi-agency and multi-layered effort involving both state and private agencies. This poses a significant organizational and coordination challenge for the agencies dealing with cyber security.

At an organizational level, cyber security is not merely a technological issue, but a management issue as well. This encompasses enterprise risk management and involves human, process reengineering, change management, legal, network and security aspects. While the private agencies are responsible for securing their individual pieces of the infrastructure, the seamless flow and exchange of information and inter-linkages amongst the networks make it essential to coordinate the entire effort through an integrated command and control entity that is accountable for cyber security. The roles and responsibilities of all the parties need to be clearly specified. There is a need for governments to establish the appropriate policy mechanisms and legal structures. While security investments made by the private industry take care of their individual corporate needs, they might fall short of the requirements to secure a national network-wide infrastructure. Thus, a pure market-based approach to ensure cyber security may not work. A key challenge in this regard is to provide for the additional investments that might be required to secure the cyberspace and the critical ICT infrastructure for the country. This might come from incentives provided to the industry to generate collective action in a well planned approach to secure the critical ICT infrastructure.

Lack of capacity at the executive and policy making levels within organizations is another major challenge in ensuring cyber security. There is a need for a focused approach to build capacities to deal with security incidents, deploy latest technological solutions, provide adequate training to all the relevant levels of employees and deal with process transformation and change management required to achieve this goal.

Opportunities and Challenges in the Domestic Market for Cyber Security

Before we discuss the opportunities and challenges for India in the global cyber security market, it is relevant to discuss the cyber security scenario and the emerging opportunities and challenges within the country and how the government and the industry can meet them and benefit from the opportunities. As India develops its ICT infrastructure in an effort to bring more and more of its citizens online through projects such as the National Optical Fibre Network (NOFN) and makes greater efforts to provide public services electronically through its e-governance projects, the risks for cyber security in the country are going to be much higher in future. It would also make the entire ICT infrastructure and cyber assets in the country far more vulnerable to cyber attacks from both state and non-state actors from countries inimical to India. Are we geared to meet these challenges?

The government has recently taken several steps to ensure greater focus on these issues within the country. It has recently notified the National Cyber Security Policy 2013 (DeitY, 2013) with the goal of addressing the cyber security domain comprehensively from a national perspective. The main goal of the policy is to make the cyberspace secure and resilient for citizens, businesses, and the government. The policy envisages the establishment of national and sectoral mechanisms to ensure cyber security through the creation of a National Critical Information Infrastructure Protection Centre (NCIIPC).  Computer Emergency Response Team (CERT-In) shall act as the nodal agency for coordination of all cyber security and crisis management efforts. It will also act as the nodal organization for coordination and operationalization of sectoral CERTs in specific domains in the country.

Though efforts are being made to create an effective policy framework to deal with cyber security in the country, there are areas where significant challenges lie in ensuring cyber security. I would like to mention e-governance as a specific case in point here. The country has put in place a separate core ICT infrastructure for e-governance consisting of state wide area networks (SWANs) and state data centres (SDCs) in each state and union territory. Common Service Centres (CSCs), run by private village level entrepreneurs (VLEs), act as the front end for delivery of these services in rural areas. Currently, over 100,000 CSCs are operational across the country. Recently, mobile governance has been implemented to bring all government services on the mobile platform. The National e-Governance Plan is the flagship programme in e-governance consisting of 31 Mission Mode Projects (MMPs) spanning across a large number of government ministries and departments both at the national and state levels. During the last seven years of its implementation, NeGP has achieved good success with 23 out of the 31 projects delivering services electronically to the citizens and businesses.

Though NeGP has succeeded well, ensuring cyber security has been a big challenge as it involves protecting critical ICT infrastructure such as SWANs, SDCs and the applications of various departments running on them. Though scheme specific guidelines have been issued and several states have made significant efforts to protect their cyber assets, there is a need for a comprehensive policy on cyber security in e-governance and ensuring uniformity in its implementation across the country. Application level security is another important domain where greater efforts are required to ensure security.

The scenario discussed above presents big opportunities for the government and the industry to address cyber security comprehensively. As the government moves forward to put a policy framework in place, the IT industry can develop appropriate technological solutions to address the cyber security requirements of the core ICT infrastructure and applications. Massive opportunities for the industry are also opening up in sectors such as defence and telecom where the needs for cyber security are more critical.

Opportunities and Challenges in Global Cyber Security

Protecting the cyberspace and the critical ICT infrastructure have emerged as major challenges globally due to the factors discussed above. The Internet has emerged as the central feature affecting the lives of billions globally through e-commerce, banking, travel, e-government, email, etc. With the emergence of smart technologies, a host of utility services such as water supply networks, electricity distribution, etc. are critically dependent on ICT networks. Electronic systems and communications play a key role in the operation of equipment in the defence sector.

What are the opportunities and challenges that such a situation presents before nations like India? To analyse these aspects, it is important to understand the key trends in emerging technologies and how they impact the security scenario in cyber space. In the following paragraphs, I discuss seven such key trends and explain how they present challenges and opportunities for the Indian industry globally.

The most important phenomenon that is driving the expansion in the usage of Internet worldwide is mobility. The advent of mobile devices has brought unprecedented numbers of users online and has consequently increased the risks associated with cyberspace as many of the mobile and tablet users may be first time users of Internet and may not be skilled enough to understand these risks. Expansion in the usage of smart phones and tablets has also brought into focus the security of the operating systems and the applications that run on them. As the usage expands, so will the attempts by hackers to break into these devices and steal sensitive personal and corporate information. While this poses challenges for the device manufacturers and OS developers, it presents great opportunities for the Indian firms working in the mobility domain. As India is known for its prowess in software development, developing security solutions and secure applications for the mobile world is an unprecedented opportunity globally that is just waiting to be grabbed.  

The second most important technology trend that is driving the ICT industry is the emergence of the cloud platform. While this phenomenon started emerging a few years ago, it is only now that it is maturing and the cloud based solutions are being deployed across a number of domains in business, industry and government. Ensuring proper security of applications and data on the cloud is a major challenge and its entire implications are still not clear. Even a few cloud failures can result in massive breaches in security and devastating loss of data for the users. As the cloud encompasses the entire gamut of infrastructure, platform, and software as services, developing security solutions for this platform presents the Indian industry with an outstanding opportunity globally. A related segment which also presents great opportunities is data centre operations and management. Another related phenomenon is the emergence of security as a service on the cloud. This is another space that offers good opportunities for Indian firms.

The third important trend that has emerged recently is that of use of multi-factor authentication to improve security. Just a simple password is not enough to ensure access to a host of applications and services in areas such as banking, insurance, financial transactions, government services etc. In India, already Aadhaar based biometric authentication has emerged as a new mechanism to authenticate the identity of users. This presents an excellent opportunity for the Indian industry to develop applications in this domain and address the security concerns.

The fourth trend that is causing significant impact on cyber security globally is the continuous morphing of hacker groups and individuals to maintain their anonymity. This poses serious challenges for the organizations and government agencies trying to secure cyber space as the attacks cannot be attributed to any specific entity. However, this situation also presents very good opportunities for the Indian industry to continuously evolve technologies that can help in unmasking the identity of these anonymous attackers. Active cooperation amongst government agencies and organizations internationally are required to achieve the desired objectives in this area. Efforts in this direction by agencies such as the United Nations are already going on and the issue of global cyber security is likely to come up at the 68th session of the UN General Assembly in September 2013 (United Nations, 2013).    

The fifth trend that is impacting the cyber security scenario is the increasing involvement of state actors in cyber war aimed at crippling the information and communication infrastructure of their targeted countries and crippling their social, economic, government and military activities. There is enough evidence of involvement of state actors in several recent incidents of cyber attacks (Marmon, 2011). Stuxnet is a case in point (Vijayan, 2012). This situation has emerged as a serious challenge for countries like India which are surrounded by several inimical neighbours. However, this also presents the country with a big opportunity to develop solutions to secure its ICT infrastructure and cyber assets.

The sixth emerging trend that will have a significant bearing on cyber security is the related issue of ensuring privacy and confidentiality of information pertaining to individuals and businesses. One of the motivations for cyber attacks is to gain access to or steal information that has commercial value or that helps the attackers to commit fraud with that information. To ensure privacy, effective laws and regulations need to be put in place to ensure what data can be used and shared and for what purpose. It also has bearings on where the data can be stored in servers. This is already a major concern in some domains such as healthcare, where privacy and security concerns about hosting and sharing health data are very significant. As India is the world leader in IT services outsourcing business, this offers a big opportunity for the Indian government to put in place effective policies to assure the international community that the country respects the concerns on privacy and confidentiality of data. The Indian industry should exploit this opportunity in a big way to get a bigger share of the worldwide market in IT and IT enabled services.

Lastly, there are greater efforts being made now internationally at multilateral level to address the global concerns on cyber security. Recently, the international Group of Governmental Experts, representing 15 countries including India, has submitted a report to the United Nations secretary general on enhancing cyber security globally (United Nations, 2013). International cooperation in cyber security presents great opportunities for India to spearhead and lead the efforts to build global consensus around the approaches to address the issues. It would also open up tremendous opportunities for the Indian industry to develop and showcase its capabilities to offer technical solutions to deal with the threats.

Conclusion

Cyber security has emerged as one of the most important concerns internationally due to the enormous damage that cyber attacks can cause to the core ICT infrastructure and information assets that are central to the social, economic and political life of nations, citizens, and businesses. As the attackers can disguise themselves easily and their real identities are very difficult to ascertain, it is even more incumbent upon the stakeholders involved to take urgent measures to ensure cyber security. While India has recently taken a number of steps to enhance the security of its vital ICT infrastructure and cyber assets at the national level, specific domains such as e-governance, telecom, defence, etc. need specific strategies to deal with cyber security more comprehensively. Globally, a number of countries are grappling with similar issues and are stepping up efforts to enhance cyber security within their territories. Efforts are also on at multilateral level, such as the UN, to deal with the issue comprehensively and formulate strategies that can succeed in addressing the concerns globally. As India is known worldwide for its IT prowess, this scenario presents great opportunities for the country to lead the efforts internationally to build consensus around approaches to address cyber security globally. It also presents tremendous opportunities for the Indian IT industry to develop technical solutions to deal with the threats and secure the ICT infrastructure and the cyber assets both in the domestic space as well as internationally.

References

  1. DeitY. (2013).  National Cyber Security Policy. Department of Electronics and Information Technology (DeitY). Accessed August 25, 2013 from: http://deity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20Policy%20%281%29.pdf
  2. IDSA. (2012). India’s Cyber Security Challenge. IDSA Task Force Report. Institute for Defence Studies and Analysis (IDSA). March 2012.  Accessed August 9 from: http://idsa.in/system/files/book_indiacybersecurity.pdf.
  3. ITU (1). (2013). The World in 2013. ICT Facts and Figures. International Telecommunications Union. Accessed September 18 from: http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013.pdf.
  4. ITU (2). (2013). Statistics. Time Series by Country. Percentage of individuals using the Internet. International Telecommunications Union. Accessed September 18 from: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx.
  5. Marmon, W. (2011). Main Cyber Threats Now Coming From Governments as “State Actors”. European Affairs. November 2011. Accessed September 15, 2013 from: http://www.europeaninstitute.org/EA-November-2011/main-cyber-threats-now-coming-from-governments-as-state-actors.html
  6. TRAI. (2013). The Indian Telecom Services Performance Indicators, January – March 2013. Telecom Regulatory Authority of India (TRAI). Accessed August 25 from: : http://www.trai.gov.in/WriteReadData/WhatsNew/Documents/Indicator%20Reports%20-01082013.pdf.
  7. Traynor, I. (2007). Russia accused of unleashing cyber war to disable Estonia.  The Guardian. 17 May 2007. Accessed September 17 from: http://www.theguardian.com/world/2007/may/17/topstories3.russia.   
  8. United Nations. (2013). Developments in the Field of Information and Telecommunications in the Context of International Security. Accessed September 16, 2013 from: http://www.un.org/disarmament/topics/informationsecurity/.

Vijayan, J. (2012). Government role in Stuxnet could increase attcks against US firms. Computerworld. June 2012. Accessed September 19, 2013 from: http://www.computerworld.com/s/article/9227696/Government_role_in_Stuxnet_could_increase_attacks_against_U.S._firms?pageNumber=1

(The above article was published in Seminar, October 2013. It is available at: http://www.india-seminar.com/2013/650/650_rajendra_kumar.htm).