New Delhi: In the last 12 months, some 10 Indian government ministry websites have been targets of cyber attacks. Recently, security experts with Boston-based Core Security Technologies said such attackers could “gain control of countries’ water treatment plants, natural gas pipelines and other critical utilities”.
At the same time, a number of online privacy concerns have surfaced. MediaDefender, a system designed to spot and prevent copyright infringement, has come under fire for crippling networks for alleged piracy. In August 2007, Comcast, the second largest Internet service provider, or ISP, in the US, had drawn flak from advocacy groups for “actively interfering with Internet traffic”, choking bandwidth to file-sharing networks such as BitTorrent. In a phone interview, Howard Schmidt, an information networks expert and a senior cyber-security adviser in the Bush administration, talks about the growing concern over surveillance and monitoring on the Internet. Edited excerpts:
In information security, is there a trade-off between privacy, as an end user, and security, in terms of more secure systems and networks?
In the past three or four years, we’ve started realizing that security and privacy are two sides of the same coin. With current cybercrime, the target is a user’s data and, therefore, in a lot of cases, the security and privacy folk have to work together.
Growing concern: Howard Schmidt, senior cyber-security adviser for the Bush administration and an information networks expert.
The second part — surveillance and monitoring — has been a particularly troublesome area, where we start looking at the government’s role in what they consider to be protection, and what citizens look at as protecting their own privacy. Some of this depends on the society, the culture, and the country. In central Europe, the legal framework puts privacy as a priority above many other things. And there are countries in North Asia, for example, that make it clear that surveillance and monitoring will be routine.
What kind of legal framework would be necessary to fix instances such as ISPs shutting down file-sharing networks, and throttling bandwidth, irrespective of what legitimate uses a network might have?
I don’t think we’ve quite figured that out yet. We are seeing a tremendous debate now about the concept of net neutrality (the principle that all content on the Internet is treated equally, and should not be tiered, or layered. ISPs, as per the principle of net neutrality, cannot offer paid, “premium” services to favour one kind of content over another).
But this becomes both a business issue, and a matter of principle. Some broadband providers are now saying we want to charge more and exercise greater control, while others say net neutrality is the way to go. There have been attempts to create a legal framework, but I don’t think a US solution, or an EU (European Union) solution, or a China solution is going to work.
A part of the solution may come from the work that ITU (International Telecommunication Union, a specialized agency of the United Nations that deals with standardizing telecom practices) (does) to determine what’s going to be most fair and most balanced.
How important is information security for a country such as India?
I think it is particularly important for a country like India because it will help differentiate the market here versus the market in the rest of the world. If India becomes known as the nation with the most robust, secure, protected network infrastructure, that’s going to do a lot for the economy.
When you have one isolated incident of someone stealing documents from, say, a call centre, it is magnified beyond what it should be, even though the same thing happens worldwide. It gives people ammunition to say, “No, we shouldn’t trust Internet technologies, or we shouldn’t trust people based outside this geographic region.”
Do you see a cyber attack having the same impact, say, as the 9/11 terror attacks in the US?
I think it’s really difficult to compare the two of those, whether a cyber 9/11 is possible — but when we look at the death and destruction caused in a real world attack, I don’t think we can compare the two.
The way I try to answer this is that we tend to look at cyber attacks as “disruptive,” and not “destructive.” We think of some regions in the world that have dependence on ICTs — whether it’s power systems or transport. But these critical systems are built in a way to ensure only “disruption” and not “destruction.” We’ve come a long way, and today we are able to identify attacks early, mitigate them quickly and recover from them fast as well.