Building a robust and resilient cyber system
With weapons stolen from the government, a group of belligerents begin to unleash anarchy on citizens worldwide and plan to get rich in the process—until a young man accidentally finds the kill switch to destroy their plans. Will he be able to stop them and save the world? This may sound like a Hollywood thriller but it is, in fact, a summation of the worldwide cyberattack that took place less than a fortnight ago. One group of hackers (only to be imagined in dark hoodies) picked up cyber tools stolen by another from America’s National Security Agency, and then effectively “weaponized” them to hold hostage millions of computers across the world. Users, mostly using older versions of the Microsoft Windows software, were locked out of their computers—and told to pay a ransom in bitcoins if they wanted to get back in.
Though the attack was contained soon enough, the ransomware still managed to infect hospitals in Britain, the rail system in Germany, factories in France, mobile phones in Spain, banks in Russia, universities in China and a multinational courier delivery company in the US. India was reportedly one of the worst-affected countries although, notably, no major mass disruptions were reported. As for the hackers, they made a paltry sum of about $100,000 in bitcoins, which they are unlikely to be able to access anytime soon.
For now, one can take comfort that this was quite the anti-climax—this is real life after all, not Hollywood—but there’s no looking away from the fact that this attack could have been much worse had it, for example, not been designed to extort money but to actually take down critical infrastructure systems, high-value military targets or even nuclear installations. Indeed, there have already been such attacks and security breaches, going back to the 2007 intrusions in Estonia that shut down the national government, the 2009 attack on US government websites, the 2010 Stuxnet attack that crippled Iran’s nuclear programme, the 2013 attack on banks and a TV station in South Korea amid tensions with North Korea, the 2014 attack on Sony Pictures Entertainment, and the cyber heist last year at Bangladesh’s central bank. Yet, as this latest attack testifies, the world is still playing catch-up and several vulnerabilities remain.
Worse still, these vulnerabilities will continue to grow as our daily lives are further integrated into the cyber arena. Already, more things are connected to the Internet than people, according to Cisco, while a 2014 study by Hewlett Packard found that 70% of Internet of Things devices contain “serious vulnerabilities”. Similarly, while self-driving cars have created a buzz on the one hand, on the other, the Federal Bureau of Investigation has issued cautionary notes on over-the-Internet attacks on self-driven vehicles.
The situation is arguably worse in developed nations which are far more dependent on the Internet—for example, last year hackers broke into a US water supply company and manipulated its water treatment systems—but developing countries, including India, can hardly afford to be complacent. After all, if cyberattacks in previous years could lead to huge monetary losses, today they can cost lives.
Yet, traditional security concepts and frameworks have struggled to adapt in the cyber arena. And so it is that even in this increasingly hyper-connected digital world, wherein the lack of cybersecurity is a real concern, posing an imminent threat to the life and well-being of citizens, few states take direct responsibility for the cybersecurity of civilian assets. This includes not just critical infrastructure networks such as power lines and stock markets but also individuals and business organizations.
And if that wasn’t enough, cybersecurity brings with it all the challenges of sub-conventional warfare and amplifies them. Think of how difficult it has been to pre-empt lone wolf attacks or establish deterrence against jihadi terror groups. In the cyber realm, it is equally difficult to trace and track the enemy; and even when one is neutralized, several others appear in no time.
Fighting this hydra-headed monster is a challenge, to say the least, but it is one that must be tackled head on. The state, of course, has to take on a greater responsibility but it alone cannot secure our lives. This has to be a collective effort involving all stakeholders—industry, academia, foreign partners and private individuals.
A good starting point is the three-layered Israeli strategy that goes beyond security to build a cyber system that is robust, resilient and has strong defence capabilities. Think of the country’s IT infrastructure as a human body. At the first level, the body needs a robust immune system to protect it from everyday attacks without disrupting the flow of work. Here, individuals are responsible for their personal hygiene and vaccinations—which in cyber terms means updating security systems and changing passwords. Still, no matter how robust the immune system, individuals will fall sick at some point and will have to be taken to hospitals. This is the second level—that of building resilience. Think of the Indian Computer Emergency Response Team as the cyber equivalent of the Centers for Disease Control and Prevention in the US. The third level is that of national defence, wherein there is a direct threat to the state and its citizens. The government takes the lead role here but, importantly, its success depends on the robustness and resilience of the system as a whole.