Last week, I had the opportunity to attend a major annual conference of information security officers from different industries in India. I have been attending such events over the last five years and it is fascinating how the threat scenarios discussed in these forums have changed during that time. And frighteningly so. Until a few years ago, the biggest threats hinged around wannabe hackers, nerdy kids and to some extent, practitioners of corporate espionage. We generally talked about how intellectual property rights could be stolen or mails hacked. On more private levels, how criminals ranging from perverts scouting their victims (usually children) to burglars “casing the joints” could use the Internet to solicit or identify potential targets. But in the last few years, those scenarios have paled in comparison to what the state, corporates and private citizens could be subjected to. Welcome to the age of cyber-terrorism and cyber-war.
On the afternoon of 5 November, Nidal Malik Hasan stormed out into the Fort Hood military base in Texas and gunned down over 40 soldiers, killing 13 and injuring 30, before he was shot down. Horrific though this incident was, it was by no means a new one, except for some startling facts. Firstly, Nidal Hasan was a serving US Marine major and posted to the base as a psychiatrist; so not only was he one of the ‘good guys’, he was also an educated and trained government soldier. Secondly, investigations of his emails and browsing patterns have revealed that he was probably influenced and indoctrinated by radical fundamentalists who leveraged his Palestinian descent and personal disapproval of the US invasion of Afghanistan and Iraq to motivate him to become a terrorist, using the Internet.
While this may have been one of the more dramatic instances of proliferation of fundamentalism through the Internet, it is a no-brainer that radical elements will resort to this ubiquitous channel to propagate their cause. The Internet is free, unfettered, incredibly difficult to monitor and a truly global resource. In many ways, this strategy creates what in military parlance is called a “turning move”, because instead of attacking the strong part of the defences, the enemy turns away from them and hits from a totally different dimension, thus making barricades ineffectual.
Extrapolate this into the following actual scenarios. Radicals are casting their recruitment drive by creating underground websites preaching their cause and the alleged atrocities of the establishment. Impassioned rantings, first-person accounts of unjust persecution and doctored videos of atrocities are used to inflame and incite potential recruits. Those who visit such sites regularly, or profess sympathy, are shortlisted and “handlers” are assigned to them. These handlers initiate personal contact through emails or chats and slowly but steadily recruit candidates into the fold, who are then subjected to brainwashing, cajoling, and finally, to direct action. This could be in the form of bombing, sabotage, espionage and assistance to other radical members. Or, as in the case of Nidal Hasan, using the very training that he had been given and the access he was entrusted with, to kill his fellow soldiers.
In August last year, Russia attacked Georgia over the disputed territory of South Ossetia. This border dispute was also a harbinger of a new weapon system. While the Russian forces were mounting their operations, they were assisted by a large number of pro-Russian individuals. Websites cropped up in support of a cyber operation, ‘StopGeorgia’. Essentially, these sites had software downloads and instructions on how to use them. Any pro-Russian individual could simply enter the address of a Georgian website and block it out. As armed hostilities intensified, these denial-of-service attacks became overwhelming and effectively blocked out Georgia’s capability to give out their side of the story, ensuring Russia’s domination of public opinion—an essential part of any war. The interesting aspect is that Russia’s conventional forces were far superior to anything that Georgia could have confronted them with. Yet, the usage of the Internet as a weapon of war was proof of the Internet’s power as a force multiplier.
And here is a third scenario. The Indian information technology and telecommunications networks are expanding rapidly, in both the private and public sectors. E-governance programs, communication grids and the explosion of cellular and financial services need millions of devices such as routers, switches, automated teller machines and point-of-sale units. All organizations, especially the public sector, are understandably cost-conscious and look at the most economically efficient set of products while awarding such turnkey projects. It turns out that devices made in China or the Far Eastern countries win hands down on price.
Consider yourself in the shoes of the Chinese generals. Here is an opportunity to seed the entire Indian electronic, telecommunications and Internet grid with devices made by state-funded and state-run companies—devices that are essentially black boxes to Indian buyers. Devices that can have Trojans coded into them so that they could be controlled or shut down at will by a secret command. So, if all they have to do is to make sure that their devices are the lowest in price, which they can by spending a few hundred crores, wouldn’t that be a brilliant return on investment?
It is past time for India to develop a concentrated doctrine on cyber-defence and a strategic plan that dovetails the security of public and private networks. Because the ubiquitous and federated nature of the Internet makes it impossible to be state guarded, this has to be a collaborative initiative between the state, private sector and individual citizens.
Raghu Raman is chief executive of corporate risk consulting firm Mahindra Special Services Group that advises companies and organizations on threat assessments and risk mitigation strategies.
Respond to his fortnightly column at email@example.com