We must strengthen social trust for truly effective cyber security4 min read . Updated: 20 Dec 2020, 09:26 PM IST
Information-sharing among various stakeholders under a clear set of rules is vital for the country to stave off cyber threats
Had it not been for over-ambition or arrogance on the part of the hackers—allegedly linked to Russian intelligence agencies—in attacking FireEye, a leading private cyber-security firm, it might have taken the world longer to discover that thousands of government bodies, corporations and even think-tanks around the world had been compromised for months. The culprits had gotten into the target networks by compromising the software update servers of Solarwinds, exploiting the vulnerabilities in the global information technology (IT) supply chain. As the world was dealing with the covid-19 pandemic, the hackers installed back doors, exfiltrated data, and perhaps planted other mischief that we are yet unaware of. The primary targets appear to be in the United States, but systems in several other countries, including India are potentially affected.
The operation was more cyber espionage than a cyber attack. Countries spy on each other all the time with every means at their disposal, and in that sense, this episode is no different. Yet, the scale, sophistication and brazenness of the operation alerts us to the level at which the old spy game is now being played. It went undetected for almost ten months in a country that possesses among the most advanced cyber security and intelligence capacities in the world. Indeed, seeing how the perpetrators were prepared for their operation to be exposed by taking on FireEye, it is reasonable to believe that they have more sophisticated tricks up their sleeve.
There are three major implications of this, and none of them is new. First, some nation-states have very strong cyber attack capabilities and use them fairly readily in a world where large-scale conventional wars have become less likely. Moreover, in the unsettled world order of our times, the cyber domain is especially anarchic, which means that the “cyber strong can do what they can, and the cyber weak must suffer what they must." It also permits extreme asymmetry, enabling small countries like Israel and Singapore, or regimes like North Korea, to wield vastly disproportionate power within the domain.
While both governments and private firms are attempting to create international law and norms to govern behaviour in cyberspace, such efforts are unlikely to be effective because cyber strategy itself is a work-in-progress. We understood nuclear strategy—that it is about deterrence—only decades after the first use and deployment of nuclear weapons. Similarly, we are yet to figure out how strategy works in the cyber domain. In the meantime, we are trying to apply concepts like deterrence and forward defence from our understanding of traditional physical conflicts to cyber threats, and hoping that something works. It is only after humankind understands cyber strategy that it will be possible to arrive at effective international laws and norms.
The second implication of the Sunburst attacks is that in the meantime countries need to focus on cyber defence on an ongoing basis. Investments in cyber security discourage lower-grade attackers and diverts them to seek softer targets elsewhere. This in turn means that Indian networks must be as well-defended as their foreign peers, as relative weakness will make us more attractive targets.
Third, cyber security and cyber defence require the government, private sector, academia, civil society and citizens to collaborate intimately in a non-hierarchical, networked fashion. The secret sauce of this recipe is trust. Unfortunately, this is in short supply in India. We can declare cyber strategies, create formal structures, appoint experts and allocate budgets, but unless there is trust among the players, our cyber defences will remain weak. That’s because information sharing is the bedrock of cybersecurity, and can only take place in an atmosphere of mutual trust.
To create trust, we must clearly define rights, legal roles and responsibilities of the government, private sector and citizens, and scrupulously respect them. The informal and often legally-questionable interactions between law enforcement, intelligence, private companies and citizens must make way for formal and legally well-defined ones. A privacy law is crucial in this respect, for it clarifies the boundary between individual rights and national security. Let us be clear: Without strong privacy and data protection laws that keep both corporate and state power in check, cyber security will be an elusive goal.
Cyber defence is truly a national endeavour in that everyone has a role to play. It calls for civil- military cooperation at an unprecedented scale, requiring the government to have “tentacles" in telecom and private networks. A truly national cyber defence architecture will require cyber security personnel and equipment to be embedded across public, private and academic networks. Without a legal mandate and clear boundaries, such a system will quickly become a dystopia. In other words, in the context of liberal democracies, civil-military collaboration requires unambiguous civil-military separation.
Nitin Pai is co-founder and director of The Takshashila Institution, an independent centre for research and education in public policy