Discussion of Information Technology and Communications Security
Rear Admiral (Retired) Raja Menon and Kumar Patel
Discussion moderators Raja Menon and Kumar Patel agreed that India will face new and graver challenges to its information technology (IT) and communications sector as it grows more sophisticated. They also seconded the observations of Seymour Goodman and N. Balakrishnan that it is important to distinguish between hackers and defacers who have a variety of motives.
Menon and Patel asked a series of questions, to which the presenters offered answers, with others joining in the discussion as noted.
The first question asked was, can a state retain its technological advantage over terrorists, and how does it convert its technological superiority to practical use?
Goodman answered by saying that the state–terrorist relationship was extremely asymmetrical. While the state, because of its capacity, has a huge technological advantage over terrorists, the problem is that the kinds of nonlinearities associated with what terrorists do in cyberspace give leverage to those with relatively little technical capability. It is going to be very difficult to overcome this because nonlinear leverage has always been thought of as one of the great advantages of the networks. It gives a small number of relatively weak people extensive access to a lot of information, each other, potential recruits and sympathizers, and prospective targets. There is also a negative aspect of tightening access against terrorists or other malicious users more generally because it would compromise access and privacy for many, many more “good” users.
POLICING AND JURISDICTION
Several participants raised the issue of policing the Internet, and also of jurisdiction when tracking down cyberterrorism and bringing attackers to justice. It was noted that in India, the IT act is not intrusive, but Internet service providers (ISPs) are statutorily bound to provide adjacent space for intelligence agencies. Canada, the United Kingdom, and Germany have introduced laws that would restrict the freedom of the Internet. The question of the adequacy of technical methods to police the Internet was raised, and whether a certain level of compulsion can be introduced, since companies were most reluctant to move in this direction. It was also asked whether there are other models of cybersecurity, perhaps derived from industry practices or from the quality assurance model.
How do India and the United States compare or differ in their vulnerability to cyberattack? Does India need a critical infrastructure assurance group or infrastructure protection agencies?
Balakrishnan’s response was that the problems in India and the United States are completely different. If you walk into an airport in India it is not uncommon to find that the computers are down and that they have switched to manual procedures. India now has an unreliable network, although it is not that poorly designed. Because of a variety of other infrastructure issues, sometimes the machines become unreliable.
He added that India’s international gateway bandwidth is much smaller compared to its national backbone bandwidth, whereas in the United States, both are comparable. A campus such as Carnegie-Mellon University (CMU) has an Internet connectivity of about 3.5 gigabytes (GBytes), and the U.S. backbone is of the same order. In other words, CMU is the Internet. In India the Internet is completely different from the Indian network, and only a thin pipe connects the two, so it is not possible to take over the bigger network—India’s system has an advantage as well as a disadvantage.
Is there a cause-and-effect relationship between cyberattacks and world events?
Balakrishnan’s response was that cause and effect were actually like transformers; one is a transformer of the other, and very often, unless we also do a deeper study of the violation of the causality principle, it is very difficult to say which came first. However, he continued, what we know is that within a window of 1 week to 10 days, both of them peak. We cannot say that if cyberactivity increases, tomorrow morning there will be a terrorist attack, but a week’s time is a more reasonable prediction that activity will rise in both of them. This has been seen in several serious analyses of maps, methods, and so on.
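The claim above, that two event streams peak within a 7 to 10 day window of each other without either being clearly the cause, is the kind of statement an analyst checks with a lagged cross-correlation: slide one daily-count series against the other and record how well they line up at each offset. The following is an added example, not code or data from the workshop; both series are constructed for illustration (the physical-incident series is deliberately built to trail the cyber-activity series by seven days, with a few unrelated events mixed in), and the function names are the author's own.

```python
"""Lagged cross-correlation between two daily event-count series.

Added example (not from the workshop summary): a minimal way to test a
claim such as "both series peak within a 7-10 day window" is to slide one
series against the other and record the Pearson correlation at each lag.
All data below is constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed daily count of observed hostile cyber activity over 40 days,
# with two bursts (around days 10-13 and 26-28). Not real measurements.
CYBER = [2, 3, 2, 3, 2, 3, 2, 3, 4, 6, 12, 18, 15, 9, 5, 3, 2, 3, 2, 3,
         2, 2, 3, 2, 3, 5, 10, 16, 13, 7, 4, 3, 2, 2, 3, 2, 3, 2, 3, 2]

# Constructed daily count of physical incidents: built to trail CYBER by
# seven days at roughly one third the volume, plus a few unrelated events
# (days 3, 22 and 37) so the relationship is not perfect.
PHYSICAL = [0] * 7 + [c // 3 for c in CYBER[:len(CYBER) - 7]]
for noisy_day in (3, 22, 37):
    PHYSICAL[noisy_day] += 1


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be the same length and have >= 2 points")
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def lagged_correlation(x, y, max_lag):
    """Map lag -> correlation of x[t] with y[t + lag].

    A positive lag means y trails x: events in y happen `lag` days after
    the matching events in x. Negative lags test the opposite ordering,
    which is how one checks "which came first" rather than assuming it.
    """
    result = {}
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            xs, ys = x[:len(x) - lag], y[lag:]
        else:
            xs, ys = x[-lag:], y[:len(y) + lag]
        result[lag] = pearson(xs, ys)
    return result


def best_lag(x, y, max_lag):
    """Lag at which the two series line up best (highest correlation)."""
    corr = lagged_correlation(x, y, max_lag)
    return max(corr, key=corr.get)


def lags_near_peak(x, y, max_lag, fraction=0.8):
    """Lags whose correlation is at least `fraction` of the peak value.

    This is the 'window' the discussion refers to: the range of offsets
    over which the two series still move together, rather than one day.
    """
    corr = lagged_correlation(x, y, max_lag)
    peak = max(corr.values())
    return sorted(lag for lag, r in corr.items() if r >= fraction * peak)


if __name__ == "__main__":
    print("best lag (days):", best_lag(CYBER, PHYSICAL, 14))
    print("window of lags near peak:", lags_near_peak(CYBER, PHYSICAL, 14))
```

Reading the output: a positive best lag says the second series trails the first; a strong correlation at a negative lag would say the opposite. Either way, a correlation peak only shows that the two streams move together at some offset, which is exactly the point made above that it does not by itself establish which one is the cause.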
As for the absence of suicide bombers in cyberspace, Balakrishnan noted that the problem is not only are there no suicide bombers, attackers’ identities are also unknown, giving them a phenomenal advantage. In this respect, it is instructive to compare Indian and U.S. law. Whenever you talk about damage, you talk about two things: time and jurisdiction. In India the jurisdiction is related to the place where the damage has occurred; thus, if a house is bombed, the case will go to a local court, whereas in the United States, if there is any damage to U.S. property, it will be tried in a federal court. Balakrishnan noted that under Indian law, if he hacked a Pakistani site, he would go to jail, but if a Pakistani hacked an Indian site, nothing would happen because he is not covered by Indian law, which is incompatible with the question of jurisdiction and borderless crime.
Lewis Branscomb noted that the jurisdiction problem was very difficult, but that for terrorism it really mattered because we want to capture the terrorist. A terrorist is not a cybervandal or a fraudster from a remote country, but it is physically difficult to apprehend somebody not in your own country. Branscomb noted a precedent in civil aviation hijacking, when the world decides not to tolerate a particular act and defines it as a crime. In civil aviation it is called interfering with airport and aircraft operations, and the political judgment is taken out of the hijacking issue. Airplane hijacking was a terrible problem in the 1970s, a hijacking every week or so, sometimes more than that. This became such a threat to civil aviation and to states’ economies that almost 174 nations agreed to a sequence of treaties that universally declared hijacking a crime. There is something similar with extradition for murder; everyone recognizes murder as a common crime, and there are extradition agreements that bring people to justice.
Branscomb asked whether we could define a core subset of acts against cyberinfrastructure that the great majority of states would agree are crimes, and agree to cooperate in prosecution and punishment. The situation is complicated because not only can somebody from Pakistan attack somebody in India, but someone in Pakistan can go through 28 different countries and attack people in both India and the United States. No country is capable of physically locating and apprehending that person on its own. Branscomb stated that this was an example where near-universal international cooperation is absolutely necessary and feasible.
What about attacks on bandwidth?
Goodman answered that there were basically two ways to attack bandwidth. One is to clog it up, and the other is to remove parts of it. There were instances where there were such successful attacks that hundreds of millions of dollars in losses were attributed to them. Goodman noted that these were for short periods of time, and most of the losses were not lost transactions but delayed transactions; however, some technically knowledgeable people believe that serious, extended, sustained follow-up attacks are possible, and that this would seriously cripple bandwidth for extended periods of time, but so far this has not happened.
What about attacks for financial gain or to gain access to government intelligent networks?
Balakrishnan suggested that the billions of dollars lost worldwide to hacking can be classified into two categories: denial of a potential gain and actual theft of money. Together these constitute financial loss. In India, neither of them is possible. There is little e-commerce, with few Web transactions; if they fail there is still a parallel mechanism, simply using a phone. But in the United States, where many of the e-commerce Web sites are located, jamming these sites for about 2 hours leads to a loss of business, as the customer moves on to some other site. However, Indian insurance laws are very lax compared to U.S. laws, so if somebody steals from a credit card, there is still a loss to the holder of the card.
As for access to government intelligence networks, Goodman stated that he did not really know; government intelligence communities are even less likely than banks to report when they have been attacked. However, many intelligence systems have safety gaps, and are not connected to the kinds of networks that terrorists can access; terrorists might be able to access things that are considered to be of relatively limited value in loss if they are compromised. Terrorists are certainly looking around, trying to learn how to build weapons of mass destruction, and they seem to be collecting information (floor plans for buildings and so forth) on how to attack various kinds of infrastructures. In the end, most intelligence agencies are compromised in the worst way by insiders, and Goodman said that he suspected that there were such activities going on also in South Asia.
Questions were posed about the acceptable cost of cybersecurity, that is, what is minimally acceptable, and how to measure cost not only in dollars and rupees, but also in inconvenience to system or Internet users. In response, Goodman observed that states could force the private sector to do better, but that it was a complicated issue. The United States has tried to put together national cybersecurity strategies, but was criticized because it did not put much pressure on the private sector, which includes most of the actual owners and operators, to improve their cybersecurity. There is also the criticism that there has been little substantive public input, even though individual private users make extensive use of various security products; the two criticisms may be related. Goodman noted that one real problem is the very diversity of the private sector; it has very different cyberspace needs and capabilities, and it is not evident what the government could insist that either the entire private sector or some subclass of it could actually do. Further, the government itself was reluctant to make demands on the private sector when it did not know exactly what to demand. This is what happened with Y2K, although one of the steps the government took that was cheap and apparently effective was to have the Securities and Exchange Commission insist that companies listed with it report to their stockholders on what they were doing to mitigate the Y2K threat.
Regarding quality assurance models, Goodman’s judgment was that not only quality assurance but also such things as insurance have both distributed risk and raised standards in sectors such as home, auto, and fire insurance, but no one has been able to think of good models for cyberrisk. In that context, what little you see of cyberinsurance in the United States tends to be in the form of insurance with very limited coverage and very high premiums because the insurance companies do not know what to do, in the absence of good data; they are experimenting, but experimenting on the side where any errors are likely to favor them.
In replying to the specific question of what is an acceptable cost for cybersecurity, Goodman stated that nobody really knows, in part because cost issues are very complicated. Cost is not just a matter of dollars or buying more software; it includes people’s time. There are now so many kinds of low-level attacks taking place that staff in computer centers typically spend about one-quarter of their time trying to deal with them, even in relatively low-interest targets such as universities.
Goodman continued that adding security is also a functional problem. What does adding security mean? Does it mean looking at your customers more closely, limiting their access? That is a cost. Does it mean vetting your own employees to reduce prospective insider problems? That is a cost. Doing a lot of checking in real time or near-real time reduces speed. Adding more security functions might squeeze or retard the kinds of functions that your organization really wants out of its cybersecurity. The bottom line seems to be that, for now, most organizations are taking the risk of attack. They are doing more, but perhaps not enough to keep up with the risk and the threats, or to eliminate the vulnerabilities that they might be able to eliminate.
Goodman also noted that in matters of cost and security, the U.S. government was no paragon of virtue; many parts of it have been found desperately wanting. The reasons such agencies as the Departments of Energy, Homeland Security, and Defense, and others, have not been able to do much are cost and lack of expertise. Even if you want to do something, do you have somebody who can do it?
Goodman and Branscomb also elaborated on the “Orange Book,” promulgated by the National Security Agency, which was supposed to deal with software acceptability and security. Goodman noted that it never became a popular resource, possibly because it was written before networking pervaded the industry. Branscomb elaborated on this, noting that the Orange Book was intended to establish levels of provable or demonstrable security in large operating systems in big computers. IBM never managed to make a computer that would qualify at the highest level, and in any case did not have the incentive to do so, even though the government would have wanted to purchase such a computer. In those days IBM’s biggest customers were large financial institutions, insurance companies, banks, and the like, and the banks were so accustomed to accepting 2 or 3 percent defalcations (or embezzlements) as the cost of doing business that they had concluded it was cheaper to absorb those losses than to spend the extra money to ensure every teller was honest. They treated computer fraud the same way. There is thus no market for secure systems for commercial applications; companies can absorb small losses. Branscomb concluded by noting that the reason there is so little government research funding for academics to study how to build secure operating systems is that the number of universities that formally train people in this field is very small, and in general they are not considered excellent. This, he said, was a serious problem, and reflects the fact that our intellectual investments are influenced by a market economy.
Regarding U.S.-Indian cooperation, Menon summarized some of the ongoing cooperative mechanisms between the two countries. These included the U.S. Department of State’s Bureau of Political and Military Affairs, White House Office of Cyber Security, National Communication System, Department of Defense, White House Office of Science and Technology, National Infrastructure Protection Center, Critical Infrastructure Assurance Office of the Department of Justice, Carnegie-Mellon University, Defense Advanced Research Projects Agency, and Idaho State University. In India there is the National Security Council staff, which is the coordinating agency, the Intelligence Bureau, Navy, Army, Air Force, Ministry of Defense, Central Bureau of Intelligence, Department of Transportation, the Center for Artificial Intelligence and Robotics, and the Department of Information Technology. These entities have formed four task forces: (1) legal cooperation and law enforcement (under the joint chair of the National Infrastructure Protection Center and the Indian Intelligence Bureau); (2) information security standards and research and development (under the joint chair of the White House Office of Science and Technology and the Department of Information Technology); (3) information infrastructure protection (chaired by the National Informatics Center and the National Communications Center); and (4) defense cooperation between the Indian Army and the C3I Directorate of the U.S. Department of Defense. Menon observed that this cooperation was less formidable than it sounded because the United States was years ahead of India in many fields; further, while many of the U.S. organizations are statutorily tasked with certain responsibilities against terrorism, including cyberterrorism and infrastructure protection, this is not so in India, which has some way to go.
This point was reiterated by Roddam Narasimha when he noted that the United States and India have different IT and communications infrastructure vulnerabilities, because they are at different stages of using networks. The Indian system is still less network dependent, so parallel mechanical systems are still operational. Yet there is widespread agreement that in both countries the vulnerabilities are very great and cybersecurity is still weak. This is one area where in order to ensure greater security, international cooperation is essential, although the mechanisms for doing this are not yet strong.