The cyber security conundrum

The success of the Information Technology Revolution – 1991 is accepted as the cut-off year for this transition since in that year, investment in the IT sector exceeded that in the industrial sector for the first time in the US – marked the advent of the Age of Information as the Internet provided for instant communication, created borderless markets and made way for globalisation, producing the new phenomenon called the Knowledge Economy.

Internet-based products and services – from mobile to Twitter and home delivery – held sway. The fact that information would be communicated and stored on the Internet produced the problem of securing it against an adversary's attempts to pry into it and against the theft of data for other undesirable purposes.

The first point of clarity about the use of the Internet, however, is that it is a public platform, and the user should therefore be aware that he or she should not say on it what would not be permitted to be spoken from such a platform. Section 66 of the IT Act punishes calls for violence, specific threats to persons or a brazen attack on the nation's sovereignty. The 'public' character of the Internet makes it illogical to expect that information you feed into it will be kept confidential – unless special steps are taken by you as a user, or by the organisation which obtains information from you online, to safeguard it against exposure. A large part of the noise raised about 'privacy' of information loaded on the Internet, therefore, made no sense.

The second fundamental thing about the use of the Internet is that security in any sphere – cyber, industrial or State-related – revolves around the threats to the three assets of a target organisation: material, human resources and protected information. Correspondingly, there are concepts of physical security, personnel security and information security for protection against what is described in professional terms as sabotage, subversion and espionage, respectively.

Taking the issue of 'information security' first – in the context of the Internet – it has to be mentioned that, by definition, espionage is manoeuvring 'unauthorised access to protected information.' If the organisation has not protected its information, it cannot complain of a breach of its security – this protection starts with the 'security classification' of the particular information, in terms of its being labelled as 'restricted,' 'secret' or 'top secret', and the determination of who amongst the employees would have access to it.

Security of information in the 'virtual' layer begins with the techniques of 'access control' to limit entry to authorised users – these include Firewalls, Passwords and Biometric Devices. The security policy has to be formulated with clarity to achieve effective designing and implementation of Firewalls. It is to be noted that multiple encryptions may make the security stronger but it may have a negative influence on efficiency. It is logical that passwords should be stored on record in encrypted form. And finally, Biometrics has to be extensively used for establishing the identity of the legitimate user.

There is a strong physical security side of cyber operations. At the physical layer, which is the data communication interface with the hardware, specific access controls are required. This is the layer that performs the physical transfer of data to the transmission medium. Floppy disks, magnetic tapes, pen-drives, optical disks and any other hard drive back up material should always be kept in safe custody. Printed, unclaimed and sensitive documents must be destroyed by 'shredding.'

The IT Act of India provides detailed guidelines even on a secure site design for a Data Centre or Master Computer. All openings of this Centre should be monitored round-the-clock by surveillance video-cameras. Physical security begins with the installation of a secure perimeter – which is not always a brick-and-mortar structure – and prompt detection of any attempt to intrude into it. One of its objectives is to prevent Sabotage, which by definition is 'the threat of causing unacceptable physical damage to the target organisation.' Data destruction also falls under this description. All strategic sectors of the economy are run on cyber systems whose security is a must for averting a disruptive attack that would impact national stability. Code breaking may be done by the enemy by using brute force, in which an attempt is made to decipher the code by using every possible key combination.

Launching a direct clandestine attack from outside may result in 'denial of service' in which the ports of the target are clogged and the network resource is degraded. Data destruction may be caused by injecting a virus through false messaging. A malicious website may be used to download a virus. Unfortunately, any 'hacking' or unauthorised penetration of the system is detected only after it has succeeded and that is why emergency response to any such event is important for mitigating the damage.

The Personnel Security component of the cyber domain is often underestimated for lack of understanding of the ways in which the threat against it comes into play without getting detected. In all systems having a direct bearing on national security, the threat of Subversion, which by definition is rooted in the enemy's capacity to alter the loyalty of an employee of the target organisation, is accorded high priority. The standards of Personnel Security – which aim at preventing this subversion – are more stringent in the sensitive sectors of national security.

The third basic feature of cyber security relates to a universal finding that nearly half of the breaches there are attributable to an insider. One of the tasks of the security set-up of a sensitive enterprise is to take note of any 'suspicious' conduct of an employee and check on it to determine whether the individual is already working for some outsider.

Further, the practice of the 'need to know' principle is meant to enforce 'restrictive security', by which the employee is given access to only that part of organisational knowledge which is essential for the individual's own performance – this reduces the subversive potential of a compromised member.

It is for this reason that internal Firewalls are also used to protect one area of a company from another in pursuance of 'restrictive security.' In an Intelligence organisation, where the 'need to know' principle is followed in totality, members understand what part of operational knowledge is not to be shared with colleagues. They also know that restrictive security does not operate vertically.

A fourth essential point about cyber security is that its framework rests on certain requisites – legal, operational and managerial – and, as in any other security domain, conforms to the principle that security is an 'integral' concept not given to divisibility of any kind.

Security is a mainstream function as it requires full knowledge of the enterprise and derives its authority from the top man. Training is necessary for all aspects of security and a security-savvy culture has to be established to avert avoidable failures. Finally, the cyber domain is an instrument of development and facilitates the welfare function of the democratic State, but it is also a licence for anti-national forces to indulge in mischief against the latter. Weapons of higher defence, including nuclear missiles, operate on complex cyber security systems that are fail-safe. In what is a new phenomenon, social media – a product of Internet – is already becoming an instrument of combat and 'proxy war.' We live in times where a minimal understanding of cyber security issues is an essential component of the requirement of 'being well-informed' – this is the mandate of the age, for being successful in any sphere of work.

(The writer is a former Director of Intelligence Bureau. Views are personal)
