Cyber Porposal

Full Terms & Conditions of access and use can be found at https://www.tandfonline.com/action/journalInformation?journalCode=rsan20

Strategic Analysis

ISSN: 0970-0161 (Print) 1754-0054 (Online) Journal homepage: https://www.tandfonline.com/loi/rsan20

Cyber: Also a Domain of War and Terror

Suryakanthi Tripathi

To cite this article: Suryakanthi Tripathi (2015) Cyber: Also a Domain of War and Terror, Strategic Analysis, 39:1, 1-8, DOI: 10.1080/09700161.2014.980549

To link to this article: https://doi.org/10.1080/09700161.2014.980549

Published online: 14 Jan 2015.

Submit your article to this journal

Article views: 2533

View related articles

View Crossmark data

Commentary

Cyber: Also a Domain of War and Terror

Suryakanthi Tripathi

India, the IT nation, did not make a news splash at CyberTech 2014. That is worth apassing thought. Because cyber is the fifth and new domain of warfare, after land, sea, air and space.

CyberTech 2014 took place in Tel Aviv in January, and displayed Israel’s prowess in cyber-defence. Israel’s National Cyber Bureau, which played a major role in organising the event, defines its goals as drawing up cyber-defence policies, deve- loping cybersecurity legislation and turning Israel into a global cyber incubator. The Israelis say that as hackers keep getting more sophisticated, the brightest digital security minds from around the world will need to come together. And CyberTech 2014 did do that, bringing together some 500 heads of industry, representatives of cybersecurity agencies from across the world, as well as a large US delegation from the White House and their Department of Homeland Security. Many agreed that Israel’s experience in foiling thousands of cyber-attacks each day and the quality of their cyber start-ups could be very lucrative for business within and outside its borders.

According to a 2013 UN document,1 by the year 2017, mobile broadband subscriptions will cover 70 per cent of the world’s total population. By 2020, the number of networked devices (the ‘internet of things’) is expected to outnumber people by six to one, transforming current conceptions of the internet. In this hyper- connected world, the document says, it will become hard to imagine any crime not linked with cyber-connectivity.

It is said that roughly 80 per cent of cybercrime acts originate not as individual but as some form of organised activity, which, in its diversification, keeps attracting new actors, including those with relatively modest skills.2 Cybercrime is now a business opportunity, driven by profit and personal gain. McAfee, the computer security soft- ware firm, estimates that cybercrime now costs the global economy about $500 billion annually. Even so, cybercrime is still in its infancy and, according to an expert in the European Cybercrime Centre, ‘You ain’t seen nothing yet’.3

The data breach of the US retailer giant Target, in which around 80 million customer accounts were compromised during the 2013 holiday season, was a harsh warning. Estimates suggest that the cost to Target and its shareholders may exceed $1 billion.4 It has generated fears of cyber-fatality, something that could happen when

Suryakanthi Tripathi is a former diplomat and her last posting was as India’s ambassador to Spain. She is the Managing Trustee of India Foundation, a non-political trust that is engaged in social and cultural activities.

Strategic Analysis, 2015 Vol. 39, No. 1, 1–8, http://dx.doi.org/10.1080/09700161.2014.980549

© 2015 Institute for Defence Studies and Analyses

a security breach is so extensive and damaging that the company simply cannot recover from it.

After the attack on Target, at the end of February 2014 the cybersecurity firm Hold Security LLC announced that it had discovered the data of some 360 million account credentials that were available for sale on a cyber black market site. It is being called the largest single data breach ever and, of the total account credentials, 105 million seem to have come from a single attack. Apparently, hackers only have to install malware on point-of-sale devices, and then the credit and debit card details come streaming in.

Understandably, cybersecurity companies and stock valuations are on the rise. As cybersecurity no longer remains just a matter of corporate choice, its budgets are escalating. Forecasts indicate that the global cybersecurity market will increase from $80 billion at present to over $140 billion by 2017. Entrepreneurs rake in profits in addressing these risks, although building effective security strategies does need a high level of expertise and funds. According to the research firm CB Insights, venture capitalists are investing record highs in cybersecurity companies, from mobile-app security platforms to online authentication infrastructures.

A further incentive is that cybersecurity start-ups generally exit rather quickly, either through acquisition or an Initial Public Offering (IPO) and, according to some reports, with some tenfold return on investment.6 FireEye’s IPO, for example, in September 2013 raised about $304 million, and just five months later had a market cap of $10 billion, highlighting the booming real-time virtual security sector. Although its stock dropped thereafter, the increased demand for the highest quality cybersecurity software continues. It is said that FireEye operates a network of more than two million virtual machine-based security platforms, which constantly evolve to identify advanced threats that might have gone unnoticed by older technologies. In 2014, FireEye also acquired Mandiant whose core business is forensic cybersecurity and is said to be best known for unveiling a Chinese set-up believed to have been behind a series of hacking attacks in the US. Other deals include Cisco’s $2.7 billion purchase of network security firm Sourcefire, and IBM’s purchase of Trusteer, an Israeli start-up, for $800 million. Even Google has been active in acquiring cyberse- curity start-ups.

RSA, a well-known US electronic security company, presents a scenario in which cybercrime will continue to improve its techniques—hacktivism will target enterprises and cyber-criminals will leverage Big Data principles to improve effectiveness.

Mr. Preet Bharara, familiar to many in India thanks to the India–US discomfiture over the wage tangle of an Indian diplomat and her domestic help, had this to say about cybercrime: ‘As the United States attorney in Manhattan, I have come to worry about few things as much as the gathering cyber threat’.7

The cybersecurity world is currently divided into two types of companies. There are the established companies such as Kaspersky, Checkpoint or Symantec, who provide solutions for individual users as well as enterprises. Next are the recent breed of start-ups that develop cyber-defence strategies, adopting quicker heuristic approaches or crowd-sourcing to solicit ideas from a larger online community.

The American response

According to President Obama, the economic prosperity of the USA, its national security and individual liberties depend on them securing cyberspace. Only then

2 Suryakanthi Tripathi

would the internet also remain an engine for economic growth and a platform for the free exchange of ideas.

Calling cyberspace a ‘new domain of warfare’ in 2011, the US Department of Defense has set up the US Cyber Command, apart from cyber commands for its army, air forces and ocean fleet, for ‘defending US and allied interests in cyberspace’, and ‘working together to make that inherently collaborative, adaptable environment … for military command and control’.8 Cyber Command has been called the newest global combatant and its sole mission is cyberspace, outside the traditional battlefields of land, sea, air and space.

The US Congress, for its part, has under consideration the National Cybersecurity and Critical Infrastructure Protection Act that will amend the 2002 Homeland Security Act. It would require the Department of Homeland Security to conduct cybersecurity activities on behalf of the federal government and would also codify the role of the department in preventing and responding to cybersecurity incidents involving federal civilian agencies and critical infrastructure in the United States. Since 95 per cent of the American cyber infrastructure is reportedly private sector owned and operated, the bill aims to establish a threat information-sharing partnership between Homeland Security and the private sector.

Hacker attacks against JPMorgan Chase and nine other US financial institutions in recent months have caused alarm and the US administration is seeking to enhance the legal authority of the Department of Homeland Security to fight cyber-terrorists. JPMorgan is also now set to double its $250 million annual computer security budget. This is expected to improve firewall protection, internal protection, vendor protection and everything that links to a client or customer. In August 2014, the giant company disclosed that it had been attacked by hackers, and subsequently announced that the contact information of 76 million households and seven million small businesses had been exposed. The reassurance, however, was that despite the hacking having gone unnoticed for about two months, there was no evidence that financial information, such as passwords, dates of birth, social security numbers or account numbers, had been compromised.

After the vulnerability of the most heavily fortified American financial institutions had been laid bare, the FBI is reported to have initiated a criminal inquiry into these attacks. But what appears worrisome to the American authorities is the scale of the attack, combined with the lack of clarity about the hackers’ identity or motives. According to industry experts, despite huge sums invested in detection technologies, it is becoming very difficult to trace an attack to its source and, hence, it will be almost impossible to deter one.9

The Obama administration has been working to address the weakness of pass- words via the National Strategy for Trusted Identities in Cyberspace. The White House cybersecurity coordinator, Michael Daniel, at a recent news event said that he would like to kill the password dead since it could no longer ensure security. Using a password to access a bank account or mobile phone would soon be a thing of the past, according to him.10 Instead, he recommended the use of biometric security measures to access computers and smartphones or facial recognition security through the device’s camera. Even a selfie could be a security measure instead of just being used for posting on Facebook. The idea was multifactor authentication to make hacking that much more difficult.

On the other hand, this also has to be seen in the context of the current friction between the US Justice Department and a company like Apple, which has introduced

Strategic Analysis 3

new privacy features for its iPhones and iPads. Features like fingerprint scanners on phones are becoming popular because consumers believe they will also be better protected from the government intruding on their private data. The FBI is consider- ably upset with these tech companies for ‘marketing something expressly to allow people to place themselves beyond the law’.11

US cyber resilience policy also includes their voluntary Cybersecurity Framework, announced in February 2014, for providers in 16 critical infrastructure sectors. First introduced in the US president’s 2013 State of the Union address as a key deliverable, it has been developed by companies, federal agencies and international contributors working together, and is a reference guide for the private sector and government to jointly face a shared challenge. It comprises a set of cybersecurity activities that cover identifying, protecting, detecting, responding to and recovering from cyber intrusions, and also provides for an organisation that will gauge its cyber effectiveness, weak- nesses and strengths included.

China awakens

China has the largest number of internet users—more than 600 million—and was once listed as the second most cyber-targeted nation. Chinese leaders accept that their IT abilities are lagging and want to transform China into a cyber power. President Xi Jinping, in his first year in office, began presiding over a new group on cyber and information security. Its mandate is to draft strategies for protecting national secrets and developing digital defences, viewing it as a most pressing strategic concern.

The Obama administration asserts that there are cyber-attacks by Chinese hackers on Americans and American companies doing business in China, some of them possibly even state-sponsored. Beijing, in its turn, says that it is a frequent victim of attacks of American origin. Talks between the two countries over cyber-attacks and national security leaks have become complicated after revelations that the US National Security Agency has been spying around the world, even on American allies.

Israel’s innovation

Israel has invested heavily in cybersecurity and supplies—over 10 per cent of global IT security products, significantly disproportionate to its size. This is also impressive because of the export restrictions that their businesses have to contend with. Hoping to consolidate its position as a world leader, Israel depends on a cutting-edge talent pool capable of rapid innovation. Israel has also created a new cyber-defence author- ity to defend Israel’s civilian networks and help bridge the public–private cyber divide.

At the World Economic Forum in January 2014 in Davos, Switzerland, Israeli Prime Minister Netanyahu, before addressing international issues, talked of his nation’s high-tech abilities and its intention to become one of the top three countries in cybersecurity. On the heels of Davos, at CyberTech 2014, he said: ‘Foreign countries want three things—Israeli technology, Israeli technology and Israeli tech- nology’. He also called on tech giants and Western powers to band together to protect the world from cyber-attacks, promising to relax export restrictions on Israeli security- related technologies.12

This may be a little problematic since tech companies and intelligence agencies would be loath to trade secrets with each other or reveal their own vulnerabilities.

4 Suryakanthi Tripathi

While Israel is currently formulating export regulations, some Israelis see a security compromise in allowing cyber companies, mostly formed by graduates of their own stealth security units, to export advanced technologies that could then be turned against Israel itself. There are concerns about safeguarding their technology advan- tages and limiting the access of potential hackers to their cybersecurity research and solutions. Israeli intelligence is also guarded as it does not want to help its enemies better protect their own systems by using Israeli skills. However, in cyberspace it is difficult to wall up technology, since it eventually finds its way to the marketplace.

According to experts, Israel faces roughly 100,000 cyber threats a day, and was the victim of an average of 1.5 serious cyber-attacks an hour in 2013. These attacks, they claim, have been turned into a source of strength as Israel was pressurised into advancing its technology and knowledge. It is now being called the nation of cybersecurity start-ups, with these start-ups getting tax incentives through their National Cyber Bureau.13 US companies Lockheed Martin and RSA Security announced that they would invest in Israel’s national cyber complex in Beersheba, joining the likes of Deutsche Telekom and IBM. The market, in fact, is dominated by smaller enterprises, demonstrating that technology ‘giants’ generally do not have the security solutions that Israeli start-ups are offering. Israel is said to have the largest number of high-tech start-ups globally in absolute terms after the US.

Israel’s state-of-the-art ‘Cyber Gym’ was opened in February 2014 by the Israel Electric Company (IEC) to train its employees to defend against cyber-attacks. IEC, which alone receives around 10,000 attacks per hour according to its CEO, claims that it has the unique capabilities to train other companies from around the world against system hacking.14 Training consists of real-time defence by students against attacks by live instructor-hacks.

India alert

It was the NSA leaks that revealed that American agencies were also spying on Indians and that India had no legal or technical safeguards in this matter. This prompted the Government of India to announce its first National Cyber Security Policy in July 2013. The policy was expected to help build a secure and resilient cyberspace for citizens, businesses and the government, namely a cyberspace in which all stakeholders within the country as well as the global community had confidence.

The challenge of a cyber policy lies also in its operationalisation and implementa- tion. Critical infrastructure such as defence systems, power infrastructure, nuclear plants and telecom networks need to be protected. As far as India is concerned, the training of 500,000 cybersecurity professionals in the next five years is considered key, as is the verification of IT products and services used by government departments and enterprises. The last measure was apparently inspired by the NSA leaks that indicated that US agencies had used technology companies to enhance their ability to spy on foreigners.

After launching the policy, the concerned minister of state at that time, Shri Milind Deora, tweeted: ‘Unveiled India’s First Cyber Security Policy to safeguard individual privacy, corporate data and sovereign virtual assets’.15 There were reactions to this policy, but few over the moon, the ministerial tweet notwithstanding. And there were many questions. Is India’s cyber policy all words and no action? Where is the implementation plan? Where are the details—where are the hows and whos? Where are the manpower and tech resources? How will the policy make its way through

Strategic Analysis 5

academia and industry? Have we also announced a policy just because the world has one?

Even so, it is better to start with a policy than have none at all. India’s online vulnerability is said to be immense but is not even remotely

quantified as there is no central body for reporting cybercrime. For example, an estimated 16.6 million Americans were defrauded in 2012. What is the figure for India? We will never know unless there is some mechanism to gauge the volume, variety and innovation of cybercrimes.

The EC Council outlined its view about India in its report, published in two parts over 2013–2014, entitled ‘Talent Crisis in Indian Information Security’.16 It revealed worrisome gaps in India’s IT security, which could impact handling cyber threats in banking, defence, information, energy and so on, and also highlighted that India’s vulnerability lay in the shortage of talent.

The EC Council, with almost 100 countries as members, is a top certification body for information security professionals, and the owner/creator of the famous Certified Ethical Hacker (CEH) and similar programmes. They say India is poorly equipped to handle cyber intrusions owing to a ‘serious shortage’ of skilled professionals. In nine crucial segments of information security, such as application architecture, code review and cryptography, Indian talent is said to be alarmingly low. Only 0.97 per cent of Indian IT students reportedly have basic skills in information security, and only 13 per cent have an understanding of concepts necessary for being trained. Setting an earlier target even than the government’s, the EC suggested that India needed 500,000 cyber professionals by 2015, but that less than one per cent of future IT professionals were being trained in this field. The scenario is said to be bleak, and could impact the future operations of India’s government, businesses and individuals.17

At a New Delhi roundtable in February 2014, Sanjay Bavisi, president of the EC Council, summarised the situation as follows: India is the software capital of the world. However, the risks posed by vulnerabilities and information security threats to the nation’s IT infrastructure across industries are disheartening. In an ever evolving cybersecurity landscape, we need to respond to sophisticated threats immediately and this, in turn, requires a trained talent pipeline. He thereafter told Press Trust of India (PTI) that India’s response to cyber-terrorism was disjointed, with no central cyber command and a non-existent cybersecurity training programme.18

Let us take an example. How well protected is the biometric ‘Big Data’ collected by the Unique Identification Authority of India (UADAI) for the issue of unique identification numbers? Do we have clear-cut answers? On the UIDAI website (www.uidai.gov.in) are pages relating to its mandate, vision, core values, technology development and so on, but, as far as one can see, nothing much is mentioned about information security. In any case, this project was taken up before the National Cyber Security Policy was announced. Is this data then accessible to cyber-smart hacker groups or agencies in different countries? How valid is this Big Data since its collection itself is said to have been poorly monitored? How is this data’s security kept constantly upgraded against theft or sabotage, given the relentless advances in hacking techni- ques? What are the ramifications for national security if the system is compromised?

With the threat landscape changed, cybersecurity is no longer just an IT issue, but a strategic business issue needing a cross-functional team. According to Deloitte, banks and financial services companies adopt innovations for growth and cost optimisation that, in turn, introduce new vulnerabilities and complexities in their technology ecosystem.19 Cybersecurity thus needs to be integrated in the decision-

6 Suryakanthi Tripathi

making process, even if it alters the very decision itself. The mainstream adoption of cloud computing, ‘internet of things’ and Bring Your Own Device (BYOD) is expected to increase attacker opportunities.

Mobile phone use in India presents specific challenges. Large businesses in India —primarily banks that promote mobile transactions as being critical to growth—do seem to be gearing up. Corporate networks have to handle sophisticated, targeted and advanced persistent threats (APTs) against data security. A challenging task is to manage the vast range of mobile operating systems and platforms that amplifies overall security exposure. The use of unsecured internet connections on mobile devices can corrupt the end point, which could then threaten the whole network. Banks, nudged by the Reserve Bank of India (RBI), are being compelled to revisit their architecture and security mechanisms. Some banks, for example, adopt two- factor authentication of image and phrase, as well as an SSL protocol, an encrypted link between server and client. As with internet banking, mobile transactions also go through different levels of security checks before a transaction can be completed. Companies are also introducing their own apps that offer customers greater flexibility and functionality through an outside-in approach while also bettering the security of transactions.

During the Ukraine crisis in 2014, just before the Crimean referendum, NATO websites were hit in cyber-attacks, reflecting the region’s territorial tensions in cyber- space. While the alliance said that none of its essential systems had been compro- mised, it was reported that the main NATO website and the NATO-affiliated cybersecurity centre in Estonia were affected by the so-called ‘distributed denial of service’ (DDoS) attack, in which hackers bombard websites causing them to slow down or crash. The attack was claimed by a group calling itself ‘cyber berkut’, who said it was the retaliation of those Ukrainians angered by what they saw as NATO interference in their country.20

There are obvious military risks to computer and communications systems. There is also the vulnerability of critical civilian infrastructures to cyber-sabotage. Attacks could be from nation-states or non-state actors.

Many future battles will shift to cyberspace. Cyber-terrorism, whose definition continues to be debated, is essentially an internet-based terrorist attack causing large- scale disruption of computer networks. Eugene Kaspersky, founder of Kaspersky Lab, feels that ‘cyber-terrorism’ is a more accurate term than ‘cyberwar’, because in today’s attacks, one is clueless about who did it or when they might strike again. He equated large-scale cyber weapons, such as the Flame Virus and NetTraveler Virus, with biological weapons, for they could be just as destructive in an intercon- nected world.21

Cybercrime could make traffic lights freeze, garble aircraft communications, paralyse banks, erase satellite data and splinter military command-and-control sys- tems. The EC Council has a slogan: ‘Hackers are here. Where are you?’ That should trigger a nation to frequently ask itself, ‘Where are we?’

Where are we, India?

Notes 1. United Nations Office on Drugs and Crime, Vienna, ‘Comprehensive Study on Cybercrime -

Draft’, February 2013. 2. Pierluigi Paganini, ‘The Impact of Cybercrime’, InfoSec Institute, Illinois, February 2013.

Strategic Analysis 7

3. Holly Ellyatt, ‘The Threat from Cybercrime’, CNBC Report, 13 August 2013, at http://www. cnbc.com/id/100959481# (Accessed December 2, 2014).

4. John Vomhof Jr, ‘Target’s data breach fraud cost could top $1 billion’, Charlotte Business Journal, Feb 3, 2014.

5. PM lauds Israeli prowess at Cybertech 2014 Opening, The Times of Israel, January 27, 2014, at http://www.timesofisrael.com/pm-lauds-israeli-prowess-at-cybertech-2014-opening/ (Accessed December 2, 2014).

6. Bob Ackerman Jr., ‘Stealing the Show: Cybersecurity Stock Valuations on the Rise’, Special to CNBC.com, March 9, 2014.

7. Preet Bharara, ‘Asleep at the Laptop’, Op-Ed, The New York Times, June 3, 2012 at http:// www.nytimes.com/2012/06/04/opinion/preventing-a-cybercrime-wave.html?_r=1& (Accessed December 2, 2014).

8. The Cyber Domain - Security and Operations, Special Report, US Department of Defense. 9. Michael Corkery, Jessica Silver-Greenberg and David E. Sanger, ‘Obama Had Security Fears

on JPMorgan Data Breach’, The New York Times, October 8, 2014, at http://dealbook. nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall- street/?_php=true&_type=blogs&emc=edit_na_20141008&nlid=55349507&_r=0 (Accessed December 2, 2014).

10. Guy Taylor, ‘Obama’s cybersecurity adviser: Biometrics will replace passwords for safety’s sake’, The Washington Times, October 9, 2014, at http://www.washingtontimes.com/news/2014/ oct/9/obamas-cybersecurity-adviser-biometrics-will-repla/ (Accessed December 2, 2014).

11. Craig Timberg and Greg Miller, ‘FBI blasts Apple, Google for locking police out of phones’, The Washington Post, September 25, 2014, at http://www.washingtonpost.com/business/techno logy/2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_story.html (Accessed December 2, 2014).

12. Joe Barnes, ‘Israel utilises its cyber security expertise’, The Financial Times, February 24, 2014, at http://www.ft.com/intl/cms/s/0/8b6e572c-97e7-11e3-8dc3-00144feab7de.html#axzz3 KXXT0Je6 (Accessed December 2, 2014).

13. Ari Yashar, ‘Israel’s New “Cyber Gym” Trains Cyber-Warfare’, December 2, 2013, at http:// www.israelnationalnews.com/News/News.aspx/174712#.VHre6jSUd3E (Accessed December 2, 2014).

14. Ibid. 15. https://twitter.com/milinddeora/status/351946198816526336 (Accessed December 2, 2014). 16. EC- Council Foundation, ‘The Talent Crisis in InfoSec - An Outlook of the Future of the

Indian Information Security Scenario.’ 17. Ibid. 18. PTI, ‘India not prepared to handle cyber terrorism threat: EC Council’, Economic Times, February

19, 2014, at http://articles.economictimes.indiatimes.com/2014-02-19/news/47489884_1_cyber- ddos-participants (Accessed December 2, 2014).

19. Jim Eckenrode, ‘Transforming cybersecurity: New approaches for an evolving threat land- scape’, Deloitte Center for Financial Services, 2014.

20. Adrian Croft and Peter Apps, ‘NATO websites hit in cyber attack linked to Crimea tension’, Reuters, Mar 16, 2014, at http://www.reuters.com/article/2014/03/16/us-ukraine-nato- idUSBREA2E0T320140316 (Accessed December 2, 2014).

21. David Shamah, ‘Latest viruses could mean “end of world as we know it,” says man who discovered Flame’, The Times of Israel, June 6, 2012, at http://www.timesofisrael.com/ experts-we-lost-the-cyber-war-now-were-in-the-era-of-cyber-terror/#ixzz3KQV7Alyw (Accessed December 2, 2014).

8 Suryakanthi Tripathi