Académique Documents
Professionnel Documents
Culture Documents
S R R Aiyengar
a n d wa r fa
rl re
fo st
e
r
ud
nt
ies
Ce
CLAWS
vi
KNOWLEDGE WORLD
ct
or ion
y through vis
ud
nt
ies
Ce
CLAWS
vi
ct
or ion
y through vis
The Centre for Land Warfare Studies (CLAWS), New Delhi, is an autonomous think tank dealing
with national security and conceptual aspects of land warfare, including conventional and
sub-conventional conflicts and terrorism. CLAWS conducts research that is futuristic in outlook
and policy-oriented in approach.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form or by any means, electronic, mechanical, photocopying, recording
or otherwise, without the prior written permission of the copyright owner.
The views expressed in this paper are those of the author and do not represent the views of the
Centre for Land Warfare Studies.
KNOWLEDGE WORLD
www.kwpub.in
Published in India by
Kalpana Shukla
KW Publishers Pvt Ltd
New Delhi: 4676/21, First Floor, Ansari Road, Daryaganj, New Delhi 110002
Phone: +91.11.23263498 / 43528107
email: mail@kwpub.in / knowledgeworld@vsnl.net
MUMBAI: 15 Jay Kay Industrial Estate, Linking Road Extn., Santacruz (W), Mumbai 400054
Phone: +91.22.26614110 / 26613505
email: mumbai@kwpub.in
3. Threat Characteristics 4
9. Prioritisation of Efforts 17
17. Central and Nodal Referral Agency for Cyber Security in India 26
Appendix
S R R AIYENGAR
1
National Strategy for
In security matters, there is nothing like absolute security. We are only trying
to build comfort levels because security costs money and lack of it costs
much more. Comfort level is a manifestation of efforts as well as realisation
of their effectiveness and limitation*
Introduction
It was science fiction writer William Gibson who coined the term cyberspace
in his short story Burning Chrome. He later popularised the concept in his
debut novel Neuromancer (1984). Unlike most computer terms, cyberspace
does not have a standard, objective definition. Instead, it is used to describe
the entire virtual world of computers. For example, an object in cyberspace
refers to a block of data floating around a computer system or network.1 With
the advent of the internet, cyberspace now extends to the global network
of computers. It is composed of hundreds of thousands of interconnected
computers, servers, routers, switches, and fibre optic cables that allow our
critical infrastructure to work. Thus, the healthy functioning of cyberspace is
essential for our economic and national security.
In the past few years, threats in the domain of cyberspace have risen
dramatically. Securing cyberspace is an extraordinarily difficult strategic
challenge that requires coordinated and focused efforts from the entire
society the central, state and local governments, the private sector,
and the ordinary citizens who use the internet (Netizens). In the current
digital era, where governance as well as business is increasingly being led by
Information Communications Technology (ICT), any discussion on national
*
Indian Computer Emergency Response Team (CERT-In), Department of Information
Technology, Ministry of Communications and Information Technology, Government of
India.
S R R AIYENGAR
The Symantec India 2009 Security and Storage survey revealed that in 3
2008, India registered a sizeable increase in nefarious web activities, with 12
networks, in a way that was not intended and who is not authorised to
access the same.
l Insiders consist of current and former employees, temporary workers,
They have the most resources and may decide to employ cyber weapons
to augment or replace conventional ones.
Over the years, cyber criminals across the globe have organised themselves
into groups. Their level of sophistication has increased from the early days
of the I Love You virus. Hacking for profit has subsumed hacking for fun.
Recent attacks show how dangerous and expensive cyber attacks can be if
carried out in coordination. Common threats include spam, spoofing, phishing,
viruses, worms, Trojans, spyware, repudiation, information disclosure, denial
of service, elevation of privilege, botnets and pirated software. Details of
these threats and their intended effects are listed in the Appendix.3
The above-mentioned threats are only some of the observed threats
known today. Uncertainties exist regarding the intent and full technical
capabilities of several observed attacks. The increasing number of mobile
devices and the growing number of users are targets of unauthorised and
S R R AIYENGAR
potentially harmful software, including worms, viruses, and spyware. As a 5
result, it becomes essential for any organisation to secure and manage these
S R R AIYENGAR
constructive and destructive uses is common to all technologies, the rapid 7
spread of IT makes the resolution of this issue particularly urgent. While
escalating the use of cyber warfare techniques and are actively training
new hackers.
l A coordinated attack on Estonias cyber infrastructure was thought by
College and Fort Hood cost the US Administration $20-30 million each.
l In 2007, reports confirmed that cyber attacks emanating from the
Some of the software used to carry out these attacks indicates that the
strikes were clearly designed and tested with much greater resources than
usually possessed by individual hackers. Traditional protective measures are not
enough to defend against attacks such as those on Estonia, since the complexity
and coordination involved in these botnets are totally new. National networks
S R R AIYENGAR
with less sophisticated monitoring and defence capabilities could face serious 9
threats to their security. There are signs that intelligence agencies around the
and the war in Kosovo (1999), have forced China to take a fresh look at
its defence policies, capabilities and priorities. China has understood that
confrontation with systems is the principal mode of modern battle. A 2007
US Department of Defense (DoD) report to Congress stated that the
Chinese army sees computer network operations as critical to achieving
electromagnetic dominance. The report, which for the most part focuses
on Chinas land, air, sea and space capabilities, also noted that numerous
intrusions into computer systems at the DoD and its contractors emanated
from China. Although it is unclear if these intrusions were conducted by
or with the endorsement of the Peoples Liberation Army (PLA) or other
elements of the Chinese government, the report stated that developing
capabilities for cyber warfare was consistent with authoritative PLA writings
on the subject.
Attacks which appear to come from China have a variety of motives,
including theft of intellectual property, gathering of intelligence, research on
the operations of the US military, and the creation of beachheads inside US
military networks for future use. Its hard to believe its not government-
driven, a Netwarcomm official told Federal Computer Weekly. In its section
on information warfare, the public report covered Chinas development
of electronic counter-measures, its inclusion of offensive cyber attacks in
military exercises and its development of viruses to attack enemy computer
systems. German, British and American government officials have previously
reported that attacks coming from China had targeted government networks.
The German media has accused the Chinese military of sponsoring attacks
targeting the computers of Germanys top officials, while MI 5, the United
Kingdoms intelligence service, warned top corporations to watch out for
Chinese attacks targeting their systems.
While attacks from Chinese servers have garnered the most attention,
security experts still question the ultimate source of the attacks. Most
developed nations have military teams capable of launching offensive cyber
attacks and profit-driven cyber crime continues to be the largest source
of attacks.5 A report released in October by the US-China Economic and
Security Review Commission described an unseen cyber war, in which
S R R AIYENGAR
hackers most of whom appear to reside in China constantly bombard 11
American agencies and defence contractors with malicious software designed
S R R AIYENGAR
infrastructure and, thus, is the infrastructure of infrastructure or what we 13
can call core infrastructure.
troops in the Siachin sector. The reports are also corroborated by the
radio station Vadi Ki Awaz.
l The newly imported AN/TPQ 37 Weapon Locating Radar suddenly
International Airport and the Air Traffic Control tower reports that its
Instrument Landing System is non-functional and its software programme
has been fully compromised. It also warns that theres every possibility of
the mid-air collision of aircraft cleared for landing.
l The Prime Minister comes live on TV and declares a national emergency.
Over the past few months, serious security intrusions have been
reported in the government networks of Germany, the United States, the
United Kingdom, France and New Zealand. India is swallowing the bitter
truth: if the future is digital, then the wars of the future will be virtual.
Since we lack the means to measure the robustness of our infrastructure
systems, it is difficult to know whether our critical infrastructure is becoming
more or less robust as a result of government and private initiatives and
S R R AIYENGAR
new technology. The operational environment in 2010-15 is likely to see 15
an increase in the capability and opportunity of known threat sources.
across India over three years. Called Project Saksham, the plan aims to set up
connected PC kiosks in at least 200,000 villages, using existing phone lines or
VSAT satellite link-ups. These kiosks are to be run by local entrepreneurs.11
VSAT is a commercial service typically used to provide internet access to
remote locations. It can be expensive but offers speeds up to 2 megabits per
second (mbps).
infrastructures.
l Reduce the overall national vulnerability to cyber attacks; and
S R R AIYENGAR
Prioritisation of Efforts 17
There is a need for a synoptic and holistic view of cyberspace. It would be
Preventing an Attack
There are three possible ways to prevent an attack. One is to deter the
attacker by demonstrating the capability to inflict punishment. When the
cost of punishment is less for the defender than the loss that can be caused
S R R AIYENGAR
by the attacker, there will be an incentive to develop ways of discovering 19
attackers. A second way to prevent an attack is by establishing cyber attacks as
Thwarting an Attack
The detailed knowledge needed to thwart an attack would rest primarily with
the owner of the target. There are many ways of defending systems against
cyber attacks, and a certain number of measures must be employed for the
owner to demonstrate due diligence in protecting property rights. These will
include requiring authorisation to enter premises, monitoring and recording
the use of the system to detect unauthorised activities, periodic inspection
of the integrity of critical software and establishing and enforcing policies
governing systems security and responses to unexpected events. There is
considerably more potential to protect systems if the owners cooperate for
their mutual benefit.
A third approach is to build systems with a degree of intrusion tolerance.
These would aim at limiting the effectiveness of single intruders through
architectural approaches such as distributed control, multiple redundant
systems with voting, incorporation of air gaps and automated and manual
monitoring of critical operations. Undertaking cooperative terminal defence
would ensure greater overall effectiveness.
S R R AIYENGAR
be concealed from potential attackers, and the system should be designed 21
to give unsuccessful attackers as little information as possible on which to
Deterring an Attacker
The responsibility for deterring an attacker is shared by the system owner/
individual and the national government. If the owner has installed effective
intrusion-detection software, an intruder is more likely to concede defeat.
Secondary roles are played by the national government and NGOs. The national
governments law enforcement agencies will offer a more effective deterrent
when an attacker has been identified and located. Criminal prosecutions are
often lengthy, costly and time consuming, but, if successful, will have some
impact on deterring potential attackers by showing that the risks outweigh
the gains. If cyberspace could be monitored, it might be possible to spot
preparations for an attack and make a preemptive strike. This idea is akin
to conventional military thinking, where preparations can be defeated and
pre-emptive action taken. The current state of cyber-intelligence and early
warning systems are hardly inspiring but such capabilities could, one day,
Post-attack Reconstitution
This is an area where the system owner has the central role, for only
the owner can establish what is operating and what has been shut down,
what reconstitution alternatives exist and how remedial measures can be
effected operationally. Governments can play an important role in that
they can provide back-up personnel and facilities (if available), assist in the
coordination of emergency responses or provide leadership in drawing up
pre-attack planning for disaster recovery.
S R R AIYENGAR
Improving Defensive Performance Through Lessons Learnt 23
This would also help in the design of future systems. Exploitable flaws in
Regulatory Provisions
Regulation to protect public interest is a universally accepted norm. However,
more recently, the regulation of markets and the imposition of technical
standards have come to be seen as economically inefficient and inhibiting
technical and business innovation. This opinion notwithstanding, there is
still significant regulation over matters concerning public safety in transport,
food, drugs; in assuring equitable access to telecommunication services; in
the protection of financial frauds; and in the protection of the environment.
Regulation in cyber security matters will be equally necessary, because when
disasters occur, the public reaction is usually to ask why the government did
not act sooner and more vigorously. Another possible regulatory role would
be to require independent testing or certification of private terminal defence
and reconstitution efforts. Government regulation can also play a role in
ensuring a minimum quality of service of regulated utilities.
S R R AIYENGAR
telecommunications, manufacturing, retail, professional services, education, 25
entertainment and recreation, business support services and real estate. It
the security posture of their IT systems and enhance their ability to resist
cyber attacks and recover within a reasonable time, if attacks do occur.
l Enabling CERT-In to enhance its capacity and outreach and to achieve
S R R AIYENGAR
from the government, defence, public sector and private sector. CERT-In 27
has an important role to play in the overall cyber security efforts. While the
S R R AIYENGAR
Security Assurance: Actions by Home Users and Small 29
Businesses
security advisories.
l Maintaining reasonable and trustworthy access control to prevent abuse
of computer resources.
S R R AIYENGAR
On empirical grounds, one can say that the response to the cyber security 31
challenge is developing along multi-organisational lines, and it appears that this
means to improve general welfare around the world. But the broad reach
of the loose and lightly regulated digital infrastructure poses great risks to
nations, private enterprises and individuals. The Government of India has the
responsibility of addressing these strategic vulnerabilities, to ensure that the
country and its citizens, together with the larger community of nations, can
realise the full potential of the information technology revolution.
Indias efforts towards the formulation of a National Cyber Security
Strategy are not, so far, distinctly visible. With the enactment of ITA 2008,
CERT-In has been provided with some teeth, in that it now has a statutory
role to play. While the rules for such roles are being worked out, there is
a fair amount of apprehension about some of the operating sections of the
revised ITA 2008, especially those related to the protection of civil rights,
rights to privacy and protection of propriety data.
Cyber security and personal privacy need not be opposing goals.
Cyberspace security programmes must strengthen, not weaken, such
protections. CERT-In must continue to meet regularly with privacy advocates
to discuss cyber security and the implementation of ITA 2008.
In December 2009, Chinese hackers are believed to have attempted
to penetrate Indias most sensitive government offices, in the latest sign of
rising tensions between the two rival Asian powers. M K Narayanan, Indias
former National Security Adviser, has stated that his office and other
government departments were targeted on 15 December, the same date
that several US companies reported cyber attacks from China. This was
not the first instance of an attempt to hack into our computers, Narayanan
told The Times. He said that the attack came in the form of an e-mail with
a PDF attachment containing a Trojan, which allowed the hacker to access
a computer remotely and download or delete files. The virus was detected
and officials were told not to log on until it was eliminated. It is difficult to
find the exact source of the virus but China seems to be the main suspect.
It seems well founded, Narayanan said, adding that India was cooperating
with America and Britain to bolster its cyber defences.18 But both American
and Indian officials believe that China is, at best, an internet mischief maker
and, at worst, a potential cyber-adversary. US officials hope that tighter ties
S R R AIYENGAR
with India on internet security issues can help make the networks of both 33
countries stronger.19
Pirated Software: Counterfeit software is illegal and often contains bugs and
viruses. Legitimate software provides up-to-date protection against hackers
and e-mail viruses as well as providing improved system recovery tools.
S R R AIYENGAR
Spoofing: There are two main types of spoofing IP spoofing and e-mail
spoofing. IP spoofing is largely a security exploit. Here the intruder sends data 35
packets that display an IP address different from that of the intruder. Thus, if
Notes
1. Cyberspace, http://www.techterms.com/definition/cyberspace, accessed on 10 February
2010
2. Deepa Kurup, Web Security Compromised, The Hindu, 07 June 2009.
3. Donald D Codling, Cyber Threats in the 21st Century, FBI Cyber Division, 26 January
2010, www.meeting.afrinic.net/afgwg/presentations/day2/01_02_drccyberthreats.pdf,
accessed on 10 February 2010.
4. Bruce Hoffman, The Use of the Internet by Islamic Extremists, Testimony presented to
the House Permanent Select Committee on Intelligence, 04 May 2006, http://www.rand.
S R R AIYENGAR