A good interview with Dr. Martin Libicki on cyberwar from the 2010 McCain Conference.
Rohan Joshi and your truly have a brief in August 2011 edition of Pragati covering the “weird” compromise of National Security Guards’ website and the downtime of National Investigation Agency’s website.
Defacement of websites is a routine occurrence and usually not a cause of major concern, apart from the embarrassment caused by the negative publicity. However, unauthorised access to the email system is a different matter altogether. Depending upon the practices being followed, this could either have leaked encrypted digital communication between various officials in NSG and beyond, which would be of no practical use to the attacker, or could have revealed unencrypted emails discussing sensitive topics. The details have been sketchy but at least one media report states that the computer system used by an arm major-general had been ‘hacked’ into, as it was discovered that a number of “letters” were sent on the behalf of the general officer.
After the brief was sent off to the editors, the Minister of State for Communications and Information Technology, Sachin Pilot, told the Lok Sabha via a written reply that a total of 117 Government websites were defaced during the period January – June, 2011. With regards to the situation of the NIA’s website the press release goes on to say:
The reply further stated that the information on the website of National Investigation Agency (NIA) is temporarily disabled. Since the website of National Investigation Agency was not hacked, no inquiry in this regard has been conducted.
It has been a month since the website was taken down and it still is in the state of “maintenance“, which begs the question – why just the NIA website? It sure does looks like the site was compromised in some form or the other. Will we ever know the truth about what was compromised? Unlikely!
Michael Hirsh at National Journal has a sober article titled “Here, There Be Dragons” on cyberwar mongering
In truth, cyberskeptics abound. They include many independent analysts as well as some of Panetta’s high-level colleagues in the Obama administration. These skeptics say that much of the alarm stems from a fear of the unknown rather than from concrete evidence of life-and-death threats. It is, they suggest, a 21st-century version of the medieval mapmakers who would mark the boundaries of the known world and then draw mythical beasts on the other side conveying the message: “Here, there be dragons.”
The White House’s own cybersecurity coordinator, Howard Schmidt, pointedly avoids using the term “cyberwar,” saying that most cyberthreats are closer to criminal acts than to military actions. “Words do matter,” Schmidt remarked at a conference in February. “When we start throwing out these things, like we’re in the midst of a cyberwar, or that cyberwar is around the corner, there’s a lot of [those things] that don’t actually apply, so we really have to define what it is that we’re talking about.”
In a recent Takshashila Executive program I made it a point to draw the distinction between cyber events, cyber crime, cyber attacks, cyber war and cyber terrorism. The nature of the audience warranted this, but my belief is that Schmidt is absolutely right that words do matter and that we at large do not overuse the words that have specific meaning and in the process weaken the case against threats that do really exist. James Lewis from CSIS had a similar message in his article Cyber Attacks, Real or Imagined, and Cyber War
Only by adopting an exceptionally elastic definition of cyber attack can we say they are frequent. There have been many annoyances, much crime, and rampant spying, but the only incidents that have caused physical damage or disruption to critical services are the alleged Israeli use of cyber attack to disrupt Syrian air defenses and the Stuxnet attacks against Iran’s nuclear facilities.
Nations are afraid of cyber war and are careful to stay below the threshold of what could be considered under international law the use of force or an act of war. Crime, even if state sponsored, does not justify a military response. Countries do not go to war over espionage. There is intense hostile activity in cyberspace, but it stays below the threshold of attack.
The Department of Information Technology, Government of India issued a discussion draft on National Cyber Security Policy (pdf) on 26th March 2011 and invited comments on it. In our opinion this draft of the national policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. We feel that the document substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security.
However, we have identified some areas of improvement, including scope, ownership, resource allocation and management, technical and non-technical controls, which we present for the government’s consideration. This Takshashila policy advisory document (pdf) provides comments and feedback on the draft.
Feel free to provide your input on the original discussion draft or our response to it, in the comment section below.
Iran says it has been targeted by a second computer virus.
Iran has been targeted by a second computer virus in a “cyber war” waged by its enemies, its commander of civil defense said on Monday. Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called “Stars,” was being investigated by experts.
“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations,” Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.
“The particular characteristics of the Stars virus have been discovered,” Jalali said. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organisations.”
While it is interesting to figure out what “congruous and harmonious with the system” actually means, even more interesting is what kind of mischief someone in this position can conjure up and blame it on “clear and present danger to critical national infrastructure”. Many believe that Iran was successfully targeted by the Stuxnet worm. Given this history, how many would fault Iran if it decides to “hunt down” machines/entities that are helping spread this new virus against it? Will such a strategy be acceptable by the world at large? Would the US or China or for that matter India be able to use similar logic to implement an active defense strategy? How can the international community verify Iran’s claims?
Important question with no clear answers. What do you think?
Secrecy of Cyber Threats Said to Cause Complacency? Oh please! First of all, ignorance or unawareness is not the same as complacency. Furthermore, while the bill concerned, Cyber Security Public Awareness Act, is itself a boon, especially for researchers as well as those who want to hold the government accountable, the central theme of the article‘s rhetoric that the awareness among population is low because the attacks on critical infrastructure and government networks are classified just doesn’t add up. Give the high rate of identity theft,
a lot of which has cyber-related cause and the huge amount of existing press on the matter of cyber attacks (China is the new USSR), it is not the lack of information that is preventing the spread of “awareness” (read hysteria). More likely is a combination of:
- Bigger things to worry about, economy comes to mind
- Cognitive disconnect between report of incident, its impact and relevance to oneself
- Knowledge that recent over-the-top war mongering is a part of an elaborate scheme to get more federal budget
The Internet Corporation for Assigned Names and Numbers (ICANN), the body responsible for the management of the top-level domain name space, recently approved the establishment of the top-level domain (TLD) “.xxx” as a sponsored TLD. The domain is currently intended as a (voluntary) option for pornographic sites. The Indian government, or at least one of its officials, promptly threatened to exercise its censorship scissors by declaring the intention to block access to .xxx domains:
“India along with many other countries from the Middle East and Indonesia opposed the grant of the domain in the first place, and we would proceed to block the whole domain, as it goes against the IT Act and Indian laws,” said a senior official at the ministry of IT. “Though some people have said that segregation is better, and some countries allow it. But for other nations transmission and direct distribution of such content goes against their moral and culture,” he added.
There seems to be nothing official about the statement, other than that it was uttered by “a senior official at the ministry of IT” but it wouldn’t be surprising that this is indeed the stand of the ministry on this matter, especially if precedence is considered.
The Information Technology (Amendment) Act, 2008 that the official mentions, defines the prohibition on “lascivious” and “sexually explicit” in Chapter Paragraphs 67 and 67 A as:
67. Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description fora term which may extend to three years and with fine which may extend to five lakhrupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
67 A Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees andin the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
Not surprisingly, the Act does not define or clarify as to what constitutes transmission and publishing but what is interesting is that paragraph 69 provides the intermediaries (like ISPs) protection from liability (up to an extent) of the content it is carrying. This means that as long as the .xxx domains are hosted outside India, by organisations without a presence in India, there doesn’t seem to be any automatic way for the block to be set in place unless the provisions in paragraph 69 A are exercised by the government:
69A. (1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereigntyand integrity of India, defence of India, security of the State, friendly relations with foreignStates or public order or for preventing incitement to the commission of any cognizableoffence relating to above, it may subject to the provisions of sub-section (2), for reasons tobe recorded in writing, by order, direct any agency of the Government or intermediary toblock for access by the public or cause to be blocked for access by the public any informationgenerated, transmitted, received, stored or hosted in any computer resource.
Given that the most likely interpretation of paragraph 67 does not make it a crime to view (not transmit or publish) pornography online, the stage is set for a good tussle between the government and those who object to the moral policing by the government. Also interesting is the attitude of the government to non-.xxx domains that host pornographic material. The use of .xxx domains is voluntary and it is unlikely that pornographic content will be confined to the sTLD. So far the government has not actively blocked every pornographic content online, so a question that someone wanting to question the .xxx block could ask, is why they are being singled out.
Those who have been following the saga of the .xxx TLD application within ICANN would remember the warning provided by the Governmental Advisory Committee (GAC) of ICANN when they stated in their San Francisco Communique (pdf):
the GAC would like to inform the ICANN Board that an introduction of a .xxx TLD into the root might lead to steps taken by some governments to prohibit access to this TLD. The GAC therefore calls the Board’s attention to concerns expressed by experts that such steps bear a potential risk/threat to the universal resolvability and stability of the DNS.
The GAC must be doing the “We told you so!” dance. Blocking/filtering exists at various scales and at various levels though most do not happen at the DNS level. Given that blocking of the .xxx domain will most likely involve a DNS level block and the history of incorrectly implementing blocks and filters by Indian ISPs, it is not far-fetched to be alarmed that the stability of the DNS is threatened, as pointed out by the GAC. What would of course follow is a cat and mouse game between technically savvy users would try and consider ways to circumvent the block (there are several ways based on how the blockis implemented) and the government/ISPs that tries to prevent “depravation and corruption”.
Interesting times :)
Minister of State for Communications & Information Technology has provided the official version of the impact of Stuxnet on critical infrastructures in India. In a reply to a written question in Rajya Sabha on 11th March, he provided the information that:
Some computer systems in India were also infected by the Stuxnet, but none of the infections have so far been reported in sensitive Industrial systems.
He then goes on to explain the steps being taken to tackle the problem of virus and protection of sensitive installations in the country, which includes the use of alerts and advisories being produced by CERT-In and workshops being conducted by it. With such a mandate one would assume CERT-In is on the top of things at least when it comes to issuing advisories. Not so! They issued the advisory on Stuxnet on July 23rd 2010, long after Virusblokada reported W32.Stuxnet (June 17), Microsoft issued the advisory 2286198 (July 16) and after Siemens report that it is investigating reports that the malware is infecting the SCADA systems (July 19). With such a lag in issuing the advisory, it would be hard to give CERT-In any credit for the reported absence of Stuxnet in “sensitive Industrial systems”.
As usual these official press releases opens up more questions. For one, where exactly were the computer systems that were infected by Stuxnet found? This is second to the more intriguing question – what is with the title of the press release – “Protection of Sensitive Installations from but ‘Free Virus’”?
Egypt has disposed of its dictator, soon after Tunisia handed out similar treatment to its own. The dizzying pace of these developments left many too shocked to comment, even as journalists scrambled to follow and write up the latest news.
A question that is making the rounds is, “Why now?” A part of the answer seems to be — to the surprise of many—social media.
- ConcettaJuicy: Hello. I see that you don't update your website t...
- Raymundo: Just desire to say your atclrie is as surprising. ...
- @srijith: At Vyuha "The “mirror” effect" http://t.co/u...
- @srijith: GoI bars international vendors from National Optic...
- @filter_c: I am reminded of an old blogpost by @srijith on th...
- Cyber Security Policy: [...] NSCS’ cyber Security Policy | VyūhaAn...
- (@srijith) (@srijith): At Vyuha - "Use of private companies in cyber ope...
- Srikanth R. (@_R_Srikanth) (@_R_Srikanth): Informative Q&A on Cyberwar by Dr. Martin Libi...
- Rohan Joshi (@filter_c): Hello, Mr. Sachin Pilot. RT @srijith: Over at Vyū...
- Srijith (@srijith) (@srijith): Over at Vyūha - “Hacked and shamed” and beyon...
- Govt to develop own operating system May 12, 2010
- Why did GhostNet succeed? April 22, 2010
- Hardware security and the Chinese May 17, 2010
- In the Beginning April 20, 2010
- Biomimicry on its “side” March 1, 2011
- Security of Indian Electronic Voting Machines May 3, 2010
- Army does 27001 audit, that should make it secure July 21, 2010
- No .xxx please, we are .gov.in April 5, 2011
- System security and fascination with homegrown solutions February 13, 2011
- Cyberwar makes NPT useless? October 22, 2010