By Pradeep Gupta, Chairman, CyberMedia Group.
Source: Kevin G. Coleman of the Technolytics Institute
Some Recent Events
- Secure public Wi-Fi networks
- Deploy IP Surveillance in public places
- Increase police to population ratio, which is the lowest in the world
- Increase cyber staff in Indian anti-terror agencies
The Statesman, April 17, 2010
CYBER TERRORISM – ROLE OF PRIVATE SECTOR
BY B. G. GUPTA, Director, SCI Software Pvt. Ltd.
THE WORLD TODAY
Organizations today are becoming more and more dependent on Information Technology to transact business. The vulnerability of organizations (Government, Public or Private sector alike) to Information Warfare (IW) through cyber terrorism has never been greater. The availability of information, its reliability, confidentiality and integrity are most threatened. Information security is a greater boardroom concern for organizations today than ever before.
The world scenario with respect to information security is very gloomy. Consider the following facts from around the world.
- In the past minute there have been approximately 54,000 serious computer attacks reported to hackerwatch.org!
- Five percent of businesses estimate the cost of systems disruption would be over $5 million an hour, and 60% of businesses do not know how much computer attacks cost them. Only 1% of business continuity plans address cyber attacks and only 3% address computer viruses.
- Today an unprotected PC connected to the Internet lasts only a few minutes before it is compromised!
- In a recent study conducted by the Computer Crime Research Center, 90% of respondents detected computer security breaches within the last twelve months.
- Today, 1.9 million IP addresses have been linked to Online Child Exploitation, a $20 billion a year industry.
- US President Barack Obama said on Friday the 29th May 2009 that the U.S. government wasn't as prepared as it should have been against the disruptions caused by hacker attacks.
According to a report compiled by Panda Labs, in 2008, 10 million bot computers were used to distribute spam and malware across the Internet each day. As per the CBI's Conference on International Police Cooperation against Cyber Crime, March 2009, annual take by theft-oriented cyber criminals is estimated to be as high as 100 billion dollars and 97 per cent of these offences go undetected.
Military leaders say the Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems. As many as 1,500 Defense Department computers were taken offline in June 2007 because of a cyber attack, Pentagon officials said. Defense Secretary Robert Gates said the Pentagon sees hundreds of attacks a day.
WHAT IS CYBER TERRORISM
In the wake of the recent computer attacks, many have been quick to jump to the conclusion that a new breed of terrorism is on the rise and our country must defend itself with all possible means. As a society we have vast operational and legal experience and proven techniques to combat terrorism, but are we ready to fight terrorism in the new arena – cyber space?
Cyber terrorism is a controversial term. Some authors choose a very narrow definition, relating to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic. By this narrow definition, it is difficult to identify any instances of cyber terrorism. Cyber terrorism can also be defined much more generally, for example, as “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.” This broad definition was created by Kevin G. Coleman of the Technolytics Institute. The term was coined by Barry C. Collin.
A renowned expert, Dorothy Denning, defined cyber-terrorism as "unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives".
R. Stark from the SMS University defines cyber-terrorism as "any attack against an information function, regardless of the means".
The US State Department defines Cyber Terrorism as: “Premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents, usually intended to influence an audience.”
Whereas, as per the FBI, Cyber terrorism is defined as: “The unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.”
However, according to FEMA (Federal Emergency Management Agency of USA), Cyber terrorism is: “Unlawful attacks and threats of attack against computers, networks, and the information systems stored therein when done to intimidate, or coerce a government or its people in furtherance of political or social objectives.”
The definitions may differ from agency to agency, but the basic reasons terrorists use the Internet for perpetuating terror are rapid communications, low cost, ubiquity, ease of use, sophistication of tools and anonymity.
INDIA AND CYBER TERRORISM
- March 2008: An IP address originating from China intrudes into secured Indian cyber territory. The hackers attacked the ministry of external affairs website, managed by servers located in the national capital.
- India could face cyber terrorism on the scale of the one witnessed in Estonia in 2007. The small Baltic country came to a standstill due to a three-week wave of massive cyber attacks.
- Our banking system, stock trading, communications, airports, railway stations and several other key activities could be paralyzed due to such attacks.
- Circa 2010: The Commonwealth Games are in full swing in New Delhi and the Delhi Metro Rail is running at full capacity. On the third day of the Games, in the midst of the morning rush, the servers of DMRC crash, cutting off power and halting the trains underground in the dark.
CYBER TERRORISM AND CRITICAL INFRASTRUCTURE
Twenty years ago, “infrastructure” was defined primarily with respect to the adequacy of the nation’s public works. In the mid-1990's, however, the growing threat of international terrorism led policy makers to reconsider the definition of “infrastructure” in the context of homeland security.
Critical Infrastructure is the basic facilities, services, and installations needed for the functioning of a community or society, such as transportation and communications systems, water and power lines, and public institutions including schools, post offices, and prisons.
The most popular definition of Critical Infrastructure is the one under the US Patriot Act, which states that critical infrastructure is “Systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The following are the generally accepted critical infrastructure sectors for a society:
- Agriculture
- Food
- Water
- Public Health
- Emergency Services
- Government
- Defense Industrial Base
- Information and Telecommunications
- Energy
- Transportation
- Banking and Finance
- Chemical Industry
- Postal and Shipping
Critical information infrastructure is seen as a likely target for cyber terrorists since it comprises assets, primarily related to national energy requirements and communications, that underlie state survival, and whose ultimate protection is a responsibility of governments whose policies terrorists may aim to influence.
Citizens take critical infrastructure for granted, and businesses do not think proactively about their dependence on it. It is commonly understood that the above-mentioned critical infrastructure is managed by cyber systems and that any breakdown, howsoever small, can lead to chaos, destruction and misery for a large part of the population of any country. However, would-be terrorists are looking for ways to exploit these gaps.
SCADA – Supervisory Control and Data Acquisition
SCADA stands for Supervisory Control and Data Acquisition — any application that gets data about a system in order to control that system is a SCADA application.
A SCADA application has two elements: (1) the process, system or machinery you want to monitor and control, and (2) a network of intelligent devices that interfaces with the first system through sensors and control outputs.
Typically, SCADA systems are used to automate complex industrial processes where human control is impractical — systems where there are more control factors, and more fast-moving control factors, than human beings can comfortably manage. Around the world, SCADA systems control a major part of the Critical Infrastructure such as:
- Electric power generation, transmission and distribution
- Water and sewage
- Buildings, facilities and environments
- Manufacturing
- Mass transit
- Traffic signals
SCADA MAY BE OF SUBSTANTIAL INTEREST TO MAJOR TERRORISTS
SCADA SYSTEMS MAY SUFFER SABOTAGE BY DISGRUNTLED INSIDERS, ACTING INDIVIDUALLY
TOOLS OF CYBER TERRORISM
Distributed Denial of Service attack (DDoS): action(s) by distributed computers that prevent any part of another computer system from functioning in accordance with its intended purpose.
Worm: an independent program that replicates itself from machine to machine across network connections. A worm often congests networks as it spreads.
Trojan horse: a program that appears legitimate but contains hidden code allowing unauthorized collection, exploitation, falsification, or destruction of data on a host computer.
Virus: a program that infects other programs by modifying them to include a copy of itself.
Back Door: a hole in the security of a computer system deliberately left in place by designers or maintainers, or established by maliciously manipulating a computer system (Back Doors allow hackers to re-enter a system at later times).
WILL CYBER TERRORISM INCREASE?
Certainly YES. Cyber Terrorism is carried out by disrupting activities, undermining confidence, and creating fear. It may be the preferred methodology due to:
- Cheaper than traditional terror tactics
- Anonymity
- Diverse targets
- Low risk of detection
- Low risk of personnel injury
- Low investment
- Can affect larger number of people at once
- Operate from nearly any location
- Few resources are needed
IS PRIVATE SECTOR READY?
In India, we have a tendency to expect the Government to do everything, and no private sector company thinks it has an obligation to society to initiate path-breaking policy initiatives.
Governments, of course, can only do so much, because so many of the information systems and networks are owned and operated by the private sector. Accordingly, the cornerstone of the national cyber security strategy has to be an effective partnership with industry...
Unfortunately, NGOs in India do not have the financial resources to take up these initiatives themselves. If some of the leading IT companies come forward to support new policy initiatives, India can establish itself as a global policy mover.
After all, industry is in the best position to identify threats and vulnerabilities, articulate the need for security and protection of assets, and share ideas and best practices for the development of cyber security technologies, policies, and programs.
WHAT IS AT STAKE FOR THE PRIVATE SECTOR
The private sector may not realize it, but there is a lot at stake for it. Given the present conditions in the country, the role played by the government may be limited and the private sector will have to fend for itself. The following are the major reasons why the private sector will have to take the lead:
- Corporate Assets are in Information form and are soft targets for economic destabilization.
- The e-economy is an important part of the economy and is a soft target for proxy wars.
- Banks and other Critical economic activities of the country are in private hands.
- Critical infrastructure projects are in Private hands.
- Companies manage ISPs, MSPs and maintain their own satellite links to Cyber Space.
- Companies manufacture and maintain hardware and software which control the cyber space.
- A large section of employees are cyber savvy, trained as ethical hackers, move in and out of the country freely with their laptops, and have access to cyber assets of the company from within the firewall and from outside.
- Corporates have the skills to assist law enforcement in Cyber Security.
- Cyber Space has no boundaries, either between countries or between the private sector and the public sector.
ROLE OF PRIVATE SECTOR
The degree to which the private and public sectors cooperate to protect critical infrastructure, and how they do so, is important. Most analysts agree on the need for more information sharing between the public and private sectors, but the more debatable issue is how institutionalised or codified this cooperation might be. Given the importance of ensuring that critical infrastructure provides a reliable service, governments have traditionally shared relevant intelligence information about impending threats to such infrastructure with its owners and operators, but on an informal basis.
While government agencies may discuss external threats with infrastructure owners on a need-to-know basis, governments now want to know more about electronic information attacks carried out within the private sector so they can gauge the level and type of potential threats to national security. Threat assessments will benefit from having winnowed out the great majority of incidents that are not directly related to national security.
The private sector, however, has been reluctant to provide such data, in part due to fear of damage to company reputation if the details became known to the public, for example. Given the number of industry and computer security surveys over the past few years that indicate a high level of insider-caused incidents, however, managements would find it difficult to acknowledge the management failures leading to disgruntled employees bent on vengeance or fraud, or poor technical and administrative implementation of IT security policies.
Many companies, including in the financial services sector, write off a considerable amount of the losses from computer incidents whatever the cause, which is cheaper than improving implementation of information security policies.
Following are the ways in which the private sector can contribute towards the prevention of cyber terrorism:
- Focus on Self Security : Information Vs. Physical
- Developing a security culture within the organization: ISO 27001
- Assisting the Government in its security functions
- Contributing to the development of Cyber Security culture in the Country.
- Co-operate with the relevant agencies engaged in Cyber Patrolling.
- Support and Promote Cyber Patrolling Projects of the Government.
- Make “Due Diligence” a voluntary compliance Program for every employee.
- Accord high priority for information security systems.
- Private-Public collaboration holds the key for national security even in cyber space.
PRIVATE SECTOR CAN ALSO CONTRIBUTE BY
The private sector has a lot at stake in preventing cyber terrorism. It can help itself by carrying out the following:
- IT companies should be obligated to notify the Government if they have any evidence that any security vulnerability was exploited by hackers or terrorists.
- There should be strong penalties if any vulnerability was exploited and not reported especially if any personal information was lost or stolen.
- Businesses, IT companies, and ISPs must have strong and sound computer security policies in place.
- Consideration of means to foster multi-skilled IT staff and experts in relation to information security
- Consideration of certification systems for professionals
- Establishment of information sharing, utilization and cooperation systems among IT businesses
- Development of guidelines for the creation of service continuance and restoration plans
- Development of quantitative risk evaluation methods
- Consideration of insurance functions and other means of alleviating damage
- Consideration of legal system problems in terms of information security
WHAT ELSE CAN THE PRIVATE SECTOR DO
There are other activities the private sector can perform which, once carried out, will be of tremendous advantage to everybody in the long run. Some such activities are summarized below:
- Develop definition of responsibilities for software producers and Internet service providers.
- Promote diversity, openness, interoperability, usability and competition as key drivers for security.
- Disseminate good security practices for network operators, service providers and SMEs.
- Promote training programmes for effective implementation of security practices.
- Affordable security certification schemes for products, processes and services.
- Involve insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management
CONCLUSION
We should accept the FACT that vulnerabilities open doors to the unexpected. We should also accept that there is NO separation between the cyber world and the physical world. Terrorism is multifaceted; therefore, traditional definitions must be adapted to the new realities. We sometimes become distracted – the insider threat is real and growing. We should change the way we THINK about future threats… don’t be a security APPEASER.
The information age has brought us many good things, but along with those good things came some bad things too. All we can do as citizens is to protect ourselves by protecting our information, who we give it to and how much we give it out. Our government is trying to do its part, so let’s support them and their efforts and stop this cyber battle.
The present paper has explored what Cyber Terrorism is, how it impacts the nation, what can be done to minimize its bad effects, and who should be involved and in what way. Finally, the paper describes the role that the Private Sector can play.