Cyber-security asymmetries 101: Hacking is easier than defending.
Indian and Pakistani hackers are out defacing websites of each others’ countries. On the second anniversary of the 26/11 attacks in Mumbai, an Indian group calling itself the “Indian Cyber Army” (ICA) carried out an attack on 36 Pakistani websites, including the websites of the Pakistani Navy, the National Accountability Bureau (NAB) and Ministry of Foreign Affairs.
In response, a group called Pakistan Cyber Army (PCA) launched an attack on about 200 Indian websites, including the CBI (littering it with trash-talk that, quite frankly, should embarrass the hackers more than the compromise should embarrass the CBI). The very next day, Indian groups retaliated by hacking Pakistan’s Oil & Gas Regulatory Authority (OGRA) and a Pakistani Army recruitment website.
A review of the list of 200 websites hacked by the PCA reveals that a majority of sites were private small-business websites. Embarrassing perhaps, but of low strategic value. The goal of any large-scale defacement is to hurt the reputation of the victim. If PCA’s victim was the Indian state, then its targets were poorly chosen.
Yes, websites owned by Indians were hit, but they are hardly representative of the Indian state in the same way that the government or the military is. This could indicate that the attack itself was poorly planned and motivated more by a desire to show that Pakistani hackers could retaliate quickly, by hitting out at low-hanging fruit, than an orchestrated attempt to deliver the same quality of response as ICA did on 26/11. By all measures, compromising the website of Khanna Constructions isn’t remotely of the same strategic value as defacing the Pakistani Ministry of Foreign Affairs website.
But the world of cyber-security is faced with certain asymmetries. Hacking is easier than defending. For any government to be able to defend its “universe” of websites requires it to have three things — an appreciation for the challenge it faces, determination to address the challenge, and good counsel on how to address the challenge. If the first two are absent, the third is almost irrelevant.
It is no secret that the first two are almost entirely missing in India. In an apparent response to the hacking of the CBI website, we were given this bit of information from DRDO, via PTI:
Close on the heels of hacking of the CBI website, Defence Research and Development Organisation (DRDO) on Sunday said it was developing a mechanism to make websites hacking-proof. “It is always better to use indigenously developed systems than using others’ designs,” he said. The DRDO chief expressed optimism that its engineers could certainly develop hacking proof devices. [NDTV] (Credit: Parth Bakshi)
That’s just brilliant. Not only do they not know what they are talking about, they also don’t know what hit them nor how to defend against it.
And pray, what is a “hacking-proof” website?
Based on the attack on the CBI website, we know that a vulnerability management program isn’t in place right now. The CBI attack was a standard SQL-injection exploit. Out-of-the-box solutions (some even free) exist today that assess whether websites are susceptible to SQL injection and other attacks. Even a basic vulnerability management program would have detected the existing vulnerability and alerted those responsible for security.
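To make the point concrete, here is an added example (not code from the original post, and not the CBI application itself) showing the defect class behind a "standard SQL-injection exploit" and the kind of check a basic vulnerability scanner performs. It uses Python's bundled sqlite3 with a constructed three-row users table; `lookup_vulnerable` builds its query by string concatenation, `lookup_hardened` uses a parameterised query, and `scan_handler` is a hypothetical minimal scanner that reports when a handler treats input as SQL (extra rows on a tautology probe, or a database error on a lone quote).

```python
import sqlite3

# Constructed sample data for the example; not taken from any real site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the user-supplied value is spliced into the SQL text, so any
    # quote characters in it change the structure of the statement.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Fix: a parameterised query. The driver passes the value separately from
    # the statement, so it can only ever be compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Probe strings of the kind an off-the-shelf scanner sends to its own target.
TAUTOLOGY_PROBE = "' OR '1'='1"
LONE_QUOTE_PROBE = "O'Brien"


def scan_handler(lookup, conn):
    """Hypothetical minimal scanner: run two probes against a lookup handler
    and return a list of findings (empty list means nothing was detected)."""
    findings = []
    # A lookup for a name that does not exist should return no rows at all.
    baseline = lookup(conn, "no-such-user")
    try:
        if len(lookup(conn, TAUTOLOGY_PROBE)) > len(baseline):
            findings.append("tautology probe returned extra rows")
    except sqlite3.Error:
        findings.append("tautology probe raised a database error")
    try:
        # A legitimate name containing an apostrophe must not break the query.
        lookup(conn, LONE_QUOTE_PROBE)
    except sqlite3.Error:
        findings.append("a lone quote raised a database error")
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", scan_handler(lookup_vulnerable, db))
    print("hardened:  ", scan_handler(lookup_hardened, db))
```

Run against the concatenating handler, the scanner reports both findings: the tautology probe returns every row in the table and the apostrophe produces a syntax error. The parameterised handler produces neither, and still finds `alice` normally. Real scanners send many more probe variants and watch timing and response size as well, but the detection logic is the same: the application answered a question it should never have understood.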
That dovetails nicely into my closing question: who owns the security of India’s websites and supporting infrastructure, across the Centre and the States? The answer is no one. And everyone. The blind lead the blind. With that being the case, there really is no reason not to believe that Indian websites will continue to get hit over the coming days and months, just as they have over the past many years. Cyber-security is an uphill battle to begin with. With the current levels of apathy towards and ignorance of such issues prevalent in our government, we should be prepared for nothing less.