The importance of prompt governmental action on cybersecurity threats.
In Part-II of The Weakest Link, Srikanth R., Senior Research Associate for Cyber Security Studies, writes about how India and other countries have reacted and should continue to act to counter cybersecurity threats (also read Part I).
While the attack on RSA was in progress, a slew of attacks on companies and governments all over the world were taking place. These attacks were credited to anonymous groups of people who are not necessarily hackers, but with sufficient skills to detect sites running older versions of software with publicly known exploits. These attacks compromised the data stored in websites that were not up to date with patches to fix known security holes. Unlike zero day attacks that require sufficient technical competence, these attacks were the result of exploiting well-known weaknesses of website software, and did not require much technical competence.
Such attacks have already resulted in the publication of private databases of various web sites all over the world, including NIC in India, indicating that organizations in India will also be potential targets for such groups. In fact, Such organizations need to secure their networks by applying patches for all known security holes, i.e., not zero day.
These events point to an urgent need for organizations/companies specializing in cybersecurity services in India that can provide services such as penetration testing, website audits, and IT security audits for a fee. Such organizations can also be valuable in bringing best practices to all people in an organization — a chain is only as strong as the weakest link, and this is especially true of implementing secure processes and practices in any organization.
All of the above events raise obvious questions about the current status of the security of the corporate and government networks that may be considered high value targets to adversarial state and non-state actors. In considering these targets, it helps to be realistic about the actual importance of a target, and not “official importance”.
Taking down a government agency’s website is an annoyance but it does not actually affect the daily activity of Indians in real terms. The value of disrupting the networks and functioning of an organization increases as the use of technology in governance increases, as it directly affects citizens using such governance schemes. In particular, schemes such as Aadhaar will soon be a high value target as it becomes more central to the functioning of large numbers of organizations, governmental and corporate, as their own services become dependent on the Aadhaar networks functioning as designed.
It would be beneficial to have an independent organization that is in charge of testing and fixing the security of such flagship schemes that hold private information of a growing number of citizens. On this note, it should be noted that data security must be viewed in a comprehensive manner, which in this case would mean security of all paper copies of data collected from the citizenry to be entered into the Aadhaar databases.
Citizens groups need to question the government on whether all the data collected for the UID databases are destroyed once in the Aadhar databases, and if not, demand information on the safeguards taken by the Indian Government to protect this data from being abused in the future. Failing such assurances from the government, citizens must resist any moves to make UID mandatory for all citizens.
The other key infrastructure that will be target to hackers will be telephone networks that are tied to internet data networks. The most obvious way to place the entire network at risk is to run the network using products from foreign corporations without access to the exact source code that run on the hardware on the network and the hardware design of the chips used. Such backdoors can be built into the hardware too.
If an entire network of machines is built from such hardware, a literal flick of the switch can shut down the network when it is most needed. The recent announcement by Reliance Industries to build their company cellular networks based completely on Huawei products is very alarming, because there is no indication that Huawei has parted with the source code for the networks to Reliance.
Short of Reliance building and installing Huawei Source code on their products, there is no way to ensure that Huawei has not installed hardware or software Trojans in the systems sold to Reliance. Operating any hardware/software without the source code in sensitive domains that will be targets to enemy hackers is an exercise in extremely poor judgement.
Summarily, physical security of a State and its cyber security are both complementary aspects of overall National Security. Organizations that provide crucial services to important entities or the public at large must take immediate steps to secure internal processes and procedures of all their employees that have access to their networks.
Furthermore, Indian organizations must eschew incorporating proprietary, i.e., non open source, hardware and software platforms from competitor states such as China, unless they acquire complete knowledge of what hardware and software is being deployed to build public infrastructure. Instead of creating myriad new governmental organizations that do little to improve the security of the nation’s networks, the Indian Government would do well to provide incentives for private businesses that provide critical services and information in securing corporate and governmental networks.