
Big Brother India?

Why the Central Monitoring System (CMS) is not India’s PRISM.

Read almost any article on India’s soon-to-be-implemented Central Monitoring System (CMS), and you’ll see references and attempts to draw parallels between the CMS and the (until recently) secret U.S. surveillance and data-collection program, PRISM.  Some articles have drawn comparisons between the two programs in an attempt to amplify threat perceptions, while other comparisons, curiously, seem to have been drawn with a sense of national pride.

Except the CMS is not India’s PRISM.  The only similarity between the two programs appears to be the objective — an apparent attempt to implement a program for the legal interception of data.  But that’s where all comparisons should end.  Both programs differ on general approach, operate under very different legal environments, and are dissimilar in terms of checks-and-balances and technical capabilities.

Interestingly, while the Indian government publicly announced its intention to establish a program for the legal interception of citizens’ data, it did not put into place any of the checks-and-balances needed (that we know of, anyway) for such an intrusive program.  Electronic data under the CMS, for example, can be legally intercepted by dozens of government agencies without the knowledge or cooperation of telecommunications and Internet service providers.  Indian citizens know little else about the program, apart from the fact that it apparently exists.

On the other hand, although the establishment of PRISM was a much more clandestine affair, the U.S. put into place mechanisms to regulate surveillance and circumscribed Executive authority.  Surveillance without the acquiescence of service providers was made difficult.  Only the U.S. Attorney General and the Director of National Intelligence could authorize surveillance through a formal order obtained through a Foreign Intelligence Surveillance Act (FISA) court; service providers were provided the ability to challenge the order to grant access to surveillance in a FISA court.

The legal environment matters too.  Strong privacy and data retention regulations in the U.S. have allowed groups to sue U.S. government agencies involved in PRISM on the grounds that it violated the rights of citizens to “reasonable expectations of privacy.”  Similar laws do not exist in India, and it is unclear what recourse an Indian citizen would have against the Government of India should his or her privacy be unreasonably breached (or personal data disclosed) through electronic surveillance.

But perhaps most importantly, the differences are stark with regard to technical capabilities.  For all intents and purposes, the Internet as we know it today is a culmination of research conducted by the U.S.’s armed forces and educational institutions.  Mechanisms to secure data, in storage and in transit, were also developed by institutions in the U.S.  The AES encryption algorithm (in its various avatars) for instance, is now widely used to encrypt data worldwide.

The AES itself owes its mass acceptance to a detailed assessment and approval by a body of the U.S. government.  Which one? Oh, a tiny little agency known as the NSA.  Indeed, the same NSA in charge of PRISM.  How many countries and agencies would you suppose understand the intricacies and vulnerabilities of the AES algorithm better than the NSA?

India, on the other hand, benefits from no such advantages.  Its public and private institutions are not net contributors to widely adopted Internet and telecommunications technologies.  Most services consumed by Internet users in India (e.g., Google, Gmail, Facebook) are not physically based in India and employ encryption technologies that the Indian government cannot breach (at least, not without the active assistance of foreign governments).  Thus, even with the CMS, the Indian government will be at the mercy of foreign service providers to gain access to data published on popular and secure Internet platforms.

The Indian government could, of course, intercept land-based and mobile communication.  Indeed, the recent announcement by Research in Motion (the makers of BlackBerry mobile devices) means that the Indian government will have the ability to intercept voice and data communicated through all non-corporate BlackBerry devices in India.  These capabilities will, no doubt, be rolled into the CMS.  But the use of open-source mobile operating systems coupled with encryption technology could still frustrate attempts to intercept mobile communication.

Effectively, this means that the Indian government is attempting to build a program whose extensive Executive mandate does not match its limited and imbalanced technical capabilities.  Such a system will, I fear, be inept or worse, vulnerable to misuse.

Ultimately, the Indian government must engage its citizens in a dialog on the need for a system for legal surveillance, and build trust among its citizens.  Ordinary, law-abiding citizens are not the only mass consumers of Internet and telecommunications technologies; terrorists and enemies of the state are too.  You could make a fairly solid argument, particularly given the challenges India continues to face with regard to national security, in favor of a system for legal surveillance.  Unfortunately, the Indian government has chosen silence instead of dialog.  This is no way to assuage the anxieties of citizens in a liberal democracy such as ours.

Read the Takshashila Institution’s discussion document on the Central Monitoring System where we argue that:

[S]uch an inherently pervasive and intrusive program cannot be deployed in a liberal democracy without an adequate level of trust between the government and its citizens and an appropriate framework of checks-and-balances to ensure that entrusted agencies do not overstep their jurisdiction.

Thus, it is imperative that the Indian government take its citizens into confidence on the necessity for such a program, evolve an appropriate framework of laws, including those pertaining to privacy and data retention, and establish a system of checks-and-balances to ensure against systemic overreach prior to the implementation of the CMS. [Takshashila Institution]


Guestpost — The Weakest Link (II)

The importance of prompt governmental action on cybersecurity threats.

In Part-II of The Weakest Link, Srikanth R., Senior Research Associate for Cyber Security Studies, writes about how India and other countries have reacted and should continue to act to counter cybersecurity threats (also read Part I).

While the attack on RSA was in progress, a slew of attacks on companies and governments all over the world were taking place. These attacks were credited to anonymous groups of people who are not necessarily hackers, but who have sufficient skill to detect sites running older versions of software with publicly known exploits. These attacks compromised the data stored in websites that were not up to date with patches for known security holes. Unlike zero-day attacks, which require considerable technical competence, these attacks were the result of exploiting well-known weaknesses in website software, and did not require much technical competence.

Such attacks have already resulted in the publication of private databases of various web sites all over the world, including NIC in India, indicating that organizations in India will also be potential targets for such groups. Such organizations need to secure their networks by applying patches for all known security holes, i.e., the vulnerabilities that are not zero-day.

These events point to an urgent need for organizations/companies specializing in cybersecurity services in India that can provide services such as penetration testing, website audits, and IT security audits for a fee. Such organizations can also be valuable in bringing best practices to all people in an organization — a chain is only as strong as the weakest link, and this is especially true of implementing secure processes and practices in any organization.

All of the above events raise obvious questions about the current status of the security of the corporate and government networks that may be considered high value targets to adversarial state and non-state actors. In considering these targets, it helps to be realistic about the actual importance of a target, and not “official importance”.

Taking down a government agency’s website is an annoyance but it does not actually affect the daily activity of Indians in real terms. The value of disrupting the networks and functioning of an organization increases as the use of technology in governance increases, as it directly affects citizens using such governance schemes. In particular, schemes such as Aadhaar will soon be a high value target as it becomes more central to the functioning of large numbers of organizations, governmental and corporate, as their own services become dependent on the Aadhaar networks functioning as designed.

It would be beneficial to have an independent organization that is in charge of testing and fixing the security of such flagship schemes that hold private information of a growing number of citizens. On this note, it should be noted that data security must be viewed in a comprehensive manner, which in this case would mean security of all paper copies of data collected from the citizenry to be entered into the Aadhaar databases.

Citizens’ groups need to question the government on whether all the data collected for the UID databases are destroyed once they are in the Aadhaar databases, and if not, demand information on the safeguards taken by the Indian Government to protect this data from being abused in the future. Failing such assurances from the government, citizens must resist any moves to make UID mandatory for all citizens.

The other key infrastructure that will be a target for hackers will be telephone networks that are tied to Internet data networks. The most obvious way to place the entire network at risk is to run the network using products from foreign corporations without access to the exact source code that runs on the hardware on the network and to the hardware design of the chips used. Backdoors can be built into the hardware too.

If an entire network of machines is built from such hardware, a literal flick of the switch can shut down the network when it is most needed. The recent announcement by Reliance Industries that it will build the company’s cellular networks based completely on Huawei products is very alarming, because there is no indication that Huawei has parted with the source code for the networks to Reliance.

Short of Reliance building and installing Huawei source code on their products, there is no way to ensure that Huawei has not installed hardware or software Trojans in the systems sold to Reliance. Operating any hardware/software without the source code in sensitive domains that will be targets for enemy hackers is an exercise in extremely poor judgement.

In summary, the physical security of a State and its cyber security are complementary aspects of overall national security. Organizations that provide crucial services to important entities or to the public at large must take immediate steps to secure the internal processes and procedures of all their employees who have access to their networks.

Furthermore, Indian organizations must eschew incorporating proprietary, i.e., non open source, hardware and software platforms from competitor states such as China, unless they acquire complete knowledge of what hardware and software is being deployed to build public infrastructure. Instead of creating myriad new governmental organizations that do little to improve the security of the nation’s networks, the Indian Government would do well to provide incentives for private businesses that provide critical services and information in securing corporate and governmental networks.


Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, where state and non-state actors increasingly use cyberspace to perpetrate attacks against their adversaries. These actions should remind us of the inextricable link between cyber-security and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constituted an “act of war” if they originated from a foreign country, and that these acts of war could be responded to with conventional military force.

However, given the increase in frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of warfare being imposed on States in the world. Indeed, while the Government of India recently released a cybersecurity policy draft, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies writes in a two-part series on The Filter Coffee, about the nature of the threat, and actions India and other governments must take to prevent attacks or effectively mitigate damage.

After last year’s Stuxnet attack on Iran’s facilities, it was revealed recently that the attack was the result of efforts by the governments of the US and Israel.  In March 2011, an “independent Iranian hacker” took credit for hacking into RSA Corporation’s master “token seed” database for one of their flagship products, ostensibly in retaliation for the Stuxnet attack.  The stolen data from RSA was used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that “cyberattacks can count as acts of war if it originates from a foreign country,” most likely directed at the State that hacked into RSA’s databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2.  Lockheed revealed that information stolen from RSA was used to attack their network. RSA’s official response ambiguously emphasized that “the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology”.  Given that the RSA database was stolen on March 17th, this attack would by definition be categorized as a “known” threat, and thus not a “new threat”.

While this may appear to be just another database that was hacked into, it has serious implications for all of RSA’s customers, which include companies such as Comodo, which provides authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc.  Customers of RSA such as Comodo depend on the robustness of RSA’s services to guarantee the integrity of the authenticated SSL certificates issued to Comodo’s customers.  In fact, all of the above customers that depend on RSA’s security platform were breached in the weeks after the loss of RSA data.

Token-based authentication is a common and popular scheme that allows a user to access specific resources on a site by interacting with an authentication server.  The authentication server provides temporary access to a set of resources or capabilities, based on the user’s name and password, by generating a “token” that grants the user temporary access to specific resources on the web; companies like RSA base their products on “seeds” that generate an effectively unlimited sequence of secure tokens. Secure tokens are required by any organization that needs to provide secure access to databases on its servers or secure access to its VPN networks.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create “cloned” tokens that can be misused by intruders to attack, for example, a VPN network that is vulnerable to hacker attacks.  On May 29, Reuters reported a defense company acknowledging it had detected a “tenacious cyberattack” which was eventually thwarted successfully.
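To make concrete why a copied seed record is equivalent to a cloned token, here is an added example (not RSA’s code or algorithm; the open HOTP scheme of RFC 4226 stands in for the proprietary SecurID generator). The `TokenServer` class, its look-ahead window and the sample seed record are constructed for the demonstration; the seed value is the RFC 4226 test-vector secret.

```python
import hmac
import hashlib
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1(seed, counter), dynamic truncation, modulo 10^digits.

    The code depends on nothing but the seed and the counter, which is exactly why
    confidentiality of the seed database is the whole security of the scheme.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Minimal authentication server (constructed for this example): one seed record per
    token id, plus a small look-ahead window so a user may skip a few codes."""

    def __init__(self, records: dict, window: int = 5):
        self.records = {tid: {"seed": seed, "counter": 0} for tid, seed in records.items()}
        self.window = window

    def verify(self, token_id: str, code: str) -> bool:
        rec = self.records[token_id]
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1  # resynchronise; an already-used code is now rejected
                return True
        return False


def clone_demo() -> dict:
    """A second copy of the seed record produces codes the server cannot tell apart.

    The server sees a valid code either way; nothing in the protocol distinguishes the
    genuine token from a clone. The only remedy after a seed-database compromise is to
    re-seed (replace) the tokens, which is why the text calls the RSA theft so serious.
    """
    seed = b"12345678901234567890"  # RFC 4226 test-vector secret, used as a constructed record
    server = TokenServer({"tok-001": seed})
    genuine_code = hotp(seed, 0)      # produced by the real token, counter 0
    copied_seed = bytes(seed)         # an independent copy of the same seed record
    cloned_code = hotp(copied_seed, 1)  # produced from the copy, next counter value
    return {
        "genuine_accepted": server.verify("tok-001", genuine_code),
        "clone_accepted": server.verify("tok-001", cloned_code),
        "replay_rejected": not server.verify("tok-001", genuine_code),
    }


if __name__ == "__main__":
    print(clone_demo())
```

The replay check shows what the counter does protect against (reuse of a code already consumed), and what it cannot: a holder of the seed simply generates the next code.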

It should be noted that RSA had taken measures for the physical safety of its data, such as “(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecureID server’s operating system; (c) strictly limiting administrative access to it per RSA’s guidance, and (d) monitoring the SecureID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low.” However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks are initiated by gaining entry into a network and then remaining hidden for a long period of time, actively collecting information but hiding all of the stolen information within a machine in the network before shipping all of it out at the very end.  APTs can gain entry by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with information that grants access to a secured network.

Once inside a secure network, this malicious entity hides within the organization’s network, silently collecting information for days, or perhaps years, before abruptly leaving with all of the stolen information.  Given that there are no solutions to avoid zero-day attacks, it is not possible to prevent APT attacks outright.  However, there could be limited use for network monitoring tools to filter off-hours activity not initiated by a known user in the network — this is not sufficient to thwart APT attacks, but it can at least detect a malicious presence in the network sooner rather than later.
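The off-hours filter suggested above, as an added example run over constructed session-log lines (not code from the original post or from any monitoring product). The log format, the allow-list of known users, the working-hours window and the bulk-transfer threshold are all assumptions of the example; the second rule extends the text’s idea by also flagging a known account that moves unusually large volumes off-hours, since that is the “shipping it all out at the end” phase of the APT described.

```python
import re
from datetime import datetime, time
from typing import Optional

# Constructed sample log: ISO timestamp, host, event, key=value fields. 2011-06-04 is a Saturday.
SAMPLE_LOG = """\
2011-06-02T09:15:02 fileserver1 login user=asha src=10.0.5.21
2011-06-02T12:40:11 fileserver1 transfer user=asha src=10.0.5.21 bytes=20480
2011-06-02T23:12:45 fileserver1 login user=svc_backup src=10.0.9.3
2011-06-03T02:03:17 fileserver1 login user=tmpadm src=10.0.7.77
2011-06-03T02:05:40 fileserver1 transfer user=tmpadm src=10.0.7.77 bytes=734003200
2011-06-04T03:30:00 fileserver1 transfer user=asha src=10.0.5.21 bytes=524288000
"""

KNOWN_USERS = {"asha", "svc_backup"}  # hypothetical allow-list of accounts expected on this host

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login|logout|transfer) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: bytes=(?P<bytes>\d+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; unparseable lines are skipped rather than silently trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
    return rec


def is_off_hours(ts: datetime, start: time = time(8, 0), end: time = time(19, 0)) -> bool:
    """Outside the assumed working window, or on a weekend (weekday 5 = Saturday, 6 = Sunday)."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect(lines, known_users, bulk_bytes: int) -> list:
    """Return alerts for off-hours activity: unknown accounts (high) and bulk transfers
    by known accounts (medium). Ordinary off-hours use by known accounts is not flagged."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_off_hours(rec["ts"]):
            continue
        base = {"ts": rec["ts"].isoformat(), "user": rec["user"], "src": rec["src"],
                "event": rec["event"]}
        if rec["user"] not in known_users:
            alerts.append({**base, "severity": "high",
                           "reason": "off-hours activity by unknown user"})
        elif rec["event"] == "transfer" and rec["bytes"] >= bulk_bytes:
            alerts.append({**base, "severity": "medium",
                           "reason": "off-hours bulk transfer by known user"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines(), KNOWN_USERS, bulk_bytes=100_000_000):
        print(a["severity"], a["ts"], a["user"], a["reason"])
```

The service account’s night-time login is deliberately not flagged: the value of such a filter rests on keeping the known-user list accurate, and an intruder who captures a known user’s credentials (the second APT entry route above) will only show up through the volume rule or not at all.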

In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.


Filtered Café

The government’s proposed legislation on cyber cafés is misplaced.

At the outset, thanks to both @PRSLegislative and @_R_Srikanth for alerting me to a draft legislation put forward by the Department of Information Technology (DIT) on governing the workings of cyber cafés in India.  The government has published the draft legislation and sought feedback from citizens, by February 28, 2011.  A copy of the draft legislation is available here.

PRSLegislative summarizes the legislation thus:

The draft regulations require every cyber café to have a license and give internet access to people after they prove their identity to the satisfaction of the cyber café.  The cyber cafés are required to maintain the logs of users and of websites accessed by users. Cyber cafés are also required to ensure that their service is not utilised by people for any illegal activity or for viewing pornography.  There are requirements on the physical layout of the cyber café — for example, they need to prominently display a board stating that users may not view pornography. [PRSLegislative]

There are several issues with the government’s proposal, of which some are articulated below (those concerned about the proposed legislation are encouraged to respond to DIT directly via the email address provided in PRSLegislative’s blog):

The first question that such a proposed legislation raises is one of objectives.  I.e., what does the government hope to achieve by seeing the implementation of the security provisions in the proposed legislation?  If the idea is essentially one pertaining to national security — i.e., denying vulnerable systems or networks to individuals who can use them to aid in plotting against the nation — then some of the security prescriptions outlined appear incongruous with this objective (more on them later).

Second, while the government’s desire to establish the identity of individuals using the café’s wireless network can certainly be appreciated, the proposed legislation does not account for the fact that individuals visiting cyber cafés may just as easily use their own laptops — either within the premises of the cyber café, or in its vicinity (with or without the permission or knowledge of the owners, depending on how wireless access points are set up).

Third, unless the government is reasonably sure that none of India’s 81 million Internet users access “obscene” material or pornography within the confines of their homes, or that the government fully expects to track, identify and fully prosecute everyone that does, expecting cyber cafés to warn or to otherwise deter accessing whatever the government may consider “obscene” (not defined) is beyond ridiculous.

The question of whether or not a democratic government should have the right to dictate to its citizens, under whose consent it governs, as to what they can or cannot see is another issue (for the record, no it shouldn’t). Again, the question here is about objectives.  If this is about national security, then this particular provision conflicts with the overall objective of the proposed legislation.

Next, how does the government plan to monitor cyber cafés to ensure they comply with the required standards?  The Cyber Café Association of India itself has a membership of 180,000 cyber cafés and 40,000 Internet kiosks. It is safe to assume that the entire population of cyber cafés in India is considerably larger.  Unless the government has adequate financial and manpower resources to regularly ensure compliance, the legislation becomes meaningless.

Further, whenever physical or logical security requirements are mandated, there are costs associated with them.  These will have to be borne by the cyber cafés (who will need to invest time and money in installing and monitoring services) and by the government (to ensure that standards are being adhered to).  Additionally, cyber cafés will need to obtain a license (unsure if these are different from the licenses that cyber cafés are already required to obtain), which, no doubt, will have costs associated with it, which eventually will be passed on to their patrons.

The whole point of security, however, is that it must be an enabler, not a deterrent, to business.  Some of the provisions articulated in the proposed legislation are indeed laudable (the intent to protect minors, deter terrorists and their collaborators, etc.); however, when taken as a whole, the proposed legislation will have a negative impact on cyber cafés in India.  Especially so if the government is unclear about the raison d’être for this legislation and doesn’t really have any desire or ability to enforce its provisions.

It will be an example of a clueless GoI chasing its own tail, and unfortunately, not for the first time.
