Prime Edition

Sean S. Costigan

In 2010 he was Visiting Fellow at the Institute for Foreign Policy Studies, University of Calcutta. @seancostigan on twitter

Cyber terrorism must be jointly tackled

A new cadre of tech-savvy analysts is needed for a deeper understanding of today’s challenges, especially to address the gap between government and cybercriminals..

President Barack Obama and first lady Michelle Obama walk to board Air Force One at Andrews Air Force Base on Saturday on route to New Delhi by way of Ramstein Air Base, Germany. PTI

Democracies have much at stake in cyberspace. Our peoples depend on access to information, free exchange and the free movement of data. India and the United States share many commonalities, not least of which are vibrant communities, dependence on IT as a key economic sector and, unfortunately, many vulnerabilities that are ripe for exploitation. The recent Sony hack has brought attention to state-sponsored acts of terror in cyberspace. Despite ample evidence of cyberattacks, many in the security professions remain in denial about cyber terrorism. Their critiques typically fall into three main groups, each of which has the benefit of appearing to be based in sound reasoning, however, the rationales for each are fatally flawed.

The first — the (lack of) Expertise Fallacy — is based on outdated knowledge and is typically articulated in defence circles by those with limited technical understanding. The facts are these:

* Sufficient technical knowledge for physically damaging and terrorising attacks can be rented — the criminal underworld is awash in reasonably skilled for-hire hackers.

* Custom malware can be purchased on the open market and Dark Web.

* Free courses in hacking are available to anyone with an Internet connection.

* Entire gratis hacking suites are available for download, and technical support is never more than a forum away.

* Information technology has grown in power, security often remains a poorly executed afterthought, and technical complexity for exploits has been reduced.

* Younger, more tech savvy terrorists and hacktivists are coming of age at a time of substantially increased societal connectedness and vulnerability.

* States are actively engaged in weaponising code and are all too willing to hide behind the challenges of attribution — many will be apt to share code with proxies in furtherance of their objectives, just as states continue to support terrorism in the "physical" realm.

The second critique, a sort of "Nothing to See Here" position, rests on the suspect notion that terrorists aren't quick to change and will just keep using cyberspace for intelligence, communication, recruitment, fundraising and movement of monies, as they did for the attacks of 2001 in the US and 2008 in India. Yet, adding the delivery of weaponised code to the terrorist arsenal does not alter terrorists' continuing use of the Internet for other purposes. Reduced technical complexity, lowered costs and most importantly, the continued push to connect the virtual and the physical — think of the growth of the Internet of Things or Machine-to-Machine connectivity — is making for new, enticing physical targets worldwide.

For those who doubt that the physical and virtual worlds are merging, evidence is mounting to the contrary. Last month, Reuters reported that computers at South Korea's nuclear power operator had been compromised. Korean officials were quick to assert that there is no chance of a direct hack against the reactor's control systems since they are air-gapped (think of that as not connected to an outside network) but stealing "non-critical" data has been shown to enable deeper penetration of systems in the past, whether through social engineering or the generation of intelligence about specific technical systems. This is the dynamic: steal a little here, come back to do harm later. Such was the case, as reported by the BBC, in a recent attack on a steel works in Germany that purportedly caused catastrophic damage to a blast furnace. These attacks are indicative of an unsettling trend, as there is now little difference between the physical and the virtual.

Finally, the "Doubting Thomas" view is a regular contender for most often heard critique of anything in the security realm that might be considered new. The challenge here is one of sussing out what is likely from unlikely, the perceived unknown from the possibly unknowable, and clearly evident biases from requisite openness to the new. It is crucial to have critical, but not dismissive, voices in emerging security challenges. History teaches scepticism, but it also shows how vulnerable humans are to cognitive bias, and how this substantial limitation often precedes disaster.

The case has been made that the recent Sony hack was the work of North Korean government hackers. North Korea, which has grown its military cyber forces to an estimated 5,900 from some 3,000 people in 2012, evidently with substantial help from China, continues to deny the charges and has called for a joint US-DPRK investigation. While that is unlikely to take place, it is crucial to grasp that we are going to experience a real cyberattack that kills and terrorises people, not just one that dissuades a media company from delivering its wares.

To address the mounting skills gap that is evident between government and cybercriminals, a new cadre of technologically savvy analysts is needed to press the case for deeper understanding of today's challenges and tomorrow's looming surprises. This cadre should not be made up of primarily technical people, but rather should be representative of a mix of disciplines to help keep minds open to the possibilities of strategic surprise and to help alert those in power in government and in the corporate boardroom. To that end, a joint India-US higher educational and information sharing effort would greatly help. The sooner we work together to overcome biases, outdated thinking and misguided conservatism, the better apt we will be to plan for what is probable and prepare for resilience post real cyber terror.

 

Creative-for-SG


iTv Network : newsX India News Media Academy aaj Samaaj  
  Powered by : Star Infranet