Pages

29 January 2015

Cyber security Challenges

By K D Nayak & Amit Sharma

Cyber warfare being considered as a legitimate mode of attrition between nations, a new spectrum of operations have opened up with the full panoply of instruments

President Barack Obama, in his presidential address spoke that “Our digital infrastructure will be treated as a strategic national asset”. The underlined essence of president Obama’s statement clearly points to the fact that world leaders are considering the importance and consequently the threats to information infrastructure to a level where they are termed as a country’s strategic asset. Over last 20 years, there has been a colossal change in the way in which threats have evolved in cyberspace, to an extent that strategists around the world are recognising cyberspace as the fifth domain of warfare. This rapid evolution of threats, from non-state actors and at the behest or in some cases directly by state actors, has resulted in a global cyber pandemonium and chaos. The scenario is further aggravated by the global incoherence of domestic and international cyber laws in relation to law enforcement model; attribution issues; international disharmony on cyber issues; and most importantly non-availability of a global treaty, especially for issues relating to law of war model.

With nations around the world, preparing to defend against the threats and, to capitalize the opportunities provided by this relatively new realm of warfare; it is imperative to protect our sovereign cyberspace especially the critical information infrastructure. The situation is exacerbated with the active inclusion of state actor in cyberspace and the development of advanced cyber weapons which have graduated from non-disruptive cyber espionage weapons i.e. utilizing zero day exploits, to highly lethal disruptive weapons targeting SCADA and DCS systems like the STUXNET. The erudition of these cyber weapons especially in relation to stealth parameters clearly delineate them from the classical malwares, viruses etc. This scenario was further exacerbated by Snowden’s revelation of strategic US cyber espionage programme call the PRISM. PRISM clearly drew the line and marked the herald of a new era of threats in cyberspace focused primarily on the state use of cyber space as a weapon of war.

If we look at Indian cyber security scenario, India ranks 3rd in terms of the highest number of Internet users in the world after USA and China, the number is projected to grow 6-fold between 2012-2017 with a compound annual growth rate of 44%; but at the same time India secures a spot amongst the top 10 spam-sending countries in the world alongside USA. India was ranked among the top five countries to be affected by cybercrime, according to a 22 October report by online security firm ”Symantec Corp”. Our strategic dependence on information infrastructure for force-multiplier effect has resulted in a strategic vulnerability and this vulnerability when coupled with the portents of cyber weapons result in the herald of an era of cyber chaos and bedlam. Under these circumstances, it becomes imperative for us to embark for cyber deterrence capabilities and to achieve such a capability, Information security is the key factor. Protection of information and information infrastructure is now a key factor to our national security and the four binding pillars of information security i.e. Confidentiality, Integrity, Availability and Non-repudiation are the prerequisite to achieve it. Confidentiality is among the key factors especially in relation to defence systems and the emphasis is always on strong crypto-logical i.e. encryption systems. These encryption technologies follow a strongly scientific approach, and designs cryptographic algorithms around computational hardness assumptions, thus making such algorithms hard to break by an adversary i.e. cryptanalysis. It is theoretically possible to break such a system but it is unfeasible to do so by any practical means. These schemes are therefore computationally secure. Albeit, there exist information – theoretically secure schemes that probably cannot be broken. An example is the one-time pad—but these schemes are more difficult to implement than the theoretically breakable but computationally secure mechanisms. The implementation of cryptology ranges from public/asymmetric key encryptions ranging from elliptical and hyper-elliptical systems to private/symmetric key encryptions systems like AES, 3DES, Serpent etc. However, confidentiality is the key ingredient to a secure system, nevertheless it is imperative that the age old dictum of ‘Defence in Depth’ should be followed in hitherto to conceive, design and implement such a systems. This military strategy application in information security is based on the ideais based on the paradigm of defending a system against any particular attack using several, varying methods.

Conceived by the National Security Agency (NSA) this layering tactic, provides a comprehensive approach to information and electronic security and seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system where multiple layers of defence prevent espionage and direct attacks against critical systems. Defense in depth measures should not only prevent security breaches, but also buy an organization time to detect and respond to an attack, thereby reducing and mitigating the consequences of a breach.

Some of the measures classically used in Defence in Depth methodology include strong Authentication systems based on biometrics, digital signatures etc.; Hashing passwords; Firewalls and Demilitarised zones; Intrusion Prevention Systems; Network behavior analyzers; Advanced malware detector and Anti virus systems; Virtual Private Networks; integrity managers Security logs and Access control systems; vulnerability assessment and auditing etc. Although Defence in Depth is a critical to information security, but these will be inherently flawed if secure designing methodology is not followed.

The concept of Secure Design framework revolves around the paradigms of Secure by Design, Secure by Default, and Secure in Deployment with a primary aim to achieve trustworthiness. These concepts have shaped the development process to help deliver secure systems. Secure by Design means that you have taken the appropriate steps to ensure that the overall design of the product is secure from the outset especially including threat modeling at the design phase and using secure design, coding, and testing guidelines. Secure by Default means that the system when released is configured secure by default i.e. if a feature is optional, then it can be turned off by default. If a feature is not activated, then an attacker cannot use it to compromise your product. Secure in Deployment means that the system is maintainable after installation. If a product is difficult to administer, it makes it more difficult to maintain protection against security threats as new ones evolve. The key goal is to achieve Mission Assurance in Cyberspace, which subsequently revolves around achieving trustworthy components, trustworthy supply chain, trustworthy architecting, trustworthy assessment, trustworthy penetration testing and most importantly trustworthy administration.

DRDO’s approach to achieve mission assurance is by achieving system assurance by design thus ensuring assurance by providing safeguard against leakage. This objective is meticulously met via a strategic approach involving System architecture and Trusted Platform development involving Custom Designed Hardware to Guard Against Embedded “black box” Attacks, Side Channel Attacks based on Timing, Fault Injection and Power Analysis; Custom Firmware/Software on Operating Systems less platforms to Prevent Intentional/Unintentional Leakage; Custom Interface development to Control, unauthorized Transactions, unauthorized access; Development robust cryptographic algorithms specifically custom designed algorithm which are Resistant to all known modern day attacks; development of Conservative Design methodology and most importantly independent white box evaluation. DRDO’s approach also includes developing capabilities to produce robust high grade cryptographic devices based on Indigenously developed cryptographic algorithms and Indigenously architected high assurance platforms; and capabilities to develop advanced architectures for LAN and WAN security to Safeguard information systems to counter external and internal threats has been developed. For the near term risk mitigation DRDO works on the approach of development Software based security systems running on COTS computing platforms. For the long term risk mitigation DRDO has initiated the development of Trustworthy and Secure networking devices that can maintain their performance integrity in the face of attacks; Trustworthy computing platforms for application specific information processing; and Trustworthy storage solutions to prevent data leakage. Having said so much about the technological means of securing cyberspace, we would reiterate that technology does not provide for a silver bullet to this problem, but is part of a complex solution, which will involve people and processes along with technology. Unless and until our processes are securely implemented and exercised rather than retrofitting; and our people are appropriately sensitised and made aware about the critical aspects of security, we would not achieve the larger perspective of secure cyberspace. Hence we should aim at targeting all the three components i.e. the technology, people and processes to develope a secure cyber ecosystems which will ensure the safeguard of our sovereign interests in this new realm, the cyberspace.

Apart from targeting all the three components i.e. the technology, people and processes to develop a secure cyber ecosystems, a strategic aspect that India needs to put its emphasis on, is development of indigenous fabrication and production capability. The threats in cyberspace have manifested now to a level where they are considered as a threat to our national security. The growth of cyber crime and its ugly mutation, the cyber warfare i.e. state sponsored manifestation, has resulted in the herald of need for new era of need for security in the information technology field in India. Although there is a gamete of factors associated with this phenomenon, however lack of indigenous development/production and consequently supply chain infection emerges out to be the most notable. This is the Achilles heel of Indian ICT ecosystem. Unfortunately, India missed the race of silicon revolution involving the development of technologies, systems, fabrication and production of microelectronics and allied systems; which in-hitherto resulted in its extensive dependence on imported systems and technologies. This was further exacerbated by the psychological remnants of the British Raj involving the preference to imported products (unfortunately at a higher cost) over Indian counterpart, which in reality has been deeply ingrained in the Indian mental setup. This aspect of “import driven” approach for addressing majority of the need both in the Defence and the Civilian sector has resulted in inducing a strategic vulnerability; not only the lack of support for development of indigenous capability, but due to the imminent threat of supply chain infection especially involving advanced embedded and software based malwares. There have been multiple instances around the world where counterfeit hardware had entered into the crucial military industrial complexes via supply chain infection.

No comments:

Post a Comment