Indo-US cyber security cooperation
JENNIFER MCARDLE and MICHAEL CHEETHAM
Science knows no country, because knowledge belongs to humanity, and is the torch which illuminates the world. Science is the highest personification of the nation because that nation will remain the first, which carries the furthest the works of thought and intelligence.
– Louis Pasteur
THE Internet has experienced an astonishing expansion over the past two decades, starting as a small network limited primarily to the scientific community before growing into a global network serving over 2.5 billion users. The expansion of the Internet has facilitated the creation of the cyber economy, widespread automated regulation of key control systems, financial transactions, the sharing and storing of information (including highly sensitive data) [JLM1] and the emergence of new forms of communication such as email and social media.1 The evolution of digital communications has allowed for their integration into all facets of daily existence, causing people to rely upon them in much the same way that we rely on traditional infrastructure. However, despite the ubiquitous benefits of the cyber domain, it is also vulnerable to crime and conflict.
The computer security company McAfee, a wholly-owned subsidiary of Intel Corporation, notes that every year there is an increase of over a million new viruses and logic bombs, and that this figure is increasing.2 Cyber security threats come from a multitude of sources: criminal networks and syndicates, states actors, and politically motivated ‘hacktivists’ and terrorists. These threats can manifest in many different forms: ‘phishing’ scams that entice people into revealing sensitive data; denial of service attacks; espionage; terrorist recruitment; and cyber warfare or cyber terrorist attacks that could degrade widespread systems, incapacitating critical infrastructure like power and water and destabilizing economic and national security.
InIndia, the Minister of State for Telecommunications Milind Deora noted in the Lok Sabha that cyber attacks rose to 22,060 in 2012 from 23 in 2004, with malware infections and targeted denial service increasingly reported by private users and the government.3 In the United States, outgoing Homeland Security Secretary, Janet Napolitano, warned her successor in late August to strengthen US cyber defences, noting, ‘Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.’4 Reports of cyber attacks and potential cyber threats have become widespread in India and the United States, and in both cases this can partly be attributed to the intrinsic vulnerability of the underlying technologies in digital communications.
To better understand the cyber challenges that lie ahead for India and the United States, both nations must develop a common scientific language and a stronger scientific basis for computer security. As the US National Science Foundation (NSF), Intelligence Advanced Research Projects Activity (IARPA), and the National Security Agency (NSA) noted in 2011, while some scientific work in computer security has been conducted, the field could benefit from a stronger scientific foundation: universal laws, fundamental principles, the scientific method, and the systemization and generalization of knowledge.5 Developing a science of cyber security could help fill this conceptual void.
This paper will proceed in three parts: first, it will clarify what the science of cyber security is by examining the history and current research presently underway in the field. Second, it will show how science can be used as a mechanism to deepen collaboration between India and the United States in cyber security. While both states are strategic partners with cooperative cyber security consultations and dialogues, substantive cyber security cooperation between the two has been sluggish. Science, which provides opportunities for trust and capacity building, can be used as a diplomatic tool to enhance that cooperation.
Finally, this paper will present a current initiative that seeks to bring Indian and American scientists and social scientists together to explore and make recommendations to jointly develop a foundational science to cyber security. While the science of cyber security cannot guarantee complete protection against cyber security threats, it will provide both India and the United States greater certainty about the capabilities and limitations of each state’s security mechanisms, allowing both New Delhi and Washington to make well-informed risk decisions.
In 2008, the Information Security Panel of the NSA initiated a conversation on the scientific underpinnings of computer security. ‘Their concern stemmed from the growing use of commercial off the shelf technology in critical government systems, and they questioned whether the frequency of high profile security failures could be attributed to a lack of scientific rigour in security engineering. In contrast, they noted that the science and engineering associated with cryptographic systems, while still imperfect, seemed to result in far fewer catastrophic failures.’6
To address these concerns, in November 2008, the NSA in cooperation with IARPA and the NSF convened a Workshop on the Science of Security (i.e., science of cyber security) in Berkeley, California. The dialogue focused on the complexity of creating a foundational science to cyber security and the ability to produce systems that are secure in real world settings. The global Science of Security Virtual Organization (SoS VO) notes that a science of cyber security would encompass ‘a body of knowledge containing laws, axioms and provable theories relating to some aspect of system security. Security science should provide an understanding of the limits of what is possible in some security domain, by providing objective and qualitative or quantifiable descriptions of security properties and behaviours.’7
Articulating a concise definition for the science of cyber security is problematic due to the abstract and artificially constructed nature of the cyber environment. For the purposes of this paper, Dusko Pavlovic’s parallel with the challenges of fortress defence is a particularly insightful example.8
Fortresses have throughout history been used as a mechanism to protect a populace from external adversaries. A fortress consisting of walls and gates can be paralleled to cyber space’s access controls and authentication protocols. These are static architectural views of security. However, as the Greeks’ use of the Trojan horse in the Greco-Trojan wars demonstrates, there is a need to protect a city once adversaries penetrate, infiltrate, or subvert static defences. This requires a more dynamic form of flexible defence. The science of cyber security would provide those dynamic defences. It would rely on ‘predictive analytics, based on mining the data gathered by active or passive observations, network probes, honeypots, or direct interactions’ to identify and respond to those adversaries.9 Similar to an immune response in the body, a science of cyber security would identify threats, adapt to those threats, and seek to eliminate them.
Complicating the security picture is the difficulty in establishing the difference between systems and the external environment in the cyber domain. ‘In large networks, with immense numbers of processes, the distinction between the system and the environment becomes meaningless.’10 The task of science is to delineate the distinction between the system and the environment, dynamically responding to changes and adapting to them. To meet these challenges cyber security specialists are drawing on diverse disciplines for inspiration: physics, mathematics, cryptology, the social sciences, and even fields as diverse as astronomy, meteorology, agriculture, and medicine.
The Berkeley workshop gave birth to new research programmes such as the Team for Research in Ubiquitous Secure Technology (TRUST),11 research ‘lablets’ at select research institutions throughout the United States,12 and cooperative initiatives with foreign partners in the United Kingdom and Canada. Recent scientific initiatives have included Geometric Logic for Analyzing Security with Strands, Quantifiable/Refinement of Hyper Properties, and Integrity of Untrusted Computations.13 Despite these commendable efforts, there is a need to expand cooperative programmes to study the science of cyber security beyond historically close US allies to areas of future geostrategic importance. As Robert Meushaw, the former technical director of the NSA’s Information Assurance (IA) Research laboratory has noted, developing a robust science of cyber security will be a long-term process that will require broad-based collaboration. Indian and US common threat perceptions emanating from the cyber environment, when coupled with both states’ strong science and technology research and education, make them natural partners to pursue the study of the science of cyber security in an unclassified manner.
At first glance it may seem as if India and the United States have the beginnings of a robust cyber engagement – India and the United States conducted a second round of cyber consultations in June 2012 as part of the overall US-India Strategic Dialogue; through a Cyber Security Forum, India and the United States have agreed to Computer Response Team (CERT) cooperation; India has participated in a cyber war game hosted by the Department of Homeland Security; there is ongoing dialogue through a Joint Working Group on Information and Communications Technology; and India and the United States have cooperated in attempting to develop some norms and confidence building measures in cyber space for the United Nations Group of Government Experts on Information Security.
In reality, however, Indian and US cyber engagement lacks substantive progress and continues at a slow pace. This can largely be attributed to a lack of trust and larger diplomatic discrepancies in cyber security between the two governments.14 There is a need to build trust, develop capacity and better align interests in the field of cyber security in New Delhi and Washington. Science could provide the diplomatic mechanism to achieve that goal.
The great American philosopher Henry David Thoreau once quipped, ‘The language of friendship is not words but meaning.’ What is science if not the quest for greater meaning? Science diplomacy seeks to go beyond mere words and to bridge differences through meaningful cooperation. The soft power of science allows it to be an effective foreign policy instrument. The fundamental principles of science – rationality, transparency and universality – are the same the world over, allowing people to communicate in a common language. Science provides a non-ideological environment in which to share ideas, build capacity, and solve common problems.
Using science to establish deeper diplomatic relations in overall state-to-state relations or simply in a given area of tension is not without historical precedent. Indeed, science played an integral role in the Sino-US rapprochement of 1972, the easing of US-Soviet tensions during the Cold War, and even more recently in building trust networks between American and Iranian scientists.15 Discussing the scientific implications of international or diplomatic issues provides an alternative means of communication. ‘Scientific discussions have the advantage of being fact based, potentially more objective than typical diplomatic discussions, and in many cases less susceptible to the vicissitudes of standard diplomatic relations.’16
Jointly discussing and developing a science of cyber security may provide India and the United States the ability to surpass the diplomatic inertia that has plagued current cyber security negotiations and move towards a more substantive dialogue that targets the root of security problems. By first addressing the science of cyber security, India and the United States can develop trust that can later be used as the basis for broader diplomatic policy discussions.
Recognizing the need for a more robust cyber security engagement between the United States and India, the American Association for the Advancement of Science (AAAS), Centre for Science, Technology, and Security Policy (CSTSP)17 and the International Science and Technology Partnership (INSTP)18 programme have partnered to sponsor an Indo-US Science of Cyber security Initiative.
With support from both government and industry, AAAS will convene a three-day workshop in Bangalore in 2014 to bring together key scientific stakeholders in India and the United States to discuss the scientific underpinnings of cyber security. An inter-disciplinary group of thought leaders from both India and the United States will be selected to participate in the workshop in order to explore, study, and make recommendations to jointly develop a more reliant cyber security environment.
The workshop will provide key inputs to both the US-India Strategic Dialogue and the Joint Commission on S&T Cooperation. Outcomes from the workshop will be published in workshop reports for participants as summary reports and in peer reviewed journals and op-eds as science policy articles. Potential topics for the three-day workshop are: human perception, psychology, physiology, economics, data analytics, model checking, cryptography, type theory, and new technologies to combat phishing, spyware, botnets, and other relevant threats.
As a follow-up to the workshop, AAAS will support early stage interactions between Indian and US scientists on issues identified at the workshop. The sub-awards for these interactions will be selected through a competitive process coordinated by CSTSP and INSTP. Grants will be judged on scientific merit, scientific and technical feasibility, and demonstration of Indo-US cooperative possibilities. A variety of grants could be supported under this aspect of the programme, ranging from student and faculty fellowships, to more substantial awards for technical workshops or virtual joint research.
In 2015, AAAS will hold a symposium at AAAS headquarters in Washington, D.C. to bring together the grantees to present their results and share lessons learned with scientific and policy stakeholders. The proceedings will be published in a final report and disseminated. Key policy makers – particularly those involved in the Joint Commission on S&T Cooperation with India and the US-India Strategic Dialogue – will receive individual briefings by staff and key stakeholders engaged throughout the process.
The [JLM2] present state of Indo-US cyber security cooperation is falling far short of its full potential. Relations between the two countries in cyber security have been characterized by mistrust, misread expectations, and different diplomatic obligations. Cyber attacks and potential cyber threats in both India and the United States are pervasive; this can be partially attributed to the vulnerable nature of the technologies underlying digital communications. These threats in India and the United States will continue to grow as both states more readily rely on digital communications to support key infrastructure, economic, and security activities. There is a need for India and the United States to more deeply cooperate to jointly address these threats.
The science of cyber security provides a mechanism for Indian and American scientists to build trust and address core cyber security challenges, which can later be translated into larger cyber security policy initiatives. Utilizing science diplomacy offers an alternative channel for deeper Indo-US cyber security engagement.
1. Andrew Krepinevich, ‘Cyber Warfare: A "Nuclear Option"?’ Center for Strategic and Budgetary Assessments, 2012.
2. Brigid Grauman, ‘Cybersecurity: The Vexed Question of Global Rules’, Security and Defence Agenda, 2012, p. 8.
3. ‘Govt. to Chart Road Map to Safeguard India’s Cyber Security Architecture’, Business Standard, 24 August 2013. Retrievable at: http://www.business-standard.com/article/news-ani/govt-to-chart-road-map-to-safeguard-india-s-cyber-security-architecture-113082400153_1.html
4. Jordy Yager, ‘Napolitano Warns Large-Scale Cyberattack on US is Inevitable’, The Hill, 27 August 2013. Retrievable at: http://thehill.com /blogs/hillicon-valley/technology/318937-napolitano-warns-large-scale-cyber-attack-on-us-is-inevitable
5. David Evans, ‘NSF/IARPA/NSA Workshop on the Science of Security: Workshop Report’, NSF/IARPA/NSA Workshop on the Science of Security, 17-18 November 2008.
6. Robert Meushaw, ‘NSA Initiatives in Cybersecurity Science’, The Next Wave 19(4), 2012, p. 9.
7. Science of Security Virtual Organization, retrievable at: http://cps-vo.org/group/SoS/about
8. Dusko Pavlovic, ‘On Bugs and Elephants: Mining for Science of Security’, The Next Wave 19(2), 2012, p. 23.
10. Ibid., p. 27.
11. ‘The Team for Research in Ubiquitous Secure Technology (TRUST) is focused on the development of cyber security science and technology that will radically transform the ability of organizations to design, build, and operate trustworthy information systems for the nation’s critical infrastructure.’ For more information: http://www.truststc.org/index.html
12. A small number of academic research groups, or ‘lablets’ were funded to conduct specific work in science. The original ‘lablets’ included Carnegie Mellon University, University of Illinois, and North Carolina State University. The number of ‘lablets’ conducting science of cyber security has expanded with time due to outreach requirements stipulated to the original three ‘lablets’.
13. See the Science of Security Virtual organization for more information: http://cps-vo.org/node/5991
14. See, Franz-Stefan Gady, ‘US-India Cyber Diplomacy: A Waiting Game’, The National Interest, 24 October 2012, and Cherian Samuel, ‘Prospects for India-US Cyber Security Cooperation’, Strategic Analysis 35(5), September 2011, pp. 770-780.
15. For more on historic and current examples of science diplomacy see The Royal Society, ‘New Frontiers in Science Diplomacy: Navigating the Changing Balance of Power’, The Royal Society, January 2010; Micah Lowenthal, ‘Science Diplomacy for Nuclear Security’, USIP Special Report, 2011, and the AAAS Quarterly publication, Science Diplomacy.
16. Micah Lowenthal, ‘Science Diplomacy for Nuclear Security’, USIP Special Report, 2011, and the AAAS Quarterly publication, Science Diplomacy.
17. CSTSP, established in 2004, has a robust international security portfolio. Ongoing initiatives include scientific engagement in the Middle East and North Africa, Central Asia, and selective engagement through non-sensitive scientific cooperation with Iran and North Korea. These latter activities are done together with the AAAS Centre for Science Diplomacy for such initiatives are indeed trust-building, diplomatic exercises. The goal of CSTSP is to bring high quality analysis and greater transparency to uses at the intersection of science and security while also remaining culturally sensitive to the social needs of multiple international communities. http://www.aaas.org/cstsp/
18. Based at AAAS, INSTP hosts the US office of the Indo-US Science and Technology Forum (IUSSTF). IUSSTF was created in 2000 to promote mutually beneficial cooperation in science, technology, and health between individuals and institutions in the two countries. IUSSTF has supported the interaction of over 12,000 scientists, 300 bilateral workshops, 40 advanced schools or training programmes, 45 virtual centres, and hundreds of faculty and student fellowships each year. INSTP and IUSSTF have developed a detailed understanding of India’s science and technology landscape and built an extensive network of the leading scientists, engineers, health professionals, and research institutions in India. http://www.aaas.org/instp