A global concern
AHMAD CAMERON
‘This world – cyberspace – is a world that we depend on every single day... [it] has made us more interconnected than at any time in human history.’
– Barack Obama, 29 May 2009.1
The statement by the US President speaks volumes about cyberspace and its current significance for the human race. Information and Communications Technology (ICT) has today become the backbone of economic growth because it is a critical resource which all sectors of the economy rely on. ICT’s complex systems keep our economies running in key sectors such as finance, health, energy and transport. Hundreds of business models are also based on the uninterrupted availability of ICT.
The growth of and dependence on ICT has given rise to new challenges. Consequently, today there is a trade-off in our global village between enjoying the conveniences offered by ICT and minimizing the opportunities its use presents to eavesdropping by nation states on one hand and criminals on the other. While the motives of the former are about power politics and hegemony, the latter are out to cheat gullible and ignorant individuals who are unable to estimate the reach of ICT into their private lives. Criminals in cyberspace are today capable of spreading sophisticated threats through mobile devices and cloud applications, and have the ability to infiltrate high value targets.
According to a 2011 Norton study, threats to cyberspace have increased dramatically in the past year, afflicting 431 million adult victims globally – or 14 adult victims every second, one million cyber crime victims every day.2 Cyber crime has now become a business which exceeds a trillion dollars a year in online fraud, identity theft and lost intellectual property, affecting millions of people around the world, as well as countless businesses and governments of every nation.
The pace at which cyber attack tools and techniques have developed has become dangerous. Statistics compiled by two well-known internet security companies, Akamai and Symantec, together show that malicious computer programmes now originate in more than 190 countries. More than 60% of all the malicious code ever detected was introduced into cyberspace in 2008 alone.
The 2007 wave of distributed denial of service (DDoS) attacks which hit Estonia and subsequently the 2008 Russian cyber attacks on Georgia during the brief South Ossetian war highlighted the gravity of cyber threats. This revealed yet another dimension of ICT, forcing several European countries to adopt cyber security strategies.
The UN too has realized how cyber security has grown into a complex transnational issue that requires global cooperation for ensuring a safe internet as well as security of a nation’s resources. To address the issues and challenges around cyber security and cyber crime, the United Nations Economic and Social Council (ECOSOC) held a special event on ‘Cyber Security and Development’, organized jointly by the Department of Economic and Social Affairs (DESA) and the International Telecommunication Union (ITU) in December 2011. Its objective was primarily to: (i) Build awareness at the international policy level by providing ECOSOC members with a picture of the current situation and challenges concerning cyber security and its links to development. (ii) Identify a range of best practice policies and initiatives around the world to build a culture of cyber security. (iii) Explore options for a global response to rising cyber crime.
The challenges faced by governments vis-à-vis cyber security issues are scary as there is no simple way to detect, identify and recover from attackers who cannot be seen or heard, leave behind no physical evidence, and hide their tracks through a complex web of compromised computers. As a result of integration of controls, processing and provision of services through ICT, the sophisticated attackers and/or hackers can disrupt the electronic controls of, for instance, our power grids, water treatment plants and telecommunications networks. They can interfere with the production and delivery of basic goods and services provided by our governments and the private sector. They can easily sabotage privacy by stealing our personal information.
Post the 2008 cyber attacks in Europe, many developed nations began to take note of the opportunities as well as the risks associated with cyberspace and ICT. For instance, the Government Accountability Office (GAO) in its July 2010 report to the Congressional Requesters appraised the enormity of the genie of cyberspace and need for cyber security.
The US has an Internet Crime Complaint Center (IC3) which provides services to both the victims of online crimes and to law enforcement agencies. Its 2011 report reveals that for the third year in a row it received over 300,000 complaints, a 3.4% increase over the previous year. The adjusted dollar loss of complaints was $485.3 million.3
In its May 2011 document released by the Office of the President of the United States, the government has spelt out the strategic position of ICT in its incarnation as cyberspace. There are more than four billion digital wireless devices in the world today. Scarcely a half-century back, that number was zero. Due to ICT it is possible to engage in transnational dialogue and ensure the global flow of goods and services critical for the nation’s economy. Moreover, even critical life sustaining infrastructure that disseminates electricity and water, controls air traffic, and supports our financial system is today networked on account of ICT. Consequently, governments are now able to streamline the provision of essential services through eGovernance. Further, it is evident that the Middle East ‘Spring Revolutions’ have a lot to do with ICT, leading to social and political movements grouping in new and more expansive forms of organization and action. For all nations the underlying digital infrastructure is or will soon become a national asset.
It is critical that ICT continues to empower individuals, enrich societies, and support R&D to build modern economies. The characteristics of openness and interoperability responsible for its explosive growth must be retained with the same vigor. This can happen only when our networks are secure and reliable; they must retain the trust of individuals, businesses and governments, and should be resilient to arbitrary or malicious disruption. The future of an open, interoperable, secure and reliable cyberspace depends on nations recognizing and safeguarding that which should endure, while confronting those who would destabilize or undermine our increasingly networked world. In the near future we can foresee reliable access to ICT across the globe, at a price that businesses and families can afford.
The strategic guideline issued by the government stresses five basic principles viz.: upholding fundamental freedoms; respect for property; valuing privacy; protection from crime; and right of self-defence. The document explicitly spells out the role of the US regarding the future of cyberspace: enlarge the focus through diplomacy by strengthening partnerships at the global level; actively look after its defence through acts of dissuasion and deterrence with the ultimate aim of making progress on the development front which will ensure prosperity and security.
US Challenges in Addressing Global Cyber Security and Governance 4

| Challenge | Description |
|---|---|
| Leadership | Providing top-level leadership that can coordinate across federal entities and forge a coherent national approach. |
| Strategy | Developing a comprehensive national strategy that specifies overarching goals, subordinate objectives, activities to support those objectives, and outcome-oriented performance metrics and time frames. |
| Coordination | Engaging all key federal entities in order to coordinate policy related to global aspects of cyberspace security and governance. |
| Standards and policies | Ensuring that international technical standards and policies do not pose unnecessary barriers to US trade. |
| Incident response | Participating in international cyber-incident response, which includes appropriately sharing information without jeopardizing national security. |
| Differing law | Investigating and prosecuting transnational cyber crime amid a plurality of laws, varying technical capabilities, and differing priorities. |
| Norms | Providing models of behaviour that shape the policies and activities of countries, such as defining countries’ sovereign responsibility regarding the actions of its citizens. |

In 2010, Vic Toews, Canada’s Federal Minister for Public Safety said, ‘Canadians’ personal and professional lives have gone digital: we live, work, and play in cyberspace.’5 The official policy document visualizes risks and threats associated with increasing dependence upon digital technologies, making the country vulnerable to cyber attacks which can jeopardize its vital economic and defense infrastructure. Its economy relies heavily on the internet: by 2007 online sales reached $62.7 billion and 87% of the businesses used the internet; 67% of Canadians were using online banking by 2009. There are over 130 online services offered by the federal government such as filing of taxes, employment insurance, students’ loans etc., indicating the extent to which cyber technology has been adapted in the day to day functioning of government services.
The strategy reflects Canadian values such as the rule of law, accountability and privacy; allows continual improvements to be made to meet emerging threats; integrates activity across the Government of Canada; emphasizes partnerships with Canadians, provinces, territories, business and academe; and builds upon the close working relationships with our allies. Overall, the strategy involves an aggressive effort to integrate and arrive at a synergic action plan to combat cyber crimes by key federal, provincial, private sector and academic players.
Legislation on the following aspects has already been promulgated by the government: making it a crime to use a computer system to sexually exploit a child; requiring internet service providers to maintain intercept capable systems, so that law enforcement agencies can execute judicially authorized interceptions; requiring internet service providers to provide the police with basic customer identification data, as this information is essential to combating online crimes that occur in real time, such as child sexual abuse; and increasing the assistance that Canada provides to its treaty partners in fighting serious crimes. In addition, Canada has formed an intelligence partnership with the US, Australia and UK. It is also one of the few non-European states that have signed the Council of Europe’s Convention on Cybercrime.
In July 2012 the European Economic Commission (EEC) released its Cyber Security Report. Based on a survey on cyber security of the EU’s 27 countries, it estimated that more than a million users are victims of cyber crimes every day. Its gravity is apparent when one finds that over 53% of EU citizens access the internet at least once a day, with around 24% through smart phones. Buying goods (53%), social networking sites (52%) and online banking (48%) occupied the top ranks in the usage of cyber based services. The users (40%) are apprehensive about misuse of their personal data and in carrying out online payments (38%).6 Despite the EU constituting a group of relatively developed countries, most of its citizens claim not to be well informed about the risks of cyber crime (59%) while 38% say they are very or fairly well informed. On account of such surveys and increasing incidence of cyber crimes/attacks, individual countries have begun formulating cyber security policies and plans.
Just as the UK secured the seas for its national safety and prosperity in the 19th century and in the 20th century secured the air, now in the 21st century its government has to secure an advantage in cyber space. Therefore, the British strategy for cyber security, like the US and other G8 countries, is holistic, covering the entire government, several organizations across sectors, taking along its international partners and the public to work together in reducing risk and exploiting opportunities by improving knowledge, capabilities and decision making in order to secure the UK’s advantage in cyberspace.7 The threats to those who use cyberspace range from phishing on one end to enable credit card fraud to corporate espionage at the other. These cyber attacks can have an adverse effect on national organizations, individuals, critical infrastructure, and the business of government.
The focus of the strategy is to reduce the threat of cyber operations by reducing an adversary’s motivation and capability; reduce the vulnerability of UK interests to cyber operations; reduce the impact of cyber operations on UK interests, while exploiting opportunities in cyberspace; gather intelligence on threat actors; promote support for UK policies; and intervene against adversaries by improving knowledge, capabilities and decision making; improve knowledge and awareness; develop doctrine and policy; develop governance and decision making; and enhance technical and human capabilities.
Japan is one of the top ranking consumer electronics manufacturers in the world. Its brands of computers, smart phones, drives and other paraphernalia are displayed with pride across electronic stores throughout the world. With increasing dependence of everyday life from phones to running of organizations through ICT, the country made investments in establishing ICT infrastructure to run its economy after WW II. In 2000, it established the National Information Security Center (NISC).
In February 2009, the Second National Strategy on Information Security (NSIS) was promulgated for the years 2009-2011. It covered four subjects, viz. central and local governments, critical infrastructure, business entities, and individuals. In the areas devoted to critical infrastructure and business entities, private enterprises serve as the subjects of its actions while the government provides support. Further, MIC and the METI have set up grassroots IT security ‘classrooms’ all over the country to promote security awareness.
The NISC in 2005 developed governmental standards for information security measures for the central government computer systems, which were distributed to all Japanese national governing bodies. Since the cyber world expands almost on a daily basis, the government realized the need to remain on the ball. Consequently, the list of security management and administration objectives and practices is revised almost every year and is now in its fifth version.
Based on a standardized template, the NISC performs all measuring and reporting about its responsibilities to ministries and agencies. The template consists of thirty six questions and a checklist of items in ten subcategories divided into four areas: planning, knowledge sharing, execution, and evaluation and improvement. Even features such as education for IT security supervisors, compilation and maintenance of information asset lists, and incident handling manuals have been taken care of in the design of the template used for monitoring and reporting by the organizations NISC governs under its mandate. The NISC then rates the reported activities with single, double, and triple stars.
Though a G8 country, Japan lags behind in the area of cryptography R&D. On one hand, the national institutions of higher learning have not been at the forefront of cryptography research which is a cornerstone of cyber security for e-governance and e-commerce. On the other hand, it does not have a cryptography policy. Further, the cryptographic algorithms used by the Japanese government’s online services system were selected between 2000 and 2003, and need revision.8
After the US, China is the second largest economy of the world today.9 Its economy, political stability and sustenance depend upon productivity, social livelihood, and national security. Within China, in 2011, about 8.531 million computers were attacked every day, which accounted for 5.7% of daily networked computers, reaching a growth rate of 48% compared with the year 2010. Another survey found 60% of those surveyed had their personal information stolen; more than 66% of them agreed that we should intensify efforts to combat the illegal behavior. The estimated overall damage to the Chinese economy9 exceeded 5.36 billion RMB ($USD 0.852 billion), affecting 110.8 million Chinese users (~22%) and 1.1 million websites (20%) in 2011.
Though it is commonly believed that intrusions targeting proprietary economic data and sensitive national security information are Chinese handiwork, a large proportion of malicious activity globally actually originates from computer hosts located in the United States. Many PLA writings view US dominance in cyberspace as the key vulnerability of China’s security and military systems. Hence, both countries view cyberspace as a new domain of conflict, and eye each other suspiciously.
Currently, China does not have a comprehensive and integrated policy approach to cyber security. There are legal loopholes in public information safety. Further, it lacks an effective management mechanism. Despite political power being centralized, Chinese governance is fragmented regionally and functionally. In order to implement civilian or industrial cyber security, the government has to grapple with a complex maze of regulatory institutions, inconsistent implementation of policy directives, and public and private sector actors pursuing incompatible interests. For instance, the Ministry of Public Security is responsible for cyber crime and critical infrastructure protection and has a nationwide network of research labs. Further, the State Encryption Bureau is responsible for party, military, and civilian encryption management (but not intelligence cryptology).
The State Secrets Bureau manages all classified networks and has been active since the 2009 revision to the state secrets law. The military (PLA) is also a key player in the civilian sphere, through front end elements of General Staff Department units (3/PLA, 4/PLA, PLA Encryption Bureau, and the PLA State Secrets Office). Hence, there is a fractious network of military, intelligence, and other state entities involved in cyber policy and activity who are concerned about international as well as domestic security. Further, its institutions and the legal system are incomplete. Information security strategies and plans are insufficient. Internet technologies need further development. General public education is barely satisfactory.
To meet the needs for cyber security, the NNISCSG was created in 2002. This body drafted the national civilian cyber security strategy (Document 27) and approved major cyber security related policies and national strategies. After completing strategy formulation and policy planning in the first part of the decade, this body was disbanded in 2008 and reconstituted in 2009, but there is no public record of meetings since then.
Interestingly, nationalist ‘hacktivism’, in the form of website defacements, service denials, and network exploitation, flows both ways across the Pacific. This unfortunate situation exacerbates mistrust and raises suspicions in both countries (US and China) regarding the other’s motives and activities.
For the Latin American continent in 2012, global trends in illicit cyber activity showed how previously unknown threats have evolved to become a mainstream problem and a danger to all types of internet users. Android related malware incidents rose from a thousand to more than 350,000 in the span of just one year.10
Knowledge of the cyber threat landscape and government responses in Latin America and the Caribbean is fragmented. Much of what is known about the region’s cyber threat landscape is based on uninformed news reports and innuendo. Some sources show that banking malware was the region’s top cyber crime problem in 2011 while others judge that the biggest issue was multipurpose malware that compromised routers on a scale larger in Latin America than in any other part of the world.
During 2012, one of the biggest challenges to curbing illicit cyber activity was the lack of adequate legislation and robust policies. Further, due to inexperienced investigators and a shortage of prosecutors who specialized in technology-related offences, many countries find it difficult to deter and prosecute hackers and other cyber criminals. Based on the prevailing economic, political and social environment, each country has handled cyber security differently. Some countries certainly view cyber security as a threat to their national security and defense. Countries whose economy is based on exports consider it as having a greater impact on economic development or international competitiveness, while those countries which are at the lower end of the development ladder view it as a facilitator of education, social intermixing, and citizen-centric governance. Hence, Latin American countries are trying to incorporate both these considerations into their cyber security regimes.
The difficulty has been aggravated due to a low level of awareness amongst Internet users facing incident responders, investigators, prosecutors, and network administrators. In governments’ opinion, public interest in cyber security remained cursory; as a result, most have yet to implement effective, large-scale awareness raising campaigns amongst the users.
With reports such as those from the Organization of American States (OAS), governments finally have started taking note of the problems associated with cyber security. A number of countries have adopted a global view of cyber crime frameworks by working on substantive and procedural laws. Nevertheless, even countries with a powerful legal structure continue to face difficulties due to low levels of expertise in information security.
Collectively, members of the OAS have shown unity on cyber security issues.10 It may be worth noticing that the European Union adopted a cyber security strategy in February 2013, whereas OAS member states unanimously adopted a Comprehensive Inter-American Cyber Security Strategy nine years earlier in 2004! Further, in March 2012, member states also approved a declaration on ‘Strengthening Cyber Security in the Americas’. The consensus augurs well for the political will of member states towards cyber security matters though much work still needs to be done. It has certainly established regional cooperation and information sharing amongst the Latin American countries.
India has for the past two decades established its position as a significant player in ICT at the global level. The Government of India established a satellite based computer network, the National Informatics Centre Network (NICNET) in 1985-86.11 By unleashing computerization of railway reservations, the doors of ICT were thrown open by the bold initiatives of the central government. This became the turning point in the country’s history of ICT. The liberalization of the economy gave an additional boost to the growth of ICT with proliferation of computers, mobile phones and cable TV coverage reaching a majority of the country’s geographical area. Additionally, the government promulgated the Information Technology Act 2000 and subsequently, in July 2013, released its cyber policy through the Indian Computer Emergency Response Team (ICERT). At the ICT educational front too, the central and state governments have played their role in a satisfactory manner by encouraging the opening of engineering colleges, IITs and IIMs for the creation of required manpower for the needs of an expanding ICT sector.
Consequently, the Indian corporate and private sector has benefited from this boom in ICT due to the foundations laid by governments three decades back. But the manner in which the corporate sector should have contributed to strengthen the foundations of ICT through funding and sponsoring of R&D projects has been far from satisfactory. The private sector in India is represented by several chambers of commerce, such as FICCI, CII, ASSOCHAM, MAIT, PHD, NASSCOM, among others. By undertaking marketing research and trends, these organizations have indeed done a good job. For instance, MAIT represents the IT sector’s manufacturers in India. According to it, the Indian ICT hardware market’s forecast is shown in Figure 1 below. It is based on a survey of 35 cities in India.
All the chambers of commerce have sectors in their functional domain related to ICT to address the challenges and primarily prepare reports related to sales of ICT products and services. These private sector conglomerates have conducted seminars about advances in ICT at regular intervals. Hence, their executives and corporate members are fully aware of the need to build a solid foundation for the cyber security infrastructure because their businesses are highly dependent on ICT today. However, none of the chambers of commerce, nor the private sector, have sponsored R&D projects or shown any interest in supporting such work in collaboration with academia. So the onus and responsibility has invariably rested on the government to fund any R&D, while the private sector has only reaped the benefits.
The role of academia in cyber security research has not been that promising either. Despite commitment and availability of funds, the academia among the big three, viz. IITs, IIMs and IISC, has failed to show interest in the area of cyber security application research projects, such as on cryptography, tracking algorithms, intrusion detection and network security infringements. The ministry of IT under the cyber security area lists five projects it has sponsored with only one being done in an IIT. This casual approach of the academia is reflected in the paucity of professionals.
[Figure 1: All India Forecast (Urban) in Million Units]
Though on the policy formulation front India has made some progress, in comparison with the G8 and other developing countries like China, Brazil, South Korea and Malaysia, effort on the part of the politicians, bureaucracy and the judiciary, who are required to implement the policy, seems limited. The technocrats in the government have to project the urgency, severity and essential requirements for setting up a cyber security task force with teeth to bite, stringent penalties and ownership along with answerability by the corporate sector of India.
Footnotes:
1. Government of USA, the Office of the President of USA, International Strategy for Cyberspace. Washington DC, 2011, Web.
2. United Nations, Department of Economic Affairs, Cyber Security: A Global Issue Demanding a Global Approach. New York, USA, 2011, Web.
3. Government of United States, FBI, FBI-IC3: Internet Crime Report. 2011, Web.
4. Government of United States, GAO, Cyberspace: Report by GAO to Congressional Requesters GAO-10-606. Washington DC, 2010, Web.
5. Government of Canada, Canada’s Cyber Security Policy for a Stronger and More Prosperous Canada. Ottawa, 2010, Web.
6. European Commission, Directorate General of Home Affairs, Cyber Security Report. 2012, Web.
7. Government of United Kingdom, Office of the Prime Minister, Cyber Security Strategy of UK. London, 2009, Web.
8. Yasuhide Yamada et al., Comparative Study of Information Security Policies of Japan and United States, Journal of National Security and Law Policy, 2010, Web.
9. China and Cyber Security: Political, Economic and Strategic Dimensions, A Report from Workshop. University of California, San Diego, USA, 2012, Web.
10. Organization of American States, Latin American and Caribbean Cyber Security Trends and Government Responses: A Report. 2013, Web.
11. Gulshan Rai, Cyber Security and Role of CERT – Presentation. Department of Electronics, Government of India. CERT-IN, New Delhi, 2011, Web. http://www.cert-in.org.in
Glossary:
ASSOCHAM: The Associated Chambers of Commerce and Industry of India.
CII: Confederation of Indian Industry.
CISSP: Certified Information Systems Security Professional.
CISA: Certified Information Systems Auditor.
CRMA: Certification in Risk Management Assurance.
CRYPTREC: Cryptography Research and Evaluation Committee.
CSIRT: National Computer Security Incident Response Teams.
FICCI: Federation of Indian Chambers of Commerce and Industry.
ICERT: Indian Computer Emergency Response Team.
ICT: Information and Communications Technology.
MAIT: Manufacturers Association for Information Technology.
NASSCOM: National Association of Software and Services Companies.
NICNET: National Informatics Centre Network.
NNISCSG: National Network and Information Security Coordination Small Group.
OAS: Organization of American States.
PHD: Punjab, Haryana and Delhi Chambers of Commerce.
PLA: People’s Liberation Army.