Cyberwarfare Will Threaten Two Things We Hold Dear—Freedom and the Internet

The increasing number of cyberattacks around the world is alarming and India ranks 33rd in the world when it comes to receiving web-borne threats. The article argues for a global framework to tackle cybercrime, with a mix of formal and informal agreements between states.

According to Kaspersky Lab, India ranks 33rd globally in the list of countries facing web-borne threats (New Indian Express 2018). Digital transactions in India could reach $1 trillion by 2025 (Indian Express 2018). In light of these figures, important steps must be taken to address cybersecurity challenges, in order to ensure a safe cyberspace for our citizens. The lack of skilled specialists in the field is proving to be a hindrance in our quest for a connected digital future. If we are to ascertain a digital future for the country and its people, we need to first address the issues pertaining to the lack of skilled specialists and develop an active, facilitative ecosystem that promotes innovation and advancement in the field of cybersecurity. Only then can we look at building a “Digital India” that brings people together, bridges divides, and facilitates financial inclusion of the underserved, underrepresented, and the unconnected.

The Risks

On 12 May 2017, the world witnessed one of the most devastating cyberattacks in history in the form of the WannaCry ransomware cryptoworm that affected 200,000 computers in 150 countries within a day of its emergence. More than 1.3 million computers were at risk (Jones 2017). India was among the four most-affected countries, probably due to the widespread use of Windows XP, one of the most vulnerable operating systems (Goswami 2017). Quick Heal Technologies, a cybersecurity firm, said that it had detected over 48,000 WannaCry attack attempts in India, with 60% of them aimed at enterprises (Nair 2017).

The WannaCry ransomware supposedly used a flaw in Microsoft’s software that was initially discovered and used by the National Security Agency (NSA) of the United States (McGoogan et al 2017). A similar malware called Petya affected thousands of computers across Europe in June 2017. While the virus shared numerous characteristics with the notorious WannaCry ransomware, it did not allow users to retrieve their data even after payments were made. This malware is what the experts call a “wiper,” specifically designed to wipe the entire data from computers (Kastrenakes 2017).

Though the ransomware attack was thwarted, the episode has left the entire world feeling uneasy and unsafe. It has raised numerous questions regarding cyberattacks, cybersecurity, and cyberwarfare that need quick but certain solutions, especially in terms of the role that nation states need to play in casting a new diplomatic order.

However, before trying to find solutions for these problems, it is important to understand what all these terms mean, their relevance to us, and the key emerging trends.

What is Cyberwarfare?

The Rand Corporation^[1] defines cyberwarfare as actions carried out by a nation state or an international organisation against another with the intention to damage information networks through computer viruses and other malware (RAND 2018). These attacks are perpetrated using malicious software, viruses, worms, and Trojan Horses. The perpetrator and the victim have to be recognised international entities for the attacks to be recognised as cyberwarfare. The key difference between cyberwarfare and actual warfare is that in the latter case, you can tell from where the bullets are coming. Cyberattacks are an outcome of the evolution of war—the shift from guns and cannons to keyboards and code.

A succinct definition of cyberwar was given by Clarke and Knake (2010), who described it as:

actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.

The apparent involvement of Russia in the United States (US) election in 2016 is seen as one of the most blatant acts of cyber aggression perpetrated by one nation against another. When the information systems of the Democratic National Committee were hacked, many in the US Congress had urged the Barack Obama administration to retaliate (Libicki 2016). While a retaliatory cyberattack was on the cards, an actual war with real weapons and casualties was not an unthinkable proposition. The US retaliated by increasing sanctions against Russia and by dismissing some Russian diplomats.

Cyberattacks are increasingly being used by nations as a precursor to war, or, in some cases, as a form of guerrilla warfare. Cyberattacks are not just the work of individuals but are increasingly being undertaken by groups backed by governments for a number of nefarious purposes, including shutting down crucial infrastructure. Eroding digital trust in a nation has severe financial as well as socio-economic costs attached to it.

There are a number of reasons behind countries indulging in cyberwarfare (Suciu 2014). Deniability and anonymity, along with the difficulty in tracing footprints, makes it a better tool for intelligence gathering and surveillance. It also allows for intimidation. There are differing views on cost, and some experts believe that cyberwarfare is not much cheaper than the actual arms race. The Obama administration had proposed a budget of $14 billion for cybersecurity initiatives for the year 2016 (Swarts 2015).

A recent list of predictions from the AT Kearney Global Business Policy Council for the year 2017 anticipated that at least one major economy would face a cyber-attack that would cripple its infrastructure (much like the attacks faced by the likes of Amazon, Twitter and PayPal) (Laudicina and Peterson 2016). Distributed denial of service (DDoS) attacks are increasingly being carried out by state-backed hackers, who were already dangerous before being recruited by their governments.

In an impressive feat of cyberwarfare, the Iranian nuclear facility in Natanz was targeted using a worm, Stuxnet, which entered its computer systems through the Windows operating systems and spread to the Siemens control systems. The worm, upon reaching its target, managed to sabotage the uranium-enrichment centrifuges, causing them to overheat, and (according to some unconfirmed reports) some of them to actually explode (Smith 2013). This was followed by attacks on banks in Lebanon using the Gauss virus. Personal computers all over the West Asia were targetted using the Mahdi virus and in Iranian government offices via the Wiper virus. The Russian anti-virus company, Kaspersky, identified similarities and patterns in the attacks and deduced that the attacks were led by the US and Israeli military forces (Smith 2013).

Since then, Iran has claimed to own a cyber arsenal of its own, while similar claims have also been made by Russia, North Korea, and China. Cyberweapons are here to stay and that is forcing governments across the world to strengthen cybersecurity and build their own weaponry. The aim is to strike back; but, this is not as easy as it sounds. Cyberattacks are highly conspicuous and take time to be identified and attributed to the perpetrators.

Trends in Cyberwarfare

The threat of a cyberwar is so real and imminent that many countries have recently begun augmenting and consolidating their cybersecurity preparedness and have started amassing cyber-arsenal as a cyber-deterrence measure. Hacking and cyber posturing have become political across the globe, which is an indication of universal interest in the subject. In the last few years, a lot of emphasis has been placed on protection against cyberattacks. The following are some of the latest trends that need attention and a careful cohesive response by states and businesses alike.

(i) Data manipulation: Data theft can turn into data manipulation when the integrity of the data is compromised. This can erode digital trust and deal substantial blows to the reputation of individuals and institutions that are targeted.

(ii) Consumer devices at risk: Consumer devices are easier to target due to low levels of cybersecurity and gatekeeping. Adware, ransomware, viruses, and other similar software can easily penetrate consumer devices en masse and create panic in addition to a loss of vast amounts of data.

(iii) Bolder attacks: With each success story, hackers become emboldened and more motivated, organising themselves in groups and disguising themselves as activists, e-commerce websites, and fraudulent dating websites. By passing through countries with limited cyber infrastructure and a high tolerance for cybercrime, hackers can stay anonymous and continue their operations.

(iv) Chain management: The director of the Federal Bureau of Investigation (FBI) famously remarked that there are only two kinds of companies that now exist: those that have been breached and those that will be breached (Mueller 2012). The attacks on large corporations, such as Target and Home Depot, were not individual upfront acts; the attackers also went after vendors and supplier systems (Smith 2014). Most small businesses see cybersecurity as a cost. Governments are now looking globally to incentivise businesses with greater levels of preparedness to reduce associated carrier costs.

(v) Smarter attackers: With each attack and each thwarted attempt, the attackers will keep looking for new, more resilient forms of attacks that will be more difficult to break down or thwart. Any breaches of systems will be more difficult to pick up or identify and even more difficult to beat.

(vi) Fourth-party attacks: As more and more third-party risks are being identified, the attacker trends continue to move outwards in the supply chain to include subcontractors, outsourcers, cloud service providers, and device manufacturers (Pescatore 2017).

(vii) Badness planting: Similar to ransomware, but more comprehensive in its implementation, is badness planting that does not introduce malware onto systems to encrypt data, but downloads onto corporate personal computers and servers to compromise critical information.

(viii) Sleeper hosts: Like organised terror outlets, attackers and state actors are creating sleeper cells in cyberwarfare where, despite breaching the security networks (like in the case of the Sony hack), the aggressors remain dormant for long periods of time—spying, replicating, multiplying, and then aiming for maximum damage.

(ix) Cyber risk insurance: Many corporations, organisations, and even individuals are now opting for cyber insurance to protect themselves from losses incurred due to breaches and information loss.

(x) Partner apps: Applications, which may have been given access by users or other larger apps, go rogue or misuse those ubiquitous privacy permissions for vast amounts of data mining, compromising user security and national security.

Cybersecurity and Cyberespionage

A comprehensive global framework for cyberwarfare would allow countries to tackle cybercrime, including state-sponsored organisations like the Shadow Brokers.

However, putting together a framework or even a legal locus standi is complicated. In the case of a diplomat carrying out espionage activities, the laws in most countries are clear. However, in the case of cyberespionage being done from another country, or a company executive helping a rival company, the laws are murky. It is difficult to ascertain or accuse anyone in the case of a cybercrime or even cyberwarfare as the identity of the attacker is not known in almost all cases (Chivvis and Dion-Schwarz 2017). Putting together an international convention is even tougher because the cyber dimension adds new and significant uncertainty to warfare. It is difficult both to prevent and react to, which then makes it difficult to form universal laws and rules regarding it.

The approach has to be a mix of formal and informal agreements between states, reducing the gap between open and secret diplomacy. Some countries like the US and Russia have put in place a “hotline”^[2] in order to manage a crisis situation which may arise from an ICT security incident. But even there, the response framework is far from a formal one and is more reactive in nature (Bjola and Coward 2016). Public vocalisation does force a greater diplomatic response, but it can also prevent states from proving their incorruptibility, thereby increasing the risk of antagonising relationships between states.^[3] The reputational costs for an attacker country could be kept in mind, forcing the country to crackdown atleast on individual attacks that are not state-backed.

According to the 2017 Cybersecurity Report by Cybersecurity Ventures (Morgan 2017), the use of unsuspecting citizens for acts of terror is increasing globally, and in countries with low levels of digital literacy, this is a real threat (Oriti 2017). With more and more countries increasing the usage of their cyber arsenal and investing heavily in cyberespionage and such warfare, it is clearly time to bring in a convention akin to the Geneva Convention. There is no equivalent convention for cyberwarfare at this time. On 21 November 2017 at the Global Conference on Cyber Space held in Delhi, the Global Commission on the Stability of Cyberspace issued a global call to protect at least the public core^[4] of the internet.

Without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.

Building even rough consensus on this principle/norm would require consistent long-term engagement.

India’s Take on Cybersecurity

Post WannaCry, the Indian government was forced into action, activating its "preparedness and response mechanism" whereby the Indian Computer Emergency Response Team (CERT-In) was instructed to gather all the information regarding the ransomware and all stakeholders in the public and private sector were contacted in order to have their systems patched as per the advisory issued by CERT-In (Economic Times 2017). After Narendra Modi’s visit to Berlin and Madrid in late 2017, India is all set to enter a cybersecurity partnership with both Germany and Spain. The main agendas of this partnership are to fight against cybercrime and cyber violence. India is currently in cybersecurity dialogues with around 15 nations. As of now, the function of identifying and neutralising cyberthreats rests with CERT-In. According to its website, it was established for “responding to computer security incidents as and when they occur” and also for collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents" (CERT-In 2018).

In a marked departure from the policies of the United Progressive Alliance (UPA) government, Ravi Shankar Prasad, then the union minister for communication and information technology^[5] announced during the Internet Corporation for Assigned Names and Numbers (ICANN) meeting in June 2015 that India would support a multi-stakeholder model^[6] of internet governance in line with the position of the US, the United Kingdom, and the European Union. Despite the declaration of the shift to a multilateral approach to support a multi-stakeholder model, cybersecurity has traditionally been carried out through “government to government” dialogues when sovereign issues are involved and multi-stakeholder dialogues have fructified only in technology and trade issues of cybersecurity and governance.

On 10 March 2018, the 49th raising day of the paramilitary forces, Home Minister Rajnath Singh, while addressing Central Industrial Security Force jawans, said that there was a lurking threat to the critical infrastructure of the country and that we had to be prepared for all eventualities (Economic Times 2018a). He opined that cybersecurity should not only be put in place, but also strengthened from time to time. He asked those in the power, rail, and nuclear energy sectors to conduct regular cybersecurity audits. Keeping this in mind, a new division for cybersecurity was established in the home ministry, besides the National Critical Information Infrastructure Protection Centre at the federal level. The Union budget 2018–19 too comes with the announcement of a new centre of excellence for cyberspace to be established under the Department of Science and Technology (Economic Times 2018b). While these measures are a welcome step in the right direction, much more needs to be done. Two things that we hold dear are at stake: freedom and the internet.

Governments work well with the private sector, which is responsible for the infrastructure required to run the network, but other stakeholders like the media, academia and the civil society, can also enhance their contribution in nation building. The government, through initiatives like public consultations and work groups, expanded task forces, and citizen champions can benefit tremendously from deeper engagement and greater civic contribution. It is equally important to take these conversations to schools, universities, and campuses, and collaborate with parents, teachers, and law enforcement agents.

Notes

[1] Rand Corporation is an American non-profit global policy think tank created in 1948 by Douglas Aircraft Company to offer research and analysis to the United States Armed Forces.

[2] The hotline refers to a secure and direct voice communication line between cybersecurity departments in the two countries.

[3] China’s reputation was marred by the revelation of its GhostNet operations where the majority of the IPs were China-based. However, it could easily be explained by China having the largest internet base in the world.

[4] Elements of the public core include, among other things, internet routing, domain name system, certificates and trust, and communications cables.

[5] The Ministry of Communication and Information Technology was bifurcated into Ministry of Communications and Ministry of Electronics and Information Technology in July 2016.

[6] A multi-stakeholder model involves government bodies, private companies, international bodies, and the academia.

References

Bjola, Corneliu and Ashley Coward (2016): “Cyber-intelligence and Diplomacy: The Secret Link,” Secret Diplomacy: Concepts, Contexts and Cases, Corneliu Bjola and Stuart Murray (eds), London: Routledge.

CERT-In (2018): “Welcome to CERT-In,” Indian Computer Emergency Response Team, http://www.cert-in.org.in/.

Chivvis, Christopher S and Cynthia Dion-Schwarz (2017): “Why It's So Hard to Stop a Cyberattack — And Even Harder to Fight Back?” Rand Blog, 30 March, https://www.rand.org/blog/2017/03/why-its-so-hard-to-stop-a-cyberattack-and-even-harder.html.

Clarke, Richard A and Robert Knake (2010): Cyber War: The Next Threat to National Security and What to Do About It, New York: Harper Collins.

Economic Times (2017): “Ransomware Threat: Govt Activates Mechanism to Prevent Cyberattack,” 15 May, https://ciso.economictimes.indiatimes.com/news/ransomware-threat-govt-activates-mechanism-to-prevent-cyberattack/58678310.

Economic Times (2018a): “Strategic Installations Should Go for Regular Cyber-security Audits: Rajnath Singh,"10 March, https://economictimes.indiatimes.com/news/defence/strategic-installations-should-go-for-regular-cyber-security-audits-rajnath-singh/articleshow/63247363.cms.

Economic Times (2018b): “Budget Proposes Up To 17% Hike for Science Ministries, Depts,” 1 February, https://economictimes.indiatimes.com/news/economy/finance/budget-proposes-up-to-17-hike-for-science-ministries-depts/articleshow/62746126.cms.

Goswami, Dev (2017): “WannaCry Ransomware Cyber Attack: 104 Countries Hit, India Among Worst Affected, US NSA Attracts Criticism,” India Today, 14 May, http://indiatoday.intoday.in/story/wanna-cry-ransomware-attack-104-countries-hit-nsa-criticised/1/953338.html.

Indian Express (2018): “Annual Digital Transactions in India Could Reach $1 Trillion By 2025: Report,” 13 March, http://indianexpress.com/article/technology/tech-news-technology/annual-digital-transactions-in-india-could-reach-1-trillion-by-2025-report-5096354/.

Jones, Sam (2017): “Global Alert to Prepare for Fresh Cyber-attacks,” Financial Times, 14 May, https://www.ft.com/content/bb4dda38-389f-11e7-821a-6027b8a20f23.

Kastrenakes, Jacob (2017): “Petya Virus Is Something Worse than Ransomware, New Analysis Shows,” Verge, 28 June, https://www.theverge.com/2017/6/28/15887496/petya-virus-not-actually-ransomware-analysis-shows.

Laudicina, Paul and Erik Peterson (2016): "Year-ahead Predictions 2017: Ten Significant Global Events that Will Occur and Trends Will Gains Strength in the Coming Year," ATKearney Global Business Policy Council, http://www.atkearney.in/documents/10192/9960319/Year+Ahead+Predictions+2017-GBPC.pdf/16b2c5d7-6e5b-477a-9de3-f74cb6e0451c.

Libicki, Martin C (2016): “Checklist for a US–Russia Cyberwar,” Rand Blog, Rand Corporation, https://www.rand.org/blog/2016/10/checklist-for-a-us-russia-cyberwar.html.

McGoogan, Cara, James Titcomb and Charlotte Krol (2017): “What Is WannaCry and How Does Ransomware Work?” Telegraph, 18 May, http://www.telegraph.co.uk/technology/0/ransomware-does-work/.

Morgan, Steve (2017): 2017 Cybercrime Report, Cybersecurity Ventures, https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf.

Mueller, Robert S (2012): “Speech at the RSA Cyber Security Conference in San Francisco, CA,” Federal Bureau of Investigation, 1 March, https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.

Nair, Geeta (2017): “WannaCry Ransomware Outbreak: 48,000 Attempts in India, Says Quick Heal,” Financial Express, 17 May, http://www.financialexpress.com/industry/technology/wannacry-ransomware-outbreak-48000-attempts-in-india-says-quick-heal/672147/.

New Indian Express (2018): “India Placed 33rd Worldwide in Web-borne Threats: Kaspersky,” 12 March, http://www.newindianexpress.com/nation/2018/mar/12/india-placed-33rd-worldwide-in-web-borne-threats-kaspersky-1785955.html.

Oriti, Thomas (2017): “Cyberterrorists Targeting Healthcare Systems, Critical Infrastructure,” ABC News, 23 October, http://www.abc.net.au/news/2017-10-23/forget-explosives,-terrorists-are-coming-after-cyber-systems/9076786.

Pescatore, John (2017): “Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017,” SANS Whitepaper, SANS Institute Reading Room, https://www.sans.org/reading-room/whitepapers/analyst/cyber-security-trends-aiming-target-increase-security-2017-37702.

Rand (2018): Cyber Warfare, Rand Corporation, https://www.rand.org/topics/cyber-warfare.html.

Shane Scott, Nicole Perloth, and David E. Sanger (2017): “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core,” New York Times, 12 November, https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html.

Smith, Dan (2013): “Cyber Warfare and the New Age Battleground,” Telegraph, 9 August, http://www.telegraph.co.uk/sponsored/technology/technology-trends/10231677/cyber-warfare-what-is.html.

Smith, Gerry (2014): “Home Depot Admits 56 Million Payment Cards at Risk after Cyber Attack,” Huffington Post, 19 September, https://www.huffingtonpost.in/entry/home-depot-hack_n_5845378.

Suciu, Peter (2014): “Why Cyber Warfare Is So Attractive to Small Nations,” Fortune, December 21, http://fortune.com/2014/12/21/why-cyber-warfare-is-so-attractive-to-small-nations/.

Swarts, Phillip (2015): “Obama Budget Dedicates $14B to Cybersecurity,” Washington Times, 2 February, https://www.washingtontimes.com/news/2015/feb/2/obama-budget-dedicates-14b-to-cybersecurity/.

Symantec Security Response (2017): “What You Need to Know About the Wannacry Ransomware,” Symantec, https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack.