Issues of cyber security might have come from the fringes to the centre of the threat calculus, but framing a coherent response has proved to be a difficult task. The vulnerabilities specific to software, hardware, applications and critical infrastructure are generic, and do not need recounting. The approaches of countries such as China and Russia have been analysed and commented upon in considerable detail. China is seen as an outlier that is exploiting the vulnerabilities to the maximum, to conduct a range of activities from cyber espionage to cyber harassment, on the basis of a stated policy to neutralise the advantages of countries it perceives as hostile to it; advantages that could be in terms of military and technological superiority, or even an open society. Russia has been criticised for a policy of tolerating the activities of cyber criminals and even utilising them for its purposes through its intelligence agencies, so long as their activities are not directed against the motherland. Recent trends indicate that what should have been the exception is increasingly becoming the norm. The absence of agreed norms of conduct in cyberspace and the scope for conducting a myriad range of malafide activities with limited risk of retribution is leading to both vertical and horizontal proliferation of such activities.
In most countries, de facto responsibility for cyber security is being vested with intelligence agencies for reasons of expediency; they have the necessary expertise and experience to deal with cyber security issues. These moves have potential long-term detrimental and destabilising effects. In the first instance, the mutual suspicion generated by such agencies across the entire spectrum of institutions, both within and outside national boundaries, makes the kind of co-operation required for cyber security very difficult, even when backed by political and administrative fiat. Recent reports that the National Security Agency (NSA), which is responsible for cyber security in the United States, is building massive complexes to capture, store, and analyse data flowing through the world’s networks would mean that the same agency would become the leading source of information insecurity. This, coupled with other news of private companies with global footprints such as Google entering into close collaboration with the NSA, will naturally create suspicions in other countries where these companies operate. Other issues being debated within the United States pertain to the NSA’s attempts to arrogate more powers of investigation, but the arguments against the granting of such powers are applicable universally.
Unless there is an international effort to work towards norms for cyberspace, the lawlessness that currently pervades will assume gargantuan proportions. The unhealthy dependence on intelligence agencies to manage cyberspace will lead to unholy alliances between these agencies and the lawless elements, almost out of necessity since the so-called “cyberwars” that break out every now and then are a numbers game. A comparison of the cyber wars in West Asia and South Asia would seem to bear this out, especially with regard to why such attacks have not crossed any red lines, despite threats to bring down the financial systems and so on. The near equivalence of hackers in the countries of South Asia would point to a low level form of deterrence in existence. Nearly all upswings in defacements and hacking, which normally follow a tit-for-tat pattern, have ended in truces being called by the hackers on various sides. The invisible hand of the intelligence agencies has been seen to be present wherever in the world patriotic hacking has taken place, and South Asia would be no exception. That there have not been any major incidents of hacking ascribed to hackers in the sub-continent despite the low levels of computer security would lead one to speculate that these agencies have had a restraining effect on such activities. That said, the scope for losing control is quite high, especially as more and more critical services go online and become potential targets.
One of the biggest drawbacks to securing cyberspace in the Indian context is the lack of adequate data. Whatever data is available does not adequately convey the full picture, or worse, can be misleading. Skewed data also results in skewed priorities; the continued highlighting of website hackings leads to a great deal of time being spent on securing government websites, irrespective of their importance, at a time when greater attention should be paid to other facets of cyber security such as securing critical infrastructure or auditing the cyber security preparedness of companies in critical sectors. To illustrate, according to the annual report of the National Crime Records Bureau, cyber-related crimes were a mere 1,322 in 2010, making up 0.19 per cent of all crimes in the country. At the same time, according to figures from the Reserve Bank of India as recently reported to Parliament, the total amount involved in cases of financial fraud over the Internet in 2011 was Rs.787.39 lakh or US $1.6 million. And finally, according to the Computer Emergency Response Team-India (CERT-In), 13,301 security incidents were reported to it in 2011. While these indices have been monitored over the past few years and provide a general idea of the upward trend in cyber-related incidents, they do not lend themselves easily to further analysis in the absence of more detailed data. For instance, in the case of financial fraud, it would be useful to know whether these were perpetrated by exploiting technical vulnerabilities or through other means such as social engineering, or by a combination of the two. The absence of more precise figures creates an information gap between the various stakeholders, be it the government, the various service providers primarily in the private sector, and the end users of these services. Much of the data lies with different organisations and is not available in the public domain. With cyber infrastructure and data largely in the hands of the private sector, there needs to be much more by way of standardisation and sharing of data between the government and the private critical information infrastructure companies such as the Internet Service Providers.
These issues highlight the complex and inter-connected challenges in cyber security, and demonstrate how the short sighted approach towards these challenges is taking us further away from the oft-vaunted goals of an open, secure and stable cyberspace.