Dr Cherian Samuel is a Research Fellow (SS) at Manohar Parrikar Institute for Defence Studies and Analyses, New Delhi. Click here for detailed profile.
The first decade of the 21st century has seen a virtual explosion in internet usage. This spectacular growth, while a testimony to the Internet’s utility in a variety of activities ranging from commerce to communication and from navigation to social networking, has also made it the target of actors ranging from criminals looking to explore the vulnerabilities of the network to make money, to governments intent on controlling the dissemination of information and clamping down on political expression. This is beginning to result in governments working at cross-purposes when it comes to maintaining the security and stability of the Internet. The fact that the internet is characterized by blurred boundaries, with no clear demarcations between civilian and military, state and non-state, and foreign and domestic as in other domains, coupled with its existing vulnerabilities has led to unhealthy trends, which, if not addressed adequately, could pose severe problems.
If the decade began with 360 million Internet users worldwide, it ended with over 1.7 billion, a growth of 380 per cent. Internet users from India approximately number 81 million, with more users expected to connect in the coming years as internet access increasingly shifts to mobile phones. (While over 100 million GPRS enabled phones have been sold in India, there are only 7 million broadband connections). Despite the low numbers in relation to the population, Indians have been active users of the Internet across various segments. The two top email providers, Gmail and Yahoo, had over 34 million users registered from India. Similar figures were also seen in social networking, where Orkut was the leading site with 16 million users followed by Facebook with 8 million. The rapid pace of adaption to the Internet is underscored by the fact that the Indian Railways, India’s top e-commerce retailer, saw its online sales go up from 19 million tickets in 2008 to 44 million tickets in 2009, a growth of 130 per cent. This represented a value of Rs. 3800 crore ($875 million).
Growing online activity has resulted in increasing instances of online fraud. While internet fraud is on the rise, cyber laws have proved to be ineffective in the face of the complex issues thrown up by Internet. As a case in point, though the cyber-crimes unit of the Bangalore Police receives over 200 complaints every year, statistics show that only 10 per cent have been solved and a majority of these are yet to be even tried in the courts. The cases that did reach the courts are yet to reach a verdict since the perpetrators usually reside in third countries. Even though the Indian IT Act 2000 confers extra-territorial jurisdiction on Indian courts and empowers them to take cognizance of offences committed outside India even by foreign nationals provided “that such offence involves a computer, computer system or computer network located in India,” this has so far existed only on paper.
A second related phenomenon has been the increasing use of the Internet by state and non-state actors to engage in what almost amounts to a virtual war by way of attacks on critical internet infrastructure such as those of public utilities and banks, and attempts to infiltrate the networks of key governmental departments. As information becomes the currency of the 21st century, and computers the banks that hold this information, albeit with very little of the security that one associates with banks, they have become irresistible targets for state and non-state entities. The nature of digital information is such that once the defences of a system or network are breached, the digital information contained therein can a) be retrieved, b) altered, or c) watched for changes. Information security is assured only when the principles of confidentiality, integrity and accessibility are maintained. This applies as much to systems and networks maintained by governments, militaries, and commercial entities, as it does to that of individuals.
In the recent past, the governments of the United Kingdom, the United States, France, Belgium, Germany, and India have publicly stated that their systems and networks have been infiltrated. A number of reports have pointed to a state-criminal network-hacker nexus. Criminal networks have, over the years, professionalized the business of discovering and exploiting weaknesses in software that allow them to undertake a variety of actions ranging from taking control of those computers, accessing information on those computers or rendering them unusable. Whilst hackers provide the technical expertise, existing international criminal networks have learnt how to squeeze the maximum out of these compromised computers, and have turnovers estimated in the billions of dollars.
Whilst this would remain at the level of criminal activity, it has acquired dangerous proportions and impinges on national security when a state-criminal network-hacker nexus builds up. There is enough circumstantial evidence to show that some states have turned a blind eye to cyber-space centred criminal and illegal activities, perceiving certain advantages to be had from building up such a capacity. States have the same advantages as criminal networks in undertaking actions in cyber-space. These include: the ease of expanding geographic reach to cover virtually the entire world at negligible cost in terms of scaling up; the difficulties with attribution and the concomitant advantage of deniability leading to the inability of the target state to frame a suitable response; and the increasing number of “e-ready” targets. All these factors were seen at work during the cyber attacks on Estonia and Georgia in 2008 where further investigations have failed to prove the provenance of the attackers. Such identification has proved difficult even when agencies have co-operated as in the recent email hacking case (which almost derailed the Conference on Climate Change in Copenhagen) commonly referred to as “Climategate.” The digital trail led to Russia and the Russian Secret Service (FSB) was accused of paying hackers to break into the computers of scientists and retrieve their emails. Stung by this accusation, the FSB provided evidence to investigators that the trail continued to a computer email server in Malaysia from whence the trail went cold again though fingers are now being pointed at China.
A third phenomenon has been the use of the Internet by political dissenters for a variety of purposes including for the dissemination of information, orchestrating meetings, and publicity. Governments that do not tolerate dissent such as those of Russia, China and Iran have responded with censorship, curbing access both within and without, and have also used the same medium to keep tabs on dissenters. These governments have been proactive in attempting to control their internet space, primarily through national technical means, including monitoring and censorship. Opposition activists in Iran, for instance, have made effective use of Twitter and Facebook as part of their campaign. The government, on the other hand, has used the same media to crack down on opposition activists. The Chinese government’s tight control over Internet connectivity and the reported deployment of over 30,000 “net nannies” has resulted in a vastly different and highly sanitized internet experience for a Chinese resident than what obtains in the rest of the world.
These conflicting perspectives and approaches to the Internet have resulted in a virtual gridlock when it comes to moving forward on getting a basic international framework in place. As a case in point, Russia has for long been pressing for a cyberspace treaty with the United States on the lines of the Chemical Weapons Treaty and focusing on constraining the military uses of cyberspace. The United States has been resisting this approach and instead wants to focus on the criminalization of cyberspace, arguing that a law enforcement approach was more important considering the imminent threats. Both sides are suspicious of the other’s intentions; while the Americans feel that a treaty approach would legitimize censorship of the Internet and increased governmental oversight would facilitate greater control by authoritarian regimes, the Russians do not favour the law and order approach since they feel that it would infringe on their sovereignty. Consequently, though a member of the 47 nation Council of Europe, Russia is the only major state (along with Turkey) that has neither signed nor ratified the Council of Europe Convention on Cybercrime since it allows for cross-country investigation of cybercrimes without the necessity of first getting approval from the governments concerned. Currently, the Convention is the only legal document dealing with the issue. Non-European states that have signed the Convention include Canada, Japan, the United States and South Africa; and other countries including India have been repeatedly pressed to join the Convention. The Convention itself has been flayed by public interest groups for violating fundamental human rights, impinging on privacy and giving undue powers to governments. All this only serves to underscore the fine line that governments have to walk between maintaining the openness of the Internet and ensuring the security of its users.
Internet at the Crossroads
More from the author
The first decade of the 21st century has seen a virtual explosion in internet usage. This spectacular growth, while a testimony to the Internet’s utility in a variety of activities ranging from commerce to communication and from navigation to social networking, has also made it the target of actors ranging from criminals looking to explore the vulnerabilities of the network to make money, to governments intent on controlling the dissemination of information and clamping down on political expression. This is beginning to result in governments working at cross-purposes when it comes to maintaining the security and stability of the Internet. The fact that the internet is characterized by blurred boundaries, with no clear demarcations between civilian and military, state and non-state, and foreign and domestic as in other domains, coupled with its existing vulnerabilities has led to unhealthy trends, which, if not addressed adequately, could pose severe problems.
If the decade began with 360 million Internet users worldwide, it ended with over 1.7 billion, a growth of 380 per cent. Internet users from India approximately number 81 million, with more users expected to connect in the coming years as internet access increasingly shifts to mobile phones. (While over 100 million GPRS enabled phones have been sold in India, there are only 7 million broadband connections). Despite the low numbers in relation to the population, Indians have been active users of the Internet across various segments. The two top email providers, Gmail and Yahoo, had over 34 million users registered from India. Similar figures were also seen in social networking, where Orkut was the leading site with 16 million users followed by Facebook with 8 million. The rapid pace of adaption to the Internet is underscored by the fact that the Indian Railways, India’s top e-commerce retailer, saw its online sales go up from 19 million tickets in 2008 to 44 million tickets in 2009, a growth of 130 per cent. This represented a value of Rs. 3800 crore ($875 million).
Growing online activity has resulted in increasing instances of online fraud. While internet fraud is on the rise, cyber laws have proved to be ineffective in the face of the complex issues thrown up by Internet. As a case in point, though the cyber-crimes unit of the Bangalore Police receives over 200 complaints every year, statistics show that only 10 per cent have been solved and a majority of these are yet to be even tried in the courts. The cases that did reach the courts are yet to reach a verdict since the perpetrators usually reside in third countries. Even though the Indian IT Act 2000 confers extra-territorial jurisdiction on Indian courts and empowers them to take cognizance of offences committed outside India even by foreign nationals provided “that such offence involves a computer, computer system or computer network located in India,” this has so far existed only on paper.
A second related phenomenon has been the increasing use of the Internet by state and non-state actors to engage in what almost amounts to a virtual war by way of attacks on critical internet infrastructure such as those of public utilities and banks, and attempts to infiltrate the networks of key governmental departments. As information becomes the currency of the 21st century, and computers the banks that hold this information, albeit with very little of the security that one associates with banks, they have become irresistible targets for state and non-state entities. The nature of digital information is such that once the defences of a system or network are breached, the digital information contained therein can a) be retrieved, b) altered, or c) watched for changes. Information security is assured only when the principles of confidentiality, integrity and accessibility are maintained. This applies as much to systems and networks maintained by governments, militaries, and commercial entities, as it does to that of individuals.
In the recent past, the governments of the United Kingdom, the United States, France, Belgium, Germany, and India have publicly stated that their systems and networks have been infiltrated. A number of reports have pointed to a state-criminal network-hacker nexus. Criminal networks have, over the years, professionalized the business of discovering and exploiting weaknesses in software that allow them to undertake a variety of actions ranging from taking control of those computers, accessing information on those computers or rendering them unusable. Whilst hackers provide the technical expertise, existing international criminal networks have learnt how to squeeze the maximum out of these compromised computers, and have turnovers estimated in the billions of dollars.
Whilst this would remain at the level of criminal activity, it has acquired dangerous proportions and impinges on national security when a state-criminal network-hacker nexus builds up. There is enough circumstantial evidence to show that some states have turned a blind eye to cyber-space centred criminal and illegal activities, perceiving certain advantages to be had from building up such a capacity. States have the same advantages as criminal networks in undertaking actions in cyber-space. These include: the ease of expanding geographic reach to cover virtually the entire world at negligible cost in terms of scaling up; the difficulties with attribution and the concomitant advantage of deniability leading to the inability of the target state to frame a suitable response; and the increasing number of “e-ready” targets. All these factors were seen at work during the cyber attacks on Estonia and Georgia in 2008 where further investigations have failed to prove the provenance of the attackers. Such identification has proved difficult even when agencies have co-operated as in the recent email hacking case (which almost derailed the Conference on Climate Change in Copenhagen) commonly referred to as “Climategate.” The digital trail led to Russia and the Russian Secret Service (FSB) was accused of paying hackers to break into the computers of scientists and retrieve their emails. Stung by this accusation, the FSB provided evidence to investigators that the trail continued to a computer email server in Malaysia from whence the trail went cold again though fingers are now being pointed at China.
A third phenomenon has been the use of the Internet by political dissenters for a variety of purposes including for the dissemination of information, orchestrating meetings, and publicity. Governments that do not tolerate dissent such as those of Russia, China and Iran have responded with censorship, curbing access both within and without, and have also used the same medium to keep tabs on dissenters. These governments have been proactive in attempting to control their internet space, primarily through national technical means, including monitoring and censorship. Opposition activists in Iran, for instance, have made effective use of Twitter and Facebook as part of their campaign. The government, on the other hand, has used the same media to crack down on opposition activists. The Chinese government’s tight control over Internet connectivity and the reported deployment of over 30,000 “net nannies” has resulted in a vastly different and highly sanitized internet experience for a Chinese resident than what obtains in the rest of the world.
These conflicting perspectives and approaches to the Internet have resulted in a virtual gridlock when it comes to moving forward on getting a basic international framework in place. As a case in point, Russia has for long been pressing for a cyberspace treaty with the United States on the lines of the Chemical Weapons Treaty and focusing on constraining the military uses of cyberspace. The United States has been resisting this approach and instead wants to focus on the criminalization of cyberspace, arguing that a law enforcement approach was more important considering the imminent threats. Both sides are suspicious of the other’s intentions; while the Americans feel that a treaty approach would legitimize censorship of the Internet and increased governmental oversight would facilitate greater control by authoritarian regimes, the Russians do not favour the law and order approach since they feel that it would infringe on their sovereignty. Consequently, though a member of the 47 nation Council of Europe, Russia is the only major state (along with Turkey) that has neither signed nor ratified the Council of Europe Convention on Cybercrime since it allows for cross-country investigation of cybercrimes without the necessity of first getting approval from the governments concerned. Currently, the Convention is the only legal document dealing with the issue. Non-European states that have signed the Convention include Canada, Japan, the United States and South Africa; and other countries including India have been repeatedly pressed to join the Convention. The Convention itself has been flayed by public interest groups for violating fundamental human rights, impinging on privacy and giving undue powers to governments. All this only serves to underscore the fine line that governments have to walk between maintaining the openness of the Internet and ensuring the security of its users.
Related Publications