Cyber Threats and Risk Mitigation

“The single biggest existential threat that’s out there, I think, is cyber.”

Michael Mullen

Introduction

Digital is the new paradigm. All facets of life today are being disrupted by digital technology, changing the way things were done or are being done. This disruption is all around us, in day to day life as well as complex organisations like business, industry or military. The two technologies i.e. Information Technology and Communication Technology have ushered in new efficiencies, new ways to do things and this change is continuous and exponential. In the Indian context, the ‘Digital India’ thrust of the Government has taken our country in a new direction at a previously unimagined pace. IRCTC, Cashless transactions,  E Governance, GSTN, E Banking, Bharat Net have all provided the means and reach to citizens and the Government to take up the task of development of our society, in an inclusive manner at a fast pace.

2. INTERNET and associated technologies have made it possible to disseminate information at the blink of the eye, re-engineer and control various processes, in every possible field. The society today has become heavily dependent on this digital infrastructure, the Cyber Space. It is the lifeline of economy and other structures of the society. If disrupted, the resultant mayhem would be catastrophic. Just imagine the chaos if the complete banking or transport or communication network is brought down, deliberately or due to a failure. All network and information infrastructure is planned with due backups catering for routine failure. However, there is a need to cater for disturbance caused by deliberate action.
3. Exploitation of cyberspace for degrading the digital civil and military infrastructure, poses a rapidly growing threat to national security of the country. Hence it’s necessary to analyse the trends in cyber threats, assess how these can impact the environment in Indian scenario and how to mitigate this threat. As per CERT India, one cyber attack was reported every 10 minutes in the first six months of 2017. As many as 27,482 cases were reported from January to June, higher than 2016 when it was one in every 12 minutes.

Cyber Threats to Society

4. Criminals have used the Internet to sell drugs, guns, ammunition, forgeries (passports, driving licences) and financial information (credit card information, bank account login details). Online marketplace ‘Silk Road’ set up in 2011 by Ross Ulbrickt aka ‘Dead Pirate Roberts’, did business worth $1.2 billion (in Bitcoins), had 957,909 registered users before it was shut down in 2013. Site anonymity was maintained by using TOR (The Onion Router) and using bitcoins (a digital currency) for transactions. Silk Road provided a platform for trading in :

• Narcotics and controlled substances.
• Malicious software.
• Unlawful services such as hacking into Facebook, Twitter, Emails, Tutorials for hacking ATMs, Contacts for guns, arms, fake currency.
• Pirated content, digital goods.
• Forged Documents.

5. Another example was ‘Dark Market’ which facilitated buying and selling of stolen financial information. Set up in 2008 by Renukanth Subramanium in London, it had 2500 members dealing in stolen credit card data, login credentials and equipment for financial crimes. It was taken down in 2010. These organisations were fully organised with corporate like structure having administrators, moderators, Receivers, Hackers/data thieves and users.
6. The two examples cited are living proof of availability of Cyber Crime as a Service (CCAAS) where sites or vendors are offering to buy – sell – hire – outsource all the sophisticated technologies of cyber threats. On the offer are:

• Specific hacker software.
• Secure Hosting.
• DDoS botnets.
• List of targets for Phishing schemes.
• Access to Critical Systems.
• Custom Virus development.
• Batches of credit card numbers.
• Zero day exploit exchanges. Cases where Administrators have zero day to fix the flaw, hence hackers have the maximum advantage.

7. Almost every part of daily life is becoming vulnerable as the dependence on digital technologies increases. Modern automobiles are totally driven by software, adopting the technology of ‘drive by wire’ wherein almost all functions are controlled by software. Many sensors and communications systems are integrated to make cars smart and the vehicle system can be configured and optimised using smart phones or laptops, making them vulnerable to hacking. Automotive cyber security researchers Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee in 2015, using the radio used in entertainment system. In May 2017, FBI arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California since 2014.
8. Attack on airline ground computer systems used for issuing flight plans can cause mayhem in the operations of airlines. Hacking of an airplane is possible by getting access to its satellite communication system through passenger WiFi and inflight infotainment system. There have been reported incidents of hacking of a plane in flight, causing it to climb by ‘overwriting’ code on thrust management computer. A cyber security consultant Chris Roberts told the FBI in May 2015 that he hacked into computer systems aboard airliners about 20 times and managed to control an aircraft engine during a flight.
9. The domain of Healthcare is also going through digital disruption. The diagnostics, sensors monitoring vital parameters, electronic medical records (EMR), telemedicine, all these systems are vulnerable to cyber threats. Some possibilities are:

• Remote manipulation of drug infusion pumps.
• Altering digital medical records.
• Restart/reboot critical equipment.
• Spoof blood tests / other diagnostics.
• Changing temperature settings in systems storing blood or drugs.
• Bluetooth enabled defibrillators or pacemakers could be made to deliver random shocks to a patient’s heart.

10. It is hard today to imagine life without WhatsApp, Google, Facebook, Amazon, Ola, Paytm, Netflix, et al. What most of us do not realise is that these services collect huge amount of data about users allowing them to understand each customer to improve their services and of course profits. This data of millions of Indians could be made available to enemy intelligence agencies who could find negative information about, say a policy maker and make her change a key decision. The location or movement of troops can be detected just based on location data change of service personnel. The possibilities of misuse of such data are endless.
11. The society is also facing the problem of addiction of younger generation to digital world and social media. Millennials or The Generation Y have grown up with these technologies and are vulnerable to exploitation by cyber criminals. ‘Blue Whale Game’ or ‘The Game of death’ claimed its first victim in India on 01 Aug 2017. The maker of the game Philipp Budeikin was convicted and sentenced to three years in jail in Russia. Using the ‘Dark web’, Budeikin played with the minds of impressionable young men and women inciting them to commit suicide. Child pornography, human trafficking, illegal money laundering and many more heinous crimes have been abetted through cyber technology.
12. Hackers are constantly looking for new ways to access data. Most recently, the way was as simple as a fish tank. The hackers attempted to acquire data from a North American casino by using an Internet-connected fish tank, according to a report released on 19 July 2017 by cyber security firm Darktrace. The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank. “Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data.” The report said 10 GB of data were sent out to a device in Finland. As more products with the ability to connect to the Internet become available (IoT – Internet of Things), opportunities for hackers to access data through outside-the-box ways have risen. Recently FBI warned parents about the privacy risks of toys connected to the Internet, which could help a hacker learn a child’s name, location and other personal information.

Cyber Threats in Military domain

13. Warfare has also been disrupted by this digital assault of technology. Technology has always been driven by the military and today all weapon systems and mechanics of warfare rely heavily on digital systems. Direct traditional warfare is changing into asymmetric warfare against traditional and non traditional enemies, where cyber space provides a very potent arena with its tremendous and quick reach. Shaping perceptions, disseminating information across borders at a lightening pace, technology is making it difficult to anticipate the character of future conflict. Technology is providing means which can offset conventional capability and bring victory without bloodshed.
14. The increased dependency on communica-tion and data networks, storage of information in cyber domain and its vulnerabilities, lack of mutual consent between countries on effective control of operations in cyber domain has brought in a new type of threat – Cyber warfare. Many countries and non state actors are conducting Cyber Espionage, Cyber Reconnaissance and are also involved in creating offensive Cyber Warfare capabilities. Cyber attacks and network intrusions, linked to nation states are being reported at an increased frequency. Major resources are being utilised on how to conduct Cyber Warfare rather than preventing it. There is lack of International dialogue and activity with respect to controlling cyberspace.
15. Exploitation of cyberspace for carrying out attacks on military infrastructure, government and financial institutions poses a rapidly growing threat to national security. Such attacks would more often than not be launched in peacetime by state or non state actors. Rather today, one must assume that most nations would be engaging in this form of warfare, all the time, as it has the advantage of :

• Attribution is difficult and attacker can choose timing, location and impact.
• Asymmetric tool ideal for nations with comparatively weaker conventional force to gain military advantage.
• Low cost and high impact option.
• Ideal option for non state actors.

16. All the major weapon systems are increasingly becoming digital as technology enables integration with sophisticated sensors, command and control systems for increased situational awareness, accuracy and lethality. Requirement of quick response, shortening of OODA loop requires automation and computer control of weapon systems. The increased dependence on digital technology brings in the element of cyber threats. The complex weapon systems with numerous components developed by different agencies, some using COTS technology, with millions of lines of code, are vulnerable to exploitation. Hidden bugs, trapdoors in software or hardware which could be triggered during war or at a chosen instant, cannot be ruled out.
17. Operation Orchard or ‘The Silent Strike’ was an Israeli airstrike on a suspected nuclear reactor in the Deir ez-Zor region of Syria, which occurred just after midnight on September 6, 2007. The attack denied by Israel, showcased its cyber warfare capabilities as Israeli electronic warfare (EW) systems took over Syria’s air defence systems, feeding them a false sky-picture for the entire period of time that the Israeli fighter jets needed to cross into Syria, bomb the target and return. The compromising of the air defence system could only have been possible if a cyber attack induced a false sky picture. It is also believed that Mossad hacked into the computer of a senior Syrian government official in 2005-6 and planted a Trojan horse which siphoned off files containing detailed plans, photos of the illicit nuclear facility.

Risk Mitigation

18. The threat of cyber attacks will always exist in both civil and military domains which imposes a grave risk. Systems and ideas have to be evolved to mitigate this risk. Vulnerability is a measure of ability to prevent a security incident. The current security system and procedures represent the active steps one has taken to reduce the vulnerability. Vulnerability is a dynamic concept. It changes whenever the environment, operations, personnel, business and/or systems change. Each time a substantive security-related change occurs in an area, one needs to reconsider the vulnerability in that area.  Hence continuous risk assessment would be needed in this domain.
19. Recognition of these threats and getting used to the idea that vulnerabilities exist is the first step. Most of us treat these scenarios as imaginary, something that happens to others. All victims of ransomeware like ‘Wanna Cry’ or ‘Petya’ realised the gravity of such an attack only after experiencing it. Most victims are not sure of unlocking their computers even if they pay the ransom. Essential components of defence such as Firewalls, Intrusion detection/prevention systems, Unified Threat Management systems, Encryption, Patch/Password management and Antivirus systems must be used. Maintaining air gap between Internet and internal networks, use of wired media and secure storage reduce the vulnerability to a great extent.
20. Hackers are trying so many ingenious ways to break into systems, that the government will have to get involved in regulating digital systems. The expected onslaught of Internet of Things (IoT) products in near future makes it imperative. Getting everything to go through Government approval, on the cyber front, will raise questions about privacy and bureaucratic control but it may be the bare minimum required to protect the users. How to do this globally – would be a real challenge. As for what people can do to protect themselves against these kinds of attacks, education and awareness would be the start point. Consumers will have to educate themselves about digital products and take advantage of offered protection features. Latest operating systems and software must be used and continuously updated.
21. Data being collected by various companies and organisations need to be regulated. Data protection laws are not enough. The issue of where data is resident needs attention. Data is protected under the laws of the land where it is stored. Most of the social media and e-commerce companies store this data in US where No protection is afforded to data of non US citizens. Private information of Indians must be stored in India. Currently Indian government agencies are at the mercy of foreign agencies to get the data of own citizens which is totally unacceptable from a security perspective. The access to such data must be governed by Indian laws. The next war may not be physical but in the Cyber space and Data will be a key weapon. A country needs to protect its resources and should not be at the mercy of foreign governments and companies.
22. The Armed forces face the following challenges:

• Induction of systems in a quick time frame to make up shortages without proper risk analysis will lead to disaster.  Proper analysis, appropriate GSQR and testing is necessary to mitigate these risks.
• Ensure proper testing of all systems being inducted. Since the defence forces import most of the weapon systems currently, some components of these systems could have a trojan implanted which could be triggered when required. Proper EMI/EMC testing would mitigate a large component of this risk and prevent a ‘Silent Strike’.
• Need to evolve effective response mechanism at organisational level to respond to day to day cyber attacks.
• Requirement of forming a cyber work force with requisite qualifications to handle emergent cyber threats.
• Synergy of effort at organisational level to develop best practices to handle cyber incidents.
• Plan and exercise Cyber Crisis Management at National and Defence Forces Level.

23. Some recommendations :

• Formulation of a National Cyber Security Policy. The release of the National Cyber Security Policy 2013 is an important step towards securing the Cyber space. The implementation of policies must be carried out in a time bound manner.
• Common communication infrastructure and agencies like ‘National Cyber Coordination Centre’ be established at national level for sharing and processing of information related to cyber threats.
• Define strategy at national level for conduct of cyber offensive activities and develop such capabilities.
• Proper laboratories with suitably trained manpower to conduct tests to check vulnerabilities, to keep pace with rapid technological changes and quickly support operational cyber-warriors with the latest upgrades, techniques and threats.
• Allocation of budget to enhance existing cyber capabilities both in defensive and offensive fields.

Conclusion

24. Cyberspace is increasingly becoming a place of risk and danger, vulnerable to hacks and threats. With today’s civilisation dependent on interconnected cyber systems to virtually operate most of the critical systems that make our daily lives easier, it is obvious that cyber warfare will be the choice for many governments and non state actors in future conflicts, especially those with limited access to expensive, conventional weapons of mass destruction. Hence it is imperative
    that this field be given due importance and both offensive and defensive capabilities acquired in a time bound manner.

“As the world is increasingly interconnected, everyone shares the

responsibility of securing cyberspace.” – Newton Lee

(Brig Subhash Katoch (Retd) is a highly technical professional with 37 years of comprehensive experience in military telecommunication technologies, data networks, cyber security, analytics, decision support systems, automation, database management, EMI/EMC testing and compliance. He holds a MBA from FMS, Delhi University, 2001; M.Phil. (Defence & Management), DAVV Indore, 2005; M.Sc. (Defence & Strategic Studies) Madras University, Chennai, 1993; M.Tech.(Computer science and Technology), IIT, Chennai, 1990.)

(This article is carried in the print edition of September-October 2017 issue of India Foundation Journal.)