Analysis, Observer Research Foundation , ORF Cyber Monitor , 17 March 2015
Original link is here
The Sony hack is a textbook example of the fog of cyberwar. The whole incident is a telling manifestation of the many aspects of cybersecurity: There is the allegation of a state-sponsored international incident by North Korea and the promise of a ‘proportional response’ by the United States of America. The Sony hack brings to mind the question of state behavior in cyberspace; the threat to business advancing public-private cooperation in combating such attacks; and the question of motive – an assault on the freedom of expression, as opposed to the more predictable motivations of theft, terrorism and war.
Other countries, including India, have observed the consequences with keen interest. This includes the disruptions in North Korea’s Internet connectivity that followed immediately after the attack was successfully attributed to the authoritarian North Korean state by the US. How does this episode play out against all the narratives built to understand and respond to cyber security threats?
At the outset, there are larger questions to consider.
The first is the fundamental understanding that access to the Internet is an essential feature of security; that without connectivity, the citizen is not plugged into the system, as he cannot engage digitally with either his fellow citizenry or the state. After all, security cannot be for security’s sake. It must be based on the premise that security infrastructure is to protect its people, its nation-state, its economic interests within its territory and globally. To this end, India’s ambitious ‘Digital India’ project, which has committed an investment of $21 billion with the stated ambition to secure lastmile connectivity and effective e-governance for every citizen, is only a partial response to the enormous challenges facing the Indian subcontinent in its digital endeavors.
The second question relates to the fundamental tension between development and security. This holds especially true for developing countries like India. They are witnessing rapid internet proliferation, a phenomenon that goes hand-in-hand with cheap devices with questionable security standards and a digitally naïve population susceptible to hackers, thieves and phishers alike. They will be susceptible to sophisticated attacks as well, as they build up their capacity. The inevitably linked trilemma of security, privacy and surveillance, in the face of complex challenges has raised many-layered problems in need of examination. Finding a balance between surveillance and privacy in order to secure citizens without infringing their rights is the order of the day. But countries are struggling to achieve this equilibrium.
Most recently, the UK – to the horror of privacy activists everywhere – has come out in favor of banning encryption to intercept communications so as to ensure security more effectively. There is also the need for accountability of state intelligence agencies. They can quite easily infringe on citizens’ personal communications in their zeal to catch the bad guys. Therefore a strong mechanism needs to be put in place to ensure they are encouraged to act responsibly.
There is also a need for governments, private sector companies and civil society, including those fighting for individuals’ rights, to cooperate in creating robust cyber security frameworks. Key questions on the quality of interconnectivity and appropriate mechanisms for securing critical infrastructure have to be addressed. What are the costs of cyber security and how will they be shared? Who will define and how will we all agree to what is the optimal level of security in cyberspace? What is the role of the private sector in this regard? Governments cannot begin to understand the range, frequency and severity of the attacks on their countries unless critical infrastructure operators and private enterprises share this information with them. In many countries confidence building measures are necessary to develop this relationship.
Thirdly, given that attacks do not only originate from criminals and terrorists, an understanding – ‘norms’ – of state behavior in cyberspace need to be fleshed out. This could be done by way of universal multilateral agreements (desirable but unlikely) or by consensus between like-minded states who wish to set rules of engagement (less inclusive but more efficient). Countries also need to examine what can best be described as ‘unintended consequences’ of state behaviour. For example, the Stuxnet virus, which exploited a weakness in the Microsoft operating system, affected 18 percent of computers in Indonesia and 8 percent in India, causing these countries great financial loss as they had to upgrade their systems to counter the virus.
At the same time, no conversation about cyber security can be complete without addressing online terror. Online terror networks, aided by the multiplicity of communication networks over the Internet, have become a common cause of concern for individuals and states alike. This growing threat cannot be countered unless solutions that enable real-time information sharing between countries are developed. These questions – and more – were at the core of the debates at CyFy 2014 – the India conference on Internet Governance and Cyber Security hosted by the Observer Research Foundation. India’s Deputy National Security Advisor emphasized the importance of international norm-building and central role of the UN Group of Governmental Experts. He stated that “the Indian position on these issues will continue to evolve?”, adding that this group of experts “is a useful forum, but it should be made more representative.” India’s Minister of Communications and Information Technology echoed a similar thought at CyFy – “?this unhindered growth of networks of infected computers across the world – how do we propose to address this problem in the absence of global cyberspace norms to regulate and guide responsible behaviour in cyberspace?”
Which brings us back to the incident involving Sony, North Korea and the United States. It shines the torch on cyber security, state behavior, damages, responses and attacks on freedom of expression. Do we have a blueprint or a road map to respond to such developments? Maybe not – and therefore 2015 will be a vital year for finding common ground to keep the digital world secure.
(The author is Vice President and Senior Fellow at Observer Research Foundation, Delhi. This article originally appeared in The Security Times, a special edition of the Atlantic Times for the Munich Security Conference, February 2015.)