Pic courtesy : Wikiality.com
Ever since I started reading up on InfoWar and gained an understanding of cyberspace from a military dimension, I have invariably wondered what makes the vast bureaucracies of the West and China manage and enforce the continuity in policy that would be needed to build and hand-hold the rise of their ICT industries. Why, in spite of promising starts, is the Indian system unable to get its act together? Is it wrong strategy? Or is it key personnel at crucial appointments getting compromised?
I am an unabashed admirer of American chutzpah and enterprise. Microsoft, Apple, IBM, Google, Cisco etc. are icons which I would like our nationals to emulate and surpass. Indeed they have not only given a large number of our countrymen employment opportunities, but truly helped the information revolution. But I would definitely like to keep them at arm’s length as far as national security is concerned, in the same way I would not want the British Empire back in spite of its having introduced many revolutions like the Railways and Telegraph.
Now, this is another paper that I authored more than 3 years back to make the powers that be understand what it takes to secure cyberspace. Lots of people have hailed it, appreciated it and approved of it, and some true nationalists have in their small way tried to enforce it. I have asked many experts if there is any other way to enforce cyber security in our critical infrastructure; they have been unanimous that there is no other way. The Govt has also taken out a policy favouring FOSS adoption. But.. 🙂 We wait..
War can be defined as a tool of coercive foreign policy, and in the modern era, where nation states compete primarily for economic advantage, Information and Communication Technologies (ICT) assume strategic significance. The USA, the world leader in innovation in this field and the original proponent of the concept of Information Warfare, today controls much of the world's information repositories through its giant MNCs, and has been successful in shaping the thinking of a majority of the global population, where the free flow of data has been equated with freedom of expression and ideas.
The hollowness of this equation was exposed by the Snowden revelations and recognized in October 2015 by the Court of Justice of the European Union, which in a landmark judgment (Schrems v Data Protection Commissioner) struck down the 'Safe Harbor' decision that had been used to transfer personal data from the EU to the USA. This has profound implications worldwide, because a clear line has now been drawn between freedom of speech and ideas on one side and personal data on the other. During the Cold War era, battles were fought with traditional resources, and the fortunes of war tilted in favor of the armed forces with the largest conventional assets: number of soldiers, aircraft, naval ships, nuclear deterrents and so on. In the Information Age, although traditional means of power projection are still relevant, the advantage belongs to the nations that can effectively gather and process huge volumes of data to give themselves a competitive edge in every sphere, be it military, diplomacy or trade.
Before the Information Era, intelligence efforts were mostly based on human operatives and cyber intelligence budgets were minuscule. As we head into 2016, that is no longer the case. Cyber warfare and cyber defense capabilities are now a key resource of most modern military establishments and are used for both defensive and offensive strategies. Information Warfare, a term coined by the Americans, now plays a crucial role in determining the outcome of battles even before traditional assets are deployed on the front. In the last couple of years we have seen increasing evidence of how this new mode of battle is fought. The best-known example is Stuxnet, widely attributed to the United States, which set back Iran's uranium enrichment program by sabotaging the Siemens programmable logic controllers that drove the centrifuges at Natanz. The facility's control network was not connected to the Internet; the worm was carried in on infected USB media and then spread and acted on its own, so no operator had to be present when the damage was done. While this was a dramatic example of cyber warfare, there are more mundane yet equally damaging cases every day, where the lack of proper cyber defense capabilities leads to theft of sensitive data and compromise of key systems, leaving a country vulnerable over time.
All major pillars of the economy and critical strategic assets of a modern nation state, the telecommunication networks, banking, the stock market, the railway network, the power sector, the defense forces and so on, depend on effective cyber defense capabilities. However, the Snowden revelations about the surveillance carried out by the USA and its allies (the Five Eyes) have shown that the cyber defense capabilities of most countries are largely ineffective against nationally orchestrated Information Warfare.
Cyber Warfare – the Industry Nexus:
A review of the cyber security compromises reported across government establishments worldwide in the last two years shows that the source of the vulnerabilities was compromised IT resources such as:-
- Hardware – personal computers, servers, smart phones, authentication hardware such as biometric systems and RSA SecurID tokens (whose seed records were stolen from RSA in 2011), and other computer equipment
- Networks – firewalls, VPN concentrators, routers and other network equipment.
- Software and software services – Windows, Mac OS X, BlackBerry OS, Android, Symbian and iOS on mobile phones, web sites, social networks, email systems, messaging services, cryptographic libraries and standards etc.
The common factor across all of the above is the same: closed-source hardware, firmware or software from large OEMs, whose behavior the buyer cannot inspect and into which backdoors or deliberately weakened components can be introduced. A look at the budgets of some military establishments reveals that a large part is earmarked for investing in, or influencing, the big industry players who supply hardware, networks and software to governments, consumers and corporates across the world.
The intimate relationship between the IT giants and the military establishments of the West and China, as corroborated by reports such as the Snowden revelations, has shaken the very foundation of cyberspace and the global ICT industry. We now find ourselves in a situation where the equipment and technology that supposedly protect our cyber frontiers are sabotaged by vulnerabilities built into them and used against us. The danger to national security from the big data stored on the server farms of the giant MNCs is only the tip of the iceberg. Another glimpse of what is to come was the case of RSA, the US authentication vendor. In September 2013 RSA advised customers to stop using the Dual_EC_DRBG random number generator that was the default in its BSAFE toolkit, after NIST withdrew its recommendation of that generator; in December 2013 Reuters reported that RSA had accepted a USD 10 million NSA contract to make it the default. RSA denied the Reuters account, but the practical effect is the same: a random number generator with a suspected NSA trapdoor sat underneath the keys and sessions of every product built on that library, and whoever holds the trapdoor can recover the generator's state and decrypt the communications, financial traffic included, that those products were meant to protect. Snowden documents also showed that even countries like Germany and Brazil were targets of such surveillance.
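To make concrete what a trapdoor in a random number generator buys its holder, here is an added example, not part of the original paper, of the Dual_EC_DRBG construction in miniature. It uses the secp256k1 curve parameters for arithmetic convenience (the standard specified NIST P-256 with fixed points P and Q whose origin was never explained), a constructed trapdoor scalar e and seed, and truncation of 8 bits instead of the standard's 16 so the brute force finishes quickly in pure Python. The recovery logic is the published attack: rebuild s*Q from one output, multiply by e to reach s*P, and the x-coordinate of that point is the next state, from which every later output follows. The same weakness is the reason the recommendations later in this paper say to avoid the affected RSA products.

```python
# Added example, not from the original article: the Dual_EC_DRBG trapdoor in
# miniature. secp256k1 parameters stand in for NIST P-256; the trapdoor scalar,
# the seed and TRUNC_BITS = 8 (the standard drops 16 bits) are constructed
# choices for this demo. Requires Python 3.8+ for pow(x, -1, p).

P_MOD = 2**256 - 2**32 - 977          # secp256k1 field prime, p = 3 (mod 4)
A, B = 0, 7                            # curve: y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
TRUNC_BITS = 8
KEEP_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << KEEP_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                        # R + (-R)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Return a curve point with x-coordinate x (either sign of y), or None."""
    if x >= P_MOD:
        return None
    rhs = (pow(x, 3, P_MOD) + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # modular sqrt, valid because p = 3 mod 4
    return (x, y) if y * y % P_MOD == rhs else None


def dual_ec_outputs(seed, P, Q, count):
    """Run the generator `count` times; returns (truncated outputs, final state)."""
    s, outs = seed, []
    for _ in range(count):
        s = ec_mul(s, P)[0]                 # s_i = x(s_{i-1} * P)
        r = ec_mul(s, Q)[0]                 # r_i = x(s_i * Q)
        outs.append(r & OUT_MASK)           # publish the low KEEP_BITS bits of r_i
    return outs, s


def recover_state(out1, out2, e, P, Q):
    """Attacker who knows e with P = e*Q. Guess the truncated bits of out1 to
    rebuild R = s_i*Q; then e*R = s_i*P, whose x-coordinate is the next state.
    The candidate is confirmed by predicting out2. The sign of y does not
    matter because x(e*R) == x(e*(-R))."""
    for hi in range(1 << TRUNC_BITS):
        R = lift_x((hi << KEEP_BITS) | out1)
        if R is None:
            continue                        # not a valid x-coordinate
        s_next = ec_mul(e, R)[0]
        if (ec_mul(s_next, Q)[0] & OUT_MASK) == out2:
            return s_next
    return None


def run_attack():
    """Constructed scenario: from two outputs the trapdoor holder recovers the
    state and predicts the next two outputs exactly."""
    e = 0x5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED  # trapdoor (constructed)
    Q = G
    P = ec_mul(e, Q)                        # published P hides the relation P = e*Q
    seed = 0xC0FFEE                         # victim's seed (constructed)
    outs, _ = dual_ec_outputs(seed, P, Q, 4)
    state = recover_state(outs[0], outs[1], e, P, Q)
    predicted = dual_ec_outputs(state, P, Q, 2)[0] if state is not None else []
    return {"observed": outs[2:], "predicted": predicted, "recovered": state is not None}


if __name__ == "__main__":
    result = run_attack()
    print("state recovered:", result["recovered"])
    print("next outputs predicted correctly:", result["observed"] == result["predicted"])
```

With 16 truncated bits the loop runs 65,536 candidates instead of 256, which is still a few minutes of work for anyone holding e and no obstacle at all for an agency; without e there is no known shortcut, which is exactly what makes a generator of this shape a trapdoor rather than a bug.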
Arriving at a Solution
The most obvious solution is to ensure that there are no backdoors or vulnerabilities in the hardware, network equipment or software used by key government establishments. At first glance the easiest route would be to have dedicated science or academic bodies funded purely to provide the systems that are critical to keeping the government's IT infrastructure running. However, as we have learned from our own experience and that of many governments worldwide, this approach has some critical drawbacks, enumerated below:-
End-to-end expertise: Government-funded or academic bodies can provide certain parts of the overall solution, but the scale involved in creating an entire solution spanning hardware, network and software makes it hard for any one such body to undertake.
Cost: It would be too expensive to fund the R&D involved in creating all of this technology from scratch, and that for government use alone. If instead an industry body capable of selling the same technology outside the government did this, economies of scale would come into play and the overall cost to the government would be much lower.
Attracting industry veterans who have implemented such systems in the West: The key element in creating robust systems is people, i.e. the engineers and product managers who were involved in, and trained by, the multinational companies that created the technology in the first place. Such talent is hard to attract to the government sector, but the largest pool of such manpower in the world is available in the Indian software sector.
Better adoption: Most IT technologies, software systems in particular, are built and refined iteratively through the experience of millions of users. This is part of why a leading operating system like Microsoft Windows is so popular and is able to keep up with the changing needs of its user base. It is hard to reach that level of maturity unless you are an industry body dealing with the needs of many users and carrying a rich feature roadmap.
The Solution – Collaboration between Industry Bodies and the Government/ Academia:
The above facts lead to the conclusion that the best path to creating such technologies, and to achieving scale and adoption across the government sector, is to engage one or more professional companies that are based in the national jurisdiction and collaborate well with the government. Such companies need to have the following characteristics:
Within the jurisdiction of the national legal system: To protect the interests of a nation, the primary condition for accepting a technology system should be that the supplying company is under the jurisdiction of the national legal system. This lets the government protect its interests and enforce security through the strong arm of the law.
The product should be open source based: The fundamental input to security is the source code, the "blueprint" behind the hardware (its firmware), the software, and the network devices (their firmware). Open source code is used by millions of people across the world, and community development makes the code base and the applications built on it auditable, which is what makes them more trustworthy. Linux and FreeBSD, for example, can be audited line by line because every bit of their code is freely available, which is not possible with Microsoft Windows. Two caveats apply. Availability of source does not remove bugs by itself: Heartbleed in OpenSSL and Shellshock in bash, both disclosed in 2014, sat for years in widely used open source code, so the audit and the patching still have to be funded and staffed. And what is audited must be what is deployed, so builds should be reproducible and every deployed binary traceable to the audited source.
Any proprietary code exceptions should be auditable: The vendor providing the open source based system may well write custom components that it does not license under open source terms. In that case it should be willing to provide such code for the government to examine and audit, together with a way to confirm that the shipped binaries were built from the code that was examined.
100% supported, feature rich and maintained: It is a common myth that open source technologies can simply be downloaded by a large enterprise or government organization and customized to suit its needs without additional overhead. While this is legally possible from a license point of view, the expertise and effort required to create a manageable, enterprise-grade solution out of open source components are considerable. Quite often the pieces available in the open source world are largely academic and give you a boilerplate to build on, but require extensive R&D and the stitching together of multiple open source projects before a standard end user gets a solution that conforms to all of the enterprise IT mandates. Such a product must additionally be put through rigorous security and scalability testing, and packaged in appropriate hardware such as appliances. So the requirement, when looking for an industry partner adept at open source, is someone who has experience delivering projects of this scale for large enterprises.
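Since the characteristics above rest on the code being auditable, here is an added example (not from the original paper) of the check that turns "the vendor gave us the source" into something enforceable: a manifest of the audited tree, a single digest over it that the auditor can sign and file, and a diff against the tree the vendor later delivers. File names and contents in demo() are constructed for illustration; the hypothetical delivered tree differs from the audited one by an altered PIN check, an extra telemetry file and a dropped test, and all three differences are reported.

```python
# Added example, not from the original article: an audit manifest that ties the
# source tree a reviewer examined to the tree a vendor later delivers. Any file
# added, removed or changed between the two shows up in the diff. The paths and
# file contents used in demo() are constructed.

import hashlib
import pathlib
import tempfile


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def manifest_digest(manifest):
    """One hash over the sorted manifest: the value the auditor signs and the
    value the deployer re-derives from whatever tree actually arrived."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{rel}\0{manifest[rel]}\n".encode())
    return h.hexdigest()


def diff_manifests(audited, delivered):
    """Classify paths as added, removed or modified relative to the audited tree."""
    return {
        "added": sorted(set(delivered) - set(audited)),
        "removed": sorted(set(audited) - set(delivered)),
        "modified": sorted(p for p in audited
                           if p in delivered and audited[p] != delivered[p]),
    }


def write_tree(root, files):
    """Demo helper: materialize {relative path: bytes} under root."""
    for rel, data in files.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Constructed scenario: the delivered tree carries a weakened PIN check,
    a new file that was never audited, and is missing a test."""
    audited_files = {
        "src/auth.c": b"int check_pin(const char *pin) { return strcmp(pin, stored) == 0; }\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "tests/test_auth.c": b"/* pin tests */\n",
    }
    delivered_files = {
        "src/auth.c": b'int check_pin(const char *pin) { return strcmp(pin, stored) == 0 || strcmp(pin, "0000") == 0; }\n',
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/telemetry.c": b"/* phones home */\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        audited_dir = pathlib.Path(tmp, "audited")
        delivered_dir = pathlib.Path(tmp, "delivered")
        write_tree(audited_dir, audited_files)
        write_tree(delivered_dir, delivered_files)
        audited = build_manifest(audited_dir)
        delivered = build_manifest(delivered_dir)
    return {
        "digest_matches": manifest_digest(audited) == manifest_digest(delivered),
        "diff": diff_manifests(audited, delivered),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the audited manifest digest is what the reviewer signs; the deployer rebuilds the manifest from the delivered tree (or, for reproducible builds, from the binaries) and refuses the delivery if the digest differs, then uses the diff to see exactly what changed.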
Validating the Open Source Strategy
The above strategy can be validated by looking at the hardware, network and software stacks adopted by the US or Chinese military establishments, who lead in both cyber warfare and cyber defense capabilities. For example, here is a broad picture of US military procurement:
• Hardware: Mostly American home-grown companies only, for example Dell, RSA for authentication tokens, Intel etc.
• Network: Mostly American home-grown companies only, for example Cisco routers.
• Software: Much of the server and embedded infrastructure critical to the functioning of the military runs on Linux, FreeBSD or Solaris UNIX based systems; Windows desktops remain in use, but are hardened to the configuration baselines (STIGs) published by the Defense Information Systems Agency. The enterprise management systems, such as endpoint management, are procured from US companies as well.
• Industry partners: While the US government has a sizeable budget for funding its own IT R&D, it depends on industry partners to customize and deploy open source products, with conditions such as:
- All such companies are US owned and fall within the jurisdiction of the US courts.
- All source code is shared with the US government.
- All personnel involved in the deployment are US nationals, and they sign a non-disclosure agreement that bars disclosing the details to non-US-national employees of the same company.
High Level Recommendation:
Below are high level recommendations on the various systems that are vulnerable to cyber attacks.
Hardware: This involves:
Computers: Personal computers, laptops etc., which carry a relatively low risk, can be sourced from an indigenous vendor. However, the operating system on these machines should be replaced with an open source based one from an indigenous vendor.
Smart phones: These should use a secure, open source based system, different from what the closed source vendors supply.
Biometric tokens, OTP devices: These should come from indigenous vendors and should avoid the compromised RSA product line, specifically the Dual_EC_DRBG generator that RSA shipped as the default in BSAFE and the SecurID tokens whose seed records were stolen in 2011. Note that the weakness lies in the random number generator and the seed handling, not in the RSA public-key algorithm itself, which remains sound when implemented with adequate key sizes and an untainted random source.
Network: This involves routers, firewalls and VPNs, which should be replaced with indigenous open source systems.
Single sign-on systems: These authentication systems are critical to accessing any system in the network and should be replaced with secure, auditable open source systems.
Communication: All incoming and outgoing communication should be encrypted using a protocol with no known inherent weakness, and every network device that relays it should be indigenous and open source based. This applies to routers, firewalls and VPN devices, and equally to phone messaging: SMS carries no end-to-end protection of its own and passes through the operator's core network in the clear, so sensitive messaging should move to an end-to-end encrypted protocol rather than rely on SMS.
Software: This involves:
Operating system: The operating system should be moved to Linux or FreeBSD builds that have been security tested and hardened against known classes of attack. The biggest sources of security weaknesses are typically Microsoft Windows systems.
Endpoint management systems: Anti-virus, configuration management, patch management, authentication management, security management and other additions to the base operating system run with high privilege on every machine and are therefore high-value targets. These should be replaced with open source systems.
Email, file transfer and web servers: These should be replaced with open source solutions incorporating end-to-end encryption. Note that TLS between servers only protects a message in transit between hops; end-to-end protection of email content needs client-side encryption such as OpenPGP or S/MIME.
The global ICT market will undergo a revolution post Snowden. The initial ripples can already be seen in the recently concluded BRICS conference, where Brazil, Russia and South Africa urged India to take the lead in building a new global ICT architecture based on open source technologies. This article gives a broad context for the techniques that can be used to bolster the cyber defense capabilities of a government organization. Specific recommendations in each of the above areas will vary with the nature of the organization and the complexity and type of the network involved. A vast global market exists for such expertise, and Indian companies can form partnerships in which they hold a minority stake and the majority is held by a chosen partner from the client nation. This will kick-start a revolution in trusted security networks.