National Security in Network Era

By Dr. Raj Mehta & Kamlesh Morarji

 (This article has been published in Deccan Herald, Bangalore in two parts in Edit Page on Nov. 7 and 8, 2002. I have sought release to be published in other newspapers, e-media and other forums)

A stand-alone computer is a useful tool. Its power is enhanced immeasurably when it is connected to other computers in a network, whether a private network (an intranet) or a public network (e.g. the Internet).

To organize and manage the complex society that we live in, computer networks are indispensable.

What flows over these networks is human knowledge. It is increasing at a pace never foreseen before in history. Commerce and almost all activities of our daily living rely on this knowledge. If our functioning has to be orderly, the integrity of the information becomes a central issue. Any unauthorized alteration of information has the potential to create chaos.

Among the security threats faced by present-day information-networked societies, a prominent one is information warfare.  Surprisingly, it is possible to seriously damage and even destroy communication networks and computer systems that are central to modern economies and their national defense.  In the extreme, the fabric that holds a nation together can be damaged to the extent that civil society becomes vulnerable to physical attack and destruction.

Consider the following hypothetical scenarios that are technically quite feasible:

  • Infrastructure failure (railways, telecom, airways, power grids).
    More and more of Indian infrastructure is relying on computers and networks to provide basic services – e.g. rail travel, communication, travel by air and power and possibly many others. If these networks become inoperative then life as we know it today in modern India will come to a standstill, and law and order problems could result across the country.  With on-going privatization of the infrastructure sectors, relevant network security issues will increasingly pass beyond direct regulatory control.
  • Pension, LIC, PF and bank account beneficiary data alteration.
    Unfriendly elements get control of the computers and networks of these agencies and cause their data to be maliciously altered, thereby causing mass confusion and disruption of life and normal activities.   Banks for example could be most vulnerable to such attacks, more so as they expose themselves to the risks of Internet Banking.  Billions are known to have been lost by such frauds with banks overseas, even as they moved cautiously towards networked banking. 
  • Malicious alteration of data on revenue collection and claims.
    Computers and networks that hold important revenue data for various government departments and agencies could be compromised and maliciously altered without even being detected.  The resulting loss of revenue and the long, drawn-out litigations among people and between authorities and people would be unimaginable.  Such a failure would give rise to unwarranted disputes and turn them into bloody battles bringing unending suffering to citizens.
  • Immigration lapse.
    Imagine a group of terrorists approaching an Immigration desk at any port of entry in India. The immigration and security people who could intercept them rely on their computers that are networked with different International ports of entry in India and with India’s overseas Consular offices as well.  If the security of these computer databases were to be breached and information on such terrorists deleted or shielded even for a limited time, the terrorists would be allotted visas and would enter India without any agency being able to detect such an invasion.  Can you imagine what havoc this could cause?

 In India we are moving towards mass computerization of all of our activities. Any and all of the above scenarios are very much possible, because of:

  • A wide-spread lack of security-awareness, and
  • Some inherent problems with our computer and network hardware and software.

Prominent types of computer and network security breach are the following:

  • Security violation, that allows an external hacker to take control of critical servers and equipment.
    The use of foreign hardware/software constitutes a threat as there are in-built mechanisms (known as backdoors and doorbells) and components that can make the entire information on a computer or a network available to some agency of a foreign power.  For example, all the hardware/software imported from USA is known to contain features that will permit NSA (National Security Agency, the spy agency of USA) to control every computer and piece of hardware/software exported out of USA.
    ARE YOU AWARE that this is part of an agreement between the US Government and U.S. manufacturers, as a requirement to get an export permit granted?
  • Distributed Denial of service attack (DDoS).
    If any of the infrastructure computers or networks can be overwhelmed by someone with malicious intent, or routinely by someone wanting to use Internet from any of the computers, the whole of the subject service can be made inoperative by mass sending of information packets, made to appear as hardware failure.  Of course if such machines are connected to the internet, they are even more at risk.  This type of attack has happened to servers connected to parts of the global public network – internet, e.g. yahoo.com and others, who lost their service for several hours.
  • Exploiting inherent flaws (bugs) within hardware/software.
    Of course there are other types or means associated with and exploiting many technical errors (bugs) which are present in all computer and network hardware and software.  For any particular model or generation of hardware or software, such errors get discovered and corrected by the manufacturer or supplier only over a considerable period of time, measured in months or years, if at all.  Owing to the continual development and adoption of new hardware and software, this is an ever-present problem.

The above-stated instances are only the tip of the iceberg, the most glaring examples of how our security is being compromised.

The point I really want to drive home is that it is our responsibility to reduce our vulnerability to such threats.   We know there are unprincipled and criminal people and predatory and hostile countries that we have to deal with from time to time.   If we do suffer harm through computer security breaches and information warfare now and in the future, the fault lies with us for not being sufficiently vigilant to know what is going on even now, and in failing to take steps toward better security and privacy.

To deal with the threats to our computer networks (and hence to our way of life), a two-pronged strategy is outlined below. First, new laws must be enacted which will address the threats as we know and perceive them now. Second, a new initiative MUST be undertaken to educate every user connecting to the network (a neglected aspect of the present computer/network era) to use the computer/network safely; only then can any network ever be secured.

What can Parliamentarians do to help achieve preparedness against, and prevention of, such devastating calamities?   The following may comprise a tentative Computer/Network Security Agenda:

  1. Establish Advisory Committees that are receptive to hearing opinions and ideas of experts so as to function as a cohesive conduit between government agencies and well-meaning knowledgeable experts.  This will enable cautionary advice to be heard and awareness to be established at various levels.  It will further enable the nation to review and act upon nationalist issues in these areas.  Such Committees may be constituted as multi-disciplinary bodies and must include senior Parliamentarians, nominees from concerned ministries, Security, Intelligence and Defense agencies, and exponents of academic research as well.
  2. Legislate: mandate that for every hardware/software imported in the country, its vendor shall have to submit for examination the source code (human-readable listings) of any software coded with the equipment and of all proprietary software as well, without “gagging” (i.e. contractually preventing public disclosures of adverse findings of) the examiners. This is not unusual in present times. We won’t be the first ones to require this. Peru has already set the precedent for this. Mexico, Germany, Finland, Korea, Thailand, Philippines, France, Taiwan, China and some others are considering in some degree or the other such requirements.  There are even similar moves at the State level in California, USA.
  3. Move towards mandatory declarations (in a phased manner) for all business, trade, banking, infrastructure and industrial establishments who are networked to publicly disclose legally binding management assurances to the effect that adequate actions have been or will be taken within a definite time scale in order to achieve preparedness for better security against information warfare, whether by an actual nation or other entity.  And further make it well known that full audit and disclosure in this regard is on the agenda for being implemented in future.
  4. Mandate that compulsory public liability insurance be procured by all such establishments for meeting public liability claims arising from any adverse sufferings that could be caused as a result of their network security inadequacies.  A specialized cell to assess insurance claims as well as premium rates and rebates applicable to adequately complying establishments will surely induce better security implementation.
  5. Make it mandatory for all telecom and Internet service providers to embark on a mass communication program that will spread awareness amongst users of their services, and make them more knowledgeable to report risks, threats and violations.  Those who comply may be given rebates in license fees that will help in partly meeting the costs of such a mass communication exercise.
  6. Establish and keep upgrading security standards to be complied with for securing networks that are in use by public, government and business.
  7. Consider suitable amendments in policies for procuring imported telecom and network equipment, computer hardware and software.
  8. Develop indigenous hardware/software through a National Centre for Information Networks.

Finally it must be said that we do have some awareness in India about Network Security. There is a Government of India website devoted to this: http://www.itsecurity.gov.in, but unfortunately, it is a collection of material from US or other sources.   We don’t have something which is developed indigenously. There are courses organized by STQC-IT Services for system administrators and IT managers. From my perspective this is not nearly enough.

A Network or the Internet has to be viewed as a chain. Every link, especially people, is important.   As the adage goes, a chain is only as strong as its weakest link. So every computer on the network has to be as secure as any other and every person manning the computer has to be as knowledgeable as any network professional. Only then is true security possible.  Security awareness has to go down to every user who logs on to any network.

Traditionally, Switzerland was the secure neutral crossroads, strongly self-defended, but remaining the neutral meeting place for government and commerce. India is poised to take that same position in networking, but the strong self-defense must grow to the needs. The balance to keep international ties while establishing that growth is difficult, but not impossible. It will take will, work and wisdom -- a new acronym for WWW.

A dynamic policy for effective digital security in the new Internet Millennium can establish India as a global center for an International Network Economy. The cost of maintaining an effectively secure digital network infrastructure is lower than the cost of any remedial action, even when damages are comparatively small. Regions of the world that are prepared in this way will become a magnet for use of their infrastructure. India can become the Switzerland of the Network Age.

Here's India's greatest chance to become a world leader of an International Network Economy by creating the desired secured infrastructure. Let India not miss it!

About "The Authors"

Dr. Raj Mehta

Campaigner, scientist, author, online educator and exponent of the new media, the World Wide Web, Dr Mehta feels very few have a clue as to how to use it. Presently involved in "educating our legislators on aspects of Net and computer security", this 50 plus alumnus of Stanford University (worked with Nobel Laureate Dr. William Shockley), besides having worked for Raytheon, ITT Semiconductors and IBM R&D Labs in California, holds four basic patents related to transistor processing.  He has successfully conducted several corporate seminars at Hoechst Marion Roussel to introduce the Internet and Internet technology for corporate and personal use. He is the author of "Internet Users Guide For VSNL's Gateway Internet Access Services (GIAS)", published by Videsh Sanchar Nigam Ltd.; it led to the birth of India's first online voluntary virtual community to help Internet Users of India – TheGuide http://guide.vsnl.net.in
Email Address: rajm@stanfordalumni.org
&
Kamlesh Morarji
Email Address: kamlesh.nm1@gmail.com

 




Copyright © 1999-2002 Dr. Raj Mehta. All rights reserved.