Event Reports
Published on Jan 17, 2014
Experts warn that while governments are getting better at managing cyber and internet threats, adversaries may go after private sector systems, in the absence of active public-private cooperation.
Cyber adversaries may go after private sector systems: Experts

While governments are getting better at managing cyber and internet threats, adversaries may go after private sector systems, in the absence of active public-private cooperation, experts have warned.

Participating in a roundtable discussion on "Debating Cyber Security and Internet Governance" at Observer Research Foundation on January 17, they pointed out that private sector systems have a critical bearing on the health of the (victim) nation, raising the question of how social systems as a whole, not just governmental infrastructure, can be protected.

The central theme of the discussion was enhancing network protection and addressing governmental disagreements on internet governance. The current trends do not paint a bright picture, with the issue of government-led capacity lagging behind the unregulated cyber world being flagged.

The lack of a global consensus on the approach to cyber governance was attributed to the basic divergence between the two principal schools of interpretation. The liberal democratic paradigm emphasises the ‘protection of information networks’ against sabotage and unwarranted intrusion, whereas the authoritarian paradigm additionally focuses on ‘content management’, thus scrutinising content with an intention to regulate dissent or counter opinions. The issue, it was said, gets magnified when these diverging interpretations are sought to be pushed onto the global governance agenda. A concern was expressed that cyber parochialism and ‘cyber balkanization’ go against the very essence of a borderless information world, and would potentially disrupt the critical role played by the internet in socio-economic globalisation, thus creating massive distortions in markets and inter-state relations.

It was agreed that the functional capabilities of hardware and software are increasing exponentially. Cyber security capabilities have either not evolved bottom up or have tended to lag behind these technologies, or have failed to predict or register surges in the cyber space. An example is the Arab Spring. A cyber security expert, in 2005, could never have predicted the influence and usage of social media for such political upheaval, given that Facebook was still restricted to college campuses at the time and Twitter had not been invented.

Forecasting the dynamic evolution of these possibilities and assessing their possible impacts has become an increasingly complex task. This has generated a vicious circle, with several Middle Eastern and Asian governments exhibiting an increasing urge to monitor and censor information entering and leaving their territorial jurisdictions through the web media.

Concern was voiced over the frequency and capacity with which cyber attacks are increasingly being used as a state tool for achieving strategic objectives or tactical advantages, generally in a clandestine manner and through proxies posing as non-state actors. It was mentioned that the reality is that espionage has a long history - with states spying on each other, and also establishing systems for signalling, verification and declaration of intent and policy. Functionally, if the propensity to use clandestine strategies to dominate increases, it will be increasingly difficult to predict future scenarios.

While expressing relief that so far, cyber terrorist elements haven’t succeeded at any heavy impact attacks on banks, or been able to launder money, apprehensions were expressed that "the day isn’t far when they focus the nature of attacks and scale them up, not limiting them to enabling items but full-fledged vehicles of disruption." This was witnessed in the 26/11 Mumbai attacks when real time command and control systems were utilised to a level of sophistication that US Special Forces use. The scenario gets muddied further, with sundry unpredictable actors like ‘hacktivists’, petty cyber criminals and the proliferating cyber tools market.

Most of the participants at the discussion agreed that the US and India share common philosophical values - democratic liberalism and respect for fundamental human rights like the freedom of expression and information - and the room was confident about mutual efforts to enhance cooperation and better understanding on the imperative of institutionalised cyberspace governance through dialogue.

"Swing States" like India and Brazil need to facilitate a basic consensus on a cyber code of conduct and a paradigm on international cyber security and governance. At the same time, conservative states like China and Russia also need to be brought into the fold through enhanced cooperation.

The need to work jointly on the law enforcement and mutual legal assistance aspects was highlighted. With regard to the legal framework, some thought that states should come to an understanding that the Geneva and Hague Conventions, along with the essentials of the UN Charter - with laws relating to armed conflict - must apply to the cyber world, unambiguously, in letter and spirit. As for the need for a new, legally binding treaty, there was a view that there is no such urgency, provided the existing global frameworks and international laws are applied correctly.

The discussion also delved into the quest for finding an appropriate model for cyberspace governance, and agreed that a multi-stakeholder model was the best way forward. Non-governmental actors should play critical facilitative roles; these multi-stakeholder models can be based on the Organisation for the Prohibition of Chemical Weapons (OPCW), which would be more appropriate than a technology control regime akin to the Nuclear Non-Proliferation Treaty (NPT). It was also opined that despite the International Telecommunication Union (ITU) increasingly including the private sector, its framework is not designed for the advanced nature of the Internet Protocol (IP). It was thought that till a basic foundation has been created through greater understanding, governments must strive to progressively make their national cyber governance structures more inclusive in terms of stakeholder representation and real time and strategic information cooperation. This would build the preparedness and resilience of critical information infrastructure systems against sabotage and unwarranted interference.

Participants agreed that certain outstanding challenges to future prospects had emerged - cyber jurisdictional issues creating conflicts between the national legal systems that cyber players are subjected to. These legal systems are naturally culturally influenced. Different countries must take on the challenges of monitoring posed by the massive connectivity proliferation due to the onset of Internet Protocol version 6 (IPv6), machine to machine connectivity and artificial intelligence aided automation. Hence, the key, it was stressed, was to bring about social empowerment and attitudinal maturity of individual users in warding off cyber threats and practising responsible internet behaviour - through consistent outreach and awareness building, while steadily enhancing structural capacities in monitoring and keeping potential threat actions at bay.

It was also mentioned that India has envisaged scaling up internet penetration from the current 15 per cent (of the population) to over 75 per cent in the next ten years. Millions of last mile operators would be seamlessly connected, with free content being the chief agent of inclusion, simultaneously administering critical platforms like ‘Aadhaar’ - the Unique Identification Authority of India (UIDAI)-administered service delivery modernisation programme. Despite the potential, emerging vulnerabilities pose a huge challenge.

(This report is prepared by Maulik Mavani, Research Intern, Observer Research Foundation, Delhi)

The views expressed above belong to the author(s).