Cyber attacks are not a security challenge that can easily be eliminated. No kind of infrastructure is absolutely impregnable, and the adverse impacts can at best be minimised by emphasising risk containment, according to experts.
This was among the key conclusions reached by participants at the panel discussion on "Benefits and Challenges of National Cyber Threat Information Sharing" at Observer Research Foundation, Delhi, on February 11.
It was opined that the structure of networks needs to be refined. In today’s cyberspace, information spreads almost unhindered through a flat environment. With a single compromise, malware tends to infiltrate the entire programme and in effect disrupts the entire network. Security experts recommend minimising this risk by segmenting information, building containers inside the network. These issues must be tackled as soon as possible: as the interconnectivity between products increases, the stakes rise, because critical systems such as pacemakers and insulin pumps will be connected to computers, clouds, etc.
The panellists applauded the timing of this conference, as PPD 21, the US government directive on how to handle critical information infrastructure, has just been published. Other countries have tried to enforce regulations on the same theme. However, according to the speakers, the costs of these requirements were not fully understood. As a result, the programmes were not fully successful. The Obama Administration has since learnt from these experiences and has established a private-public partnership, involving intelligence services, the Homeland Defence Security and the National Institute of Science and Technology. They have established a framework with the best practices and incentives to help industries adopt them. In addition, information on threats, such as fraudulent IP addresses, will be shared among all the actors.
Major companies or institutions have enough resources to secure their networks, according to participants. They can afford, for instance, to build redundancy into the systems, a process also known as a cross-domain solution. These solutions, however, have not yet migrated to mid-level companies like public-private partnership companies, for example power or water providers. Though these companies are critical infrastructure, they do not assume a stature similar to national security. In addition, with limited resources they cannot afford to invest a large amount of money in cyber security.
Experts present argued that, to be more effective, information on cyber threats should be open source. Companies that have suffered cyber attacks should share what they have learned with other companies. However, it was contended that there was a problem with this suggestion. Currently, if a company discloses information about its history of attacks, the company’s reputation will decline. If this can change, and proactive companies that share information could be protected and their initiatives rewarded, cyber security would be much more effective and sustainable. It was emphasised that public perceptions must learn to adapt.
According to some panellists, it should not be forgotten that threats could come from outside as well as inside systems. Even though inside threats are less likely, they nevertheless pose the trickiest challenge. The architecture of inside networks should be revised, as it is no longer relevant to have a master administrator who has access to all the information. "Such an operational structure only makes things worse, and therefore IT services should be given access only to information relevant to their sector", argued the speakers.
Later in the discussion, the importance of companies implementing threat-specific training at the individual level was mentioned. It was explained that "Risks are inherent and thus comprehension is essential. Understanding your assets is the key so that vital aspects are prioritised. Employees must understand the risks that they will be facing and how to react to each one".
Another point that was raised by the participants was about how to effectively respond to the supply chain integrity question. "A company", it was said, "must be sure that every sector is secure; however, it is impossible to do this. Even after rigorous process design, nothing can be guaranteed. It is complex and costly, but also a priority in today’s environment. It must be assumed then that there are going to be breaches and contaminations rather than hope they never occur; efforts must be focused on the resilience of the system."
An expert present said, "It is important to keep in mind that the effects of cyber threats go beyond petty thefts. Information stolen is not limited to an individual’s credit cards or personal information, but can extend to a great number of other people and their governments. The information could even be used for infiltration into a nation’s security infrastructure. For example, information stolen by Chinese cyber criminals during the Katrina disaster could handicap the USA’s responses in the future. Essentially, we are in the dark about how far cyber security threats reach and how much danger they pose to a nation."
In conclusion, the discussion focused on the parallels between the Indian cyber market and that of the USA. They are very similar in nature: a big market, diversified industries and private companies as opposed to public issues, as well as the same government interest and obligation to protect industry and the consumers. As a result, it was argued, it is vital to have businesses in the cyber security sector that develop expertise and make profit from assessing and tackling information threats. This would allow multiple actors to contribute to information threat sharing and information security.
(This report is prepared by Benjamin Bath, Research Intern, Observer Research Foundation, Delhi)
The views expressed above belong to the author(s).