Security shaman Bruce Schneier did what he does best today – raise the alarm about the systematic probing of critical pieces of the Internet. Some motivated actors launched carefully calibrated attacks to test the underlying gears of cyberspace, getting a better understanding of where and when to throw a spanner in the works so that the whole machine grinds to a halt.
Without divulging further details, Schneier says that the precision of the actors involved points to an adversarial nation state rehearsing its march towards the next battlefield.
The element of surprise in the 1971 Indo-Pakistan war was the water bund. Under the guise of anti-flood measures, both sides had dug up the border to create ditches, dams and bunds. As the battles flared up, the defensive flanks would flood these networks by manipulating the course of rivers and canals. The incoming tanks and soldiers would be caught in a pit of muck and grime, completely losing the initiative.
Imagine someone flooding the sovereign cyberspace of a nation in a similar fashion, with enemy bunds that are strewn not just across the border but everywhere inside the territory. The reconnaissance party that Schneier mentions knows well that the element of surprise in the wars of the future would be a pre-emptive strike at the enemy’s information infrastructure. With no seamless command-and-control, one would be approaching the battlefield blind.
Over no other medium or theatre does asymmetric warfare manifest more viciously than it does in cyber. Just one actor and a single action is all it would take to unleash havoc. The cybersecurity architecture, on the other hand, looks like a geometry of the selfish herd – which hides its weakest in a flock of the weak.
Security researchers hate such hypotheses, but what really constitutes the sovereign cyberspace of a nation? How do we draw our cyber borders? From the smartphone of a bureaucrat posted abroad, the unregulated networks of the private sector to the compromised foreign hardware that powers our internet – unlike the physical frontiers, the various permutations and combinations of information flow make for a dynamic and evolving cyber homeland.
Such were the challenges confronted head-on at the Borderless Cyber Europe conference that took place this month.
Take the case of the menace that is cyber-espionage. As a lowly little operative in the government, gunning for one espionage campaign after the other, I helplessly looked on as they exfiltrated sensitive information out of India. Hiding behind a highly decentralised command-and-control, with targets that spanned numerous organisations and their chaotic networks, and a trail of evidence that hopped geographies – the odds were stacked so high that even calculable defeat would be deemed as victory.
Unlike other technology landscapes, where emerging standards opened up new markets, the cybersecurity ecosystem was exclusively driven by vendors till now. It is astonishing to see how the key messages and public perception have been manipulated to such an extent that the offered “security” drives the very insecurity.
The conventional solutions to tackle cyber at a national level generally proposed the setting up of overly centralised Deep Packet Inspection regimes that needlessly complicated matters by encroaching on the warrant-based lawful interception space. Unaware Indian agencies, encouraged by suspicious foreign vendors, had even drawn the blueprints of a similar Central Monitoring System. Sceptics across the globe have rightly feared for the threat to civil liberties and the Orwellian politics of control, the potent side-effects of such platforms. To scan and store every packet passing through cyberspace is not only overkill but also prohibitively expensive.
Fight decentralisation with decentralisation, chaos with chaos, is the message that has emerged from Borderless Cyber Europe. A new set of open, interoperable standards that allows the creation of vendor-agnostic, collaborative and cross-organisational threat intelligence sharing grids – dealing only with metadata – could easily be scaled nationally or even internationally. Organisations under an industry vertical or critical sector can group themselves together to facilitate the automated sharing of metadata, which can then be fed to a national command centre. It’s a regulation-free, oversight-less and privacy-friendly model.
The US has already bootstrapped the National Cybersecurity and Communications Integration Center (NCCIC) to commandeer homeland cyber defence of civilian and non-civilian infrastructure. Richard Struse, who heads the NCCIC, shared key learnings at the conference, underlining the fact that trust and metrics are its holy grails.
We at Bhujang are engaging stakeholders in India round-the-clock and building the technical enablers of a similar framework, hoping to safeguard the future of this burgeoning nation.