Threats to databases
In an age of exploding data, information and knowledge, both human and machine, cyber security is as much a necessity for personal privacy as it is for internal and external national security, or for day-to-day economic activities and operation of social and economic infrastructure systems. Cyber security also constitutes the defensive part of modern warfare which is intimately connected with the blood-and-guts, on-the-ground military operations.
Thus, the threats to privacy and to national security from loss, leakage or corruption of data whether due to ignorance, inadvertence or cyber attack, need to be understood clearly.
Vulnerability to cyber attack is a function of the inter-connectedness of personal and institutional computer systems, and the integrity and quality of cyber defences at every level. Data has no geographical or political borders. The border for data is essentially the physical border formed by the physical infrastructure of installed hardware and the electronic boundary of the IT system or database within which the system manager has control.
Cyber attack has come into public spaces precisely because of increasing interconnectedness between systems or autonomous data silos, as internet users proliferate at the staggering rate of eight new internet users every second. This is even while there are allegedly 250,000 new computer viruses being created every day, which have the potential to infect private and institutional systems from around 300,000 infected websites, which can and do change every day. That gives an idea of the threat lurking behind every single keystroke of every computer which is connected to the internet.
Cyber criminals are not only professional in their capabilities, but are well organised, and even advertise their profession. There are ads for hacking services, which can be purchased by, say, a business person, to knock out business competitors by obtaining information or disabling systems for a critical period or effectively making the system inoperable by deliberately overloading it with inputs – called DDOS, standing for deliberate denial of services. DDOS can cost the purchaser of the hacking service $5 to $100 per hour or more depending upon the built-in security of the system, the risk of discovery, the benefit that the customer would get out of the DDOS to his business rival, etc.
While hacking into a system to extract (copy), corrupt or delete data is fraught with the risk of being traced, arranging DDOS is perhaps relatively safer. Alternatively, the hacker can be employed to infect a target system with malware. Such advertised services are themselves difficult to trace to a physical address, since the operators are skilled geeks who could be a next door neighbour or living on another continent.
Reportedly, malware sales and distribution to potential and in-practice cyber criminals is a thriving business. For example, a package named Black Hole Exploit Pack complete with full technical support and documentation, enables a newcomer to set up his own malicious hacking server.
Further, computer systems can be invaded by planting or embedding hardware at some stage of the manufacturing process or inserting malware during system installation. This provides a so-called “backdoor” to the system, unknown to the user, permitting individual criminals, corporate competitors, intelligence outfits or deep state actors unauthorised – and often undetected – entry to the system, for their respective nefarious purposes.
Software firewalls can prevent unauthorised entry into systems, but it must be understood that an engineer working in even a reputed firewall vendor company could have illicit and secret association with a hacking facility at the individual level.
Even otherwise, hacking is a part-time or full-time occupation which is open even to the very young, as young as 8 years of age. Some hackers do it for kicks – supposedly harmless – or to deliberately harm some particular person or organization, while others do it for making money.
All it requires for hacking a system is some self-acquired skill on computers (not very difficult for today’s youngsters born to the keyboard), motivation to hack (monetary incentives or personal satisfaction aims), and time (part-time after school or work is adequate) to succeed. The world over, cyber experts admit that a system is safe only until it is hacked, and the truth of this admission is that very high security systems like NASA, CIA, FBI etc. have been hacked or had malware injected into them.
Hard truth
Thus, cyber attack can be on an individual computer, a system, a network, or a server. But the threat is not only through the internet. There are many software devices and tools for physically gaining access to a system or database.
Most cyber criminals skilfully cover their tracks to escape detection and arrest. It helps them that most cyber security laws are national in scope whereas the internet is not limited to national political or geographical boundaries, being borderless and international. Furthermore, countries do not agree with each other on cyber security and privacy.
Backdoors and built-in threats
The IT infrastructure, meaning critical high-end hardware and software (“equipment”, hereinafter), in most, perhaps all, central and state government ministries, departments and organizations is purchased from international vendors. These vendors are not the original equipment manufacturers (OEMs), since OEMs have limited global marketing capability. The purchaser enters into a contract with the vendor who procures the infrastructure from the OEM and installs it. In most cases, the vendor is also contracted for life-cycle technical support since the design and details of the equipment are protected by the OEM under IPR.
Further, the OEM, operating under an export control regime, insists on the purchaser providing end-use certification. The nexus between the IT OEMs and the intelligence community needs no highlighting. It is this nexus which permits the OEM to secretly embed targeted hardware and/or software in the equipment, including hardware or software that detects, and is tailored to, the geographical location of the end-user.
Regarding the life-cycle technical support of the equipment, the vendor is often contracted for on-line support. This means that the purchaser actually hands over the entire live system to the vendor’s systems engineer – who may be physically located anywhere in the world – for updates, upgrades, rectifications, etc. At this stage, one or more of the following could happen: (1) if a backdoor was not installed at the time of supply and installation, it can be installed now; (2) if a backdoor was installed at the time of supply and installation, data can be downloaded through it; (3) a new or updated backdoor can be installed.
On-line technical support by the vendor may be preferred because it is cheaper than having a vendor’s engineer visit the site, and also because security clearances for physical visits could be problematic especially in high-security installations.
The point here is that critical IT hardware and software infrastructure is purchased from the international market, for end-use in defence, home, finance and banking operations, energy including oil, education, health, social welfare, electric power, nuclear power, railway operations, air traffic control, rail and air passenger reservations, public or private sector industry, etc., including UIDAI’s Central ID Repository (CIDR).
Thus vulnerability to cyber attack is substantial when every single item of critical hardware and software is purchased from international vendors, especially those who also provide technical support as part of the contract.
Sub-critical equipment
Cyber vulnerability is not only from critical hardware. Sub-critical hardware is also vulnerable when purchased from international vendors.
Sub-critical hardware is essential for the operation of IT systems, and routers are one such item, used for communication, data handling and transfer within and between IT systems. Routers are much like postmen who collect snail-mail from post boxes and post offices and deliver it to the addressee, hopefully without reading the communications or extracting anything from the mail. For digital data security, data is coded and voice communication is scrambled. The software of some routers is regularly updated by security patches, and this, as with critical equipment, is a source of substantial cyber threat.
Open market purchase
IT equipment purchased from the open market overcomes the disadvantage of revealing the end-use and prevents installation of targeted backdoors. Cyber threat is minimised but not eliminated because, for example, a mother board or a hard disk or the microprocessor could have secretly embedded devices which can be activated remotely. Notwithstanding, this is a “safer” route.
However, this route of open market purchase calls for increased levels of hands-on IT competence for system design, integration and implementation. Such talent is not difficult to find in our country, but sadly this is not encouraged because of reliance on foreign vendors who exercise influence at the highest levels of state and central governments.
Security evaluation
IT-product security evaluation is done under a framework of evaluation assurance levels (EALs) from 1 to 7. EALs 1 to 4 are relatively easily dealt with, but levels 5 to 7 involve checks ranging from investigation into the source of the hardware and software, to checks for embedded hardware and/or software, to silicon-chip-level testing to check whether the device performs only the task for which it is purchased and none other. As EALs increase, the level of expertise, the infrastructure required, and the time and cost of conducting the evaluation grow exponentially. The EAL to be demanded needs to be decided according to the assessed risk of cyber attack, the extent of non-acceptable consequences, and the capability and time-frame for restoration after attack. Infrastructure planning and provision should be done accordingly.
Effects of cyber attack on national databases
Cyber attack by a foreign power or a criminal group on a national database by one of the means mentioned above can be disguised to appear as internal system failure. Simultaneous attack on multiple databases can bring the economy to a grinding halt. The ability to enter multiple data silos or systems almost simultaneously is provided by an “entry-point” which is common to them.
Such an entry-point could be through a database which provides a digital entity that is linked to multiple databases. Several experts consider UIDAI’s Aadhaar number, which is linked to multiple databases, as providing a hacker with entry into multiple databases. That is, if CIDR is hacked, it can be a clandestine route for entry into linked databases. In fact UIDAI naively created and implemented the CIDR by contract with an international vendor which had intimate links with the intelligence community of the vendor’s country. Hence, the danger of backdoors having already been installed cannot be ruled out. It is a moot point whether Aadhaar is UIDAI’s self-goal by unwittingly planting a cyber-crime bomb, notwithstanding their unconvincing protestations.
A law to protect data would not hinder a determined aggressor from hacking into the CIDR. It would appear that cyber security with national security consequences was apparently not a priority with the architects of UIDAI’s Aadhaar, and hence justification for alleging naivety.
In international politics, cyber attack is an act of war, justifying reactive military response. However, when cyber attack disables multiple databases which affect military logistics and operations, it can restrict or limit the scale or speed of military response.
Capability for cyber security
As mentioned earlier, India has virtually zero production of critical hardware and software even in core sectors like defence, home, finance, energy (especially oil) and transportation, all of which impinge immediately and directly on the daily economic life of individuals and the State. Total dependence on international vendors for critical IT hardware and software is the bitter truth.
The attitude of successive governments to this truth has been denial, finger-pointing, or targeting whistleblowers by trolling or legal action – Tribune journalist Rachna Khaira being the most recent instance – or “shooting” the messenger, or adopting an ostrich-head-in-sand policy. It is not surprising that the problem has not gone away. Rather, the risk has increased from military, political and economic perspectives.
Focussing on data protection at database levels is inadequate, since data is simply digital alpha-numeric strings divorced from real-time situations and real-life people. Privacy, cyber security and national security which are at the core of individual sovereignty and national sovereignty, need to be covered both by actionable policy and law.
A degree of assurance for cyber security can only be had by using national human and material resources drawn from India’s public and private sectors. This is obviously a process which will take years, and planning for this can only be effective after the risks and consequences of cyber attack are accepted and realistically assessed at state and centre government levels, and policy and law on data and cyber security are formulated. All this needs to be with policy and time-bound action plans cleared at the level of the National Security Council.
National Security Council
Government’s e-governance initiatives will inevitably shift every aspect of national functioning into the cyber domain. As it gains momentum, the concomitant risk will be increased attractiveness as a cyber target.
Since cyber security compromised in one sector gives an aggressor access to associated sectors that use linked data, cyber security cannot be effective unless it encompasses the entire set of linked databases of knowledge, information and data across administrative and procedural demarcations. Only holistically architected security can reduce vulnerability to cyber attack, limit or contain damage to databases and speed up recovery in case of successful attack.
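The linkage described above, and in the earlier passage on the CIDR as a common “entry-point”, can be shown concretely. The following is an added illustration, not code from the article or from any of the organisations it names: two constructed record stores (a notional health register and a notional bank ledger, with made-up values) are keyed on the same raw identifier, so a copy of both can be joined into one profile. The mitigation shown, sector-specific pseudonyms derived with a keyed hash (HMAC-SHA256) so that each sector holds a different identifier for the same person, is a standard design pattern and is an assumption of this example, not a measure the article describes.

```python
import hmac
import hashlib

# Constructed sample data: two silos that both key their records on the
# same raw national identifier. Every value here is made up.
HEALTH_DB = {
    "1234-5678-9012": {"diagnosis": "hypertension"},
    "2345-6789-0123": {"diagnosis": "diabetes"},
}
BANK_DB = {
    "1234-5678-9012": {"account": "ACC-001", "balance": 52000},
    "3456-7890-1234": {"account": "ACC-002", "balance": 7800},
}

# Hypothetical per-sector secrets, held by the central registry only and
# never given to the sector databases themselves.
HEALTH_SECTOR_KEY = b"constructed-health-sector-key"
BANK_SECTOR_KEY = b"constructed-bank-sector-key"


def join_on_shared_id(db_a, db_b):
    """Merge records from two silos wherever they share a key.

    When both silos use the raw identifier, an attacker holding copies of
    both can build a combined profile with a trivial join.
    """
    return {k: {**db_a[k], **db_b[k]} for k in db_a.keys() & db_b.keys()}


def sector_pseudonym(national_id, sector_key):
    """Derive a sector-specific identifier from the raw one.

    HMAC-SHA256 keyed with the sector secret: without the key, pseudonyms
    from different sectors cannot be matched to each other or reversed.
    """
    mac = hmac.new(sector_key, national_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(db, sector_key):
    """Re-key a silo so it stores only its sector pseudonym."""
    return {sector_pseudonym(k, sector_key): v for k, v in db.items()}


def linkable_record_count(db_a, db_b):
    """How many records can be joined across the two silos as stored."""
    return len(db_a.keys() & db_b.keys())


def registry_lookup(national_id, sector_key, sector_db):
    """The registry, which holds the sector key, can still resolve a person
    to their record in that sector; a thief of the sector database cannot."""
    return sector_db.get(sector_pseudonym(national_id, sector_key))


if __name__ == "__main__":
    print("Raw identifiers, joinable profiles:", join_on_shared_id(HEALTH_DB, BANK_DB))
    h = pseudonymise(HEALTH_DB, HEALTH_SECTOR_KEY)
    b = pseudonymise(BANK_DB, BANK_SECTOR_KEY)
    print("Sector pseudonyms, joinable records:", linkable_record_count(h, b))
    print("Registry resolves health record:",
          registry_lookup("1234-5678-9012", HEALTH_SECTOR_KEY, h))
```

The point the example makes is that linkability is a property of the identifier scheme, not of any one database: with a shared raw key, a breach of one silo is a map into every other silo, whereas with per-sector derived identifiers a breach yields only that sector’s data and the registry remains the single place where cross-sector resolution is possible.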
A national database like UIDAI’s Aadhaar CIDR was created without laws to safeguard it or the data that it contains. Even after a law was passed in 2016, reports of leaked data are eliciting defensive responses from UIDAI, indicating successive governments’ casual approach to cyber security. A law to protect data can fix responsibility for invasion of databases and prescribe legal action. It would be ineffective when the attacker is outside India’s political boundaries, and cannot take cognisance of the larger aspect of cyber security at the national level. That would call for holistic policy at the National Security Council level, with action plans for time-bound, phase-wise implementation.
An effective cyber strike on the day-to-day governance of a nation could be catastrophic, impinging on national security and also compromising national sovereignty. Being in a state of denial with respect to cyber security, as in the UIDAI’s case, will only take our country closer to the edge of a precipice beyond the point of no return. We need to think beyond feel-good, band-aid solutions like formulating a law on data protection. Political tie-ups with countries which promise assistance in security can only further compromise security, since critical IT hardware and software in use are all imported, and may actually facilitate the foreign intelligence agency’s access. The National Security Council has its task cut out, but is it listening?
Major General S.G. Vombatkere, VSM, retired as Additional DG Discipline & Vigilance in Army HQ AG’s Branch. His area of interest is strategic and development-related issues.