By Cherian Samuel
2011 was an eventful year in cyberspace, with many headline-grabbing events, from Stuxnet to the Arab Spring to regular hacking by the Anonymous Collective, to name just a few, having a cyber component attached to them. In more than one case, these events upended the conventional wisdom on cyberspace and have set in motion reactions that will have a long-term impact on the cyberspace arena in the coming years.
The Stuxnet worm had been observed in the wild from 2010 onwards, but the events that gave it the dubious distinction of being the first “military grade cyber weapon” unfolded in public view only in 2011, when it became known that Iranian nuclear facilities had been targeted by the worm. This event put paid to the notion that “air-gapped” systems, those disconnected from the Internet, were impervious to being hacked. It also brought to the fore the fact that critical infrastructure is the Achilles’ heel of the cyber age, since most infrastructure runs off SCADA-based computer systems of the type used to run Iran’s nuclear infrastructure. While previously it was believed that critical infrastructure would and could only be targeted in the course of full-on kinetic hostilities, Stuxnet proved that targeted attacks were possible, though such attacks, from conception to enactment, would require an enormous amount of effort and resources. The cost of developing Stuxnet was estimated at anywhere up to $10 million. However, that could yet change, given the enormous amount of resources available for hire around the world. It also became known that vulnerabilities in SCADA systems could not be easily patched for a number of reasons, ranging from the fact that these systems run 24/7 and cannot be taken offline to the possible unintended consequences of fiddling with source code and antediluvian operating systems.
While Western powers were believed to be behind Stuxnet, these advanced economies have also found themselves unable to deal with the large-scale exfiltration of intellectual property, the monetary value of which is estimated to run into the billions. While the needle of suspicion invariably pointed to China, the common thread that ran through both Stuxnet and cyber theft was that the origin of the perpetrators could not be conclusively proved, since many of the protocols that govern cyberspace were designed to run on trust and can thus be easily spoofed. Though there was talk of economic sanctions and the like against offender countries, the fact that the presumed major offender countries were also major trading partners, together with the attribution problem mentioned earlier, nipped that particular solution in the bud. There was much talk on the roles and responsibilities of governments vis-à-vis the private sector, again an outcome of the peculiarities of this domain where much of the infrastructure is in private hands, but these discussions remained inconclusive.
Cyber muscles were flexed with the establishment of Cyber Commands by many countries, but cyber espionage continues unabated. The raising of such Commands has hastened the need for discussion on issues such as adapting the laws of armed conflict to cyber warfare, as well as how to adapt principles such as neutrality and proportionality, which form the bedrock of international humanitarian law, to this new domain. Norms governing collective security and the actions to be taken, as embodied in Chapter 7 of the UN Charter, are found wanting in the context of cyberwar, particularly given the rapidity of cyber attacks and the inordinate time it takes for decision making and action under these rules.
Those countries which thought that they could reshape cyberspace in their own image, and particularly limit its information dispersal role, found that a network essentially created to withstand a nuclear attack could not be easily controlled. Incumbent governments from Egypt to Libya, caught in the throes of what came to be called the Arab Spring, found out to their cost that the redundancy and resilience built into cyber networks made the sealing of cyber borders not an impossible task, but one that could be easily circumvented.
Different priorities and perspectives among various countries and the myriad stakeholders have hamstrung international efforts to cobble together a strategy to combat pressing issues such as cyber crime and cyber terrorism. Multi-stakeholder groups convened in multiple venues from Nairobi to London with the intention of at least working out common norms for securing cyberspace, but the outcomes were again inconclusive. More summits will take place in 2012, including one in New Delhi.
All these furious activities notwithstanding, cyber criminals, cyber spies and hackers made merry, with high-profile cases ranging from the RSA SecurID hack to the Sony PlayStation Network breach to the Dutch Certificate Authority hack hitting the headlines with regularity. The varied nature of these attacks and the vulnerabilities exploited underscored the fact that such attacks were impossible to predict, and to prevent, at least in the near term, and that it was more important to have protocols and response mechanisms in place to limit the damage caused by them.
Malicious cyber activity in India was par for the course. As in previous years, information on cyber espionage and the hacking of government computers came largely from sources abroad. McAfee’s report on Operation Shady RAT listed an “Indian government entity” as having been penetrated by cyber spies. The website defacement competition between Indian and Pakistani hackers continued as usual, with the Anonymous Collective chipping in and defacing the NIC server to register their support for Anna Hazare. Though these defacements were no more than the equivalent of digital graffiti, they showed that websites were not locked down and that more grievous damage could easily be inflicted. There is no doubt that more malicious activities have taken place, but these have not been reported, either because they are yet to be discovered or because they have been discovered but not publicised. Though the Department of Information Technology released a draft cyber security manual, putting it into practice would require a gargantuan effort, which is probably the reason why timelines are missing from the document. In terms of a wake-up call, probably the most significant attack was the one on the baggage system at Indira Gandhi International Airport, which as a result ground to a halt in June 2011. A CBI report initially described this as a cyber attack from an unknown location. Subsequent investigations revealed that the perpetrators were disgruntled engineers handling the software. The insider threat remains a crucial but under-appreciated vulnerability that needs fixing.
The last week of the year has not been without its share of cyber news. Security company STRATFOR was hacked by members of the AntiSec/Anonymous Collective, with the hack revealing that the company had not taken even the most basic of precautions and had stored credit card information in plain text. If a security and intelligence company, often called the “Shadow CIA”, could not get its cyber security right, the less said the better about other entities. And in one of its last actions of the year, the US Congress authorised the use of offensive military action in cyberspace.
Given these developments, one can safely predict that 2012 will see an upward trend on already active indices, be it cyber crime, cyber espionage or cyber activism. An uptick in the steady march towards the militarisation of cyberspace is also a safe prediction. Where the next headline-grabbing cyber event will take place, or in what form, is difficult to predict, though it could well be perpetrated by a class that is yet to open its account: the cyber terrorist.
Originally published by Institute for Defence Studies and Analyses (www.idsa.in) at http://www.idsa.in/idsacomments/TheYearThatWasinCyberspace_291211