Cyber Security Issues and Challenges Excerpts from the talk given by
Mr. Vijayashankar Nagaraj Rao in the MMAKAS conclave on “Securing India in Cyber Space.”
Criminals are today running away with the data and we are all running after the criminals, to recover either our lost money or our data. In this fight, some tech companies benefit from cyber crimes. There are also some vested interests who delay the Personal Data Protection (PDP) Bill. The Information Technology Act 2000 itself contains many data protection requirements. In 2006, at the same time that the Information Technology Act was being amended, a bill for personal data protection was presented. But unfortunately, it never became law.
The ITA 2000 Amendment became law in 2008, and that is what gives us Section 43A and Section 72A. People don’t want the PDP Bill to be passed because they want to make merry before the law sets in, and all of us, in some way or the other, let this happen. As cyber security professionals, we need to see what we can do to ensure that cyber security really happens on the ground.
Organisation or End Victim?
There are two perspectives to cyber security threat:
- Organisational Perspective, and
- End Victim Perspective
Organisations think that they are the owners of the data and that it is the data that has to be safeguarded. The end victim perspective is different. Individuals think that personal data protection is their fundamental right and that, therefore, they themselves should be protected. Cyber crimes affect companies through ransomware. They also affect individuals through identity theft. Our credit cards and SIM cards are cloned and reused somewhere else. The industry appears to be more concerned with protecting the organization and less concerned about protecting the individual.
Many times, institutions end up saying that their responsibility is only to create awareness and education. Awareness creation is only the first necessary step, not the sufficient step. We need to address security requirements at a higher level: for intermediaries like ISPs and the organizations which handle data. Of course, one could argue that no crime would ever happen if the victim were always careful: if I don’t keep money in my hip pocket, then there will be no pickpocketing. But you cannot on that basis say that the crime is due to the negligence of the cyber crime victim. Society, which includes the government and companies, must work together to ensure that if people are to use technology, then it is safe. Otherwise, we would be happy even without the technology.
The role of intermediaries
There are two dimensions to the threats in information security that have been recognised by the IT Act: the body corporate and the intermediaries. Bodies corporate that handle sensitive personal data are required to implement reasonable security practices. They are expected to have a contractual arrangement with data subjects and to protect the data accordingly. This is as per Section 72A and Section 43A, which speak about reasonable security practices.
Intermediaries, who pass data and let crimes happen, are also responsible for cyber security. Twitter and other social media organizations want the freedom to do business without the corresponding responsibility to take care of security. As a result, cyber security suffers and we let intermediaries escape with no responsibilities. This is something which information security professionals must address. The proposed bill to protect personal data recognizes two categories of data handlers: the data fiduciary and the data processor. The data fiduciary is the person who has to take responsibility for protecting the privacy of the individual. The fiduciary has to act as a trustee to the data principal and, therefore, his responsibility is greater. The data processor has to follow the instructions of the data fiduciary. The data fiduciary will provide assistance to the data processor.
Security: A Moving Target
Security is always a moving target. What was true and sufficient yesterday may not be true and sufficient today. New threats emerge along with new technology solutions. We are supposed to use those solutions for the benefit of the target audience of cyber security, which includes not only the organizations but also the end users of systems. For example, the bank is not the focus of information security; bank customers should be the focus. When we are able to look at it in that sense, we can really address cyber security for the benefit of society.
Of course, we know that we cannot protect individual customers without protecting the bank. But the focus should be the benefit of the people behind the systems. That is one important difference which will come when the data protection act becomes law.
Passwords May Soon be Passé
For data security in the past, we harped on complicated passwords of 8 characters with capital letters, small letters, special characters and so on. That was one step in hardening security. Then we went into hardware tokens. Today, we talk of something like single sign-on with a chain of authentications, some of which are handled automatically. Security approaches like single sign-on and zero trust tools sometimes appear to contradict each other. We are not clear whether it is good to concentrate all security measures in one single sign-on authenticating device or whether we should have multiple authentications. In fact, one concept in security today is that authentication does not end at the time of login. It has to be a continuous process from login to logout. Artificial intelligence should track the behaviour of the user from login to logout and, where necessary, apply adaptive authentication, putting challenges to the person again and again. If necessary, ask him to re-login.
No doubt this will hurt the convenience of the system, which technology people are more interested in, but convenience without security cannot be supported. So passwords are on the way out. We need a replacement or an alternative to passwords.
We have also used encryption of data, which ultimately comes back to a password because the key has to be managed. Then we have used virtual private networks (VPN). Again, it comes back to passwords. The IT Act 2000 introduced the digital signature system, which can be used for creating a VPN between the sender and the receiver of a message. We are still happy to use the VPN system where device-to-device encryption is done, but not for person-to-person encryption. Therefore, the security that the law already provides for is not fully utilized.
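The continuous, adaptive authentication described above, as an added example that is not code from the talk: a small post-login risk monitor that scores each behavioural event and decides whether to allow it, issue a step-up challenge, or force a fresh login. The signals, weights and thresholds are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical risk weights per behavioural signal (constructed for this example).
WEIGHTS = {
    "new_device": 30,
    "ip_change": 25,
    "impossible_travel": 60,
    "unusual_hour": 15,
    "privileged_action": 20,
}
CHALLENGE_AT = 40   # issue a step-up challenge (e.g. OTP) at this score
RELOGIN_AT = 80     # force a fresh login at this score
DECAY = 10          # score decays on each clean event so one oddity does not linger


@dataclass
class Session:
    user: str
    score: int = 0
    challenged: int = 0   # number of step-up challenges issued so far


def evaluate(session, event):
    """Score one post-login event; return "allow", "challenge" or "relogin"."""
    hits = [sig for sig, on in event.items() if on and sig in WEIGHTS]
    if hits:
        session.score = min(100, session.score + sum(WEIGHTS[s] for s in hits))
    else:
        session.score = max(0, session.score - DECAY)
    if session.score >= RELOGIN_AT:
        session.score = 0          # the session is torn down; start afresh
        return "relogin"
    if session.score >= CHALLENGE_AT:
        session.challenged += 1
        return "challenge"
    return "allow"


def challenge_passed(session):
    """A correctly answered challenge halves the accumulated risk, not to zero."""
    session.score //= 2


def run_session(user, events):
    """Replay a constructed event stream and return the decision for each event."""
    s = Session(user)
    decisions = []
    for ev in events:
        d = evaluate(s, ev)
        decisions.append(d)
        if d == "challenge":
            challenge_passed(s)   # assume the user answers the step-up correctly
    return decisions


# Constructed sample stream for one login session.
SAMPLE_EVENTS = [
    {},                                                 # normal browsing
    {"unusual_hour": True},                             # mild: still allowed
    {"ip_change": True},                                # reaches 40: challenge
    {"privileged_action": True},                        # back to 40: challenge
    {"impossible_travel": True, "new_device": True},    # jumps past 80: relogin
]
```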
Spate of New Devices
In terms of devices themselves, we have moved from computers to mobiles, wearables, medical implants inside our bodies, IoT devices and industrial assets like CCTV cameras. The security scenario has been changing and new threats are evolving because of this.
One of the things I am more concerned about is not end-customer security. Phishing and other such things are there. More importantly, we have the organizational-level security threats, like the ‘zero day’ vulnerabilities in software that is sold for a price. People experience difficulties. Software companies do not take responsibility for their products. That is why we face zero day vulnerabilities. Even the patches do not fully help in updating the software, because the new supply chain attacks target the patches and updates themselves. So, one has to be very careful.
Early Bird Catches the Worm
You may need to have a system where patches are not applied immediately. You must have a sandbox kind of arrangement, because just as we say that the early bird catches the worm, we can also say that only the early worm gets caught. When there is an update, we don’t know what new vulnerabilities are in the update itself. That is how major ransomware attacks have happened in recent times.
Then there are the misconfigurations of software that people make; supply chain vulnerabilities; and backdoors or Manchurian chips, which people try to implant. These are threats which have to be addressed at a higher level. At the individual level, we have identity theft and phishing, which will continue to be threats. But the actors are moving from cyber criminals to cyber terrorists and cyber enemy nations, whose resources are enormous. Individuals will not have the ability to counter threats from these actors. Organizations have better capabilities, provided they invest in security, which today they are trying to push onto the individuals. Even cyber insurance in banking should be taken by organizations. They should not push this onto individuals. But nobody seems to bother about the individual needs that have to be protected by the organizations or intermediaries.
Various kinds of malware are known, but what we are worried about is crime-as-a-service. As a society, we are letting crime-as-a-service and malware-as-a-service flourish. We should prevent criminals from becoming organisations. While we may have secured data at the machine shop, the chances of corruption of data transmitted from sensors to the server are very high. It is possible that an entire batch of production could be corrupted. Technology and innovation should not be introduced unmindful of the risks.
A device like Alexa at home may be continuously listening to what we speak. I do not know how it will react. CCTV provides a lot of advantages, but it is also being misused and is prone to attacks. When intelligence fails in autonomous cars, we may have serious issues. We have risks in wireless implantable medical devices. Human lives could be at risk, and cyber security should focus on securing such medical devices from attacks. Governments today are moving towards humanoids and, on top of that, Saudi Arabia is giving citizenship to a humanoid robot. A robot is also a computer with a chip designed by an individual. If that individual has provided a back door, then the humanoid can be a threat to lives.
Recently, we have seen that OEM equipment boards have been hacked. China used a tiny chip in the motherboard to infiltrate America’s top companies like Amazon. An Iranian nuclear power station, 50 feet below the ground, was attacked. We have seen the US pipeline attacks, and we see supply chain attacks happening every day. In every one of our computers, it is possible that there is some sort of crypto mining going on.
- Technologists are ignoring “Security by Design” principle which is their duty.
- As a society, we use AI more to aid crimes than to protect the society.
- The government is dithering over the crypto ban.
- The law enforcement agencies are surrendering to the power of the dark web.
This is the situation that we have today. Cyber security professionals need to do a lot of introspection to find the right solutions. The question is: do we have sufficient will to fight cyber threats?