It’s been an eventful 12 months in cyberspace, with some international headline-grabbing events including the Stuxnet worm and hacking by the group Anonymous. In a number of cases, events have upended the conventional wisdom on cyberspace and have set in motion responses that will have a long-term impact on cyberspace.
The Stuxnet worm had been discussed for some time, but its label as the first military-grade cyber weapon was only really earned this year, when it was revealed that Iranian nuclear facilities had been targeted by the worm. The revelation put paid to the notion that “air-gapped” systems – those not connected to the Internet – were impervious to attack.
While previously it had generally been assumed that critical infrastructure would only be targeted in the course of full-on hostilities, Stuxnet proved that targeted attacks were possible, although they require enormous resources. Indeed, some put the cost of developing Stuxnet at anywhere up to $10 million. However, given the level of resources available for hire around the world, such costs could tumble.
While many saw Western powers as likely behind Stuxnet, these advanced economies have, either way, also found themselves unable to deal with the large-scale exfiltration of intellectual property, the value of which is estimated to run into the billions. While the needle of suspicion has invariably pointed to China, the common thread that ran through Stuxnet and other cyber threats was that the origin of the perpetrators couldn’t be conclusively proved.
Though there was talk of economic sanctions and the like against alleged offending countries, the fact that potentially the biggest source of the problem is also a major trading partner for many has complicated any response.
A number of countries, including India, have reacted to the perceived threat by announcing plans for their own cyber commands, which itself has highlighted the need to thrash out domestic and international laws on conflict in cyberspace, not least clarifying questions of proportionality. The fact is that international norms governing collective security and actions to be taken in response to threats, as embodied in Chapter 7 of the U.N. Charter, have been found wanting in terms of cyber conflict.
Differing priorities and perspectives from myriad stakeholders have so far hamstrung international efforts to cobble together a strategy to combat pressing issues such as cyber crime and cyber terrorism, despite a string of meetings in venues from London to Nairobi. Here in New Delhi, we’ll be hosting our own cyber discussions next year.
In the meantime, though, cyber criminals, spies and hackers have made merry, with high-profile cases ranging from the RSA SecurID hack to that of the Sony PlayStation network to the security breach at DigiNotar, a Dutch certificate authority, which saw the fraudulent issuing of security certificates. The varied nature of the attacks has underscored the fact that they are often impossible to predict, and that there’s bound to be more to come.
Here in India, malicious cyber activity has been par for the course. But, as in previous years, information on cyber espionage and hacking of government computers came largely from sources overseas. McAfee’s report on Operation ShadyRAT listed an “Indian government entity” as having been penetrated by cyber spies. Meanwhile, the website defacement competition between Indian and Pakistani hackers continued as usual, with Anonymous apparently chipping in and defacing the NIC server to register their support for Anna Hazare. Though these defacements were little more than digital graffiti, they showed that websites weren’t properly locked down, suggesting more grievous damage could easily be inflicted.
There also seems little doubt that more malicious activities have taken place that haven’t been reported, either because they are yet to be discovered, or else they’ve been discovered but not publicized. Probably the most significant wake-up call for India came as a result of an attack on the passenger processing system at Indira Gandhi International Airport, which was badly disrupted in June. A CBI report initially described it as a cyber attack from an unknown location. Subsequent investigations revealed that the perpetrators were disgruntled engineers handling the software. Such insider threats remain a crucial but underappreciated vulnerability.
And the year has ended with a sobering attack on security firm STRATFOR, the hacking of which suggested that the company hadn’t taken even the most basic of precautions such as encrypting credit card information. If a security and intelligence company that has been dubbed the “Shadow CIA” can’t get its cyber-security right, the less said the better about other entities.
In one of its last actions of the year, the U.S. Congress authorized the use of offensive military action in cyberspace. Given such developments and responses this year, it’s hard to imagine that 2012 won’t see more of the same, even as we continue the steady march towards the militarization of cyberspace.
The big question now is whether next year will herald a headline-grabbing attack by a class that is yet to really open its account on the international stage – the cyber terrorist.
Cherian Samuel is an associate fellow at the Institute for Defence Studies and Analyses (www.idsa.in) in New Delhi. This is an edited and abridged version of an article that was originally published by the organization here.