Security in Network Era
Raj Mehta &
has been published in Deccan Herald, Bangalore in two parts in Edit Page
on Nov. 7 and 8, 2002. I have sought release to be published in other
newspapers, e-media and other forums)
A stand-alone computer
is a useful tool. Its power is multiplied immeasurably when it is
connected to other computers in a network, whether it be a private network
(an Intranet) or a public network (e.g. the Internet).
To organize and manage
the complex society that we live in, computer networks are indispensable.
What flows over these
networks is human knowledge. It is increasing at a pace never foreseen
before in history. Commerce and almost all activities of our daily living
rely on this knowledge. If our functioning has to be orderly, the integrity
of the information becomes a central issue. Any unauthorized alteration
of information has the potential to create chaos.
Among the security
threats faced by present-day information-networked societies, a prominent
one is information warfare. Surprisingly, it is possible to seriously
damage and even destroy communication networks and computer systems that
are central to modern economies and their national defense. In the extreme,
the fabric that holds a nation together can be damaged to the extent that
civil society becomes vulnerable to physical attack and destruction.
Consider the following
hypothetical scenarios that are technically quite feasible:
failure (railways, telecom, airways, power grids).
More and more of Indian infrastructure is relying on computers and networks
to provide basic services – e.g. rail travel, communication, travel
by air and power and possibly many others. If these networks become
inoperative then life as we know it today in modern India
will come to a standstill, and law and order problems could result
across the country. With on-going privatization of the infrastructure
sectors, relevant network security issues will increasingly pass beyond
direct regulatory control.
- Pension, LIC,
PF and bank account beneficiary data alteration.
elements get control of the computers and networks of these agencies
and cause their data to be maliciously altered, thereby causing mass
confusion and disruption of life and normal activities. Banks for
example could be most vulnerable to such attacks, more so as they expose
themselves to the risks of Internet Banking. Billions are known to
have been lost by such frauds with banks overseas, even as they moved
cautiously towards networked banking.
- Malicious alteration
of data on revenue collection and claims.
Computers and networks that hold important revenue data for various
and agencies could be compromised and maliciously altered without even
The resulting loss of revenue and the long, drawn-out litigations among
people and between authorities and people would be unimaginable. Such
a failure would give rise to unwarranted disputes and turn them into
bloody battles bringing unending suffering to citizens.
a group of terrorists approaching an Immigration desk at any port of
entry in India.
The immigration and security people who could intercept them rely on
their computers that are networked with different International ports
of entry in India
and with India’s
overseas Consular offices as well. If the security of these computer
databases were to be breached and information on such terrorists deleted
or shielded even for a limited time, the terrorists would be allotted
visas and would enter India
without any agency being able to detect such an invasion. Can you imagine
what havoc this could cause?
we are moving towards mass computerization of all of our activities. Any
and all of the above scenarios are very much possible, because of:
- A wide-spread
lack of security-awareness, and
- Some inherent
problems with our computer and network hardware and software.
Prominent types of
computer and network security breach are the following:
- Security violation,
that allows an external hacker to take control of critical servers and
The use of foreign hardware/software constitutes a threat as there are
in-built mechanisms (known as backdoors and doorbells) and components
that can make the entire information on a computer or a network available
to some agency of a foreign power. For example, all the hardware/software
imported from USA
is known to contain features that will permit NSA (National Security
Agency, the spy agency of USA) to control every computer and piece of
hardware/software exported out of USA. ARE
YOU AWARE that this is part of an agreement between the US Government
manufacturers, as a requirement to get an export permit granted?
- Denial of service attack (DDoS).
If any of the infrastructure computers or networks can be overwhelmed
by someone with malicious intent, or routinely by someone wanting to
use Internet from any of the computers, the whole of the subject service
can be made inoperative by mass sending of information packets, made
to appear as hardware failure. Of course if such machines are connected
to the internet, they are even more at risk. This type of attack has
happened to servers connected to parts of the global public network
– internet, e.g. yahoo.com and others, who lost their service for several
- Exploiting Inherent
flaws (bugs) within Hardware/Software
Of course there are other types or means associated with and exploiting
many technical errors (bugs) which are present in all computer and network
hardware and software. For any particular model or generation of hardware
or software, such errors get discovered and corrected by the manufacturer
or supplier only over a considerable period of time, measured in months
or years, if at all. Owing to the continual development and adoption
of new hardware and software, this is an ever-present problem.
The above stated
instances are only the tip of the iceberg, the most glaring examples of
how our security is being compromised.
The point I really
want to drive home is that it is our responsibility to reduce our vulnerability
to such threats. We know there are unprincipled and criminal people
and predatory and hostile countries that we have to deal with from time
to time. If we do suffer harm through computer security breaches and
information warfare now and in the future, the fault lies with us for
not being sufficiently vigilant to know what is going on even now, and
in failing to take steps toward better security and privacy.
To deal with the
threats to our computer networks (and hence to our way of life), a
two-pronged strategy is outlined below. First, new laws must be enacted which
will address the threats as we know and perceive them now. Second, a new initiative
MUST be undertaken to educate every user connecting to the network (a
neglected aspect of the present computer/network era) to use the computer and
network safely; only then can any network ever be secured.
What can Parliamentarians
do to help achieve preparedness against, and prevention of, such devastating
calamities? The following may comprise a tentative Computer/Network
- Establish Advisory
Committees that are receptive to hearing opinions and ideas of experts
so as to function as a cohesive conduit between government agencies
and well meaning knowledgeable experts. This will enable cautionary
advice to be heard and awareness to be established at various levels.
It will further enable the nation to review and act upon nationalist
issues in these areas. Such Committees may be constituted as multi-disciplinary
bodies and must include senior Parliamentarians, nominees from concerned
ministries, Security, Intelligence and Defense agencies, and exponents
of academic research as well.
- Legislate - Mandate
that for every hardware/software imported in the country, its vendor
shall have to submit for examination, the source code (human readable
listings) of any software coded with the equipment and of all proprietary
software as well, without “gagging” (i.e. contractually preventing public
disclosures of adverse findings of) the examiners. This is not unusual
in present times. We won’t be the first ones to require this. Peru
has already set the precedent for this.
and some others are considering in some degree or the other such requirements.
There are even similar moves at the State level in California,
- Move towards mandatory
declarations (in a phased manner) for all business, trade, banking,
infrastructure and industrial establishments who are networked to publicly
disclose legally binding management assurances to the effect that adequate
actions have been or will be taken within a definite time scale in order
to achieve preparedness for better security against information warfare,
whether by an actual nation, or other entity. And further make it well
known that full audit and disclosure in this regard is on the agenda
for being implemented in future.
- Mandate that compulsory
public liability insurance be procured by all such establishments for
meeting public liability claims arising from any adverse sufferings
that could be caused as a result of their network security inadequacies.
A specialized cell to assess insurance claims as well as premium rates
and rebates applicable to adequately complying establishments will surely
induce better security implementation.
- Make it mandatory
for all telecom and Internet service providers to embark on a mass communication
program that will spread awareness amongst users of their services,
and make them more knowledgeable to report risks, threats and violations.
Those who comply may be given rebates in license fees that will help
in partly meeting the costs of such a mass communication exercise.
- Establish and
keep upgrading security standards to be complied with for securing networks
that are in use by public, government and business.
- Consider suitable
amendments in policies for procuring imported telecom and network equipment,
computer hardware and software.
- Develop indigenous
hardware and software through a National Centre for Information Networks.
Finally it must be
said that we do have some awareness in India
about Network Security. There is a Government of India website devoted
to this: http://www.itsecurity.gov.in, but unfortunately,
it is a collection of material from US or other sources. We don’t have
something which is developed indigenously. There are courses organized
by STQC-IT Services for system administrators and IT managers. From my
perspective this is not nearly enough.
A Network or the
Internet has to be viewed as a chain. Every link, especially people, is
important. As the adage goes, a chain is only as strong
as its weakest link. So every computer on the network has to be as
secure as any other and every person manning the computer has to be as
knowledgeable as any network professional. Only then is true security
possible. Security awareness has to go down to every user who logs on
to any network.
was the secure neutral crossroads, strongly self-defended, but remaining
the neutral meeting place for government and commerce.
is poised to take that same position in networking, but the strong self-defense
must grow to the needs. The balance to keep international ties while establishing
that growth is difficult, but not impossible. It will take will, work
and wisdom -- a new acronym for WWW.
A dynamic policy
for effective digital security in the new Internet Millennium can establish
India
as a global center for an International Network Economy. The cost of maintaining
an effectively secure digital network infrastructure is lower than the
cost of any remedial action, even when damages are comparatively small.
Regions of the world that are prepared in this way will become a magnet
for use of their infrastructure. India
can become the Switzerland
of the Network Age.
India's greatest chance to become a world
leader of an International Network Economy by creating the desired secured
infrastructure. Let India
not miss it!
About "The Authors"
scientist, an author, online educator and new media exponent--the World
Wide Web, Dr Mehta feels very few have a clue as to how to use it. Presently
involved in "educating our legislators on aspects of Net and computer
security", this 50 plus alumnus of Stanford University (worked with
Nobel Laureate Dr. William Shockley) besides having worked for Raytheon,
ITT Semiconductors, IBM R&D Labs in California holds four basic patents
related to transistor processing. He has successfully conducted several
corporate seminars at Hoechst Marion Roussel to introduce Internet and
the Internet technology for the corporate use and for personal use. Author
of "Internet Users Guide For VSNL's Gateway Internet Access Services
(GIAS)", published by Videsh Sanchar Nigam Ltd. it led to the birth
of India's first online voluntary virtual community to help Internet Users
of India – TheGuide http://guide.vsnl.net.in
Copyright © 1999-2002 Dr. Raj
Mehta. All rights reserved.