National Security in Network Age--An Interview
(Please note that questions in the following were posed by Ms. Surekha Kadapa, a free lance journalist. Part of these may be published in Sunday Mid Day Times possibly on Aug. 25, 2002)
Internet/Data Networks have made lot of impact on our lives. But for dot-com bust we would have seen more of business activity moving onlinemaking for speed and ease for completing tasks..
Is it safe to carry on online activities where sensitive information is passed on?
If my ordeal of having my identity stolen last year August, by some of the associates of Sept. 11 hijackers, and having to reverse the financial losses, is what is in store, my answer is not to carry on any online activities. Though I do not really known for sure how my Identity was stolen but my online activities are very strong suspect.
This brings to question how secure is Internet? How secure are dedicated networks like e.g. Army, Navy or Air Forces networks?
Form National Security point of view they are 100% insecure. The earlier we realize and do something about It will be in the best interest of India. Please read on
Commerce is built on that "knowledge". When a key commodity in the world was salt, even brutal force could not prevent salt from carrying forward commerce. Indeed, this is a reference to Gandhjiis historic Dandi salt march. Not because commerce is the end-all, but because it is the way we have even today for cooperation that continues to benefit mankind.
With the unimaginable increase in knowledge that continues to gain momentum, it has become an essential part of our lives. And this repository of knowledge is distributed across the entire Internet. It is creating new business methods - from the website that sells products across global markets, to the vertical supply chain coordination of industry. Anyone not part of this digital worldwide network looses. Anyone who legitimately participates does gain.
Couple of wonderful example of this in India, gained international attention. Iliterate women in Madhya Pradesh uses the `Gyandoot' network for comparing prices prevailing in nearby markets. This empowers them with knowledge that enhances trade prospects for the entire rural community. Another example of this is e-seva offered in Andhra Pradesh. Andhra Pradeshs e-Seva project making easier for ordinary citizens of the twin city to get some of the documents etc.
As ecommerce grows, Internet needs to be made more secure. Effective protections are therefore needed, to provide the stability that must be built in by design, or the fall of an immense virtual infrastructure, can be faster than a building targeted by a terrorist in the physical world.
India has to be a part of this knowledge revolution by integrating its commerce into the realm of the digitally connected world. Abundant bandwidth capacity will therefore be required to link people to the large repository of knowledge and opportunities on the Internet.
As people become more and more network dependent for their commercial infrastructure, intelligent governance assumes unquestionable importance. It is expected that the Government adopts a leadership role, here. If encouraged, this leadership, will spread beyond governance, and work for society, at large.
Do the hardware and software we purchase
blindly from abroad compromise our national security?
How do these make our network insecure?
The news about the above agreement was posted on Cisco site in mid-1998. Shortly, there after this news was removed from the Cisco website. Of course privacy groups picked it up and some of this is still available in the archives of their discussions (in Google type Cisco Backs Backdoor for Internet Wiretaps). Gradually all this information which was readily available about backdoors and doorbells was removed from the Internet. (I happen to save and print some of these reports).
The above all is being done surreptitiously. However Microsoft Windows is another story. For a long time independent security experts have discovered some facts which suggest that Microsoft may have deliberately designed windows with a software key which gives National Security Agency (NSA, US government spy agency) easy access to every copy of windows installed anywhere, using holes in existing networking software. Please read some details at: < http://guide.vsnl.net.in/tcpip/columns/_nsakey/index.html>. Of course with Windows XP and now with Windows 2000 the licensing agreement which the user accepts gives Microsoft permission to transmit the information from users hard disk to Microsoft. The user has no control or say in the matter.
The above stated instances are the tip of the iceberg and most glaring examples of how our security is being compromised.
But the point I really want to drive home isit is not the fault of USA that we have this security issues. If we were in a similar situation we might have done the same. The fault lies with us for not being vigilant to know that this is going on even now and not taking the necessary steps to assure our own security and privacy.
The important issue is that those who are purchasing products must be aware and knowledgeable enough to know that there is a serious issue at hand and we need to start dealing with it by some national policy.
Even by trying to get assurance from vendors that this is not the case, may only result in the US government not allowing the export of such equipment.
No I dont see an easy way out of this.
Only real solution I see is to have a national plan for making such equipment (e.g. routers and software to start with) within the country. Not only for this issue but for the future needs of the countrye.g. Cutting-edge optical processing is being developed in Israel for the grandchildren of today's computers, with similar work in Europe. India must be ready for the future, as well as the present.
Post 11, Sept 2001 what are the chances
such keys are not built in the systems?
Couple of glaring examples:
The additional powers and funds available to NSA will make sure that they have the maximum advantage in spying on foreign nations. You can be sure that all the IT products being exported out of US have backdoors or doorbells in them.
What can India do? Do you have any plans
to educate the Indian legislators on this issue? How do you plan to Go
We have to have a national policy for developing if not complete hardware but the parts of hardware which are called firmware where software resides.
However to just do above is not going to work effectively to give us desired results.
What is ultimately going to work is the knowledge and awareness at individual levelfrom lay user to an expert about need for security.
Here is how to look at this. Internet or any Network as it is built now is a distributed system. There is no central control. This is the basic design of the network. So it is like a chain where computers are linked to each other. And like a chain each link is important and the chain is as strong as its weakest link. People are part of this chain too. So there knowledge about security is an integral part of the security of the network.
So from my perspective the real solution lies in education of the people at all levels about security issues. How can one be secure? What are vulnerabilities? etc. Too many specifics to enumerate here.
I am talking to two MPs who have shown interest in these issues. Part of my task is to educate them in these matters.
How about educating people and legislation
All this is possible because ISPs who run the networks do not know the implications of promiscuous mailers on their networks and their IPs. The result is that the spammers from e.g. US, Korea, or China, etc., use these to create a traffic jam on the network. A worse implication of this is that, mail from such a server will never reach 1/4 to 1/3 of Internet addresses as it is blacklisted in ORBD (Open Relay Data Base < http://www.ordb.org/ and most of ISPs in US rely on it to control spam) and in various shared and private databases around the world. There are now over sixty that are shared by various networks, plus private lists which cannot easily be discovered. A new distributed-database network adds hundreds more.
Based on blacklisting in these databases the offending mailserver is shutdown. Every time one is shut down by the misdirection of various government actions, ten spring up to take its place, because of consumer demand. The worst of it is that neither the ISP nor the user are likely to discover how much damage has been done. Spam is undermining the Internet, and wherever it is the worst, it causes the most hidden damages.
Again solution to this is not more legislationthough it is necessary, but making people aware of what spam is doing to their service.
TheGuide (http://guide.vsnl.net.in/sbc/ ) has a spam busting center and gives tips as to what to do at individual level to combat it. However more needs to be done to empower the user and also the network administrator. But most important is to have ISPs realize how this is hurting them, and worse is still to come.
What are the issues dear to your heart
which u would like to address in the coming months?
Traditionally, Switzerland was the secure neutral crossroads, strongly self-defended, but remaining the neutral meeting place for government and commerce. India is poised to take that same position in networking, but the strong self-defense must grow to the needs. The balance to keep international ties while establishing that growth is difficult, but not impossible. It will take will, work and wisdom -- a new acronym for WWW.
Here's India's greatest chance to become a world leader of an International Network Economy by creating the desired secured infrastructure. Let India not miss it!
weakest and potentially the strongest link. Software can be perfected
over time to become a strong component. Hardware can be engineered to
exceed needs. But people can always make a mistake, or better, catch a
mistake before it becomes damage.