THE RECENT HACKING OF THE Kundankulam nuclear power plant in Tamil Nadu, India again brings the issue of cybersecurity threats and their terrifying potential for cyberwar between nations and asymmetrical cyberwar by non-state actors to the fore. United Nations Secretary-General Antonio Guterres issued a warning last year, “Episodes of cyber warfare between states already exist.
What is worse is that there is no regulatory scheme for that type of warfare.” The cyber looting of $1 billion from the Bangladesh Bank exposed another kind of threat that has the potential to rain destruction on a country without overt violence by merely destroying its financial system.
Cyberwarfare at different levels of intensity is at the height of cybersecurity concerns, which also affect nations and socials at various levels. It helps start with a look at the array of threats before going into the policy dimensions. Cybersecurity threats can be classified for the purpose of this discussion into four levels with varying degrees of threats with some overlap.
The highest are threats that can be escalated to the level of cyber warfare and these exponentially increase the risk of asymmetrical warfare. In a conventional, for example, war bombers, missiles and artillery along with their support systems can be required to destroy industrial complexes, communications infrastructure, railway networks and a power and water supply systems. But it can all be accomplished without the need for any weapons by hacking into computer systems controlling them.
Within this category of cyber warfare, the most dangerous threat would be a nuclear catastrophe engineered through hacking civilian or military nuclear facilities.
Although it was ostensibly meant to be a nuclear disarmament effort, the attempt to cripple Iran’s nuclear fuel generation using the infamous Stuxnet virus demonstrates the capabilities for nuclear sabotage. These possibilities point to the enormous offensive capabilities nations, as well as non-state actors, can wield.
Former United States Defence Secretary Leon Panetta has summed up the risks at this level warning of a “cyber Pearl Harbour” – an allusion to the devastating Japanese attack on Hawaii that caught the US unawares and brought Japan into the Second World War.
The level of cyber threats below that – which are political but have the potential to rise to the higher level – are those that can create havoc in the political and civic systems. The higher level of this verging on cyber warfare would be the hacking into the voter list (accepting that the voting system itself if safe due to the paper trail) because of the potential for regime change.
The hacking of government systems to issue fake orders, change or destroy records or to interfere in personnel matters is another aspect of the threat at this level.
Consider at this level also the use of social media to create civil disturbances or encourage activities that paralyse governments and cause huge losses of lives and property and destroy the social order. (The role of social media in Egypt and Ukraine would be examples of this, although some would try to make the distinction between what they consider noble causes and those that they would disapprove of like the Russian use of social media to try to disrupt the 2016 election in the US. This could echo the “who is a terrorist” debate – making a distinction based on motives rather than actions.)
Major financial and economic crimes with no direct or identifiable political motive, but would fall into the third tier. Theft of intellectual property from businesses or research institutions would be a major subset of this (although sometimes they can also have military or political aspects when the targets have military use).
Then there are what appear to be crimes of opportunity the cyber heist of about $1 billion from Bangladesh Bank in 2016 and the $13.5 million cyber theft from India’s Cosmo bank. At this level are the ransomware attacks that shut down government operations at the local level as well as the British shutting down local government computer systems in the US and the British health system and demanded payments to restore them.
But such attacks can rise to the level of cyber warfare if they are used to sabotage a nation’s financial infrastructure, crippling its functioning. And then there are low-level cybercrimes that affect individuals and businesses and institutions with small stakes.
A comprehensive national cybersecurity policy would have to have several approaches to the different types of threats. While social media is at centre stage in most of the discussions about cybersecurity and the impact on societies and politics, the norms for dealing with inevitably collide with issues like freedom of expression and control exerted by powerful multinational corporations. Therefore, leaving them aside here is a look at the policy perspectives for dealing with more pressing issues of cybersecurity.
The most important action needs to be at the political and diplomatic levels in promoting an international legal regime for cyber uses with military potential. The United Nations has been trying to come up with a framework for this with an experts’ group but has not made any concrete moves, even though most major nations have expressed support for this.
The General Assembly has adopted resolutions on the Creation of a Global Culture of Cybersecurity in 2002 and 2004, the second one dealing specifically with the protection of infrastructures, which are but seminal efforts. While warning about the risk of cyberwar, Guterres wondered if the Geneva Conventions on international conduct in conventional war can be applied to cyberwar.
The suggestion by Microsoft president and chief legal officer Brad Smith for a Digital Geneva Convention on Cybersecurity could be a starting point. He proposes a treaty like the Fourth Geneva Convention that deals with the protection of civilians during times of war which has been signed by 196 countries.
His proposal goes beyond the protection of civilians, businesses and critical infrastructure to restraint in developing cyber weapons, a commitment to nonproliferation of cyber weapons and limiting any offensive action to avoid a “mass event.”
Some of the issues in developing international norms for cybersecurity reflect the dilemmas of nuclear weapons use and disarmament and complicate their development. For example, there is the question of no-first-use, which the US has ruled out.
Where India should focus its diplomacy is on consensus building on key issues by disaggregating them from contentious East-West issues of freedom of information and human rights to focus on overarching issues of military use.
Side by side with this is pushing for international action against non-state actors getting and using cyberweapons. Those noble ideals, but at a practical level countries like India have to develop both defensive and offensive cyber capabilities – and one has to presume that is happening.
Alongside this, military doctrines on deployment and use of cyber capabilities is a new area that requires development intellectually. At the domestic level, cybersecurity policies have to first aim to develop a culture of cybersecurity and propagate them. And then comes enforcing cyber discipline.
It is essential to quarantine critical systems from the internet completely to protect against intrusions; this is supposed to be in place for the critical elements of the nuclear power plants.
Higher levels of security for important offices requiring the use of special telecommunications equipment is essential when they have to communicate across phone and internet systems. (Officials at certain levels in the US are required to use special phones – which President Donald Trump reportedly often does not to the consternation of security officials who have reported finding intrusion devices planted in the nation’s capitals believed to be by foreign countries. His predecessor Barack Obama had to accept limitations on using his favourite Blackberry.)
Officials and diplomats often use commercial mail like Gmail for official communications, which can be risky and should be avoided. Where official equipment is used for social media as part of official business, norms should be set for security software.
It is also important to develop and enforce norms for cybersecurity for the private sector, especially for financial and other important sectors. As with government sector, audits and rules for disclosure of risks must be developed and enforced. Ultimately a lot of this comes down to personal responsibility and that is where the propagation of the culture of cybersecurity is important.
A major threat to cybersecurity also comes from the vulnerability of cyberinfrastructure hardware. Satellites have been subverted through software-based attacks and the ubiquity of their utilisation for virtually everything from weather prediction and communications to navigation and the military raises a dire warning about their destructive potential.
A corollary to the cyberwar potential based on software is the threat of a physical attack against the hardware infrastructure. Taking down communication satellites or destroying undersea cables would be examples of such attacks with devastating consequences.
Taking the space threat seriously, President Donald Trump has created the Space Force.The Outer Space Treaty is focused on weaponisation of space, but what is needed is a more comprehensive international regime to protect vital assets in space.
In a paper for the UN Institute for Disarmament Research, Rajeswari Pillai Rajagopalan, an expert on cyber and space issues has suggested that the UN Disarmament Commission could be the starting point for future regulation to protect space hardware security.
An international regime to deal with terrestrial infrastructure hardware also is an area awaiting exploration.
— Arul Louis
(The writer, a New York-based journalist, is a non-resident Senior Fellow of the Society for Policy Studies. He can be contacted at email@example.com and followed on Twitter @arulouis. He is a former news editor and columnist of the technology section of the New York Daily News.)
(This article has been reproduced here in arrangement with the South Asia Monitor. It can be accessed at https://southasiamonitor.org)