Cyber security and malware are two sides of the same coin: the former tries to protect critical infrastructures, computer systems, networks and the like, while the latter exists to defeat that very protection. Malware writers are increasingly targeting digital assets to gain control over them and manipulate them for cyber attacks, cyber crimes and other nefarious activities. We have often heard of machines being turned into botnets, and of compromised systems being used to launch further cyber attacks, send spam or deliver malicious code, software and payloads. A simple query on a specialised search engine, or on an ordinary search engine with customised settings, reveals that the Internet is full of unprotected and insecure devices, SCADA systems and computers. Naturally, the critical infrastructures relying upon them are very vulnerable to various forms of cyber attack.
Malware has years of history and experience behind it with which to unsettle cyber security initiatives. As malware has evolved, its sophistication and impact have grown accordingly. Cyber security service providers and companies are finding it really difficult to match the might of this malware. Some samples are so advanced that they go undetected for many years after they first compromise their victims. Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher and Gameover Zeus (GOZ) are some examples of such malware.
The financial sector has witnessed its own share of malware. For instance, the notorious Carbanak malware was instrumental in stealing about a billion US dollars from financial institutions worldwide. The Vskimmer Trojan, capable of stealing credit card information from Windows systems, was already in circulation. Similarly, the Dump Memory Grabber malware targeted POS systems and ATMs of major U.S. banks. These malware have created havoc both in India and internationally.
Hardware-based malware is also common these days. Kaspersky has revealed in the past that intelligence agencies have been using stealthy spyware embedded in hard drive hardware. The affected hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, which makes their use a potential cyber hazard. Similarly, Lenovo was accused of pre-installing adware on its laptops. Nor can we ignore the killer USBs that can physically damage the system they are plugged into. Telecom equipment companies like Huawei and ZTE are already facing heat over the cyber security aspects of their telecom equipment in countries such as India and Australia. Huawei was also accused of breaching the national security of India by hacking a base station controller in AP.
Because law enforcement and intelligence agencies wish to engage in illegal and unconstitutional e-surveillance and spying, computer systems, mobile phones and their communications are not allowed to be secured and encrypted properly. For instance, Vodafone has confirmed that India has been using “secret wires” in the telecom infrastructure to engage in e-surveillance. The Indian Department of Telecommunications suppressed the whole incident with a mere assurance of an “investigation” whose findings have never been made public. This is why Indian mobile security is poorer than that of Pakistan, which uses much better secured communication systems.
There is no dearth of ideas and methodologies that malware owners can use. U.S. law enforcement agencies have been using fake cell phone towers to illegally intercept mobile communications and data. Surveillance hardware and software such as Stingray and Triggerfish are commonly used in the U.S. and other jurisdictions. It has also been reported that the NSA has been using radio waves and malware to engage in worldwide e-surveillance. Even anti-virus updates can be exploited to install malware on targeted systems. Thus, whether a computer system is online, offline or isolated, the “combined technique” of malware-embedded hardware, spyware, malware and radio waves can allow the NSA to obtain the “relevant information” with some effort. Unsurprisingly, the U.S. government is also the biggest buyer of malware in the world.
Clearly, besides having robust and resilient cyber security infrastructure, we also need self-defence mechanisms to prevent malware from infecting our systems. There are methods that can minimise cyber attacks and cyber threats from such malware, but 100% cyber security is not possible. However, there are limits to the legitimate exercise of self-defence, and beyond a certain point it ceases to be available. In the absence of an international cyber law treaty and an international cyber security treaty (PDF), that limit has to be judged and guided by the principles of private international law.
Nevertheless, complicated techno-legal issues in the fields of cyber law and cyber security will keep arising in the absence of international harmonisation. For instance, authorship attribution is a complicated subject that has to be settled before liability for a cyber crime or cyber attack can be imputed to an individual, nation or organisation. Similarly, whether a victim may launch its own cyber attack against the offender is still to be decided by courts around the world. The nature, scope and prevention of cyber warfare is another complicated area that cannot be resolved merely by recourse to the Tallinn Manual. For the time being, malware is clearly winning the fight against the cyber security vendors, and unless the “strategy and mindset” of security stakeholders changes, this will remain the norm for the next decade.
At Perry4Law Organisation (P4LO) we maintain a dedicated blog titled International Legal Issues of Cyber Attacks and Cyber Security. Its aim is to provide a techno-legal database of articles and opinions about the international legal issues of cyber attacks, cyber security, cyber crimes and cyber law. It is supported by the Centre of Excellence for Cyber Security Research and Development in India (CECSRDI). We will cover more techno-legal issues of cyber security, malware and international law on that blog.