Monthly Archives: January 2017

CIA Has Been Issuing Computer Security And Cyber Security Warnings Since 1968

CIA Has Been Issuing Computer Security And Cyber Security Warnings Since 1968Cyber security is not an easy task to manage especially in the contemporary times. Cyber security is not just technical part but it also includes the legal aspects as well. This is the reason why cyber security is a techno legal field. We have been treating cyber security as mere technical field for long and this is not producing any productive results.

For instance, the Central Intelligence Agency (CIA) of United States has been struggling to deal with cyber security and computer security since 1968 and much before. At least the official records about CIA’s involvement in the cyber security fields goes back to 1968 where CIA issued a cyber security warning to US government. This makes it almost 50 years of concern and expertise for CIA in the field of cyber security.

So it would be safe to conclude that US government is seized with cyber security related issues at least since 1968. And if US government is still concerned about cyber security, it means that by and large our cyber security efforts have failed to achieve the required goals. Meanwhile, President Donald Trump is about to sign an executive order to strengthen US cyber security capabilities. This is in addition to the transborder hacking and search powers of the Federal Bureau of Investigation (FBI) that gives the US law enforcement agency long arm jurisdiction. Despite all cyber power, US still believe that cyber warfare is undermining its traditional defenses.

The problem with a sophisticated and global cyber attack is that we cannot ascertain the authorship attribution with certainty in almost all cases. For instance, US has accused Russia of manipulating its elections results through cyber attacks whereas Russia has accused that CIA has hacked the Kremlin. Who is speaking truth and who is speaking falsehood is not easy to ascertain in these circumstances.

As per the media report, the U.S. government has been in the cyber security business for many decades. In 1968, the CIA added a computer security subcommittee to the U.S. Intelligence Board, a government wide body convened by the CIA to coordinate intelligence efforts. The US intelligence community has been dealing with many of the problems of access control, physical security, contractor access, data verification and other issues that continue to plague government agencies even today. So the cyber security problems are persistent and ever evolving and this is the reason why laws of various countries are not even close to resolve such complicated cyber issues.

In February 1969, subcommittee participants were instructed to list in order of priority their computer security problem areas. The NSA member said that access control topped the list, followed by computer malfunctions, information classification and physical security. An Air Force member wanted to prioritise the development of a method to securely erase the drums of magnetic storage tape containing highly classified information, when those tapes needed to be decommissioned. The Navy concurred in this judgement. The Defense Intelligence Agency sought to come up with a working definition of a system and its components as a first step to developing a computer security standard.

In one memo, the group examined the security threats posed by the possibility of hostile exploitation of weak points in the computer operations of the intelligence community. In assigning this task to the Subcommittee, the Security Committee requested that the Counterintelligence Staff of CIA be asked to report any known cases where hostile services had attempted to exploit the security vulnerabilities of the computer operations. In addition, the Subcommittee was asked to study any possible threat of hostile penetration of the computer operations.

The memorandum also warned about the Soviet Bloc that had interest in the American computing technology. This means US was on loggerheads with Russia regarding computing technology and cyber security at least since 1968. So cyber espionage and cyber warfare are not new concepts but just new definitions for the old forms of computing espionage and cyber attacks.

The Subcommittee asked CIA counterintelligence personnel to look for possible examples of intrusion or exploitation by rivals. According to the memo’s findings, the CIA and the FBI “were able to provide information on several cases involving hostile attempts to exploit either personnel associated with Community computer operations or personnel employed by American computing manufacturers having potential contact with government operations.”

Additionally, that report confirmed the existence of vulnerabilities in intelligence community systems that were postulated as possible threats in a draft of a classified Defense Science Bureau Task Force report from January 1970 — including one flaw that allowed for system-wide memory dumps to be initiated by programmers who were only supposed to have limited access. Another bug from back in the days of magnetic tape storage allowed users to bypass storage protection features of the IBM 360 system to access program data.

Information and communication technology (ICT) has significantly changed since 1968 and many more layers of complications and complexities have been added. This discussion by CIA is a hint how the future of computers, Internet and ICT can be changed by States and State actors forever.

Source: IoT And Smart Cities Forum Of India.

National Critical Information Infrastructure Protection Centre (NCIIPC) Of India Needs Rejuvenation

National Critical Information Infrastructure Protection Centre (NCIIPC) Of India Needs RejuvenationThese days more and more critical services are connected with and controlled by computers and other information and communication technology (ICT). As a result they are also vulnerable to sophisticated cyber attacks from around the world. Malware have evolved to such an extent that many times they are not traced for years and the cyber attacks keep on stealing sensitive and crucial information. This is a troublesome notion when critical information infrastructures are involved as the stakes are very high there.

We at Perry4Law Organisation (P4LO) believe that critical infrastructure protection in India (pdf) needs a more focused and extensive cyber security protection. We have recently provided cyber security trends of India 2017 here and here and even there we have mentioned the significance of critical infrastructure protection (CIP) in India. Indian government has still to do extensive work regarding ensuring cyber security in general and critical infrastructure protection in particular.

But in a very positive development, Indian government has already established the National Critical Information Infrastructure Protection Centre (NCIIPC) of India. The NCIIPC is also working to ensure robust cyber security for Indian critical infrastructure. However, for reasons best known to Indian government, NCIIPC seems to be a half hearted approach so far. Even the website of NCIIPC has little to offer regarding scope, nature, expertise and purpose of NCIIPC. We at Perry4Law Organisation (P4LO) believe that NCIIPC needs to play a more pro active and extensive role in present cyber security scenario of India.

Till the end of 2016, the cyber security infrastructure of India is not in a good shape. We have to cover a long road before India can be considered to be even moderately cyber secure. While India can afford to be little bit lax regarding general cyber security yet cyber security of CIP needs urgent attention of Indian government. For instance, using telemedicine and online healthcare systems without robust cyber security is inviting troubles of all sorts. In fact, healthcare industry and its infrastructure can safely be considered to be a critical infrastructure. Similarly, banks in India must be treated as critical infrastructure and cyber security must be accordingly managed. Mass usage of digital payments without cyber security would create lots of trouble for India in the long run. In these circumstances, role of NCIIPC must be more pro active than the present one.

There are many startups and entrepreneurs that would explore fintech and critical infrastructure related business activities in 2017. They would need strong cyber law and cyber security laws on the one hand and an authority to protect their critical infrastructures on the other. Similarly, cyber security breach disclosure norms would also be required so that CERT-In and NCIIPC can protect Indian infrastructures and systems in a better manner.

Perry4Law Organisation (P4LO) requests Indian government to consider these suggestions on priority basis.