by Nirmal John
. . . consider yourself in the shoes of the Chinese generals. Here is an opportunity to seed the entire Indian electronic, telecommunications, and Internet grid with devices made by state-funded and run companies—devices that are essentially black boxes for Indian buyers. Devices that can have trojans coded into them so that they could be controlled or shut down at will by secret command.
An even grimmer picture can be painted for the future. Take the example of global cyberterrorism that is still in its early days. India has been a victim of terrorism for many decades now, but the country has not yet witnessed massive attacks of cyberterrorism. This is if you do not consider the use of the Internet, and social media channels, in particular, to recruit jihadis. But as cyber weapons trickle down from national security agencies and cyber-armies of nation states, there is no reason why they wouldn’t follow the same well-trodden route taken by Kalashnikovs and become a part of terrorist arsenal.
A case in point, as mentioned in an earlier chapter, is the rise of ransomware. Vulnerabilities that were being used as weapons by nation states are now available to hackers to create the Petyas and WannaCrys of the world. The image conjured up by the word ‘terrorist’ is still largely one of young men with AK-47s or bombs strapped to themselves. But, surely, it is only a matter of time before terrorists wise up to the deadly potential of technology to sow fear and educate themselves on using it to further their agenda. Engineers and coders among terrorists can do the job of disrupting the assets of countries or governments that they perceive to be hostile to their interests. This can be done with or without collusion of governments, by individuals simply acting on their own or by terrorist groups.
Malicious attacks on key infrastructure and databases can be expected in a conflict-ridden world where, instead of fighting with weapons in a proxy war, the citizenry—any ordinary person from among them—can participate in the attack without spilling blood, just by sitting in the comfort of their couches and chipping away at the networked assets of their perceived enemies. It is the democratization of terror, where anyone with the required knowledge, skill and an agenda can wreak havoc.
India has been at the receiving end of terrorism for many years, and that has, over the last two decades, spread to the cyberspace too. Pakistani hackers have regularly taken ‘credit’ for several of the breaches in security that have happened in Indian cyberspace. While most of this has consisted of low-level attacks, such as defacing of websites, the threat of more serious breaches is very real.
As a white paper from the cybersecurity firm Symantec points out, there is a distinction between cyberterrorism activities that use the computer as a tool to aid their offline agenda and the very real possibility of people who are exclusively cyberterrorists. What’s more, the combination of anonymity that the cyberspace offers and the simplicity of the weaponry—code—makes this far more difficult to fight than conventional terrorism. The Symantec report says:
. . . a successful cyberterrorism event could require no more prerequisite than knowledge—something that is essentially free for use to the owner once acquired, and an asset that can be used over and over again. Thus, it would be possible that such an environment could facilitate the creation of entirely new terrorist groups—no monies would be required for action, and members could organize themselves quickly and easily in the anonymity of cyberspace.21
Then there is the spectre of espionage too. A leak of 22,400 pages of data pertaining to a submarine deal of the Indian Navy was reported by The Australian in August 2016, which claimed that the information leaked ‘ . . . details of the entire secret combat capability of the six Scorpene-class submarines’. That includes ‘. . . the frequencies at which the submarines gather intelligence and the levels of noise the subs make at various speeds’. The leaked papers also contain ‘information on the submarine’s diving depths, range and endurance, besides its magnetic, electromagnetic, and infrared data’.22
The chief of Naval Staff, Admiral Sunil Lanba, said in September 2016 that the leak didn’t occur in India,23 and added that initial inquiries suggested the data was compromised at the French manufacturer’s end. That may be so, but that doesn’t mask the reality that there are foreign powers who would place a premium on getting hold of that data. Leaks that compromise national security can happen any time and anywhere. The question is, what can be done about them.
* * *
The solution that can help accelerate the country’s efforts to acquire better tools to protect both its military and civilian infrastructure is mobilization of the hacker ecosystem in the country. India, with its sizeable young and technologically savvy population, has one of the world’s most active and vibrant communities of hackers. The authorities need to start engaging with this population better than they are currently.
For most people, the hacker is a mysterious being. There is very little that the person on the street knows about the digital lock-picker, and much of the little they do know has been influenced by how the hacker is portrayed in popular culture. The term ‘hacker’ has become a complicated idea to comprehend. Its usage—alternating between reference to black hat and white hat hacker—means it conjures up an image that oscillates between something of an outlaw in the Wild West of the Internet and that of the sheriff in town.
Talk to those who are part of this community, and their frustration, particularly stemming from a lack of appreciation of what they do, comes to the fore. Most of them are hackers who are willing to engage with the government but have faced apathy from them. Take the case of seventeen-year-old Rahul (his name has been changed to protect his identity). The mild-mannered and soft-spoken Rahul spends a lot of time in the darker alleyways of the Internet, trying to grasp newer techniques. ‘I am always driven by knowledge. I hack to learn. To me hacking is finding the shortest path to traverse a problem; it has a meaning beyond computers,’ he says.
‘In our community, a lot of people have contacted various government agencies after finding vulnerabilities. Many a time you don’t get a reply at all from them. We are even asked to refrain from doing what we are doing or face police charges. Whenever I meet someone from the government in person and tell them about the government’s vulnerabilities, their reaction is always to immediately say they are secure and we don’t need to worry about anything. They outright deny everything,’ he says, with more than a tinge of frustration in his voice.
The threat of arrest by government agencies has made him wary of reporting vulnerabilities. ‘Now, even when I find a bug I don’t report it. They are already demotivating us. Why would anyone report a vulnerability when they are threatened with a jail sentence in return?’
This attitude needs to be fixed. The relationship between the government and the hacking community can be a mutually beneficial one. Governments as well as companies become cagey when people report vulnerabilities. The Information Technology Act clearly prohibits unauthorized access. Going by the letter of the law, there is no doubt that government agencies are right to feel aggrieved when the security they have put in place has been breached. But at the same time they need to learn how to handle talented programmers who find vulnerabilities that may lead to serious loss of data.
The United States runs several programmes which seek to involve hackers and other technology professionals under Defense Digital Service, run by the United States Department of Defense. These include bug bounty programmes that challenge hackers to find vulnerabilities ‘across operationally relevant systems’. Technology publication TechCrunch quotes Chris Lynch of Defense Digital Service: ‘The whole idea of “security through obscurity” is completely backwards. We need to understand where our weaknesses are in order to fix them, and there is no better way than to open it up to the global hacker community.’24
There is an urgent need for such programmes in India too, where the muscle power of Indian hackers can be channelized to improve security. Currently, there are only a few public-facing programmes that involve Indian hackers, and that needs to change. The government needs to invest further in understanding and channelizing their energies.
That change could start with an effort to understand the psyche of hackers and what motivates them. There are several reasons why a large number of hackers from around the world like watching the Golden Globe-winning American television series Mr Robot. For one, nonsensical mumbo jumbo doesn’t pass for code when hackers do their thing on the screen. The techniques of hacking that are shown on screen are real, and so is much of the code that flashes on the monitors. Mr Robot is a world away from the stereotypical, almost comical, portrayal of hacking that is de rigueur in most shows and movies. The creators of the show have taken immense pains to pay careful attention to detail. That is attractive to uber-nerd programmers, hitherto the butt of geek jokes on shows like The Big Bang Theory, who identify with the show and its plot.
Another, perhaps an even more pertinent reason, is that Mr Robot beautifully captures the conflicts arising from the innate sense of idealism that drives many hackers. The central character, Elliot Alderson, portrayed brilliantly by Rami Malek in a multiple award-winning turn, is a hacker in the throes of conflict.
The story takes the viewer through his transformation. He works by day at a cybersecurity firm, and uses his skills at night to fight paedophilia and other ills of the society to become the force behind a vigilante group, FSociety, which takes down E Corp, the comic-book villain-esque representation of the evil corporation encapsulating everything wrong with capitalism.
There is something about Elliot’s character that most hackers identify with, and it doesn’t really matter if the hacker is a black hat or a white hat. The sense of idealism and an overwhelming belief in the power of technology to set right the ills of the society is real, and that is what drives many young coders. Hackers tend to have an acute, heightened sense of what is right and what is wrong, and much of their behaviour is based on how they interpret what they see as injustice or unfairness.
There is a certain duality that extends to the choices they have too. There is a time when they are presented with the option to go mainstream and fight or stay under the radar and do their thing. A heightened sense of social injustice is one of the characteristics that underpins many hackers, in particular the hacktivist kind that get together in collectives like Anonymous, and this, along with their genuine patriotism, needs to be tapped.
This is something of a starting point for governments. As Mr Robot puts it, ‘The world is a dangerous place, Elliot, not because of those who do evil, but because of those who look on and do nothing.’
CHAPTER 8
WHITE HAT IS GREENBACK
The Business of Securing Data Is Booming
Fear. Urgency. Desperation. Panic. The themes that dominate that call for help are almost always the same. Pretty much everyone working in the cybersecurity business knows what it is to get that call, especially in the middle of the night. There used to be a time when break-ins were reported first to the police. But with crime itself changing in nature, the way it is reported is changing too. The cops aren’t in control when it comes to new-age crime and theft of data. Dialling 100 may not get you far when it comes to data breaches.
Saket Modi has been receiving these calls for a few years now. Modi is a baby-faced young man in his twenties who boasts an easy charm. His company is named Lucideus. It is a mash-up of two names from the ancient scriptures—Lucifer, the Latin word which came to be used to describe the devil, and Zeus, the supreme Greek deity who, among other things, dispensed justice.
The mash-up is meant to be a reference to how the ‘bad’ and the ‘good’ come together online. Modi’s earlier office in Safdarjung Development Area market near IIT in Delhi was small and tastefully appointed in white (perhaps to accentuate the idea of the white hat hacker). He has since moved to a new, much larger space in Okhla, still tastefully appointed, still in white.
He started out when he was in his teens, helping companies investigate breaches and shore up their cybersecurity. His carefully constructed reputation as a young white hat hacker brought him many projects over the years. These days he is among those advising the Government of India on matters of cybersecurity.
Most of his projects for companies started with a call from a panic-laden voice. Modi particularly remembers one call from nearly five years back. It was the chief executive of one of India’s largest services companies at the other end of the line. The CEO introduced himself. He had met Modi on the sidelines of a conference; they’d exchanged visiting cards, and the chief executive had fished out Modi’s card to call him.
‘We think we are in major trouble. How quickly can you fly to Bengaluru?’
Modi was used to such requests from panic-stricken executives. He asked for a bit more context on what exactly had gone wrong.
‘The CEO of one of my top five clients, who is a huge name internationally, called me earlier today. He asked me to immediately stop all the operations I was doing for his company. He didn’t explain why. He just said that he will be calling me later to explain further.’
This was a client that contributed a very significant chunk to the Indian company’s top line. There were hundreds of employees from the Indian company working on the client’s projects.
‘I suspect there has been a breach, because of which all this could be happening. There are a few other things that would explain this reaction from the client. The truth is, I can’t afford to lose this client under any circumstances,’ the executive confessed.
Saket Modi took the next flight to Bengaluru.
It was when he reached the office of the chief executive that Modi realized he wasn’t the only one who had got a call from him. There, sitting in the conference room and waiting to be briefed, were cyber-forensics experts from big accounting firms and other security researchers like himself.
Even though this was par for the course for how Indian companies react in such situations, Modi says he was taken aback. He says it has become common practice when investigating breaches: after an incident, the targeted company invites the names known to have cyber-forensics experience for a briefing, and then gives the job to whoever bids the lowest. The question he asks is whether matters of security can be treated like any other supplier relationship, especially in a crisis.
This is probably how things work in many Indian corporations but, as he points out with evident displeasure, that is not how security and breach protocol should work, particularly in a crisis. ‘Security is not an L1 business.’ (In Indian procurement, L1 is the lowest bidder in a tender.)
The chief executive briefed the gathering about the situation. There had indeed been a breach. He was looking for partners who could immediately deploy resources to find the vulnerabilities that had led to the breach and could help plug them. That was the only way he could convince the client not to terminate the contract.
Modi ended up with the project even though his quoted fee was high. He flew in his team from New Delhi and, during the investigation, found several vulnerabilities in the organization that had resulted in the breach.
The team started by poring over the access logs, which record every request made to the company’s web servers: which file was requested, from which address, and when. They then isolated the segments of the network that had been compromised and sandboxed the malicious code they found there. That meant running it on a separate machine, not connected to the company’s main network, so that its behaviour could be observed and tested without putting anything else at risk.
The idea behind doing this was to deduce whether there were patterns in the type of data that was being taken. If they could unearth a pattern, it could theoretically lead them to the hacker.
Unfortunately, as in many such instances, Modi says, he couldn’t identify the source of the breach: its origins lay beyond Indian borders, hidden behind a long chain of intermediary IP addresses. His team couldn’t definitively pinpoint the attacker’s location, but they pushed the chief executive and his company to shore up every single facet of its security protocol.
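The first step described above, reading the access logs for a pattern in what was taken, is routine enough that it can be sketched in a few dozen lines. The script below is an added illustration, not code from the book or from Lucideus. It parses web-server access logs in the Combined Log Format that Apache and nginx write by default, groups requests by client address, and flags clients whose behaviour looks like bulk collection rather than normal browsing. The sensitive path prefix, the working hours, the thresholds and the sample log lines are all assumptions made for the example.

```python
"""Access-log triage: find clients whose requests look like bulk exfiltration.

Added example, not the book's or Lucideus's code. The log lines at the bottom
are constructed for the illustration; the prefix, hours and thresholds are
assumptions a real team would replace with their own.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

SENSITIVE_PREFIX = "/projects/client-acme/"   # assumed: where the client's data lives
WORK_HOURS = range(9, 19)                      # assumed: 09:00-18:59 local time


def parse_line(line):
    """Return one log record as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarise(lines):
    """Per-client counters: requests, distinct sensitive files served, bytes, off-hours hits."""
    stats = defaultdict(lambda: {"requests": 0, "sensitive_files": set(),
                                 "bytes": 0, "off_hours": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines rather than abort the run
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] >= 400:
            s["errors"] += 1
        # Only successful fetches count as data actually leaving the server.
        if rec["path"].startswith(SENSITIVE_PREFIX) and rec["status"] == 200:
            s["sensitive_files"].add(rec["path"])
        if rec["time"].hour not in WORK_HOURS:
            s["off_hours"] += 1
    return stats


def flag_suspects(lines, max_files=5, max_bytes=5_000_000):
    """Return {ip: [reasons]} for clients whose pattern looks like bulk collection."""
    suspects = {}
    for ip, s in summarise(lines).items():
        reasons = []
        if len(s["sensitive_files"]) > max_files:
            reasons.append(f"{len(s['sensitive_files'])} distinct sensitive files")
        if s["bytes"] > max_bytes:
            reasons.append(f"{s['bytes']} bytes served")
        if s["off_hours"] and s["off_hours"] == s["requests"]:
            reasons.append("all activity outside working hours")
        if reasons:
            suspects[ip] = reasons
    return suspects


def _line(ip, when, path, status, nbytes, ua="Mozilla/5.0"):
    """Build one constructed Combined Log Format line."""
    return f'{ip} - - [{when}] "GET {path} HTTP/1.1" {status} {nbytes} "-" "{ua}"'


# Constructed sample: an employee browsing during the day, and an outside address
# (TEST-NET-3 range) pulling a dozen export archives with curl at 2 a.m.
SAMPLE_LOG = [
    _line("10.0.4.21", "14/Mar/2017:10:02:11 +0530", "/projects/client-acme/specs/rev3.pdf", 200, 182_000),
    _line("10.0.4.21", "14/Mar/2017:10:05:40 +0530", "/projects/client-acme/specs/rev3.pdf", 304, 0),
    _line("10.0.4.21", "14/Mar/2017:11:17:03 +0530", "/intranet/holidays.html", 200, 4_100),
] + [
    _line("203.0.113.77", f"15/Mar/2017:02:{i:02d}:05 +0530",
          f"/projects/client-acme/export/batch{i:03d}.zip", 200, 900_000, ua="curl/7.52.1")
    for i in range(12)
]

if __name__ == "__main__":
    for ip, reasons in flag_suspects(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed sample, only 203.0.113.77 is flagged, for all three reasons. On a real server the same counters are computed over the full log window, and the flagged addresses become the starting point for the next step in the story, isolating the segments those requests reached.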
The client kept its work with the Indian company suspended for a month, while Modi and his team overhauled the Indian company’s security system. A month later, Modi had a call with the CEO of the company’s international client to detail the steps they had taken to make sure that breaches such as the one that had happened would not recur. Later, the client sent a team to audit the changes, and only when it was satisfied did the client allow the company to resume work on its projects. It cost the Indian company thousands of billable hours, not to mention damage to its standing with the client.
* * *
Much of the naivety that underpins the responses to breaches by Indian companies is because of their lack of a coherent incident-response plan. Most Indian companies, particularly the small and medium enterprises, don’t have a breach protocol. When it does become apparent that there has been a breach, most leaders are left flabbergasted.
How should a company respond to incidents of data breach? Who are the people within the company who should make the decisions on it? Whom should they contact to investigate the breach? Is there anything to be gained by going to the cops? What is the public relations strategy going to be? There are plenty of questions that swirl in the vortex of the storm that a security breach entails.
Many victims, security researchers insist, are not even in a position to know whether or not a breach has happened. Vulnerabilities are unknown because security audits don’t happen periodically, as they should. Malware has been known to sneak in and stay in the system undetected for months on end.
Atul Gupta of KPMG compares the usual reaction of Indian companies to individuals faced with health problems. ‘The only thing that an individual looks for when there is a health complication is the right kind of care. Organizations really get to that stage. How do you work to avoid that panic?’ Airline crews are extremely well equipped to handle a panic situation, and that is what Gupta points to as a model to follow. ‘Incidents are bound to happen, whatever you do. How you manage the situation while the attack is on will determine its impact. If you do panic, things are going to get really, really bad.’