Over the years, hacking or the art of getting unauthorised access into computer systems has evolved unrecognisably. The paradigms of protection haven’t kept pace with the exponential progress made by hackers, thus making systems more vulnerable to attacks than ever before. Reasons for this include proliferation of applications, devices, user hygiene and quite simply the overwhelming complications of modern life.
Technology and the ease of hacking
Our smartphones, with access to official mails and other social media, also run other applications that can ‘record’ the key strokes. Similarly, the interaction between different applications – for instance, Facebook giving access to other portals – essentially creates the phenomenon of ‘roaming’ passwords i.e. one or two passwords that most users use across an array of applications. As networks expand and become more complicated, millions of devices like routers and modems get added to it and each of these devices bring with them their own vulnerabilities. At the basic level, each device needs to have a complex password, managing which becomes a nightmare. So invariably companies resort to some sort of a ‘password schema’, which by definition is easy to crack.
So despite the investment of billions of dollars for protection of computer systems – the truth is that it gets easier to access information with each passing year. We are at the terminal end of a protection doctrine that has outlived its time. The US offers proof of this paradigm obsolescence. A nation with the highest defence budget in the world (more than 25 countries put together) could not prevent the theft of their intellectual property by other countries whether it was their NextGen stealth fighter aircrafts or nuclear reactors. Nor could they prevent the ISIS from leveraging social media tools like Facebook, Twitter or YouTube – all of which are US companies. And they could not even prevent the largest data leakage episode in history – the Snowden leaks.
Social media and acess to information
Corporates are no better off in this. Despite much vaunted security investments – most experts concur that it is much likelier to lose massive amounts of information now, than it used to be even five years ago. Regular disclosures of major hacks by tier one technology companies like LinkedIn, Facebook, Instagram, credit cards and banks, whose business models hinge on data security and who can afford to spend far more than most corporates, is a testimony to this phenomenon.
So clearly more resources is not the answer.
Let’s take a look at the situation from another perspective. What are we trying to protect anyway? Be it private citizens, corporates or for that matter the government; our tactical, operational and strategic information has been hijacked long ago. Here’s how?
India’s information process
Our smartphones and personal computers have absolute access to personal/work mails, social media sites and other access portals like banking and travel. If we examine the information value chain– we come to the sobering reality that India doesn’t ‘own’ the chip that powers these devices, it doesn’t ‘own’ the operating system that runs it, it has no control over the thousands of applications that process the information, it doesn’t control the ‘pipelines’ that transport the information or own the servers where the information is stored and mined. Even the anti-virus or anti-malware software that assures us that our devices are safe – are not owned by us. Our citizens in the personal or professional capacities store their information in foreign clouds. Every individual’s physical location at each moment is known to companies like Google and Telecom service providers. Who you meet, which place you went to, how much you spent and what your deepest fears or secrets are is known to these companies anyway.
These private companies are free to harvest such information, sell or manipulate it at their discretion without any permission from their users. We sign such draconian terms of agreement at the time of creating our accounts and continue to sign away further safeguards because these companies are free to change the terms unilaterally whenever they choose and they do so regularly. At a strategic level, several of such companies are part of the US government surveillance and economic intelligence programs.
Clearly it is time to re-evaluate our beliefs.
Information security
The three pillars on which the information security is based on are: confidentiality, integrity and availability. Confidentiality means that only authorised people should have access to information. Integrity implies that there should be no possibility of tampering the information and availability means that the authorised user must have the information when he/she needs it. A decade ago, there was a rationale in placing emphasis on confidentiality and integrity. At that time, creation of information was expensive, and was a source of competitive advantage. But most of all – it could be protected. That latter scenario has changed completely. In the age of ‘Snowden threats’, protection technologies have diminishing returns. And no – the fig leaf of background checks doesn’t help because such checks only assure that the perpetrator has not committed data theft before. They, as in the case of Snowden or Bradley Manning, cannot predict or prevent future behaviour.
In the pursuit of confidentiality and integrity, the biggest casualty has been ‘availability’. It is getting increasingly harder to access your own information. Ironically, our company’s/country’s data being accessed by a competitor may cause some damage but far greater damage is being caused by our own data, not reaching us. This paradox would be funny, if it wasn’t so sad.
Thousands of government servants use Gmail or Yahoo accounts over foreign telecom channels for correspondence and yet there are many policies preventing sharing of information within the same departments. There are elaborate warnings against photography on airports and prohibited areas when Google earth can give a bird’s eye view of any such establishment. Sensitive government/corporate information is shared using third party like WhatsApp – foreign circuits. A private telecom service provider has complete visibility of troop movements, sensitive meetings or movements of senior leadership while elaborate charades are carried out to keep such information secret. The army still blacks out its formation signs and unit identities during mobilisation, when cell phones carried by each soldier reveal who and where they are. But perhaps the most damaging of all doctrines has been the government philosophy of ‘disconnecting’ its people from the internet. This ostrich syndrome has created an entire generation of technologically lobotomised officials.
Creating safe operating systems
It is not that solutions haven’t been debated and discussed. But unfortunately that is all which has happened. Ranging from ambitious plans to create own ‘safe’ operating systems to indigenous design and building of chips – the ideas haven’t fructified; and at this late stage probably never will. The entry barriers of economies of scale, intellectual property and in some cases, simply the accompanying ecosystems are so high, that attempting to recreate a Silicon Valley or Shenzen is out of economic feasibility unless the government invests billions in the form of subsidies and steadfast mind share. And even then, results will emerge only after decades – if at all.
We have to face the reality that Indian information networks are intractably dominated by the hardware, software, chipware and appware of foreign companies. If data is the new oil, we don’t own or control the oilfields, the pipelines or the refineries. Our current security paradigms may give us limited protection against the tactical threats like criminal hackers or non-state players but strategically our nation’s information jugular is in the absolute external chokehold. Any belief otherwise would be akin to peddling snake oil.
The author is Group President Reliance Industries and former CEO of NATGRID. He tweets @captraman. Views expressed are personal.