Battling the bots (The Indian Express)

Alarm bells rang out on October 21 when large chunks of the internet in the United States and Europe were made inoperable. This happened because of a specific type of hostile attack, termed “Denial of Service”; this paralyses an organisation’s internet-facing servers (computers) by flooding them with artificially created traffic that has been dramatically scaled up. Here, the pin-point objective was to paralyse an online directory service organisation, Dyn, central to successful internet operation. The attackers hacked and took control of an estimated 100,000 low-end devices that can autonomously access the internet, directing them to overwhelm Dyn — and consequentially paralyse the internet.

The Internet of Things (IoT) was involved because the attack exploited very large numbers of ubiquitous low-end devices connected to the internet. This event was a chilling demonstration of the new vulnerabilities that attend the astounding growth of the IoT, and the central role of the internet as the digital nervous system of the interconnected machine and human experience. Technology, and the exploding range of services it enables, has consistently outpaced our understanding of the internet’s evolution and the systems designed to protect it.

In this case, the hijacked devices were primarily simple internet cameras that have become popular as security surveillance devices. Attackers easily hacked many of these and took control by introducing malicious code that repurposed these devices as “bot” devices — slaves to central controllers — acting then as an army of “bots”, sending volumes of spurious requests to the chosen target. The attackers exploited the fact that many such microprocessor-based devices are vulnerable and can be maliciously made to access the internet autonomously because built-in security barriers are inadequate or neglected.

In contrast, modern computers, laptops or other networking devices, where security is a major consideration in design architecture, with software properly updated, are more difficult to hack into, though not impossible. This was demonstrated by the well-documented hacking of computers in the offices of the Dalai Lama, where hackers took control of built-in microphones and cameras to eavesdrop on conversations and watch all visitors. But even when individual machines are hacked — with a loss of valuable information — they do not scale easily into an army of “bots”.

Low-end IoT devices are vulnerable because they are cheap commodity items; addressing security would require sophistication in design and add to the cost. This class of IoT items is proliferating with new applications, many useful, some frivolous; for example, many home appliances, thermostats, security and monitoring devices and personal convenience devices are part of the IoT. So are fitness trackers, certain medical implants and the proliferation of computer-like devices in automobiles.

The IoT is in its early stages and expected to expand exponentially — but new security challenges that must be addressed are daunting. Ultimately, solutions will be developed. But the ever-present gap between the growth of enabling technologies that lead and the lag in the required development of security safeguarding technologies is alarming. This lag phenomenon will not change. And the consequences are not easy to predict. But the events of the internet shutdown in October left cyber-savvy people spooked, including in the world of national security.

There are three standout issues: First, the threat scenario, that has long been a major “what if” concern for people who worry about such things, has now been demonstrated.

Second, if such an attack can be mounted with an estimated 100,000 captive “bot” devices, then what would the impact be with, say, one million devices or more, directed toward multiple critical targets? What if these attacks were directed at specific individuals, groups or organisations for economic damage, or to disable infrastructure with hostile intent? The effects could be crippling or devastating in terms of civil, economic or military impact.

The third is the concern about who was behind this attack — it is theoretically possible that a gifted but misguided teenager could be responsible. But that is highly unlikely. What worries security experts is the likelihood that a nation state, or its surrogates, were behind the attack. The capability demonstrated could be a prototype for a scaled-up attack on other critical parts of services and infrastructure dependent on the public internet.

The challenge is what can be done about this. Long-term solutions will require immediate operational actions and practices with longer-range initiatives, some policy driven. These will require shared responsibilities across a spectrum of players, from individuals to institutional and corporate entities and various agencies of the government.

The root cause is the vulnerability of devices where security has not been addressed as part of the original design, or indeed, provisions do exist but these processes have not been followed at the time of activation. It is critical that standards for device security must exist and compliance must be required for sale and operation. The most effective move would be to embrace the standards and protocols being adopted by technologically advanced economies of the West that have dramatically higher stakes and are developing safeguards. That will position India well for the future as its own reliance on the internet rises steeply.

But even that would be a partial solution since hundreds of millions of vulnerable devices are already out there globally — the IoT is not waiting to happen. An important step should be to assess the risk from all exposed devices and take actions to contain this. In some cases, the fix might be simple; replace default passwords by strong, unique passwords. But when security considerations are not well addressed, the only sensible action would be to either disable autonomous access or remove the devices altogether. Urgent action is an imperative — otherwise, we risk becoming collective victims of cyber-attacks or unwitting accomplices to these incidents, potentially with large-scale and serious consequences.

At a national level, more is needed. The imperatives are, first, to set policy, strategies and priorities to address this and other aspects of cyber security, including appropriate frameworks of laws and statutes. Second, it is vital to develop and set specific standards and provide guidance for compliance. Third, we must identify vulnerabilities and prioritise actions to protect critical infrastructure and operational capabilities. Fourth, developing and maintaining specific real-time interventional capability to address a cyber attack of this nature by pinpointing and containing it, and ensuring resilience for protection and restoration of capabilities, is important. Fifth, we must carefully think through protocols that will be necessary to manage such complex issues that cross organisational boundaries in real time — the ability to respond must not be hampered by internal boundaries and conflicting authorities.

Cyber security is a complex topic that requires a range of coordinated, dynamically adaptive actions where responsibilities span from individuals and organisations to national governments. The stakes are enormous. Cyber security is already a rapidly evolving frontier of vulnerability and threat. The option to do nothing does not exist.

