Cyber Threats And You

Updated: Jan 24 2003, 05:30am hrs
Ever since the unfortunate accident on September 11, 2001, the world in general, and the technical world in particular, has become overly concerned about cyber threats. A series of media reports have added to the paranoia in certain quarters. For example: Cyber crime leading to a reported loss of $ 43 billion by G-8 countries alone; reports of e-mails sent to all chosen heads of states from adolf@hitler.com; Pentagon sites undergoing Denial of Service (DOS) for three hours; Barc site getting hacked; reports of SMS from Veerappan! And even e-Jihad!

In turn, this has led to extreme worry in some quarters. They are worried of a war with e-bombs; they want the design of cyber safety zones; they want governments to initiate an army of cyber soldiers; they want legislation to punish those committing cyber crimes; in turn, a cyber insurance industry would get created!

On the other hand, there are others who feel that the threats are over-stated. A spokesperson of the US government opined that while many computer networks remain vulnerable, few critical infrastructures are equally vulnerable. Some even go to the extent of stating that cyber threats are similar to Y2K threats the worst mistake by any computer system on account of Y2K was to send a reminder to a 104-year old woman to enroll in kindergarten!

From a technical perspective, cyber threats come in many forms. The least damaging ones are SPAM, unsolicited junk mail; more damaging ones include malicious code a virus with the potential to damage files and worms that get into the system and start hogging resources, leaving the system to serve only the worms! Other attacks are cyber squatters (who pose as your site and get all requests to your site URL), electronic stone throwers, who hack your site and disfigure the opening page of your site (often leading to embarrassment like showing the Pakistani national flag on the Indian prime ministers site). Still others steal user information by accessing your site system files and sometimes steal programmes from the secure computers of software development houses. To make matters worse, there are a whole bunch of tools and software that make the efforts of these hackers easy. For example, a script can help a potential hacker to peep into the network traffic and steal passwords effortlessly! Such scripts are freely floating on the Net.

The more dangerous hackers can go to the extent of using the networks to transfer money into their account, even put in place a system to steal minuscule amounts (that may go unnoticed) from millions of users. With software controlling many technical systems, like power plants, nuclear reactors and weapon systems, the more deadly sins could be the tripping of power transmission, nuclear reactors or even remote firing of arms from ones own home!

Policy planners are constrained by the lack of intimate technical knowledge about the inner workings of such cyber crime activities. The former dean of the Kennedy School of Government, Harvard University, went to the extent to state that, Policy planners are forced to decide on issues that they do not understand and whose impact they cannot understand. Gartner Consulting pointed out that key difficulties include the sophistication of hackers, non-availability of tools, the refusal of managements to accept the threats and the insufficient money spent on protection against cyber attacks.

Given this background, what is urgently needed is a pragmatic approach that starts with a mindset that accepts cyber threats as one more threat a threat that comes with the power of the internet, the way the technology of flying led to threats from air (like the 9/11 disaster). With a mindset change, one needs to approach the threat scientifically, through a process of assessment, measurement, and monitoring tools. Luckily, these are available today, but there is a lack of education at different levels to appreciate and prepare one against such threats. One laudable attempt in this direction is the emergence of BS 7799 standard from the British Institute of Standards that provides a systematic way to assess and protect against cyber threats. It is a starting point. There will be many such initiatives in the coming years. But like all threats, cyber threats, too, will be controlled over the years.

The author is the Director of the Indian Institute of Information Technology, Bangalore. The views expressed here are personal. He can be contacted at ss@iiitb.ac.in