National Security in Network Age

By Dr Raj Mehta


It is August 15, 2002—the Independence day. It has been 55 years that we have gained our freedom. Many things have changed. Perhaps one of the dramatic changes has been in communications. Indeed the world has shrunk into a “global village”. Today anything we do as a nation will affect not only our neighbors but rest of the world.

Internet/Data Networks have made lot of impact on our lives. But for dot-com bust we would have seen more of business activity moving online—making for speed and ease for completing tasks..

Is it safe to carry on online activities where sensitive information is passed on?

If my ordeal of having my identity stolen last year August, by some of the associates of Sept. 11 hijackers, and having to reverse the financial losses, is what is in store, my answer is not to carry on any online activities. Though I do not really known for sure how my Identity was stolen… but my online activities are very strong suspect.

This brings to question how secure is Internet? How secure are dedicated networks like e.g. Army, Navy or Air Force’s networks?

Form National Security point of view they are 100% insecure. The earlier we realize and do something about It will be in the best interest of India. Please read on…

Introduction:


What flows over the Internet is human knowledge. It is increasing at a pace never foreseen before in history. Accessing even a small part of this knowledge, involves sifting of enormous data. This requires growing capacities of high-speed data pipes (referred to as fiber bandwidth).

Commerce is built on that "knowledge". When a key commodity in the world was salt, even brutal force could not prevent salt from carrying forward commerce. Indeed, this is a reference to Gandhjii’s historic “Dandi salt march”. Not because commerce is the end-all, but because it is the way we have even today for cooperation that continues to benefit mankind.

With the unimaginable increase in knowledge that continues to gain momentum, it has become an essential part of our lives. And this repository of knowledge is distributed across the entire Internet. It is creating new business methods - from the website that sells products across global markets, to the vertical supply chain coordination of industry. Anyone not part of this digital worldwide network looses. Anyone who legitimately participates does gain.

Couple of wonderful example of this in India, gained international attention. Illiterate women in Madhya Pradesh uses the `Gyandoot' network for comparing prices prevailing in nearby markets. This empowers them with knowledge that enhances trade prospects for the entire rural community. Another example of this is e-seva offered in Andhar Pradesh. Andhra Pradesh’s e-Seva project making easier for ordinary citizens of the twin city to get some of the documents etc.

As ecommerce grows, Internet needs to be made more secure. Effective protections are therefore needed, to provide the stability that must be built in by design, or the fall of an immense virtual infrastructure, can be faster than a building targeted by a terrorist in the physical world.

India has to be a part of this knowledge revolution by integrating its commerce into the realm of the digitally connected world. Abundant bandwidth capacity will therefore be required to link people to the large repository of knowledge and opportunities on the Internet.

As people become more and more network dependent for their commercial infrastructure, intelligent governance assumes unquestionable importance. It is expected that the Government adopts a leadership role, here. If encouraged, this leadership, will spread beyond governance, and work for society, at large.

Do the hardware and software we purchase blindly from abroad compromise our national security?


Yes very definitely. It is an issue few have paid attention to in India and we have gone ahead starting to build networks using imported hardware and software.

When any computer or part of a LAN is connected to the Internet, there is a risk of exposure of all data on the computers. All become part of the global Internet just by being connected. These forms a chain where every link in the chain contributes to the strength of the chain ... and that people are part of that chain -- indeed -- part of the Internet. The people of India are her strength.

Both hardware and software are very complex systems and it is hard to be able to discern if they compromise (make available) information which was meant for only the eyes and ears of very few select people. Some computer systems hold databases of important information which in wrong hands can do lot of harm to people. Network… like Intranet and Internet are a communication channel and in the process the information can be communicated to anyone (especially if it is on a public network like Internet) as specified by the designers of the equipment or software.

How do these make our network insecure?


The story starts long ago but for our purpose we can pickup the thread in 1998. Lets us just consider The United States: US companies wanting to export Network related equipment and software were restricted before that time by USA laws to only being able to export low (easily breakable) encryption products. Where as customers abroad demanded high encryption products. US government (read here National Security Agency i.e. NSA – the spy agency for USA) required that to be able to export high encryption products the product makers should either give a key (to be able to read all the encrypted information) to them or provide alternate means to be able to read this information. In a landmark deal which was agreed by 13 major manufacturers of hardware/software (these include: Ascend, Bay Networks, Cisco Systems, 3Com, Hewlett-Packard Company, Intel, Microsoft, Netscape Communications, Network Associates, Novell, RedCreek Communications, Secure Computing and Sun Microsystems) agreed to build in a private doorbell in the products they made which on a command from NSA – so to say, flicks a “network control switch”, that makes the product surreptitiously record everything you type or do online before it is encrypted (e.g. a Cisco router software begins to surreptitiously record everything you type or do online). That information is bundled into a file that can be sent or picked up by NSA. Please note this was solution arrived at in mid-1998. In last four years we don’t know what other means have been developed to collect the information at will by NSA.

The news about the above agreement was posted on Cisco site in mid-1998. Shortly, there after this news was removed from the Cisco website. Of course privacy groups picked it up and some of this is still available in the archives of their discussions (in Google type “Cisco Backs Backdoor for Internet Wiretaps”). Gradually all this information which was readily available about backdoors and doorbells was removed from the Internet. (I happen to save and print some of these reports).

The above all is being done surreptitiously. However Microsoft Windows is another story. For a long time independent security experts have discovered some facts which suggest that Microsoft may have deliberately designed windows with a software key which gives National Security Agency (NSA, US government spy agency) easy access to every copy of windows installed anywhere, using holes in existing networking software. Please read some details at: < http://guide.vsnl.net.in/tcpip/columns/_nsakey/index.html>. Of course with Windows XP and now with Windows 2000 the licensing agreement which the user accepts gives Microsoft permission to transmit the information from user’s hard disk to Microsoft. The user has no control or say in the matter.

The above stated instances are the tip of the iceberg and most glaring examples of how our security is being compromised.

But the point I really want to drive home is—it is not the fault of USA that we have this security issues. If we were in a similar situation we might have done the same. The fault lies with us for not being vigilant to know that this is going on even now and not taking the necessary steps to assure our own security and privacy.


Is there a way out? Can we lay condition in our future purchases?


This is going to be a difficult issue to tackle. We are completely dependent on US supplying hardware and software. Though, we represent a significant market for US companies, but they are not dependent on us. It can possibly be done in case by case purchases.

The important issue is that those who are purchasing products must be aware and knowledgeable enough to know that there is a serious issue at hand and we need to start dealing with it by some national policy.

Even by trying to get assurance from vendors that this is not the case, may only result in the US government not allowing the export of such equipment.

No I don’t see an easy way out of this.

Only real solution I see is to have a national plan for making such equipment (e.g. routers and software to start with) within the country. Not only for this issue but for the future needs of the country—e.g. Cutting-edge optical processing is being developed in Israel for the grandchildren of today's computers, with similar work in Europe. India must be ready for the future, as well as the present.

Post 11, Sept 2001 what are the chances such keys are not built in the systems?


Since September 11, incident all civil liberties of even US citizens have been compromised in a way one can never think that it was possible in USA. Daily laws are being enacted which take away privacy.

Couple of glaring examples:

Echelon intelligence gathering organization is perhaps the most powerful in the world. Several reports suggest that this a global electronic communications surveillance system which is extreme threat to the privacy of people all over the world. Echelon captures large amounts of satellite, microwave, cellular and fiber-optic traffic, including communications to and from USA. This large quantity of voice and data communications are then processed through sophisticated filtering technologies. This massive spying system apparently operates with little oversight by legal entities. Moreover, the agencies that run Echelon have provided few details as to the legal guidelines for the project.

Recently, there have been agreement between US Government and anti-virus manufacturers agreeing to NOT detect government created Trojans such as keyloggers and their virus/worm/blackbag delivery systems. Basically they propagate like any virus or worm mailing it self to all the computers around the world and thus giving access to NSA to all the infected computers.

More and more powers are being vested in law enforcement agencies which compromise civil liberties. For example pre Sept. 11 it was unthinkable for anyone to be held in custody for more than 48 hrs without recourse to process of law in USA. Post Sept. 11 there are reported to be 1000 or more people being held without any access to courts to get any justice. This is the real world. Another recent example which relates to information technology is that only this week HP has sued a security research firm for disclosing a vulnerability in their Tru64 Unix Operating system under the DCMA of 1998—the copy protection law. At one time this would have been given proper credit and would have encouraged the company to improve the product.

The additional powers and funds available to NSA will make sure that they have the maximum advantage in spying on foreign nations. You can be sure that all the IT products being exported out of US have backdoors or doorbells in them.

What can India do? Do you have any plans to educate the Indian legislators on this issue? How do you plan to Go about it?


There are few things India can do to start with. For example ban the use of all proprietary software which is being imported e.g. Operating system. Use only open source software where Indian computer scientist can examine the source code and make sure that it does not have any backdoors or doorbells.

We have to have a national policy for developing if not complete hardware but the parts of hardware which are called firmware where software resides.

However to just do above is not going to work effectively to give us desired results.

What is ultimately going to work is the knowledge and awareness at individual level—from lay user to an expert about need for security.

Here is how to look at this. Internet or any Network as it is built now is a distributed system. There is no central control. This is the basic design of the network. So it is like a chain where computers are linked to each other. And like a chain each link is important and the chain is as strong as its weakest link. People are part of this chain too. So there knowledge about security is an integral part of the security of the network.

So from my perspective the real solution lies in education of the people at all levels about security issues. How can one be secure? What are vulnerabilities? etc. Too many specifics to enumerate here.

I am talking to two MPs who have shown interest in these issues. Part of my task is to educate them in these matters.

What are the issues dear to your heart which u would like to address in the coming months?


What I will say in next sentence may be construed to be presumptuous. I would like to see India to become the Switzerland of the Network age. Below are some of my thoughts as to how this may be possible:

Traditionally, Switzerland was the secure neutral crossroads, strongly self-defended, but remaining the neutral meeting place for government and commerce. India is poised to take that same position in networking, but the strong self-defense must grow to the needs. The balance to keep international ties while establishing that growth is difficult, but not impossible. It will take will, work and wisdom -- a new acronym for WWW.

Conclusion:


A dynamic policy for an effective digital security in the new Internet Millennium can establish India as a global centre for an International Network Economy. The cost of maintaining an effectively secure digital network infrastructure is lower than the cost of any remedial action, even when damages are comparatively small. Regions of the world that are prepared in this way will become a magnet for use of their infrastructure.

Here's India's greatest chance to become a world leader of an International Network Economy by creating the desired secured infrastructure. Let India not miss it!

PEOPLE–potentially the weakest and potentially the strongest link. Software can be perfected over time to become a strong component. Hardware can be engineered to exceed needs. But people can always make a mistake, or better, catch a mistake before it becomes damage.