Business Daily from THE HINDU group of publications
Monday, Jun 16, 2008
eWorld - Security
Info-Tech - ISPs
Columns - Security Musings
Serious about security

R.K. Raghavan

European governments firm up resolve to guard cyber space.

V. Sreenivasa Murthy

No entry for anti-social elements.

Three conferences held in Europe recently confirm that governments on the Continent are serious about cyber security. While one was somewhat low profile and might not have had any measurable impact on efforts to weaken marauders in cyberspace, the other two were promising and imaginative. The first of them, a three-day NATO Summit in Romania, was expected to deal at length with the subject of securing surfers and come out with some radical measures. Surprisingly, however, it made only a cursory reference to the problem and stopped with a pious declaration that the alliance would strengthen cyber defence and share best practices.

This perfunctory treatment of a menace that is growing in dimension has surprised many observers, especially because one of NATO's new members, Estonia, was subjected to a major cyber attack just one year ago and the country took some time to recover from the shock. This tiny Baltic republic is a highly computerised nation and its economy nearly ground to a halt in April 2007 after a series of denial of service (DoS) attacks from across the border.

Estonia believed that the source of attacks was computers present in Russia, although it did not go as far as to say that the operation was one sponsored by the State. Incidentally, relations between the two countries are frosty, and the Estonian misgivings were, therefore, not ill-founded. Authorities in Estonia have started working on a centre for digital defence at Tallinn, the capital, which will operate as an international academy where experts will meet to discuss cyber threats and suggest measures to overcome them.

ROLE OF ISPS - PROMISING PROGRESS

The other two conferences, which were held in Strasbourg (France), were sponsored by the Council of Europe. The first was the more significant of the two because it discussed a controversial subject, namely, the role of Internet Service Providers (ISPs) in the war against cyber crime. Those of us who are or were in law enforcement know how difficult it is to extract any information from ISPs while investigating cyber crime.

The victim among the citizenry also finds it frustrating to secure vital information from ISPs, who generally regard collecting data and passing it on to either the victim or law enforcement as a waste of time. There is an annoying lack of enthusiasm in countering cyber crime on their part that greatly dilutes the whole exercise of bringing cyber criminals to book. This is a universal complaint and not just an Indian phenomenon.

Those who met at Strasbourg were clear that unless there was a transformation in the attitudes of ISPs, very little progress could be achieved in the area. The informal agreement arrived at between ISPs and law enforcement on this occasion is described as the first of its kind. It laid emphasis on the sharing of best practices and drafting of a procedure that will be followed when the police approach ISPs for information. Perhaps more important was how to ensure an ISP responds to a demand for information from the police on a round-the-clock basis. The framework that emerged at the end of the conference seemed practical and promising.

The second conference, again in Strasbourg, devoted major attention to the Convention on cyber crime that was adopted in 2001 and opened up for signature in Budapest. This was a landmark agreement which aimed at swift prosecution of offenders and greater international cooperation in handling cyber crime. About 40 countries (including six non-Council members, such as the US) have signed the treaty, but more than half are yet to ratify it because they have not made appropriate changes in their national law on cyber crime, a pre-condition to ratification.

The ultimate aim of those who endorse the Convention is to establish international enforcement machinery. This appears to be a pipe dream, because we know how touchy nations are when it is a question of subordinating their sovereignty to the demands of an international criminal justice agency, however laudable the latter's objective might be.

India is one such country that has shown itself only moderately moved by global trends of greater determination on the part of cyber intruders to wreck the stability of cyberspace. As far as I know, we have not signed the Council of Europe's Convention on cyber crime. Nor have we made necessary changes in our cyber law to make penalties for violation really stiff, and in tune with the Council of Europe's 2001 Convention. This apparent indifference has necessarily drawn flak from those who are doing business with India.

REFRESHINGLY DIFFERENT APPROACH

In contrast, governments elsewhere in the world have displayed a refreshingly different approach. They have been sensitive to the fears arising from daring intrusions, both in the public and private sectors. In the US, for instance, since 9/11, the Federal government has intensified the vigil over cyberspace. Security has been tightened in a big way, causing annoyance to genuine and law abiding computer users, and sometimes a bit of amusement to cyber experts.

Drawing a balance between making access to information relatively easy and submitting to the demands of national security has been found to be a difficult exercise. Some of the measures introduced in Federal offices to restrict Internet access have been considered unimaginative and harsh. For instance, some employees of the Commerce department do not have direct access to the Internet. Nearly ten of them will have to share just one laptop that has a secure Net connection. The Bureau of Indian Affairs, another government department, had to withdraw Internet connection from its employees on the orders of a Judge after a breach of security had taken place.

In the UK, there is a new move to create a central database that would carry details of every phone call made, e-mail sent and the time spent by each user surfing the Net. This is an ambitious scheme if one considers the fact that last year 57 billion text messages and 3 billion e-mails were sent in the country. This proposal for a comprehensive telecommunication database is an expansion of the already existing regulations that require telecom companies to retain data of all calls and text messages for a period of 12 months so as to facilitate investigation. What is now contemplated is an extension of the data keeping to cover e-mails and VoIP calls. All these administrative actions are a fall-out of the July 7, 2007, bombings, and an attempt to comply with a European Union directive on record keeping. If all goes well, the Bill on the subject is likely to be incorporated in the Queen's Speech from the Throne later this year.

PHISHERS AT IT AGAIN

It is always nice to end with something that can tickle all of us who are addicted to the Net and look upon government restrictions as a spoil-sport. Would you believe that of all Web sites it was the UK Home Office's site crimereduction.homeoffice.gov.uk that was the target of phishers recently? It is learnt that an RFI (Remote File Inclusion) exploit was used to hack the site for hosting an Italian phishing Web site. Phishers served up a page resembling the contents of a site belonging to an Italian bank that had been subjected to repeated attacks. It is still a matter of speculation why the phishers chose a government site, that too one in the UK, to show off their prowess. This is what possibly makes cyber crime such an interesting field of study!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line