Hacking and Cyber Wars
Cyber wars and the hacking threat
By Roopen Roy Jul 26 2011
The events of the past few months have demonstrated beyond doubt that hacking and electronic interception are serious matters. They can undo individuals, shake empires, destroy careers and put people behind bars. Hacking can be resorted to by almost anyone—the state acting as the Orwellian Big Brother, corporations, media and a new breed of people who, fired by an almost ideological self-righteousness, are calling themselves ‘hacktivists’.
In most cases the hackers are ahead of the law-enforcing establishment. In the Bollywood movie A Wednesday, the Mumbai police commissioner Prakash Rathode (Anupam Kher) is so helpless in dealing with a tech-savvy “terrorist” that he seeks the assistance of a hacker (a young college student) to pinpoint his location.
Recently, a well-known international consulting firm became the target of ‘hacktivists’. As luck would have it, the consulting firm advises the US federal government on cyber security. The hackers penetrated the network of the consulting firm and stole over 90,000 military e-mail addresses and passwords. There were two serious flaws in their security system. First, the algorithms used to encrypt the passwords were weak and the hackers easily cracked the code. The second weakness was in the system’s vulnerability to insertion of malicious code technically known as ‘SQL injection’. In order to mock the victim and add insult to injury, the anonymous hackers sent an invoice of $310 to the consulting firm as a fee for conducting ‘a security audit’.
Hacking and infiltration, sponsored and organised by hostile governments, is an alarming new phenomenon. It has the potential to cause unimaginable havoc and losses if a country’s leaders and security agencies do not wake up to its potential to cause harm. It is time that India took tough and well-funded security measures and built disaster recovery plans. Both the US and the Indian government have been targets of cyber-attacks in recent times.
In 2009, the Obama administration announced the creation of the US Cyber Command as a response to escalating cyber warfare. The US government also has a National Security Agency (NSA) whose official mission is ‘to protect US national security systems and to produce foreign signals intelligence information’. Its electronic eavesdropping mission includes radio broadcasting, the internet, telephone calls and other intercepted forms of communication. NSA is the world’s single largest employer of mathematicians and the owner of the single largest group of supercomputers.
In the corporate world, there have been over 2000 serious incidents of hacking. Sony’s PlayStation Network was shut down worldwide for more than a month while the company reviewed its security procedures. To recount the incident briefly, Sony discovered in April 2011 that hackers had gained access to 77 million accounts on its PlayStation Network. In its financial statements Sony disclosed that it estimated costs for the breach to reach 14 billion yen this year. The figure does not include any costs for compensating customers. In an interesting twist to the tale, the insurance company of Sony has declined to compensate for the losses. Instead, Zurich American Insurance has sued Sony in a New York court arguing that the policy it set up for Sony does not cover the part of the business that suffered the breach or the sort of damage the theft caused. It is now a whole new world where companies have to be careful about their liabilities to their customers for hacking and how they can bulletproof their insurance policies.
Last week, more than a dozen hackers allegedly from Anonymous, the group that claimed responsibility for some of the recent attacks on Sony systems, were arrested. The FBI raided multiple homes in New Jersey, New York, California and Florida in relation to a probe on the group, according to media reports.
In India, hacking is punishable by law. Section 66 of the Information Technology Act defines hacking and prescribes punishments. It says that “whoever, with the intent of causing, or knowing that is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking”. Whoever commits hacking shall be punished with imprisonment of up to three years, or with fine, which may extend up to two lakh rupees, or with both. The definition of hacking and computer resources is somewhat vague and needs to be updated to cover illegal access, mobile devices and the cloud.
Hacking by newshounds has created quite a firestorm in the UK. David Carr at the New York Times could not resist the temptation of comparing it to what is happening in the Arab world. “A kind of British spring is under way,” he said with a touch of irony, adding, “Democracy, aided by sunlight, has broken out in Britain.” The media tycoon Rupert Murdoch spoke with rare candour when he confessed, “This is the humblest day of my life.” The hacktivists took sweet revenge. Hacker group LulzSec claimed responsibility for hacking the website of The Sun (belonging to the Murdoch group) and posted a false story claiming that News Corp CEO Rupert Murdoch was found dead. Those who live by the sword are being shot by those who wield modern cyber weapons.
(The writer is managing director of Deloitte Consulting, India. These are his personal views)