Strategic Analysis

Strategic Analysis:
A Monthly Journal of the IDSA

November 2001 (Vol. XXV No. 8)


Security Implications for Wired India: Role of Technology
Prashant Bakshi, Research Fellow, IDSA


Abstract

With an expanding IT infrastructure, India is getting 'wired' to the 'global village' at an extremely rapid pace. Prudence demands that we pay due attention to the threats impinging upon our electronic frontiers. In a multifarious threat scenario, technology aids deployed in a 'layered' manner offer the most credible defence. While discussing various technologies, this article stresses our capability to develop core technologies and adapt them with effective policies in the working environment. Since technology itself is not the panacea for information security, unless aptly supported by sound legislation and effective policies, a secure 'wired India' would remain a distant dream.

The sword of technology cuts two ways. It can be used in offence-it can destroy an opponent even before his first lunge. But it can also cut the very hand that wields it.

- Alvin and Heidi Toffler 1

Restoration of trading on the New York Stock Exchange, barely a week after the World Trade Center (WTC) catastrophe, demonstrated corporate America's preparedness for such a disaster in terms of data recovery and information security. Global markets, reeling under the impact, could have collapsed further if off-site/back-up data had not been available. 2 In the aftermath of the WTC attack, a deadly computer worm named 'Nimda' ('admin' spelt backwards), close on the heels of Code Red and Sircam, wreaked havoc in cyberspace. The cause for alarm is not just the escalation of such attacks but their increasing sophistication. 3

An earlier paper, 4 discussing the threat perceptions of 'wired India', suggested a three-pronged approach to implementing information security: technology, legislation, and policy. This paper, focusing on technology, is divided into three sections. Section I introduces the concept of 'layered defence'. Section II studies the current trends in information security technologies, discussing in some detail critical issues like firewalls and encryption. Finally, Section III highlights a few Indian initiatives, addressing the challenge of developing and adapting indigenous technologies to defend our information infrastructure, vital not only to our national security, but also to fulfilling our aspirations of becoming a knowledge-based economy and an information-based society.

I. Layered Defence

Confronted by a broad spectrum of threats from an adversary that is largely unknown, information security professionals have in recent times debated various tactics, showing a preference for the concept of 'layered defence' or 'defence in depth'. 5 A simple layered defence approach is shown in Fig. 1. It caters for a multifarious threat scenario and assumes each layer acting as a barrier to potential intruders. The threats perceived are: destruction of information, disruption, data manipulation, data interception, and chipping.

Fig. 1. Layered Approach to Information Security


Destruction-physical destruction of vital information assets using conventional weapons.

Disruption-electronic disruption using non-conventional weapons, viz. EMP (electromagnetic pulse), DEW (directed energy weapons), etc.

Data manipulation-computer viruses, worms, trojans, and other malicious software.

Data interception-sniffers and other 'snooping' techniques to intercept confidential information.

Chipping-malicious software embedded surreptitiously in systems.

Subsequent paragraphs discuss various technologies that can be deployed at various layers to counter these threats.

II. Current Trends in Information Security Technologies

Perimeter Security: The First Line of Defence

Information warfare is a conflict in which information and information systems act as both the weapons and the targets.

- Winn Schwartau 6

Information infrastructure needs to be secured from both physical and electronic attacks. The outer layer caters for physical security, covering weapons of mass destruction and disruption (WMDD), theft and even possible damage by natural disasters. It also offers preventive measures against electronic attacks through sophisticated surveillance and access control technologies. The paragraphs that follow discuss, in turn, WMDD, surveillance, theft, and access control.

WMDD: In the Gulf War, extensive use of information systems by the US forces led to precision targeting of Iraqi command and control nodes. Tomahawk cruise missiles reportedly dispensed ribbons of carbon fibres over Iraqi electrical power stations, resulting in disruption of power systems. 7 Since then, the concept of WMDD has gained an impetus with extensive research effort on weapons capable of "blinding" the enemy. 8 Another technology, TEMPEST (transient electromagnetic pulse emanation surveillance technology), can be exploited by adversaries to eavesdrop on information displayed by computer monitors (and other screens that emit radiation). Protection against such weapons involves "hardening" of equipment using Faraday caging, or enclosing rooms and equipment with a sufficient quantity of metal to block radiation. But this may be costly and cumbersome, suitable only for highly classified information assets. At times, technology itself offers simple answers. A solution against TEMPEST, proposed by Markus Kuhn and Ross Anderson in 1998, involves using a particular font that makes TEMPEST monitoring ineffective without compromising text quality. 9 Against the risk of mass destruction, redundancy in the system, with mirrored servers at remote sites and back-up of critical data, ensures the best safety. In addition to the human threat, data centres need to have safeguards built against natural calamities like fire, water ingress and power breakdowns as well.

Surveillance: Advanced digital technology enables simultaneous recording and viewing of images. This has immense potential in remote monitoring and surveillance of vital information assets. Even video cameras and closed-circuit television (CCTV) greatly augment physical security by complementing the efforts of conventional security guards posted outside installations. Cameras with inbuilt alarms and sensors, sensitive to motion and eye contact, act as further deterrents against intruders.

Theft: According to the CSI/FBI joint survey 2001, laptop theft alone contributed to an approximate loss of $8.8 million. 10 Hackers "snooping" for information is not always the most viable threat. An easier option is to simply steal a laptop or a diskette. From cable kits that lock workstations to their desks, to disk locks preventing unauthorized users from inserting a diskette (and thereby booting or infecting the PC with a virus), there are products available to match a host of requirements.

Software solutions can also be effective against theft. Compu-Trace Theft Recovery Software, marketed by Computer Security Products, is designed to lie dormant on a laptop computer, and is configured to automatically call (with the inbuilt modem speaker turned off) a toll-free number at the monitoring centre. With each call, the telephone number and the computer serial number are recorded. The monitoring centre uses the information to trace the telephone number, which is passed to law enforcement agencies for retrieving the stolen laptop. Another device, an Etherlock Alarm System plugged into the network hub, triggers an alarm when a network wire is unplugged. 11

Access Control: Technologies to authenticate users have come of age. A diverse range of products is available, offering anything from a cursory check to the most stringent one. The smart card has extensive application in the banking, telephone and travel sectors. With an embedded microprocessor and memory to store data, users can digitally sign and encrypt messages without fear of divulging or compromising a secret password/PIN. These can be used for accessing networks too, where a user merely has to swipe the card on a card reader to gain access to any terminal in the network.

Biometrics caters for a higher security level, where authentication is not confined to passwords or coded numbers checking. It involves biological data to recognize individuals based on unique physical characteristics, viz., fingerprints, retina, palms, face, handwriting, etc. Fingerprint scanners, simple to use and install, are fast gaining popularity. A user places a finger on a reader that scans it, digitizes the fingerprint, and compares it against a stored fingerprint image in the database for authenticating the user. Among the more popular brands is Compaq's fingerprint identification product, compatible with Windows 95/98 or Windows NT systems. 12

Gatekeepers of the Network

Firewalls: Organizations connecting their Local Area Networks (LANs) to the Internet use commercial firewalls. Larger organizations also employ an Intranet, which is a separate subnet of the network. A firewall typically is a device that combines hardware and software features to exercise a centralized access control policy between networks, i.e. between one's own trusted network and less trusted public ones (such as the Internet). Protecting the internal network from outsiders, it acts as a gatekeeper. The firewall has an inherent 'black box' feature that enables recording of logs to determine the security status of the network.

A firewall, however, is not impregnable. Robert Marsh, Chairman of the President's Commission on Critical Infrastructure Protection, constituted in 1996 to evaluate the threat on US information infrastructure, stated: "There isn't a firewall that a group of experts can't get around, despite the increasing sophistication of firewall defences. In the eternal war between hackers and defenders, the defenders have to be lucky all the time, hackers just once." 13

Some of the best protected systems, including those of the US Department of Defense and NASA, have been penetrated, with hackers exploiting either a weakness of the firewall or the system administrator's inability to configure it. Configuration and implementation are the key factors in this cat-and-mouse game, where the firewall becomes a strategy and not just a product. Where a remote user is allowed to bypass the firewall to gain access to an internal network, or a user on the internal network connects to the Internet through a dial-up modem, the network is exposed to an insecure connection and the firewall is rendered ineffective. Among the better known firewalls are Packet Filtering, Application Gateway and Hybrid firewalls.

Packet Filtering Firewalls use routers with packet filtering features that allow or deny access based on the source and destination address of Internet Protocol (IP) packets. They are known to be susceptible to IP spoofing (a technique used to gain unauthorized access with a "spoofed" IP address indicating that the message is actually coming from a trusted source) and are only recommended for low-risk environments.
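The spoofing weakness described above is usually countered at the packet filter itself with an ingress check: a packet arriving on the external interface can never legitimately carry a source address from the internal range. The following is an added illustration, not code from the article or from any firewall product; the rule table, the internal range 10.0.0.0/8, the host 10.0.0.5 and all packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for the example: the organisation's internal address range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "external" or "internal"
    src: str     # source IP address as written in the packet header
    dst: str     # destination IP address
    dport: int   # destination port


# A minimal stateless rule table (constructed): interface, source network,
# destination network, destination port (None = any), action. First match wins.
RULES = [
    ("external", "0.0.0.0/0", "10.0.0.5/32", 80, "allow"),    # public web server
    ("internal", "10.0.0.0/8", "0.0.0.0/0", None, "allow"),   # outbound from inside
]


def decide(pkt: Packet, antispoof: bool = True) -> str:
    """Return the filter's verdict for one packet.

    With antispoof=True the filter first rejects packets whose claimed
    source address belongs to the internal range but which arrived from
    outside; that is exactly the packet an IP-spoofing attempt relies on.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Ingress anti-spoofing check: internal addresses never arrive from outside.
    if antispoof and pkt.iface == "external" and src in INTERNAL_NET:
        return "drop-spoofed"

    for iface, src_net, dst_net, dport, action in RULES:
        if pkt.iface != iface:
            continue
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action

    # Nothing matched: default deny, the safe posture for a packet filter.
    return "deny"


if __name__ == "__main__":
    spoofed = Packet("external", "10.0.0.9", "10.0.0.5", 80)
    print("with anti-spoofing:   ", decide(spoofed))
    print("without anti-spoofing:", decide(spoofed, antispoof=False))
```

Run stand-alone, the block shows the same packet being dropped when the ingress check is on and allowed by the address-based rule when it is off, which is the gap the paragraph warns about; a filter that relies only on source addresses is why the approach is recommended for low-risk environments alone.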

Application Gateway Firewalls use server programs called proxies that take external requests, examine them and forward legitimate requests to the internal hosts that provide the necessary service. This feature makes it the most secure option, offering some distinct advantages: (a) It can be configured as the only host address visible to the outside network, so that all connections to and from the internal network are routed through the firewall. (b) The use of proxies for different services (e.g. Telnet, FTP, HTTP, RLOGIN, etc.) prevents direct access to the services on the internal network, protecting against insecure or mis-configured hosts. (c) Strong user authentication and detailed logging facilities are possible.

Hybrid or Complex Gateway Firewalls combine the features of both Packet Filtering and Application Gateway firewalls. Apart from detecting intrusions, they can also take pre-emptive actions to prevent an intrusion that includes disconnecting the network from the Internet. Table 1 summarizes the functioning of firewalls.

Table 1. Firewall Security Risks

Firewall architecture    High risk          Medium risk        Low risk
Packet Filtering         Unacceptable       Minimal security   Recommended
Application Gateway      Effective option   Recommended        Acceptable
Hybrid Gateway           Recommended        Effective option   Acceptable

Source: Steven F. Blanding, "Secured Connections to External Networks", in Micki Krause and Harold F. Tipton (eds.), Handbook of Information Security Management (London: Boca Raton, 1999), p. 99.

A demilitarized zone (DMZ) is an additional safety zone that can be configured. Hosts acting as proxy servers are placed there to connect to the Internet. Thus the DMZ is a segment between the router (that connects to the Internet) and the firewall.

Intrusion Detection Systems (IDS): A more proactive gatekeeper that assists the system administrator to detect and respond to intrusion attacks. These can be reactive or passive. Passive systems detect a potential breach, log the necessary information and sound an alert. Reactive systems positively respond to a breach, for example, by logging off an unauthorized user. Cisco's Net Ranger system is a pioneering effort in IDS.
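The passive/reactive distinction is easiest to see in code. The block below is an added example, not code from the article or from any IDS product: it runs one simple detection rule (repeated failed logins from a single source) over constructed log lines in a syslog-like format, and in passive mode only records an alert, while in reactive mode it also cuts the source off, as the paragraph describes. The log format, the threshold and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in a syslog-like format (not from a real system).
SAMPLE_LOG = """\
2001-11-05T09:00:01 sshd[410]: Accepted password for alice from 10.0.0.12
2001-11-05T09:00:05 sshd[411]: Failed password for root from 203.0.113.7
2001-11-05T09:00:06 sshd[412]: Failed password for root from 203.0.113.7
2001-11-05T09:00:07 sshd[413]: Failed password for invalid user admin from 203.0.113.7
2001-11-05T09:00:09 sshd[414]: Failed password for root from 203.0.113.7
2001-11-05T09:00:10 sshd[415]: Failed password for root from 203.0.113.7
2001-11-05T09:00:11 sshd[416]: Failed password for root from 203.0.113.7
2001-11-05T09:00:30 sshd[417]: Failed password for bob from 10.0.0.12
"""

# Matches only failed-login lines and captures timestamp, user and source IP.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)

THRESHOLD = 5  # failed attempts from one source before the rule fires (assumed)


def analyse(log_text: str, mode: str = "passive", threshold: int = THRESHOLD) -> dict:
    """Run the failed-login rule over log_text.

    mode="passive":  log the event and raise an alert, nothing else.
    mode="reactive": additionally block the source, so later lines from it
                     are ignored (the equivalent of logging the intruder off).
    """
    if mode not in ("passive", "reactive"):
        raise ValueError("mode must be 'passive' or 'reactive'")

    failures = defaultdict(int)
    alerts = []
    blocked = set()

    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                    # not a failed login; ignore
        ip = m.group("ip")
        if ip in blocked:
            continue                    # reactive mode already cut this source off
        failures[ip] += 1
        if failures[ip] == threshold:
            alerts.append(f"{m.group('ts')} {ip}: {threshold} failed logins")
            if mode == "reactive":
                blocked.add(ip)

    return {"alerts": alerts, "blocked": sorted(blocked), "failures": dict(failures)}


if __name__ == "__main__":
    for mode in ("passive", "reactive"):
        print(mode, analyse(SAMPLE_LOG, mode))
```

In passive mode the noisy source keeps accumulating failures after the alert (six in the sample); in reactive mode its count stops at the threshold because the block takes effect. The single failure from 10.0.0.12 never reaches the threshold and generates no alert, which is the kind of tuning a system administrator does to keep the IDS from crying wolf.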

Anti-Virus Software: More than 22,000 viruses exist, with nearly 300 new ones being added daily. 14 News of high-profile virus/worm attacks (the likes of Melissa, Love Bug, Anna Kournikova, Sircam, Code Red, Nimda, etc.) has raised public awareness of anti-virus software. Companies offering anti-virus solutions (viz. McAfee, Symantec, Trend Micro, etc.) generally provide an add-on live update feature. Installing anti-virus scanners at the firewall level itself is a precaution against the flow of viruses into the network from the Internet. Total Virus Defence Suite 15 from Network Associates offers network protection against all sources of virus transmission.

Internal Security

Few persons on planet Earth today realize that the decisive factor in the outcome of World War II was not the brilliance of highly publicized Allied military leaders and statesmen. Rather, victory or defeat hinged on the secret war of wits between each side's ingenious scientists and cryptanalysts (code breakers).

- William B. Breur 16

Perimeter security technologies protect the medium or channel of information flow, not information per se. The convergence of data, communications and computer technologies has led to a compelling need for both communication security and data security. The "killer application" that provides both is cryptography.

From Enigma to Pretty Good Privacy (PGP): Cryptography, the art of secret writing, goes back at least 4000 years in history. The Caesar cipher used by Julius Caesar in Egypt is one of the known ancient methods of encryption. The Arabs in the seventh century wrote down the methods of cryptanalysis. In India, the Kama Sutra places secret writing as forty-fifth in a list of arts women should know. 17

By World War II, electromechanical devices replaced handwritten forms of cryptography, and some incredible feats in code breaking were accomplished. Most significant was the invention of the revolutionary German Enigma communication system and the ensuing espionage and cryptanalysis that led to breaking the Enigma code by British intelligence. 18 Intercepts of Enigma (code-named Ultra) were a major cause for Germany's setback. It is speculated that the US might have avoided the attack on Pearl Harbor had it been able to decipher the Japanese coded messages. Its cracking the Japanese code later gave the US a distinct edge in the Battle of Midway.

After World War II, the National Security Agency (NSA) was founded in the USA to function as a full-fledged cryptography agency. In the mid-1970s, the increasing popularity of computers (especially in the financial sector) dictated the need for a publicly available cryptographic system. The DES (Data Encryption Standard) 19 emerged in 1976, and has since been the US federal government's standard method for encrypting sensitive information. It is the most widely accepted, publicly available cryptographic system today.

However, the drawback with secret key codes (or symmetric cryptography) like DES lies in the single key that is used by both sender and receiver, where security can be compromised by the interception of the key during transmission. To overcome this weakness, Whitfield Diffie and Martin Hellman introduced the concept of public-key cryptography, or asymmetric cryptography, in 1976. Here two keys are brought into use: the public and the private key. The message is encrypted with the public key and decrypted using the private key. The public key is available in the public domain, while the private key lies in the safe possession of its owner. In 1977, a team of scientists, Ron Rivest, Adi Shamir and Leonard Adleman, created RSA, the first public-key cryptographic system. The US government's fear that strong encryption programs could come into the hands of non-state actors came true when Philip Zimmermann, a computer scientist, used RSA to create an exceptionally strong encryption program (128 bits) called Pretty Good Privacy (PGP), which became freely available on the Internet in 1991. 20

Digital Signatures and Public Key Infrastructure (PKI): Public-key cryptography offers all the objectives of information security: confidentiality, integrity, authenticity and non-repudiation. It offers authentication using digital signatures, a technique that uses public-key encryption to "sign" electronic documents. A digital signature is a value, computed from the message with the sender's private key and attached to the message, that uniquely identifies the sender. Digital signatures also provide non-repudiation, i.e. when participants transact business electronically using digital signatures, they cannot deny the transaction.

Digital signature schemes have two steps: (a) generating a message digest ("hash") of the message; and (b) generating the signature by combining the message digest with the user's secret key. Adding a signature to a message validates the integrity of the message. Digital signatures confirm that the message has not been altered since it was signed, because any such change will invalidate the signature. Applications of digital signatures include confidential e-mail, electronic funds transfer, electronic data interchange (EDI) and software distribution.
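The two steps above, and the way a single altered byte invalidates the signature, can be traced through with textbook RSA. This is an added worked example and not code from the article, PGP or any real library: the key pair is built from two small, publicly known primes (assumed here purely for illustration; real keys are far larger), and the digest is reduced modulo the tiny modulus and signed without any padding scheme, so the block demonstrates the hash-then-sign structure and nothing about the security of a production signature.

```python
import hashlib
from math import gcd

# Constructed demo key material (hypothetical, NOT a usable key): two Mersenne
# primes give a ~92-bit modulus, enough to show the mechanics.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537                      # public exponent
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1        # E must be invertible modulo PHI


def _modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


D = _modinv(E, PHI)            # private exponent: kept secret by the signer


def message_digest(message: bytes) -> int:
    """Step (a): hash the message with SHA-256.

    The 256-bit digest is reduced mod N only because the demo modulus is
    smaller than the digest; a real scheme would instead pad the digest
    up to the modulus size.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step (b): combine the digest with the private key (textbook RSA, no padding)."""
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) recovers the digest from the
    signature and compares it with a fresh digest of the received message."""
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    original = b"Transfer Rs 10,000 to account 1234"   # constructed message
    tampered = b"Transfer Rs 90,000 to account 1234"   # one digit changed in transit
    sig = sign(original)
    print("original verifies:", verify(original, sig))   # True
    print("tampered verifies:", verify(tampered, sig))   # False
```

The verifier never needs the private exponent, which is what gives non-repudiation: only the holder of D could have produced a value that decrypts under E to the message's digest. The tampered transfer fails because its digest differs from the one the signature encodes, exactly the integrity property the paragraph describes.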

The success of digital signatures and use of public-key encryption require an infrastructure, where people are assured of the authenticity of the public key, and to maintain trust that is vital for the encryption process. Public-key infrastructure (PKI) consists of parties who offer trusted services such as key certification, key distribution and revocation, time stamping and data recovery. Depending upon the service offered, the trusted party may be called a Certification Authority (CA), a Key Escrow Agent (KEA) or a Data Recovery Agent (DRA), the overall term for these parties being Trusted Third Parties (TTP).

Cryptanalysis and the Future of Cryptography: As in the proverbial contest between the locksmith and the burglar, developments in cryptography are quickly overtaken by the means of cracking them. The primary cause is the incredible increase in computing power. According to Moore's law, computing power doubles every eighteen months, and so far, the prediction has been proved right. To keep pace with Moore's law, cryptographers would have to raise the key length by at least one bit every eighteen months or roughly six bits every ten years. In fact both 40-bit DES and 56-bit DES have been cracked in "challenge contests". 21 Table 2 highlights the vulnerability of cryptography systems to distributed attacks.

Table 2. Distributed Crypto Attacks

Date of crack    System and key length    No. of computers used      Time spent    Cracker
28 Jan 1997      RC-5, 40 bits            250                        3.5 hours     Ian Goldberg
10 Feb 1997      RC-5, 48 bits            3500                       13 days       Germano Caronni
17 Jun 1997      DES, 56 bits             70,000                     120 days      Rocke Verser, Michael Sanders and others
19 Oct 1997      RC-5, 56 bits            500,000                    250 days      David McNett
23 Feb 1998      DES, 56 bits             no information available   39 days       David McNett
15 Jul 1998      DES, 56 bits             -                          12.5 days     EFF DES cracker

Source: Bert-Jaap Koops, The Crypto Controversy: A Key Conflict in the Information Age (Netherlands: Kluwer Law International, 1999), p. 42.

Attempts at cryptanalysis, especially where intelligence agencies are concerned, include unethical practices too. The scam involving Crypto AG, one of the world's leading cryptography companies, and the NSA revealed that the NSA had collaborated with Crypto AG to build backdoors into every machine that it sold worldwide (to nearly 120 countries). For decades, these rigged machines gave the NSA easy access to supposedly secure communications. 22

The domestic crypto debate in the US is basically a conflict between law enforcement agencies and cyber-liberty activists. The government's attempt to control encryption is based on the difficulty experienced in deciphering high-end encryption used by criminals and terrorists. 23 Activists view restrictions imposed on encryption as an infringement of their right to communicate securely in an information society. Subsequent attempts by the government to implement key escrow (a system for providing government access to keys by having people deposit their private keys with a Trusted Third Party (TTP)) failed, with the Clipper Chip 24 initiative proving a disaster. The export of cryptography is another sensitive issue and has always been under severe constraints. Internationally, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies controls the export of dual-use technologies. The USA follows even more stringent control. Initially, crypto exports were placed on the munitions list of the International Traffic in Arms Regulations (ITAR). It was only in 1996 that they were transferred to the Department of Commerce under the Export Administration Regulations (EAR). As per present regulations, anything stronger than 128 bits for symmetric key crypto systems and greater than 512 bits for public key crypto systems cannot be exported from the US. Some countries have restrictions on domestic cryptography, and themselves apply import restrictions, e.g. France, Russia, China, South Korea, and India. 25

III. India and Information Security Technologies

Cryptography: In January 1999, the Defence Research and Development Organization (DRDO) and the Central Vigilance Commission (CVC) issued an alert warning Indian organizations against buying foreign network-security software. 26 The CVC thereafter made it mandatory for all financial institutions to procure security software developed exclusively within the country. Explaining his view, the CVC has written, "The only way to guard against insecure or booby-trapped software products is to write our own software and develop our own hardware." 27 The Institute for Development and Research in Banking Technology (IDRBT) has contributed significantly. It established INFINET (Indian Financial Network) in 1999 to provide a reliable communication backbone for the banking and financial sector. In a joint effort with Tata Consultancy Services (TCS) it has developed a messaging solution based on smart-card-based PKI. Termed the Structured Financial Messaging Solution (SFMS), it promises a secure and multi-tiered system for banks to send financial information via the INFINET.

The Centre for Development of Advanced Computing (C-DAC) and DRDO have been at the forefront of information security technologies. The Networking and Internet Software Group (NISG) of C-DAC, Pune is working on the development of core network security technologies, which include C-DAC's Virtual Private Network (C-VPN), a crypto package (C-Crypto) and prototype e-commerce applications. 29 DRDO on its part has been instrumental in integrating security mechanisms into the Indian Army's Army Radio Engineering Network (AREN) and Army Static Switched Communication Network (ASCON). 30 The Indian Air Force is working with the Indian Institute of Technology (IIT), Kanpur, on the development of a 128-bit encryption algorithm. Once approved, it would be used for bulk and online encryption. 31 IIT, Kanpur has also collaborated with the Indian Navy's Weapons and Electronic System Engineering Establishment (WESEE) in the development of Trinetra, an encryption code for naval communications, which is believed to be the first time that a major block cipher system has been developed indigenously.

Smart Cards: Smart cards are witnessing a boom in the country. Vijay Parthasarathy, President of SCAFI (Smart Card Forum of India), forecasts that the number of smart card users in India is likely to grow to over 250-300 million in the next few years from the present 20 million users. Apart from burgeoning cellular users (the SIM card is a form of smart card), other uses of smart cards are the electronic passbook for the micro-finance industry, the BPCL Petro Card, driving licences in Gujarat, ration cards for villagers in Kerala, and a card-based payment system for bus commuters in Mumbai. As e-governance thrives in the country, the smart card industry will only multiply.

PKI: The IT Act 2000 establishes the guidelines and framework for carrying out valid electronic transactions. With a regulatory framework in place, the Ministry of Information Technology (MIT) is in the process of issuing licences to Certification Authorities (CA) who will be responsible for verifying digital signatures. A number of organizations have been short-listed as CAs having technological wherewithal to validate digital signatures of end-users.

Biometrics: Computer Maintenance Corporation (CMC) has developed an advanced automated fingerprint identification system called the Fingerprint Analysis and Criminal Tracking System (FACTS), which has evoked tremendous interest from the law enforcement agencies. 32 The system is being integrated with the National Crime Records Bureau (NCRB) database, the Crime and Criminal Information System (CCIS), which already has 3,50,000 digitized fingerprints in its digital library.

Emergency Response Centre (ERC): The Ministry of Information Technology (MIT), in collaboration with CMC Ltd has set up a centre for IT security at Hyderabad, which is on the same lines as the western concept of CERT (Computer Emergency Response Team). It acts as a single point of contact for vulnerability assessment of IT applications and technical evaluation of security products available in the market. A security portal <www.itsecurity.gov.in> has also been launched, offering updates, alerts on security aspects and a forum for interaction and online discussion.

The Challenges Ahead

Information security in the Indian context is driven by two factors: the ability to develop core technologies (products) and adapting them with effective policies in the working environment (process).

Products: Recent virus outbreaks illustrated the swiftness with which viruses/worms replicate across networks. By estimated reports, Nimda affected 143,972 computers worldwide in 48 hours. More importantly, they increasingly target systems running Windows NT and Microsoft's Internet Information Server (IIS). Proprietary software caters exclusively for the demands of its users, and therefore compromises security in order to achieve higher functionality. ActiveX, JavaScript and VBScript are examples of products that enhance the quality of world wide web pages yet seriously endanger security. On the other hand, open-source software like Linux is considered fairly secure. Here, a number of programmers worldwide contributed to its development. Hence, it offers quicker patches for security bugs, as the source code is available to a larger number of programmers in the public domain.

The compelling need for developing indigenous security solutions is highlighted in the annual report of the Centre for Development of Telematics (C-DOT). The report notes: "Presently, all of the security solutions are based on foreign technologies and there are virtually no indigenous solutions for either network security or content security. This costs huge amounts of licence fees, outflow of foreign exchange and dependence. Moreover the security achieved through foreign technology always carries a risk of foreign deciphering." 33

India holds a prominent place in the IT world and has tremendous capability for innovation. Recently, a team of scientists from the Indian Institute of Science (IIS), Bangalore unveiled a prototype computer, called Simputer 34 (acronym for "simple computer" as it is a highly user-friendly and portable computer device). Designed to give rural Indians better access to information, the Simputer will use open-source software (probably, Linux) with smart card technology, enabling multiple users to access the device and safely transact on applications like micro-finance, banking and telephony. Taking such innovation to higher levels, with better interaction and information sharing between R&D institutes in the country, there is no reason why India cannot be a pioneer in information security technologies.

Process: Two recent surveys conducted on corporate India, namely the PWH-CII (Price Waterhouse Coopers-Confederation of Indian Industry) and KPMG surveys, speak of the poor information security set-up in the private sector. The PWH-CII IT Security Survey covered 72 Indian companies and found that 77 per cent of the organizations lack a coherent information security policy. 35 Similarly, KPMG's India Fraud Survey Report 2001 revealed a staggering 43 per cent of Indian companies venturing into e-business without a security policy in place. The Indian predicament is aggravated by low budgets for e-security, a lack of trained professionals and, most of all, a dismal level of awareness amongst users. In the early days of the Internet, the phrase security through obscurity 36 was used to describe the complacent, or rather ignorant, approach of system administrators towards network security. This situation still persists in India, demanding an immediate change in attitude, one that does not see security as a product alone, but as a process that needs to be constantly updated.

Unfortunately, even the best of technologies and practices are susceptible to failure. Prudence demands that we do not overlook the crucial aspect of reliability, best achieved through redundancy and having alternative options available at all times. In crises, even an unlikely option might emerge as the best response, as proved during the killer earthquake that rocked Gujarat on 26 January 2001. When the civil communication infrastructure collapsed, only two channels of communication were available: the Army network (through VSAT and INMARSAT) and the amateur radio operators, better known as HAMs. 37 This was not the first time that HAMs came to the rescue: the NIAR (National Institute of Amateur Radio) also played a key role during the 1993 Latur earthquake, the 1996 Amarnath tragedy and the 1999 Orissa super-cyclone.


Endnotes

Note 1: Alvin and Heidi Toffler, War and Anti-War: Survival at the Dawn of the 21st Century (New York: Little, Brown and Company, 1993), p. 147.

Note 2: In the wake of the Y2K threat, American companies, especially in the financial sector, had established elaborate contingency and disaster recovery plans. For more details see Rob Wells, "Regulators Say Banks Used Y2K Plans During Attacks", Technology News at www.reuters.com.

Note 3: Computer security experts rate Nimda as the fastest replicating virus/worm, likely to be more damaging than Code Red, which cost an estimated $2.6 billion. For more details see Izhar Lev and Michael Knight, "Computer Viruses: e-biological Warfare", Jane's Intelligence Review, March 2001, pp. 53-5.

Note 4: Prashant Bakshi, "Security Implications for a Wired India: Challenges Ahead", Strategic Analysis XXV(1), April 2001. Also accessible at www.idsa-india.org/an-apr-7.01.htm.

Note 5: For instance, see V. Adm. J.M. McConnell and Edward J. Giorgio, "Building Information Security Layer by Layer", US Naval Institute Proceedings, December 1998, p. 112. Although the concept discussed caters for a naval fleet at sea, operating on a Naval Intranet, it can be expanded to organizations in general.

Note 6: Winn Schwartau, "Ethical Conundra of Information Warfare", in Alan D. Campen, Douglas H. Dearth and R. Thomas Goodden (eds.), Cyber War: Security, Strategy and Conflict in the Information Age (New Delhi: Bookmart, 2000), p. 244. The author is known as the "Civilian Architect of IW" and provides an interesting insight into various threat scenarios the US faces today.

Note 7: Alan D. Campen, "Iraqi Command and Control: The Information Differential", in idem (ed.), The First Information War (New Delhi: Bookmart), p. 173.

Note 8: For more details on microwave and EMP weapons see David A. Fulghum, "Microwave Weapons Await a Future War", Aviation Week & Space Technology, June 1996, p. 30. Also see C.N. Ghosh, "EMP Weapons", Strategic Analysis XXIV(7), October 2000. Also accessible at www.idsa-india.org/an-oct-00-8.htm.

Note 9: Markus G. Kuhn and Ross J. Anderson, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", at www.cl.clam.ac.uk/~mgk25/ih98-tempest.pdf.

Note 10: The FBI and CSI (Computer Security Institute) annual report on computer security is the most comprehensive survey conducted worldwide. The 2001 report is available at www.gocsi.com.

Note 11: Jae K. Shim, Anique A. Qureshi and Joel G. Siegel, International Handbook of Computer Security (New Delhi: Har Anand, 2001), p. 25. For more information on computer security products also visit www.computersecurity.com.

Note 12: "Biometrics to the Rescue", Chip magazine, September 1998, p. 13.

Note 13: James Adams, The Next World War: Computers Are the Weapons and the Frontline is Everywhere (New York: Simon & Schuster, 1998), p. 182.

Note 14: Shim et al., n. 11, p. 73. Back

Note 15: Ibid. Back

Note 16: William B. Breur, Secret Weapons of World War II (New York: John Wiley & Sons, 2000), p. 1. Back

Note 17: For a detailed account of the history of cryptography read David Kahn, The Code Breakers: The Story of Secret Writing (New York: Macmillan, 1967). Back

Note 18: Breur, n. 16, pp. 5-10. Enigma (Greek word for puzzle) was a compact electronic machine that could perform encoding and decoding of messages in two to three minutes, producing 22 billion different code combinations. French intelligence made the first breakthrough when a German traitor named "Source D" sold a secret Enigma operating manual to them. Thereafter, Polish spies smuggled one of the Enigma machines out of a German factory and a team of Britain's foremost scientists and mathematicians led by Alan Turing and Alfred Knox developed a duplicate machine. This creation, called "Bomb", matched the electrical circuits of Enigma, permitting the device to imitate the daily change in keying procedures by Germans. For a detailed account on breaking of the Enigma code used by the German U-boats, read David Kahn, Seizing the Enigma: The Race to Break the German U-boat Codes (London: Souvenir Press, 1992). Back

Note 19: In 1974, the National Bureau of Standards (now NIST-National Institute of Standards and Technology) asked for proposals for a standard cryptographic algorithm. IBM responded with the Lucifer system, which was evaluated with the help of the NSA and eventually adapted as DES (Data Encryption Standard) in 1976. It is speculated that the NSA installed a trap door in DES, or weakened the algorithm from 128 bits in Lucifer to 56 bits in DES. Back

Note 20: PGP is downloadable at www.pgpi.org. Back

Note 21: Typically, cryptography design methodology involves design and attack teams, working in tandem. In the academic community, researchers publish their code and invite contemporary researchers to crack their code in organized contests. Back

Note 22: The lid on Crypto AG blew off when Crypto AG sales agent Hans Beuhler was arrested by the Iranian police on charges of spying. For a detailed account see Adams, n. 13, p. 213. Also see Wayne Magden, "Crypto AG: The NSA's Trojan Horse?" at www.stratmag.com. Back

Note 23: Use of encryption by terrorists and criminals is well documented. See Dorothy E. Denning and William E. Baugh Jr., "Cases Involving Encryption in Crime and Terrorism", available at www.cs.georgetown.edu/~denning/crypto/cases.html. The article includes the case of Ramzi Yousef, alleged member of Al-Qaeda network responsible for bombing the World Trade Center in 1993 and a Manila airliner in late 1995. When apprehended at Manila, the FBI found several encrypted files in his laptop computer. These were successfully decrypted (the key was stored in the same computer), and found to contain information pertaining to further plans of blowing up eleven US-owned commercial airliners in the Far East. Back

Note 24: The Clipper Chip was a tamper-resistant device, which used the Skipjack algorithm, a symmetric crypto system designed by the NSA. It used an 80-bit key and was stronger than DES to resist a brute force attack. To be used in cell phones, the idea was that the government would be able to monitor or decrypt all cell phone conversations. It was therefore announced that all private encryption keys would be held in escrow so the government could access them whenever circumstances required. However, the public rejected the idea. Back

Note 25: Bert-Jaap Koops, The Crypto Controversy: A Key Conflict in the Information Age (Netherlands: Kluwer Law International, 1999), p. 98. Also visit US Bureau of Export Administration official website at ww.bxa.gov. Back

Note 26: Akshay Joshi, Information Age and India (New Delhi: Knowledge World, 2001), p. 234. Back

Note 27: N. Vittal and S. Mahalingam, Information Technology: India's Tomorrow (New Delhi: Manas Publications, 2001), p. 242. Back

Note 28: Initially, INFINET was a satellite-based VSAT network that had 675 VSATs supporting approximately 200 towns and cities across India. To complement the VSAT network, a terrestrial network is being developed, that will connect 21 major cities through a leased line network. For more details on IDRBT's security solutions read "TCS, IDRBT Tie-up for Messaging Solutions", Cyber News Service, 26 February 2001. Also accessible at www.ciol.com. Back

Note 29: Nanda Kasabe, "C-DAC Foraying into Network, Internet Security", Cyber News Service, 22 September 2000. Also accessible at www.ciol.com. Back

Note 30: See www.drdo.org/labs/electronics/Irde/achieve/shtml. Back

Note 31: Ministry of Defence, Government of India, Annual Report 2000-01, p. 39. Back

Note 32: Cited by Harish Kumar, Director NCRB at the Conference on "IT and Law Enforcement" organized by Sun Microsystems, New Delhi, 19 August 2001. Back

Note 33: Annual Report on Working of C-DOT-2000, p. 37. Back

Note 34: Sanjay Kapoor, "How Can You Use a PC if You Can't Even Read", Asiaweek, 29 June 2001, p. 41. Back

Note 35: Bharti Jain, "Poor IT Security Worrying India Inc", Economic Times, New Delhi, 17 January 2001. Back

Note 36: Maximum Security: A Hacker's Guide to Protecting Your Network (New Delhi: Techmedia, 1998), p. 68. The author (anonymous, and speculated to be a well-known hacker), defines security by obscurity as a term applied by hackers to most OS vendors' favourite way of coping with security holes, namely, ignoring them, documenting neither any known holes nor the underlying security algorithms, trusting that nobody will find out about them and that people who find out about them won't exploit them. Back

Note 37: Arun Sharma, "HAM to the Rescue", Times of India, New Delhi, 15 February 2001. Back