Raisina Dialogue Diaries: Lessons for dealing with threats to and from cyberspace

In 2017, and to kick things off with something of a truism, the threats to and from cyberspace are of major concern to States, organisations (from major corporations to NGOs) and individuals.

With almost everything from your mobile phones and computers to nuclear power plants and air traffic control connected to the ‘International Internet of Important Things’ (an attribution shall soon follow), the system is vulnerable to all sorts of damage.

Equally, with the internet ending the era of one-way communication – that is to say, from broadcaster or publisher to consumer – and removing gatekeepers of information from the equation almost entirely – look at the profusion of fake news for an example, the system is capable of inflicting all sorts of damage.

Framed slightly differently, the issue can be divided into two parts: The problems with the medium (the technological part) and the problems with the message (the human element).

These concepts came together at the second Raisina Dialogue, held in New Delhi from 17 to 19 January under the motif of ‘The New Normal: Multilateralism with Multipolarity’. Given how closely the multi-stakeholder model of the internet fits into the idea of multipolarity and indeed multilateralism, it’s no surprise that it turned out to be one of the most engaging topics over the three days.

And over the course of two panel discussions titled ‘Cyber Security: The Internet of Risks’ and ‘Reclaiming the Digital: Countering Violent Extremism Online’, a dozen-odd commentators laid out their biggest concerns and pointers for how to counter the threat.

The medium

It was Patricia Lewis, research director, International Security at UK-based think-tank Chatham House, who used the phrase ‘International Internet of Important Things’ to refer to the various elements that make up the international political infrastructure: From air traffic, space systems, shipping and financial systems to energy, food (production chains), resources, logistics, and telecom, land transport and ultimately, the internet itself.

All these seemingly dissimilar systems are linked for by Lewis for the following reasons:

  • They all depend on connectivity
  • They are highly dependent on industrial control systems, ergo, digital instructions
  • They are dependent on positioning systems (like GPS) and digital timing systems

There’s nothing really all that new or unheard-of in that little breakdown, but it’s always worth prefacing any discourse about cyber danger by putting those points out there as a reminder of just how high the stakes are.

As Gulshan Rai, India’s national cyber security coordinator, pointed out, the complexity of malware and its levels of penetration are increasing. So how does one get around this constantly growing threat? Well, a step in the right direction, as the panellists agreed, would be to establish a global understanding of what constitutes a crime in cyber space. Considering the idea that the cyber world isn’t disconnected from the real world, it was postulated that what constitutes a crime in the real world should also be seen as a cyber crime. For instance, theft, break-and-entry, spying, stalking and like in the real world are crimes. Their online counterparts, phishing, hacking, snooping, cyber-stalking etc should also be crimes.

READ  50,362 cyber security related incidents were logged in 2016, says CERT-In

Now, that’s easier said than done when one considers how various countries approach the internet, with some speaking about internet sovereignty and others discussing the concept of an open internet. According to Chris Painter, cyber coordinator for the US state department, internet sovereignty cannot be an absolute and that cooperation among countries is a must. This seems like a no-brainer, because unlike land and sea boundaries, there are no spatial boundaries on the internet and so, there’s no my part of the internet and your part of the internet, where the rules can vary.

Painter added that one way to go about this is to get the likeminded countries together to flesh out and then follow a framework and then get other countries to participate. All of which, in theory, sounds like the right way to go about identifying and slowing down cyber crime.

However, achieving any of this is going to be difficult for as long as there is no trust.

Trust between States.

Trust between organisations.

Trust between individuals.

It is only after trust is cultivated, that transparency among States/organisations/individuals can exist and sharing of crucial information (relating to dangerous malware, critical threats or emerging potentially toxic trends) can occur. But this is a good point at which to contemplate just when countries – that presently utilise their resources to hack and snoop on each other – will begin to share information openly; and just when industry players will share information about threats instead of capitalising on them to bring down their rivals; and finally, when individuals will share crucial information that helps out their fellow individuals safeguard from malware.

The topic of trust is a good bridge between the technological and human aspects of things, not only because the era in which we presently find ourselves requires humans to put a lot of trust in technology. And while securing the tech part of the cyber world is crucial, equally so is securing the human involvement – the message that is sent out using the medium of the internet.

The message

It was General Sir Chris Deverell, commander of the UK’s Joint Forces Command, who pointed out that in order for cyber defence and resilience to be put into place in this ‘web of global threats’, it was important for close cooperation to exist between the armed services, police and industry.

While that sort of cooperation is vital to take down crimes that constitute threats to the system like phishing, hacking, identity theft and snooping, it’s equally important when tackling one of the biggest threats from the system that is messaging designed to promote violent extremism. It’s hard to find a person with an active online presence today who hasn’t encountered this sort of messaging, whether directly or indirectly. So whether it’s the various videos or posts that appear online and glorify beheadings, setting people on fire and what-have-you, or tweets calling for some sort of violent action or even news reports that talk about these videos/posts/tweets, everyone has experienced them. And the process of combating this threat is in government nomenclature known as CVE or countering violent extremism.

READ  Experts believe CERT-Fin is good but cyber-security needs more focus

The general pointed out that there has to be a three step process to countering the misuse of cyber infrastructure to encourage and instigate violent extremism:

  • Strategic communication: Countering the messaging of extremist outfits and individuals with positive messages. More on this in a bit. Or a byte.
  • Prevention: Finding ways and means – in conjunction with various social media platforms – to shut down the accounts and content of extremists using these platforms. Governments across the world have brought the likes of Facebook, Twitter and Google onboard in order to ensure that such actors and their messages are swiftly shut down. Further, as panellist Ankhi Das (director, Public Policy for Facebook India) pointed out, Facebook, Twitter, Google and Microsoft have partnered to create a ‘hash database’ – an ever-updating database (put together by humans, rather than algorithms) of red flags across the companies’ various social networks to sniff out potential threats.
  • Cyber resilience and defence: Ensuring that systems – ranging from IT, critical infrastructure, telecom, business, financial and government systems – are capable of delivering their intended outcome at all times, even when under attack or after falling victim to a security breach.

Let’s look at the first aspect in a bit more detail.

Strategic communication or messaging, as briefly touched upon above, is the process of putting out a counter-narrative of positivity, community and wholesomeness to take on the notions of alienation, disenfranchisement or the idea that a particular way of life is under threat espoused by the offerings of the Islamic State and its ilk.

All of which sounds great in theory, but there are a few considerations that must be borne in mind.

The first of these is that identifying the social media platforms most commonly used by extremists is of utmost importance. It’s no good trawling millions of MySpace profiles and Instagram posts, if the most commonly-used platform is Snapchat. Identification of the most-used platform is important because it’s there that the counter-messages can be sent out.

The second factor is research. That is to say that conditions that are conducive to and drivers that lead people to radicalisation must be identified and understood. This understanding cannot come from someone sitting in Washington, DC, London or New Delhi. Ergo, this requires an on-ground team that understands the local language, culture and, without being too glib, life.

The third of these is the need to rope in community leaders and groups to be part of the movement. Governments, as pointed out by the Hedayah Centre’s senior research analyst Sara Zeiger, may not always be the best messengers. Considering a lot of the propaganda being countered is essentially anti-government (or as in the case of the Islamic State, against the notion of nation-states entirely), what is needed is a voice with credibility. And that’s where community volunteers and leaders play an important role.

A sub-part of this section is marketing. It’s no good putting out counter-messages that are dull and monotonous, like a professor sitting in front of a blackboard talking about why violent extremism is bad. To counter a well-produced and packaged message from extremists, an equally appealing, eye-catching and ‘shareworthy’ missive is required. Irfan Saeed, the deputy director for CVE in the US state department, noted that it’s less about content than it is about dissemination, adding that on average, children watch Facebook videos for between seven and eight seconds. That is the window you get in which to make an impact. And that is another reason why this task cannot be left to governments alone.

READ  Do Macs get viruses? | Do Macs need antivirus software: Why you (probably) need antivirus software for your Mac, and our Mac security FAQs

Fourth, while the online medium is a very commonly used one and let’s be honest, the easiest one to employ in the quest to radicalise, the process is by no means limited to the internet. What happens offline is more immediate and effective than the online method. As a result, CVE has to be a holistic process, that includes counselling, public speeches and a programme of rehabilitation and reintegration for those who have gone astray.

This is all great, but it raises a lot of implications, which is what the fifth consideration is all about. What happens to the freedom of speech and privacy? Presumably, to be able to sift through messages to find those that propagate extremism, a few toes will be trampled upon in the process. And innocent users may find themselves on the receiving end of deleted posts/accounts on one hand, to criminal investigation and arrest on the other. Ensuring that innocent users aren’t targeted and their privacy/freedom of speech isn’t compromised, requires, as highlighted at the start of this section, trust. And this is a two-way street. Citizens and law-enforcement agencies must trust each other, which, sadly, is easier said than done.

So if social media – is such a problem, why not just block those sites or shut internet access down – as often happens in areas like the Kashmir Valley, you may well ask. Zafar Sobhan, editor of Bangladeshi daily Dhaka Tribune, said that a war of ideas, like the one in which we find ourselves, cannot be won by shutting down the medium; it can only be won with better ideas. Viewing the internet as the problem is to misdiagnose the case at hand. In fact, as Union minister Ravi Shankar Prasad noted after his ministerial address earlier at the Raisina Dialogue, “Just because some accidents take place on a highway, you don’t block the highway.”

At the end of the day, the internet is a tool. And like all modern day tools – whether an airplane, a mobile phone, a truck, a postal letter and so on, this one too can be used as a tool for terror. The degree of security that can be lent to this tool depends on all of us. Trust, transparency and vigilance are the need of the day, because as Uri Rosenthal, special envoy for cyberspace in the Dutch government’s Ministry of Foreign Affairs, pointed out, “The internet is only as strong as its weakest link.”