South Asia
EWI works with regional players on issues such as energy, cybersecurity and water management.
Building Trust in Cyberspace
The EastWest Institute released Building Trust in Cyberspace, a report featuring highlights of its 3rd Worldwide Cybersecurity Summit held in New Delhi on October 30-31, 2012. More than 300 participants from 22 countries heard from cyber experts from across the globe representing both the private and public sectors.
Many of the participants emphasized the importance of the conference's location. "We are all in the room today because we recognize that India is an essential partner on cybersecurity," said Ross Perot, Jr., chairman of the EastWest Institute.
The report contains results of an informal poll of participants, where 93 percent expressed the view that the cybersecurity risk is higher than one year ago. A preview of EWI's 4th Worldwide Cybersecurity Trustbuilding Summit, which will be held in Silicon Valley in 2013, is also included.
High-ranking Indian officials—among them, Deputy National Security Advisor Latha Reddy and Secretary R. Chandrashekhar of the Department of Telecommunications—not only participated in the summit but also helped frame key issues on the agenda. In addition, EWI partnered with the National Association of Software and Service Companies (NASSCOM), the Federation of Indian Chambers of Commerce and Industry (FICCI) and the Data Security Council of India (DSCI), which sponsored three breakthrough groups. The topics were chosen in consultation with the Indian government and private sector leaders.
Key summit sponsors included Deloitte, Goldman Sachs, Huawei, Knightsbridge Cybersystems, Microsoft, Reliance Industries Limited, Stroz Friedberg, and Vodafone. (For a full list of sponsors, see the opening section of the report.)
Top authorities from both industry and government agreed that the rapid pace of technological change has triggered a corresponding leap in exposure to vulnerabilities that can be exploited by cyber criminals. This has also raised fears about government intrusion that could threaten privacy and individual freedoms.
Michael Chertoff, chairman of the Chertoff Group and former U.S. Secretary of Homeland Security, pointed out how complicated many of these issues have become. "You cannot have privacy without security," he said, while acknowledging the legitimate fears that some governments will attempt to control Internet content.
Building Trust in Cyberspace illustrates how, as was the case with the previous summits in Dallas and London, the New Delhi summit helped spur the process of producing concrete recommendations for industry and government. If implemented, those recommendations will help make cyberspace and the real world more stable and secure.
For information on the 3rd Worldwide Cybersecurity Summit, please visit www.cybersummit2012.com
India and Pakistan’s Energy Security: Can Afghanistan Play a Critical Role?
India and Pakistan make up close to one-fifth of the world’s population, yet most people in these countries are without stable access to energy and power. As a result of these deficits, overall growth of these nations is stunted by 3 to 4 percent annually, which undermines sustainable development and stability in Southwest Asia.
In India and Pakistan’s Energy Security: Can Afghanistan Play a Critical Role?, EWI Fellow Danila Bochkarev argues that the power shortages can be addressed by building new energy corridors or a “New Silk Road,” which would transform Afghanistan into a regional trade and transit hub.
The report illustrates how this infrastructure would strengthen economic, political and social ties between Central Asia and South Asia and contribute to a more stable Afghanistan, allowing for improved economic growth.
"There is no shortage of energy resources in the Southwest Asia-Central Asia region and natural gas is abundantly available in this part of the world,” Bochkarev said. “Major centers of energy consumption in India and Pakistan are in proximity to the major producers of gas and hydroelectricity.”
The report describes two planned energy infrastructure projects that would run through Afghanistan—the Trans-Afghanistan Pipeline (TAPI) and the Central Asia South Asia Regional Electricity Trade Project (CASA 1000)—to access Turkmen gas and Central Asian electricity. “Afghanistan’s role as a transit country for gas from Central Asia can hardly be overestimated,” Bochkarev added.
A major challenge to these projects is, of course, the unstable security situation in Afghanistan and lack of genuine multilateral energy cooperation. Nonetheless, Bochkarev argues that the Energy Charter Treaty (ECT) could serve as an appropriate institutional umbrella for participating countries, providing for regional rules and regulations. ECT investment protection mechanisms, his report adds, would help to re-establish international investors’ confidence in the region’s economic and regulatory policies.
The release of this report coincides with the convening of the EastWest Institute’s 9th Annual Worldwide Security Conference in Brussels on November 12-13 at the World Customs Organization. The focus of WSC 9 will be “Reshaping Economic Security in Southwest Asia and the Middle East.”
For more information on the 9th Annual Worldwide Security Conference and to register, please visit: http://www.ewi.info/events/9th-annual-worldwide-security-conference.
The Cybersecurity Agenda: Mobilizing for International Action
A report by EWI and the Data Security Council of India lays out several recommendations to begin building the legal, technical and administrative foundations for an international system to secure cyberspace.
Cyberspace comprises IT networks, computer resources, and all the fixed and mobile devices connected to the global Internet. A nation’s cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space—land, sea, river waters, and air—cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it.
Cyberspace merges seamlessly with the physical world. So do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities.
Anyone can exploit vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified. As the Internet and new technologies grow, so do their vulnerabilities. Knowledge about these vulnerabilities and how to exploit them is widely available on the Internet. During the development of the global digital Internet and communications technology (ICT) infrastructure, the key considerations were interoperability and efficiency, not security. The explosion of mobile devices continues to be based on these insecure systems of Internet protocols.
It is increasingly cheap to launch cyber attacks, but security systems are getting more and more expensive. This growing asymmetry is a game changer. It has another dimension, too—individuals, terrorists, criminal gangs, or smaller nations can take on much bigger powers in cyberspace, and through it, in the physical world, as well. The effects of attacks on critical infrastructure such as electricity and water supplies are similar to those that would be caused by weapons of mass destruction, without the need for any physical attacks.
Proving attribution in cyberspace is a great challenge. In most cases, it is extremely difficult to attribute cyber attacks to nation-states and to collect irrefutable evidence. The very nature of botnets and zombies makes it difficult to do so, leading to the conclusion that “the Internet is the perfect platform for plausible deniability.”
Nations are developing cyber attack capabilities with a view to dominating cyberspace. However, unilateral dominance in cyberspace is not achievable by any country. But uncontrolled growth of cyber attack capabilities—in effect, cyber attack proliferation—is an increasingly troubling phenomenon. Yet another disturbing reality is that cyber attacks can be launched ever more easily, and propagated faster using the same broadband that nations are building for global e-commerce. Finally, the consequences of a cyber attack are more likely to be indirect and more uncertain than most scenarios currently envision; we may not always recognize the damage inflicted by cyber attackers.
Cybersecurity is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. Cybersecurity is not a technology problem that can be ‘solved’; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyber attacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Such attacks should spur debate and discussion, without any secrecy, both inside and outside governments at national and international levels. This is all the more so because of the growing number of significant actors not tied to, or even loosely affiliated with, nation-states. Over the last few months, events in cyberspace such as the GhostNet attacks on governments and large multinational corporations, whether to steal intellectual property or attack free speech, bear this out. They are not restricted by geographical borders or national laws.
There is an added dimension to this problem: the infrastructures are owned and operated by the private sector, and cyberspace passes through various legal jurisdictions all over the world. Each government has to engage in supporting its private sector for cybersecurity through effective public-private partnership (PPP) models, with clearly-defined roles for government and industry. Because cyberspace is relatively new, legal concepts for ‘standards of care’ do not exist. Should governments create incentives to generate collective action? For example, they could reduce liability in exchange for improved security, or introduce tax incentives, new regulatory requirements, and compliance mechanisms. Nations have to take appropriate steps in their respective jurisdictions to create necessary laws, promote the implementation of reasonable security practices, incident management, and information sharing mechanisms, and continuously educate both corporate and home users about cybersecurity.
International cooperation is essential to securing cyberspace. When it comes to tracking cyber criminals, it is not only the laws dealing with cyber crimes that must exist in various countries, but the collection of appropriate cyber forensics data in various jurisdictions and their presentation in courts of law, which are essential to bring criminals to justice in sovereign countries. Cybersecurity depends upon international cooperation at the following levels:
- National nodal centers on information infrastructure, based on public-private partnerships, to cooperate;
- Global service providers such as Google, Microsoft, Twitter, Yahoo, and Facebook to cooperate with law enforcement agencies in all countries and respond to their requests for investigations;
- Computer Emergency Response Teams (CERTs) to exchange threats and vulnerabilities data in an open way to build an early-watch-and-warning system;
- Incident management and sharing of information with a view to building an international incident response system;
- Critical-infrastructure protection: Establishment of an international clearing house for critical-infrastructure protection to share threats, vulnerabilities, and attack vectors;
- Sharing and deployment of best practices for cybersecurity;
- Creation of continued awareness on cyber threats, and international coordination as part of an early-watch-and-warning system;
- Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign responsibility, and use of force to reconcile differing national laws concerning the investigation and prosecution of cyber crimes, data preservation, protection, and privacy. Address the problem of existing cyber laws that do not carry enforcement provisions;
- Incident response and transnational cooperation, including establishment of appropriate mechanisms for cooperation. Such measures must include provisions to respond to counter cyber terrorism, including acts of sabotage of critical infrastructure and cyber espionage through information warfare;
- Law enforcement agencies to investigate cases, collect forensic evidence at the behest of other countries, and prosecute cyber criminals to bring them to justice.
It is time for the international community to start debates and discussions to encourage nations to create domestic public-private partnerships for cybersecurity, to establish laws for cyber crimes, and, more importantly, to take steps for international cooperation to secure cyberspace.