Dr. Tughral Yamin, Associate Dean, NUST Institute of Peace and Conflict Studies, delivered a lecture on “Security and Cyber Warfare: Implications and Challenges” on August 11, 2015, at IPRI.
Dr. Tughral Yamin defined the concept of National Security and said that the government was responsible for protecting the state and its citizens against all kinds of internal and external threats. He argued that the government assured the protection of the state and its citizens on the basis of elements of national power such as the international stature of a state, economic strength, military might, technological superiority, diplomatic skills, energy and mineral resources, national leadership and its ability to maintain law and order within the country. He highlighted that responsibility for national security was generally enshrined in a nation’s constitution, while many countries like the US and India as well as Pakistan had delegated the responsibility of coordinating national security matters to their National Security Advisors.
He said that the United States and India had created the offices of the Cyber Security Coordinators, who reported directly to the President or Prime Minister, while Pakistan had yet to designate a lead agency wholly or partially responsible for cyber affairs. He identified the stakeholders as the Cabinet Committee on National Security, the Ministry of Defence, the Ministry of Interior, the Ministry of IT, the Joint Services Headquarters, the Intelligence Agencies and the IT Industry.
He defined cyber warfare as internet-based conflict comprising two types of warfare: offensive cyber warfare and defensive cyber warfare. He argued that offensive cyber warfare involved attacks on the adversary’s information systems, while defensive cyber warfare involved defensive measures against such attacks. He said that cyber-attacks could disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.
He described two types of cyber-attacks: syntactic attacks and semantic attacks. A syntactic attack, according to him, involved introducing malicious software such as viruses, worms and Trojan horses into the adversary’s system. A semantic attack, as he described it, was carried out by modifying or disseminating correct and incorrect information, either to set someone in the wrong direction or to cover one’s tracks. He elaborated that a typical cyber-attack took place when malicious acts, usually originating from an anonymous source, were used to hack into a susceptible system to steal data, alter data and destroy the system.
He said that the targets of a cyber-attack could be personal computers; computer networks managing the information systems of organizations, businesses, and financial institutions; and critical infrastructure (the vital assets of a nation, virtual or physical) controlled by Supervisory Control and Data Acquisition (SCADA) systems.
He mentioned that state actors, non-state actors, criminals, hackers, freelancers and insiders in any facility could launch cyber-attacks. He said that cyber-attacks could have an adverse impact on national security and could paralyze the government’s decision-making systems; cripple a nation’s critical infrastructure; cause panic among the masses; and trigger inadvertent wars.
He gave examples of various states which underwent cyber-attacks and highlighted the impact of these attacks on national security. He cited the example of Estonia, where a series of cyber-attacks was launched in April 2007, targeting the websites of organizations including the parliament, banks, ministries, newspapers and broadcast stations, and led to the denial of services against the general public. He also talked about physical as well as cyber-attacks against Georgia in 2008, when the website of the Georgian President was overloaded and taken down for twenty-four hours and news agencies, television stations and other important websites were hacked.
He highlighted Stuxnet, a worm, which was typically introduced to the target environment via an infected USB flash drive. He said that Stuxnet compromised Iranian PLCs (Programmable Logic Controllers), collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart, destroying almost one-fifth of Iran’s nuclear centrifuges.
He gave the example of a US drone that flew from Afghanistan and violated Iranian air space and, after its IP (internet protocol) address was changed, was made to land in Iranian territory. He identified the role of non-state actors in launching cyber warfare and gave the example of ISIS, which hacked the US Central Command’s website.
He concluded by saying that there was a lack of awareness about cyber threats and security and suggested that Pakistan should formulate a cyber-security policy and appoint a federal coordinator for cyber security. He also recommended that Pakistan should have a Computer Emergency Response Team (CERT) and noted that it did not have cyber security cooperation agreements with the regional states either. He stressed the need to put the issue of cyber security cooperation on the agenda of SAARC to enhance cooperation in this domain in South Asia.