The correct control of cyber security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions.
Information technology (IT) is critical and valuable to our society. IT systems support business processes by storing, processing, and communicating critical and sensitive business data. In addition, IT systems are often used to control and monitor physical industrial processes. For example, our electrical power supply, water supply and railroads are controlled by IT systems. These “controlling” systems have many names. In this Notes they are referred to as SCADA (Supervisory Control and Data Acquisition) systems, or occasionally, as industrial control systems. They are complex real-time systems that include components like databases, application servers, web interfaces, human machine interfaces, dedicated communication equipment, process control logic, and numerous sensors and actuators that measure and control the state of the industrial process. In many industrial processes (e.g., electrical power transmission) these components are also distributed over a large geographical area. SCADA systems can be seen as the nervous system of industrial processes and since our society is heavily dependent on the industrial processes that SCADA systems manage, we are also dependent on the behavior of our SCADA systems.
Over the last two decades our SCADA systems and their environments have changed. They used to be built on proprietary and specialized protocols and platforms. Today, however, SCADA systems operate on top of common and widely used operating systems (Windows XP) and use protocols that are standardized and publicly available. These changes have altered the threat environment for SCADA systems.
The move to more well-known and open solutions lowers the threshold for attackers who seek to exploit vulnerabilities in these SCADA systems. Vulnerabilities are regularly found in the software components used in SCADA systems (the operating systems) and instructions that can be used to exploit these vulnerabilities are often made available in the public domain. The increased openness also lowers the thresholds for attacks targeting special-purpose SCADA components, programmable logic controllers (PLCs). Today there is an interest in the vulnerabilities they have and there is information available in the public domain about their design and internal components. In fact, it is even possible to buy a subscription to exploit code specifically targeting SCADA systems’ components. In other words, a successful cyber attack against a SCADA system today does not require the SCADA-expertise that was required prior to the move to more open, standardized and common components.
In parallel with the move to more common and widely known solutions, SCADA systems have moved from being isolated and standalone to be interwoven in the larger IT environment of enterprises. Process data collected by SCADA systems, production plans, and facility drawings are often exchanged over enterprises’ computer networks. It is also common to allow users to remotely connect to operator interfaces, for instance, so that process-operators can connect remotely when they are on standby duty and so that suppliers are able to perform maintenance remotely.
The increased integration with more administrative enterprise systems has also contributed to a changed threat environment. Administrative systems are, with few exceptions, connected (directly or indirectly) to the internet. Hence, the possibility for administrative systems to exchange data with SCADA systems is also a possibility for attackers or malware to come in contact with these systems and exploit their vulnerabilities, without physical proximity.
The lowered threshold to find and use SCADA-related vulnerabilities and tighter integration with enterprise systems are two cyber security problems that add to the volume of cyber security issues related to architecture and configuration of the actual SCADA systems. Historically, SCADA systems were built to be reliable and available, but not to be secure against attacks with a malicious intent.
SCADA systems are thus critical assets, have exploitable vulnerabilities, and are interwoven into the enterprise architectures. Decision makers who wish to manage their cyber security need to be able to assess the vulnerabilities associated with different solution architectures. However, assessing the cyber security of an enterprise environment is difficult. The budget allocated for cyber security assessments is usually limited. This prohibits assessments from covering and investigating all factors that could be of importance. The set of variables that should be investigated, and how important they are, is also hazy and partly unknown. For instance, guidelines such as do not prioritize their cyber security recommendations. Such prioritizations are also difficult to do in a generic guideline since the importance of many variables are contingent on the systems architecture and environment and guidelines are limited to one or few typical architectures. Variables are also dependent on each other. An attack against a SCADA system may be performed in a number of ways and can involve a series of steps where different vulnerabilities are exploited. Thus, some combinations of vulnerabilities can make an attack easy, but a slightly different combination may make attacks extremely difficult. Thus, informed decisions require an analysis of the vulnerabilities associated with different architectural scenarios, and at the same time, an analysis of how these vulnerabilities relate to each other.
These problems are not unique for SCADA systems. Many administrative IT systems also have complex environments; administrative IT systems often need to be analyzed on a high level of abstraction; the importance of different variables is hazy also for administrative IT systems. Like the administrative environment, the SCADA environment consists of software, hardware, humans, and management processes. And as described above, there is a substantial overlap between the components which are used in both environments today. However, there is a difference in what needs to be protected in these environments. Security is often thought of as a triage of confidentiality, integrity and availability. For SCADA systems, integrity and availability of functionality are crucial, but confidentiality of business data is not. Because of this, cyber security assessments of SCADA systems have a different focus than for many other systems. The importance of availability and integrity has also other implications. For instance, because of the consequence of a potential malfunction, it is recommended that SCADA systems should not be updated before extensive testing, and network based vulnerability scanners should be used with care in SCADA environments.
Information security is increasingly seen as not only fulfillment of Confidentiality, Integrity and Availability, but as protecting against a number of threats having by doing correct economic tradeoffs. A growing research into the economics of information security during the last decade aims to understand security problems in terms of economic factors and incentives among agents making decisions about security, typically assumed to aim at maximizing their utility. Such analysis is made by treating economic factors as equally important in explaining security problems as properties inherent in the systems that are to be protected. It is thus natural to view the control of security as a sequence of decisions that have to be made as new information appears about an uncertain threat environment. Seen in the light of this and that obtaining security information usually in it is cost, I think that any usage of security metrics must be related to allowing more rational decisions with respect to security. It is in this way I consider security metrics and decisions in the following. The basic way to understand any decision-making situation is to consider which kind of information the decision-maker will have available to form the basis of judgments. For people, both the available information, but also potentially the way in which it is framed (presented), may affect how well decisions will be made to ensure goals.
One of the common requirements on security metrics is that they should be able to guide decisions and actions to reach security goals. However, it is an open question how to make a security metric usable and ensuring such usage will be correct (with respect to achieving goals) comes with challenges. The idea to use quantified risk as a metric for decisions can be split up into two steps. First do objective risk analysis using both assessment of system vulnerabilities and available threats in order to measure security risk. Second, present these results in a usable way so that the decision-maker can make correct and rational decisions. While both of these steps present considerable challenges to using good security metrics, I consider why decisions using quantified security risk as a metric may go wrong in the second step. Lacking information about security properties of a system clearly limits the security decisions, but I fear that introducing metrics do not necessarily improve them; this may be due to 1) that information is incorrect or imprecise, or 2) that usage will be incorrect. This work takes the second view and we argue that even with perfect risk assessment, it may not be obvious that security decisions will always improve. I am thus seeking properties in risky decision problems that actually predict the overall goal – maximizing utility – to be, or not to be, fulfilled. More specifically, we need to find properties in quantifications that may put decision-making at risk of going wrong.
The way to understand where security decisions go wrong is by using how people are predicted to act on perceived rather than actual risk. I thus need to use both normative and descriptive models of decision-making under risk. For normative decisions, I use the well-established economic principle of maximizing expected utility. But for the descriptive part, I note that decision faults on risky decisions not only happen in various situations, but have remarkably been shown to happen systematically describe by models from behavioral economics.
I have considered when quantified risk is being used by people making security decisions. An exploration of the parameter space in two simple problems showed that results from behavioral economics may have impact on the usability of quantitative risk methods. The results visualized do not lend themselves to easy and intuitive explanations, but I view my results as a first systematic step towards understanding security problems with quantitative information.
There have been many proposals to quantify risk for information security, mostly in order to allow better security decisions. But a blind belief in quantification itself seems unwise, even if it is made correctly. Behavioral economics shows systematic deviations of weighting when people act on explicit risk. This is likely to threaten security and its goals as security is increasingly seen as the management of economical trade-offs. I think that these findings can be used partially to predict or understand wrong security decisions depending on risk information. Furthermore, this motivates the study how strategic agents may manipulate, or attack, the perception of a risky decision.
Even though any descriptive model of human decision-making is approximate at best, I still believe this work gives a well-articulated argument regarding threats with using explicit risk as security metric. My approach may also be understood in terms of standard system specification and threat models: economic rationality in this case is the specification, and the threat depends on bias for risk information. I also studied a way of correcting the problem with reframing for two simple security decision scenarios, but only got partial predictive support for fixing problems this way. Furthermore, I have not found such numerical examinations in behavioral economics to date.
Further work on this topic needs to empirically confirm or reject these predictions and study to which degree they occur (even though previous work clearly makes the hypothesis clearly plausible at least to some degree) in a security context. Furthermore, I think that similar issues may also arise with several forms of quantified information for security decisions.
These questions may also be extended to consider several self-interested parties, in game-theoretical situations. Another topic is using different utility functions, and where it may be normative to be economically risk-aversive rather than risk-neutral. With respect to the problems outlined, rational decision-making is a natural way to understand and motivate the control of security and requirements on security metrics. But when selecting the format of information, a problem is also partially about usability. Usability faults often turn into security problems, which is also likely for quantified risk. In the end the challenge is to provide users with usable security information, and even more broadly investigate what kind of support is required for decisions. This is clearly a topic for further research since introducing quantified risk is not without problems. Using knowledge from economics and psychology seems necessary to understand the correct control of security.
Biological warfare: A global security threat
Biological warfare is not a new concept in arena of international politics as it has been used as a tool to sabotage enemy in previous centuries. Biological weapons are a sub-category of Weapons of Mass destruction (WMDs) in which there is a deliberate use of micro-organisms like pathogens and toxins to cause disease or death in humans, livestock and yields.Form its usage in 14th century by Mongols to its usage by imperial Japan during 1930s-40s against Chinese, it has always been a threat to global security. The evolution of bio-weapons can be broadly categorized into four phases; first phase includes the post WWII developments with the evident use of chlorine and phosgene in Ypres.The second phase was marked by the use of nerve agents like tabun, cholinesterase inhibitor and anthrax and plague bombs. The initiation of third phase was marked by the use of biological weapons in Vietnam war during 1970s where deadly agents like Agent orange were used. 4th and last phase include the time of biological and technological revolution where genetic engineering techniques were at their peak. Traditionally they have been used in wartime in order to defeat enemy but with the emergence of violent non-state actors, bioterrorism is another potential threat to the security of states. There are certain goals that are associated with the use of biological weapons. Firstly, it is purposed to hit to economy of the targeted country, breaking down government authority and have a psychological effect on masses of the targeted population. It is also a kind of psychological warfare as it may hit a smaller number of people but leaves impact on wider audience through intimidation and spreading fear. It also creates natural circumstances under which a population is induced with disease without revealing the actual perpetrator.
With the advancement in genetic engineering techniques more lethal biological weapons are being produced everyday around the world. Countries which are economically deprived are more likely to pursue such goals as it is difficult for them to go for heavy military sophistication keeping into consideration their poor economic conditions. Biological weapons serve as inexpensive tool for developing countries to address their issues in prevailing international security environment. During the initial decades of cold war, united states of America (USA) and Soviet Union went for acquiring tons of biological weapons alongside nuclear proliferation.
The quest for these weapons reduced during 1970s with the formation of Biological and Toxin Weapons Convention (BWC). This convention was presented in 1972 before countries and finally came into force in 1975 with 150 countries who signed this convention and 140 countries who fully joined this treaty. This convention prohibits any biological weaponization in order to promote peace and stability around the world. But this convention has obvious defects as it is unable to address many issues like it doesn’t prevents itself the use of biological weapons but just reinforces 1925 Geneva Protocol which forbids the use of bio-weapons. Convention allows ‘defensive research’ to which there are many objections that what is incorporated into this defensive research. It is non-binding to the signatory states and in case if countries are proliferating it lacks the effective oversight techniques to look after them either they are pursuing these biological weapons capabilities or not. Since the inception of this convention till now it has clearly failed in stopping the countries from acquisition as well as usage of these weapons. This is evident as there were many cases after 1975 where these weapons were used as in 1980s when Iraq used mustard gas, sarin and tabun against Iran and many other ethnic groups inside Iran. Another incident which was highlighted was Sarine nerve gas attack in Tokyo subway system leaving thousands injured and many got killed. In post-cold war era, however, the number of these attacks reduced as much attention was shifted to terrorism after 9/11 attacks with the change in global security architecture.
“Anthrax letters” in post 9/11 attacks revealed yet another dimension of bio-weapons which was the threat of bioterrorism from non-state actors. US became a victim of bio-terrorism when in 2001 a powder was transported through letters containing bacterium called anthrax infecting many people. One purpose which terrorists have is to make general masses feel as if they are unsafe in the hands of their government which can be best achieved through the use of these weapons. The fact that biological weapons are cheaper and more devastating than conventional weapons make it more likely for biological weapons to be used by terrorists. Also, the fact that they are easy to hide and transport and a smaller quantity can leave long-lasting impacts on larger population makes these weapons more appealing. Now that we are facing a global pandemic in the form of COVID-19 which according to some conspiracy theories is a biological weapon pose even more serious challenge to the international security in coming decades. There is no such scientific research which proves Corona Virus as a biological weapon but the realization here is that whether or not it is a biological weapon but world was least prepared for it. Not only the developing countries but also developed states suffered more despite having enormous medical infrastructure. The fact that there has been decline in the incidents related to bioterrorism should never let us think that there is no possibility of such attacks. The fact that world failed to handle Covid-19 puts a question mark on the credibility of measures if we are faced with bio-terrorism. The medical community as well as general population needs to develop an understanding of how to respond if there is such attack. At the international level there is a dire need to develop some strong norms which discourage the development and use of such weapons in any capacity.
The ‘Post-Covid-19 World’ Will Never Come
On May 3rd, the New York Times bannered “Reaching ‘Herd Immunity’ Is Unlikely in the U.S., Experts Now Believe” and reported that “there is widespread consensus among scientists and public health experts that the herd immunity threshold is not attainable — at least not in the foreseeable future, and perhaps not ever.”
In other words: the ‘news’-sources that were opposing the governments’ taking action against Covid-19 — libertarian ’news’-sites that oppose governmental laws and regulations, regardless of the predominant view by the vast majority of the scientists who specialize in studying the given subject — are looking wronger all the time, as this “novel coronavirus” (which is what it was originally called) becomes less and less “novel,” and more and more understood scientifically.
The “herd immunity” advocates for anti-Covid-19 policies have been saying that governments should just let the virus spread until nature takes its course and such a large proportion of the population have survived the infection as to then greatly reduce the likelihood that an uninfected person will become infected. An uninfected person will increasingly be surrounded by people who have developed a natural immunity to the disease, and by people who don’t and never did become infected by it. The vulnerable people will have become eliminated (died) or else cured, and so they won’t be spreading the disease to others. That’s the libertarian ’solution’, the final solution to the Covid-19 problem, according to libertarians.
For example, on 9 April 2020, Forbes magazine headlined “After Rejecting A Coronavirus Lockdown, Sweden Sees Rise In Deaths” and reported that, “Sweden’s chief epidemiologist Anders Tegnell has continuously advocated for laid back measures, saying on Swedish TV Sunday that the pandemic could be defeated by herd immunity, or the indirect protection from a large portion of a population being immune to an infection, or a combination of immunity and vaccination. However, critics have argued that with a coronavirus vaccine could be more than a year away, and insufficient evidence that coronavirus patients that recover are immune from becoming infected again, the strategy of relying on herd immunity and vaccinations [is] ineffective.”
The libertarian proposal of relying upon “herd immunity” for producing policies against this disease has continued, nonetheless.
CNN headlined on 28 April 2020, “Sweden says its coronavirus approach has worked. The numbers suggest a different story”, and reported that
On March 28, a petition signed by 2,000 Swedish researchers, including Carl-Henrik Heldin, chairman of the Nobel Foundation, called for the nation’s government to “immediately take steps to comply with the World Health Organization’s (WHO) recommendations.”
The scientists added: “The measures should aim to severely limit contact between people in society and to greatly increase the capacity to test people for Covid-19 infection.”
“These measures must be in place as soon as possible, as is currently the case in our European neighboring countries,” they wrote. “Our country should not be an exception to the work to curb the pandemic.”
The petition said that trying to “create a herd immunity, in the same way that occurs during an influenza epidemic, has low scientific support.”
Swedish authorities have denied having a strategy to create herd immunity, one the UK government was rumored to be working towards earlier on in the pandemic — leading to widespread criticism — before it enforced a strict lockdown.
FORTUNE magazine headlined on 30 July 2020, “How parts of India inadvertently achieved herd immunity”, and reported that, “Around 57% of people across parts of India’s financial hub of Mumbai have coronavirus antibodies, a July study found, indicating that the population may have inadvertently achieved the controversial ‘herd immunity’ protection from the coronavirus.” Furthermore:
Herd immunity is an approach to the coronavirus pandemic where, instead of instituting lockdowns and other restrictions to slow infections, authorities allow daily life to go on as normal, letting the disease spread. In theory, enough people will become infected, recover, and gain immunity that the spread will slow on its own and people who are not immune will be protected by the immunity of those who are. University of Chicago researchers estimated in a paper published in May that achieving herd immunity from COVID-19 would require 67% of people to be immune to the disease. Mayo Clinic estimates 70% of the U.S. population will need to be immune for the U.S. to achieve herd immunity, which can also be achieved by vaccinating that proportion of a population.
On 27 September 2020, Reuters bannered “In Brazil’s Amazon a COVID-19 resurgence dashes herd immunity hopes”, and reported that, “The largest city in Brazil’s Amazon has closed bars and river beaches to contain a fresh surge of coronavirus cases, a trend that may dash theories that Manaus was one of the world’s first places to reach collective, or herd, immunity.”
Right now, the global average of Covid-19 intensity (total cases of the disease thus far) is 19,693 persons per million population. For examples: Botswana is barely below that intensity, at 19,629, and Norway is barely above that intensity, at 20,795. Sweden is at 95,905, which is nearly five times the global average. Brazil is 69,006, which is around 3.5 times worse than average. India is 14,321, which is slightly better than average. USA is 99,754.
However, the day prior, on May 2nd, America had 30,701 new cases. Brazil had 28,935. Norway had 210. India had 370,059. Sweden’s latest daily count (as-of May 3rd) was 5,937 on April 29th, 15 times Norway’s 385 on that date. Sweden’s population is 1.9 times that of Norway. India’s daily count is soaring. Their population is four times America’s, but the number of new daily cases in India is twelve times America’s. Whereas India has had only one-seventh as much Covid-19 intensity till now, India is soaring upwards to become ultimately, perhaps, even worse than America is on Covid-19 performance. And Brazil is already almost as bad as America, on Covid-19 performance, and will soon surpass America in Covid-19 failure.
There is no “herd immunity” against Covid-19, yet, anywhere. It’s just another libertarian myth. But libertarians still continue to believe it — they refuse to accept the data.
Application of Cyber Security: A Comparative Analysis of Pakistan and India
In today’s world, communication is controlled by the internet. The Internet is what links the communication protocol of a state to its cyber domain. Cyber security encompasses techniques, technologies, methods and blueprints made to secure networking systems from potential cyber-attacks. Efficient systems of cyber security therefore mitigate and reduce the danger of network systems being attacked or accessed by unauthorized systems.
Despite the existence of such robust networks and security protocols, the exploit of such systems is always a click away, due to the integration of the internet as a worldwide network, and in times of global outbreaks and crisis, internet activity also inevitably increases. This was particularly observable with the spread of the Covid-19 as a global pandemic, which also saw an increase in over-the-web activity, and gave a new breathing space for cyber-criminals. According to estimates, Covid-19, as a pandemic, can already be classified as the largest ever existing threat to cyber-security across the globe, since the induction of the world wide web as a global chain of networks. Thus, it would be fair to say that the effects of the covid-19 were not selectively felt by developing states only, but also encapsulated great powers of the contemporary era.
While contextualizing Pakistan and India in the cyber-security debate following the events of the covid-19 scenario, the trend in increased virtual cyber-attacks and espionage was no different to the rest of the world. The real question mark lies in the ability of both countries to effectively deal with the overwhelming cyber-activity in the post-pandemic era. The government of Pakistan established the National Center for Cyber Security (NCCS) in June 2018, and continues to strengthen its cyber-security domain, with a dynamic change in policy making, centric to cybersecurity and threats to cybersecurity from its immediate adversary, India. The current Prime Minister of Pakistan, Mr. Imran Khan, also launched ‘Digital Pakistan Vision’, with the primary objectives of increasing connectivity, rectifying digital infrastructure, and investing in the awareness of digital skills and promotion of entrepreneurship. Pakistan also approved the first ‘Digital Pakistan Policy’, aiming to focus on investment opportunities by IT companies and building the framework necessary for a digital ecosystem. Although a sustained effort has been made to strengthen the cyber-domain of Pakistan, there are many technicalities and loopholes that must be addressed with high priority. One, the lack of an effective communication method, that is free from external intrusion, and allows for the restriction of unwanted network traffic on its master server. In more recent times, an intrusion occurred during the webinar of Institute of Strategic Studies (ISSI) due to non-encrypted internet connection, which allowed unspecified individuals access to the digital webinar. Two, the lack of stable internet connectivity, which prevents effective implementation of security protocols and acts as a hindrance to critical data packets, that must be sent between cyber-security officials in an event of a cyber-attack or espionage of any degree. Three, the existence of exploitable source code in key governmental websites and pages that are always prone to cyber-attacks, and must be revisited in the near future.
On the other hand, India saw a 37% in cyber-activity in the wake of the covid-19 pandemic; an eye-opener for state officials, who have prioritized cybersecurity as the next immediate threat to Indian National Security. In recent developments, India has also launched several directives to its cyber-security strategy in the post-pandemic era, including the initiative launched by The Ministry of Electronics and Information Technology (MEITY), namely ‘Cyber Surakshit Bharat’ with the coordination and support of the National E-Governance Division. According to MIETY, 44 training and mock drills are being given to 265 organizations from different states of the world, a landmark achievement in Indian cyber-security history. However, just like its South Asian neighbor Pakistan, India is also equally overwhelmed by the threat and emergence of hostile cyber-activity. With a 45% ratio of internal cyber attacks, and a 38% ratio of external intrusions from proposed adversaries, China and North Korea, India has strengthened its ties with Israel to revamp its cyber-security strategy, in order to mitigate the immediate threat to its cyber-domain, both internally and externally.
Conclusion and Recommendations
There is an immediate need to extend and further research the cyber capabilities of both Pakistan and India, which would primarily define the different types of technologies and how they are being actively made a part of the National security policy of both Pakistan and India. These efforts must be the immediate need of the hour, with the uncertainty of the Covid-19 and its irregular patterns becoming an inevitable fate of regional and global politics, in the times to come. While India seems to have its primary bases covered, there is no denying that the Covid-19 pandemic did not have a sparing effect on its cyber-domain, either, leaving the door open for Pakistan to make significant improvements to its cyber domain and cyber-security strategy, in order to effectively deter the threat faced from its adversary. Moreover, Pakistan can also seek inspiration from a potential integrated tri-service defense cyber strategy, that is being highly considered by Indian cyber-security and state officials, which would aid in keeping any form of cyber-hostility at bay in upcoming times.
Climate Change Problem: an Emerging Threat to Global Security
Climate Change is one of the greatest challenges faced by humanity. The Greenhouse–gas emissions and over-exploitation of natural resources result...
Viet Nam’s mango industry: towards compliance with export market requirements
A Swiss-funded project, implemented by the United Nations Industrial Development Organization (UNIDO), is helping mango value chain stakeholders in the...
Armenia After the Parliamentary Elections
On June 20, snap parliamentary elections will be held in Armenia. The move will ease tensions in the country but...
Free press ‘a cornerstone’ of democratic societies
The United Nations Secretary-General on Monday urged governments to “do everything in their power” to support free, independent and diverse...
The World Biggest COVID-19 Crisis: Failure of India’s Vaccine Diplomacy
As over 100 million people in the U.S. are fully vaccinated and the world’s daily count of new cases is...
New ways of thinking and working are necessary to reap blockchain benefits in capital markets
The World Economic Forum today released Digital Assets, Distributed Ledger Technology, and the Future of Capital Markets. Across the capital...
Ukraine to Modernize Higher Education System with World Bank Support
The World Bank’s Board of Executive Directors approved today a $200 million project to support the Government of Ukraine’s efforts...
Middle East3 days ago
Iran’s Impunity Will Grow if Evidence of Past Crimes is Fully Destroyed
Reports3 days ago
Global electric car sales set for further strong growth after 40% rise in 2020
Reports3 days ago
Labour market disruption & COVID-19 support measures contribute to widespread falls in taxes
Diplomacy3 days ago
Ramifications of The Pandemic In International Relations
South Asia2 days ago
West Bengal Election: Implications for Indian Politics
East Asia2 days ago
Kissinger Again Warns US, China Heading for Armageddon-like Clash
Economy2 days ago
Role of WTO in Regularization of International Trade
Energy News3 days ago
Seven Countries Account for Two-Thirds of Global Gas Flaring