UN should take stronger steps on cybersecurity as economic crime and data theft dominate digital world

While the United Nations has, over the years, put into force several protocols dealing with cyber-attacks, events in the recent past point to their insufficiency in dissuading member nations from attacking each other in the cyber domain.

Most reported cyber-attacks are by its permanent members and non-state actors owing allegiance to rogue governments who hack government-controlled infrastructure and its websites. The attacked country is often left to defend itself by its poorly resourced cyber security cells. There has been no concerted effort by the UN to help crackdown on cyberwarfare which affects the common man, especially when it comes to their identity and data theft .

The UN was formed on October 24, 1945. Though it has a Geneva Convention on war, which is a series of treaties designed to protect wounded and sick soldiers during wartime, it understood the importance of cyberwarfare only under Secretary-General Ban Ki Moon in 2011 or thereabouts.

Cyber-attacks have been reported by nearly all member countries and most attacks originate out of US, Russia and China. Lately, even Pakistan has started both overt and covert cyberwarfare with a special focus on Indian government or related websites.

The case for a strong UN intervention becomes even more urgent as this September, when the UN General Assembly met in New York, it coincided with headlines about 500 million compromised Yahoo mail user accounts.

According to Global Risk Advisors, an international strategic consultancy specialising in cyber security and related fields, the lack of global stability becomes especially clear when we look at the UN Security Council. Among the five permanent members - China, France, the Russian Federation, the United Kingdom, and the United States - the US, China, and Russia are most active in cyberwarfare.

So, what exactly is cyberwarfare? The UN has no set definition of what constitutes cyberwarfare and there are no UN conventions yet that govern it. The most accepted definition is that it is an area where nations hack or intrude into each another’s cyberspace with serious possibilities of damage – from dangerous acts such as disabling nuclear systems to defacing home pages of government organisations.

Such cyber-attacks affect individuals when it involves data theft like the one that happened last week, where three million debit cards of both MasterCard and Visa issued by the State Bank of India, ICICI, Axis Bank, Yes Bank and HDFC bank were compromised. All the banks whose users’ data have been compromised point to the fact that it was done outside India, which is where the role of the UN gains more importance.

Murali Mohan, a cybercrime expert based in Bengaluru, says that there are many types of cybercrimes that occur, but the most dangerous are the ones that involve personal details such as identity theft and bank data thefts which can have international ramifications.

“The number of financial crimes are very high. It may involve Nigerian scammers who trick victims into transferring funds to those sitting abroad and withdrawing money from your account. The banks never take onus and always put the blame on the victim for being careless. But, if you look at last week’s debit cards case, it affected only those who used a particular bank’s ATM which was compromised,” says Murali Mohan.

This incident highlights new security challenges for banks as the breach has been traced to the Hardware Security Module where a suspected malware in the Yes Bank ATM’s led to card numbers and PIN details being compromised. The source of the trouble was pinpointed to Hitachi Payment Services, which manages the bank’s ATM network. But, a review undertaken by Yes Bank, however, said no evidence of a breach has been detected in its ATM machines. But, whatever be the case, this is far more serious than phishing where fraudsters install skimmers on ATM machines. It also hit debit cards as these cards are not secured by a chip and hence easy to clone once basic details are gathered.

As of 2012, at least 11 nations had offensive cyberwarfare capabilities, while at least 33 had defensive capabilities. Among the nations with offensive capabilities, the United States, China, and Russia have publicly announced the existence of cyberwarfare units within their militaries, says Global Risk Advisors.

The group in its report on cyberwarfare said:

Chinese hacks tend to be information-focussed with an eye toward industrial espionage. For example, Chinese hackers have stolen classified information on the F-35 fighter jet, and in 2010 they managed to hack into 34 large companies including Google. While Chinese hackers tend to make a lot of noise when they attack, Russian hackers tend to be subtler, like their US counterparts. Most recently, hackers believed to be tied to the Russian government have tried selling stolen NSA cyber weapons on the internet.

But the question is whether the UN is helpless to prevent it?

Much before the UN took any initiative, it was the Council of Europe way back in 2001 that woke up to the potential wreck cyberwarfare could be and, as a result, the Budapest Convention on Cybercrime came into effect in 2004. In contrast, the UN’s effort has been more of a lip service as it passed a few resolutions where it has asked more capable countries to share information with other less-capable nations to defend themselves.

In 2010, an UN sub-group identified that cyber threats were a serious challenge in the 21^st century. More recently, members have begun responding to discuss a draft proposal to prevent members from using cyberspace for acts of aggression. It becomes more serious when data breaches happen and the common man is affected.