statutorily bound to provide adjacent space for intelligence agencies. Canada, the United Kingdom, and Germany were introduced laws that would restrict the freedom of the Internet. The question of the adequacy of technical methods to police the Internet was raised, and whether a certain level of compulsion can be introduced, since companies were most reluctant to move in this direction. It was also asked whether there are other models of cybersecurity, perhaps derived from industry practices or from the quality assurance model.30

How do India and the United States compare or differ in their vulnerability to cyberattack? Does India need a critical infrastructure assurance group or infrastructure protection agencies?

Balakrishnan’s response was that the problems in India and the United States are completely different. If you walk into an airport in India it is not uncommon to find that the computers are down and that they have switched to manual procedures. India now has an unreliable network, although it is not that poorly designed. Because of a variety of other infrastructure issues, sometimes the machines become unreliable.

He added that India’s international gateway bandwidth is much smaller compared to its national backbone bandwidth, whereas in the United States, both are comparable. A campus such as Carnegie-Mellon University (CMU) has an Internet connectivity of about 3.5 gigabytes (GBytes), and the U.S. backbone is of the same order. In other words, CMU is the Internet. In India the Internet is completely different from the Indian network, and only a thin pipe connects the two, so it is not possible to take over the bigger network—India’s system has an advantage as well as a disadvantage.

Is there a cause-and-effect relationship between cyberattacks and world events?

Balakrishnan’s response was that cause and effect were actually like transformers; one is a transformer of the other, and very often, unless we also do a deeper study of the violation of the causality principle, it is very difficult to say which came first. However, he continued, what we know is that within a window of 1 week to 10 days, both of them peak. We cannot say that if cyberactivity increases, tomorrow morning there will be a terrorist attack, but a week’s time is a more reasonable prediction that activity will flow up in both of them. This has been seen in several serious analyses of maps, methods, and so on.

As for the absence of suicide bombers in cyberspace, Balakrishnan noted that the problem is not only are there no suicide bombers, attackers’ identities are also unknown, giving them a phenomenal advantage. In this respect, it is instructive to compare Indian and U.S. law. Whenever you talk about damage, you talk about two things: time and jurisdiction. In India the jurisdiction is related to the place where the damage has occurred; thus, if a house is bombed, the case will go to a local court, whereas in the United States, if there is any damage to U.S. property, it will be tried in a federal court. Balakrishnan noted that under Indian law, if he hacked a Pakistani site, he would go to jail, but if a Pakistani hacked an Indian site, nothing would happen because he is not covered by Indian law, which is incompatible with the question of jurisdiction and borderless crime.

Lewis Branscomb noted that the jurisdiction problem was very difficult, but that

30

This model audits the quality control of companies to enable them to participate in government work; they have to meet certain government or military specifications.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement