Threats of the unseen kind
A budding computer scientist pursuing a PhD at the McMaster University, Canada recently wrote a blog post on the increasing human capacity for self-destruction enabled by science. First, it was the atomic bomb created by physicists, then it was the nerve gas created by chemists, and now the neural networks created by cyber nerds that pump enormous power into artificial intelligence bots—bots that can take over our lives, manipulate our behaviour, and pretty much get us to do anything they please.
The atomic bombs have captured our imagination for almost 70 years since the US bombing of Hiroshima and Nagasaki in 1945 due to their massive destructive power (a single hydrogen bomb has the power to level a mega city of several million people). Nerve gas and other chemical weapons only came to light after the horrific results of such weapons used by the US on innocent civilians during the Vietnam War. Chemical weapons don't create a bang as big as atomic weapons but their impact on human lives is just as deadly or may be even worse.
Because of their deadly and inhuman effects on people, the UN has placed a universal ban on such weapons but people in general are still not as fascinated by chemical weapons as they are by atomic weapons.
Now rogue cyber systems leveraging the computational prowess of computer processors that are growing geometrically from year to year and self-learning artificial intelligence programmes known as machine learning systems are weaponising a threat of a previously unseen kind—threats that most people associate with science fiction movies like the Terminator sequels. Notwithstanding the common perception to the contrary, such threats are real although most of us don't realise that a Terminator-movie-like Skynet is a distinct possibility in the near future.
What is more alarming is that criminal minds combining forces with cyber techies can swoop down on any computer system anywhere in the world stealing and/or mutating personal, financial, medical, property, government and utility databases and leave billions of dollars' worth of damage in its wake. Such cybercrimes are happening all the time, and what's disconcerting is that these crimes are most often perpetrated from outside our borders.
The hacking of sensitive government sites happens almost every other month and most of the time the damage is not assessed or made public. The 2016 cyber heist of Bangladesh Bank funds from the Federal Reserve Bank of New York came to light many months later only after a hue and cry at the Philippines parliament got reported in the press. Aside from the central bank, a recent assessment of the commercial banks, as reported in this paper, found them woefully unprepared to fend off a cyber attack. Our utilities are also not safe nor are the law enforcement and civil defence systems.
However, keeping our heads buried in the sand will not save us from cyber storms that are imperceptibly brewing as we speak. According to UN estimates, the world economy loses more than a trillion dollars to cybercrimes every year—that's more than 1 percent of the global GDP. Just because we can't see it does not mean cyber threats are not real. In fact, persistent cyber threats are the most common danger to our well-being as a citizen and as a nation.
While the government has lately paid heed to cyber threats and prepared a draft Cyber Security Act, the effort met with serious criticisms from civil liberties and human rights advocates as the proposed act purportedly contains provisions of discretionary authority to detain citizens and confiscate property without showing a probable cause. The criticisms are very serious in nature and deserve appropriate review by the cabinet and the parliament. However, we must also realise that a modern cyber security act along with its enforcement paraphernalia is a crying need of the hour and we must do everything possible to make that happen. We certainly must uphold human rights and protect citizens from unlawful detentions but at the same time we must not throw away the baby with the bathwater when dealing with cyber threats.
The draft Cyber Security Act is known to have proposed a cyber security council headed by the prime minister and a cyber security directorate headed by a civil servant. It is time the policymakers came to their senses and revised the proposal in line with modern constructs to effectively fend off cyber threats—threats that can literally wipe out 2-4 billion dollars' worth or 1-2 percent of GDP every year. First of all, civil or military services simply cannot produce an officer capable of addressing and managing the highly technical cyber security affairs, and that is true not just in Bangladesh but anywhere in the world. Secondly, with the kind of magisterial authority envisaged for the position, the head of the cyber security organ must be sanctioned by the constitution, or in other words, it must be a constitutional post like the C&AG.
Thirdly, in order to afford truly capable citizens engaged in such a service, the post needs to have compensations in line with the market demand for such positions. This constitutional post may be given an appropriate name signifying its authority and the rank and status of a State Minister. The position should be made answerable to the parliament and given appropriate legal mandates to exercise enforcement of the law with due process under the law of the land.
One of the routine functions of this new Office of the Cyber Security should be to make periodic cyber security sweeps of all key cyber installations such as the national data centre, Bangladesh Bank data centre, election commission data centre, passports and immigration data centre, submarine cable landing station, Bangabandhu satellite earth station and other such installations. The cyber security boss's office should also carry out cyber vulnerability checks under simulated cyber attacks and promulgate specific business continuity procedures in case of multi-source combined cyber attacks, or even state-sponsored cyber warfare. These kinds of threats are emerging all the time, and state-sponsored cyber bots like Stuxnet crippling nuclear installations in foreign countries are not the exception, but increasingly, the norm.
If a swarm of remotely piloted, weaponised drones attack us, then no conventional air force and missile defence can protect us. Only an appropriate cyber security response can ward off such an evil onslaught. Is this conceivable in the near future? Ask the thousands of children in Afghanistan, Syria and Palestine that have succumbed to such drone attacks in the last decade. Can we afford to equip ourselves and build intrinsic capacity to fend off such attacks? The real question is, can we afford not to?