Indian National Cyber Security
[Note developed for the Seminar on Cyber Security at Hotel Atria, Bangalore, on October 17, 2007]
India is celebrating 60 years of Independence. At this point in time it is natural for us to focus on the security of the nation. In the current Digital era, where “Governance” as well as “Business” is increasingly being led by ICT, the discussion on security of the nation is not complete without a discussion of the Cyber Space in which e-Governance and e-Commerce take place.
Our attention is usually drawn to “Cyber Security” when we hear about “Cyber Crimes”. Our first thought on “National Cyber Security” therefore starts with how good our infrastructure is for handling “Cyber Crimes”.
In the corporate sector, the focus of “Cyber Security” is more on “Information Security” and prevention of unauthorized access to the Corporate Information systems or denial of access to the systems by authorized persons.
The e-Governance and e-Commerce sectors, as well as the Individuals who use Computers and Mobiles, are also concerned about Cyber Crimes and how they affect them.
A question arises whether there is any role for the Corporate sector or the common Netizens in “National Cyber Security”. After all, the civilians normally are not required to go to fight at our physical borders and therefore are not very much involved in the national security process. Similarly, private sector companies also have only a peripheral role in the national security in the physical space.
The situation in the Cyber Space is however different. While we normally say that Cyber Space has no boundary, it also means that beyond the cyber space of every individual, there lies an international cyber space. Every time a Netizen sends and receives a data packet on the Internet, he is going out of the National Cyber Space and wandering in International Cyber space. There is therefore a far bigger role for individual civilians and the Corporate sector in the national Cyber Space security. Consequently, the strategy for National Cyber Space has to be different from that for the physical space.
Some Recent Incidents
If we reflect on some of the recent incidents of Cyber Security breaches, we can get an idea about how the security threats arise.
Recently, a Swedish security professional named Dan Egerstad created a sensation by finding out e-mail passwords of about 100 senior Indian Government officials, including several embassy officials and DRDO officials, and posting them on the Internet. The e-mail passwords gave access to confidential correspondence between the Government and the officials and could have some repercussions on national security. A matter of greater concern was the realization that any person with reasonable security knowledge could have accessed similar information earlier, and some of them could be terrorists who are trying to destroy our country.
Another incident of significance was the report that the website of one of the major Banks had been hacked and infested with malicious code that downloaded about 22 Trojans to any individual who visited the home page of the Bank. Some of these Trojans could be “Key Logger” Trojans, and the security of thousands of Bank customers was compromised due to the breach at the Bank’s server level.
A third incident of importance to occur recently was the dramatic demonstration of the power of SMS/Phone spoofing through websites. In a well-publicized TV programme, a Chartered Accountant from Ahmedabad showed how he could put through a call in the name of the home minister of the country to another minister.
A fourth incident of significance was the fact that the web server of the National Police Academy, Hyderabad was found to have been penetrated and a phishing website had been hosted on it.
Close on the heels of this incident, on the International scenario, it was reported that one ISP in Russia was making a business of hosting facilities for Cyber Criminals and over 50% of the global phishing sites had been hosted by the network. It was interesting to note that to use the services of this ISP, the privileged clients had to demonstrate a track record of “Identity Theft”. A question arises whether, in the interest of the Indian Netizens, the Indian State can take any action to stop this service provider from facilitating attacks on Indian Netizens. Their activity is no different from our neighboring countries hosting terrorist camps and training, for which we do discuss if we have a “Right of Hot Pursuit”.
These incidents indicate the high level of risk that Indian Cyber Space is encountering today. They also highlight the fact that the security professionals in the various organizations that have been attacked have failed in securing their networks and exposed the country to grave risks.
How Do We Respond?
Having observed such incidents, the next question that arises is: what is our response to them? Are we now wiser, and have we identified what remedial measures we need to take to prevent such incidents in future?
While the Government is expected to have its own resources to take protective measures, the common man when affected would run to the Cyber Crime Police stations for relief. Unfortunately, our Cyber Crime police stations have not been able to come up to the expectations of the public. Many times, the Police have refused to register cases and often made the complainant run from pillar to post to even lodge a complaint. The confusion arises since some Cyber Crime Police stations do not recognize any crime coming under IPC as Cyber Crimes even if they have been committed with the use of Cyber tools. They are under the false impression that they exist only to take care of offences under the Information Technology Act alone. The public is therefore losing faith in law enforcement’s ability to protect Cyber space.
Lack of Coordination between Security agencies
In the few cases where Cyber Crime cases have been initiated, lack of coordination between different Police stations has frustrated the investigation. In some cases when the investigation trail goes abroad, CBI is not coming forth with its own support and the investigations reach a dead end.
When Cyber Crimes are committed using mobile networks, it is often difficult to convince the mobile service providers that they are responsible for assisting the Police in the investigation. Many of them do not even recognize mobile crimes as Cyber Crimes and therefore fail to appreciate their legal obligations.
In the private sector, whenever crimes are reported, companies are more concerned about their own reputation than public good, and they do everything within their powers to avoid registering a complaint or enabling a proper investigation. This is particularly true of Bankers who hide any frauds that occur in their network for fear of losing public confidence.
The software developers in the country contribute in their own measure to the insecurity in the Cyber space by supplying software that has many security weaknesses and leaving it to future security patches to correct the bugs which they should have corrected at the beta level.
Some software developers hide under IPR claims to shield their source code and prevent the user from making a proper security assessment. Many security professionals believe that major software vendors deliberately keep a backdoor entry to the software for apparently legitimate purposes but with dangerous possibilities.
Threat in the Critical IT Infrastructure Security
Apart from the security threats that are visible in the above incidents, there is another lurking danger where our critical IT infrastructures such as the missile launching stations, the defense support IT systems, etc. could be under threat of an Electronic warfare. There are serious reports about China specializing in such Cyber Space warfare, which could be a potential threat to Indian security.
That there is a security threat to the country’s armed forces has already been recognized by many other countries. USA has been one of the first to set up a Cyber Space Command to assist its defense forces in defending against an external cyber threat and also enable USA to launch a cyber war on another country. Perhaps the US Cyber Command would now be thinking about neutralizing the Russian Business Network, which appears to be a global cyber crime node.
A recent seminar in Vietnam attended by many countries such as Australia, Malaysia, Singapore, etc. explored the need for National Cyber Security, and some of these countries are already in the process of developing a national cyber space security strategy.
In India, efforts in the direction of a national cyber security strategy are not yet visible. The Government of India has set up CERT-In as a division of the Ministry of Information Technology, which is being nurtured as the nodal security agency in India. NIC, which has been involved in many e-Governance projects and should be a natural choice for ensuring cyber security in e-Governance projects, does not seem to have made much progress. CDAC has been involved in certain research projects and is not in the forefront of strategizing a national cyber security plan. The private sector is concerned only with its need to get ISO certified. Nasscom is focusing on building a security organization for BPOs, which is in the early stages of planning.
There was one serious attempt to develop a national cyber security agency five years back, when Dr Abdul Kalam, before being elected as President of India, initiated the formation of the Society for Electronic Transaction Security, which later faded into the background.
A serious adverse consequence of an inadequate state response to a perceived national security threat is the emergence of private tech-savvy individual hacker groups who try to counter-hack foreign websites known to be inimical to the national interests. This “hacktivist” tendency however presents the danger of degenerating into Cyber Naxalism and needs to be regulated.
Components of the Security Plan
When we look at the National Cyber Space we need to look at the following different components of Cyber space since the security requirements of each of these segments may be different.
- Security of the Critical IT Infrastructure of the Government
- Security of e-Governance infrastructure
- Security against Cyber Crimes
- Security of Information in the industry infrastructure
- Security of Individual desktops/electronic devices
Analyzing all these efforts, it appears that the biggest challenge ahead of us is to develop a synergistic cooperation between different security organizations in such a manner that the national cyber space remains secured. If such a collaborative structure is to be built up then there is also the issue of whether it is feasible for the Government sector to join hands with the private sector with a common objective of securing the common cyber space. Effective Public-Private sector cooperation is therefore one of the key challenges to be faced in building the national cyber security infrastructure.
Towards Finding a Solution
In order to find a solution to the need for developing a national cyber security infrastructure, the following structure is suggested.
Under the suggested plan, the national cyber security infrastructure would be headed by a “National Cyber Army Command”. This would be equivalent to a fourth division of the defense forces, which consist of the Army, Navy and Air Force. It would however be different in the sense that it would also provide leadership to the other security agencies in the Cyber space. To draw an analogy, it is like the Army being also in charge of the Police outfits in the country. The concept would be a “Unified Command” for all Cyber Security requirements.
This National Cyber Army Command (NCAC) would supervise five main sub divisions. The first would be a “Critical Infrastructure Security Force”. This would cover the security requirements of the armed forces as well as select installations of national importance such as the nuclear power stations, rocket launching station, AIR and Doordarshan, etc. This subdivision will be the equivalent of the Cyber Command which USA has envisaged and will mainly have military objectives.
All other assets of the Government, such as the e-Governance support infrastructure, will come under “Non Critical Government Infrastructure” and its security may be handled by CERT-In. NIC may limit its role to provision of IT services.
In order to make the Cyber Crime Policing more effective, an Indian Cyber Crime Police (ICCP) Cadre should be created and all state Cyber Crime police stations should be merged into this all India police force. The officials in this cadre should have a separate career plan and should be professionally managed outside the political control of the state units. The CBI’s Cyber Crime unit should also be merged with the ICCP service, which should have its own police stations wherever required. Local police force and the ICCP should exchange support and help each other whenever required.
The above three sub divisions will operate in the public sector.
In the private sector, two subdivisions should be made: one for the industry infrastructure security and the other for the individual security. The industry level Information Security Managers should coordinate their efforts through an All India Federation of IS Managers. This should be a self regulating body such as the CII.
The individual desktop security should be driven by the initiatives of the private sector security product companies. Preferably the Information Insurance industry should be developed in India and a consortium of Information Insurers should drive the desktop security initiatives through appropriate incentivisation of security implementation.
Individual programmes to be undertaken by each of these sub divisions would include Education, Product development, Standardization and Certification, Regulatory measures etc.
In order to continue the debate further, it is suggested that a “Think Tank” be formed out of the expert participants of the Cyber Security Seminar who may develop a recommendatory note to be submitted to the Central Government within an appropriate time frame.
October 17, 2007