3.

Issues in cyber security and steps to tackle it

What
While rapid technological developments have provided vast areas of new opportunity and potential
sources of efficiency for organisations of all sizes, these new technologies have also brought
unprecedented threats with them. Cyber security – defined as the protection of systems, networks
and data in cyberspace – is a critical issue for all businesses, governments, individuals and
organizations.

Cyber risks can be divided into three distinct areas:

Cyber crime
Conducted by individuals working alone, or in organised groups, intent on extracting money, data or
causing disruption, cyber crime can take many forms, including the financial and intellectual
property fraud, impairing the operations of a website or service, child pornography, internet stalking
etc.

Cyber war
cyberspace as a fifth potential theatre of war along with land, sea, air and space. A nation state
conducting sabotage and espionage against another nation in order to cause disruption or to extract
data.

Cyber terror
An organisation, working independently of a nation state, conducting terrorist activities through the
medium of cyberspace.

Indian context
The issue of cyber security in India needs to be contextualised in terms: Internet users; move
towards increased digitisation and access to the internet; increasing cyber attacks on India and
strategy in place.

Rise in internet usage: India today has more than 300 million internet users. But penetration(
percentage of population) is still low at only 19%.

The internet and other forms of networking have been put to several uses including providing
financial services, for networking critical infrastructure such as air traffic control, satellite
networking, welfare programmes, information sharing at all levels, communications and more.

There has been an increasing thrust on e-governance, seen as a cost-effective way of taking public
services to the masses across the country. Critical sectors such as Defence, Energy, Finance, Space,
Telecommunications, Transport, Land Records, Public Essential Services and Utilities, Law
Enforcement and Security all increasingly depend on NWs to relay data, for communication purposes
and for commercial transactions. The National e-governance Program (NeGP) is one of the most
ambitious in the world and seeks to provide more than 1200 governmental services online.
Under the digital india mission, there is an effort to transform the country into a digitally
empowered knowledge economy. It Includes various schemes like Digital Locker, e-eduction, e-
health, e-sign and national scholarship portal. BharatNet in 11 states and Next Generation Network
(NGN), are also a part of Digital India campaign. The programme includes projects that aim to ensure
that government services are available to citizens electronically and people get benefit of the latest
information and communication technology. The Ministry of Communications and IT is the nodal
agency to implement the programme.

2014 saw a 136 percent increase in cyber threats and attacks against Indian government
organizations and a 126 percent spike in attacks targeting financial services organizations. According
to Symantec’s 2013 Norton Report, by July 2013, sophisticated cyber assaults like ransomware and
spear-phishing has cost Indian individuals and companies some $4 billion. In 2012, cyber attacks
were reported on the Indian Navy’s Eastern Command systems. The Eastern Naval Command
oversees the maritime activities in the South China Sea, as well as the development of ballistic
missile submarines.

Twin challenge: In cyberspace it is very easy for an attacker to cover his tracks and even mislead the
target into believing that the attack has come from somewhere else and unlike the national territory
or space that is being defended by the land, sea and air forces is well defined. Outer space and
cyberspace are different. They are inherently international even from the perspective of national
interest. Moreover, a key part of this space, the global Internet system, is still under the control of
one country (the US) .
The strategy communicated to the public involves the following focus areas1:

 Preventing cyber attacks against the country's critical infrastructures

 Reduce national vulnerability to cyber attacks
 Minimise damage and recovery time from cyber attacks
The stakeholders involved in handling cyber security include:

(1) National Information Board (NIB);

(2) National Crisis Management Committee (NCMC);

(3) NSCS;

(4) Ministry of Home Affairs (MHA);

(5) Ministry of Defence;

(6) DIT;

(7) DoT;

(8) National Cyber Response Centre (NCRC);

(9) CERT-In and sectoral CERTs-In

1
http://deity.gov.in/content/strategic-approach
(10) National Information Infrastructure Protection Centre (NIIPC);

(11) National Disaster ManagementAuthority (NDMA).

The agencies will be involved in setting up of our own ‘cyber security architecture’ that will comprise
the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing
among stakeholders, the Cyber Operation Centre that will be jointly run by the NTRO and the armed
forces for threat management and mitigation for identified critical sectors and defence, and the
National Critical Information Infrastructure Protection Centre (NCIIPC) under the NTRO for providing
cover to ‘critical information infrastructure’.

CERT-In is mandated under the IT Amendment Act, 2008 to serve as the national nodal under the
Ministry of communications and Information Technology agency in charge of cyber security. It is
tasked with security of national assets and now protects cyber assets in non-critical areas as well.
NDMA and some others play only a peripheral role; and many of the sectoral CERTs are yet to come
up.

Issues

Vulnerability of critical infrastructure- Electricity, Rail, Air services, Telecommunications, Satellite

networks, Health and financial services, defence networks form the core of the critical infrastructure
in the country- infrastructure whose disruption has a massive national and individual cost.

Misuse of the law: The ITAct of 2008 covers all actions in this domain. Sections 69, 69A and 69B contain
provisions for intercepting, monitoring or blocking traffic where, amongst other reasons, there is a
threat to national security and section 70Acovers protection of critical infrastructure.

However, Section 69 and 69 A and B have been criticised owing to their adverse implications on the
right of privacy (a corollary of Art. 21) and freedom of expression (Art. 19).

While the threat of cyber-terrorism might be very real, blanket monitoring of traffic is not the way
forward to get results, and may prove counter-productive. Instead, targeted monitoring is advisable.

Section 69: empowers the Government or agencies to intercept, monitor or decrypt

any information generated, transmitted, received or stored in any computer resource, subject to
where it believes that this content threatens the security of the State; the sovereignty, integrity or
defence of India; friendly relations with foreign States; public order; or to prevent incitement for the
commission of a cognisable offence relating to any of the above.
Section 69A of the IT (Amendment) Act, 2008, allows the Central Government to block content
where it believes that this content threatens the security of the State; the sovereignty, integrity or
defence of India; friendly relations with foreign States; public order; or to prevent incitement for the
commission of a cognisable offence relating to any of the above.
Section 69B discusses the power to authorize to monitor and collect traffic data or information
through any computer resource.
Inadequate capabilities: India’s official cyber security workforce comprises a mere 556 experts
deployed in various government agencies. How inadequate is India’s cyber security manpower can
be gauged by the fact that China has 1.25 lakh experts.

The Indian government budgeted just $7.76 million for cyber security in 2013, compared with at
least $751 million spent by the U.S. government on its cyberspace programs.

Training in cyber security at university level had been neglected until recently.

Apart from a smattering of police stations in the country staffed by policemen trained in cyber
forensics and cyber investigation, there is a major lack of a police force equipped to deal with cyber
crime and cyber terror.

Vulnerability to an Information war (IW) waged by India’s rivals such as China- India has been the
target of cyber attacks by individuals traced back to Chinese IP addresses. There is also concern in
the Indian defence establishment that use of Chinese hardware and software in Indian ICT may be
prone to hacking by Chinese state sponsored ‘hacktivists’ – case in point is the directive issues by the
Indian Airforce issuing a high alert against Xiaomi smartphones- which was suspected to transmit
data on the handset to their servers in China without the users knowledge. This information can
then be potentially accessed by Chinese intelligence agencies.

The way forward

Strengthen the inter-ministerial coordination arrangements for cyberspace security under the
National Security Adviser (NSA)2.

The case for a new Cyber Command in the structure of the defence forces to manage cyber defence
and cyber warfare.

Implementation of the National Cyber Security Strategy, that identifies following major actions and
initiatives for user awareness, education, and training:

 Promote a comprehensive national awareness program

 Foster adequate training and education programs to support the Nation's cyber security
needs
 Increase the efficiency of existing cyber security training programs and devise domain
specific training programs (ex: Law Enforcement, Judiciary, E-Governance etc)
 Promote private-sector support for well-coordinated, widely recognized professional cyber
security certifications.
In this vein, we must:

Focus on increasing cyber security awareness on the part of computer users, system/network
administrators, technology developers, auditors, Chief Information Officers (CIOs), Chief
Executive Officers (CEOs), and corporates.

2
http://www.idsa.in/book/IndiasCyberSecurityChallenges
Create a multi-level certification programs for cyber security professionals complicate the
task of addressing cyber vulnerabilities.

Adopt Public-private partnerships (PPP) for information security in identified sectors dependent on
the use of IT.

Introduce legislative measures to handle the special features of crime and security in cyberspace.

Focus on training and R&D- Since indigenous R&D is an essential component of national information
security measure due to various reasons- a major one being export restrictions on sophisticated
products by advanced countries. Second major reason for undertaking R&D is to build confidence
that an imported IT security product itself does not turn out to be a veiled security threat.

Creation/augmentation of Sectoral CERTs: For an effective National Cyber Security Alert System,
there is a need to create sectoral CERTs to cater to the very specific domain needs of different
sectors. In this direction sectoral CERTs have been established by Army, Air force and Navy in the
defence sector.

Diplomatically push for an international convention on cyberspace, because national defence and
international cooperation are inevitably intermeshed. This means that a country's government must
ensure coherence between its security policy and the diplomatic stance taken by it in multilateral
and bilateral discussions on matters like Internet and telecom governance, human rights related to
information freedoms, trade negotiations on infotech services, and so on.

Capacity building all around to cope with a potentially crippling shortage of qualified personnel