Thursday, 13 June 2013

Government rolls out cyber security framework

By Ajai Shukla
Business Standard, 13th Jun 13

As Delhi prepared for the closing ceremony of the Commonwealth Games on Oct 14, 2010, Indian cyber security analysts carefully monitored metadata trends for any signs of a cyber attack that could disrupt the high-profile ceremony, or throw city infrastructure like traffic lights out of gear. Already, during the course of the games, more than 8,000 cyber attacks had been detected and defused. At noon, analysts detected a spike in malware (malicious software) and found that it came from a computer in the “Games Control Room” at the Ashok Hotel, which it had entered disguised as pornography. Unable to neutralise the malware on line, a physical raid was launched on the Ashok Hotel, the offending computer taken off the network and the closing ceremony went off unimpeded.

At that time, in 2010-11, India was the 10th most heavily cyber-attacked country; today, it is second only to the United States. With internet usage rising exponentially --- from 202 million users in Mar 2010, to 412 million in Mar 2011, to 485 million in Mar 2012, India is now second only to China in the number of devices (including cellphones) connected to the internet.

This also makes India uniquely vulnerable. Intelligence sources say that, in the recent past, malicious activities against Indian networks have originated from hosts in 20 different countries: the US, Brazil, Nigeria, China, Iran, Russia, North and South Korea, Japan, Taiwan, Australia, Ukraine, Romania, Israel, France, UK, Netherlands, Germany, Poland and Pakistan.

Emphasising the amorphous nature of cyber attack, sources clarify that they could have been routed through those countries without the hosts even being aware of this activity. During the same period, several attacks abroad were detected as originating from hosts located in India.

Now the government is rolling out an extensive policy, which the union cabinet cleared on May 8. This consists of a National Cyber Security Framework, which broadly empowers the government to create a legal and structural framework. Based on this, a National Cyber Security Policy lays out the ground rules in a more specific manner. The aim is to facilitating the creation of a secure computing environment in which users can enjoy a level of trust and confidence in electronic transactions.

The new framework is rooted in the Information Technology Act 2000, specifically Sections 43, 43A, 72A and 79, which enjoin companies to comply with data security and privacy protection. It provides for multi-layered protection, with responsibility allocated to various stakeholders, including the Dept of Electronics and IT; Ministry of Defence; Defence R&D Organisation; and the National Technical Resource Organisation. The National Security Council Secretariat will ensure compliance of cyber security policies

Government IT officials say that the new policy has successfully straddled the spectrum of users, including central and state governments, public private entities, academia and private users. Unlike with the National Counter Terrorism Centre (NCTC), which many state governments opposed as an infringement on their federal autonomy, the states have cooperated without reserve on cyber security. Already nine states have set up cyber security centres.

“As India becomes more networked, we will become more vulnerable to cyber attack. Today, we are protected by virtue of being under-networked. As a networked country, coordinating between multiple agencies will becomes a growing challenge,” says an official who works on cyber security.

New Delhi has increasingly focused on cyber security, given the threat from China-based hackers, who many people believe are directly linked with the Chinese military. In March, security consultancy, Mandiant, accused the Shanghai-based People’s Liberation Army (PLA) Unit 61398 of stealing commercial secrets from US companies. That same month, Tom Donilon, President Obama’s National Security Advisor, charged that cyber attacks were “emanating from China on an unprecedented scale.”

“Hostile cyber entities map our systems daily. They scope us out, check the effectiveness of our safeguards and see how good our reactions are. That is why we need a strong framework,” says the cyber security official.

To ensure the system’s readiness, the Computer Emergency Readiness Team (CERT) --- an umbrella body that will oversee cyber-protection --- will conduct regular cyber security drills, at the national level and bilaterally with other countries. The first national drill is scheduled in August.

In addition, CERT is training “cyber security auditors”, who will be empanelled and listed on a website, from where they can be hired by companies for auditing their cyber security. In addition, the government has set up a website --- --- that ordinary citizens can access to ensure that their personal computers are free of malware.


Anonymous said...

So the summary of the news is - As long as officials search for pornography there remains a high chance of getting virus or malware.

Anonymous said...

control room... for what... what kind of games... really... govt should look... what they pay babus for... know why unions for... zero productivity...

Anonymous said...

It's beggars belief that some of the Union State wheel out infringement of State autonomy and at the same breath when a terrorist strike take place they are the first to point finger at the Centre Gov. The set up of NCTC is not welcome for what ever compulsion they have,it smacks of amorphous attitude that's pervasive in Indian politics.

joydeep ghosh said...

@Ajai sir

before the GOI readies to fight cyber attacks it needs to confront the other govt. who are cyber snooping on us. Like the case of US cyber snooping that has been leaked by a man named Edward Snowden which reportedly says India was one of the biggest targets of US cyber snooping.

I consider it as a cyber attack on our IT system. First we need to curtail these kind of snooping then only can we think of effectively controlling malware cyber attacks.


Joydeep Ghosh

Andy said...

Dear Ajay sir,
We do not need a Cyber attack to disrupt Traffic Lights in Delhi. They hardly work outside the "Lutyens Delhi". It is matter of great shame that we have ambitions of becoming a "Regional Power" but can not even have Traffic Lights working in the nation's capital.

K1pt said... is NOT a Indian government website.

The correct address is:

Just FYI

Anonymous said...

Its not the policy but the implementation that matters.
India has some of the most comprehensive policies in many areas
of governance but little oversight
and follow through. The fact of the
matter is that if a sophisticated actor
wants to hack into Indian networks
there will be nothing preventing them.
Lets start with that basic assumption
and secure our infrastructure around it. For example, assume China has access to
everything stored on any computer in India. Then use other means like
encryption to secure it.

fouji brat said...

Well Said Ajay.... But only issue is can rule and regulations protect anything/.....

Unless the population of this country is conscious nothing can be implemented... see for the instance mentioned by you of the porn like material in Ashok hotel....