By Ajai Shukla
Business Standard, 22nd Jun 13
On August 15, 2012, in what Vanity Fair magazine dramatically termed “history’s first known cyber-war”, hackers calling themselves the Cutting Sword of Justice inserted a sophisticated virus called Shamoon into 30,000 computer hard drives in the headquarters of Saudi Arabian oil giant, Saudi Aramco. Shamoon wiped out all the data, leaving behind an image of an American flag on fire.
Most information that comes out of the super-secret world of cyber attack and defence is either misinformation or disinformation. But US officials and forensic analysts investigating the Saudi Aramco strike could not but wonder whether this was Iranian vengeance, visited on a key US ally. Two years earlier, unknown hackers (many suspect the US and Israel) had infiltrated a destructive computer worm called Stuxnet into the centrifuges that Iran uses to enrich uranium for its nuclear programme. The Stuxnet attack is believed to have disabled hundreds, if not thousands, of centrifuges, setting back Iran’s nuclear weapons programme.
Soon after the Shamoon attack, it became clear that Washington did not regard this as the work of amateurs. Speaking publicly in New York on Oct 11, 2012, then US Defence Secretary, Leon Panetta --- who had often raised the spectre of a “cyber Pearl Harbour” --- described what could happen in such an attack.
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
A key difficulty in responding to a cyber attack is identifying where it originates. Panetta claimed that the US had made “significant advances” in being able to do so. He also made it clear that cyberspace was a new battlespace.
“We defend. We deter. And if called upon, we take decisive action,” he said. “In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”
America is hardly the only one in this game, with China reportedly nurturing a sophisticated cyber warfare capability with which to target US computer networks as a part of its “asymmetric” strategy. In March, security consultancy firm, Mandiant, accused the Shanghai-based People’s Liberation Army (PLA) Unit 61398 of stealing commercial secrets from US companies. That month, Tom Donilon, President Obama’s National Security Advisor, charged that cyber attacks were “emanating from China on an unprecedented scale.”
India, however, has been slow in fixing its attention on cyber security. This may partly be because much of the country’s critical infrastructure --- power grids, public transportation, nuclear power plants, defence systems --- is controlled by manual systems, or by stand-alone computer systems that are not linked over the internet. In that respect, India’s infrastructural backwardness has proved a useful safeguard against cyber attack.
“It is not unusual to find New Delhi’s central ministry officials using unsecured email systems, sometimes even commercial email accounts on public servers. But India’s sensitive networks tend to be isolated, with no point of contact with the internet that would render them vulnerable to on-line hacking. Several agencies have their own, dedicated, secure optic fibre networks, notably the military; the Defence R&D Organisation (DRDO); and the police’s Crime and Criminal Tracking Network System (CCTNS), the national database that is being gradually rolled out,” says Praveen Swami, the Strategic Affairs Editor of Network 18.
But the government has understood that an ostrich-like response to the digital threat --- which is to have as little digitization as possible --- is not a viable, long-term strategy. The economic ministries are finding that volumes of data are becoming larger and larger. And the compulsion for more open governance, with public access to a growing mountain of information, requires the internet to be harnessed, mastered and adequately secured.
The growing threat
Although India’s day-to-day governance and infrastructure management is not heavily reliant on the internet, there is unease within government at the growing vulnerability of private internet users to cyber attack. According to figures that the government shared with Business Standard, India was the 10th most intensely cyber-attacked country in 2010-11; today, it is second only to the United States. With internet usage (including cellphones) rising dramatically --- from 202 million users in Mar 2010, to 412 million in Mar 2011, to 485 million in Mar 2012 --- India is now second only to China in the number of devices connected to the internet.
This makes users vulnerable. Intelligence sources say that, in the recent past, malicious activities against Indian networks have originated from hosts in 20 different countries: the US, Brazil, Nigeria, China, Iran, Russia, North and South Korea, Japan, Taiwan, Australia, Ukraine, Romania, Israel, France, UK, Netherlands, Germany, Poland and Pakistan.
“As India becomes more networked, we will become more vulnerable to cyber attack. Today, we are protected by virtue of being under-networked. As a networked country, coordinating between multiple agencies will become a growing challenge,” says a top government cyber security official.
The new cyber security framework
Under the National Security Advisor (NSA), the government has begun rolling out an expansive cyber security policy. This aims to create a secure computing environment and generate the high level of public trust and confidence in electronic transactions that is essential for a modern e-economy. The new framework is rooted in the Information Technology Act 2000, specifically Sections 43, 43A, 72A and 79, which require companies to comply with data security and privacy protection.
On May 8, the apex Cabinet Committee on Security (CCS) cleared a National Cyber Security Framework. Senior officials who are spearheading this effort describe it as a “multi-layered approach that ensures defence in-depth.” Put simply, that means making things difficult for a hacker: she must hack through successive layers of defences in order to breach the network.
In all this, the private sector has been allowed an unprecedented role in partnering government bodies. In July 2012, a Joint Working Group (JWG) was set up with representatives from both the public and private sectors, which considered how the private and public sectors could work together. On Oct 15, 2012, the JWG’s report was released by the NSA, laying out a roadmap for engaging the private sector and suggesting a permanent joint mechanism for private-public partnership. This JWG has been constituted, with representatives from private industry and the government.
Besides incorporating the private sector, the new policy also appears to have successfully bridged the federal divide between central and state governments. Unlike the National Counter Terrorism Centre (NCTC), which many state governments had opposed as an infringement on their federal autonomy, almost every state is cooperating whole-heartedly on cyber security. Nine states have already set up cyber security centres and South Block officials say many more are set to follow.
Overall responsibility for overseeing and ensuring compliance with cyber security policies is with the National Security Council (NSC) Secretariat. In addition, various stakeholders --- e.g. the Department of Electronics and Information Technology; the Ministry of Defence; the DRDO; the National Technical Research Organisation (NTRO) --- have been allocated specific roles in cyber defence.
Then there is the Indian Computer Emergency Response Team (CERT-In), with its network of sectoral CERTs, which is designated under the Information Technology Amendment Act, 2008, to act as the national custodian of information relating to cyber-security; issue forecasts and alerts; coordinate responses to incidents of cyber attack; and issue guidelines and advisories as required.
CERT-In is also required to conduct regular cyber security drills, within the country and bilaterally with other countries. The first national drill has been scheduled for August. CERT-In is also training “cyber security auditors”, who will then be empanelled and listed on a website, from where they can be hired by companies for auditing their cyber security readiness.
Preparing for the time when India’s power grids and transport systems are networked over the internet, a National Critical Information Infrastructure Protection Centre (NCIIPC) is also being set up.
To remain state-of-the-art in a field in which last week’s technology is already out-dated, a High Powered Committee (HPC), under the Principal Scientific Advisor to the government, will control a national R&D fund that will set priorities for research and indigenisation. Backing this up will be a Centre of Excellence in Cryptology, which will be set up in IIT Kolkata.
But the big question remains: is India’s cyber establishment purely defensive, or have our cyber czars begun creating the cyber-kinetic attack capabilities that can destroy enemy equipment and infrastructure --- assets that the US and China have painstakingly built? The head of the US Cyber Command, General Keith Alexander, has recruited thousands of computer experts, nerds and hackers, building up a military cyber strike capability that can reputedly paralyse a modern, networked country. But ask Indian officials about whether they are building such capabilities and you get a wry smile and the bland response: “You know we don’t do things like that.”
Big Brother is watching
Along with the initiative to protect computer networks, the government is also moving boldly into the sensitive realm of information monitoring. A recent Reuters report says that New Delhi has launched a massive surveillance programme, called Central Monitoring System, which is reportedly capable of monitoring all of India’s 900 million landline and mobile phone subscribers and 120 million internet users. The new system, which started rolling out in April, allows intelligence agencies to monitor and record phone conversations, read email and text messages, and track social media like Facebook, Twitter and LinkedIn.
Making the new system unusually draconian is the discretion it provides bureaucrats to approve requests for surveillance, which can be made by any one of nine government agencies, including the Central Bureau of Investigation (CBI), Intelligence Bureau (IB) and the Income Tax Department. With the union or state home secretaries permitted to approve requests for surveillance, this bypasses the traditional system of a court warrant being needed for monitoring a citizen.
That Indian intelligence agencies are already tracking Google searches is evident from Google’s Transparency Report, which reports that New Delhi sent Google 4,750 requests for user data in 2012, a figure exceeded only by Washington.
In the absence of a modern privacy law, India’s surveillance systems operate under the Indian Telegraph Act, 1885, which granted vast discretionary powers to the government to listen in to private conversations. Rajan Mathews, director general of the Cellular Operators Association of India, told Reuters: “We are obligated by law to give access to our networks to every legal enforcement agency.”
The recent exposé of the US government’s monitoring of communications through the so-called Prism project, and the worldwide outrage that it led to, highlighted an increasingly vociferous debate over cyber security: between security on the one hand, and privacy and civil liberties on the other.
“Given the security threats today, I will grudgingly accept that some monitoring is necessary,” says a lady who lives in Mumbai, a city that has seen multiple terror attacks. “But I want my privacy protected. I want tight safeguards on the data that agencies collect. How long will they keep it? What will they do with it? I may not be doing anything wrong, but I don’t want anyone to know that the first thing I do when I wake up in the morning is call my fruit-vendor and ask him to send across a papaya! It’s a simple question of privacy.”
Meenakshi Ganguly, the South Asia Director of Human Rights Watch, points out that Indian agencies tend to leak data that should remain private. “There is always the danger of private data and conversations going out to unauthorised recipients. A central monitoring system is vulnerable to misuse. An innocuous comment can be interpreted as a threat to someone or something; and we have seen that the response of the state can be ugly,” says Ganguly.
The often ham-handed response of the state was visible in the case of Ilina Sen, the wife of civil rights activist Binayak Sen, whose email to the Indian Social Institute (ISI), a research body set up by Jesuit priests, was recovered from Binayak Sen’s computer. But Chhattisgarh Special Prosecutor, TC Pandya, deposed in court that Ilina Sen had linkages with Pakistan’s Inter-Services Intelligence (ISI), little caring for truth or reputation.
“We need a new set of very tight laws. If we are going to live with surveillance, we need an internationally accepted protocol that protects the public from misuse of data. Unless that comes into place the central monitoring system will be misused by apparatchiks,” says Ganguly.
“There is also the argument that the threat of a cyber attack is deliberately over played. So far, even in the highly-networked West, no major incident has ever been caused by a cyber crime. There is definitely an element of hype in scenarios of terrorists hijacking a nuclear power plant… it is far-fetched. So there is a need for balance,” says Swami.