In July 2011, the Government of India made a major move towards strengthening its cyber security regime. It signed an agreement with the United States to establish best practices for the exchange of cyber security information.With 2012 being pinned as the “year of war against cyber crime” by The Economic Times, it’s time for India to ramp up and prioritize policies, investments, and education to defend the nation against the threats of a new age of interconnectedness and innovation.
The memorandum was a good early step in developing a broad policy for India aimed at thwarting cyber threats, particularly in the realm of international collaboration. However, neither institutions nor individuals in India currently adhere to any Internet safety standards because none have been put in place. Thus, it has been an easy target for a multitude of cyber attacks, espionage and thievery from parties abroad. On the very same day the memorandum was signed, news reports were critical of Indian officials’ use of public server email addresses such as Gmail, Hotmail, and Yahoo for government business. Such a lax attitude towards the security of government information is appalling. Strong measures against data vulnerability, as well as risks to businesses and critical infrastructure, must be made a national priority at this time.
An April 2010 report jointly published by Canada’s Information Warfare Monitor and the United States’ Shadowserver Foundation, titled Shadows in the Cloud, documented that attackers “systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and other countries.” The study highlighted the extent to which Indian digital borders were penetrated. It found theft of classified documents belonging to the Indian government, two were marked “SECRET,” six marked “RESTRICTED,” and five marked “CONFIDENTIAL”. Of the 44 computers from which stolen data was recovered, 40 were located in India. The researchers traced the attackers’ location to Chendu, People’s Republic of China. These Canadian findings are a prime example of intelligence that India should have procured through its own initiatives or collaborative efforts.
While intentions to develop firmer barriers have existed for some time, there is a major disconnect between these objectives and the actual implementation of strategies. This inconsistency is a multifaceted problem in India, with lack of awareness about the dangers of cyberspace and no real centralization of risk management playing a large role in India’s vulnerability.
Academics and other experts have had their eye on how the cyber risks have changed and become more threatening. “We must realize as a nation that attack modes are beginning to evolve from purely a financial motive to probably national security interests where countries have actually considered the option of employing cyber security as one of their frontline tools for use as an attack vector,” said Debasis Nayak, director and co-founder of the Asian School of Cyber Laws in Pune.
India’s national security is very much dependent on the proper development of its infrastructure. Platforms that control operations like Supervisory Control and Data Acquisition (SCADA) networks build a space for hackers to wreak harm. One such SCADA attack was the notorious Stuxnet worm, which temporarily seized Iran’s nuclear centrifuges. “Incidentally, Stuxnet also infected systems in India but did no damage,” Nayak said in an interview. “This means the payload was designed for a very specific purpose. But we are already seeing a variant of Stuxnet called DuQu, which is supposed to be more generic than, and not as targeted as, Stuxnet was.” India’s critical stage in infrastructural development opens a tempting window for cyber criminals to infiltrate networks.
Transportation is another critical link. On February 8, 2012, the Indian Association of Multimodal Transport Operators signed an agreement with the Antwerp Port Authority to create an e-platform for information exchange, making port communication more efficient. If these networks are not properly protected, hackers can disorganize and disrupt trade and logistics at the port of entry, which is a threat to national security. India’s significant investment in energy and transport, undertaking projects like the Delhi-Mumbai Rail Freight Corridor and high-speed trains, highlight the need for protocol. Inadequate security in the operations of these industries could not only unleash catastrophes such as power outages, fuel spills, and explosions, but could deter investment, hindering India’s growth.
India is struggling with its cyber security operations because authority is so diffused. Venkatraman Rajendran, Senior Vice President of the Cyber Society of India, argues that the lack of cooperation and communication between other institutions – Central Bureau of Investigation, Research & Analysis Wing, police officials in various distracts – leads to improper functioning and incidents not being reported to CERT-In (Indian Computer Emergency Response Team), the officially designated agency to combat cyber crimes.
What should India do? Here are five recommendations:
- Consolidation of authority – Currently, efforts to identify and thwart cyber threats are disorganized. India should establish a central agency or division within the Ministry of Defence to oversee all aspects of cyber security for the government, military, and the private sector. It is also imperative that the designated agency comprises highly-competent, properly trained experts with access to cutting-edge research. They must be abreast of the latest developments on how enemies could use the newest attack vectors to carry out cyber warfare and espionage.
- Appointment of a cyber leader – There should be a single individual whose responsibility it is to coordinate and ensure the implementation of cyber policies and programs. This leader would work with the Ministry of Defence (or the designated agency) in setting a budget and priorities for ensuring national cyber security.
- Public-private cooperation – Government officials must communicate with private sector companies to deal with concerns about the standards for information security and how burdensome they may be on smaller businesses. One idea proposed in the U.S. has been that the U.S. Congress could formalize the public–private partnership by creating a non-profit corporation (akin to the American Red Cross and the Millennium Challenge Corporation).
- Global partnerships – As it’s evident that the impacts of attacks are often not limited to the targeted country, an international cyber security policy is necessary. India should seek out alliances with like-minded nations committed to freedom, peace, and prosperity to fight against hostile parties in cyber space. The US and the EU would be good partners for intelligence sharing. And there should also be a focus on working cooperatively thorough existing bilateral partnerships such as Japan.
- Educating the public – There should be a national awareness campaign to educate the public on cyber threats and the need for secure networks. The increasing use of mobile phones has made cyber security a vastly larger issue. With mobile e-commerce becoming the next frontier in India, much greater attention is needed to educate both businesses and consumers on their personal vulnerability to cyber crime.
Networks are only as safe as the people who use them. India’s government and its citizens should be equipped with the know-how to prevent, detect, and engage cyber threats.
Chaya Babu is a freelance writer based in Mumbai.
Edited by Samir N. Kapadia, researcher at Gateway House: Indian Council on Global Relations, based out of Mumbai, India.
This article was exclusively written for Gateway House: Indian Council on Global Relations. You can read more exclusive content here.
For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in.
© Copyright 2012 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.