INDIA IS looking to slaughter the lamb when the lion’s eyes are trained on its own guts. That’s the feeing one gets after going through the Centre’s Information Technology (Intermediaries guidelines) Rules, 2011, and its decision to move a UN resolution seeking the creation of a 50-nation superbody to regulate the Internet. Both come at a time when India’s critical infrastructure and government servers are being attacked daily by hackers who leave no footprints but a big trail of destruction.
Worries about cyber security made headlines after MoS Communications and IT Sachin Pilot told Parliament on 14 March that 133 government websites, including that of the Planning Commission, finance ministry and state governments, had been defaced by unknown hackers.
Pilot was only referring to website defacements, which don’t pose security threats but leave a lot of red faces. The attacks on critical assets such as power stations, traffic lights, airports, water supply, Metro rail and nuclear plants still remain a blind spot with India finding itself incapable of defending them from debilitating hacks.
On 24 April, Defence Minister AK Antony, who was already staving off reports of India’s under-preparedness in the battlefield, reminded the three chiefs of staff that “another dimension in the form of communication technology is being misused by anti- nationals. The services need to be fully aware of the implications and put in place security systems and standard operating procedures to counter such threats”.
A week later, Home Minister P Chidambaram said at a NASSCOM event on cyber security: “We have taken numerous steps to protect physical infrastructure. I think all that we have done to protect the infrastructure in the physical space seems to be a lighter task compared to the threats that have been outlined in the cyberspace.”
On 16 May, National Security Adviser (NSA) Shivshankar Menon reiterated the same fears at an event organised by the Institute of Defence Studies and Analyses. Trying to flag the issue of India’s preparedness in facing cyber attacks — warfare, terrorism, espionage or critical infrastructure threats — whose intensity and reach are increasing by the day.
“India is staring down a double-barrelled gun,” says an analyst with the Indian Computer Emergency Response Team (CERT-IN). “On the one hand, the intrusions into our critical networks are growing phenomenally in which even India’s intelligence agencies are not spared. On the other hand, the government has very little ingenious talent to bank on to understand and counter the threat.”
The gravity of this dual-faced crisis was revealed by an embarrassing hacking that created a mini diplomatic crisis between the US and India earlier this year. Documents allegedly of India’s Military Intelligence (MI) were leaked online by a hacker group called Lords of Dharmaraja. The leaked memo purportedly showed how the MI was snooping in on confidential documents related to US-China trade relations, and triggered an investigation by Washington into the role of MI hackers. However, the US probe concluded that Chinese hackers had used the name of an Indian god of death to morph information stolen from American foreign office onto letterheads of the MI in a bid to embarrass New Delhi.
Indian agencies had little clue of who had taken the MI for a ride. That underscored the nature of attacks — not only are cyber attacks being used to harm critical infrastructure but they are also being used to create chaos in the otherwise non-impulsive nature of foreign relations.
The second aspect of the looming crisis pointed out by cyber experts is the extreme lack of consciousness in the government to groom ethical hackers in offensive tactics and give them a career path free from the rigid bureaucracy that inhibits the flexibility required for such a job. The shortage came to the fore when the Ministry of External Affairs instructed Indian embassies in March to hunt for foreign security firms that could be acquired along with their Intellectual Property Rights (IPR) by Indian companies. It has also been suggested by NSA Menon that a special fund to finance these acquisitions be set up so that the IPR that is acquired can be manipulated and retro-fitted by Indian security agencies to design their own offensive and defensive capabilities.
That the government has little confidence in its own abilities despite the fact that our human resource potential in IT is one of the best in the world did not surprise many. Agencies such as the National Technical Research Organisation (NTRO) and CERT-IN are also in need of an urgent revamp to attract bright talent. NTRO is embroiled in a bitter court case filed by former director VK Mittal. A confidential CAG report has blamed NTRO for irregularities in recruitment and pointed to a Rs 450 crore scam in the purchase of intelligence equipment. Many young professionals are disillusioned by the bureaucratic dogfights and want to move out before they are inadvertently caught in the inter-departmental crossfire.
NASSCOM had pointed out in its report ‘Securing Our Cyber Frontiers’ how the UK, Japan and Australia had dedicated programmes, including competitions, to source young talent and put them at the forefront of their strategies for a cyber war.
Like in the West, the distinction between private and government networks are blurring. With an increasing number of private players controlling critical infrastructure like airports, power supply and sewage networks, the government is now tasked with not just shoring up its own defences but also making sure that private players comply with stringent protection norms so as to stave off attacks from hostile nations.
THE INDIAN defence forces are also being asked to shore up their cyber capabilities. In particular, the Indian Army, which is moving towards networked combat with its Project Shakti and Army Wide Area Network that aim to synchronise battalions and artillery systems. A hostile hack into these networked systems would make the army’s network-centric war strategy come to a naught.
“A cyber command within the defence forces with cyber warfare capabilities should be established,” suggests the NASSCOM report. “Appreciating that cyberspace is offence-dominant, the cyber command should be equipped with defensive and offensive weapons, and manpower trained in cyber warfare. The command needs to build capabilities in countering cyber espionage, and deny the enemy any benefits if it succeeds in breaking defences.”
India can take heart from the fact that finally someone has spoken about the need to build our cyber offensive capability. NSA Menon acknowledged that cyber capabilities had negated conventional imbalances by introducing asymmetry in the rules of modern warfare.
“In the name of defence, all major powers are developing offensive cyber capabilities as well as using cyber espionage,” he says. “So are smaller powers who see this as an equaliser. One estimate suggests that 120 countries are developing cyber warfare capabilities. Even small groups and individuals are using it to meet their own ends and India often gets unwelcome attention from such people. India is in the process of putting up capabilities and systems that will enable us to deal with this anarchic world of constant cyber threat, attack, counter-attack and defence.”
However, this has not yet dawned on India’s political class, which considers “malicious content” from its own freeminded netizens as an internal security threat when the real danger lies beyond our borders and is constantly hurting the nation silently. One would rather tolerate a jibe on Twitter than be stuck underground in Delhi Metro just because some hostile Chinese hacker decided to take the centralised control systems for a spin.