DIA and NTRO to head offensive cyber warfare Wing of India

[Sridhar]

Published July 3, 2012 | By admin

SOURCE: VOM

India is set to take steps to protect its cyber infrastructure and designate agencies for carrying out offensive cyber attacks on other countries. The move comes at a time when proof shows countrieslaunching cyber attacks — not only for intelligence gathering — and many nations describing the attacks as an act of war.

According to sources, the National Security Council (NSC) headed by Prime Minister Manmohan Singh would soon approve the comprehensive plan and designate the Defence Intelligence Agency (DIA) and National Technical Research Organization (NTRO) as agencies for carrying out offensive cyber operations, if necessary. All other intelligence agencies would be authorized to carry out intelligence gathering abroad, but not offensive operations, sources said.

The detailed policy for national cyber infrastructure protection is presently before the NSC awaiting its approval. The policy would identify all government agencies that would have a role in the protection of Indian cyber infrastructure and define their roles. The move to not just define defensive mechanism but also designate agencies for offensive operations comes as New Delhi tackles repeated waves of cyber intrusions, though all of them are aimed at gathering information from critical networks. But the next stage, of an adversary carrying out offensive cyber attack, of bringing down a power grid, stalling air traffic control systems, or manipulating controls of a dam are now believed to be a real possibility.

Stuxnet, the cyber worm created by US's National Security Agency and Israeli military and specifically targeted at Iran's nuclear enrichment center at Natanz, was found to have infected Indian systems. "It was probably unintentional, but an intentional attack on India's critical infrastructure cannot be ruled out," says a senior official. "We haven't yet seen a cyber attack, but only intelligence gathering. An attack that can debilitate our infrastructure is what we must be prepared for," he said.

CERT-IN (Computer Emergency Response Team India) would be responsible for protection of most of the cyber space, while NTRO would be tasked to protect the critical infrastructure such as important government networks. NTRO would be tasked to create the National Critical Information Infrastructure Protection Centre (NCIPC), which would be a command-and-control centre for monitoring the critical infrastructure. It would be a round-the-clock centre, providing real time response to cyber security breaches.

The proposal before NSC also envisages creation of sectoral CERTs in order to respond quickly to protect power distribution networks, Air Traffic Controls, traffic networks and other areas that heavily dependent on networked systems, and thus are susceptible to attacks. The policy suggests that the defence forces would be responsible for their own networks' protection. NTRO and Intelligence Bureau (IB) would primarily be responsible for security of various government networks. While NTRO would operate through NCIPC, IB would be mainly looking at the physical security of networks. State polices, CBI, NIA etc would be tasked to do follow up action, if any intrusions are detected.

DIA and NTRO to head offensive cyber warfare Wing of India | idrw.org

 

[Oracle]

I doubt this would be as effective as other countries like the US. Security professionals cost a lot. How much would the GoI pay, that people from this domain would leave IT jobs? I am not sure, but the Govt. need to loosen the purse. It was during 2009-10, that IT professionals in US started getting e-mails like 'Want to do a fully paid M.S.', something like that. This was a US Govt. initiative where-in they choose people from the IT industry, fund their M.S. in return for a 2 year bonded stint with US Cyber Warfare Agencies.

 

[sayareakd]

well people you can get receuitment from here, may be on part time basis.

 

[Oracle]

well people you can get receuitment from here, may be on part time basis.

What do you mean?

 

[sayareakd]

What do you mean?

O they will recruit you for your skills for part time basis.

 

[spikey360]

Oracle is right. There are great doubts with the efficiency of this supposed governmental agency/team. The announcement of their existence is a failure on the part of GoI to keep their mouths shut. Not sure why such an announcement was made if they will be doing covert warfare anyway.
Secondly, one doubts if they will be able to attract the brightest minds on the game. Not everyone is motivated by money, certainly not the best talents in the world. Their motivation comes mainly from how difficult the challenge is, I think. This country has never been able to pursue an aggressive policy in any sphere irrespective of which party is at helm. Therefore it is highly doubtful that on the issue of political questions like 'Should we go on and make the effort to cripple Pakistani/Chinese nuclear reactors' or 'Should we create a honeypot to lure Jihadis online' will never be answered by the political masters and they'll go on pussyfooting forever.
Furthermore, one can tell from experience that internal bickering and corruption forms a vital part of any governmental agency, it is debatable if CERT will be free from that.
And don't even get me started on the question of reservation in these kinds of organisations.

 

[Oracle]

O they will recruit you for your skills for part time basis.

Let me be humble when I say this. I work for money, not peanuts. GoI can't afford me. Plus I do not want to get sucked in a corrupt way of life.

 

[Bhadra]

DIA is the correct agency.
Just a clue.

IA, IN and IAF combined have twice the numbers of elctronics and IT qualified professional than WIPRO and INFOSYS combined !!

Well, it would depend how one motivates the team. No one excels as an underdog .

 

[Oracle]

IA, IN and IAF combined have twice the numbers of elctronics and IT qualified professional than WIPRO and INFOSYS combined !!.

I am no fan of sweatshops, but this analogy is wrong, until you prove me with credible sources.

 

[Bangalorean]

Agree with Oracle. I don't see the GoI being able to get the right kind of people to do this stuff. Even companies find it tough to recruit talent today - GoI has no idea of the realities.

They are better off outsourcing the whole effort to some Indian company.

 

[agentperry]

as if we have some other tom dick and harry agency for doing the same. what they are doing right now they will go on doing it tomorrow also but just with new SLOGAN and GEARS

 

[Yatharth Singh]

I doubt this would be as effective as other countries like the US. Security professionals cost a lot. How much would the GoI pay, that people from this domain would leave IT jobs? I am not sure, but the Govt. need to loosen the purse. It was during 2009-10, that IT professionals in US started getting e-mails like 'Want to do a fully paid M.S.', something like that. This was a US Govt. initiative where-in they choose people from the IT industry, fund their M.S. in return for a 2 year bonded stint with US Cyber Warfare Agencies.

Students passing out from IIT`s and NIT`s and various institutions can be selected via campus selection process after various tests and trials. But again for that they have to be paid 'enough' to take off and employ the 'creamy layer'.

 

[Yatharth Singh]

There is no doubt over the extraordinary talent of the upcoming generation in the field of Cyber Attacks and its Defence. I guess this is one single field where the experience of old Babus and venerable scientists stands nowhere.

And with dedicated training and paid salaries, atleast I wouldnt even try to mess with them ever. Not over networking.

 

[ejazr]

Scathing criticism by Karnaud on the NTRO's role in cyber warfare


Cyber Neanderthals | The Asian Age
The news story about the Chinese hacker corps getting into the computer systems of the Eastern Naval Command (ENC) and stealing information related to the Arihant nuclear submarine came as no surprise. Like everything else they do, the Chinese are thorough in casing out likely adversaries as part of their military preparedness regime.

The senior echelon in the government had been warned through unofficial channels about the Chinese achieving improbably high levels of access into ostensibly "fire-walled" servers of the Bhabha Atomic Research Centre (BARC), Trombay, missile design facilities (such as the Advanced Systems Laboratory, Hyderabad) and other critical DRDO installations, the ministry of defence and the various service headquarters and, perhaps, even the Prime Minister's Office (PMO).
How vulnerable such agencies are can be gauged from the fact that at one point in time not too long ago Indian hackers forcefully assumed control of the Indian Navy, Indian Air Force and BARC servers (named after Indian rivers — Ganga, Yamuna, Saraswati, etc.). A more malicious force could have merrily wreaked havoc, sucked out information and secreted away bugs of the kind the Chinese hackers placed in the ENC's computer network — designed to relay targeted classified information to external sources. There's no guarantee this was not done.
One might, in the circumstances, wonder just what it is that official Indian agencies tasked with cyber defence are doing. The supposedly premier National Technology Research Organisation (NTRO), like every other institution in the overly bureaucratic Indian state, is busily aggrandising turf and monopolising capability, but, by itself, has conducted near zero offensive or even defensive cyber operations — the reason why the Indian government remains exposed to almost any passing cyber threat.
Heavy financial investments in the NTRO have so far led to it successfully warding off Research & Analysis Wing's (RAW) attempts to have its own offensive cyber operations cell, for instance, but not to it mounting even a single sustained offensive against Chinese networks. Such offensive programmes, protocols and algorithms that have been created are products of informal Indian hacker groups working for the NTRO. Except that the NTRO has expropriated and passed off this work as its and won laurels for itself!
The NTRO, which is manned by DRDO stalwarts, like the RAW, has huge funds at its disposal for which there is no accountability, affording ample opportunities for siphoning off public monies. How is this done? One method, as already indicated, is to hire highly motivated young privateers who hack as serious hobby but are also eager to do their bit for the nation. They are promised much but paid a pittance and that too tardily, thereby de-incentivising them. By one account, as much as nine-tenths of any sanctioned expenditure is thus spirited away. The NTRO, in other words, is yet another vehicle for unreported scams on a vast scale. If this organisation is proving to be more a cyber liability than help, what are the other agencies in the same business up to?
The Headquarters Integrated Defence Staff, ministry of defence, has under its wing the Defence Information Assurance and Research Agency. It is manned by veteran officers from the EME (Electrical and Mechanical Engineers) Corps of the Indian Army, who have almost no clue about the cyber warfare domain, leave alone what to do in it.
The Indian Navy and the Indian Air Force have separately developed capabilities for engaging in purely defensive operations. They can repel cyber strikes and penetration attempts — apparently not all that well in light of the Chinese cyber infection of the ENC communications hub — but cannot counter-attack.
Extant Indian cyber capability and efforts are, in actuality, so pathetic that the NTRO has stalled exploratory inquiries by the US National Security Agency to jointly develop means to attack and defeat the Chinese cyber threat. The NTRO understandably fears that any collaborative work with professional American organisations will quickly expose them as poseurs and frauds or, at the very least, as incompetent.
The trouble is, despite boasting of incomparable cyber talent in the country in the non-governmental sphere, India is saddled with a government, a science and technology establishment, and a military that are strictly industrial age. It is doubtful if anybody in the PMO, for instance, knows anywhere near enough to appreciate the basic fact of cyber reality — that the most inspired offensive and defensive cyber operations and breakthroughs are done by youngsters barely out of school who can negotiate their way through the most complicated protection schemes and plant "logic bombs" in heavily defenced communication networks on a dare or just to show off to their peers.
This enormous human resource wealth is available and can be mobilised for the national cause by offering these computer whiz-kids not babu pay scales and suffocating bureaucratic environs of work, but freedom to operate as they wish to overcome meaty challenges. Of course, they have to be compensated directly and well (without intervening organisations decanting the moolah). Pitting a huge number of teams of these young guns hired by military and intelligence agencies — the more of them the better — to compete with each other in relentless offensive, defensive and pre-emptive cyber campaigns, bypassing the usual mode of government functioning, is a desperate need. They would seriously discomfit any adversary — something the wretched NTRO and other cyber-wise Neanderthal government organisations cannot ever dream of doing.
The problem, however, is the reliance on technology imports. Everyone is aware of the Chinese Army-controlled Huawei telecommunications company being permitted to sell area networks, including switching systems, in India, on the condition that its wares are certified by a Huawei-funded centre at the Indian Institute of Science, Bengaluru. This is a joke considering the centre is given select units to examine.
Worse, the Indian government talks incessantly of "buying Indian" but its agencies as studiously purchase possibly compromised cyber software and enabling systems from RSA, Cisco, etc, rather than support indigenous development of comparable software and hardware, such as the enormously efficient router developed by IIT Mumbai. In the event, one should be prepared for cyber-savvy states, like China, to disable the Indian government and military at will early in any crisis.

 

[nrj]

GOI's Offensive Cyber Wing?

**yawn**

Sent via Tapatalk from a galaxy far far away

 

[Bhadra]

I am no fan of sweatshops, but this analogy is wrong, until you prove me with credible sources.

Just crunch the numbers....... after all one required numbers too !

 

[Bhadra]

Agree with Oracle. I don't see the GoI being able to get the right kind of people to do this stuff. Even companies find it tough to recruit talent today - GoI has no idea of the realities.

They are better off outsourcing the whole effort to some Indian company.

Outsource the Cyber Warfare !! You must be kidding

 

[secsec]

Hello.
I am a specialist in information security researcher from Russia.
I learned from the news that the Government of India launches 5-year plan to improve the cyber security of the country. I also know that it will be engaged in two departments: National Critical Information Infrastructure Protection Center (NCIIPC) and the Computer Emergency Response Team (CERT).
I have enough of this experience in Russia and want to help and get involved in this. But I badly guided the Indian segment of the Internet.

Please tell me how and where should I turn to.

 

[spikey360]

Hello.
I am a specialist in information security researcher from Russia.
I learned from the news that the Government of India launches 5-year plan to improve the cyber security of the country. I also know that it will be engaged in two departments: National Critical Information Infrastructure Protection Center (NCIIPC) and the Computer Emergency Response Team (CERT).
I have enough of this experience in Russia and want to help and get involved in this. But I badly guided the Indian segment of the Internet.

Please tell me how and where should I turn to.

Unfortunately, it doesn't work like that. They're probably going to recruit from corps of other Indian services. The government of India isn't very worldly wise when it comes to computing.

 

[secsec]

Unfortunately, it doesn't work like that. They're probably going to recruit from corps of other Indian services. The government of India isn't very worldly wise when it comes to computing.

Do you think if I find a serious security hole and let us know how likely cooperate with me free of charge?