
India's Cyber Security Challenges - Gerdab.IR

Date post: 26-Jun-2020
ISBN 81-86019-98-7

INDIA'S CYBER SECURITY CHALLENGE

IDSA Task Force Report

March 2012


Map on the cover is only indicative and not to scale.

Institute for Defence Studies and Analyses, New Delhi. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photo-copying, recording or otherwise, without the prior permission of the Institute for Defence Studies and Analyses (IDSA).

ISBN: 81-86019-98-7

Disclaimer: The views expressed in this Report are of the Task Force Members and do not necessarily reflect those of the Institute for Defence Studies and Analyses or the Government of India.

First Published: March 2012

Price: Rs. 125/-

Published by: Institute for Defence Studies and Analyses
No.1, Development Enclave, Rao Tula Ram Marg,
Delhi Cantt., New Delhi - 110 010
Tel. (91-11) 2671-7983
Fax. (91-11) 2615 4191
E-mail: [email protected]
Website: http://www.idsa.in

Layout & Cover by: Vaijayanti Patankar and Geeta Kumari

Printed at: M/s Printline
H-10, IInd Floor, NDSE-I
New Delhi - 110049
Tel: (91-11) 24651060, 24643119
Mob: 9716335119
Email: [email protected]


CONTENTS

Acronyms and Abbreviations

Preface

Chapter 1: Setting the Scene

Chapter 2: Cyber Security - An Overview

Chapter 3: Cyber War - The Need for Preparedness

Chapter 4: Protection of Critical Information Infrastructure through Public-Private Partnership

Chapter 5: Harmonising the National Legal Regime with the International Legal Regime

Chapter 6: Recommendations

Appendices

Appendix 1: Proposed Coordination Structure for Cyber and Information War

Appendix 2: Cyber Security Incidents 2004-2011

Appendix 3: Speech of Mr Sachin Pilot, Minister of State for Communications and Information Technology, at the London Conference on Cyberspace


Appendix 4: Selected Parliamentary Questions related to Cyber Security

Appendix 5: Report of UN Group of Governmental Experts

Appendix 6: IBSA Multistakeholder Meeting on Global Internet Governance


ACRONYMS AND ABBREVIATIONS

APEC - Asia-Pacific Economic Cooperation

ARTRAC - Army Training Command

ASEAN - Association of South East Asian Nations

ATC - Air Traffic Control

ATM - Any Time Money

BPO - Business Process Outsourcing

BPR&D - Bureau of Police Research & Development

BSE - Bombay Stock Exchange

BSNL - Bharat Sanchar Nigam Limited

CBI - Central Bureau of Investigation

C-DAC - Centre for Development of Advanced Computing

CDTS - Central Detective Training School

CEITU - Council of Europe, International Telecommunication Union

CERT-In - Computer Emergency Response Team India

CFSL - Central Forensic Science Laboratory

CIA - Confidentiality, Integrity and Availability

CIDS - Chief of Integrated Defence Staff

CII - Critical Information Infrastructure

CISO - Chief Information Security Officer

CIW - Cyber and Information War

CIWEC - CIW Executive Committee

CS&IW - Cyber Security and Information Warfare

CSIS - Centre for Strategic and International Studies

DARPA - Defence Advanced Research Projects Agency

DDOS - Dedicated Denial of Service

DG - Director General


DIARA - Defence Information Assurance and Research Agency

DIT - Department of Information Technology

DNS - Domain Name System

DoT - Department of Telecommunications

DRDO - Defence Research and Development Organisation

DSCI - Data Security Council of India

DSF - DSCI Security Framework

DVD - Digital Versatile/Video Disc

ERNET - Education and Research Network

EU - European Union

FATF - Financial Action Task Force

GCHQ - Government Communications Headquarters

GDP - Gross Domestic Product

GGE - Group of Governmental Experts

GPS - Global Positioning System

GSLV - Geo-synchronous Satellite Launch Vehicle

GUCCI - Global Undersea Cable Communication Infrastructure

HQ IDS - Headquarter Integrated Defence Services

HR - Human Resource

IB - Intelligence Bureau

IBSA - India, Brazil, South Africa

ICANN - Internet Corporation for Assigned Names and Numbers

ICCIS - International Code of Conduct for Information Security

ICT - Information and Communications Technology

IDC - International Data Corporation

IETF - Internet Engineering Task Force

IGF - Internet Governance Forum

IPC - Indian Penal Code

ISEA - Information Security Education and Awareness


ISP - Internet Service Provider

ISRO - Indian Space Research Organisation

IT Act - Information Technology Act

ITU - International Telecommunications Union

IW - Information Warfare

J&K - Jammu and Kashmir

LEA - Law Enforcement Authority

LOAC - Laws of Armed Conflict

M.Tech - Master of Technology

MAG - Multi-stakeholder Advisory Group

MBA - Master of Business Administration

MCA - Master of Computer Applications

MHA - Ministry of Home Affairs

MMCR - Multi Medium Combat Role

MoD - Ministry of Defence

MTNL - Mahanagar Telephone Nigam Limited

NASSCOM - National Association of Software and Services Companies

NATO - North Atlantic Treaty Organisation

NCMC - National Crisis Management Committee

NCRB - National Crime Records Bureau

NCRC - National Cyber Response Centre

NCSP - National Cyber Security Policy

NCW - No Contact War

NDMA - National Disaster Management Authority

NeGP - National e-Governance Plan

NIB - National Information Board

NIC - National Informatics Centre

NICNET - NIC Network

NIIPC - National Information Infrastructure Protection Centre


NKN - National Knowledge Network

NOFN - National Optical Fibre Network

NPT - Non-Proliferation Treaty

NSA - National Security Adviser

NSCS - National Security Council Secretariat

NSE - National Stock Exchange

NTRO - National Technical Research Organisation

NW - Network

OECD - Organisation for Economic Cooperation and Development

ONGC - Oil and Natural Gas Corporation

P2OG - Proactive Pre-emptive Operations Group

PCs - Personal Computer

PLC - Programmable Logic Control

PPP - Public-Private Partnership

RAW - Research and Analysis Wing

RBI - Reserve Bank of India

SCADA - Supervisory Control and Data Acquisition

SDC - State Data Centre

STQC - Standardisation, Testing and Quality Certification

TA - Territorial Army

TRAI - Telecom Regulatory Authority of India

TV - Television

UK - United Kingdom

UN - United Nations

UNGA - United Nations General Assembly

US - United States

USCYBERCOM - US Cyber Command

VSAT - Very Small Aperture Terminal

WLR - Weapon Locating Radar


PREFACE

Airplanes were used militarily for the first time in the Italo-Turkish war of 1911. This was some eight years after the Wright brothers' maiden airplane flight. However, the recognition of airspace as a potential theatre of war may be said to have occurred when the first independent air command was formed with the establishment of the RAF towards the end of World War I in 1918. The use of airplanes for civilian purposes came before their military use. The military use itself evolved from supporting land and sea operations to the independent use of air power with strategic bombing, an evolution that took about a decade or so.

The present situation with regard to cyberspace is similar. The development of the Internet and low-cost wireless communication is the contemporary equivalent of what airplanes were a hundred years ago. Their use in economic, social and political transactions has increased at a rate that far exceeds the growth in airplane use over the last century. These technologies already play an important part in military operations in the traditional spheres of land, sea, air and the newer one of space. There are signs that they have been used for aggressive purposes by some states. There is also ample evidence of their use by criminals and terrorist groups. It is only a matter of time, like air power a hundred years ago, before cyberspace becomes an independent theatre of war.

There is one important nuance in the treatment of cyberspace as a fifth potential theatre of war along with land, sea, air and space. The use of cyberspace depends on physical facilities like undersea cables, microwave and optical fibre networks (NWs), telecom exchanges, routers, data servers, and so on. Protecting or attacking these is in the domain of the traditional arms of the military. Cyberspace as an independent theatre of war is about attacks that compromise the capability to use these facilities: they cannot be prevented by the security services in isolation. The defence of cyberspace necessarily involves the forging of effective partnerships between the public organisations charged with ensuring the security of cyberspace and those who manage the use of this space by myriad users like government departments, banks, infrastructure, manufacturing and service enterprises and individual citizens.

The defence of cyberspace has a special feature. The national territory or space that is being defended by the land, sea and air forces is well defined. Outer space and cyberspace are different. They are inherently international even from the perspective of national interest. It is not possible for a country to ignore what is happening in any part of this space if it is to protect the functionality of the cyberspace relevant for its own nationals. Moreover, a key part of this space, the global Internet system, is still under the control of one country. Hence national defence and international cooperation are inevitably intermeshed. This means that a country's government must ensure coherence between its security policy and the diplomatic stance taken by it in multilateral and bilateral discussions on matters like Internet and telecom governance, human rights related to information freedoms, trade negotiations on infotech services, and so on.

There is another feature of cyberspace that complicates the design of security structures and policies compared to the other theatres of conflict. In cyberspace it is very easy for an attacker to cover his tracks and even mislead the target into believing that the attack has come from somewhere else. This difficulty in identifying the perpetrator makes it difficult to rely on the capacity to retaliate as a deterrent. Whom will you penalise when the perpetrator cannot be clearly identified? Moreover, the costs of mounting an attack are very modest. These two factors make cyberspace an ideal vehicle for states and non-state actors who choose to pursue their war aims through clandestine means. In this situation effective security policy for cyberspace requires a high priority for early warning, intelligence and pre-emptive defence.

The technologies that are used in cyberspace are still very new and are evolving rapidly. Hence investing in technological capacities to keep track of global developments, developing countermeasures and staying ahead of the competition is as central to the defence of cyberspace as the more conventional security measures.

This report argues that Government and the private sector should recognise these aspects, give cyber security some priority in their security and risk management plans, and do this jointly. Being a report that is addressed to the security community in the widest sense and intended to stimulate public discussion, it relies on publicly available information. Its central messages are:

• The need to strengthen the inter-ministerial coordination arrangements for cyberspace security under the National Security Adviser (NSA).

• The case for a new Cyber Command in the structure of the defence forces to manage cyber defence and cyber warfare.

• Public-private partnerships (PPP) for information security in identified sectors dependent on the use of IT.

• Legislative measures to handle the special features of crime and security in cyberspace.

• A proactive diplomatic policy to create an international legislative environment that can facilitate national defence.

• Capacity building all around to cope with a potentially crippling shortage of qualified personnel.

The process of preparing this report reflects the public-private and multi-sectoral nature of the problem. The initiative for doing this came from the Institute for Defence Studies and Analyses, New Delhi, the premier security policy think-tank in the country. The participants in the exercise included individuals with some exposure to Internet and telecom-related policy issues at the national and global level, former defence personnel, those involved in Internet and data security today, defence technology researchers, and a lawyer who specialises in cyber law. As the Chair of this eclectic group I wish to thank all of them for the time and effort they devoted to this exercise, mainly because of our shared perception that this area needs urgent attention. But above all I am grateful to Shri Arvind Gupta for his leadership on this issue not just in this group but also earlier. On behalf of the group I would also thank Shri Cherian Samuel from IDSA and Kapil Patil from Pugwash India who contributed greatly to the efficiency with which the group functioned.

(NITIN DESAI)
Chairman, Cyber Security Expert Group, IDSA

New Delhi
March 2012


CHAPTER 1

SETTING THE SCENE

1.1 PREAMBLE

The evolution of technology impacts the nature of conflict and war. Among the recent aspects of conflict is “no contact war” (NCW), wherein there is no “physical” or “kinetic” action across borders. Operations are conducted in a covert manner using resources such as agents in the information domain to weaken or strike at an adversary to achieve political objectives. These are clouded in ambiguity and deniability. The enemy is unseen and the victim unsure of how and where to react.

Several states are on the way to achieving this capability. Historically speaking, China studied Gulf War I in detail and analysed that it could not defeat the USA with numbers or in technology. It therefore adopted the concept of asymmetric war based on vulnerabilities of the USA in the cyber domain. This was structured around the concept of “Wangluohua” – networkisation as a part of unrestricted and asymmetric warfare. Amongst others, a Task Force was created for Information War (IW), four universities set up, hacker groups supported, regular exercises held and IW units raised in 2003. Through a process of cyber espionage, reverse engineering, source-code sharing, manufacture of hardware, supported by a huge human resource (HR) base, China has greatly developed its capacity in this regard to formidable proportions. Unlike any other forms of warfare, there is no convention or ban on sharing of information with respect to the cyber domain. Thus countries which are inimical could put together resources. Additionally, this capability could be shared with terrorist and fundamentalist groups to wreak mayhem on an intended adversary.

As India progresses, its reliance on the Internet will increase[1] at a rapid pace. Globalisation and governance require a wired society. Along with this India’s vulnerability to the threat of IW will become greater. This danger must be foreseen and planned for. Failure to do so can result in a catastrophe and severely affect the country’s status and international partnerships, especially in the financial sector. To understand the impact of IW a hypothetical situation at the end of this decade is presented here.

[1] The number of Internet users increased from 1.4 million in 1998 to 100 million in 2010. Internet penetration during this period rose from 0.1% to 8.5%. Asia Internet Stats.

1.2 REGIONAL SECURITY SCENARIO, 2020

The regional situation is uncertain. Relations with China and Pakistan have not seen any major change. The J&K dispute and the boundary issue with China have not been resolved and tension prevails. Pakistan continues to flounder, with an unsettled situation in Afghanistan. India’s continued growth in the region of 7 to 9% has generated an increased demand for water, energy resources and raw materials. Competition for resources and global business has grown. Global warming has had adverse environmental and demographic effects.

1.3 BACK TO THE FUTURE: 1997 TO 2012

How bad will it be? An indicative answer emerges if we look back 15 years ago, i.e. 1996-97. Vast changes have taken place in this period. The rate and pace has been exponential in every field, whether it is the economy, the telephone revolution, industrial growth, standard of living, left-wing extremism, threat of terrorism, regional instability or the very way in which the government functions. In retrospect, despite the political instability of that period, India in a manner was much safer and insulated. Applying the same escalatory model, the security situation in 2020 is bound to be far more complex and dangerous. The standard of living will go up; however, it will be a more wired society with the e-governance, communication, power and transportation NWs, financial transactions, health and medicine, all dependent on the cyber domain. Alongside will be the aspect of increased transparency and instant dissemination or democratisation of information. All this will also create vulnerabilities and impact on security with disastrous consequences.

1.4 EVENTS OF 30 JUNE 2020

It has been a long hot day in a summer of internal and regional tension. At 1900 hours, when everyone is likely to call it a day, Internet traffic has broken down all over. CERT-In sends a message to the National Security Council Secretariat (NSCS) and the National Command Post that “Large-scale movement of several different zero day malware programs on Internet affecting critical infrastructure.” Copies are sent globally. Soon thereafter come in reports from different ministries, state governments, establishments and institutions all over the country. A scenario of what could happen in isolation, or in combination, in the next few hours, follows.

• Telephone NWs Collapse

BSNL exchanges hang and switching centres of mobile NWs (hardware mostly of Chinese origin) shut down or behave erratically. Defence NW routers are failing and rebooting. Close to 1000 million telephones are functioning erratically, affecting every aspect of life. Worrisome messages abound. There is panic and uncertainty.

• Satellites out of Control

Communication, remote sensing and surveillance satellites are thrown out of gear. TV and other transmissions are disrupted, spreading alarm. The Indian GPS system, operationalised in 2016, malfunctions, affecting traffic and security systems.

• SCADA Systems Controlling Power Grids Collapse

The whole of North and Western India and some other regions suffer a power blackout. This affects all services, including rail and road traffic. There is chaos on the roads as traffic lights and systems are not working and the police are unable to cope with the rush-hour flow. Reports of accidents and traffic jams come in from all over the country. It also results in looting and police are unable to control the mobs.

• ATC Management Collapses

The international air traffic control (ATC) system, based on communication NWs and the Internet, is malfunctioning. Manual backup systems cannot meet the requirements. There is chaos at airports like Delhi and Mumbai which handle 2000 to 3000 flights a day. There are reports of at least three mid-air collisions from different parts of India. Rumours abound and there is widespread alarm and hysteria.

• Railway Traffic Control Collapses

The complex Indian Railway management and traffic system is clogged. Rail traffic on a number of routes is suspended due to power failure. There are reports of derailments and accidents. The metro and local train systems in major cities are also suffering from chaos.

• Oil Refineries

There are messages of explosions and devastating fires in major refineries with extensive damage and loss of life. Pipelines are ruptured and oil flow is disrupted.

• Collapse of Financial Services

Dedicated denial of service (DDOS) attacks paralyse the financial systems. There is data theft, destruction and clogging. Millions of transactions are distorted. Banks cut off the systems from the Internet. ATM machines across the country hang. There is talk that money has run out with resultant panic.

• Collapse of Health and Civic Services

Health and civic services, dependent heavily on the Internet, collapse. Data in respect of emergency facilities are not available. Coupled with power and communication failures, the situation in hospitals is close to breaking point.

• Chemical Plants

The safety systems of chemical plants, governed by computer systems, fail. Lethal clouds of noxious gases billow, creating panic and deaths.

• Defence Forces

A large tri-service exercise, that has been underway, is in a crucial phase. There is complete dislocation due to failure of communication and GPS systems as also large-scale DDOS attacks. Amongst others:

    • Avionics on the latest MMCR aircraft blank out.

    • Computer-controlled systems in the C-17 not responding.

    • The ANTPQ-37 WLRs go into seizure.

    • The newly developed tri-service logistic management system is affected by virus and fails.

1.4.1 Damage and Loss

Millions of Indians have been affected. The loss of lives has been in thousands. Given the reach of the media as also the visibility that any such event would invite, it could, in a few hours, constitute a disaster for the country far greater than all the wars and natural catastrophes put together. It would expose India as weak and unprepared, unsafe to live in, an unreliable business partner and vulnerable in every sense of the word. India’s credibility as a country would be affected without a shot having been fired in anger. It is difficult to imagine a greater national humiliation.

The other aspect is that there would be no attributability. When investigated, these attacks will appear to have come from all over the globe as also servers within the country. Much as India would like to retaliate, there would be nobody who could be definitely identified. Even if identified, it could be denied.

The foregoing scenario, which is only a partial picture of what could happen, must serve as a wake-up call for urgent measures in this regard.


CHAPTER 2

CYBER SECURITY – AN OVERVIEW

2.1 A COMPLEX ISSUE

Cyber security is a complex issue that cuts across multiple domains and calls for multi-dimensional, multilayered initiatives and responses. It has proved a challenge for governments because different domains are typically administered through siloed ministries and departments. The task is made all the more difficult by the inchoate and diffuse nature of the threats and the inability to frame an adequate response in the absence of tangible perpetrators.

The rapidity in the development of information technology (IT) and the relative ease with which applications can be commercialised has seen the use of cyberspace expand dramatically in its brief existence. From its initial avatar as an NW created by academics for the use of the military, it has now become a global social and economic and communications platform.

The increasing centrality of cyberspace to human existence is exemplified by facts and figures brought out recently by the International Telecommunications Union (ITU), according to which the number of Internet users has doubled between 2005 and 2010 and surpasses two billion. Users are connecting through a range of devices from the personal computer (PC) to the mobile phone, and using the Internet for a variety of purposes from communication to e-commerce, to data storage.

The rise in the Internet population has meant that while the threats and vulnerabilities inherent to the Internet and cyberspace might have remained more or less the same as before, the probability of disruption has grown apace with the rise in the number of users. While such disruptions are yet to cause permanent or grievous damage worldwide, they serve as a wake-up call to the authorities concerned to initiate measures to improve the security and stability of cyberspace in terms of their own security. Governments are constrained in their responses by pressures exerted by politico-military-national security actors at one end and economic-civil society actors at the other.

2.2 INTERNET GOVERNANCE – CHALLENGES AND CONSTRAINTS

The success of the Internet has partly been attributed to its relative openness and low barriers (including minimal security features) to entry. However, the same openness, while allowing companies to flourish, has also facilitated those with malicious intent to operate with relative ease.

The origins of the Internet can be traced back to the attempts by the Defense Advanced Research Projects Agency (DARPA) of the US Department of Defense to create a communications NW that would survive a nuclear exchange between the two superpowers of the time. It was subsequently used by academia as a means of communicating and collaborating on research projects. The uniqueness of the Internet in being an open structure with few barriers to entry is the outcome of the circumstances in which it was conceptualised and a result of the worldview of its initial champions. Though a military project, its very nature of being a communications project plus the fact that it was quickly adopted by academics as a means of collaboration led to a quick crossover to the civilian domain. The fact that the technology did not belong to any one company saw the implementation of standards for its various protocols, which was responsible for continuing innovation and improvements of its capabilities.

In the early stages of development of the Internet, much of the task of developing cyberspace was in the hands of line organisations such as the Department of Information Technology (DIT) at the national level or the ITU at the international level, and other expert bodies. While these organisations were competent in their own right, they were unable to bring a holistic perspective to the issue, given their domain-specific focus on issues. This also resulted in fragmented approaches to cyber security, dictated by different requirements and priorities at different points in time.

Among the many institutions that came up and have endured is the Internet Engineering Task Force (IETF), set up in 1986. It comprised a number of experts on various aspects of the Internet who worked through a cooperative consensus-based decision-making process. The Internet Corporation for Assigned Names and Numbers (ICANN) was created in 1998 on similar principles to manage the Domain Name System (DNS), another key infrastructure of the Internet. Most of the ICANN’s powers and functions were devolved to it by the US government, which hitherto controlled DNS. The multi-stakeholder approach to discussing the development of the Internet that was institutionalised through these organisations was further carried forward in the UN-sponsored series of conferences beginning with the World Summits on the Information Society held in 2003 and 2005, and ultimately resulting in the Internet Governance Forum (IGF), convened by and reporting to the UN Secretary General.

The US has had a major influence on the development of cyberspace by virtue of the fact that much of the initial infrastructure and use was centred in that country and it continues to be a major force in its development and use. The US has thus been in a position to fend off periodic attempts to challenge its supremacy, and at those times when it has been forced to shed some of its control, as in the case of ICANN, it has done so very reluctantly. Though it has been a participant in multilateral fora, the United States’ agenda invariably has been to ensure that its dominant position is not disturbed. More recently, approaches to cyberspace have taken on ideological hues, with countries ultimately seeking to gain effective control over deciding the form and shape of cyberspace within their national boundaries.

The jockeying for influence to impact Internet governance issues has seen increased activity in recent times. Most of these have taken place at the multilateral level, with countries forming coalitions and introducing resolutions at multilateral fora. While Russia has been introducing resolutions on cyber security at the United Nations since 1998, it recently joined hands with China, Tajikistan and Uzbekistan to introduce an “International Code of Conduct for Information Security” (ICCIS). Some of the clauses within this resolution have been criticised as an attempt to increase control over content and information in the guise of securing cyberspace. Proposals by the IBSA forum (India, Brazil, South Africa) have also been seen with similar scepticism. One of the unstated goals of the recent Cyber Security Summit held by the British government would be seen as an effort on the part of the advanced economies to regain the initiative in drawing up norms for cyberspace that highlight core Western values.

2.3 THE INDIAN CYBERSPACE

The National Informatics Centre (NIC) was set up as early as 1975 with the goal of providing IT solutions to the government. Between 1986 and 1988, three NWs were set up: INDONET, connecting the IBM mainframe installations that made up India’s computer infrastructure; NICNET (the NIC Network), being a nationwide very small aperture terminal (VSAT) NW for public sector organisations as well as to connect the central government with the state governments and district administrations; and the Education and Research Network (ERNET), to serve the academic and research communities.

Policies such as the New Internet Policy of 1998 paved the way for multiple Internet service providers (ISPs) and saw the Internet user base grow from 1.4 million in 1999 to over 15 million by 2003. Though the rate of growth has slowed subsequently, with Internet users now approximately numbering 100 million, exponential growth is again expected as Internet access increasingly shifts to mobile phones and tablets, with the government making a determined push to increase broadband penetration from its present level of about 6%.[2] The target for broadband is 160 million households by 2016 under the National Broadband Plan.

[2] According to the Report for 2010 of the Telecom Regulatory Authority of India (TRAI), over 381 million mobile subscribers possessed the ability to access the Internet through their mobiles, with 35 million having accessed at least once.

Despite the low numbers in relation to the population, Indians have been active users of the Internet across various segments. The two top email providers, Gmail and Yahoo, had over 34 million users registered from India.[3] Similar figures have also been seen in the social networking arena, which is the most recent entrant to the cyber platform. India currently has the fastest growing user base for Facebook and Twitter, the two top social networking sites. An indication of the rapid pace of adaptation to the Internet in India is that Indian Railways, India’s top e-commerce retailer, saw its online sales go up from 19 million tickets in 2008 to 44 million in 2009, with a value of Rs. 3800 crore ($875 million).[4]

Even though the Indian government was a late convert to computerisation, there has been an increasing thrust on e-governance, seen as a cost-effective way of taking public services to the masses across the country. Critical sectors such as Defence, Energy, Finance, Space, Telecommunications, Transport, Land Records, Public Essential Services and Utilities, Law Enforcement and Security all increasingly depend on NWs to relay data, for communication purposes and for commercial transactions. The National e-governance Program (NeGP) is one of the most ambitious in the world and seeks to provide more than 1200 governmental services online.

Looking to the future, the Cisco Visual Networking Index estimates that India’s Internet traffic will grow nine-fold between now and 2015, topping out at 13.2 Exabytes in 2015, from 1.6 Exabytes in 2010. That will be the equivalent of the data contained in 374,372 DVDs being carried every hour through these NWs.

In terms of contribution to the economy, the ICT sector has grown at an annual compounded rate of 33% over the last decade. The contribution of the IT-ITeS industry to GDP increased from 5.2% in 2006-7 to 6.4% in 2010-11. Many of the activities of the IT/BPO sector, which was responsible for putting India on the services export map, would not have been possible but for the cost-efficiencies provided through the expansion of global data NWs.

[3] According to Internet research firm Comscore, 62% of Internet users in India use Gmail.

[4] A report compiled by the Indian Market Research Bureau (IMRB) projects domestic e-commerce to be in the region of $10 billion by the end of 2011.

The government has ambitious plans to raise cyber connectivity. There has been a boom in e-commerce, and many activities related to e-governance are now being carried out over the Internet. As we grow more dependent on the Internet for our daily activities, we also become more vulnerable to any disruptions caused in and through cyberspace. The rapidity with which this sector has grown has meant that governments and private companies are still trying to figure out both the scope and meaning of security in cyberspace and apportioning responsibility. As in other countries, much of the infrastructure related to cyberspace is with the private sector, which also provides many of the critical services, ranging from banking, to electricity to running airports and other key transportation infrastructure.

Taking telecommunications as a case in point, CII in India comprises around 150 Internet and telecom service providers, offering Internet, mobile and wireless connectivity to a user base of nearly 800 million. A major portion of data communication is facilitated by submarine cables. India has landing points for major submarine cable systems which are minimally protected. A preview of what could happen by way of these cables being disabled took place in 2008 when a series of outages and cable cuts in undersea cables running through the Suez Canal, in the Persian Gulf and Malaysia caused massive communications disruptions to India and West Asia.

Other sectors that could be subject to serious threats include the financial sector, which has largely transferred operations online. Stock exchanges in the United States and Hong Kong have reportedly been subject to cyber attacks. The electricity grid is also vulnerable with the inevitable move towards a smart grid, given the economic and efficiency factors. The protection of critical infrastructure is a complex task requiring forethought, planning, strong laws, technologies, PPP and resources. For all these reasons it needs to be given top priority by the government. The country cannot afford to wait indefinitely for a robust policy to protect this critical infrastructure. Above all, the political will needs to be mustered to take the challenge head on.

The government would necessarily have to work closely with the private sector, particularly in promoting cyber security practices and hygiene.

2.4 CYBER THREATS

Cyber threats can be disaggregated, based on the perpetrators and their motives, into four baskets: cyber espionage, cyber warfare, cyberterrorism, and cyber crime. Cyber attackers use numerous vulnerabilities in cyberspace to commit these acts. They exploit the weaknesses in software and hardware design through the use of malware. DDOS attacks are used to overwhelm the targeted websites. Hacking is a common way of piercing the defences of protected computer systems and interfering with their functioning. Identity theft is also common. The scope and nature of threats and vulnerabilities is multiplying with every passing day.

2.4.1 Cyber Warfare

There is no agreed definition of cyber warfare but it has been noticed that states may be attacking the information systems of other countries for espionage and for disrupting their critical infrastructure. The attacks on the websites of Estonia in 2007 and of Georgia in 2008 have been widely reported. Although there is no clinching evidence of the involvement of a state in these attacks, it is widely held that in these attacks, non-state actors (e.g. hackers) may have been used by state actors. Since these cyber attacks, the issue of cyber warfare has assumed urgency in the global media. The US has moved swiftly and set up a cyber command within the Strategic Forces Command and revised its military doctrine. In the latest official military doctrine, the US has declared cyberspace to be the fifth dimension of warfare after land, air, oceans and space, and reserved the right to take all actions in response, including military strikes, to respond to cyber attacks against it. It is almost certain that other countries will also respond by adopting similar military doctrines. The issue whether cyber attacks can be termed as acts of warfare and whether international law on warfare applies to cyber warfare is being hotly debated. Multilateral discussions are veering around to debating whether there should be rules of behaviour for state actors in cyberspace. The issue becomes extremely complicated because attacks in cyberspace cannot be attributed to an identifiable person and the attacks traverse several computer systems located in multiple countries. The concept of cyber deterrence is also being debated but it is not clear whether cyber deterrence can hold in cyberspace, given the easy involvement of non-state actors and lack of attribution.

There is, however, ongoing debate between those who believe that cyber warfare is over-hyped and those who believe that the world is heading towards a cyber Armageddon. Both sides have valid arguments, but even as that debate continues, cyber warfare as a construct has become inevitable because the number of countries that are setting up cyber commands is steadily growing. These commands have been accompanied by efforts at developing applicable military doctrines. There is, therefore, a pressing need to think about norms for cyber warfare, whether the laws of armed conflict (LOAC) can be adapted to cyber warfare, and how principles like proportionality and neutrality play out in the cyber domain. Current rules of collective security such as Art. 41 of the UN Charter and Chapter 7 are found wanting in the context of cyber warfare, particularly when it comes to the rapidity of cyber attacks, and the inordinate time it takes for decision-making and action under these rules.

2.4.2 Cyber Crime

The increasing online population has proved a happy hunting ground for cyber criminals, with losses due to cyber crime being in billions of dollars worldwide. While other countries are reporting enormous losses to cyber crime, as well as threats to enterprises and critical information infrastructure (CII), there are hardly any such reports coming out of India other than those relating to cyber espionage. Though the report of the National Crime Records Bureau (NCRB) for 2010 reported an increase of 50% in cyber crime over the previous year, the numbers were quite small in absolute terms.[5] The total number of cases registered across various categories was 698; but these low numbers could be because cyber laws have proved ineffective in the face of the complex issues thrown up by the Internet. As a case in point, though the cyber crimes unit of the Bengaluru Police receives over 200 complaints every year, statistics show that only 10% have been solved; a majority of these are yet to be even tried in the courts; and the cases that did reach the courts are yet to reach a verdict since the perpetrators usually reside in third countries. Even though the Information Technology Act (IT Act) 2000 confers extraterritorial jurisdiction on Indian courts and empowers them to take cognisance of offences committed outside India even by foreign nationals provided “that such offence involves a computer, computer system or computer network located in India”, this has so far existed only on paper.

[5] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

Similarly, there are relatively few reports of Indian companies suffering cyber security breaches of the sort reported elsewhere. Companies attribute this to the primacy placed on information assurance in the outsourcing business. Industry bodies such as the National Association of Software and Services Companies (NASSCOM) also attribute this to the fact that they have been at the forefront of spreading information security awareness amongst their constituents, with initiatives such as the establishment of the Data Security Council of India (DSCI) and the National Skills Registry. The Indian government has also aided these initiatives in a variety of ways, including deputing a senior police officer to NASSCOM to work on cyber security issues, keeping the needs of the outsourcing industry in mind.

That said, cyberspace is increasingly being used for various criminal activities and different types of cyber crimes, causing huge financial losses to both businesses and individuals. Organised crime mafia have been drawn to cyberspace, and this is being reflected in cyber crimes gradually shifting from random attacks to direct (targeted) attacks. A cyber underground economy is flourishing, based on an ecosystem facilitated by exploitation of zero-day vulnerabilities, attack tool kits and botnets. The vast amounts of money lubricating this ecosystem are leading to increased sophistication of malicious codes such as worms and trojans. The creation of sophisticated information-stealing malware is facilitated by toolkits such as ZeuS, which are sold on the Internet for a few thousand dollars. At the other extreme, components of critical infrastructure such as Programmable Logic Controller (PLC) and Supervisory Control and Data Acquisition (SCADA) systems were targeted by the Stuxnet malware that attacked supposedly secure Iranian nuclear facilities. Stuxnet exploited five distinct zero-day vulnerabilities in desktop systems, apart from vulnerabilities in PLC systems, and exposed the grave threat to nuclear plants and other critical infrastructure. Cyber criminals are using innovative social engineering techniques through spam, phishing and social networking sites to steal sensitive user information to conduct various crimes, ranging from abuse to financial frauds to cyber espionage. While large enterprises are ploughing more resources into digital security, it is the small enterprises and individuals that are falling prey to cyber crime, as evinced by the increasing number of complaints on consumer complaint forums.


The low levels of computer security are also apparent in recurring statistics that show that India is the third-largest generator of spam worldwide, accounting for 35% of spam zombies and 11% of phishing hosts in the Asia-Pacific-Japan region. Over 6,000,000 computers were part of bot NWs. India ranked first in the Asia-Pacific region and contributed 21% to the regional total. A continuing trend for Internet users in India was that of the threat landscape being heavily infested with worms and viruses. The percentage of worms and viruses in India was significantly higher than the Asia-Pacific regional average. According to CERT-In, India sees an average of 788 bot-infected computers per day. With regard to web-based attacks, India has seen a significant increase and has ranked seventh, with 3% of the world attacks, and second in the Asia-Pacific region.

2.4.3 Cyberterrorism

Cyberspace has been used as a conduit for planning terrorist attacks, for recruitment of sympathisers, or as a new arena for attacks in pursuit of the terrorists’ political and social objectives. Terrorists have been known to have used cyberspace for communication, command and control, propaganda, recruitment, training, and funding purposes. From that perspective, the challenge of non-state actors to national security is extremely grave. The shadowy world of the terrorist takes on even murkier dimensions in cyberspace where anonymity and lack of attribution are a given. The government has taken a number of measures to counter the use of cyberspace for terrorist-related activities, especially in the aftermath of the terrorist attack in Mumbai in November 2008. Parliament passed amendments to the IT Act, with added emphasis on cyberterrorism and cyber crime, with a number of amendments to existing sections and the addition of new sections, taking into account these threats. Further actions include the passing of rules such as the Information Technology (Guidelines for Cyber Cafe) Rules, 2011 under the umbrella of the IT Act. In doing so, the government has had to strike a fine balance between the fundamental rights to privacy under the Indian Constitution and national security requirements.

While cyber hacktivism cannot quite be placed in the same class, many of its characteristics place it squarely in the realm of cyberterrorism both in terms of methods and end goals.

2.4.4 Cyber Espionage

Instances of cyber espionage are becoming quite common, with regular reports of thousands of megabytes of data and intellectual property worth millions being exfiltrated from the websites and NWs of both government and private enterprises. While government websites and NWs in India have been breached, the private sector claims that it has not been similarly affected. It may also be that theft of intellectual property from private enterprises is not an issue here because R&D expenditure in India is only 0.7% of GDP, with government expenditure accounting for 70% of that figure. Companies are also reluctant to disclose any attacks and exfiltration of data, both because they could be held liable by their clients and also because they may suffer a resultant loss of confidence of the public. As far as infiltration of government NWs and computers is concerned, cyber espionage has all but made the Official Secrets Act, 1923 redundant, with even the computers in the Prime Minister’s Office being accessed, according to reports. The multiplicity of malevolent actors, ranging from state-sponsored to hacktivists, makes attribution difficult; governments currently can only establish measures and protocols to ensure confidentiality, integrity and availability (CIA) of data. Law enforcement and intelligence agencies have asked their governments for legal and operational backing in their efforts to secure sensitive NWs, and to go on the offensive against cyber spies and cyber criminals who are often acting in tandem with each other, and probably with state backing. Offence is not necessarily the best form of defence in the case of cyber security, as seen in the continued instances of servers of the various government departments being hacked and documents exfiltrated.

2.5 NEED FOR A COMPREHENSIVE CYBER SECURITY POLICY

As in most countries around the world, the cyber security scenario in India is one of relative chaos and a sense of insecurity arising out of the periodic reports of cyber espionage, cyberterrorism, cyber warfare and cyber crime. The complexity of the issue has resulted in a virtual paralysis. Legal and law enforcement mechanisms have not shifted gears fast enough to grapple with growing cyber crime. Periodic newspaper reports indicate that a wide variety of offensive measures are being contemplated by various agencies, but that is all. The lack of a coherent cyber security policy will seriously interfere with India’s national security and economic development.

It is essential that more attention at the highest levels is paid to ensuring that cyber-related vulnerabilities that can impact on critical sectors are identified and removed. A coherent and comprehensive cyber security policy will have several major elements, including accurate conceptualisation of cyberspace threats; building of robust cyberspace through a variety of measures, including technical, legal, diplomatic, international cooperation; creation of adequate organisational structures; strengthening of PPPs; HR development; and implementation of best practices and guidelines. The list is only illustrative.

India’s approach to cyber security has so far been ad hoc and piecemeal. A number of organisations have been created but their precise roles have not been defined, nor has synergy been created among them. As it transcends a vast domain, this falls within the charter of the NSCS. However, there appears to be no institutional structure for implementation of policies. Neither the private sector nor government has been able to build information systems that can be described as reasonably robust. There has not been enough thinking on the implications of cyber warfare.


Meanwhile, many countries are seriously engaged in attending to their cyber security doctrines and strategies. The US, Russia, UK, France, Australia, Germany, New Zealand, South Korea, China, Brazil, South Africa, Denmark, Sweden, EU, Singapore, Malaysia – the list is long and growing – are actively engaged in ensuring a safe and secure cyber environment for their citizens. The international community is also engaged in a variety of discussions. NATO has taken the task of creating cyber security institutions in member countries. A group of governmental experts (GGE), set up by the UN Secretary General, gave a report in 2010 on “developments in the field of ICT in the context of international security”. The report noted that there was increasing evidence that states were developing ICTs as “instruments of warfare and intelligence, and for political purposes”. To confront challenges in cyberspace, the GGE recommended cooperation among like-minded partners, among states, between states, and between states and civil society and the private sectors.

The draft cyber security policy document put out by the DIT for public discussion is an important step but it is essentially a departmental effort, not taking a whole-of-government approach. DIT does not have jurisdiction over departments. The document lists a number of major stakeholders, including: (1) National Information Board (NIB); (2) National Crisis Management Committee (NCMC); (3) NSCS; (4) Ministry of Home Affairs (MHA); (5) Ministry of Defence; (6) DIT; (7) DoT; (8) National Cyber Response Centre (NCRC); (9) CERT-In; (10) National Information Infrastructure Protection Centre (NIIPC); (11) National Disaster Management Authority (NDMA); (12) Standardisation, Testing and Quality Certification (STQC) Directorate; and (13) sectoral CERTs. However, only CERT-In is mandated under the IT Amendment Act, 2008 to serve as the national agency in charge of cyber security. The Act also provided for a national nodal agency for protection of CII but it is not clear whether such an organisation exists other than on paper; NDMA and some others play only a peripheral role; and many of the sectoral CERTs are yet to come up. In the meantime, real oversight over cyber security may be said to be distributed amongst the Ministries of Communication and Technology, Home Affairs and Defence, and the office of the NSA.

2.6 NEED FOR A NODAL AUTHORITY

The NIB is tasked with national-level policy formulation and creation of suitable institutions and structures on Cyber and Information War (CIW). It is considered that the Secretariat of the NSC needs to be suitably structured and strengthened with the appointment of a Director General (DG) as head of CIW. To ensure the desired level of coordination, the DG must be suitably empowered and should be a person who combines a technical, operational and innovative mind with a proactive and decision-oriented approach.

The NIB as structured finds it difficult to meet frequently. It is therefore recommended that a smaller effective and flexible apex body be created to oversee and deliberate on policy and other issues in respect of CIW, with coordination and monitoring left to the DG. This apex body could constantly review the situation and institute remedial measures, where required. With experience, and confidence in delegation, it could possibly take on the role of the NIB. A suggested structure with charter of the apex and executive bodies is at Appendix 1. As these include public and private agencies, the Planning Commission’s experience, which incorporates expertise from all fields, could serve as a guide. The success of the Indian BPO industry is based on ensuring demanding security requirements of clients. This experience can usefully be adapted and harnessed. Tasked as it is, the NIB could under its powers establish this apex body and DG CS&IW office as proposed. Permanence in functioning could be ensured by the allocation of business rules.

2.7 NEED FOR AN INTERNATIONAL CONVENTION ON CYBERSPACE

Cyber security is becoming an indispensable dimension of information security. The rapid growth of ICTs has contributed immensely to human welfare but has also created risks in cyberspace, which can destabilise international and national security. Global and national critical infrastructure is extremely vulnerable to threats emanating in cyberspace. Additionally, the growth of social media (Twitter, Facebook, etc.) has created a new medium for strategic communication that bypasses national boundaries and national authorities. The global data transmission infrastructure also depends critically on the NW of undersea cables, which is highly vulnerable to accidents and motivated disruptions.

The UNGA resolution of 8 December 2010 (A/RES/65/41) deals with the impact of ICT on international security. The underlying concern is that ICT should not be used to destabilise international peace and stability.

Given the positive as well as negative potential of cyberspace, there has been talk of devising an international convention on cyber security which would ensure that states behave responsibly in cyberspace. There already exist several international conventions (chemical weapons convention, biological toxins and weapons convention, NPT, etc.) and a body of international humanitarian law (Geneva and Hague conventions) from which inspiration to draw up a cyber warfare convention can be drawn.

A pressing question to be considered in the current unpredictable cyber scenario is the following. Should India actively engage itself in international efforts in framing a treaty or drawing up a framework of coherent cyber laws? Or, alternatively, should it wait till its own cyber capabilities mature to a level that they are beyond the ambit of control regimes that may evolve as subsidiaries of a proposed cyberspace treaty?

Such a question has faced decision-makers right from the missile to nuclear technology control regime eras.


Opponents of a cyberspace-related treaty argue that even though the international efforts for harmonisation of international legal frameworks for cyberspace do not refer to technology control regimes in their current manifestations, it would be just a matter of time before ancillaries/corollaries of such a treaty may emerge which would be based on technology control regimes; and signing such a treaty would result in undermining national sovereign interests. Similar arguments are brought up in respect of the European Convention on Cyber crime, specifically Article 32, which, countries like Russia maintain, undermines their sovereignty.

The argument is that such treaties are biased in favour of the requirements of the major international players/powers and that India should stay aloof from such exercises till its own cyber capabilities mature to a level that they are beyond the ambit of control regimes. But this type of isolationist approach is extensively dependent on a capability maturity model, and derives little or no benefit from the opportunities that can be capitalised on by following an engagement model towards these treaties and conventions.

On the other hand, most of these cyber treaties are currently in their infancy and are undergoing development at various tier 2 and tier 1 forums. If at this stage India proactively engages with the international community in drafting these cyber treaties and conventions, and capitalises on this opportunity by moulding these cyber treaties and conventions to suit its sovereign interests, then the benefits achieved by the engagement approach would, without doubt, outweigh the potential outcomes of an isolationist approach.

Can there be a convention to govern cyber warfare, cyber weapons, use of force in cyber warfare, prevent cyber crime, etc.? As debate on these issues goes on, there is as yet no convention governing cyberspace. One idea that has been mooted is that critical systems like those of schools and hospitals should be protected from attacks in cyberspace, as attacking them would be tantamount to violating international humanitarian law. It is a separate matter whether such information systems can be marked for protection and whether the source of attack can be identified and sanctioned.

A cyber convention would be unlike existing conventions in many ways. This is because in cyberspace attribution and identification are extremely difficult and identities can be easily masked. Cyber attacks also typically involve systems located in many countries. Often, cyber attacks are silent and go unnoticed for long periods.

UNGA has regularly passed resolutions on information security. Information security summits have been held in which cyber security has also been discussed. Several regional initiatives like the European Convention on Cyber crime have been in existence for decades. These efforts can be consolidated in the form of a cyberspace convention. The key issues for consideration for a possible cyberspace convention would be:


National critical infrastructures should not be harmed.

Secure, stable and reliable functioning of the Internet should be ensured.

A common understanding of Internet security issues should be evolved.

National governments should have the sovereign right to make national policies on ICT consistent with international norms.

A global culture of cyber security based on trust and security should be encouraged.

The digital divide should be overcome.

International cooperation should be strengthened.

PPP should be encouraged.

CIA of information systems should be ensured.

Balance between the need to maintain law and order and fundamental human rights should be maintained.

Such a convention would also define more precisely what constitutes a threat in cyberspace and what would be the basic principles of information security. It would have many don’ts, as for instance the obligations on states not to take any overt or clandestine measures which would result in cyber warfare. It would also need to define what the use of force in cyberspace would mean and in what circumstances such force can be used, if at all. How would a state react if it is subjected to cyber attacks by a state, or a non-state actor, or by a combination of the two? Given the nature of cyberspace, where attribution is difficult, these prohibitions will be hard to define and even harder to agree upon.

Arriving at a cyberspace convention would prove highly contentious. Yet, in India we need to debate openly the merits and demerits of the international law on cyberspace. Is such a convention possible at all? An Indian view needs to be evolved.


CHAPTER 3

PREPARING FOR CYBER WAR

3.1 THE NEED TO BE PREPARED

The growing threat of cyber warfare has not been well appreciated or sufficiently understood. Cyber warfare is a term that has been loosely used to describe almost all events in cyberspace, irrespective of perpetrator, motive or scale. Cyber warfare forms a part of Information War (IW), which extends to every form of media, and inter alia includes aspects of propaganda and perception management. Cyberspace, though technically restricted to the Internet, is now increasingly linked by convergence to every communication device. With greater connectivity, this divide is narrowing and every citizen or aspect of life is vulnerable. It is also an important constituent of NCW. The cyber realm, like the universe, is expanding and it is estimated that by 2015 there will be almost double the number of devices connected to the Internet as there are people. The scope for exploitation by inimical elements, ranging from mischievous hackers, to criminals, terrorists, non-state actors as also nation states, is thus unlimited. The damage could be immense and many countries are pressing ahead and taking steps to build capabilities and capacities for defending themselves, as also taking offensive action in cyberspace.

The United States was the first country to formally declare this as the fifth domain of warfare after land, sea, air and space. It has also formally classified the use of cyberspace as a “force”, a euphemism for offensive capability. The Chinese adopted the concept of “informationalisation” in the mid-1990s and have relentlessly built up structures and operations in this domain. Consequent to the raising of the US Cyber Command (USCYBERCOM), South Korea followed with the creation of a Cyber Warfare Command in December 2009. This was also in response to North Korea’s creation of cyber warfare units. The British Government Communications Headquarters (GCHQ) has begun preparing a cyber force, as also France. The Russians have actively been pursuing cyber warfare. In 2010 China overtly introduced its first department dedicated to defensive cyber warfare and information security in response to the creation of USCYBERCOM. The race is thus on.

India is a target. There have been numerous incidents of sensitive government and military computers being attacked by unknown entities and information being stolen. The frequency and intensity of such episodes is increasing. There is enough evidence to suggest that this is the action of nation states either directly or through proxies. There have also been cases of offensive action such as reports of shutting down of power systems. Such attacks on critical infrastructure either singly or in multiples are of serious concern, especially with respect to national security. The draft National Cyber Security Policy (NCSP) mainly covers defensive and response measures and makes no mention of the need to develop offensive capacity. This is a must if we are to ensure capability for self-defence granted under Article 51 of the UN Charter. This leads to the question: what is cyber warfare?

In the absence of a formal definition of cyber warfare, we may define it as “actions by a nation-state or its proxies to penetrate another nation’s computers or networks for the purposes of espionage, causing damage or disruption”. These hostile actions against a computer system or NW can take two forms: cyber exploitation and cyber attacks.

Cyber exploitation is in a manner non-destructive and includes espionage. It is usually clandestine and is conducted with the smallest possible intervention that allows extraction of the information sought. It does not seek to disturb the normal functioning of a computer system or NW. The best cyber exploitation is one that a user never notices. These are silent and ongoing, and as mentioned earlier, have shown an upward trend.

Cyber attacks on the other hand are destructive in nature. These are deliberate acts of vandalism or sabotage – perhaps over an extended period of time – to alter, disrupt, deceive, degrade, or destroy an adversary’s computer systems or NWs or the information and programs resident in or transiting these systems or NWs.

Actors in both types of activities cover a wide range, as mentioned earlier. Of these, nation states and their proxies are of the greatest concern. For easier understanding, the domains of cyber warfare may broadly be classified as:

3.1.1 Espionage

Intelligence gathering and data theft. Examples of this were Titan Rain and Moonlight Maze. These activities could be by criminals, terrorists or nations as part of normal information gathering or security monitoring.

3.1.2 Vandalism

Defacing web pages or using DDOS to take them down. Such actions were evident in Estonia or Georgia.

3.1.3 Sabotage

This has the most serious implications and includes DDOS, destruction of data, insertion of malware and logic bombs. It also encompasses actions in war such as those taken for preparation of the battlefield.


3.2 FIFTH DOMAIN OF WARFARE

The cyber warfare that this section addresses is that which is practised mainly by nation states or their proxies. The potency of this threat has compelled almost every country to develop capabilities in the cyber domain, as is the case for land, air, sea and space. According to Spy Ops, by the end of 2008 nearly 140 countries possessed varying degrees of cyber attack capabilities. In addition, an unknown number of extremist groups and non-state actors have developed or acquired cyber weapons. Some commercially available products are flexible enough to be classified as dual-purpose – security testing tools and weapons of attack. Thus some organisations have or are developing cyber weapons and cloaking them as security testing tools. All this is classified information and each nation works on its own. An assessment of cyber warfare threat matrix by the USA, which covered over 175 countries and organisations, made a watchlist in which the top ten in order of priority were: China; Russian business NW; Iran; Russia tied with France; extremist/terrorist groups; Israel; North Korea; Japan; Turkey; and Pakistan.

India on its growth path is vulnerable. Located in an unstable region where the larger neighbours possess this capacity, it is logical to assume that the country is under serious threat and constant attack. The impact on national security is thus serious and such that all institutions and organs of the state must jointly work to counter this challenge. In order to understand the challenge, the following issues need to be addressed.

3.2.1 Coordination

It is appreciated that in keeping with current needs, the Defence forces, DRDO, NTRO, CERT-In, RAW, IB, C-DAC, Ministries, NIC, NASSCOM, private industry et al. have to work in concert. The impact of this on every aspect of electronic media requires a coordinated and integrated approach. Given its all-encompassing nature, it also follows that control of all cyber and IW activities at the national level must fall under the purview of the NSC and be controlled by its Secretariat, i.e. the NSCS, as mentioned in Chapter 2. Within this, lead agencies for executing offensive cyber operations inter alia could be the NTRO, CIDS and the DRDO.

3.2.2 Defining Objectives and Doctrine

Application of such measures must be in accordance with clearly defined objectives that would be in keeping with customary international law and practice. The primary objective would be to garner knowledge to find how systems are breached and thus provide the ability for defensive measures to be developed and put in place. There is a further argument that it must be visible as an armour of self-defence so as to deter an attack. While this capability will be ambiguous, subtle signals and clear definition of objectives will lend credibility. Moral arguments stand thin in the face of realities. There is therefore a need to lay down the objectives and include them in the draft NCSP or issue a doctrine in this regard.

3.2.3 Proactive Cyber Defence

This comprises actions taken in anticipation to prevent an attack against computers and NWs. As opposed to the current practice of passive defence, it provides a via media between purely offensive and defensive action: interdicting and disrupting an attack, or an adversary’s preparation to attack, either pre-emptively or in self-defence. Proactive cyber defence will most often require operationalising upstream security mechanisms of the telecommunications or Internet providers. The most compelling reasons for a proactive defence can be couched in terms of cost and choice. Decision-makers will have few choices after an impact, and all of them are costly to start with. Proactive defence is thus the key to mitigating operational risk. The USA had set up a Proactive Pre-emptive Operations Group (P2OG) in 2002. Such actions thus find international acceptability.

3.2.4 Critical Infrastructure

There is a need to prioritise and protect critical infrastructure. In the USA 18 sectors have been identified. In India’s case, the sectors of power, water supply, communications, transportation, defence and finance are vital constituents of national security. These need to be defined and suitable protection measures ensured as laid down in the IT Act. Steps to guard against threats, i.e. destructive actions or cyber exploitation will constitute a basis for research on offensive action. The electric power system merits top priority. While the risk of an attack can be reduced, it would be unrealistic to assume that an attack can be prevented. This leads to the conclusion that containment, isolation, minimising the impact, backup systems and reactivation are areas of capacity building. The debate on which agency will undertake this in India rages and begs immediate resolution. As critical infrastructure spans both the public and private domains, the organisation to ensure its protection has to be in the public realm and, in a manner, accountable.

3.2.5 Legal Provisions

The IT Act of 2008 covers all actions in this domain. Sections 69, 69A and 69B contain provisions for intercepting, monitoring or blocking traffic where, amongst other reasons, there is a threat to national security. Section 70A covers protection of critical infrastructure. There is a need to work within these provisions. LOAC provide the primary legal framework within which one can analyse constraints for offensive cyber operations. Immunity for actions taken against another nation, institutions, hostile group or individual is possible if taken under LOAC or for self-defence under Article 51 of the UN Charter. The cyber realm, with scope of non-attributable actions as also ease of deniability, provides immense scope for exploitation. The fact that there are no international cyber laws or treaties at present is also used to advantage. Offensive cyber operations by their very nature have to remain in the grey realm and restricted. Each nation would thus determine the structure best suited to its needs. However, the necessity to clearly enunciate such measures or self-defence actions in a doctrine as also the NCSP is essential for steps in this regard; it also acts as an element for deterrence. The emphasis must remain on protecting NWs, systems and users.

3.3 MEETING THE CYBER WARFARE CHALLENGE

Cyber warfare encompasses government and public and private domains. As clarified earlier, this must be coordinated by the NSCS. In the USA it comes directly under the White House. Thus the need to create a Directorate or Special Wing in the NSCS for this as proposed in Chapter 2. It would oversee and coordinate both defensive and offensive cyber operations. There is also a requirement for intimate involvement of the private sector, as they are equal, if not larger, stakeholders. Regular meetings must be held and, if needed, working groups created. Current organisations which could be tasked to take on the cyber warfare challenge include the NTRO, HQ IDS, DRDO, RAW and IB. Representatives of CERT, NASSCOM, etc. will invariably be involved. Each would have to function under guidelines and through proxies.

3.3.1 Raising of Cyber Command

While cyber warfare is an ongoing activity during peacetime, there is a dire need to develop this capacity for a warlike situation. Cyber warfare in a manner is NCW and will form an essential part of preparation of the battlefield in any future conflict. Such attacks may also precede the kinetic war. Building this capability will take time and must remain covert and ambiguous. It could also form part of the strategic deception process. This should be the responsibility of the Armed Forces (HQ IDS) along with the DRDO and other experts. Detailed discussions and consultations in this regard require to be initiated.

India must raise a Cyber Command. This will comprise not only the three services but personnel from the DRDO and scientific and technological community. It could work with the space command because many aspects overlap and would economise on resources. It will oversee all activities undertaken during peacetime, as also plan for offensive cyber operations as required, to include preparation of the battlefield. It must work in close concert with the NTRO. To determine the structure it would be prudent to study the mission and objectives of USCYBERCOM as a guide.

USCYBERCOM plans, coordinates, integrates, synchronises and conducts activities to: “direct the operations and defense of specified Department of Defense information NWs and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” The Command is charged with pulling together existing cyberspace resources, creating synergy and synchronising war-fighting effects to defend the information security environment. It comes under the Strategic Command, which also has the Space Command as a constituent. A similar structure for India could be considered, especially as the US has evolved its structure based on experience and also because it functions as an open democracy. India already has the Strategic Forces Command, which could be augmented with both Space and Cyberspace Wings. These may be of smaller size to start with, and will develop in accordance with threats and needs. Each service has its own requirements. The structure therefore has to be need-based and flexible. The various elements of this could be:

· Army, Navy and Air Force CERTs

These would monitor traffic, disseminate information, ensure remedial measures to ensure ongoing security to NWs and systems. They would also in a manner be charged with protection of critical infrastructure of each service, i.e. communication backbone, power systems, high-priority NWs, et al. The structure thus envisages a Defence CERT which works in concert with each service CERT.

· Intelligence and information operations

A Defence Intelligence Agency exists under HQ IDS. Its cyber and information operations elements could work with this command. Intelligence gathering is an accepted reality and cyberspace possibly provides the best scope for this as also information operations.

· Defence communication NWs

Each service has its special requirements and own communication directorates. Joint operations, strategic communications as also high-security NWs need to be coordinated under HQ IDS and the proposed Cyber Command.

· Cyber operations which are required for preparation of the battlefield.

This again would be a tri-service organisation, with additional experts from the DRDO or any other such institution. This would include R&D.

3.3.2 Territorial Army (TA) Battalions for Cyber Warfare

While cyber warfare is ongoing, there are periods of heightened threat. A recent example was the Commonwealth Games, when NWs were subjected to attacks. There is therefore need to create and maintain a “surge capacity” for crisis or warlike situations. Young IT professionals constitute a vast resource base and a large number would be willing to loyally serve the nation when required. This resource must be capitalised by raising of cyber warfare TA battalions similar to those for Railways and ONGC, which could be embodied when required. In addition to purely “defence” requirements these could also provide for protection of critical infrastructure.

3.3.3 Perception Management and Social NWs

In the current age of “democratisation” or “instant availability of information” and growth of social NWs, there is tremendous scope for perception management and manipulation of information. The year 2011 saw extensive use during the “Arab Spring” and London Riots. This media is seen as a potential tool for psychological and no-contact warfare and must form part of any offensive or defensive action. All this requires central coordination and study with respect to national security.

3.4 CAPACITY BUILDING

Capacity building is vital. It must also be sustainable and of larger benefit. There is a need to create an R&D base and institutions. Growth forecasts of Internet usage, especially with e-governance, will create an employment potential for “cyber doctors” and sleuths. Just as the terrorist attack on Mumbai in November 2008 created a whole new dimension of requirement of physical security, protection of Internet usage and transactions will create millions of jobs in the near future. It will be a seller’s market for which India with its HR base must be ready. Consequently, the government must accelerate this process. Some thoughts in this regard are:

3.4.1 Partnerships

India cannot go it alone. Various past attempts have not been of much success. It has to be seen as a global issue and capacities developed.

3.4.2 HR and R&D

DIT has set up the Information Security Education and Awareness (ISEA) programme with funding of Rs 100 crore. Other options which need to be considered are government and public and private institutions. The Chinese models could be studied in this regard. They set up four universities for this purpose in 1999. Security of data for the BPO industry has brought up the necessity for such institutions. Talent spotting with competitions is an easy option. Programmes and competitions such as “Cyber Patriot” need to be followed up in schools and educational institutions. These could be self-financed. Army Training Command (ARTRAC), as also the other two services, must take the lead in partnership with the private sector.

3.4.3 Testing and Certification

The outsourcing model has affected testing and certification. Hardware and HR in this regard has to be Indian. This can then be adapted for proactive defence. Steps taken by DIT need to be implemented.

3.4.4 Language Training

HR trained in language of our potential adversaries is a must. This must be provided suitable incentives and permanence of employment.

3.4.5 Legal Capital

Legal aspects of developing capacities, understanding use of cyberspace as a “force”, implications of the UN Charter, negotiating international laws and treaties – all of this needs trained personnel. While the legal aspects are covered in a separate section, expertise with respect to cyber warfare needs special attention.


3.4.6 Understanding Vulnerabilities

Study of vulnerabilities both of own systems as also those of potential adversaries must be undertaken to prevent intrusion and exploit weaknesses.

3.4.7 Identification of Technologies

There is a need to identify technologies in this regard. Section 4.2.3 of the Draft NCSP mentions these. These should also include isolation of NWs within the country, close monitoring of gateways and backbone, identification of “zero day” vulnerabilities, protection of power grids, secure communications for defence and critical services, penetration, et al.

3.5 SUMMARY

Understanding the threat of cyber warfare and developing capacity for offensive actions in this domain is a sine qua non. Nations, non-state actors, terrorist groups and individuals pose a challenge to growth, which is increasingly going to be dependent on the cyber domain. Cyber warfare will also be central to any hostile or conflict situation. Clearly defined objectives and national doctrine in this regard along with supporting structures and matching capabilities are thus inescapable.


CHAPTER 4

CRITICAL INFORMATION INFRASTRUCTURE PROTECTION THROUGH PUBLIC-PRIVATE PARTNERSHIP

4.1 THE NEW CONTEXT FOR PPP IN NATIONAL SECURITY

National security has traditionally been the sole responsibility of governments. But as the world has moved into the information age, with increased dependence on information infrastructure for production and delivery of products and services, the new responsibility of securing the critical information infrastructure (CII) against the rising number of cyber attacks has come within the ambit of national security. This new responsibility is not, however, solely that of government; and the private sector has a major role to play since more and more CII is owned and operated by it. DIT has identified such critical IT-dependent infrastructure, namely Defence, Finance, Energy, Transportation and Telecommunications.

The IT Act, 2000, as amended in 2008, provides for protection of CII under section 70A. The government will designate an organisation as the national nodal agency for CII protection, which will be responsible for all measures to protect CII. In fact, the concept of protected system, under section 69, has been there in the Act since 2000. However, no system of the government has probably been declared as protected so far.

As of now the government has not declared the nodal agency for CII protection. As and when such an agency comes into being, it will create the framework and rules for CII organisations.

The following analysis of some of these sectors shows that a significant part of the CII is owned and operated by the private sector in India:

· The telecom sector is mostly governed by private players, except MTNL and BSNL. The global undersea cable communication infrastructure (GUCCI) is largely owned by private players.
· The banking sector, where more than 30% of the transactions are done online, and the value of these transactions is over 80% of total transaction value, has a large number of foreign and private banks.
· Stock Exchanges – The major stock exchanges BSE and NSE are private players, wherein most of the transactions are done through the electronic medium.
· The airline industry is dominated by private players, with Air India being the only government enterprise.
· Energy and Utilities – Though this sector is largely dominated by government players, the distribution in major cities is largely controlled by private partners.

Thus, the private sector is equally important when it comes to securing a nation’s cyberspace. However, the government cannot leave it to the private sector alone for securing its own CII. This is because if any cyber attack takes place on CII owned by a private company, the consequences of such an attack may have an adverse impact on the entire nation and not be restricted to the company owning the CII. For example, if there is a cyber attack on one of our national stock exchanges, it could possibly bring down the entire trade operations, impacting the economy and creating panic among investors. Therefore, there is an urgent need of appropriate collaboration and partnership between the government and the private sector for securing CII. The private sector needs to be greatly involved in government’s cyber security initiatives through various mechanisms, including PPP.

Given the foregoing background, following are some of the issues in protecting CII and recommendations for protecting CII.

4.2 INFORMATION SHARING AND COORDINATION

While CERT-In is doing an excellent job in the government sector, the same needs to be replicated for the private sector through establishment of Security Information Sharing and Analysis Centres within each of the identified private sectors, that coordinate with CERT-In and/or National Nodal Centre that may be created. Information sharing between government-to-private and private-to-private should be promoted.

In this context it is pertinent to study the effectiveness of information sharing programmes elsewhere in the world, especially in the United States, which has put in place a voluntary approach based on information sharing and PPP at the centre of cyber security policy. The difficulties they have encountered include private entities’ inability to share information because of liability, anti-trust, and business competition risks. From the government side, difficulties of sharing classified information with the private sector have been reported. It seems that many of the information-sharing activities will require even legal changes to make this programme work.

It is recognised throughout the world that the private sector follows high standards of security compared to its counterparts in the public sector, and that the latter can learn from the practices in the private sector. There should be appropriate mechanisms for the public sector to use such security practices as are followed in the private sector, for enhancing the cyber security posture and preparedness of the public sector infrastructure. Appropriate processes and structures need to be established to make this happen in our own environment.


There should be a National Command and Control Centre, which should be responsible for coordinating cyber security-related activities at the national level for both the public and private sectors and also assign roles and responsibilities.

Both the private and public sectors should coordinate within their verticals with respect to the following:

· Security Alerts and Vulnerabilities impacting their ICT infrastructure
· Tracking botnet, phishing sites, spam, malware, etc. and the steps to overcome these issues
· Sharing of best practices
· Early-watch-and-warning system
· Incident response mechanism
· Work with their respective counterparts nationally and internationally. For example, the Indian banking sector CERT should work closely with its counterpart internationally, much the same way as CERT-In does with the CERTs of other countries.

4.3 INNOVATION IN REGULATORY APPROACH

The government can intervene in protection of CII by the private sector by enacting stringent regulations (as is being done traditionally). Though regulations are necessary they should not add cost without necessarily improving security of CII. Too much of government intervention through regulations can also undermine business innovation.

In addition to enacting promotional legal framework for securing CII, the government must also create incentives for industry to invest in security of CII beyond what is necessitated by companies’ business plans. Examples of such incentives could be tax deductions and rebates on security investments, lower-cost loans for SMEs that implement best security practices, reduced liability for improved security, recognition, etc.

4.4 INNOVATION IN SECURITY PROGRAMMES

Information security is considered as one of the biggest inhibitors to business innovation. As per IDC global survey conducted in 2008, IT security risk is the single biggest inhibitor to business innovation, with more than 80% of the executives surveyed admitting their organisations have “occasionally” or “often” backed away from innovative business opportunities because of information security concerns. This could be partly because of the following issues in security programmes:

· Compliance driven: Focus of security investments, efforts and time is on compliance documentation rather than managing real risks, making the programme bulky. As per IDC, “C-level executives indicate business alignment of information security as a high priority, yet the compliance or fear driven nature of many organizations reveals the disconnect between the desired and actual state.”
· Security certification, which brings comfort factor, results in a static nature of security while security requires complete dynamism.
· The controls approach falls short of comprehending the changing threat landscape and quick aligning of organisational response. Also, such an approach hinders business innovation and, as per the IDC survey, “The majority of organizations consider themselves ‘compliance/control driven’ when it comes to security; with only 21% reporting that their security efforts are strategic, proactive and using security to enable innovation.”
· Bulky security program neglects challenges to the specific data, where security of each data element is now critical.

The government should encourage adoption of security standards/frameworks/practices that:

enable an organisation to focus on real threats in its environment;

assess the organisation’s maturity in implementing security in different areas with a view to continually improve it;

help the organisation draw a strategic plan based on evolution of different disciplines of security, and their interdependencies, with continuous focus on protecting data; and

promote dynamic and vibrant security that enables quick response to threats, vulnerabilities and actual cyber attack with compliance as an outcome.

DSCI has created such a security standard – DSCI Security Framework (DSF), which is based on a set of security principles.6

Government should recognise security standards such as DSF and encourage implementation in both the public and private sector companies.

4.5 PROACTIVE THREAT AND VULNERABILITY MANAGEMENT

The success of a security programme lies in the ability of an organisation to swiftly respond to security threats and attacks. This requires more proactive delivery of security intelligence. CERT-In may like to partner with the private sector for a focused effort to create enablers for increasing interactivity with security organisations of critical sectors for sharing the research findings and information.

6 DSF principles are as follows:
a. Visibility: consolidated view of all the data elements, understanding of environment
b. Vigilance over recent trends and threats: Strengthen defence against perennial and evolving threats, Aligns protection to address new threats
c. Coverage and Accuracy: To ensure the scope of security initiatives is extended to all the desired elements, Assures that critical vulnerabilities or weaknesses are not left unaddressed
d. Strategic, Tactical and Operational views of disciplines: structured understanding of security and defence, allocation of sufficient resources and efforts at all layers, Brings clarity in roles and responsibilities
e. Discipline in Defence: continuous discipline in defence and govern security initiatives effectively
f. Compliance Demonstration from security initiatives

Government should enhance interactivity of security organisations with national cyber security machinery, with active participation of the private sector.

4.6 PROMOTING BEST PRACTICES IN CRITICAL INFRASTRUCTURE SECTORS THROUGH GOVERNMENT FUNDING

There is an urgent need to revitalise security in the critical infrastructure sectors as they become obvious and lucrative targets of security threats. This requires significant resources and efforts. For example, SCADA systems may require a sustained nationwide security analysis centre. A programme is required to create an inventory of information assets. The sectors may not be in a position to fund the investment. For proactive defence, the government needs to intervene to fund implementation of security practices in these sectors.

Government should initiate a special drive of implementing practices in the critical infrastructure sectors and provide necessary budgetary support for such implementation.

4.7 ASSESSING AND MONITORING SECURITY PREPAREDNESS OF SECTORS (SECURITY INDEX)

National cyber security can be measured by assessing the performance of key industry segments against the rising challenges of security. Critical infrastructure sectors, because of their increasing dependence on IT, are posing a new set of challenges to national security. Hence, it becomes necessary to develop a mechanism that assesses the preparedness of these sectors and monitors progress in their preparedness in a measurable form.

Government should establish a mechanism for measuring preparedness of critical sectors such as security index, which captures the preparedness of the sector and assigns value to it: operationalise the mechanism for routinely monitoring the preparedness.

4.8 SECURITY IN INFORMATION TECHNOLOGY SUPPLY CHAIN

IT supply chain, in its reach and characteristics, reflects a high level of globalisation. In fact, that has been one reason for the success and continuous growth of the Internet. Innovations of technology, products and services, with components such as chips, tool sets, operating systems, databases, applications, and so on have ensured that no single country can claim to innovate, design, test, manufacture, operate and maintain hardware and software products and services. A veritable global chain has emerged – the ICT Supply Chain. This poses a critical challenge for obtaining assurance over the security of the product and services being outsourced to, and procured from global technology providers. With increased dependency on cyberspace, increased concern about cyber threats, and increased appreciation of the globalisation of the development, manufacture, and maintenance of ICT systems, fears have grown that adversaries will taint the supply chain to engage in espionage. They might introduce hidden malware, and change functionality of products and services with a view to give their own countries advantages that are difficult to gain otherwise. For example, a service could be disrupted at critical junctures, or kill switches may be planted to disable a CII organisation. Addressing such threats is a major concern of governments around the world. From the Indian perspective, there is need to pay attention to two types of concerns:

· Concerns with respect to global products

Concerns with respect to vulnerabilities in products offered by global technology providers, which are deployed in critical sectors.

· Services delivered from offshore

Concerns with respect to services being offered from the country to the rest of the world, like application code development offered by Indian companies.

A pragmatic policy environment, adequate partnership with industry, technical competence and focused initiatives are required. DIT may undertake a focused program for security assurance in the ICT supply chain. The first requires setting up of testing labs; the second requires a joint effort of DIT, in partnership with NASSCOM and DSCI, to assure secure delivery of services from India.

The Government should incorporate IT Supply Chain Security as an important element of e-security plan to address security issues.

4.9 TAKING LEADERSHIP AND PARTICIPATING IN INTERNATIONAL EFFORTS

The Government of India should take leadership in international efforts and cooperation for cyber security as many cyber attacks on CII originate from foreign countries. For example, India could lead an international co-operation that makes a nation responsible for the actions in cyberspace of individuals who are resident in its territory. A good example of similar effort is the Financial Action Task Force (FATF). FATF began as a group of nations opposed to money laundering. They established practices and rules for banks and for banking authorities to make money laundering more difficult. Nations that did not comply faced greater difficulty in participating in the global financial NWs – higher costs, longer delays, more impediments. A similar approach to nations that tolerate cyber crime could be to make it more difficult for them to connect to the global NW, or to have their national NWs face additional scrutiny and impediments. These constraints would not be foolproof but they would increase the cost to nations that act as sanctuaries and provide incentives for changed behaviour.7

7 James Andrew Lewis, The Cyber War Has Not Begun, Center for Strategic & International Studies, March 2010.


4.10 R&D IN SECURITY

Cyber security demands creation of key capabilities in the nation that can help raise strength of deterrent, proactive and reactive measures. The extent of investment in R&D can prove an important differentiating factor in the cyber world. However, this requires close participation of private industry to ensure that the outcomes of the investment are converted into usable products and solutions that can stand the test of international scrutiny and capture the global markets. The government, apart from working with academic institutions, should fund security research projects in the private sector. This requires adequate budgetary arrangement, effective techniques for management of research projects, and enabling mechanisms for engaging the private sector. Some of the grant conditions are difficult to fulfil.

Government should promote R&D in private industry through active government support for industry-led research projects in the areas of security: establish enabling mechanisms to facilitate this.

4.11 CAPACITY BUILDING IN SECURITY SKILLS AND TRAINING AND AWARENESS

The Government should focus on creating a workforce of security professionals in the country, keeping in view the requirements of the future. This would require introducing security-related courses in formal education in engineering courses, and postgraduate courses such as MCA, M.Tech and MBA. Simultaneously, specialised security courses should be designed for the working professionals.

On the other hand, there is continuous need for providing training and education to the professionals working in the critical sectors – both specialised training and general awareness, depending on the work profile of the professionals.

The scope and extent of security training initiatives and outreach programme, undertaken under the leadership of CERT-In, should be expanded to cover other cities and private industries. This will improve access of regional establishment and private sectors to the skill improvement programme and ensure their participation in cyber security initiatives. Organisations like DSCI can partner with the government for expanding the scope of the programme, arranging experts from industry and sustain delivery of the programme. PPP model should be explored for taking security to the regions and industry sectors. This will require creating enablers to engage private organisations like DSCI. These institutions will augment the capability of CERT-In by setting up training programmes, develop content, arrange experts, and develop training platforms. Apart from capability enhancement, they will also ensure sustained delivery of the programme.

4.12 PPP IN CYBER SECURITY

Some of the possible areas for PPP are:


4.12.1 Capacity Building in the Area of Cyber Crime and Cyber Forensics

Such capacity building can take place in terms of infrastructure, expertise and availability of HR and cooperation between industry, law enforcement authorities (LEAs) and judiciary. A successful example is the Cyber Labs Programme run by DSCI, which got a boost with the support of the DIT for opening a cyber lab in Kolkata, and augmenting the existing infrastructure of Mumbai, Bengaluru and Pune cyber labs. This programme is further poised to become a full-fledged Cyber Forensics Programme for which a proposal is under consideration of the Union Government.8

4.12.2 Developing Security Expertise for Protection of CII

Security expertise for protection of CII could be developed by providing hands-on training to professionals, especially from the government sector, who are responsible for safeguarding such infrastructure by utilising the expertise available within the private sector. DSCI has been working with CERT-In to provide security training to government and public sector units, and organisations that fall under the definition of CII. More than 700 officials from different government departments and organisations across the country have attended these training sessions.

4.12.3 Imparting Education and Awareness

Imparting education and awareness is necessary, because no amount of education and awareness is enough and there is a continuous need for PPP in all sectors of the Indian economy. DIT and NASSCOM jointly funded a project “Cyber Security Awareness Program”, which was executed by DSCI, wherein a number of events, conferences, seminars and workshops were organised to create awareness amongst different stakeholders in cyber security, including security professionals, government employees and children.9

4.12.4 Developing Approaches, Best Practices and Standards

Approaches, best practices and standards need to be developed based on international standards to protect CII (e.g. GUCCI, SCADA systems, etc.). This can be achieved by creating an expert group having representation from both the public and private sectors. For example, international efforts are being made for protecting GUCCI (by global think-tanks like EastWest Institute), as over 99% of intercontinental communications traffic is carried through GUCCI and 95% of these cables are privately owned and maintained. Such groups can also act as an agency for information dissemination and information sharing. For example, such a group can spread the learning of Stuxnet attack in industries that use SCADA systems.

8 Till date, around 9000 police officers have been trained through this programme. Also, DSCI has developed a Cyber Crime Investigation Manual to help police officers in cybercrime investigations using cyber forensic tools and standard operating procedures. NASSCOM and DSCI have also signed a Memorandum of Understanding with the CBI to establish collaboration between law enforcement agencies and the Indian IT industry.

9 Under this project, computer-based training in different areas of data protection such as Internet security awareness, privacy, etc. was also created. To create a platform for sharing knowledge on data security and privacy, this programme created 10 E-security forums across 10 major cities in India. Currently, more than 1000 security and privacy professionals are members of these forums.

4.12.5 Bringing Innovation through R&D

This can be done with the government funding the private sector for conducting research in the area of cyber security.

4.12.6 Taking Leadership and Participating in International Efforts on Cyber Security

Participation in international efforts on cyber security could be through global think-tanks and institutes such as EastWest Institute, where government officials, NASSCOM and DSCI are part of the global conferences and NASSCOM/DSCI will be hosting the 3rd EWI Global Cyber Security Summit in Delhi in 2012, which will be attended by top government, industry and technical experts from different countries.

4.12.7 Strengthening Telecom Security

Strengthening telecom security is a pillar of cyber security, especially through development of standards and establishment of testing labs for telecom infrastructure (equipment, hardware).

4.12.8 Collaborating in Specific Areas

Such areas for collaboration could include reduction of spam, malware, etc. A relevant example is the report released by the EastWest Institute and the Internet Society of China on “fighting spam to build trust”. This is the first joint China-United States report on cyber security. Spam, which comprises as much as 90% of all email messages carried in NWs, irritates end-users, clogs NWs, and carries the malicious codes used by hackers for fraud and other crimes. To fight spam, the experts made two key recommendations: first, the creation of an international forum to deal with spam; second, that NW operators, ISPs and email providers follow mutually agreed best practices.10

10 http://www.ewi.info/fighting-spam-build-trust


CHAPTER 5

HARMONISING THE NATIONAL LEGAL REGIME WITH THE INTERNATIONAL LEGAL REGIME

5.1 AREAS FOR INTERVENTION

Cyberspace has become, in present times, the fifth common space, along with land, air, space and sea. Technology has grown rapidly, and law has not been able to keep pace. Since the Internet and crimes committed thereon are not limited by geographic or territorial boundaries, it is becoming increasingly imperative that an effective mechanism be set up to curb the rampant growth of crime and terrorism online, by means either of an international legislation in this regard (which may be in the form of modifying existing legislation to suit cyberspace, or by way of setting up international agencies under the aegis of the United Nations to deal specifically with cyber crime and cyberterrorism) or to ensure international cooperation to achieve the end of harmonising existing national and regional cyber crime legislation to create a seamless, borderless cyberspace.

India was the 12th nation in the world to legislate on cyber law, adopting an IT Act, and has also brought about amendments to the Indian Penal Code (IPC) and the Indian Evidence Act to aid in cyber crime investigation. The government has made efforts towards putting in place an NCSP that addresses several areas related to cyber security, particularly incident response, vulnerability management and infrastructure security.

This chapter seeks to highlight some of the areas in which more regulatory and legislative intervention is needed in order to give a detailed perspective on harmonising the national laws with the international legal regime.

5.2 LEGAL RESPONSES

In the absence of international legislation to curb the ever-increasing threat posed to the world at large by cyberterrorists, it has been proposed that existing legislation be modified to some extent and adopted at an international level. Two probable methods of doing so were: either to apply the Council of Europe Convention on Cyber crime at an international level; or to apply LOAC to Cyberterrorism.

5.3 EUROPEAN CONVENTION ON CYBER CRIME

The European Convention on Cyber crime is aimed at harmonising national cyber crime laws within the EU. Signatories to it numbered 34 in November 2001; as of December 2009 it had been signed by 46 states and ratified by 26.

Argentina, Botswana, Egypt, Nigeria, Pakistan and the Philippines, among others, have modelled parts of their legislation on the Convention without formally acceding to it. But compared to global standards, the number and speed of signature and ratification has remained an issue.11 The convention was drafted mostly by and for European states, and is also now somewhat outdated.12

The treaty has been criticised as being fundamentally unbalanced. It includes sweeping powers of computer search and seizure and government surveillance of voice, email and data communications, but has no correspondingly detailed standards to protect privacy and limit government use of such powers.13 Another concern has been that law enforcement interests have dominated the drafting process from the outset, and 19 drafts were completed before it was released for public comment. The Council of Europe has made little effort to address the concerns of other stakeholders in the process.14 The problems relating to the definitions of terms in the treaty, privacy issues, and the investigative powers raise many concerns, including from India. In this light, the Convention is considered as largely symbolic; its long-term effectiveness has been brought into question on numerous occasions. Overall, it leaves too many loopholes in terms of the lack of definitions and inconsistencies that will allow criminals to continue to commit criminal offences. India chose not to emulate the convention because it would have introduced a completely alien legal framework into the Indian legislative process.

Current international law can be applied to cyber warfare if cyber warfare is viewed as involving the use of a new technology to gain military advantage. The concept of warfare is no longer restricted to armed attack in the traditional sense of the term. The crippling of critical information systems of a country, or cyber attacks that block government websites for a few hours, are also now being considered as methods of gaining military advantage. This only emphasises the pressing need for an international regime to check cyber crime and cyberterrorism. There would, however, be a corresponding need to also expand the definitions of key terms in international law such as sovereignty, use of force, armed attack, and combatants, so as to apply them in the cyber context.

11 http://www.unodc.org/documents/crime-congress/12th-CrimeCongress/Documents/A_CONF.213_9/V1050382e.pdf

12 http://www.stlr.org/2010/03/a-global-convention-on-cyber crime/

13 http://www.crime-research.org/library/CoE_Cyber crime.html

14 Ibid.


While LOAC seems the most suitable existing international regime that might be extended to cyberterrorism and cyber crime, it also has a large number of limitations, as mentioned earlier, and would most likely not serve as an effective means of addressing the pressing issue of cyber crime. Aside from these specific issues in extending LOAC to the cyber context, LOAC would also suffer from the general concerns that arise in the application of international law.

International law is merely soft law, and most countries still give supreme sovereignty to their own municipal laws, even if they are not in consonance with international law, and as such, the application of LOAC would be highly subjective and would only apply when a country so desires.

5.4 HARMONISATION OF LEGISLATION

The main obstacles in meeting cyber threats have been identified as: technical hurdles, lack of social responsibility, and inadequate international cooperation.15

While the first and second issues can be overcome by increasing investments in technology, education and R&D, the greatest obstacle remains the reluctance of states to cooperate in cyberspace. Being transnational crimes, cyber crimes can only be tackled with the combined efforts of the international community.

Regulations and cooperation agreements or the inclusion of an additional protocol on cyber crime to the Geneva Convention that may enable countries to assist each other in bringing to book offenders who use to their advantage the lack of an effective punitive mechanism are essential. The long-established national and international criminal codes were developed in an era prior to the Internet; criminal codes therefore need to be amended to create criminal offences to ensure the protection of information and communication in cyberspace. An impartial international body on the lines of Interpol can be set up to coordinate international efforts with regard to prevention of cyber crimes. Such an organisation could also act as a facilitating body in bringing about harmonisation of cyber crime legislation among the member nations.

In the last couple of years alone, a large number of countries, including Russia, Japan, Australia, USA, Canada, Ireland, Cameroon, Namibia, Kenya, Bangladesh, Jordan, UAE, Jamaica, Portugal and Norway have enacted laws relating to cyberspace or amended substantially the existing national law in this regard. Over a period of two decades, regional organisations have sought to establish uniform Internet regulations at a regional or local level, including the Council of Europe, ITU, ASEAN, OECD, NATO, Commonwealth of Nations, APEC, League of Arab States, Organisation of African States, Shanghai Cooperation Organisation and the G-8 countries.

15 Global Cyber Deterrence: Views from China, the U.S., Russia, India, and Norway, East West Institute, April 2010.

Despite the efforts made by countries and regional organisations in last 20 years, apart from a few common trends, there are considerable variations in national cyber crime legislation. The main reason for this is the variance of the effect of cyber crimes on different countries. Spam, for instance, is a bigger threat to developing countries than developed countries. Similarly, certain online content may be unlawful in some countries while others may protect it under the freedom of speech. It is therefore clear that such issues cannot be addressed at a local or regional level and it is necessary to develop a common understanding in the international community and harmonise legislation.

Consequent to the need for an effective machinery to address cyber crime in India, the IT Act, 2000 was enacted in keeping with the Model Law on Electronic Commerce adopted by the UN General Assembly in 1997. The IT Act criminalised tampering with computer source documents, hacking, and publishing of obscene information in electronic form under Sections 65, 66 and 67. These provisions were, however, found inadequate and the 2008 amendments, which came into force in 2009, widened the scope of cyber crime, criminalising a greater number of offences than its predecessor. Section 66F was the most significant as it for the first time defined and criminalised cyberterrorism, making it punishable with life imprisonment.

Amendments have also been made to the IPC to criminalise cyber offences and set out procedures and punishments for the same. However, there still is a huge gap between existing laws and the required laws to fully combat cyber threats. To bridge this gap DIT issued a Discussion draft on NCSP on 26 March 2011. It called for greater international cooperation which can be achieved through the harmonisation of national laws and enforcement procedures. Dynamic legal framework in synchronisation with technological changes and international developments in the area of information security has been pointed out as an area of priority.

5.5 CRIMINALISATION OF CYBER OFFENCES

The Preamble of the European Convention on Cyber crime laid down as its objective the prevention of action directed against CIA of computer systems, NWs and computer data as well as the misuse of such systems, NWs and data. To counter such activities the convention suggested that certain conducts be classified as criminal offences and procedural measures be introduced to investigate these crimes.

Cyber crimes usually originate from states with comparatively lenient laws and enforcement mechanisms. Domestic laws do sometimes cover electronically perpetrated crimes but are not always effective in their application and enforcement. They may provide for insufficient punishment, antiquated definitions of key elements, or words may render a provision of law inapplicable and there is always the problem of jurisdiction. Singapore is the only exception where the law provides that in the case of certain specified offences, even if an offence is committed outside its borders, courts in Singapore shall have jurisdiction to hear the same.

The key elements of effective cyber deterrence have been identified as: first, attribution (understanding who perpetrated cyber attack); second, location (knowing where the strike came from); third, response (being able to respond, even if attacked first); and lastly, transparency (being the cyber criminal’s knowledge of a state’s capability and intent to counter cyber attacks with massive force).16 These principles should be incorporated in all cyber legislation for it to be an effective deterrent. Criminalisation of illegal access, illegal interception, illegal data interference, illegal system interference, computer-related fraud and forgery are the standard provisions in most cyber laws enacted in countries around the world. However, some countries have taken stricter action and have also criminalised the production and distribution of tools (both software and/or hardware) that can be used to commit cyber crime, acts related to child pornography, “grooming” or hate speech.

Cyber law in India has been primarily developed to further e-commerce. However, elements of cyber deterrence have been introduced through criminalisation of various offences. The IT Act and the IPC have included tampering with source-code documents, hacking, publishing and transmitting of obscene electronic information, and misrepresentation of any material facts to the Certifying Authority for procuring a digital signature certificate as criminal offences. Efforts have been made by the government in this direction, but several loopholes in law still exist. Additional resources, time and efforts are needed to effectively tackle the problem. Allocation of more funds in addition to a comprehensive cyber security plan is the primary means to improve and strengthen cyber security in India. It is imperative that substantive laws dealing with illegal access, illegal interception, data interference, misuse of devices, computer-related forgery, child pornography, etc. must be implemented. Besides, procedural laws also need to be in place to achieve cooperation and coordination of international organisations and governments to investigate and prosecute cyber criminals.

5.6 NATIONAL SECURITY AND ISSUES RELATING TO PRIVACY AND FREEDOM OF EXPRESSION

The paradox is that security measures intended to protect a democracy can end up actually eroding civil liberties like individual privacy and freedom of expression that are at the heart of the democratic setup: the right balance needs to be struck between national security and civil liberties.

16 Ibid.


With various government initiatives on national security, like the National Grid, designed as an NW of 21 available databases across government and private agencies and meant to help flag potential terrorist threats and also the Aadhar programme, for issuing unique identity numbers, there have arisen serious concerns about privacy as personal data are compiled in central databases and accessed by the various government agencies. It is essential that proper amendments or necessary laws like a separate data protection/privacy legislation be put in place to safeguard against the misuse of such personal information and protect individual privacy.

Similarly, there need to be put in place proper legislative as well as procedural measures to ensure that the freedom of expression guaranteed under Article 19 of the Constitution is not compromised at the altar of national security.

5.7 INVESTIGATION PROCEDURES

Due to the peculiar nature of cyber crime, existing methods adopted by investigative agencies have been largely unsuccessful. Owing to the ease with which identities can be changed and data altered and destroyed, it becomes difficult to obtain evidence and perform investigative procedures. Specific search-and-seizure procedures, expedited preservation of computer data, disclosure of stored data, interception of content data and collection of traffic data are some of the comprehensive regional frameworks specially put in place to further cyber crime investigation.

The identification of path of packets with the help of ISPs, seizure of computers and storage media, collection of traffic data in real time, establishing jurisdiction over substantive offences and the power to collect data in real time are some of the investigative techniques that may be used by agencies.

With regard to investigative procedures, the cases that brought to light the need for the development of specific cyber crime investigative measures, the different procedures and techniques developed at regional and national levels, the provisions required by law agencies to work more effectively and differences in approach in common law and civil law countries are the key points that need to be deliberated upon to plug the existing loopholes in investigative techniques, that play a significant role in poor cyber deterrence.

The foremost challenge that cyberspace in India faces is the multiplicity of cyber offences that have led to an urgent need to place adequate tools for investigation and prosecution. The Central Forensic Science Laboratories and General Examiners of Questioned Documents at Chandigarh, Hyderabad, Kolkata and Shimla, and CFSL and CBI at New Delhi are the major computer forensic centres set up in India. In spite of the efforts of the government to set up such centres, the cyber crime fighting infrastructure remains inadequate. The fact that cyber criminals are highly educated is a huge challenge for the investigative agencies, since most investigating officers are not as technically well versed as the offenders.


The CPC only makes scientific examination conducted by a certain specified laboratory admissible. This has increased the workload, thus leading to an urgent need to substantially expand the number of the computer forensic laboratories in India. Greater investment is required in the development of training centres for law enforcement officers and upgrading police stations so they can house the essential infrastructure to investigate cyber crime. Computer forensics must be the focal point for modernisation of the police force and other investigative agencies in India. Besides, the police must work closely with both governmental and non-governmental agencies, Interpol and the public at large, to develop a comprehensive strategy to address the problems.

5.8 INTERNATIONAL COOPERATION

As mentioned earlier, international cooperation is increasingly becoming the cornerstone for the development of an effective legal framework against cyber crime. Limited number of treaties and agreements, disparity between the legislation of nations, varying policies and procedures of states act as major deterrents to the development of an effective global understanding and agreement on the subject. Extradition laws, mutual legal assistance in criminal matters, and cooperation for the purpose of confiscation are some of the legal procedures necessary to garner international cooperation.

Four main sources for international cooperation have been identified. International agreements like the United Nations Convention against Transnational Organized Crime and the Council of Europe Convention on Cyber crime are recognised as the foremost instruments to build formal cooperation among nations. Regional treaties on international cooperation, like the Council of Europe, Inter-American and Southern African Development Community conventions on extradition or mutual legal assistance in criminal matters are the second recognised source.

Bilateral agreements on extradition and mutual legal assistance containing provisions regarding the kind of requests that can be made, the modes of contact used, rights and obligations of the requesting and requested states and procedures to be followed form the third source of international cooperation. Lastly, domestic laws dealing with international cooperation, like assistance on reciprocal or a case-by-case basis, can also be used effectively.

International cooperation is seen as a very important aspect in the fight against cyber crime in India. Article 51 of the Directive Principles of State Policy provides that the state shall endeavour to promote respect for international law and treaty obligations. Article 253 empowers Parliament to make laws for implementing any international treaty, agreement or convention. The IT Act under Section 75 gives extraterritorial jurisdiction to the Act if the offence committed involves a computer, computer system or NW located in India. It shall apply to all persons irrespective of their nationality. Hence, it is essential that the government should lobby at an international level for the harmonisation of existing national legislation to ensure that laws provide a fair measure of deterrence to cyber criminals and cyberterrorists, thereby making cyberspace a safer place for national and international transactions.

5.9 ELECTRONIC EVIDENCE

The collection and admission of electronic evidence pose separate sets of challenges for LEAs. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly.17

Another challenge faced by digital forensics is that the fundamental aspects of the field are still in development. Whether it is the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas.18

Provisions concerning the handling and admissibility of electronic evidence, the analysis of different approaches used to identify electronic evidence in common-law and civil-law countries and the development of common principles are focal study points.

The Indian Evidence Act 1872 has been amended to include provisions dealing with the admissibility and recognition of electronic evidence by the courts. The various legislative amendments to accommodate and recognise the changes that the advent of the Internet has brought about are an indicator of progress with respect to the admissibility of digital evidence. Courts’ affirmative outlook towards recognising digital evidence is a step forward towards the appreciation of digital evidence. However, there is still a long way for India to go to be at par with global developments. There is an urgent need for trained and qualified experts to deal with the highly specialised field of cyber security. Also, awareness with regard to the threat to ICT infrastructure needs to be created and the necessary legal provisions to ensure cyber safety must be developed.

5.10 LIABILITY OF ISPS

ISPs with LEAs play a significant role in building trust in online transactions and making the best use of multifaceted technology. The character of cyber crime is such that even though the offender acts alone, several entities get automatically involved. For instance, sending a simple email requires the service of the e-mail provider, access providers and the routers who forward the e-mail message to the recipient. In achieving this objective these organisations are faced with the dilemma of how best to collaborate with each other to make the Internet safer without infringing the fundamental rights of users.

17 https://www.infosecisland.com/blogview/16705-Digital-Evidence-and-Computer-Crime.html

18 Ibid.


The role of ISPs is essential as it is not possible to commit cyber crime without their involvement in one way or another. But it is not always possible for the ISPs to prevent the commission of cyber crime. The point to be looked into is whether their role should be limited. The implications of the answer directly affect the economic development of the ICT infrastructure.

The discussion draft on NCSP suggests that ISPs must be closely associated in providing for secure information flow through their NWs and gateways. Legally binding agreements to support law enforcement, information security incident handling and crisis management processes are the need of the hour. Differentiating between different service providers to regulate their responsibility, limitation of responsibility and the possible areas of cooperation with LEAs to prevent cyber crime need to be analysed.

The role and legal responsibility of the NW service providers in India has been defined by the IT Act. Section 79 restricts the liability of service providers in certain cases. It provides that the service providers shall not be responsible for any third-party information or data provided by them if they had no knowledge of it or had exercised all due diligence to prevent the offence from being committed. However, these provisions shall not apply if the service provider has conspired, abetted or aided in the commission of the offence or where the ISP fails to cooperate with the government in preventing the commission of an unlawful act.

Their liability in India is also determined by Licence for Internet Services, Clause 33 and Clause 34 of which set out the various responsibilities of the service providers, some of which are:

· ISPs must prevent unlawful content, messages or communications including objectionable, obscene, unauthorised content from being carried on their NW.

· They must ensure that content carried by them does not infringe cyber laws.

· They must comply with the IT Act provisions and must assist the government in countering espionage, subversive acts, sabotage or any other unlawful activity.

· Privacy of communication online is ensured by preventing unauthorised interception of messages.

· Government can take over their equipment and NWs in times of emergency, war, etc.

The role of NW service providers is an important one and needs to be strengthened to tackle cyber crime. The draft NCSP also states that the NW services providers must play a greater role in the betterment of cyber security in the country. DoT shall provide guidelines to service providers to guarantee the uninterrupted availability and development of alternate routing in case of physical attacks on the NWs. It sets out that the ISPs must ensure compliance with international security best practices, service quality and service level agreements, keep up with changing technology, make sure that all legal obligations are complied with, and develop crisis management strategies and emergency response plans.

5.11 CONCLUSION

Cyberspace being the fifth common space, it is imperative that there be coordination, cooperation and uniformity of legal measures among all nations with respect to cyberspace. The exponential growth of cyberspace is possibly the greatest development of the current century. Unfortunately, this development has also led to the near-simultaneous growth of the misuse of cyberspace by cyber criminals and, in recent times, cyberspace has been vulnerable to a large number of attacks on crucial information infrastructure by cyberterrorists. The peculiar nature of cyberspace implies that existing laws are largely ineffective in curbing cyber crime and cyberterrorism, thus creating an urgent need to either modify existing legislation or to enact laws that are effective in checking the growing menace online. Internet security is a global problem and cyber crime and cyberterrorism are increasingly becoming a worldwide nuisance. Only international cooperation will enable the nations of the world to crack down more efficiently on cyber crime and ensure healthy development of the Internet.

Since the Internet is not limited by national geographic boundaries, it requires that any regime that is set up with regard to the Internet be one that is applicable not only to a given state, but should have global application anywhere on the Internet. To meet this end, it is the need of the hour that nations of the world cooperate and make constructive efforts to reduce vulnerabilities, threats and risks to manageable levels. Attempts that have been made so far, including the European Convention on Cyber crime or the OECD Guidelines and even the probable extension of LOAC to cyberspace are not without their respective glaring loopholes and deficiencies.

This is increasingly taking the shape of a global crisis that can only be contained by harmonising various national legislations and creating an international regime that is not a result of tweaking outdated pieces of legislation, but by proactive steps being taken by countries towards making the Internet a seamless space, not one that is a haven for terrorists due to lack of legislation, investigative agencies, enforcement mechanisms and, above all, due to lack of international cooperation.

It is time that the countries of the world, including India, realise that a well-protected cyberspace would only be an asset to developing and developed nations alike. With regard to the present legal situation in India, certain commendable advances have taken place that have placed India in a relatively strong position. However, there are still gaping loopholes not only in legislation but also investigation and enforcement that have allowed India to become prey to cyber crime.


RECOMMENDATIONS

CHAPTER 6

6.1 GENERAL RECOMMENDATIONS

· In view of the rapidly growing threats to national security in cyberspace there is urgent need for the government to adopt a cyber security policy. The government should immediately adopt such a policy so that urgent actions in a coordinated fashion can be taken to defend India’s economy and society against cyber attacks.

· Cyber security policy will necessarily be an evolving document in view of the changing nature of cyber vulnerabilities, risks and threats. The government will need to review the document periodically.

· Cyber security should be regarded as an integral component of national security. Urgent attention should be given to the issues of cyber crime, cyberterrorism, cyber warfare and CII protection.

6.2 TO GOVERNMENT

· The NSA, through NIB, should be put in charge of formulating and overseeing the implementation of the country’s cyber security policy within the ambit of a larger national security policy. This body should be serviced by the NSCS for policy measures and DIT and other departments (e.g. Telecom, space, etc.) for operational measures.

· A Cyber Coordination Centre should be established at the operational level, staffed by personnel from the relevant operational agencies. This centre would serve as a clearing-house, assessing information arriving in real time and assigning responsibilities to the agencies concerned, as and when required.

· MHA should be the nodal agency for handling cyberterrorism. To handle cyberterrorism and cyber crime, a slew of measures will be needed, ranging from monitoring and surveillance, investigation, prosecution, etc. Cyberterrorism should be regarded as a part of the nation’s overall counterterrorism capabilities. The National Counter Terrorism Centre being set up should have a strong cyber component. NIB, with MHA as the nodal agency, should be tasked with the responsibility of formulating and implementing a policy to deal with cyberterrorism. The issues of ethical hacking and immunity for defence and intelligence officers should be considered.

· MHA should also be the nodal agency for dealing with cyber crime. In dealing with cyber crime, some of the measures needed will overlap with those required to deal with cyberterrorism but extra effort will be required to ensure greater awareness, strengthening of the legal framework, law enforcement, prosecution, etc. Particular focus should be placed on awareness and enforcement. MHA, in collaboration with DIT and the Law Ministry should make a necessary roadmap in this regard.

· Headquarters IDS should be the nodal agency for preparing the country for cyber warfare in all its dimensions. The necessary structures should be created in a time-bound manner. Since cyberspace is integral there should be an appropriate interface between defence and civilian departments. NIB should smooth out the difficulties.

· NSCS should be the nodal agency for coordinating the efforts to protect critical infrastructure of the country. This will require identification of the critical infrastructure and formulation and implementation of strategies to ensure protection of each component from cyber attacks.

· DIT should be tasked with creating the necessary cyberspace situational awareness, strengthening PPP, promoting international cooperation, and other residual measures. DIT will necessarily have other nodal agencies. The interface between DIT and other agencies should be smoothed out by the NIB.

· Cyber security education, R&D and training will be an integral part of the national cyber security strategy. The government should set up a well-equipped National Cyber Security R&D Centre to do cutting-edge cyber security R&D. This Centre should be a PPP endeavour. Cyber security research should also be encouraged in public and private universities and institutions. DIT could come up with a roadmap for cyber security research in the country. The country’s strengths in ICT should be leveraged. DRDO should conduct specialised research for the armed forces and NTRO should do so for the country’s intelligence agencies.

· DIT’s CERT should be the nodal agency, much like the Met Department for weather forecasting, to create and share cyberspace situational awareness in the country. DIT should raise public awareness of risks, threats and vulnerabilities in cyberspace and how these should be managed.

· Disaster management and recovery must be an integral part of any national cyber security strategy. The DIT should be the nodal agency for such efforts. It should coordinate its efforts with NDMA and also other government departments as well as private bodies.

6.3 SPECIFIC RECOMMENDATIONS

(These recommendations deal with specific technical and legal measures to strengthen cyber security. They are being flagged in view of their criticality. They can be part of the action plans and roadmaps to be developed by NIB, NSCS, DIT, MOD, MHA, etc.)

· There is need to place special emphasis on building adequate technical capabilities in cryptology, digital signatures, testing for malware in embedded systems, operating systems, fabrication of specialised chips for defence and intelligence functions, search engines, artificial intelligence, routers, new materials, SCADA systems, etc. Cyber security should be mandatory in computer science curriculum and even separate programmes on cyber security should be contemplated.

· Emphasis should be placed on developing and implementing standards and best practices in government functioning as well as in the private sector. Cyber security audits should be made compulsory for networked organisations. The standards should be enforced through a combination of regulation and incentives to industry.

· The government should launch a National Mission in Cyber Forensics to facilitate prosecution of cyber criminals and cyberterrorists.

· International cooperation is crucial to handle cyber crime, cyberterrorism and in managing risks in cyberspace. It is necessary to participate in multilateral discussions on rules of behaviour in cyberspace. The government should also consider joining the European Convention on Cyber crime. A 24x7 nodal point for international cooperation with cyber authorities of other countries should be set up. The Indian agencies should also participate in regional fora on cyber security. Engagement of Indian cyber authorities with internationally renowned cyber professional bodies should be encouraged.

· The impact of the emergence of new social networking media, and convergence of technologies on society including business, economy, national security should be studied with the help of relevant experts, including political scientists, sociologists, anthropologists, psychologists, and law enforcement experts. It should be ensured that the issues of privacy and human rights are not lost sight of and a proper balance between national security imperatives and human rights and privacy is maintained.

6.3.1 Cyber Warfare

· Need to lay down red lines, define objectives and enunciate a doctrine.

· Flesh out a policy of proactive cyber defence with emphasis on actions taken in anticipation to prevent an attack against computers and NWs.

· Raise a Cyber Command and build up offensive capabilities.

· Create a pool of trained people such as Cyber TA Battalions who can provide “surge capacity” to bolster the country’s resources during critical periods or in the event of hostilities.

· Study the impact of social NWs with respect to national security and perception management, especially during crisis.

6.3.2 Critical Infrastructure

· Government should initiate a special drive of implementing practices in the critical infrastructure sectors and provide necessary budgetary support for such implementation.

· Develop security expertise for protection of CII by providing hands-on training to professionals, especially from the government sector.

· Government should establish a mechanism for measuring preparedness of critical sectors such as security index, which captures preparedness of the sector and assigns value to it. Operationalise the mechanism for routinely monitoring preparedness.

· Government should incorporate IT Supply Chain Security as an important element of e-security plan to address security issues.

· Government should promote R&D in private industry through active government support for industry-led research projects in the areas of security. Establish enabling mechanisms to facilitate this.

· Government should focus on creating a workforce of security professionals in the country keeping in view the requirements of the future.

· PPP model should be explored for taking security to the regions and industry sectors.

· Strengthening telecom security – one of the key pillars of cyber security, especially through development of standards and establishment of testing labs for telecom infrastructure (equipment, hardware).

· Capacity building in the area of cyber crime and cyber forensics in terms of infrastructure, expertise and availability of HR and cooperation between industry, LEAs and judiciary.

6.3.3 Legal

· Need for trained and qualified experts to deal with the highly specialised field of cyber security.

· Awareness with regard to the threat to ICT infrastructure needs to be created and the necessary legal provisions to ensure cyber safety must be developed.

· Substantive laws dealing with illegal access, illegal interception, data interference, misuse of devices, computer-related forgery, child pornography, etc. must be implemented.

· Procedural laws need to be in place to achieve cooperation and coordination of international organisations and governments to investigate and prosecute cyber criminals.

· The police must work closely with both governmental and non-governmental agencies, Interpol and the public at large to develop a comprehensive strategy to address the problems.

· Lobbying at an international level for the harmonisation of existing national legislation to ensure that such laws provide a fair measure of deterrence to cyber criminals and cyberterrorists, thereby making cyberspace a safer place for national and international transactions.

· Government must put in place necessary amendments in existing laws or enact a new legislation like a Data Protection/Privacy Act so as to safeguard against the misuse of personal information by various government agencies and protect individual privacy.

6.3.4 Miscellaneous

· Examine the impact of cloud computing and wireless technologies and formulate appropriate policies.

· Make it a mandatory requirement for all government organisations and private enterprises to have a designated Chief Information Security Officer (CISO) who would be responsible for cyber security.

· Establishment of a cyber range to test cyber readiness.

· More powers to sectoral CERTs.

· Establish an online mechanism for cyber crime-related complaints to be recorded.


APPENDIX 1

PROPOSED COORDINATION STRUCTURE FOR CYBER AND INFORMATION WAR (CIW)

1. NSA with the NSCS should be the national controlling and coordinating agency for CIW. An omnibus board could be created in the NSCS along with a CIW Executive Committee (CIWEC). These could be established by the NIB. Recommended composition and roles of these two bodies in brief is given in the succeeding paragraphs.

CIW BOARD

2. Composition

Amongst others:

(a) Chairman. NSA.

(b) Members Government. Cabinet Secretary, DG RAW, Secy DIT, Representatives (Reps) from MHA, MEA, I&B, Ministry of Power.

(c) Members Ministry of Defence. CIDS (or CDS when created) and DG DRDO.

(d) Private Sector. Chairman NASSCOM.

(e) DG CIW.

(f) Member Secretary (Secy). Dy NSA.

Notes:

i. Reps of ministries should be of a status in keeping with other members of this Committee.

ii. The Board may invite or co-opt technical or other experts as required.

iii. The Board should meet at least once a quarter or as required.

3. Charter

(a) Overall review and policy for CIW.

(b) Formulation of strategy for meeting emerging threats.

(c) Ensure necessary coordination between all public and private agencies at the national level as also monitor implementation of all aspects of CIW.

(d) Ensuring all international treaties and agreements are vetted in keeping with needs of national security.


CIWEC

4. Executive Committee

The Dy NSA who is the Secy of the Apex Body could chair the CIWEC, DG CIW will be the Secy with support from the NSCS. He will be responsible to ensure day to day coordination and follow up on all CIW issues and report to the apex body through Dy NSA. The composition of this CIWEC could include:

(a) Members Public Agencies. Chairman NTRO, DG CERT, Reps from MHA, RAW, CSIR, DIT, Public IT related services, i.e., Finance, Railways, Telecom, Civil Aviation, Power, HR and I&B. Also a rep from MEA who is an expert on international agreements.

(b) Members MoD. Rep IDS. Reps of Cyber Command (when formed) & DRDO.

(c) Private Sector. Reps from NASSCOM representing different spheres of the IT industry.

(d) Academic Institutions. At least three.

5. Charter

CIWEC will be a coordinating agency which will issue policy guidelines and monitor all activities on a regular basis. Its organization will be flexible to ensure representation of all agencies. Sub groups could be formed for specific aspects such as proactive defence or protection of critical infrastructure. The CIWEC will meet at least once a month to oversee and report progress on all issues which include:

(a) NCSP as also international cooperation in this regard. All agreements on IT with respect to needs of national security. This will also include recommendations for simplifying and laying down flexible procedures to meet requirements of the IT domain.

(b) Technology development for protection of NWs and systems, as also proactive defence.

(c) Installation of systems, monitoring and response management, specially for emergencies.

(d) Development of HR and public awareness. Recommendations for funding in this regard both in the public and private spheres.

(e) Standardization and certification. This will include creation of test beds.

6. Organisation & Functioning

CIWEC should be an empowered body. DG CIW should be of appropriate level to ensure executive action and compliance by agencies. All public agencies like the DRDO, HQ IDS, NTRO, DIT, National CERT, CSIR, NIC are represented and could constitute its executive arms. For necessary coordination and follow up, the office of DG CIW in NSCS must comprise security, legal and technical experts. It could be a small body to start with. Allocation of business rules must formalize functioning. Policy and conduct of offensive cyber operations could also be coordinated by a sub group drawn from the above.


[Figure: PROPOSED OVERALL CYBER SECURITY STRUCTURE IN GOVERNMENT OF INDIA]


CYBER SECURITY INCIDENTS 2004-2011

APPENDIX 2


APPENDIX 3

SPEECH OF MR SACHIN PILOT, MINISTER OF STATE FOR COMMUNICATIONS AND INFORMATION TECHNOLOGY, AT THE LONDON CONFERENCE ON CYBERSPACE

The internet is arguably the most important invention of the previous century. An increasing proportion of the world’s population is migrating to cyberspace to communicate, enjoy, learn, and conduct commerce. With this, new possibilities and opportunities are opening up. With the free flow of information to everyone at marginal incremental cost, businesses can reach clients and governments can reach citizens quickly, almost free, and directly. Internet has truly been an agent of change – a change for the better.

Cyberspace is not restricted by conventional physical boundaries. If we attempt to trace digital pathways, we will find that the entire world is connected as never before. These connections are more numerous than air routes, rail networks, highways, shipping lanes, and even dust tracks put together. Cyberspace will define the future of humanity, and the only restrictive aspect is the limits of our imagination to leverage it for improving the lives of our citizens.

London, 1 November, 2011

Mobile phones, tablets, and computers arenot just means of communication, but aretools of empowerment. The cyber world isalso fostering collaborative creativity andsharing of expertise. To derive maximumbenefit from cyber space on a social scale,all states must strive to provide universaldigital access.

India has been growing at an impressive rate of 7-9 percent in recent years, and will continue to do so in the near future. Along with economic prosperity has come an expected shift in how we conduct governance, economic activity, and even our personal lives. There has also been an exponential growth in the dominance of IT networks, and the increased importance of these networks to the way we live. Internet users in India have gone up from 5 million in 2000 to 100 million in 2011. Globally there was just 1 website in 1990, 130 websites in 1993, 100,000 websites in 1996 and 200 million websites today.

India has one of the most ambitious National e-Governance Plan (NeGP) to create a citizen-centric and business-centric environment for governance. The NeGP was approved by the Government in 2006 with the objective of creating the right governance and institutional mechanisms, capacity building initiatives, core infrastructure, policies & standards, and necessary legal framework for adoption of e-Governance in the country.

The NeGP is a comprehensive plan and is being implemented all the way down to our local governments. Under the plan, more than 1100 government services will be online; State Data Centres (SDCs) will serve as the repository of data at state level; and, the National Knowledge Network (NKN) will connect about 1500 institutes and organizations of higher learning, research, and governance.

The Electronic Delivery of Services Bill provides for delivery of public services by the Government to all persons by electronic mode to enhance transparency, efficiency, accountability, accessibility and reliability. The ‘Unique Identity’ project providing a unique number to each citizen is yet another link that will help us take government services to citizens more easily and efficiently.

Economic activity everywhere has become heavily reliant on IT networks because of cost-effectiveness, the ability of IT solutions to make business processes more streamlined and integrated, improving transparency and reaching out to consumers. While big businesses in India have been heavy investors in IT for a while, it is small and medium scale businesses that are joining the cyber world in large numbers now.

Using IT solutions and the internet is no longer a luxury, but a necessity for Indian companies to be able to compete domestically, and also globally. With an increasing number of people with access to the internet, and advancements in mobile banking and mobile trading, online financial transactions are fast becoming a reality for everyone.

India is also sharing its expertise in the IT sector with other countries. We have set up a Pan-African Network, in which 47 African countries now participate. This is one of the biggest projects of distance education and tele-medicine ever undertaken in Africa. It is also equipped to support e-governance, e-commerce, infotainment, resource mapping and meteorological and other services in the African countries.

The total number of broadband subscribers in India at nearly 13 million is set to rise rapidly with an expanding broadband infrastructure. The Government has approved a scheme for the creation of a ‘National Optical Fibre Network’ (NOFN) for providing broadband connectivity at village level, which will help in offering governance, banking and health services online. In addition to connecting all villages with broadband in the next 2 years, the government is working together with the industry to provide an improved business environment for the broadband industry, bring prices down through increased competition, and ensure high quality connectivity.

Under the National Broadband Plan, India will connect 160 million Indian households with high-speed Internet connections by 2014. We want every Indian to be connected to the information highway. In urban areas, mobile penetration rates have risen exponentially. Broadband connectivity too is on the rise. However, our focus now is on ICT penetration in rural areas where a large number of potential beneficiaries of e-governance actually reside. As a nation, we are committed to ensuring that the benefits of cyber space reach every corner of the country.

Our draft Information Technology policy, which is up for public comments, proposes to make Internet access a right of our citizens. No other country of India’s size and diversity is moving so steadfastly in this direction. We are preparing for the future, and the policy framework will establish a digital infrastructure that will not only take care of India’s immediate needs, but also sustain India’s growth over the long-term.

Along with equity, we should also be concerned about issues of privacy. From social networking sites to financial transactions, an increasing number of us have an online personality. Who owns the rights to digital data of individuals? Another issue of global concern is ‘freedom of speech’ online. Dictating individual/corporate behaviour online is not advisable but we do need to have a debate on norms of behaviour.

Unfortunately a more active cyber space is also inviting more malicious activity whether it is related to online fraud, theft of information or disruptive activities that may manifest in many forms including attacks on critical national infrastructure. These developments are likely to concern all such nation states that are increasingly relying on use of internet to improve governance and make the growth process more inclusive.

At stake are concerns about confidential data being used for illegal activities; the very survival of new business models like e-commerce is also dependent on the security of cyber systems. We know that in recent years, there has been a sharp rise in the number of cyber attacks, which we are closely monitoring. India is not alone in being the target of such acts. The UK and many other countries have been at the receiving end too.

Ensuring cyber and IT security is hard because networks can be attacked from anywhere in the world, and the motives to attack them may include simply demonstrating technical prowess, casual hacking, political orientation, fraud, crime or an extension of state conflict. Further still, digital footprints are easy to hide. Global coordination can ensure that the internet continues to thrive without the constant fear of misuse of information.

We have to think of safety in the cyber world as a global public good and address this problem together. Many countries, including India, have called for a discussion on whether laws covering international armed conflict, such as those under the Geneva Convention can also cover cyber attacks. India was one of the strongest voices at the 47th Munich Security Conference this year arguing for such a review.

India remains committed to being a responsible member of the international community and a willing participant in efforts to stimulate action around this issue. Together we can ensure that the information highways are secure. At the global level, we can coordinate our efforts on multiple fronts including setting standards, safeguarding digital intellectual property rights, sharing best practices, capacity building of developing countries, providing critical intelligence information, and establishing relevant security parameters. As the cyber world continues to unravel itself at a breakneck speed, our efforts to create and maintain a safe cyber space for individuals, corporations and countries remains a challenge that will require all of our collective efforts to come to the fore sooner rather than later.

Thank you.

(Courtesy: UK High Commission)


APPENDIX 4

SELECT PARLIAMENTARY QUESTIONS RELATED TO CYBER

MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY

Lok Sabha Starred Question No 160

Answered on 08.03.2010

NATIONAL CYBER SECURITY POLICY

160. Shri PRALHAD VENKATESH JOSHI
GANESH SINGH

Will the Minister of COMMUNICATIONS AND INFORMATION TECHNOLOGY be pleased to state:-

(a) whether the Government has formulated a National Cyber Security Policy to deal with the unabated cyber crimes challenging the security and sovereignty of the nation;

(b) if so, the details thereof and if not, the reasons therefor;

(c) whether the Government has developed and established any Cyber Security system which can instantly detect any cyber crime/hacking attempts to take pre-emptive action to diffuse such criminal act;

(d) if so, the details thereof and if not, the reasons therefor;

(e) whether an audacious attempt was recently made by some foreign based hackers to hack the computers of some important offices of the Government of India; and

(f) if so, the details thereof along with the action taken by the Government in this regard?

ANSWER

MINISTER FOR COMMUNICATIONS AND INFORMATION TECHNOLOGY (ANDIMUTHU RAJA)

(a) to (f) A Statement is laid on the Table of the House.

STATEMENT REFERRED TO IN REPLY TO LOK SABHA STARRED QUESTION NO. 160 FOR 8.3.2010 REGARDING NATIONAL CYBER SECURITY POLICY

(a) and (b) As a prelude to having a National Cyber Security Policy, the Government has formulated Crisis Management Plan for countering cyber attacks and cyber terrorism for implementation by all Ministries/Departments of Central Government, State Governments and their organizations and critical sectors. Further, an information security action plan for protection of critical information infrastructure is in place. The plan is aimed at enabling Government and critical sectors in improving the security of their Information Technology systems and networks and verification through periodic risk assessments and annual audits by third party auditing organizations. The plan has been circulated to Government and critical sector organizations. In accordance with information security action plan, Government and critical sector organizations are required to do the following on priority:

• Identify a member of senior management, as Chief Information Security Officer (CISO), knowledgeable in the nature of information security & related issues and designate him/her as a ‘Point of contact’, responsible for coordinating security policy compliance efforts and to regularly interact with the Indian Computer Emergency Response Team (CERT-In), Department of Information Technology (DIT).

• Prepare information security plan and implement the security control measures as per IS/ISO/IEC 27001: 2005 and other guidelines/standards, as appropriate.

• Carry out periodic Information Technology security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements, likely impact on business/functions and achievement of organizational goals/objectives.

• Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for Information Technology systems and networks. Especially, Test and evaluation may become necessary after each significant change to the Information Technology applications/ systems/ networks and can include, as appropriate the following:

  Penetration Testing (both announced as well as unannounced)

  Vulnerability Assessment

  Application Security Testing

  Web Security Testing

• Carry out Audit of Information infrastructure on an annual basis and when there is major up gradation/change in the Information Technology Infrastructure, by an independent Information Technology Security Auditing organization.

• Report cyber security incidents, as and when they occur and the status of cyber security, periodically to CERT-In.

In support of the above action plan, Indian computer Emergency Response Team (CERT-In) has created a panel of 40 Information Technology security auditors to help the organizations to get their Information Technology infrastructure and information systems audited from the point of view of Risk assessment, penetration of network and vulnerability assessment.

(c) and (d) National Informatics Centre (NIC) provides network and systems services to Central Government and State Government departments. As a service provider, NIC has installed state-of-art Cyber Security System, which monitors the events on the network for detection and prevention of malicious traffic on the network. The Cyber Security System includes:

Intrusion Prevention Systems, Firewalls, Anti-virus solution and application firewalls.

Similarly, other large Government organizations running services on their own also have installed Cyber Security System to protect their Systems and Network. The Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 has been enforced on 27.10.2009. The Section 69B empowers Government to monitor and collect traffic data or information through a computer resource for Cyber Security. The Indian Computer Emergency Response Team (CERT-In) scans the Indian Cyber Space to detect traces of any untoward incident that poses a threat to the cyber space. CERT-In performs both proactive and reactive roles in computer security incidents prevention, identification of solution to security problems, analyzing product vulnerabilities, malicious codes, web defacements, open proxy servers and in carrying out relevant research and development. Sectoral CERTs have been functioning in the areas of defence and Finance for catering critical domains. They are equipped to handle and respond to domain specific threats emerging from the cyber systems.

(e) and (f) There have been attempts of foreign origin from time to time to penetrate high security cyber network operating in some important offices of the Government of India. Investigations have revealed that these are merely attempts and no system has been found to be hacked or infected. National Informatics Centre has been conducting the security audit of the computer systems at regular intervals and has not found any hacked systems or infected. The following attempts have been detected on the network of NIC, in the recent past:

• Maliciously crafted email with attachments containing malware to a number of mail recipients attempting to infect the client machines.

• Scanning and probing of IT infrastructure.

These attacks have been observed to be coming from the computers installed in a number of foreign countries. However, these computers could be compromised and may be under the control of hackers from other parts of the world. Most of the attacks are stopped with the help of Cyber Security System deployed for detection and prevention of such attempts.

Rajya Sabha Unstarred Question No-4470

Answered on-06.05.2010

CYBER ESPIONAGE IN INDIAN COMPUTER SYSTEM

4470 . SHRI P. RAJEEVE

(a) whether Government has taken any steps to prevent cyber espionage network hacking into computer systems of Indian Government;

(b) if so, the details of the preventive measures taken; and

(c) whether preventive steps had been extended to several Indian Embassies abroad ?

ANSWER

MINISTER OF STATE FOR COMMUNICATIONS AND INFORMATION TECHNOLOGY

(SHRI SACHIN PILOT)

(a) and (b) The Government has taken several measures to detect and prevent cyber attacks/espionage. The details are:

1. As per existing computer security guidelines issued by Government, no sensitive information is to be stored on the systems that are connected to Internet.

2. The Government has formulated Crisis Management Plan for countering cyber attacks and cyber terrorism for implementation by all Ministries/Departments of Central Government, State Governments and their organizations and critical sectors.

3. The organizations operating critical information infrastructure have been advised to implement information security management practices based on International Standard ISO 27001.

4. Ministries and Departments have been advised to carry out their IT systems audit regularly to ensure robustness of their systems. The Indian Computer Emergency Response Team (CERT-In) has already empanelled a number of penetration testing professionals through a stringent mechanism of selection to carry out audits.

5. National Informatics Centre (NIC), providing services to Ministries/Departments is continuously strengthening the security of the network operated by them and its services by enforcing security policies, conducting regular security audits and deploying various technologies at different levels of the network to defend against the newer techniques being adopted by the hackers from time to time.

6. The Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 has been enforced on 27.10.2009. The Act provides legal framework to address the issues connected with hacking and security breaches of information technology infrastructure.

Section 70 of the Act provides to declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Further, Section 70B has empowered Indian Computer Emergency Response Team to serve as national nodal agency in the area of cyber security.

7. The Indian Computer Emergency Response Team (CERT-In) scans the Indian Cyber Space to detect traces of any untoward incident that poses a threat to the cyber space. CERT-In performs both proactive and reactive roles in computer security incidents prevention, identification of solution to security problems, analyzing product vulnerabilities, malicious codes, web defacements, open proxy servers and in carrying out relevant research and development.

Sectoral CERTs have been functioning in the areas of defence and Finance for catering critical domains. They are equipped to handle and respond to domain specific threats emerging from the cyber systems.

CERT-In has published several Security Guidelines for safeguarding computer systems from hacking and these have been widely circulated. All Government Departments/ Ministries, their subordinate offices and public sector undertakings have been advised to implement these guidelines to secure their computer systems and information technology infrastructure.

CERT-In issues security alerts, advisories to prevent occurrence of cyber incidents and also conducts security workshops and training programs on regular basis to enhance user awareness.

(c) Yes, Sir. Ministry of External Affairs has issued a comprehensive set of IT security instructions for all users of MEA and periodically updates them on vulnerabilities. The Indian Missions abroad have been regularly sending information on safe computing practices. All personnel posted to Indian Missions and Posts abroad are being imparted IT security training.

Rajya Sabha Unstarred Question No-1203

Answered on-05.08.2010

CYBER ATTACKS

1203 . SHRIMATI SHOBHANA BHARTIA

(a) whether Government is aware that many Indian companies are losing several crores every year due to cyber attacks;

(b) if so, whether Government, in consultation with the State Governments, proposes to enact a law to check such cyber attacks;

(c) if so, the details thereof; and

(d) whether any separate wing is likely to be created to check such cyber attacks and also to prosecute the culprits involved?

ANSWER

MINISTER OF STATE FOR COMMUNICATIONS AND INFORMATION TECHNOLOGY

(SHRI SACHIN PILOT)

(a) Cyber attacks such as phishing and information stealing software programmes, denial of service attacks are intended for conducting financial frauds wherein users’ personally identifiable information such as credit card details etc. are stolen. Due to these incidents financial institutions (Banks) and users suffer financial losses.

Department of Financial Services, Ministry of Finance has reported online banking frauds worth Rs. 590.49 lakhs in the year 2009.

(b) and (c) The primary responsibility of prevention, detection, registration, investigation and prosecution of all cases of crime, including cyber crimes, lies with the concerned State Governments(s). The Union government however attaches highest importance to the matter of prevention of crime. The Information Technology Act 2000 is a Central Act to address cyber crimes and is applicable in all the States/ Union Territories. The cyber crimes are technology driven crimes and with changing technologies new crimes need to be addressed. Aware of this fact, the Government has amended the Act and further strengthened the legal framework. The IT (Amendment) Act, 2008 which came into force from 27.10.2009 has special provisions for checking new forms of cyber crimes like phishing, identity theft, data privacy etc. The Act provides legal framework to address the cyber crimes seen largely at present.

(d) The State Police Departments have set up separate cyber police stations/cells in many states/ Union Territories which handle all the cyber crime cases including cyber attacks.

Rajya Sabha Unstarred Question No-1779

Answered on-11.03.2011

CYBER ATTACKS FROM OTHER COUNTRIES

1779 . SHRI KUMAR DEEPAK DAS

(a) whether it is a fact that India is facing increasing cyber espionage cases from countries including China;

(b) if so, the details of number of such cases registered by the relevant agencies in the country;

(c) whether initiatives have been taken to combat the menace of cyber attacks and to build cyber defence shield around the Ministries and security establishments;

(d) if so, the details thereof; and

(e) if not, the reasons therefore?

ANSWER

MINISTER OF STATE FOR COMMUNICATIONS AND INFORMATION TECHNOLOGY

(SHRI GURUDAS KAMAT)

(a) and (b) There have been attempts from time to time to penetrate cyber networks operating in Government. A large number of these attacks have been observed to be coming from the computers installed in a number of foreign countries. However, some of the attacks have been traced to be originating from systems located in China.

Specific information on such cases is not maintained by National Crime Records Bureau (NCRB), which is the nodal agency maintaining the records of crime cases. However, the cases reported under Section 72 of Information Technology Act (Breach of confidentiality / privacy) and Sections 405, 406, 408 & 409 of Indian Penal Code (IPC) related to Cyber Criminal Breach of trust / Fraud during 2007-2009 are enclosed at Annexure.

(c) and (d) Government is following an integrated approach with a series of legal, technical and administrative steps to ensure that necessary systems are in place to address the growing threat of cyber attacks in the country. Salient details are given below:

(i) Computers Security Policies, Standard Operating Procedures and guidelines were formulated and circulated to all Ministries/Departments for implementation.

(ii) All Central Government Ministries / Departments and State/Union Territory Governments have been advised to conduct security auditing of entire Information Technology infrastructure including websites periodically to discover gaps with respect to security practices and take appropriate corrective actions.

(iii) National Informatics Centre (NIC) has been directed not to host web sites, which are not audited with respect to cyber security.

(iv) The “Crisis Management Plan for countering cyber attacks and cyber terrorism” was prepared and circulated for implementation by all Ministries/ Departments of Central Government, State Governments and their organizations and critical sectors.

(v) The Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 has been enforced on 27.10.2009. The Act provides legal framework to address the issues connected with security breaches of information technology infrastructure.

(vi) The Indian Computer Emergency Response Team (CERT-In) issues alerts and advisories regarding latest cyber threats and countermeasures on regular basis.

(e) Does not arise

PRESS INFORMATION BUREAU

RELEASE NOVEMBER 2011

Cyber Attacks

Government is aware of misuse of Internet/ emails by anti-social elements and criminals. National Investigation Agency during investigation of certain terror cases has found that terrorists had been using Internet and communicating through Email to execute the terror action.

Cases involving misuse of Internet / Emails is not maintained separately by Government. However, as per the general cyber crime data maintained by National Crime Records Bureau, a total of 217, 288, 420 and 966 Cyber Crime cases were registered under Information Technology Act during 2007, 2008, 2009, 2010 respectively, thereby showing an increasing trend. A total of 339, 176, 276 and 356 cyber crime cases were reported under Cyber Crime related Sections of Indian Penal Code (IPC) during 2007, 2008, 2009, 2010 respectively.

Internet has emerged as an online medium / platform to enable users to share ideas, activities & events and express views/ opinions on specific topics / events. Several groups and individuals have hosted content on Internet for a variety of purposes, which may be liked by one section of society and used gainfully. Such sites can be accessed by all sections of users. Millions of users worldwide from all sections of society use Internet. The technology and the associated applications allow the users to post the content of their choice automatically after registration with such sites, without the role of service providers hosting such sites. Most of the large number of users logging on the sites and millions of pages on such sites make it practically very difficult to keep a vigil on all contents posted/hosted on these sites. Most of the sites are hosted outside the country. Further, Government does not regulate content of such sites hosted on Internet.

A total no. of 90, 119, 252 and 219 Government websites as reported and tracked by the Indian Computer Emergency Response Team (CERT-In) were defaced by various hacker groups in the year 2008, 2009, 2010 and January – October 2011 respectively.

Government has notified Intermediary Guidelines Rules, 2011 under Section 79 of the Information Technology Act, 2000. These rules provide for the intermediaries to follow self-regulation. Any affected person may report the misuse of networking sites to the intermediary hosting these networking sites and request for removal / disabling of wrongful facts or objectionable content. The intermediaries are also required to designate a grievance officer to redress such requests by the affected person.

The Information Technology Act, 2000 has already been amended by Information Technology (Amendment) Act, 2008 w.e.f. 27.10.2009. The amended Act is a comprehensive Act and provides legal framework to fight all prevalent cyber crimes. Stringent punishment ranging from imprisonment of three years to life imprisonment and fine has been provided for various acts of cyber crime.

This reply was given by Shri Sachin Pilot, the minister of State in the Ministry of Communication and Information Technology in response to a question in Lok Sabha on 30 November 2011.

MINISTRY OF DEFENCE

Lok Sabha Unstarred Question No 79

Answered on 26.07.2010

HACKING OF SECURITY INFORMATION

79 . Shri RAJAGOPAL LAGADAPATI

Will the Minister of DEFENCE be pleased to state:-

(a) whether the Government proposes to deal with the hackers which have allegedly stolen vital security data recently from the Indian defence networks;

(b) if so, the details thereof;

(c) whether the Government is planning to coordinate with national cyber agencies to deal with such hackers;

(d) if so, the details thereof;

(e) whether the Government has any cyber security policy in this regard; and

(f) if so, the details thereof?

ANSWER

MINISTER OF DEFENCE (SHRI A.K. ANTONY)

(a) The report of hacking Indian Defence Networks put up by a group of researchers at the Munk School of Global Affairs, University of Toronto, Canada was analysed thoroughly. It was ascertained that certain internet facing computers were compromised by the hackers which had no sensitive defence data.

(b) To mitigate such incidents from recurring in the future, organizations under Ministry of Defence have worked out a Crisis Management Plan for measured response in case of any untoward incident.

(c) & (d) Defence Information Assurance and Research Agency (DIARA), a nodal agency mandated to deal with all cyber security related issues of Tri Services and Ministry of Defence is having a close coordination with national agencies like Computer Emergency Response Team – India (CERT-In) and National Training Research Organisation (NTRO).

(e) & (f) Specific Cyber Security Policies have been devised at all levels. Services Headquarters have an Information Security Policy and their networks are audited as per the guidelines.

Lok Sabha Unstarred Question No 5452

Answered on 13.12.2010

CYBER WARFARE STRATEGY

5452 . Shri MANISH TEWARI

Will the Minister of DEFENCE be pleased to state:-

(a) whether the Government has a Cyber Warfare strategy to deal with attempts to infiltrate and cripple the command, control and communication systems of the Defence Establishments of the three Services and other establishments under the Ministry and if so, the details thereof;

(b) if so, whether the Government has a Cyber Warfare doctrine like the neighbouring countries to engage in asymmetric warfare given India’s prowess in the software aspect of Information Technology (IT);

(c) if so, whether there are rules of engagement that have been formulated internationally or multilaterally for engagement in cyber space/warfare;

(d) the number of occasions when Information Technology networks of the Indian Defence Establishments were infected by the Stuxnet worm that caused havoc in Indonesia and Iran;

(e) whether the failed launches of GSLV and Prithvi could be attributed to the presence of Stuxnet in ISRO and DRDO systems as Symantec reported that eight per cent of all Stuxnet infestations were reported from India; and

(f) if so, the details of efficiency of firewall processes adopted by the Defence Establishments to protect their IT systems and the frequency with which the same is upgraded?

ANSWER

MINISTER OF DEFENCE (SHRI A.K.ANTONY)

(a) to (f) The Government has elaboratecyber security policies. Variousorganizations have prepared Cyber CrisisManagement Plans for appropriateresponses. No formal rules of engagementin cyber space/warfare exist at present atinternational or multilateral level. NoDefence establishment has reported beingeffected by Stuxnet worm. Defencenetworks have adequate defensivemeasures which are upgraded as perStandard Operating Procedures.

MINISTRY OF HOME AFFAIRS

Lok Sabha Unstarred Question No. 285

Answered on 27.07.2010

CYBER MONITORING

285. Shri GORAKHNATH

Will the Minister of HOME AFFAIRS be pleased to state:-

(a) whether there are reports indicating the usage of internet/e-mails by terrorists;

(b) if so, the details thereof along with the total number of such incidents detected in the current year;

(c) whether the Union Government, in coordination with the States has taken any steps to enhance the technical infrastructure for skill upgradation as well as for cyber monitoring; and

(d) if so, the details thereof along with the measures taken in this regard?

ANSWER

MINISTER OF THE STATE IN THE MINISTRY OF HOME AFFAIRS (SHRI AJAY MAKEN)

(a) to (d) Available inputs indicate that terrorists are using several means for communication inter-alia, including use of internet and e-mail. The Department of Information Technology (DIT) has initiated a major programme on cyber forensics specifically focused towards development of cyber forensic tools, setting up of infrastructure for investigation and training of law enforcement and judicial offices in use of cyber forensic tools, to collect and analyse the digital evidence. Further, DIT has set up cyber forensic training labs at CBI and Kerala Police for skill upgradation in the area of cyber crime investigations and have also sponsored projects in the North Eastern States to establish cyber forensic training facilities at the state police organizations. Besides, Indian Computer Emergency Response Team (CERT-In) under DIT has been set up for creating awareness about cyber security. It performs both pro-active and reactive roles.

Lok Sabha Unstarred Question No. 1199

Answered on 29.11.2011

TRAINING IN CYBER CRIMES

1199. Shri NISHIKANT DUBEY

Will the Minister of HOME AFFAIRS be pleased to state:-

(a) whether the Government has taken any initiative for providing training to security agencies/police officials to deal with increasing cyber crime cases in the country; and

(b) if so, the details thereof?

ANSWER

MINISTER OF STATE IN THE MINISTRY OF HOME AFFAIRS (SHRI JITENDRA SINGH)

(a) to (b) Bureau of Police Research & Development (BPR&D) and other organizations under Ministry of Home Affairs organize courses regularly for Police Officers at various levels on Information Technology in Police and Cyber Crime.

Police being a state subject, training of police personnel is primarily the responsibility of State Governments. As a part of the process of capacity building of the police, the efforts of the State Governments and Union Territories are supplemented by the Central Government. Courses on “Cyber Crime” are conducted at Central Detective Training Schools (CDTSs) every year for state police officers and CAPF personnel. National Police Academy, North-Eastern Police Academy, Central Bureau of Investigation are also conducting training on cyber crime.


APPENDIX 5

REPORT OF UN GROUP OF GOVERNMENTAL EXPERTS


CONTENTS

Foreword by the Secretary-General

Letter of transmittal

I. Introduction

II. Threats, risks and vulnerabilities

III. Cooperative measures

IV. Recommendations

Annexure


FOREWORD BY THE SECRETARY-GENERAL

A decade ago we could not have foreseen how deeply information technologies and telecommunications would be integrated into our daily lives, or how much we would come to rely on them. These technologies have created a globally linked international community and, while this linkage brings immense benefits, it also brings vulnerability and risk.

Considerable progress has been made in addressing the implications of the new technologies. But the task is arduous and we have only begun to develop the norms, laws and modes of cooperation needed for this new information environment.

With that in mind, I appointed a group of governmental experts from 15 States to study existing and potential threats in this sphere, and to recommend ways to address them. I thank the Chair of the Group and the experts for their diligent and careful work, which has produced this report, a concise statement of the problem and of possible next steps.

The General Assembly has an important role to play in the process of making information technology and telecommunications more secure, both nationally and internationally. Dialogue among Member States will be essential for developing common perspectives. Practical cooperation is also vital, to share best practices, exchange information and build capacity in developing countries, and to reduce the risk of misperception, which could hinder the international community’s ability to manage major incidents in cyberspace.

This is a rich agenda for future work. The present report is meant to serve as an initial step towards building the international framework for security and stability that these new technologies require. I commend its analysis and recommendations to Member States and to a wide global audience.


LETTER OF TRANSMITTAL

16 July 2010

I have the honour to submit herewith the report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. The Group was established in 2009 pursuant to paragraph 4 of General Assembly resolution 60/45. As Chair of the Group, I am pleased to inform you that consensus was reached on the report.

In that resolution, entitled “Developments in the field of information and telecommunications in the context of international security”, the General Assembly requested that a group of governmental experts be established in 2009, on the basis of equitable geographical distribution, to continue to study existing and potential threats in the sphere of information security and possible cooperative measures to address them, as well as concepts aimed at strengthening the security of global information and telecommunications systems. The Secretary-General was requested to submit a report on the results of that study to the General Assembly at its sixty-fifth session.

In accordance with the terms of the resolution, experts were appointed from 15 States: Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Italy, Qatar, the Republic of Korea, the Russian Federation, South Africa, the United Kingdom of Great Britain and Northern Ireland and the United States of America. The list of experts is contained in the annex.

The Group of Governmental Experts met in four sessions: the first from 24 to 26 November 2009 in Geneva; the second from 11 to 15 January 2010 at United Nations Headquarters; the third from 21 to 25 June 2010 in Geneva; and the fourth from 12 to 16 July at United Nations Headquarters.

The Group had a comprehensive, in-depth exchange of views on developments in the field of information and telecommunications in the context of international security. Furthermore, the Group took into account the views expressed in the replies received from Member States in response to General Assembly resolutions 60/45, 61/54, 62/17 and 63/37, respectively entitled “Developments in the field of information and telecommunications in the context of international security”, as well as contributions and background papers made available by individual members of the Group.

The Group wishes to express its appreciation for the contribution of the United Nations Institute for Disarmament Research, which served as consultant to the Group and which was represented by James Lewis and Kerstin Vignard. The Group also wishes to express its appreciation to Ewen Buchanan, Information Officer of the Information and Outreach Branch of the Office for Disarmament Affairs of the Secretariat, who served as Secretary of the Group, and to other Secretariat officials who assisted the Group.

(Signed) Andrey V. Krutskikh
Chairman of the Group


I. INTRODUCTION

1. Existing and potential threats in the sphere of information security are among the most serious challenges of the twenty-first century. These threats may cause substantial damage to economies and national and international security. Threats emanate from a wide variety of sources, and manifest themselves in disruptive activities that target individuals, businesses, national infrastructure and Governments alike. Their effects carry significant risk for public safety, the security of nations and the stability of the globally linked international community as a whole.

2. Information and communication technologies (ICTs) have unique attributes that make it difficult to address threats that States and other users may face. ICTs are ubiquitous and widely available. They are neither inherently civil nor military in nature, and the purpose to which they are put depends mainly on the motives of the user. Networks in many cases are owned and operated by the private sector or individuals. Because of the complex interconnectivity of telecommunications and the Internet, any ICT device can be the source or target of increasingly sophisticated misuse. Malicious use of ICTs can easily be concealed. The origin of a disruption, the identity of the perpetrator or the motivation can be difficult to ascertain. Often, the perpetrators of such activities can only be inferred from the target, the effect or other circumstantial evidence. Threat actors can operate with substantial impunity from virtually anywhere. These attributes facilitate the use of ICTs for disruptive activities.

3. Considering the implications of these developments for international security, the United Nations General Assembly asked the Secretary-General, with the assistance of governmental experts, to study both threats in the sphere of information security and relevant international concepts and to suggest possible cooperative measures that could strengthen the security of global information and communication systems.


II. THREATS, RISKS AND VULNERABILITIES

4. The global network of ICTs has become an arena for disruptive activity. The motives for disruption vary widely, from simply demonstrating technical prowess, to the theft of money or information, or as an extension of State conflict. The source of these threats includes non-State actors such as criminals and, potentially, terrorists, as well as States themselves. ICTs can be used to damage information resources and infrastructures. Because they are inherently dual-use in nature, the same ICTs that support robust e-commerce can also be used to threaten international peace and national security.

5. Many malicious tools and methodologies originate in the efforts of criminals and hackers. The growing sophistication and scale of criminal activity increases the potential for harmful actions.

6. Thus far, there are few indications of terrorist attempts to compromise or disable ICT infrastructure or to execute operations using ICTs, although they may intensify in the future. At the present time terrorists mostly rely on these technologies to communicate, collect information, recruit, organize, promote their ideas and actions, and solicit funding, but could eventually adopt the use of ICTs for attack.

7. There is increased reporting that States are developing ICTs as instruments of warfare and intelligence, and for political purposes. Uncertainty regarding attribution and the absence of common understanding regarding acceptable State behaviour may create the risk of instability and misperception.

8. Of increasing concern are individuals, groups or organizations, including criminal organizations, that engage as proxies in disruptive online activities on behalf of others. Such proxies, whether motivated by financial gain or other reasons, can offer an array of malicious services to State and non-State actors.

9. The growing use of ICTs in critical infrastructures creates new vulnerabilities and opportunities for disruption, as does the growing use of mobile communications devices and web-run services.

10. States are also concerned that the ICT supply chain could be influenced or subverted in ways that would affect the normal, secure and reliable use of ICTs. The inclusion of malicious hidden functions in ICTs can undermine confidence in products and services, erode trust in commerce and affect national security.

11. The varying degrees of ICT capacity and security among different States increases the vulnerability of the global network. Differences in national laws and practices may create challenges to achieving a secure and resilient digital environment.


III. COOPERATIVE MEASURES

12. The risks associated with globally interconnected networks require concerted responses. Member States over the past decade have repeatedly affirmed the need for international cooperation against threats in the sphere of ICT security in order to combat the criminal misuse of information technology, to create a global culture of cybersecurity and to promote other essential measures that can reduce risk.

13. Over the past decade, efforts to combat the threat of cybercrime have been conducted internationally, in particular, within the Shanghai Cooperation Organization, the Organization of American States, the Asia-Pacific Economic Cooperation Forum, the Association of Southeast Asian Nations (ASEAN) Regional Forum, the Economic Community of West African States, the African Union, the European Union, the Organization for Security and Cooperation in Europe and the Council of Europe, as well as through bilateral efforts between States.

14. Non-criminal areas of transnational concern should receive appropriate attention. These include the risk of misperception resulting from a lack of shared understanding regarding international norms pertaining to State use of ICTs, which could affect crisis management in the event of major incidents. This argues for the elaboration of measures designed to enhance cooperation where possible. Such measures could also be designed to share best practices, manage incidents, build confidence, reduce risk and enhance transparency and stability.

15. As disruptive activities using information and communications technologies grow more complex and dangerous, it is obvious that no State is able to address these threats alone. Confronting the challenges of the twenty-first century depends on successful cooperation among like-minded partners. Collaboration among States, and between States, the private sector and civil society, is important and measures to improve information security require broad international cooperation to be effective. Therefore, the international community should examine the need for cooperative actions and mechanisms.

16. Existing agreements include norms relevant to the use of ICTs by States. Given the unique attributes of ICTs, additional norms could be developed over time.

17. Capacity-building is of vital importance to achieve success in ensuring global ICT security, to assist developing countries in their efforts to enhance the security of their critical national information infrastructure, and to bridge the current divide in ICT security. Close international cooperation will be needed to build capacity in States that may require assistance in addressing the security of their ICTs.


IV. RECOMMENDATIONS

18. Taking into account the existing and potential threats, risks and vulnerabilities in the field of information security, the Group of Governmental Experts considers it useful to recommend further steps for the development of confidence-building and other measures to reduce the risk of misperception resulting from ICT disruptions:

(i) Further dialogue among States to discuss norms pertaining to State use of ICTs, to reduce collective risk and protect critical national and international infrastructure;

(ii) Confidence-building, stability and risk reduction measures to address the implications of State use of ICTs, including exchanges of national views on the use of ICTs in conflict;

(iii) Information exchanges on national legislation and national information and communications technologies security strategies and technologies, policies and best practices;

(iv) Identification of measures to support capacity-building in less developed countries;

(v) Finding possibilities to elaborate common terms and definitions relevant to General Assembly resolution 64/25.


ANNEXURE

List of members of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security

Mr. Vladimir N. Gerasimovich, Head of the Department of International Security and Arms Control, Ministry of Foreign Affairs, Belarus

Mr. Aleksandr Ponomarev (third session), Counsellor of the Permanent Mission of the Republic of Belarus to the United Nations Office at Geneva

Mr. Alexandre Mariano Feitosa, Commander, Brazilian Marine Corps, Brazilian Navy, Policy, Strategy and International Affairs Secretariat, Ministry of Defence, Brazil

Mr. Li Song (first and second sessions), Deputy Director General, Department of Arms Control and Disarmament, Ministry of Foreign Affairs, China

Mr. Kang Yong (third and fourth sessions), Deputy Director General, Department of Arms Control and Disarmament, Ministry of Foreign Affairs, China

Mr. Linnar Viik, Associate Professor, Estonian IT College, Estonia

Mr. Aymeric Simon, Relations internationales, Agence nationale de la sécurité des systèmes d’information, Secrétariat général de la défense et de la sécurité nationale, France

Mr. Gregor Koebel, Head of the Division for Conventional Arms Control, Federal Foreign Office, Germany

Mr. B. J. Srinath, Senior Director, Indian Computer Emergency Response Team, Department of Information Technology, India

Ms. Rodica Radian-Gordon, Director, Arms Control Department, Ministry of Foreign Affairs, Israel


Mr. Vincenzo Della Corte (first and third sessions), Director of Communication Security Sector, Presidency of the Council of Ministers, Italy

Mr. Walter Mecchia (second and fourth sessions), Communication Security Sector, Presidency of the Council of Ministers, Italy

Mr. Rashid A. Al-Mohannadi (first session), Commander of the Land Forces Signal Company, Amiri Signal Corps, Qatar

Mr. Saad M. R. Al-Kaabi, Lieutenant Colonel (Engineer), Ministry of Defence, Qatar

Mr. Lew Kwang-chul, Ambassador, Ministry of Foreign Affairs and Trade, Republic of Korea

Mr. Andrey V. Krutskikh, Deputy Director, Department of New Challenges and Threats, Ministry of Foreign Affairs, Russian Federation

Ms. Palesa Banda (first session), Deputy Director, Internet Governance, Department of Communication, South Africa

Maj. Gen. Mario Silvino Brazzoli, Government Information Technology Officer, Department of Defence, South Africa

Mr. Gavin Willis, International Relations Team, National Technical Authority for Information Assurance (CESG), United Kingdom of Great Britain and Northern Ireland

Ms. Michele G. Markoff, Senior Policy Adviser, Office of Cyber Affairs, US Department of State, United States of America


APPENDIX 6

IBSA MULTISTAKEHOLDER MEETING ON GLOBAL INTERNET GOVERNANCE


IDSA TASK FORCE ON CYBER SECURITY

CHAIRMAN

Dr Nitin Desai was formerly Chief Economic Adviser in the Ministry of Finance, GOI and later Under Secretary General of the UN and Chair of the Multi-stakeholder Advisory Group that organises the annual UN Internet Governance Forum.

MEMBERS

Dr Arvind Gupta is Director General, IDSA.

Lt Gen Aditya Singh retired as General Officer Commanding-in-Chief, Southern Command, of the Indian Army. He served as a member of the National Security Advisory Board from 2008 to 2010.

Dr Kamlesh Bajaj is the CEO of the Data Security Council of India (DSCI) and was the founding Director of the Indian Computer Emergency Response Team (CERT-In) at the Ministry of Communications and IT.

Mr B J Srinath is a Senior Director (Scientist ‘G’) in the Indian Computer Emergency Response Team (CERT-In), Department of IT, Ministry of Communications and IT, Government of India.

Mr Salman Waris is currently a Partner with a prominent Delhi-based law firm and expert on Cyber law issues.

Mr Amit Sharma is a Joint Director in the Office of Secretary, Dept of Defence (R&D), Ministry of Defence.

Wg Cdr Ajey Lele is Research Fellow at the IDSA.

Dr Cherian Samuel is Associate Fellow at the IDSA.

Mr Kapil Patil is Research Assistant, Pugwash India.

