- Types of Security Threats
- Conventional cyber crimes
- Cyber warfare and its examples
- Cyber terrorism
- Cyber terror: Some Examples
- Why we need to regulate Cyber space
- Tools to protect against Cyber Threats
- Cyber Laws in India
- Ongoing efforts in India
- Stakeholder Agencies in India
- Intergovernmental organizations and Initiatives
Cyberspace is a term that is not yet completely defined and has no geographical limitation. It is associated with the worldwide application of the Internet. It is also called a virtual space, as cyberspace has no detectable physical existence. Cyberspace is “the total interconnectedness of human beings through computers and telecommunication without regard to physical geography.”
Information through computers is transferred in the form of Ones (1) and Zeros (0), which do not inherently carry any separate information along with them for authentication. For authentication purposes, additional information needs to be carried with cyberspace transactions for identity purposes.
Providing extra information in digital communication introduces the possibility of identity theft, because nothing prevents the transmission of false identity information or the duplication of another’s identity information.
The seriousness of this problem is highlighted when you consider that future technologies will allow extremely important identifiers, such as a retinal scan or a fingerprint, to be represented digitally. These biometric characteristics are protected in real space because they are embedded in the physical body of the person. This protection is lost in cyberspace. Thus, cyberspace needs a system that allows individuals to verify their identities to others without revealing to them the digital representation of their identities.
Types of Security threats
Cybercrimes consist of specific crimes dealing with computers and networks, such as hacking and phishing, and the facilitation of traditional crime through the use of computers (child pornography, hate crimes, telemarketing/internet fraud). A brief introduction to some common cyber-related violations, or cybercrimes as they are more commonly called, is given below:
Hacking in simple terms means an illegal intrusion into a computer system and/or network. There is an equivalent term to hacking, i.e. cracking, but from the Indian legal perspective there is no difference between the terms hacking and cracking. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer.
The Internet is extensively used for sexual abuse of children. As more homes have access to the internet, more children are accessing it, and this increases their vulnerability to falling victim to the aggression of paedophiles. Paedophiles (persons who are sexually attracted to children) lure children by distributing pornographic material and then pursue them for sexual exploitation. Sometimes paedophiles contact children in chat rooms posing as teenagers or children of similar age; they win the confidence of these children, then induce them into sexually provocative discussions. Then begins the actual exploitation of children.
Cyber stalking refers to the use of the internet, e-mail, or other electronic communications devices to stalk another person. It can be defined as repeated acts of harassment or threatening behaviour by the cyber-criminal towards the victim using internet services.
A denial-of-service attack (DoS attack, as it is commonly known) is a technology-driven cyber intrusion in which the attacker floods the bandwidth or blocks the user’s mail with spam, depriving the user of access to the Internet and the services provided through it. A DoS attack can be perpetrated in a number of ways.
Dissemination of Malicious Software (Malware)
Malware is defined as software designed to perform an unwanted illegal act via the computer network. It could also be defined as software with malicious intent. Malware can be classified based on how it gets executed, how it spreads, and/or what it does. Some types are discussed below.
A virus is a program that can infect other programs by modifying them to include a possibly evolved copy of itself. A virus can spread throughout a computer or network using the authorization of every user who uses it to infect their programs. Every program so infected may also act as a virus, and thus the infection grows. Viruses normally affect program files, but in some cases they also affect data files, disrupting the use of data and destroying them completely.
Worms are also disseminated through computer networks. Unlike viruses, computer worms are malicious programs that copy themselves from system to system rather than infiltrating legitimate files. For example, a mass-mailing e-mail worm is a worm that sends copies of itself via e-mail. A network worm, on the other hand, makes copies of itself throughout a network, thus disrupting an entire network.
A Trojan is another form of malware; Trojans do things other than what is expected by the user. A Trojan or Trojan horse is a program that generally impairs the security of a system. Trojans are used to create back-doors (programs that allow outside access into a secure network) on computers belonging to a secure network so that a hacker can have access to the secure network.
Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.
A hoax is an e-mail that warns the user of a certain system that is harming the computer. The message thereafter instructs the user to run a procedure (most often in the form of a download) to correct the harming system. When this program is run, it invades the system and deletes an important file.
Spyware invades a computer and, as its name implies, monitors a user’s activities without consent. Spyware is usually forwarded through innocent-looking e-mails with bona fide e-mail IDs. Spyware continues to infect millions of computers globally.
Phishers lure users to a phony web site, usually by sending them an authentic-looking e-mail. Once at the fake site, users are tricked into divulging a variety of private information, such as passwords and account numbers.
Data interception: Hijacking e-mails or interference by an intermediary in the network; it may be a prelude to another type of computer crime, typically data modification.
Data diddling: Usually done in conjunction with data interception; valid data intended for a recipient is hijacked or intercepted and then replaced with erroneous data. This could also apply to illegally tapping into a database and altering its contents. Basically, any form of alteration without appropriate authorization falls under this category.
Data theft: Outright stealing of information, most commonly classified or proprietary, without authorization. This could be the result of data interception. It might also be the unlawful use or possession of copyrighted works such as songs, pictures, movies or other works of art.
Network interference: Any activity that causes the operation of a computer network to be temporarily disrupted. Interference implies something momentary, such as Denial of Service attacks that cause delays in data transmission by using up all available bandwidth. Distributed denial of service, ping of death and smurf attacks also fall under this category.
Data Security Network sabotage: Causing permanent damage to a computer network, such as deleting files or records from storage.
Conventional cyber crimes
Defamation comprises both libel (defamation by means of writing) and slander (defamation by speaking). After the popularity of the printing press, one witnessed an increase in libel. With the advent of information technology and the Internet, libel has become much more common and, of course, easier.
In simple words, it implies defamation by anything which can be read, seen or heard with the help of computers/technology. Since the Internet has been described as having some or all of the characteristics of a newspaper, a television station, a magazine, a telephone system, an electronic library and a publishing house, there are certain noticeable differences between online and offline attempts at defamation, which make online defamation more vigorous and effective.
Corporate Cyber Smear
A harmful and defamatory online message is termed corporate cyber smear. It is a false and disparaging rumour about a company, its management or its stock that is posted on the Internet. This kind of criminal activity has been a concern especially in the stock market and financial sectors, where knowledge and information are the key factors for businessmen.
Forgery is creation of a document which one knows is not genuine and yet projects the same as if it is genuine. Digital forgery implies making use of digital technology to forge a document. Desktop publishing systems, colour laser and ink-jet printers, colour copiers, and image scanners enable crooks to make fakes, with relative ease, of cheques, currency, passports, visas, birth certificates, ID cards, etc.
Gambling is illegal in many countries. The computer is a medium for online gambling. The act of gambling is categorised as an offence in some countries and has legal sanction in others. The main concern with online gambling is that most virtual casinos are based offshore, making them difficult to regulate.
It is in this situation that the Internet helps gamblers to evade the law. Anyone with access to a personal computer and an Internet connection can purchase lottery tickets or visit gambling sites anywhere in the world. The world of online gambling, due to its anonymity, unfortunately has many other hazards, such as the danger of illegal use of credit cards or illegal access to bank accounts.
Online sale of illegal articles
There are certain articles, like drugs, guns, pirated software or music, that might not be permitted to be sold under the law of a particular country. However, those who want to sell such articles find the Internet a safe zone to open online shops. There are specific concerns with regard to the increase in online sale of drugs.
The sale of illegal articles on the Internet is also one of those computer crimes where the computer is merely a tool to commit the crime.
E-mail spamming/ e-mail bombing
Spam refers to the sending of unsolicited messages in bulk. Technically, it overflows the limited-sized memory with excessively large input data. In relation to e-mail accounts, it means bombing an e-mail account with a large number of messages, which may be the same or different.
Spam is an unsolicited message requiring one’s time and effort to get rid of. A regular supply of such spam messages would naturally result in considerable annoyance. It would also directly hamper the interest of the user in his electronic mailbox, where he does not expect any interference and encroachment. The result, apart from loss of Internet working hours and thwarting one’s regular e-mail stream, could be one of mental agony and distress.
Cyber Warfare and its examples
Cyber warfare is Internet-based conflict involving politically motivated attacks on information and information systems. Cyber warfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.
In 2010, Stuxnet, which was designed to attack industrial programmable logic controllers, was directed against the Iranian nuclear programme. Since the discovery of the Stuxnet malware, other “cyber weapons” have made their appearance.
The Duqu worm was discovered in September 2011, followed in quick succession by the Mahdi, Gauss and Flame malware. Flame, Duqu and Gauss shared similar digital DNA with Stuxnet, and their primary purpose seemed to be espionage (spying), with their targets ranging from banking to governmental to energy networks.
Flame’s capabilities ranged from recording Skype conversations and downloading information from smart phones to more mundane activities such as recording audio, screenshots, keystrokes and network traffic.
The Mahdi Trojan seemed to have spread via phishing emails, even though its purpose was also apparently espionage. Infections were reported from Iran, Israel, Afghanistan, the United Arab Emirates, Saudi Arabia, Syria, Lebanon and Egypt.
Wiper, a new virus, was reported in April 2012; it was much more malicious and wiped the data on all computers that it infected. This virus largely affected networks in Iran.
The Shamoon virus is reported to have wiped the data from 30,000 computers of the Saudi Arabian state oil company, Aramco, followed a week later by a similar episode on the networks of the second largest LNG company in the world, RasGas of Qatar.
In what has become the norm for such cyber-attacks, despite intense investigations by anti-virus companies, the origins of the malware have remained largely in the realm of speculation and inference.
While ownership of the Stuxnet (and by inference, its cousins Duqu, Flame and Gauss) malware was claimed by the Obama Administration for electoral purposes, the Shamoon virus is speculated to be a reverse-engineered version of the Wiper virus unleashed by hackers loyal to the Iranian regime. Tit-for-tat attacks look set to become the norm as the countries of the region secure their cyberspace.
In another incident, it was reported that Chinese intelligence agencies may have planted malware in computers and broken into the headquarters of 33 Corps, the Indian Army formation looking after most of the North-Eastern border with China. The cyber intrusion also planted a Trojan horse to give Chinese agencies remote access to the computer network at the 33 Corps Headquarters in Sukhna, near Siliguri, West Bengal.
Cyber war would not actually be war, because there is no loss of human life; but by analyzing these incidents and the continuous discoveries of state-sponsored malware, it is possible to understand the intense activity in cyberspace and its unpredictable repercussions on civil and military infrastructures.
Cyber terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
Further, to qualify as cyber terrorism, an attack should result in violence against persons or property or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism depending upon their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.
Cyber-terrorism can also be understood as “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.” A hostile nation or group could exploit these vulnerabilities to penetrate a poorly secured computer network and disrupt or even shut down critical functions.
Cyber terror: Some examples
Middle East Tension Sparks Cyber Attacks
With the Middle East conflict at a very heated moment between bordering countries, Pro-Palestinian and Pro-Israel cyber groups have been launching an offensive against websites and mail services used by the political sectors the opposing groups show support for. The attacks were reported by the NIPC (National Infrastructure Protection Center) in October 2000 to U.S. officials. The attacks were a volley of email floods, DoS attacks, and ping flooding of such sites as the Israel Foreign Ministry, Israeli Defense Forces, and, in reverse, sites that belonged to groups such as Hamas and Hezbollah.
As tensions between the neighboring regions of India and Pakistan over Kashmir grew over time, Pro-Pakistan cyber-terrorists and recruited hackers began to target India’s Internet community. Just prior to and after the September 11 attacks, it is believed that the sympathizers of Pakistan (which also included members of the Al Qaeda organization) began their spread of propaganda and attacks against Indian Internet-based communities. Groups such as G-Force and Doctor Nuker have defaced or disrupted service to several major entities in India, such as the Zee TV Network, the Indian Institute of Science and the Bhabha Atomic Research Center, which all have political ties.
Retaliation in China
In May 1999, the accidental bombing of a Chinese embassy in Yugoslavia by U.S. bombers led to a massive web site defacement and e-mail bombardment attack on American companies and agencies. Pro-Chinese hackers and political groups executed the attacks to gain sympathy for the Chinese cause.
US Government sites such as the U.S. Departments of Energy and the Interior, and the National Park Service were all hit and had web sites defaced along with the White House web site. The site was downed for three days by continual e-mail bombing. Although the attack was rather random and brief and affected a small number of U.S. sites, the effects could have been worse.
Tamil Tiger Attempt
In 1998, with surges of violence committed in Sri Lanka over several years, attacks in cyberspace were the next area to target. The group known as the Tamil Tigers, a violent guerrilla organization, bombarded Sri Lankan embassies with over 800 e-mails a day. This was carried out over a two-week period. The e-mails conveyed the message, “We are the Internet Black Tigers and we’re doing this to disrupt your communications.” After the messages created such major disruption, the local intelligence authorities were dispatched to investigate. The authorities declared the attack the first known attack by terrorists on any computer system in the nation.
Recent activities of ISIS in the Middle East and the series of videos released by them are potential acts of cyber terror. They are using cyberspace for their propaganda and for influencing vulnerable people to join ISIS. It is a threat to the world, and the way they are growing calls for global cooperation to check them before they create havoc.
Why we need to regulate Cyberspace
There has been a rapid increase in the use of the online environment, where millions of users have access to internet resources and provide content on a daily basis (for example, INSIGHTS 😛).
The internet is used particularly for the distribution of obscene, indecent and pornographic content. Its use for child pornography and child sexual abuse, and the relative ease with which such content may be accessed, call for strict regulation.
The increasing shift of business transactions from tangible assets to intangible assets like Intellectual Property has converted Cyberspace from a mere information space into an important commercial space. The attempt to extend and then protect intellectual property rights online will drive much of the regulatory agenda and produce many technical methods of enforcement.
The major area of concern where some sort of regulation is desirable is data protection and data privacy, so that industry, public administrators, netizens, and academics can have confidence as online users.
The Internet has emerged as the ‘media of the people’. As the internet spread fast, there were changes in the press environment that had been centered on mass media. Unlike in the established press, there is no editor on the Internet. People themselves produce and circulate what they want to say, and this direct way of communicating on the internet has caused many social debates. Therefore the future of Cyberspace content demands the reconciliation of the two views of freedom of expression and concern for community standards.
Another concern is that money laundering, a ‘serious crime’, becomes much simpler through the use of the net. A person may use a name and an electronic address, but there are no mechanisms to prove the association of a person with an identity, so that a person can be restricted to a single identity or an identity can be restricted to a single person. Therefore Cyberspace needs to be regulated to curb this phenomenon.
Tools to protect against cyber threats
Other than the general use of antivirus, firewalls and gateways, strong passwords, secure Wi-Fi connections, training for netizens, etc., there are a few other practices which keep our data and networks safe from cyber threats. Some of them are mentioned below:
A Digital Signature is a technique by which it is possible to secure electronic information in such a way that the originator of the information, as well as the integrity of the information, can be verified. This procedure of guaranteeing the origin and the integrity of the information is also called Authentication.
The authenticity of many legal, financial, and other documents is determined by the presence or absence of an authorized handwritten signature. For a computerised message system to replace the physical transport of paper and ink documents, handwritten signatures have to be replaced by Digital Signatures.
A digital signature is only a technique that can be used for different authentication purposes. For an e-record, it comes functionally very close to the traditional handwritten signature. The user can generate a key pair himself/herself by using specific crypto software. Microsoft IE and Netscape now allow the user to create his/her own key pair. Any person may make an application to the Certifying Authority for issue of a Digital Signature Certificate.
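The two properties described above (verifying the originator and the integrity of a record), together with the earlier requirement that a person prove identity without handing over the identifier itself, shown as an added example that is not part of the original article. It assumes Node.js and uses Ed25519 from the built-in crypto module; the algorithm choice, the record text, the context tag and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed domain-separation tag: a login response can never be mistaken
// for a signature over a document made with the same key.
const LOGIN_CONTEXT = Buffer.from('example-login-v1:', 'utf8');

// The user generates the key pair; only publicKey is ever given to others.
function newIdentity() {
  return crypto.generateKeyPairSync('ed25519');
}

// Sign an electronic record. Ed25519 hashes internally, so the digest
// algorithm argument is null.
function signRecord(privateKey, record) {
  return crypto.sign(null, Buffer.from(record, 'utf8'), privateKey).toString('base64');
}

// True only if `record` is byte-for-byte what the private-key holder signed.
function verifyRecord(publicKey, record, signatureB64) {
  return crypto.verify(null, Buffer.from(record, 'utf8'), publicKey,
    Buffer.from(signatureB64, 'base64'));
}

// Prover side of a challenge-response login: sign the verifier's fresh nonce.
// The private key never leaves the prover.
function respondToChallenge(privateKey, challenge) {
  return crypto.sign(null, Buffer.concat([LOGIN_CONTEXT, challenge]), privateKey);
}

// Verifier side: knows only the public key and the challenges it has issued.
class Verifier {
  constructor(publicKey) {
    this.publicKey = publicKey;
    this.pending = new Set();
  }

  issueChallenge() {
    const challenge = crypto.randomBytes(32);
    this.pending.add(challenge.toString('hex'));
    return challenge;
  }

  check(challenge, response) {
    // Each challenge is accepted once, so a captured response cannot be replayed.
    if (!this.pending.delete(challenge.toString('hex'))) return false;
    return crypto.verify(null, Buffer.concat([LOGIN_CONTEXT, challenge]),
      this.publicKey, response);
  }
}

function demo() {
  const alice = newIdentity();
  const mallory = newIdentity(); // a second, unrelated key holder
  const record = 'PAY 5,000 INR TO ACCOUNT 111-CONSTRUCTED'; // constructed sample
  const sig = signRecord(alice.privateKey, record);

  const verifier = new Verifier(alice.publicKey);
  const c1 = verifier.issueChallenge();
  const r1 = respondToChallenge(alice.privateKey, c1);
  const c2 = verifier.issueChallenge();
  const c3 = verifier.issueChallenge();

  return {
    genuine: verifyRecord(alice.publicKey, record, sig),
    altered: verifyRecord(alice.publicKey, record.replace('111', '999'), sig),
    wrongSigner: verifyRecord(mallory.publicKey, record, sig),
    login: verifier.check(c1, r1),
    replaySameChallenge: verifier.check(c1, r1),
    replayNewChallenge: verifier.check(c2, r1),
    impostor: verifier.check(c3, respondToChallenge(mallory.privateKey, c3)),
  };
}

console.log(demo());
```

The altered record is the data diddling case from earlier in the article: the signature made over the original text no longer verifies once a single character changes.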
One of the most powerful and important methods for security in computer systems is to encrypt sensitive records and messages in transit and in storage. Cryptography has a long and colourful history. Historically, four groups of people have used and contributed to the art of Cryptography, the military, the diplomatic corps, diarists, and lovers. The military has had the most sensitive role and has shaped the field.
At present, information and data security plays a vital role in the security of the country, the security of the corporate sector and also of every individual working for personal benefit. The message or data to be encrypted, also known as the plaintext, is transformed by a function that is parameterized by a KEY. The output of the encryption process, known as the cipher text, is then transmitted through the insecure communication channel. The art of breaking ciphers is called cryptanalysis. The art of devising ciphers (cryptography) and breaking them (cryptanalysis) are collectively known as cryptology. It is done with the help of algorithms; a few of them are the Secret-Key Algorithm, the Data Encryption Standard (DES), Public Key Algorithms, the RSA Algorithm, etc.
A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria. It is to find out the vulnerabilities that an organization is facing with its IT infrastructure. A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes, and user practices.
Cyber Forensics is a very important ingredient in the investigation of cyber crimes. Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allow investigators to solve a crime.
Principal concerns with computer forensics involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation purposes.
The other concern, network forensics, is a more technically challenging aspect of cyber forensics. It gathers digital evidence that is distributed across large-scale, complex networks.
E-discovery investigation includes areas like money laundering, corruption, financial frauds, cyber crimes, serious frauds and white collar crimes investigation, etc. Presently e-discovery services in India are in their infancy, and this is the reason why many cases of corporate fraud and cyber crime remain unreported.
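The disk forensics concerns listed above (imaging, searching slack space, and preserving evidence for litigation) can be seen together in this added example, which is not part of the original article. It assumes Node.js; the 512-byte cluster size, the four-cluster image, the residue string and every function name are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const CLUSTER = 512; // constructed cluster size for the sample image
const RESIDUE = 'OLD-DELETED-RECORD acct=000-CONSTRUCTED '; // constructed old data
const LIVE_FILE = { startCluster: 1, size: 21 }; // 'current file contents'

// Constructed four-cluster image. Cluster 1 once held a deleted file; a shorter
// live file now overwrites only its first 21 bytes, so the rest is slack.
function buildSampleImage() {
  const image = Buffer.alloc(CLUSTER * 4); // zero-filled
  image.fill(RESIDUE, CLUSTER, CLUSTER * 2); // repeat old data across cluster 1
  image.write('current file contents', CLUSTER, 'utf8');
  return image;
}

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Taken once at acquisition: one hash for the whole image plus one per cluster,
// so a later mismatch can be localised.
function acquisitionRecord(image) {
  const clusterHashes = [];
  for (let off = 0; off < image.length; off += CLUSTER) {
    clusterHashes.push(sha256(image.subarray(off, off + CLUSTER)));
  }
  return { size: image.length, sha256: sha256(image), clusterHashes };
}

// Re-hash the working copy and compare it with the acquisition record.
function verifyImage(image, record) {
  const now = acquisitionRecord(image);
  const alteredClusters = [];
  record.clusterHashes.forEach((hash, i) => {
    if (now.clusterHashes[i] !== hash) alteredClusters.push(i);
  });
  const intact = now.size === record.size && now.sha256 === record.sha256;
  return { intact, alteredClusters };
}

// Slack space: bytes between the end of the file and the end of its last cluster.
function slackRegion(file) {
  const start = file.startCluster * CLUSTER + file.size;
  const end = Math.ceil(start / CLUSTER) * CLUSTER;
  return { start, end };
}

// Read-only search of the slack region; returns absolute image offsets.
function searchSlack(image, file, needle) {
  const { start, end } = slackRegion(file);
  const slack = image.subarray(start, end);
  const hits = [];
  for (let i = slack.indexOf(needle); i !== -1; i = slack.indexOf(needle, i + 1)) {
    hits.push(start + i);
  }
  return hits;
}

function demo() {
  const image = buildSampleImage();
  const record = acquisitionRecord(image); // hash before any analysis
  const hits = searchSlack(image, LIVE_FILE, 'OLD-DELETED-RECORD');
  const afterAnalysis = verifyImage(image, record); // analysis changed nothing
  const tampered = Buffer.from(image); // independent copy
  tampered[CLUSTER * 2 + 7] ^= 0x01; // a single flipped bit in cluster 2
  return { hits, afterAnalysis, afterTamper: verifyImage(tampered, record) };
}

console.log(demo());
```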
Cyber Laws in India
The first technology based law in India was the Indian Telegraph Act of 1885. This law was framed with the advent of the telegraph and later covered yet another advance in technology, the telephone.
The Information Technology Act, 2000 falls in the domain of technology-driven law. While the Information Technology Act is the most significant Act addressing conduct in cyberspace in India, there are a whole lot of other Acts that would apply to govern and regulate conduct and transactions in cyberspace.
Take for instance online contracts. Apart from the relevant provisions of the IT Act, the Indian Contract Act, the Sale of Goods Act, 1930 etc. would be relevant to determine the legality of such contracts.
Further the provisions of the Competition Act, 2002 or in case of unfair trade practices, the Consumer Protection Act 1986, would also be relevant.
Protection of intellectual property available on the Internet is one of the greatest challenges of the day. Be it books, films, music, computer software, inventions, formulas or recipes, everything is available on the net. Protection of copyrights and trademarks online would entail the invocation of the Indian Copyright Act and the Trade Marks Act.
As far as illegal activities on the net are concerned, apart from specific provisions in the IT Act that penalize them, a whole gamut of other Acts would govern them. For instance, in the case of an Internet fraud, based on the nature of the fraud perpetrated, Acts such as the Companies Act, 1956, the
Thus it can be inferred that while the IT Act is the quintessential Act regulating conduct on the Internet, based on the facts of a case or the nature of a transaction, several other Acts may be applicable. Therefore, cyber laws include the whole set of legislation that can be applied to determine conduct on the Internet.
Information Technology Act, 2000
The Information Technology Act, 2000 intends to give legal recognition to e-commerce and e-governance and facilitate its development as an alternate to paper based traditional methods. The Act has adopted a functional equivalents approach in which paper based requirements such as documents, records and signatures are replaced with their electronic counterparts.
The Act seeks to protect this advancement in technology by defining crimes, prescribing punishments, laying down procedures for investigation and forming regulatory authorities. Many electronic crimes have also been brought within the definition of traditional crimes by means of amendment to the Indian Penal Code, 1860. The Evidence Act, 1872 and the Banker’s Book Evidence Act, 1891 have also been suitably amended in order to facilitate collection of evidence in fighting electronic crimes.
The IT Act was amended in 2008 and its important provisions can be read here: http://cis-india.org/internet-governance/publications/it-act/short-note-on-amendment-act-2008
National Cyber security Policy, 2013
In light of the growth of the IT sector in the country, the National Cyber Security Policy of India 2013 was announced by the Indian Government in 2013, yet its actual implementation is still missing. As a result, fields like e-governance and e-commerce are still risky and may require cyber insurance in the near future. Its important features include:
- To build secure and resilient cyber space.
- Creating a secure cyber ecosystem, generate trust in IT transactions.
- 24 x 7 National Critical Information Infrastructure Protection Centre (NCIIPC)
- Indigenous technological solutions (Chinese products and reliance on foreign software)
- Testing of ICT products and certifying them. Validated products
- Creating workforce of 500,000 professionals in the field
- Fiscal benefits for businessmen who accept standard IT practices, etc.
Ongoing efforts in India
The government has conducted several awareness and training programmes on cyber crimes for law enforcement agencies, including those on the use of cyber forensics software packages and the associated procedures to collect digital evidence from the scene of crime.
Special training programmes have also been conducted for the judiciary to train them on the techno-legal aspects of cyber crimes and on the analysis of digital evidence presented before them. Both the CBI and many state police organizations are today geared to tackle cybercrime through specialised cyber crime cells that they have set up.
Cyber security initiatives and projects in India are very few in number. Even where some projects have been proposed, they have remained on paper only.
The list is long, but it is sufficient to mention projects like the National Critical Information Infrastructure Protection Centre (NCIIPC) of India, the National Cyber Coordination Centre (NCCC) of India, the Tri Service Cyber Command for Armed Forces of India, the Cyber Attacks Crisis Management Plan of India, etc. None of them are “coordinating” with each other and all of them are operating in different and distinct spheres. Recently, the National Technical Research Organization (NTRO) was entrusted with the responsibility to protect the critical ICT infrastructures of India.
India has already launched e-surveillance projects like the National Intelligence Grid (NATGRID), the Central Monitoring System (CMS), the Internet Spy System Network and Traffic Analysis System (NETRA) of India, etc. None of them are governed by any legal framework and none of them are under Parliamentary scrutiny. Thus, these projects violate Civil Liberties Protection in Cyberspace and provisions of
The National Informatics Centre (NIC) has been formed; it provides the network backbone and manages IT services and e-governance initiatives for central and state governments.
Stakeholder agencies in India
Countering cyber crimes is a coordinated effort on the part of several agencies in the Ministry of Home Affairs and in the Ministry of Communications and Information Technology. Law enforcement agencies such as the Central Bureau of Investigation, the Intelligence Bureau, state police organizations and other specialised organizations such as the National Police Academy and the Indian Computer Emergency Response Team (CERT-In) are the prominent ones who tackle cyber crimes. We will look at a few of them:
1. National Information Board (NIB)
National Information Board is an apex agency with representatives from relevant Departments and agencies that form part of the critical minimum information infrastructure in the country.
2. National Crisis Management Committee (NCMC)
The National Crisis Management Committee (NCMC) is an apex body of Government of India for dealing with major crisis incidents that have serious or national ramifications. It will also deal with national crisis arising out of focused cyber-attacks.
3. National Security Council Secretariat (NSCS)
National Security Council Secretariat (NSCS) is the apex agency looking into the political, economic, energy and strategic security concerns of India and acts as the secretariat to the NIB.
4. Department of Information Technology (DIT)
Department of Information Technology (DIT) is under the Ministry of Communications and Information Technology, Government of India. DIT strives to make India a global leading player in Information Technology and at the same time take the benefits of Information Technology to every walk of life for developing an empowered and inclusive society. It is mandated with the task of dealing with all issues related to promotion & policies in electronics & IT.
5. Department of Telecommunications (DoT)
Department of Telecommunications (DoT) under the Ministry of Communications and Information Technology, Government of India, is responsible for coordinating with all ISPs and service providers with respect to cyber security incidents and response actions as deemed necessary by CERT-In and other government agencies. DoT will provide guidelines regarding roles and responsibilities of Private Service Providers and ensure that these Service Providers are able to track the critical optical fiber networks for uninterrupted availability and have arrangements of alternate routing in case of physical attacks on these networks.
6. National Cyber Response Centre – Indian Computer Emergency Response Team (CERT-In)
CERT-In monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and detection of malicious attacks among public and private cyber users and organizations in the country. It maintains a 24×7 operations centre and has working relations, collaborations and contacts with CERTs all over the world, and with Sectoral CERTs, public, private, academia, Internet Service Providers and vendors of Information Technology products in the country.
6. National Information Infrastructure Protection Centre (NIIPC)
NIIPC is a designated agency to protect the critical information infrastructure in the country. It gathers intelligence and keeps a watch on emerging and imminent cyber threats in strategic sectors including National Defence. They would prepare threat assessment reports and facilitate sharing of such information and analysis among members of the Intelligence, Defence and Law enforcement agencies with a view to protecting these agencies’ ability to collect, analyze and disseminate intelligence.
7. National Disaster Management Authority (NDMA)
The National Disaster Management Authority (NDMA) is the Apex Body for Disaster Management in India and is responsible for creation of an enabling environment for institutional mechanisms at the State and District levels.
8. Standardization, Testing and Quality Certification (STQC) Directorate
STQC is a part of Department of Information Technology and is an internationally recognized Assurance Service providing organization. It has also established a test/evaluation facility for comprehensive testing of IT security products as per ISO 15408 common criteria security testing standards.
9. The Cyber Regulations Appellate Tribunal
The Cyber Regulations Appellate Tribunal has power to entertain the cases of any person aggrieved by the Order made by the Controller of Certifying Authority or the Adjudicating Officer. It has been established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The body is quasi-judicial in nature.
Intergovernmental organisations and initiatives
Here is a brief overview of intergovernmental bodies and initiatives currently addressing cyber security at the policy level.
Council of Europe
The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Budapest Convention on Cybercrime, the Cybercrime Convention Committee (T-CY) and the technical co-operation Programme on Cybercrime. The Budapest Convention on Cybercrime was adopted on 8 November 2001 as the first international treaty addressing crimes committed using or against network and information systems (computers). It entered into force on 1 July 2004.
Internet Governance Forum (IGF)
The IGF was established by the World Summit on the Information Society in 2006 to bring people together from various stakeholder groups in discussions on public policy issues relating to the Internet. While there is no negotiated outcome, the IGF informs and inspires those with policy making power in both the public and private sectors.
The IGF facilitates a common understanding of how to maximise Internet opportunities and address risks and challenges. It is convened under the auspices of the Secretary-General of the United Nations.
Its mandate includes the discussion of public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet.
United Nations (UN)
The International Telecommunication Union (ITU) is the specialized agency of the United Nations which is responsible for Information and Communication Technologies.
ITU also deals with adopting international standards to ensure seamless global communications and interoperability for next generation networks; building confidence and security in the use of ICTs; emergency communications to develop early warning systems and to provide access to communications during and after disasters, etc.
Conferences on Cyberspace
The London Conference on Cyberspace (1-2 November 2011) was meant to build on the debate on developing norms of behavior in cyberspace, as a follow-up to the speech given by UK Foreign Minister Hague at the Munich Security Conference in February 2011 which set out a number of “principles” that should underpin acceptable behavior in cyberspace.
The Meridian process aims to provide Governments worldwide with a means by which they can discuss how to work together at the policy level on Critical Information Infrastructure Protection (CIIP). Participation is open to all countries and targets senior level policymakers. An annual conference and interim activities are held each year to help build trust and establish international relations within the membership to facilitate sharing of
In reaction to spying and surveillance activity by the National Security Agency of the USA through PRISM, NETmundial – Global Multistakeholder Meeting on the Future of Internet Governance (23 April 2014 – 24 April 2014) was organized in a partnership between the Brazilian Internet Steering Committee and /1Net, a forum that gathers international entities of the various stakeholders involved with Internet governance. This meeting focused on the elaboration of principles of Internet governance and the proposal for a roadmap for future development of this ecosystem.
Community in cyberspace is based on the interaction between people. Cyberspace has an important social aspect to it that must not be overlooked. Cyberspace can be treated as a channel touching portion of real space at key points. Ideas are passed through the channel, and business is transacted through this channel. The cyberspace communities are members of the global community interacting on a different plane than in real space.
With the huge growth in the number of Internet users all over the world, the security of data and its proper management plays a vital role for future prosperity and potentiality. It is concerned with people trying to access remote services that they are not authorized to use.
Rules requiring bikers to wear helmets bring no benefit to the government authorities that impose them; they are for our own safety and life. In the same way, we should understand our responsibilities for our own cyber space and should at least take care of the safety of our personal devices. These steps include installation of antivirus software and keeping it updated, installing personal firewalls and keeping rules updated. We should monitor and archive all security logs.
We should have backup of important data. Our devices should be protected by passwords and there should be restricted access to sensitive data on our devices. And above all, we should aspire for more computer literacy to understand the safety issues related to our cyber space. At the same time we need to utilise the specialisation of the private sector in the field of cyber security, and the government should promote more PPP projects for the national cyber space.
•After China and the U.S., India has the highest number of Internet users. There are also an estimated over 381 million mobile phone subscriptions with Internet connectivity. In the list of online infection risk India ranks 9th and in personal computer across the globe, India ranks 7th.
•A recent survey by McAfee named India next to Brazil, Romania and Mexico the least able to defend against cyber attacks.
•Cyber security threats and hacking attempts in India rose to 22,060 in 2012 from 23 in 2004.
What it means
•Cyber terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
Cyber Threats
Cyber threats can be disaggregated, based on the perpetrators and their motives, into four baskets: cyber espionage, cyberwarfare, cyberterrorism, and cyber crime. Cyber Warfare – attacking the information systems of other countries for espionage and for disrupting their critical infrastructure.
Why Cyber Security is needed
•The third most populous country after China and India is not any geographical entity but a ‘virtual state’ called Facebook!
•The same computing DNA that produced the communications revolution has also created acute vulnerabilities – and attractive terror targets – for societies that depend on cyberspace for national security and economic survival.
•The growing dependency on information technology (IT) makes cybersecurity a vital component of India’s national security infrastructure. Lately, data collection, processing, storage and transmission capabilities, along with mobile, wireless and cloud computing, have been increasing hugely, making it easy for cyber attacks to occur.
•Considered the newest domain in modern warfare, cyberspace has now joined the ranks of traditional areas assessed by militaries all over the world. And this is exactly how cyberspace should be assessed, since an effective terrorist attack against a nation’s power grid, for example, could result in massive loss of life, crippling damage to infrastructure and a blow to the economy that could take years to repair. Stuxnet has carried out what in the past could only be accomplished by directly bombing a country’s infrastructure or sending in human agents to plant explosives.
•It can affect infrastructures like the banking system, air traffic control, power infrastructure and gas pipelines.
•Destruction now can bypass the military force and attack via “cyber-brute-force” suppressing a country’s military control systems, navigation, communication system, shutting down or paralysing critical infrastructure and affecting the country’s economy, cyber-weapons linking nuclear weapons
•The most common usage of the Internet is by designing and uploading websites on which false propaganda can be pasted. This comes under the category of using technology for psychological warfare.
•The web can promote and support acts of terrorism by means of propaganda, promotion, instructional dissemination and execution, financing, training, recruiting and can also facilitate specific attacks.
•Non-state actors have the technology to create cyber attacks or endanger the cyber environment of the global socio-political system. The 2011 Arab Spring revolution in Tunisia, Egypt and Libya successfully used cyberspace to pass its message.
•Threats abound: cyber crime, cyber espionage, cyber war and cyber terrorism all represent genuine risks to nations, firms and individuals around the world. Experts reckoned it is a matter of time before cyberspace becomes an “independent theatre of war”.
•With the rapid march of technology, such attacks will only become more widespread as the use of the Internet for manipulating things increases. “We have now entered into a new phase of conflict in which cyber weapons can be used to create physical destruction in someone else’s critical infrastructure. And there is a distinct possibility that the disruptions and dislocations it causes are permanent and severe.”
•The Flame virus (which has been circulating for more than five years and has yet to be claimed by an owner, although speculation centres around Israel) has turned the computer into the ultimate spy, gathering data files, turning on PC microphones to record nearby conversations, logging instant messaging chats, taking screen shots and even remotely changing settings on other computers.
•Moreover, hacker groups, such as Anonymous and Lulz Security (LulzSec), have executed distributed denial of service (DDoS) attacks. Under that process, they succeeded in defacing websites belonging to various governmental and corporate interests. They hacked NASDAQ and the International Monetary Fund (IMF).
•The Internet’s capabilities dictate the rules of engagement in cyberspace to initiate on-ground battles and at the same time create a fertile ground for new, aspiring jihadists.
•A case from the recent past is the Stuxnet virus, which attacked centrifuges. While the targeted victim was the Natanz nuclear site in Iran, other organisations across the world, including in India, operating with the Siemens system suffered collateral damage from the attack.
•Since 2000-01, there have been regular reports of Pakistani cyber criminals defacing Indian websites and writing derogatory messages against India. On the other hand, China has become a formidable adversary in cyber space. Recent cases of Chinese hacking into many Indian government establishment computers and even the highly secure national security domains provide enough evidence of its capability in waging cyber warfare. Since 2003, the People’s Liberation Army has trained more than 30,000 cyber warriors and another 150,000 in the private sector. According to several reports available in the public domain, the Chinese goal is to build the world’s best ‘informationised armed forces’.
Existing Counter Cyber Security Initiatives.
Indian Computer Emergency Response Team (Cert-In).
Cert-In is the most important constituent of India’s cyber community. Its mandate states, ‘ensure security of cyber space in the country by enhancing the security communications and information infrastructure, through proactive action and effective collaboration aimed at security incident prevention and response and security assurance’.
National Information Security Assurance Programme (NISAP).
(a) Government and critical infrastructures should have a security policy and create a point of contact.
(b) Mandatory for organizations to implement security control and report any security incident to Cert-In.
(c) Cert-In to create a panel of auditors for IT security.
(d) All organizations to be subject to a third party audit from this panel once a year.
(e) Organizations to report security compliance to Cert-In on a periodic basis.
Indo-US Cyber Security Forum (IUSCSF).
Under this forum (set up in 2001), high power delegations from both sides met and several initiatives were announced for intensifying bilateral cooperation to control cyber crime between the two countries.
To mitigate supply-chain risks emanating from telecom equipment manufactured by companies belonging to China, the telecom and home affairs ministries have issued guidelines mandating service providers to secure their networks and induct equipment that has been tested as per international standards.
CCTNS taking help of ISRO for making project fully indigenous
Warned by intelligence agencies that using a foreign satellite in the proposed nationwide Crime and Criminal Tracking Network and Systems (CCTNS) could make critical databases vulnerable to eavesdropping by other countries, the Union Home Ministry has decided to take the help of the Indian Space Research Organisation (ISRO) to make the project fully indigenous. Since the intelligence agencies raised objections to the proposed use of the IPSTAR satellite managed by Thaicom in the project, the BSNL diverted to this project some 400 VSATs that it had for other services.
Fact Box: National Cyber Coordination Centre (NCCC)
The Indian government will establish its own multi-agency body — National Cyber Coordination Centre (NCCC) — that would carry out “real-time assessment of cyber security threats” and “generate actionable reports/alerts for proactive actions” by law enforcement agencies. NCCC, to be set up at a cost of Rs 1000 crore, would be a multi-agency body under the Department of Electronics and IT. It will function in sync with other government agencies. These agencies include:
•National Security Council Secretariat (NSCS)
•Intelligence Bureau (IB)
•Research and Analysis Wing (RAW)
•Indian Computer Emergency Response Team (CERT-In)
•National Technical Research Organisation (NTRO)
•Defence Research and Development Organisation (DRDO)
•DIARA (Defence Information Assurance and Research Agency)
•Army, Navy, Air Force
•Department of Telecommunications
What will be its functions?
•It will be India’s first layer for cyber threat monitoring and all communication with government and private service providers would be through this body only.
•The NCCC would be in virtual contact with the control room of all Internet Service Providers to scan traffic within the country, flowing at the point of entry and exit, including international gateway.
•Apart from monitoring the Internet, the NCCC would look into various threats posed by cyber attacks.
•The agency will provide law enforcement agencies direct access to all Internet accounts, be it e-mails, blogs or social networking data.
DRDO doesn’t use any US-based company’s services in its organization.
In India, we need to create an environment within which security is built into our cyber and communications working methods. While it is the government that correctly takes a lead in evolving a coherent picture of what constitutes vulnerability in our cyber domain and a strategy on how to counter attacks, the private sector needs to recognise the real threat it faces. And this is not a future threat or a prospective threat that we need to prepare ourselves against; this is an ongoing, current threat. Cyber threat will continue to grow due to the fast evolution and development of internet and related technologies. At the global level, nations are stepping up their cyber defence efforts. The U.S. was one of the first countries that considered this to be a strategic problem in 2006, both in terms of national security and their future economic wellbeing.
•The major concern when dealing with cyber threats is ubiquity and anonymity. What other international medium is highly accessible, far-reaching, ridiculously inexpensive, whereby information is transferred at the speed of light, the attacker invisible and untraceable? Unlike a missile trajectory, IP (Internet Protocol) pathways can be masked and the locations appear opaque. Implicating a source and assigning blame to the attack progenitor is extremely difficult.
•The extreme difficulty of producing timely actionable warning of potential cyber attacks.
•The extremely complex vulnerability associated with the IT supply chain for India’s various networks.
•India’s approach to cyber security has so far been ad hoc and piecemeal. A number of organisations have been created but their precise roles have not been defined, nor has synergy been created among them.
•Lack of awareness and the culture of cyber security at individual as well as institutional level.
•Lack of trained and qualified manpower to implement the counter measures.
•Too many information security organisations which have become weak due to ‘turf wars’ or financial compulsions.
•A weak IT Act which has become redundant due to non-exploitation and age-old cyber laws.
•No e-mail account policy, especially for the defence forces, police and the agency personnel.
•Cyber attacks have come not only from terrorists but also from neighboring countries inimical to our National interests.
•Acknowledging that better indigenous snooping capabilities may not be enough to protect India’s cyber security, National Security Advisor Shivshankar Menon has advocated formulating a set of “standard operating procedures” (SOPs) — ground rules for cooperation which would help India succeed in obtaining Internet information from major powers that control much of cyber space.
•Given the cyber reality, ‘sensible’ powers should work towards a globally acceptable cyber regime to bring in a set of rules, build transparency and reduce vulnerabilities.
•Agreements relating to cyber security should be given the same importance as other conventional agreements.
•The government should also consider joining the European Convention on Cyber crime.
•A 24×7 nodal point for international cooperation with cyber authorities of other countries should be set up.
Critical Infrastructure
•Cyber security should be mandatory in computer science curriculum and even separate programmes on cyber security should be contemplated. Government should initiate a special drive of implementing practices in the critical infrastructure sectors and provide necessary budgetary support for such implementation.
•Government should establish a mechanism for measuring preparedness of critical sectors such as security index, which captures preparedness of the sector and assigns value to it.
•Government should incorporate IT Supply Chain Security as an important element of e-security plan to address security issues.
•Government should promote R&D in private industry through active government support for industry-led research projects in the areas of security. Establish enabling mechanisms to facilitate this.
•Emphasis should be placed on developing and implementing standards and best practices in government functioning as well as in the private sector. Cyber security audits should be made compulsory for networked organisations.
•Capacity building in the area of cyber crime and cyber forensics in terms of infrastructure, expertise and availability of HR and cooperation between industry, LEAs and judiciary.
•Cyber security education, R&D and training will be an integral part of the national cyber security strategy.
•PPP model should be explored for taking security to the regions and industry sectors.
•Strengthening telecom security – one of the key pillars of cyber security, especially through development of standards and establishment of testing labs for telecom infrastructure (equipment, hardware).
•More investment in this field in terms of finance and manpower.
•The impact of the emergence of new social networking media, and convergence of technologies on society including business, economy, national security should be studied with the help of relevant experts,
•Procedural laws need to be in place to achieve cooperation and coordination of international organisations and governments to investigate and prosecute cyber criminals.
•Government must put in place necessary amendments in existing laws or enact a new legislation like a Data Protection/Privacy Act so as to safeguard against the misuse of personal information by various government agencies and protect individual privacy.
•Need for trained and qualified experts to deal with the highly specialised field of cyber security and laws related to it.
•Make it a mandatory requirement for all government organisations and private enterprises to have a designated Chief Information Security Officer (CISO) who would be responsible for cyber security.
•Establishment of a cyber range to test cyber readiness.
•More powers to sectoral CERTs.
•Establish an online mechanism for cyber crime-related complaints to be recorded.
•Policymakers need to recognise this and put in place structures that allow the sharing of cyber security information through both formal and informal cyber exchanges. That requires fast, unified action between government agencies and the private sector.
•Indian agencies working on cyber security should also keep a close vigil on the developments in the IT sector of our potential adversaries.
•Joint efforts by all Government agencies including defence forces to attract qualified skilled personnel for implementation of counter measures.
Need to sensitize the common citizens about the dangers of cyber terrorism. Cert-In should engage academic institutions and follow an aggressive strategy.
•Defining how we deal with cyber threats and attacks internationally is crucial to peace and security. If cyber weapons are treated with indifference in comparison to other weapons then it can open the doors to multifaceted retaliation if a nation is provoked.
•Enforcing the right policies to amalgamate security of governments and law-abiding citizens is critical. The safety of individuals outweighs commercial piracy. Sophism and intellectual rhetoric redirect focus on eliminating irrefutable threats like violence and terrorism. Instead, diluted versions of policies are implemented and lives are put at risk.
•“India must take an early lead in creating a framework where the government, the national security experts and the industry catering to strategic sectors of economy, can come together, to pursue the goal of cyber security in the larger national cause.”
•Need to prepare cyber forces.
The United States was the first country to formally declare this as the fifth domain of warfare after land, sea, air and space. It has also formally classified the use of cyberspace as a “force”, a euphemism for offensive capability. The Chinese adopted the concept of “informationalisation” in the mid-1990s and have relentlessly built up structures and operations in this domain.
Cyber Security Dilemma
•John Herz, an American scholar of international relations and law, is credited with coining the term “security dilemma”.
•The dilemma expresses how both the strong and weak states can upset the balance of power that could eventually become a catalyst for war. The security dilemma could arise from the state’s accumulation of power due to fear and uncertainty about other states’ intentions.
•Post-9/11, successive US administrations have mostly attempted to handle global disorder by accumulating more “power”. Not surprisingly, since 2007, the US has been collecting and analysing a significant amount of data available in cyber space.
•The cyber security dilemma of the US was recently exposed by the US whistle-blower Edward Snowden, giving details about the US National Security Agency’s controversial Prism programme.
•The US clearly has been monitoring global e-traffic covertly and in the process checking on cyber activities on Google, YouTube, Skype, Facebook, etc. This has resulted in a huge amount of metadata (data about data).
•The US administration has been snooping on the rest of the world.
•In the 21st century, with the number of computer and internet users increasing significantly, the cyber environment has almost become fundamental to a nation’s ‘existence’.
•Over the years Information and Communication Technologies (ICT) have become central to various sectors from social, economic, political to defence. The flip side to it is that various unauthorised, illegal, criminal, anti-national and terrorist activities have also become rampant. Astonishing as it may sound, the third most populous country after China and India is not any geographical entity but a ‘virtual state’ called Facebook!
•The human rights activists and states who are under US surveillance consider it an anti-democratic act that undermines civil liberties and individual privacy. The absence of a globally accepted cyber regime and legal structure adds further to the commotion.
•The excessive dependence on cyber tools has given rise to various vulnerabilities. Recently the US National Security Agency chief Gen Keith Alexander, who also heads the US military’s Cyber Command, has expressed concerns and is of the opinion that on a scale of 1 to 10, the US critical infrastructure’s preparedness to withstand a destructive cyber attack is about 3, this in spite of the US having established a major defence infrastructure to defend against foreign hackers and spies. This assessment would push the US to strengthen its defences further. However, since the nature of the threat is extremely dynamic it may not be possible to build any foolproof defensive mechanism.
•Any cyber architecture can be viewed as a double-edged sword – either ignore it and be exposed or use it to one’s advantage. Cyber espionage is here to stay. Today, the US is upfront because of its technological superiority and ability to ‘manage’ the ICT industry and prevent few acts of terrorism from actually happening. More importantly, the data gathered would have utility in other fields too.
•Snowden has clearly exposed the US but it is hard to imagine that the US would halt its cyber activities. As a leading power, the US is accustomed to international criticism, lawsuits and questioning and at the end of the day cyber spying and spoofing actually strengthens their intelligence gathering capability.
•It is important to note that cyber expertise offers a significant amount of asymmetric advantage to the user. In the future, it is not only the US but many other states that are also likely to use this method (mostly covertly).
•States would support a cyber regime essentially because intelligence collection is not the sole purpose for possessing cyber assets. ICT also leads to empowerment and its importance for socioeconomic development is undisputed.
•In general, the norms of privacy in a cyber-era world would remain a constant subject of debate since the nature of technology presents a challenging task to catch the actual offender. A technologically superior power would always have an advantage. The time has come to recognize that in the future we would always be watched and mostly against our own wishes!
India-US collaboration in Cyber Security
Indian officials and security officers would soon be visiting the U.S. for training in an array of courses — from cyber security, megacity policing and forensics, to critical infrastructure protection, financial terrorism and anti-terrorism intelligence. “The list of training programmes includes ‘Land Transportation Anti-terrorism’; ‘Weapons of Mass Destruction’; ‘Seaport Security’; ‘International Border Interdiction Training’ and ‘International Sea Interdiction Training’ to check smuggling and trafficking; ‘Handling of equipment for screening men against radiological, chemical and explosive materials’ and ‘Handling of intrusive detection at airports and seaports.’”
With the growing population in cities and increasing threat perception, the U.S. has also offered to help India develop the concept of megacity policing, a step it has been promoting since the 9/11 attacks.
“An advance course in surveillance, control room design and its operation by various security agencies and police authorities are key elements of this concept.”
Balancing vigilance and privacy
As the government steps up its surveillance capabilities, the entire social contract between the state and citizens is being reformulated, with worrying consequences.
The Indian state is arming itself with both technological capabilities and the institutional framework to track the lives of citizens in an unprecedented manner.
A new Centralised Monitoring System (CMS) is in the offing, which would build on the already existing mechanisms. As The Hindu reported on June 21, this would allow the government to access in real-time any mobile and fixed line conversation, SMS, fax, website visit, social media usage, Internet search and email, and will have ‘unmatched capabilities of deep search surveillance and monitoring’.
Civil society groups and citizens expressed concern about the government’s actions, plans, and intent at a discussion organised by the Foundation for Media Professionals, on Saturday.
Usha Ramanathan, a widely respected legal scholar, pointed to the larger political context which had permitted this form of surveillance. It stemmed, she argued, from a misunderstanding of the notion of sovereignty. “It is not the government, but the people who are sovereign.” Laws and the Constitution are about limiting the power of the state, but while people were being subjected to these restrictions, the government itself had found ways to remain above it – either by not having laws, or having ineffective regulators. States knew the kind of power they exercised over citizens, with the result that ‘impunity had grown’.
“There is also a complete breakdown of the criminal justice system,” Ms Ramanathan said. This had resulted in a reliance on extra-judicial methods of investigation, and ‘scape-goating’ had become the norm. ‘National security’ had been emphasised, re-emphasised, and projected as the central goal. “We haven’t paused to ask what this means, and the extent to which we have been asked to give up personal security for the sake of national security.” It was in this backdrop that technology had advanced by leaps, and made extensive surveillance possible.
The implications are enormous. The data is often used for purposes it is not meant for, including political vendetta, keeping track of rivals, corporates, and digging out facts about a citizen when he may have antagonised those in power.
Pranesh Prakash, director of the Centre of Internet and Society (CIS) looked back at the killing of Haren Pandya, the senior Bharatiya Janata Party (BJP) leader in Gujarat. Mr Pandya was using the SIM card of a friend, and it was by tracking the SIM, and through it his location, that the Gujarat government got to know that Mr Pandya had deposed before a commission and indicted the administration for its role in the riots. Eventually, he was found murdered outside a park in Ahmedabad. The Gujarat Police had accessed call details of 90,000 phones.
It is also not clear whether mining this kind of data has been effective for the national security purposes, which provide the reason for doing it in the first place. Saikat Datta, resident editor of Daily News and Analysis, and an expert on India’s intelligence apparatus, said a core problem was the absence of any auditing and oversight. “There needs to be a constant review of the number of calls, emails under surveillance, with questions about whether it is yielding results. But this does not happen, probably because a majority is not for counter-terrorism. There would be trouble if you build accountability mechanisms.” When he sought information under RTI around precisely such issues, he was denied information on the grounds that it would strengthen ‘enemies of the state’.
Anja Kovacs, who works with the Internet Democracy Project, said this form of “mass surveillance” criminalised everybody since it was based on the assumption that each citizen was a “potential criminal”. She also pointed out that having “more information” did not necessarily mean it was easier to address security threats – there was intelligence preceding the Mumbai attacks, but it was not acted upon. She added, “Most incidents have been resolved by traditional intelligence. Investing in agencies, training them better could be more effective.”
Bring in the caveats
Few argue that the state is not entitled to exercise surveillance at all. In fact, a social contract underpins democratic states. Citizens agree to subject some of their rights to restrictions, and vest the state with the monopoly over instruments and use of violence. In turn, the state – acting within a set of legal principles; being accountable to citizens; and renewing its popular legitimacy through different measures, including elections – provides order and performs a range of developmental functions.
This framework, citizens and civil liberty groups worry, is under threat with governments appropriating and usurping authority to conduct unprecedented surveillance. Citizen groups, technology and privacy experts came together globally to draft the International Principles on the Application of Human Rights to Communication Surveillance.
It prescribed that any restriction to privacy through surveillance must be ‘legal’; it must be for a ‘legitimate aim’; it must be ‘strictly and demonstrably necessary’; it must be preceded by showing to an established authority that other ‘less invasive investigative techniques’ have been used; it must follow ‘due process’; decisions must be taken by a ‘competent judicial authority’; there must be ‘public oversight’ mechanisms; and ‘integrity of communications and systems’ should be maintained. (Full text available on www.necessaryandproportionate.org)
Mr Prakash of CIS, which has done extensive work on surveillance and privacy issues, said, “An additional principle must be collection limitation or data minimisation.” Giving the instance of Indian Railways seeking the date of birth from a customer booking a ticket, Mr Prakash said this was not information which was necessary. But it could be used by hackers and many other agencies to access an individual’s private transactions in other areas. The UPA government is finalising a privacy Bill, but its final version is not yet public, and it is not clear how far the government would go in protecting citizen rights.
National Cyber Security Policy 2013
This policy aims at facilitating the creation of a secure computing environment, enabling adequate trust and confidence in electronic transactions, and guiding stakeholders’ actions for the protection of cyber space.
• The National Cyber Security Policy document outlines a road-map to create a framework for comprehensive, collaborative and collective response to deal with the issue of cyber security at all levels within the country.
• The policy recognises the need for objectives and strategies that need to be adopted both at the national level as well as international level.
• The objectives and strategies outlined in the National Cyber Security Policy together serve as a means to:
i. Articulate our concerns, understanding, priorities for action as well as directed efforts.
ii. Provide confidence and reasonable assurance to all stakeholders in the country (Government, business, industry and general public) and global community, about the safety, resiliency and security of cyber space.
iii. Adopt a suitable posturing that can signal our resolve to make determined efforts to effectively monitor, deter & deal with cyber crime and cyber attacks.
Salient features of the policy
• The Policy outlines the roadmap for creation of a framework for comprehensive, collaborative and collective responsibility to deal with cyber security issues of the country. The policy has ambitious plans for rapid social transformation and inclusive growth and India’s prominent role in the IT global market.
• The policy lays out 14 objectives which include creation of a 5,00,000-strong professional, skilled workforce over the next five years through capacity building, skill development and training.
• The policy plans to create national and sectoral level 24×7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective, predictive, preventive, proactive response and recovery actions.
• The policy will also establish a mechanism for sharing information as well as identifying and responding to cyber security incidents and for cooperation in restoration efforts.
• The policy identifies eight different strategies for creating a secure cyber eco-system including the need for creating an assurance framework apart from encouraging open standards to facilitate inter-operability and data exchange amongst different products or services.
• There is in place a plan to operate and strengthen the national Computer Emergency Response Team (CERT-In) to operate 24×7 and to act as a nodal agency for all efforts for cyber security, emergency response and crisis management, as an umbrella agency over CERTs.
• It is expected that the policy will cater to the cyber security requirements of government and non-government entities at the national and international levels. The policy will help in safeguarding the critical infrastructure like Air Defence system, nuclear plants, banking system, power infrastructure, telecommunication system and many more to secure the country’s economic stability.
National Nodal Agency
• The National Cyber Security Policy, in order to create a secure cyber ecosystem, has planned to set-up a National Nodal Agency. The nodal agency will be coordinating all matters related to cyber security in the country.
• The nodal agency has a wide mandate as it will cover and coordinate security for all strategic, military, government and business assets. This is distinctive, since, so far, national security regimes have been divided among the Ministry of Defence (for securing India’s borders) and the Ministry of Home Affairs (for national and internal security across States).
Public-private partnership to protect national assets
• Another defining aspect of the policy is the level at which it envisages public-private partnership to protect national assets.
• There is a clear recognition in the policy that, apart from India’s IT, technology and telecommunications services, large parts of financial & banking services, airline & transportation services, energy and healthcare assets are not only owned by the private sector but, in fact, remain vulnerable to cyber-attacks, both from state and non-state actors.
• A crucial aspect of the policy is building resilience around the Critical Information Infrastructure (CII) by operationalising a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC). The Critical Information Infrastructure will comprise all interconnected and interdependent networks, across government and private sector.
• The NCIIPC will mandate a security audit of CII apart from the certification of all security roles of chief security officers and others involved in operationalising the CII.
• The policy will be operationalised by way of guidelines and Plans of Action, notified at national, sectoral, and other levels. While there is a recognition of the importance of bilateral and multilateral relationships, the policy does not clearly identify India’s position vis-à-vis the Budapest Convention even though government delegations have attended meetings in London and Budapest on related issues in 2012.
Why does India need a cyber security policy?
• Cyber security is critical for economic security and any failure to ensure cyber security will lead to economic destabilisation.
• India already has 800 million active mobile subscribers and 160 million other Internet users of which nearly half are on social media. India targets 600 million broadband connections and 100% teledensity by 2020. Internet traffic in India will grow nine-fold by 2015 topping out at 13.2 exabytes in 2015, up from 1.6 exabytes in 2010.
• The ICT sector has grown at an annual compounded rate of 33% over the last decade and the contribution of IT and ITES industry to GDP increased from 5.2% in 2006-7 to 6.4% in 2010-11, according to an IDSA task force report of 2012.
• Given that a nation’s cyber ecosystem is constantly under attack from both state and non-state actors, it becomes extremely critical for India to come up with a coherent cyber security policy.
• One of the key objectives for the government is also to secure e-governance services where it is already implementing several nationwide plans including the “e-Bharat” project, a World Bank-funded project of Rs. 700 crore.
The release of the National Cyber Security Policy 2013 is an important step towards securing the cyber space of our country. However, there are certain areas which need further deliberation before it can actually be implemented. Provisions to take care of security risks emanating from the use of new technologies, e.g. cloud computing, have not been addressed. Another area left untouched by this policy is tackling the risks arising from the increased use of social networking sites by criminals and anti-national elements. There is also a need to incorporate cyber crime tracking, cyber forensic capacity building and the creation of a platform for sharing and analysis of information between the public and private sectors on a continuous basis.
Creating a workforce of 500,000 professionals needs further deliberations as to whether this workforce will be trained to simply monitor the cyberspace or trained to acquire offensive as well as defensive cyber security skill sets. Indigenous development of cyber security solutions as enumerated in the policy is laudable but these solutions may not completely tide over the supply chain risks and would also require building testing infrastructure and facilities of global standards for evaluation.
The Indian Armed Forces are in the process of establishing a cyber command as a part of strengthening the cyber security of defence networks and installations. Creation of a cyber command will entail a parallel hierarchical structure and, since it will be one of the most important stakeholders, it will be prudent to address the jurisdiction issues right at the beginning of policy implementation. The global debate on national security versus the right to privacy and civil liberties has been going on for long. Although one of the objectives of this policy aims at safeguarding the privacy of citizen data, no specific strategy has been outlined to achieve this objective.
The key to success of this policy lies in its effective implementation. The much talked about public-private partnership in this policy, if implemented in true spirit, will go a long way in creating solutions to the ever-changing threat landscape.
Central Monitoring System (CMS) project – Justified??
• Indian government’s own Central Monitoring System (CMS) project.
• Roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring “privacy of communications”.
• While the CMS is in early stages of launch, investigation shows that there already exist — without much public knowledge — Lawful Intercept and Monitoring (LIM) systems, which have been deployed by the Centre for Development of Telematics (C-DoT) for monitoring Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.
• While mobile operators deploy their own LIM system, allowing “interception” of calls by the government, only after checking “due authorisation” in compliance with Section 5(2) of the Indian Telegraph Act read with Rule 419(A) of the IT Rules
• In the case of the Internet traffic, the LIM is deployed by the government at the international gateways of a handful of large ISPs. The functioning of these secretive surveillance systems is out of reach of these ISPs, under lock and key and complete control of the government.