Articles and Commentaries |
September 12, 2017

India’s Cyber Security: Architecture and Imperatives

Rapid and unprecedented growth of Information and Communication Technologies (ICT) and media with its speedy and all-pervasive penetration has ushered in the digital age.  Not only has it brought the world together through globalisation, it has become the driver for economic growth. Technology and Information are the new normal of this digital transformation. This transition from an industrial to an information era has also ushered in a new security paradigm with new threats to both national and human security. With large scale automation, technology and connectivity, the developed nations are enjoying a much better quality of life. There exists a definite digital divide amongst the developed, developing and poor nations. This digital divide, coupled with the rising aspirations of the people accentuated by religious beliefs and cultural issues and technology denial have created serious security issues wherein new threats by way of cyber-crimes, cyber terrorism, cyber espionage and even cyber war have emerged making cyber security a strategic imperative at the national, regional and international levels.

Environmental Scan: India

While India has made considerable progress in the last decade or so towards the establishment of ICT infrastructure, enhancing the reach of the electronic media and extension of e-services in the finance, health and education sectors to ensure better governance, the development still remains differential. For example while India has the second largest number of Internet users in the world, it also has the second largest number of “Unconnected” population. The situation, however, is changing rapidly with the mobile telephone revolution which is under way and greater penetration of internet.

India’s drive towards digital economy coupled with national projects like Digital India, Smart Cities, National Broadband Network and so on are altering the digital landscape rapidly with direct impact on governance, transparency and accountability. While there is a definite requirement of greater penetration of ICT for development and better governance, this rapid change towards a digital environment has brought to fore the challenges of cyber security. A cyber insecure Digital India Initiative can turn from a strategic asset to an unaffordable liability and a direct threat to national security. India, needs safe navigation through cyberspace for its prosperity, national and human security. Hence, ensuring complete cyber security of our assets and National Information Infrastructure is both a national strategic imperative and an urgent national mission.

Threat Landscape

From leaking debit card details to influencing the US Presidential Election, cyber-attacks have become a significant part of our political and social discourse. Cyber threat exists 24/7 and manifests along the full spectrum starting from cybercrime to cyber espionage to cyber terrorism and cyber war.

Cyber crimes are a real threat today and are increasing very rapidly both in intensity and complexity with the spread of internet and smart phones. About eighty percent of cyber-attacks are related to cybercrimes. More importantly, cyber-crimes have changed the nature of conflict by blurring the line between state and non-state actors.

Cybercrimes are likely to increase exponentially with the fielding of virtual currency, Internet of Things, big data, cloud technology, drones, robotics, Blockchain and so on. Capabilities of hijacking a car, taking over the controls of an aircraft, cyber murder and remote injunction of viruses through drones and air crafts have already been demonstrated and in some cases, already inducted.

Dark net and Deep web are already being exploited for sale of vulnerabilities, weapons, recruitment of people in terrorist groups, drugs and so on.

Latest entrant to the long list of cyber-crimes is the installation of “Ransom Ware” to cripple a network or facility and demand ransom to restore the same. Recent ransomware attacks using Wanna Cry and Petya viruses have amply confirmed cyber as a “Weapon of Mass Disruption” with more than 300,000 computers affected across different sectors:  health, finance, transport, ports and so on in 150 countries! Another major cyber-attack on HBO is still awaiting resolution with hackers demanding 2.5 million in Bit Coins.

One of the biggest cyber-attack in 2016 was the hacking of Indian debit cards wherein as many as 32 lakh debit cards belonging to various Indian banks were compromised resulting in the loss of Rs. 1.3 crore in fraudulent transactions as per National Payments  Corporation of India (NPCI).

The Infamous hacker group “Legion Crew” made headlines in the sub-continent after hacking into the Twitter accounts and partial email dumps of prominent public figures such as politician Rahul Gandhi, businessman Vijay Mallya, and NDTV journalists Barkha Dutt and Ravish Kumar.

Cyber Espionage

Internet has become a very powerful source for intelligence collection in support of national, diplomatic, military, technology or economic objectives. It is estimated that more than 90 percent of “open source intelligence” is being obtained from the cyber world. It is economical and safe. Cyber espionage is also being used for technology theft and for launching probing missions on the critical infrastructure for possible exploitation later. The extent of threat can be gauged from the fact that Japan alone had 25.6 billion cyber-attacks in the year 2014 mostly for technology exfiltration. That is 900 cyber-attacks per second.  The fact that attack Vectors for cyber espionage and cyber war are the same makes cyber espionage a major threat in being. Recent alleged interference by Russia in the democratic elections in France and the USA add another dimension to the threat landscape and the cyber intelligence.

Cyber Terrorism:

Coincidence between the physical and virtual worlds, as demonstrated by the STUXNET attack on Iran’s nuclear facility at Natanz in 2010, has put complete information infrastructure at risk. Targeted attacks on a nation’s critical infrastructure like military installations, power plants, air traffic control, surface transport traffic control, telecommunication networks would be considered as part of cyber terrorism. These are low level, “short of war” attacks which would cripple part of a critical infrastructure or adversely affect the functioning of a business. These attacks are not large enough to warrant a military response but have the potential to inflict enough damage that numerous attacks over a long period of time could harm economy, complicating a policymaker’s calculus for determining an appropriate response.

Social Media

Social Media like Face Book, Twitter, and LinkedIn has emerged as powerful tool for perception management, social engineering, cyber-crimes and intelligence. It has also emerged as a major instrument of waging “Asymmetric Warfare” through exploitation of the aspirations of people, differential development, varying religious beliefs and cultural leanings.  These have also become attractive sources for recruitment and radicalisation by the terrorist organizations.

Nations across the world are putting legal frame work, infrastructure and human resource for monitoring this media to remain proactive. Major issue being privacy vs human/national security.

Cyber Warfare

It is universally acknowledged that the 21st century war will be highly “Cyber-centric” if not fully led by cyber theatre.  Glimpses of these have been given by the Russian assault on Estonia and Ukraine. While in Estonia, it was pure cyber intervention, in Ukraine, it was a combination of cyber and Kinetic attacks wherein the bits preceded the bullets. This operation is a land mark in Cyber Enabled Warfare. Nations across the world have pronounced their doctrines of cyber warfare, have raised organisations to conduct cyber warfare and are busy in the making and testing of cyber weapons. USA is reported to have used “logic bombs” in Afghanistan and Syria to effectively neutralise their communication networks.

The Indian Scene

India is very vulnerable to cyber interventions due to certain strategic deficiencies, inadequate appreciation of the threat and rather tardy and disjointed implementation of policies. India was one of the handful of nations to promulgate Information Technology Act in year 2000 as a legal policy document to deal with cyber interventions. The same was revised in 2008. Similarly, the National Policy on Electronics was issued in 2012 and the National Cyber Security Policy in 2013. Yet, till a few years ago, well co-ordinated and focused efforts towards cyber security were missing except for the establishment of Computer Emergency Response Team – India (CERT-IN) and similar organisations at the state level and the Indian Army.

India’s  cyber security chief Gulshan Rai told Parliament’s finance standing committee in July 2017, that cyber threats had evolved swiftly from viruses and “nuisance” attacks in the early 2000s to sophisticated malware and advanced denial of service, and could pose the risk of severely destructive attacks by 2020.

India will face increasingly sophisticated “destructive” cyber threats as compared to the “disruptive” attacks in the Indian cyberspace that are currently adding up to 200 million malware-related and 1,90,000 “unique” intrusions in any given week. The government — the Centre and states — is the main target of cyber-attacks, driven by motives ranging from theft, espionage and data extraction to counterfeiting. In 2015 and 2016, the government sector accounted for 27% and 29% of all cyber-attacks.

Other sectors high on the priority list of cyber criminals are banking, energy, telecom and defence, which along with the government, account for three-fourths of all cyber-attacks. The emergence of new services and apps, cloud and cognitive technologies, has made cyber security more challenging even as the value of data and its applications in commerce grows by the day, making cyber security a major task.

The incidence of e-transactions is rising with India logging in an estimated 2 billion such dealings a day as compared to around 54 billion worldwide, according to World Payments Report 2016.

Cyber-attacks use techniques and tools that help criminals evade detection with increasing refinement, and this has led the government to recognise cyber security as a “strategic domain” and devise strategies aimed at deepening cooperation at the international level. The PMO and the national security adviser are key elements overseeing a range of civilian and defence agencies with cyber security mandates.

Cyber Security Architecture

India is setting up its own ‘cyber security architecture’ that will comprise the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing among stakeholders, the Cyber Operation Centre that will be jointly run by the NTRO and the armed forces for threat management and mitigation for identified critical sectors and defence, and the National Critical Information Infrastructure Protection Centre (NCIIPC) under the NTRO for providing cover to ‘critical information infrastructure’.

Concurrently, the government is also coming up with a legal framework to deal with cyber security; has launched a drive for creating greater awareness to this threat and is creating necessary human resource with requisite skills. Major cyber security projects under implementation are given in the succeeding paragraphs.

National Cyber Coordination Centre (NCCC)

NCCC is a critical component of India’s cyber security against hackers and espionage as well as track terrorist activity on line. A group of cyber security professionals and experts will look after the functioning of the Centre and track illegal and terror activities on line. It will run on similar lines as in the US, UK, France and Germany. Its mandate may also include cyber intelligence sharing.

Botnet Cleaning and Malware Analysis Centre

India has the largest number of Botnets in the world. To obviate and limit the threat due to botnets, the Government has recently set up a Botnet Cleaning and Malware Analysis Centre. The project is a part of Digital India programme and aims to create safe and secure cyberspace. It will automatically detect botnets that trigger various cybercrimes and suggest the device owner to remove them from their device with their help.

Central Monitoring System (CMS)

Central Monitoring System, the Union Government’s ambitious electronic intelligence monitoring system, is likely to start functioning fully by this year-end. According to the Ministry of Home Affairs officials, the hi-tech unit which will provide unhindered access to phone calls, text messages, and social media conversations to law enforcement agencies in real-time will have two units in the inaugural phase in Delhi and Bangalore.

National Critical Information Infrastructure Protection Centre (NCIIPC)

Article 70A (IT Act 2008) mandated the need for a special agency that would look at designated CIIs and evolve practices, policies and procedures to protect them from a cyber-attack. The National Critical Information Infrastructure Protection Centre (NCIIPC) was created and placed under the technical intelligence agency, the National Technical Research Organisation, to roll out counter-measures in cooperation with other security agencies and private corporate entities that man these critical sectors.

Protection of Power Sector

In December 2010, Ministry of Power had constituted CERTs (Computer Emergency Response Teams) for power sector i.e.; CERT-Thermal (nodal agency- National Thermal Power Corporation (NTPC)), CERT-Hydro (nodal agency- National Hydroelectric Power Corporation (NHPC)) and CERT-Transmission (nodal agency- Power Grid Corporation of India Limited (PGCIL)) to take necessary action to prevent cyber attacks in their domains. The State Power Utilities have also been advised to prepare their own sectorial Crisis Management Plan (CMP) and align themselves with the Nodal Agencies i.e. NTPC, NHPC & PGCIL and CERT – for the necessary actions.

Grid Security Expert System (GSES)

Grid Security Expert System (GSES) was developed by POWERGRID and it involves installation of knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal units up to 132 kV stations and the reliable Optical fibre Ground wire (OFGW) communication system. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.

Crisis Management Plan

India has prepared a Crisis Management Plan (CMP) for countering cyber-attacks and cyber terrorism for preventing the large scale disruption in the functioning of critical information systems of Government, public and private sector resources and services. The Crisis Management Plan (CMP) for Countering Cyber Attacks and Cyber Terrorism outlines a framework for dealing with cyber related incidents for rapid identification, swift response and remedial actions to mitigate and recover from cyber related incidents impacting critical national processes.

 Network Traffic Analysis System (NeTRA)

A monitoring and electronic surveillance project being executed by the DRDO.It appears to be Indian government’s first attempt of mass surveillance rather than individual targets. It will scan the activities over the social networking websites like twitter and would scan the mails and chat transcript and even the voices in the internet traffic.

The above efforts are aligned towards developing a cyber defence capability. There is no information in the open domain regarding development of cyber offensive capabilities and their integration. Cyber space is essentially “Offence Dominant” by its very character and cyber power includes both defensive and offensive capabilities backed by appropriate organisation, technology, skilled human resource and a well-developed defence electronic manufacturing and components base.

Imperatives

India needs national scale effort supported by political will, adequate funding, contemporary technology and skilled people to realize necessary cyber security capability. These imperatives would require synergy amongst various ministries and agencies through appropriate policy framework and organisation and must be executed concurrently. Some of the essential imperatives are given in the succeeding paragraphs.

Establish National Cyber Security Commission (NCSC) – a fully empowered body with its own department, on the lines of Space Commission and Atomic Energy Commission. The country needs to build thought leadership and weave together India’s potential in cyber security under one organisation. NCSC will have the onerous tasks of creating synergy amongst various stake holders through an enabling policy framework; developing technology, manpower, industry clusters, education standards and certification, intelligence and counter intelligence mechanisms, cyber forensics, security standards, and policy research. It will also coordinate with all ministries for National Critical Information Infrastructure (NCII) in their areas.  It will play a catalytic role for the requirements of military in cyber warfare.

The National Cyber Security Policy 2013 needs to be revisited urgently in the light of rapid pace of technology development and very dynamic threat scenario. This policy should be translated to a time bound action plan in consonance with the national cyber security doctrine and specify clearly the responsibility for its execution and accountability. The policy, action plan, organisation and assured budgetary support must be discussed and approved by the Parliament.

Develop Cyber War Capability: India urgently needs to develop policies and capabilities in this ‘Fifth’ domain of war.  These cannot wait and must be taken up on top most priority in a “Mission Mode” by the Services. The situation and threats to India are unique and hence there is the necessity of developing an indigenous solution in consonance with the doctrine to include organisation, technology, skill sets, training infrastructure and R&D. Immediate raising of an Indian Cyber Command is a national strategic imperative.

Energise “Make in India” Programme

India announced her National Electronic Policy (NEP) in 2012 with a view to establish an Electronic System Design and Manufacturing (ESDM) eco system and manufacture of semi-conductors in the country. Unfortunately, the scheme did not take off inspite of the fact that it offered attractive financial and taxation terms. This scheme has now been given a push under the “Make in India” programme. Absence of electronic manufacturing base and indigenous semi-conductor manufacturing capability in the country are strategic deficiencies. These are absolutely essential and fundamental pre-requisites for cyber security and need immediate attention at the highest level.

Cyber Policy Research Centre: There is no think tank that is studying policies and documents being produced by groupings of governments, industry, civil society, academia, interested organisations and international policy making organisations. Thousands of pages are being churned out, which require deeper understanding through analysis and discussions to decide on what is in India’s interest. We are unable to address policy as well as operational issues due to the lack of focused studies. Numerous NGOs created at the behest of foreign governments, are obfuscating policy discussions to derail national positions. Also as technology evolves, a large amount of cyber security research and policies require timely revision.

Cyber Threat Intelligence Centre: India needs to have cyber analysis centers which collects attack data on various infrastructures, financial systems, web sites and services; correlate “big data” generated from government with financial and commercial data to create patterns and suggest anomalies, for advance preventive actions.

Cyber Workforce development: There is an urgent requirement to have a national plan to develop cyber security workforce and an associated cadre. NCSP 2013 has set up a target of five lakhs skilled cyber resource in the non-formal sector for cyber security and also to exploit the business opportunity of providing services to global customers by 2018. India also must lay emphasis on developing “Science of Cyber Security”.

R&D for product development: India needs focused R&D in the development of safe products; discovery and analysis of vulnerabilities, fixing attribution and design of cyber weapons. Manufacturing and export of cyber security products presents a very attractive opportunity for India.

Security Standards and Frameworks, Audit: India needs to develop and promulgate the cyber security standards and frameworks for development, and audit processes for assurance of protection of our NCII. Enabling Policy measures are required to encourage establishment of testing labs for managing ICT Supply Chain Risks.

Cyber-crime investigations: There is an urgent need for development and continual upgradation of cyber forensics capabilities and investigating skills with our law enforcement agencies (LEAs), to handle cyber-crimes in the ever expanding proliferation of devices, platforms, big data, Internet of Things, mobility and social media.

Assurance Framework, Test & Certifica-tion: There is an immediate requirement of setting up a national cyber test facility providing for network emulation, monitoring and audit, vulnerability analysis, simulated attacks, graduated response, performance analysis and security assurance modeling.

Build Thought Leadership, Executive/ Political Sponsors: Build cyber security savvy leadership, subject matter experts, solution architects and system engineers so as to address the inadequate comprehension of lack of cyber security capability and its bearing on national security including the military dimension.

Leveraging Diaspora: Indian diaspora is at the fore front of building security technologies, platforms and solutions across world class institutions and industry in USA and Europe. They can be the biggest catalyst in building cyber security capability. Proactive and aggressive steps should be taken to leverage the diaspora.

Outreach Programme to Attract Industry. Government needs to make it attractive for the private sector to invest in capability building through innovative mechanisms, such as funding development of new technologies, committing to buy from partner companies etc. Both the Government and the Industry must recognize multi-billion opportunity in cyber security related products and services and cash on this through a focused and proactive approach as was done for IT.

Establish Cyber Policy Research Centre: A Think-tank funded by the government/Industry, for studying all facets of cyberspace and making policy recommendations to the government.

In this digitally connected world, development of full spectrum cyber security along with an electronic industrial base, skilled human resource, enabling policy and legal frameworks, assured financial support, R&D and so on,  in consonance with the national security and cyber doctrines, is a national imperative. The digital world of today demands “Technical Sovereignty” and complete protection of data to ensure national and human security. India must ensure these for continued development and securing her rightful place in the comity of nations.

(Lieutenant General Davinder Kumar is a former Signal Officer-in-Chief, Indian Army and former CEO & MD of Tata Advanced Systems.)

(This article is carried in the print edition of September-October 2017 issue of India Foundation Journal.)

Latest News

Leave a comment

Your email address will not be published. Required fields are marked *

five + four =

Explide
Drag