The recent revelation by McAfee Vice President Dmitri Alperovitch that a five-year cyber-snooping campaign (Operation Shady Rat) had been uncovered, affecting 72 organisations in 14 countries, among them the governments of India, the US, South Korea, Taiwan and Vietnam, as well as ASEAN, the IOC and the World Anti-Doping Agency, has reiterated the emergence of a new front in warfare – computer networks. Although Alperovitch declined to comment on who the chief suspects were, he did indicate that it was most probably a state actor. “This is the biggest transfer of intellectual property in history and the scale at which this is occurring is really frightening,” the McAfee official said. “What is happening to all this data…is still largely an open question. However, if even a fraction of it is used to build better competing products or beat competitors at key negotiations, the loss will represent a massive economic threat.” James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, was less reticent. “China rises to the top of the list of nations that could do this…this fits precedent with other attacks we’ve seen. It’s not conclusive, but who else cares this much about Taiwan?” George Kurtz, Executive Vice President of McAfee, commented, “We have strong evidence suggesting that the attackers were based in China…the tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”
In our modern information society, the need for information systems and cyber networks hardly needs emphasising, and neither should the need for cybersecurity infrastructure. The failure of any one information network to meet its expected service level, be it banking, health, transportation, or defence, could have a significant impact on national life. An emerging issue is that cyber infrastructures, until now independent, are becoming entangled into a network of networks. When infrastructures are interconnected, new vulnerabilities might arise from the common links, failures might propagate through the different systems, and intrusion and disruption in one infrastructure might provoke unexpected threats to others. In such cases, the question of specifying dependability and trust requirements, and translating them into performance and functionality requirements for the other systems, becomes vital.
Cybercrime, for many years the purview of individuals who sought quick monetary gain, has now morphed considerably into a battleground for nations as well as the old guard of individuals after a quick buck. In the last year alone, hackers from Pakistan and China have penetrated Indian computer systems as sensitive as the Central Bureau of Investigation (CBI), the Prime Minister’s Office (PMO), the National Security Guard (NSG), the Ministry of External Affairs (MEA), the Ministry of Defence (MoD) and even the computers of army officers. This year alone, over 117 breaches of Indian government computer systems have taken place, and over 3,000 Indian websites have been hacked. Yet there seems to be no serious consideration of the ramifications of these attacks. “Most of the hacks happen because Indian government departments and agencies do not follow the procedures set for regular audits of the sites,” a security official associated with the government said.
India’s feeble response to attacks on its information and communication technology (ICT) infrastructure has been to establish a body tasked with defending the country’s ICT networks. The Indian Computer Emergency Response Team (CERT-In) was established in 2003 as a “specialist expertise” cell that could be called on by other institutions such as the Ministry of Home Affairs, the courts, the intelligence services, the police and the National Human Rights Commission. CERT-In’s stated mission is “to enhance the security of India’s Communications and Information Infrastructure through proactive action and effective collaboration.” (Ironically, the organisation’s website was down at the time of this writing.) Despite the creation of CERT-In as a dedicated body to monitor and safeguard Indian ICT infrastructure, the organisation is hampered by many obstacles. First and foremost is the minuscule budget afforded CERT-In – the cyber team is quite small compared to its American equivalent, US-CERT, and, more importantly, poorly remunerated. Given the pay scales of comparable jobs in the private sector, employee retention is difficult and attracting the best IT minds even more so.
If financial problems were India’s only woes, the solution would be a quick fix. Unfortunately, Indian cybersecurity suffers from a myriad of problems stemming from an unclear conception of principles and goals. For example, CERT-In is used not only to protect Indian computer networks but also to censor the Internet. According to the Freedom Institute, India’s freedom index has declined from 34 in 2009 to 36 in 2011, reflecting the tightening controls. “While online journalists and bloggers are not often required to censor their writing, it is understood that certain topics must be approached with caution,” the report noted. “These include religion, communalism, the corporate-government nexus, links between government and organized crime, Kashmiri separatism, hostile rhetoric from Pakistan, and various forms of aggressive, demagogic speech. Such topics are indeed addressed by online writers, but they are handled carefully to avoid inciting violence, particularly by non-state actors,” the report pointed out. It also drew attention to the fact that, unlike in most other countries, most of the content forced to be taken down related to communities and individuals rather than directly to politics and matters of the state, most notably in the case of Barkha Dutt forcing Chetan Kunte to take down his post criticising her sensationalism in the coverage of the Bombay tragedy in November 2008. Admittedly, there are no government agencies dedicated to censoring the Internet in India. Requests are usually made by state-level executive authorities and by private individuals through court cases. This ad hoc nature, however, means that there is neither any public list of blocked websites nor a way for an affected website to request a review or appeal.
Present Indian law covers the digital domain as follows:
1. Indian IT Act (2000)
   a. Section 43 – tampering with electronic records
   b. Section 65 – hacking and computer offences
   c. Section 66 – tampering with computer source code
   d. Section 66A – cyber stalking, privacy invasion, identity theft
   e. provides state powers to direct interception or decryption
   f. identification and protection of Critical Information Infrastructure (CII)
2. Indian Copyright Act – computer programmes have copyright protection but no patent protection, and any knowing use of an illegal copy of a programme is punishable
3. Indian Penal Code
   a. Section 406 – criminal breach of trust
   b. Section 420 – cheating and dishonestly inducing delivery of property
4. Indian Contract Act (1872) – offers damages in case of breach of trust
5. Indian Telegraph Act (1885) (2008 amendment)
   a. expanded state surveillance powers, including interception of SMS and email messages
   b. broadened the scope of activities identified as criminal offences, which now include sending messages that are deemed offensive, violation of bodily privacy, cyber-terrorism, and the publication or transmission of sexually explicit material
   c. no warrant is required to intercept digitally transmitted data
   d. imprisonment (of ISPs, telecom operators, cyber cafe owners) for not surrendering data requested by the government
Diversion: Cases of concern
In 2009, the authorities blocked a highly popular adult cartoon site called Savitabhabhi without granting the creators an opportunity to defend their right to free expression, raising concerns about the arbitrary nature and broad scope of the government’s power in this area.
In September 2007, after Google and a major ISP cooperated with a police investigation, information-technology worker Lakshmana Kailash K was jailed for 50 days for allegedly defaming an Indian historical figure online.
In May 2008, two men were arrested and charged for posting derogatory comments about Congress party chief Sonia Gandhi on Orkut; the case is still pending.
In 2009, in a case arising from several anonymous comments criticising the right-wing party Shiv Sena on a web community moderated by Ajith D, a 19-year-old from Kerala, the Supreme Court ruled that both bloggers and moderators can face libel suits and even criminal prosecution for comments posted by other users on their websites.
The distribution of ICT security over various laws, and the use of cybersecurity services for censorship purposes as well as for protecting the CII, makes for a broad and unclear definition of cybersecurity. In itself, the distribution of responsibility for cybersecurity over a variety of agencies is not unwise – in the United States, the task is handled by the Departments of Homeland Security (IT, transportation, postal and shipping, emergency services, government), Treasury (banking and finance), Health and Human Services (public health, food), Energy (power grids, production sites, storage), Agriculture (agriculture, meat and poultry), Defence (defence industrial base), and the Environmental Protection Agency (water, chemical industry, hazardous waste). However, these networks are inextricably interlinked, and bureaucratic blind spots could easily occur. Britain, by contrast, is moving towards a single body, the Office of Cyber Security (OCS), to provide coherence across Government. Presently, several organisations monitor Britain’s cyberspace, such as the CESG, GovCertUK, and the Centre for the Protection of National Infrastructure (CPNI). In an effort to streamline its cybersecurity efforts, the British government is forming the OCS, which will have overall ownership of the cybersecurity strategy and will provide strategic leadership across government for such issues.
Cybersecurity is made more complicated by the diversity of actors it must contend with – corporate rivals hacking into each other’s systems; environmental activists defacing the websites of corporations or government ministries; terrorists seeking a means of causing chaos in various national infrastructures; and rival nations using it as a potent yet less obvious way to damage or obtain knowledge of their opponents’ defence structures. Cybersecurity is also made more problematic as networks stretch across national boundaries and around the globe. Therefore, in order to effectively counter cybercrime, a purely national effort will not do. Information networks must be secure at all points internationally, and this needs to be coordinated with foreign governments. India has already taken steps in this regard, forming the Indo-US Cyber Security Forum (IUSCSF) in 2001 and entering into an agreement with the US in July 2011 to promote closer cooperation and the timely exchange of information between the organisations of both governments responsible for cybersecurity. Primarily, it sets up a framework of cooperation between CERT-In and US-CERT.
Cybersecurity has multiple facets, none of which is less important than the others. A family of qualities, it needs to be conceptualised thus:
1. The development of safe, secure, and resilient systems – besides traditional thinking such as firewalls and anti-virus software, cybersecurity should include the push towards international technology standards, addressing redundancy and resilience in previous-generation systems, refining procurement criteria, and maintaining an intellectual dynamism in the face of emergent cyber threats. It is also unlikely that all attacks can be thwarted. Therefore, the government must identify critical infrastructure and then prioritise its protection in order of importance.
2. Policy, doctrinal, legal, and regulatory – a centralised agency such as CERT-In should be empowered to oversee and guide all cybersecurity efforts in the country. Even if there are areas in which local agencies (such as police) may lead in efforts, CERT-In can provide expertise and guidance as needed. With a national overview, the organisation can also identify gaps in legal, doctrinal, policy, and regulatory frameworks and work towards suitable resolutions.
3. Awareness – security is in many ways ultimately a state of mind. Government and industry both need to be made aware of the prevalent dangers, the cybersecurity measures in place, and the regulatory requirements involved. Ultimately, (cyber)security, like environmental concerns, needs to be one of the aspects of policy formulation in any department rather than an afterthought. This needs to be extended to the general public as well – computer education should encompass lessons in safe online behaviour. Furthermore, companies and other organisations should be approached to establish common policies for e-mail, Internet, and other digital use in the workplace. Part of spreading awareness is transparency, at which Indian bureaucrats are notoriously bad. Cyber policy should be part of the public sphere, allowing average citizens to take from it what they will and, in return, impressing upon them the seriousness of this virtual threat.
4. Manpower – degrees and diplomas in information technology, computer science and engineering, and other related disciplines should be consistently updated to keep up with the latest developments in a rapidly changing environment. The present labour force in areas related to cybersecurity may need to be retrained, or may need its skill sets enhanced through professional development conferences at regular intervals, to keep abreast of the field. This is not limited to technical expertise but encompasses wider skills, or combinations of skills, which may be required to meet current or future skills gaps. This work will need to develop and initiate remedies to any identified shortfalls through, for example, the development of training, the provision of accreditation or incentives, and the longer-term development of viable career paths, within and outside Government.
5. Research & Development – as a first step, the government must encourage and fund the further development of ICT programmes in the country. Academic institutions should also be encouraged to develop new software, frameworks, and concepts individually or in collaboration with other academic institutions within and outside the country, with industry, or even with Government. CERT-In can contribute to this by studying long-term trends emerging in cybersecurity and encouraging research in those areas to pre-empt a crisis further on.
6. International Cooperation – CERT-In should be tasked with the responsibility of bringing greater coherence to India’s cyber policy and authorised to work with overseas partners and international organisations. Clearly, CERT-In cannot conduct its own foreign policy and will therefore be second chair to the MEA on the international stage, but it will nevertheless closely inform the MEA of India’s domestic situation and goals and how they fit in with the formulated international policy. In effect, CERT-In will provide expertise to the MEA and, once policies have been declared, treaties signed, and alliances entered into, go to work ensuring that what has been agreed upon is implemented faithfully. The agency’s main role is to ensure coherence between policy agreed with international partners and domestic aims.
7. Governance – to be an effective cybersecurity force, CERT-In would also need to regularly review international policies, domestic laws, and technical developments in the field. Through such reviews, the organisation will be better able to recommend any required changes to the existing cybersecurity framework. CERT-In would also need to be able to follow up on the implementation of government policy across ministries and industry, ensuring that cybersecurity does not remain a purely academic exercise.
8. Dilution of efforts – CERT-In needs to focus primarily on threats to Indian ICT networks, particularly CII. Internet censorship should not be part of its portfolio and may be delegated to another agency if the Indian government insists on a false definition of “free expression.”
In the latest revelation about Chinese covert activity, the United States has not thrown down the gauntlet to China because it is probably doing the same thing. The Chinese are newer to the game and get caught more often. Chinese computer systems seem woefully inadequate, and there is much that could already have been garnered from them. In 2009, President Barack Obama announced the creation of the US Cyber Command, headquartered at Fort Meade. He also recently gave the military the go-ahead to develop cyber weapons that could perform tasks ranging from espionage to the crippling of an enemy’s electrical grid. It is indeed a good question why India does not have its own cyber command – with Chinese and Pakistani activity already in the field, India would be well within her bounds to set up a similar directorate under the Ministry of Defence.
India’s recent considerable investment in its military can very easily amount to nothing if cybersecurity is not taken seriously. With increasing power comes increasing responsibility, and India’s greater international profile in the last 20 years has made India a bigger target for her enemies. If New Delhi thinks it can afford to wait and lag behind in cyber warfare, it will be in for a very costly lesson.