Last year brought a marked increase in the frequency of cyber attacks on Indian assets, with government and private infrastructure equally affected. A research report found an alarming 136 percent increase in cyber threats and attacks against Indian government organizations and a 126 percent spike in attacks targeting financial services organizations. According to Symantec’s 2013 Norton Report, by July 2013, sophisticated cyber assaults like ransomware and spear-phishing had cost Indian individuals and companies some $4 billion.
Such is the dark side of the rising dependence on mobile systems and smartphones. At a time of heightened online breaches – phishing, defaced websites, network break-ins, virus attacks – the Indian government published its first ever National Cyber Security Policy (NCSP), in early July, 2013. The success and feasibility of the policy, however, are debatable.
India’s Regional Woes
In June 2012, cyber attacks were reported on the Indian Navy’s Eastern Command systems. The Eastern Naval Command oversees the maritime activities in the South China Sea, as well as the development of ballistic missile submarines. On July 12, 2013, just days after the NCSP was released, several high-level officials of the GOI reported their emails had been hacked. A subsequent investigation put the total number of hacked accounts at roughly 12,000, including systems from the Ministry of External Affairs, Ministry of Home Affairs, Defence Research and Development Organisation (DRDO), and the Indo-Tibetan Border Police Force (ITBP). Even the main National Informatics Centre email server, which serves as the nexus for all government departments, was believed to have been affected. Officers from the National Technical Research Organization (NTRO), India’s premier technical intelligence agency under the NSA, believed that the hacks were directed at networks hosting state secrets.
While any number of countries could be after secrets from the foreign and home ministries and DRDO, only one would be interested in ITBP: China, with which India has a long-running boundary dispute. This, along with the PLA’s recent involvement in cross-globe cyber espionage, should be ringing alarm bells in New Delhi. The U.S. recently indicted five People’s Liberation Army officers for hacking and economic espionage, in what is known as the Unit 61398 case. Although Beijing has repeatedly denied state involvement, a 2009 executive summary prepared for the American Congress by Northrop Grumman states that the nature of the malicious software being used was designed to steal data only a nation-state would want, primarily seeking defense-engineering specifications, military operational information, and U.S.-China policy documents.
There are few reports of Pakistan and India indulging in overtly threatening cyber warfare, although in recent times, hacker groups based out of Lahore and Karachi have managed to break into the websites of the Central Bureau of Investigation (CBI) and the Bharat Sanchar Nigam Limited (BSNL), mostly to deface the sites and leave hate mail. However, it is widely speculated that regional terrorist outfits, such as the Indian Mujahideen (IM), make heavy use of social media sites to not only communicate effectively, but also to conduct recruitment drives, all under the government’s nose. Any cyber policy instituted by the GOI will need to actively deal with these issues.
National Cyber Security Policy
The NCSP essentially speaks of a framework for the protection of information in cyberspace by eliminating vulnerabilities. Major clauses include greater emphasis on research and development of indigenous security technology, and their effective testing and deployment. The policy also calls for enhanced public and private partnership vis-à-vis technical and operational cooperation, aimed at encouraging organizations to adopt individually tailored IT regulations and infrastructure, in conformity with international best practices. Development of human resources through training programs and other capacity-building measures is another crucial priority. The policy envisions creating a workforce of 500,000 cyber specialists in the next five years. Auxiliary services like the protection of private information in process, transit and storage; the creation of a well-defined legislative framework to deal with criminal investigations and prosecution; and the promotion of individual responsibility in dealing with cyber security also find a mention in the policy.
The policy has also facilitated the creation of a new agency called the National Critical Information Infrastructure Protection Centre (NCIIPC), charged with protecting assets in sensitive sectors such as defense, finance, energy, and telecommunications. The Indian Computer Emergency Response Team (CERT-In), which was previously tasked with security of national assets, now protects cyber assets in non-critical areas, and also acts as the nodal agency for all cyber security emergencies with round-the-clock functionality.
Despite being a positive step towards securing India’s cyber assets, the NCSP is far from answering all nuances of the cyber threat, as they exist today.
The most critical factor is the lack of details, along with a feasible nationwide strategy to achieve the objectives set out in the policy. Unlike statutes, policies passed by the Indian legislature are neither binding nor enforceable, but merely provide guidelines for a standard operating procedure. In this regard, the NCSP does not maximize its potential for optimum benefit. The text of the policy is easy to comprehend, as it basically outlines the perceived requirement to amend the existing framework and make it better suited to countering the threat of cyber attacks today. Yet the NCSP fails to comment on any political, economic or legal measure it intends to implement to achieve this objective. The Indian government budgeted just $7.76 million for cyber security in 2013, compared with at least $751 million spent by the U.S. government on its cyberspace programs.
“Indian agencies don’t have enough resources. Their budget should be at least 10 times bigger if they have to function properly,” says Subimal Bhattacharjee, a cyber security expert and former India head of the U.S. information systems giant General Dynamics.
A crucial point missing entirely from the NCSP is the security concerns in the telecom industry. Today, telecommunications are fully integrated into cyberspace, since the advent of internet protocols on mobile devices, and this has been identified as one of the primary factors for the increase in the number of attacks. Russian cyber security solutions firm Kaspersky Lab placed India second on its 2013 list of those countries most vulnerable to attacks on mobile phones.
For its telecom industry, India incorporates equipment and infrastructure from global telecom companies, primarily Huawei Technologies Co., Ltd., a leading Chinese telecommunications and networking equipment company, founded by Ren Zhengfei. It should be noted that Ren Zhengfei, an ex-major with the PLA, enjoys extensive ties with the Chinese military and the Communist Party, having been elected a member of the 12th National Congress of the Communist Party of China. For their part, the U.S. and U.K. have severely curbed Huawei’s foray into their respective markets.
Another notable point on which the NCSP maintains an ambiguous silence is the deliberations presently underway on setting up a fully fledged Indian Cyber Command, under the aegis of the defense services, to engage in network-centric warfare. Should this actually happen, a question of jurisdiction will arise, one that could easily become a quagmire.
Even though the NCSP was released over a year ago, any benefits are yet to materialize. In the meantime, Indian companies and government organizations continue to defend themselves against unconventional warfare, which they do not understand in its entirety. Still, as the Dell Software Global Security Survey reports, companies in the Asia-Pacific have at least begun to prioritize their IT policies, to be in a better position to counter threats.
CERT-In’s recent survey labels the .in domain as the most frequently attacked, which is alarming as this address is primarily used by government agencies and a few major private companies. Full statistics of the survey can be found here.
Meanwhile, the Indian government seems to have realized the urgency of the need to develop cyber security training. In January 2013, the University Grants Commission directed technical universities and institutions to add Cyber Security and Information Security as subjects for higher studies. Premier institutes like the Institute for Information Security and Indian School of Ethical Hacking now offer these technical courses, as do a few major private universities in India.
The key to cyber security in India lies in the effective operationalization of the NCSP. Workshops, seminars and courses aimed at informing the general public about the issue of cyber security, coupled with feasible public-private partnerships, will work to offset the threat to India’s online assets in the long run.
Amit R. Saksena is a postgraduate scholar at the Jindal School of International Affairs. The views expressed in this article are his own.