In 2012, the national power grid collapsed across 22 states, affecting half the population, due to a system overload. It may have been a crisis waiting to happen but a Union government probe into the two-day fiasco found that the reasons for failure included “mis-operation of the protection system of the 400 kV Bina-Gwalior link” in northern India. The committee ordered an audit of the protection systems, but it is unclear whether it was ever carried out or what it recommended.
The event did highlight one crucial point: the possibility that such an attack can be orchestrated by an external agency or group of people, within the country or outside, using the Internet. Cyber experts claim even after automation and integration, the grid will present few problems to a cyber assault force. “The people who carry them out will only require decent infrastructure and a motive, which is quite true for our neighbours (like Pakistan and China),” an expert says.
The power grid is not the only sitting duck. Hardly any government agency is adequately protected or even equipped to handle cyber attacks, according to experts working in the strategic sector. Targets include services like the metro, the Railways or airports. The government response, especially the bureaucracy, has so far been denial of even the possibility. It seems inevitable, however, that a major breach is really just a matter of time and timing.
The communications revolution has led to an unprecedented degree of connectivity by phone, computer, and Internet—a massive boon for businesses, institutions and individuals—but it’s also made everyone acutely vulnerable to malicious electronic interception. Latest industry estimates say Indians will buy more than 100 million phones, mostly smartphones, in the next few years. The computer-laptop-tablet sales industry has also hit a boom cycle across the world.
The web is where the action is, whether information or money, and that means it’s also the place where future wars, bloodless or otherwise, will be fought. Some are already being fought, silent and invisible, but the stakes are high and outcomes could be deadly.
In any system, the first leak occurs at the level of the Internet Service Provider (ISP)—operators licensed by the government to provide Internet service. That is the point of access and ISPs generate large revenues by selling identity details of customers to third parties. This includes information on phone usage, Internet usage, average bill per month, age profile, all provided for a sum. In many cases, specific items like numbers of people from a particular age group are also provided, though this sale of customer information is illegal, says V. K. Sharma, a Supreme Court lawyer who works on cases related to cybercrime. Moreover, Internet applications launched by various companies have become a medium for selling ads and also sharing a lot of personal information.
The hundreds of emails people receive about real estate, insurance, or other sales with “special offers” on their “private” mail accounts are a result of information leaks at this end of the site. It is estimated that 10 per cent of the people who access the web in India have their identities stolen and used for various other purposes.
According to Ashim Sanyal of consumer protection group VOICE (Voluntary Organisation in Interest of Consumer Education), “The IT revolution came so fast that not enough awareness could be generated among users. Moreover, since people are in their private spaces, they believe they are safe. Due to this pseudo-security and the absence of a threat perception, consumers suffer every day. The number of unsafe devices runs into millions.”
The major reason for the high number of security breaches is that so many people have so many devices that are unprotected. The movies always show hackers as young, hyper-intelligent sociopaths but a basic hacking job is pretty easy. One simple way is to send a link of an otherwise legitimate website but with embedded malware that opens up the visitor to invasion. The owner is unaware of a system security breach but the hacker creates a backdoor and can control the system remotely. Such attacks now include smartphones, tablets and other Internet-connected devices with the widespread use of applications and software that have wide-ranging uses. Most have little or no security.
Neelabh Rai, an independent expert who runs the website cybercops.in, says in one of his research papers, “Contrary to popular belief, most attacks do not require great technical sophistication, yet present an unprecedented challenge for law enforcement. As technologies become more user-friendly, computer users require less knowledge and are, therefore, more vulnerable to cybercrime, home users perhaps the most. Personal computers are a favourite target for such criminals.”
That’s true of mobile phones as well. It’s claimed that Chinese manufacturers have put in backdoor-entry systems to snoop and collect any sensitive data they can lay their hands on. In 2008, the media reported experts as saying the Chinese company Huawei was manufacturing military-grade chips used in missile defence systems and selling them in India. These chips have embedded backdoor-entry that can be activated whenever the company wants, which means when it is instructed to do so, and it can bring thousands of devices directly under its control. India has neither taken any action against the company nor asked it to explain the charge. Huawei, while not denying the charge, claims it is following the best security practices. Debabrata Nayak, chief security officer at Huawei’s India office in Gurgaon, says, “Not one charge against us can be proven.”
While the way cybercrime affects the average user is mostly understood and the competitive environment is forcing companies to raise the barricades, a proper understanding of the threats to national security is lacking. The increase in complexity of attacks against important installations has prompted them to set up dedicated cyber security cells for protection, but India has not yet fully linked national security to its national cyber security policy, even though there is a clear understanding that cyber warfare—all-out attacks on critical information infrastructure through cyberspace—is the fourth dimension of warfare that has emerged in the past decade apart from land, air and sea warfare.
In 2011, the nuclear facility at Ratehalli in Mysore district, Karnataka, came under threat from software originally developed to target the Iranian nuclear programme. The Rare Materials Plant (RMP) produces highly enriched uranium for the country’s nuclear programme. The damage has not been made public till date but is believed to be marginal, as it was detected in the early stages.
“The main reason it could not affect the facility was that it was a poor derivative of the highly potent Stuxnet program, most details of which were with our experts by then,” said a source who was a senior officer at the RMP when the attack took place. He concedes that the facility is still not up-to-date on the cyber security front.
“The software was infiltrated through online mediums and not a planned breach through the hardware, as was the case with Stuxnet,” he added.
While the challenge to secure cyberspace using software and a policy to monitor their use is huge, hardware protection is easier. Physical hacking is usually done through external means, like a pen drive that can be linked to a computer and a virus or malware downloaded into it. It has also proved to be the most potent way to destroy critical infrastructure the world over—Operation Stuxnet, first named Operation Olympic Games, being the deadliest known till date.
Sometime in 2005, when the US and Israel were under considerable pressure over Iran’s uranium enrichment project, Olympic Games was launched to develop malware and viruses that could electronically derail the program so that Israel or the US would not have to bomb Iran’s enrichment plants. Scientists from both the US and Israel probed for weaknesses in Iran’s systems in a project considered the beginning of large-scale cyber warfare.
What followed was an elaborate procedure of testing, stealing and cheating by American and Israeli scientists and security establishments. Scientists ascertained that the machines the Iranians were using to enrich uranium had been built based on the famous P-1 design, named after the Pakistanis who first built it. A. Q. Khan, considered the father of Pakistan’s nuclear weapons programme, stole the design of the six-foot high tough-to-handle machine from a lab in the Netherlands where he worked in the 1970s and fled to Pakistan in 1976. After building up the Pakistani programme, Khan allegedly sold the design to Iran, Libya and North Korea in the black market. While North Korea and Iran went ahead, Libya reportedly gave it up in 2003 under immense pressure from Israel and the Western powers.
Meanwhile, the Idaho National Laboratory in the US was working with German company Siemens on its controller machine, called the Process Control System-7 (PCS-7), which Siemens had supplied to Iran, used to control the centrifuges at their Natanz nuclear facility. PCS-7 proved vulnerable to cyber attack, which the US and Israel decided to exploit. They had Stuxnet, considered the most potent cyber weapon deployed till date. It can lie dormant for years in a system and wake up when there are ideal conditions for the particular function it has been designed to execute.
After Stuxnet was ready, American agencies are said to have tried to push it across online platforms the world over to make sure it infiltrated Iran. It was even discovered by engineers in India and Indonesia who found it to be present, yet causing no harm. How it reached India and whether it managed to infiltrate any critical installations has not been discussed till date. But it is now clear that it was a variant of Stuxnet that breached Ratehalli.
Stuxnet was designed in two phases. The first one was to make sure that when 984 centrifuges—a figure provided by Israel’s intelligence agency Mossad—were in place, they were commanded to over-speed and spin out of control till they destroyed themselves. The second, considered a masterstroke, was to make sure data present during the plant’s normal functioning was recorded by the program and relayed to the system when the centrifuges were destroying themselves. This prevented security systems from kicking in and shutting down the plant. Iran’s uranium enrichment programme suffered a major setback and has been delayed by many years.
In all this, two things stand out. First, software attacks like Stuxnet are just the beginning—experts have termed it the beginning of a revolution and said more attacks around the world will follow. Second, countries across the world will find ingenious ways of physically hacking into the defences of other countries to destroy their capabilities.
An expert who has worked closely with the Indian defence sector, speaking on condition of anonymity, said, “Stuxnet was either transported through Siemens machinery into Iran or through a mole, who might well have been duped into it or unknowingly passed it onto the system.”
Does India have the ability to defend itself from such attacks? At present, no. India has started to take its software defence seriously only now, with the Defence Research and Development Organisation (DRDO) deciding to develop its own testing software this year. But the physical hacking aspect can be plugged right away. Sadly, even that is a matter of serious concern. “Even though there is a strict procedure at agencies like the DRDO, it is common practice for personnel to carry their own pen drives. Some of the software is outdated and people download and run open-source software. An agency wanting to hack into the systems will not need much effort. Amateurs can do it,” says the expert.
Even the National Informatics Centre (NIC)—which develops software for various government agencies, including the defence sector—works in a manner that would shock a security expert. “We ask fresh graduates from colleges to do some of the work for us on an ad-hoc basis. While there is a risk of data leak, it has not usually happened. And then there is a lot of work at NIC,” says an ex-employee of NIC on condition of anonymity. However, there is no way for anyone to know whether data has been leaked or not.
That the functioning of key agencies such as NIC is under question is a severe indictment of the security establishment. “The point is that people trust them to follow the greatest standards of security. But Indians are averse to change and ask too many questions of anyone who tries to change rules, especially when they are to be mandatory,” says the defence expert.
This sentiment was echoed by Ram Narain, deputy director-general (security) of the Department of Telecommunications, during a cyber security conference in New Delhi recently. He said the implementation of mandatory processes recommended for various departments has been abysmal.
“Instead, there has been a tendency to question the need for mandatory processes. Instead of focusing on developing our own systems we are following others. We are too happy to follow others,” Narain said.
A cyber security analyst who has advised many companies, including some sensitive government departments, says, “After all the recommendations were given, I felt like giving a ‘not sufficient’ tag to the overall arrangement after my team had conducted all the tests. To that they said, ‘Aap approval de do ji, baaki ham dekh lenge. Aise nahi chalega, approval deke jao. (Just give us an approval; we will make all the arrangements. This will not do. We need an approval.)’ After much deliberation, I did so. Next year, they hired some other analyst, and I suppose the same things transpired even then.” Cyber security in India is plagued by a lack of trained personnel. There are not even 500 people working on cyber security in the various government departments at present.
The National Cyber Security Policy (NCSP), unveiled last year, emphasised the promotion of research at centres of excellence set up in various fields of strategic importance, and R&D on cutting edge security technologies. There is, however, little or no interest since India, despite being an international IT hub, is focused on developing technologies for private companies based outside the country, instead of its own needs. China, on the other hand, has beaten even the US on many fronts by developing its own security systems. In India, the Centres for Development of Advanced Computing (CDACs) run by the government function in major cities like Mumbai, Hyderabad, Bengaluru, Thiruvananthapuram and Noida, but with hardly any results. Only Thiruvananthapuram is said to have taken some strides in developing indigenous software but they too are of low quality compared to other countries.
The NCSP also calls for developing human resources, establishing cyber security training infrastructure through public-private partnership, and institutional mechanisms for law enforcement agencies. Creating a workforce of five lakh cyber security professionals in the next five years is also envisaged in the policy through skill development and training. Looking at the present figure of experts, this ambition will take a miracle to realise.
Indian cyber experts, some of whom also freelance under the web names Bharat Cyber Army or Indian Cyber Army, were exposed when they decided to retaliate against China’s hacking of some Indian government websites. While attacks by the Chinese and even some Pakistani hackers resulted in government websites shutting down for at least a day, the attempt by Indian hackers was detected, repulsed, and the exact IP address of the hacker’s computer displayed on that very website within three minutes.
Bharat Chengappa, who was part of one such hacker group (name of group not revealed on request), says the difference lies in the energies put into the preparation for an infiltration, where both defence and attack are equally important. “The problem with Indian (freelance) hackers is that they have solely aimed at defacing websites from China or Pakistan and never gone beyond that,” Chengappa says.
Most of the attacks by Indian hackers have been less sophisticated than the Chinese or US variety. “First, their sole aim has been to find weak online links of these countries. Their aim is to leave messages and make their presence felt,” he says. When these hackers attacked Chinese websites, defence mechanisms already prepared by experts kicked into place automatically.
“They have been designed to counter much more sophisticated virus attacks developed in countries like the US. But Indian programs are created by amateurs who put in comparatively little time into their work, leave alone defending the country’s websites or joining in to build counter-hacking software,” Chengappa says. “Most of the time, they do it to get a kick; it is almost like playing a video game and winning by defacing a website. The enthusiasm is limited to that.”
The latest defacing of the website of the Pakistani Railways was enough proof—a group called the Black Dragon Indian Hacker Online Squad claimed revenge for hacking of Indian websites and the bloodshed in Kashmir and threatened to hack more websites, including commercial banks.
“These threats are always hollow. They would have hacked the banks’ sites if they could but chose the cash-strapped and badly managed Pakistani Railways,” Chengappa says.
The Chinese have closely studied the attacks Indians and Pakistanis have carried out against each other and prepared their defences. The mistakes committed by Indian hackers have been amateurish in most cases. A series of attacks called Operation Hangover between 2010 and 2013, for example, exposed some Indian IP addresses used from locations in Delhi. “One of the reasons for that was that many of the codes of Trojan viruses had been written in Hindi,” a part-time hacker based in Delhi said. The attacks had been mostly aimed at Pakistan and China, though some private corporations based in the US were also targeted.
“The trends showed that defence establishments in Pakistan and China were the main targets. But some of them committed mistakes such as not using hacked IP addresses, which allowed researchers at the offices of some anti-virus companies outside India to trace them (to India).”
More than 500 IP addresses were targeted in Pakistan at one go, which obviously left some traces. In some cases, the identities of people were revealed since their resumés at online freelancing sites were also traced but it was later found that the resumés were fake. The attack first came to light after the Norwegian telecom company Telenor set up an internal enquiry into the growing number of malware detected in its offices. When the various versions of the malware, termed Hangover, were detected, they were all found to have codes partly written in Hindi.
“The attacks aimed at China were detected with such speed because the codes written were too many in number and targeted different offices at different times, but were not sophisticated enough for the Chinese. Once they detected the trends of the malware and the way they had been designed, it became easy to resist every attack. They shamed Indian hackers every time,” the Delhi-based hacker says.
In all the attacks by hackers in India, China or Pakistan, no action has been possible because none have signed any international treaty on cybercrimes. While agencies like the Intelligence Bureau (IB) and the three wings of the armed forces of India do initiate retaliatory attacks against hackers, there is no legal mechanism to have them punished in their respective countries. As a result, unless the attacks are internal or agencies like the Federal Bureau of Investigation (FBI) from the US provide specific instances of attacks and information on the hackers, there is hardly a case registered with the police or any other agency.
The brunt of the lack of security on the web is borne by corporations and financial institutions across the world. Dr Vivek Lall, president and CEO, New Ventures, Reliance Industries Limited says, “Cybercrimes have an impact on every sector in the country and across the world. It is difficult to establish exactly who the adversaries are and the detection of espionage and the threats is almost impossible. Deterrence is also difficult since breaches go undetected for years in many cases.” He also says that it is possible that service providers collaborate with the adversaries.
A major information leak from various corporate entities in India was averted in 2011, purely by chance, when an information-seeking virus named Duqu was detected in the early stages. A Mumbai-based data centre company, Web Werks, with about 200 employees, turned out to have been the centre of the attack. The company server and all its machines were infected with the virus, which was quickly detected by agencies based outside the country. The Department of Telecommunications closed down the server, averting a major infestation.
Others have had less luck. In one of the biggest hacking scandals, an alleged Indian mastermind, Amit Vikram Tiwari, son of a retired colonel, was arrested from Pune earlier this year in coordination with the FBI. The CBI raided several places in Mumbai and Ghaziabad to nab other hackers in the ring, members of which were also tracked in China and Romania.
Tiwari was allegedly approached by individuals and even big corporations to access information about other individuals or companies due to financial or market rivalry. Tiwari is also said to have been working for people associated with the Indian Premier League (IPL) to hack some accounts. While the master-hacker is said to be situated in some other country, Tiwari and his group hacked some 900 accounts from 2011 to 2013 for a fee of $250-$500 each, the CBI said. Payments were made through Western Union Money Transfer or PayPal.
One of the most potent attacks on big companies and individuals was Operation Night Dragon, so named because all the attacks came from China. Hackers used freely available services in the US and infiltrated servers in the Netherlands to get confidential data about some major oil companies and individuals based in countries as far apart as Greece, Kazakhstan, Taiwan and the US.
The primary tools were similar to Microsoft Windows Terminal Services, which allow a distant user to take control of a system affected by a virus. While Microsoft uses it to prevent data loss and to repair systems, the hackers developed these tools—called Remote Administration Tools (RATs)—and used them and vulnerabilities in the Microsoft Windows Operating Systems to access information on bids for oil and gas fields, financing information, and competitive proprietary operations.
They gained access to internal servers and desktops of individuals they wanted to target. They then accessed the additional email and other usernames and passwords of all infected computers and enabled direct access to the Internet through these machines—which means that even if the machines had no direct access to the Internet or were working offline using only the internal servers of a particular group or company, the flow of information from them to the Internet was still active. Using this access, the hackers got details of all the sensitive information they wanted.
Most of the individuals and companies are said to have been clients of McAfee, which came out with a detailed report on the breaches. Its chief technical officer admitted on a public platform that the operation had been going on for at least two years, if not more.
“With the information on its crucial oil and gas reserves lost, it is estimated that Bahrain will incur losses to the tune of $130 billion in the next 15 years in the global markets,” says Arvind Chandrasekar, director, government affairs, of AMD (Advanced Micro Devices).
India will be going the same way if security systems are not in place soon. Chandrasekar says India is among the most targeted countries for cyber attacks; it is second in terms of mobile phones and the third-most attacked on the web. While most attacks are motivated by immediate financial gain, like credit card fraud, many also target private companies working in the IT sector. According to government figures, there were 20,000 cyber crimes against Indians or Indian interests in 2013 across the world. The complexity of attacks will rise and loss of crucial and sensitive data looms large. The range of places and locations from where attacks take place will also multiply in the coming years as fibre-based connectivity reaches more and more homes, giving people access to terabytes of data and capability. This means attacks will take place from homes across the world and it will be impossible to stop the attacks.
The figures too are baffling—India has more than 444 million Internet users. In 2010, there was one mobile device connected to the Internet out of 10 in the country; by 2020 it is expected to shoot to 6.5 out of every 10 compared to the expected world average of 2.9. “In fact, a United Nations estimate says that within the next decade, the Internet connectivity rate will catch up with the average birth rate in the world,” says Chandrasekar.
While the Information Technology Act, 2000, is in place and was also amended in 2008, the most significant step taken by the government in the cybercrime domain is the unveiling of a National Cyber Security Policy (NCSP) in 2013. The broad objective is to create a secure cyberspace and strengthen the regulatory framework.
The government is also setting up a National Critical Information Infrastructure Protection Centre (NCIIPC) in Delhi to deal with cyber threats on a constant basis. The centre is under the National Technical Research Organisation (NTRO) and began hiring experts and consultants last year but is far from being functional. Its role is confined to issuing guidelines and directives to various agencies that handle government websites. Its sole achievement since inception has been that its directives and alerts prevented the hacking of Indian sites around Independence Day.
But the biggest problem faced by people within the government and the corporate world is the inability to understand the concept and scope of Critical Information Infrastructure (CII). While Section 66 (F) of the IT Act calls for harmonisation of legal policy and regulatory frameworks, there is hardly any understanding of this concept. The 2008 Act also gives a definition of CII but there is no awareness about it.
Critical infrastructure is broadly defined as “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”. Section 70 of the IT Act defines CII as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”.
Dr S. M. Bhaskar, director of the NTRO, said in a recent conference of cyber experts, “The problem is that to understand CII and the sector-wise analysis to calculate the importance of each one of them is missing. Prioritisation has not been done. There are no indigenous applications or technology present to analyse data. Despite the promotion of indigenous research and development, there is no final product that can help in doing so.”
In short, the scope of CII across various sectors is so complex that the tools to calculate the data and decide upon the overlap from sector-to-sector are not available, which basically means there is no coherent definition of CII in India. “Though a lot of the country’s energies are focused on the cyberspace sector, the need to develop cutting edge security technologies has not been addressed,” Bhaskar said.
At the NCSP, the Indian Computer Emergency Response Team (CERT-In) was designated as a nodal agency for coordination of crisis management and to act as umbrella for coordination and operationalisation of such teams (or CERTs) set up for various sectors. A mechanism has been proposed for obtaining strategic information on threats to information and communication technology (ICT) infrastructure, creating scenarios of response, resolution and crisis management through effective predictive, prevention, response and recovery action.
The biggest hurdle to moving ahead on this plan, however, is inter-departmental coordination, and getting private companies to interact with designated government departments. Most departments and companies go for bulk private anti-virus protection and forget about the threats they may face despite their constant presence in cyberspace. There is little thought to the possibility that the anti-virus package will not function in case of planned attacks.
The NCSP also requires every company to create a post of chief information security officer (CISO) who will be responsible for cyber security and create a policy to be integrated with the company’s business policy. Industry insiders concede that hardly any company has done so in the year since the policy was announced. Instead, the post is seen as an extra financial burden and the need for such an officer not felt at all, since cyber security is neither a priority, nor are there penalties for offenders.
The only department to take some steps towards a viable cyber security environment is the Department of Telecommunications, which has set up the Telecommunication Engineering Centre (TEC) that is to come up with a viable policy on testing for cyber security by the end of this year, according to R. R. Mittar, deputy director general of the TEC. All the telecom network labs, including those of companies like Google and Facebook, will eventually be required to obtain security certification.
“Some private companies are also doing their bit to set up their own labs and will be able to test servers eventually,” Mittar said at a recent conference. However, the department still requires R&D to develop big routers to monitor heavy traffic and Deep Packet Inspection (DPI) Engines. DPI helps monitor every packet of data that passes through a server for violations of protocols, spyware, malware, viruses, etc., but also slows down the passage of information. Mittar says industry participation with the TEC will be required to help develop fast processors which will eventually also enable monitoring of the various applications floating in cyberspace, especially on smartphones. “Secure software development by the Indian cyber security work force will be required,” Mittar says.
All the wings of the armed forces have set up their own CERTs to safeguard their data and information shared on Local Area Networks (LANs). The DRDO has also set up its own cyber security wing which is developing its own Operating System (OS) as well as software that will make sure that there is no snooping through the various defence systems India buys from foreign vendors.
The development of its own OS, while considered a good step by cyber experts, will take time and not automatically offer a safeguard against attacks on defence systems which are not necessarily targeted at OSes but aimed at the weaknesses in security systems.
Russia and China are developing software compatible with the open-source Linux OS to reduce costs while India has decided to invest heavily in developing its own OS. This, say experts in the telecom industry, is like reinventing the wheel. “What the DRDO should focus on is to adopt security systems already developed by the telecom sector while developing more security parameters for its own use,” an expert said.
This lack of foresight is linked to the fact that India has never taken part in the global debates on cyber governance. Indian representatives have not come up with a single plan on cyber security initiatives. For example, India chose not to ratify the Budapest Convention on Cybercrime, passed by the Council of Europe, which entered into force in 2004. The convention principally aims at harmonising the domestic law elements of cybercrime offences and connected provisions and setting up a fast and effective regime of international cooperation in such cases. Countries like the US, Australia and Japan have ratified the convention, but not India.
On the defence front too, India has advocated that countries develop their own security policies instead of cooperating with each other. “Cyberspace defence needs partners as in other areas of defence, both internal and external. Cross-pollination of ideas from government to private sector and vice versa is important. While the government is duty bound to create a cyber security system, the private sector also needs to contribute. But the government itself is not doing its bit. From a budget of Rs. 37 billion for the defence sector (in 2013) the allotment for cyber security was negligible,” says Vikram Tiwathia, associate director–general of the Cellular Operators Association of India.
A senior government official privy to the discussions on cyber policy stance said, “We have usually gone with countries like Iran and Russia which want to develop their own security systems since they are wary of the west. While there has been a consensus on involving the private sector in cyber defence, the emphasis has been to develop our own systems. This will mean a delay in getting a robust system quickly.”
The NCIIPC is envisaged as the umbrella organisation to deal with all cyber attacks, internal or external, since defence forces and organisations like NTRO, IB, etc. will all be required to work under it.
However, there are worries that the NCIIPC will turn into a super cyber snoop. The organisation will have a free hand on accessing private email and social networking accounts of citizens. This can easily lead to spying on accounts of people the politicians or security establishments might want to target.
The Indian Central Monitoring System (CMS), proposed in 2009 after the Mumbai terror attacks the previous year, and implemented last year, is modelled on the same system. Before the CMS, all Telecom Service Providers (TSPs) were required to have Lawful Interception Systems at their premises to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, all TSPs have to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. These, once installed, are connected to the Regional Monitoring Centres (RMC) of the CMS. Each RMC is connected to the CMS.
All data intercepted by TSPs are automatically transmitted to RMCs, and subsequently to the CMS. Therefore the CMS has centralised access to all data intercepted by TSPs in India, and can also bypass service providers in gaining such access. This is because, unlike so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows data to be automatically transmitted to its centre without the involvement of TSPs.
This means CMS can snoop on any individual without consent. While CMS is considered an essential tool in the national cyber security scenario, the growing number of FIRs and targeting of social networking websites like Facebook and Google have meant that the privacy of an individual has been lost.
The police have especially focused on targeting people who post “politically incorrect” messages on social networking sites. One such case involved a Mumbai girl, Shaheen Dadha, who allegedly posted messages after the death of Shiv Sena leader Bal Thackeray in 2012 that “hurt the religious sentiments” of Hindus. Even though Dadha apologised for the post and filed a complaint that her Facebook account had been hacked, she and her relatives were targeted by alleged Shiv Sena workers.
The problem with ensuring cyber security is that the criterion for accessing personal information of people will be decided by people sitting at the office of the NCIIPC. No formal procedure will be required. The National Security Agency (NSA) of the US has already come in for much criticism after a private contractor, Edward Snowden, blew the whistle on its illegal and worldwide surveillance, which extended to heads of state across the world and accessed their personal conversations and other data over the past several years.
“It (the CMS) has become an important tool in the hands of politicians and the highly politicised police forces. The NCIIPC will ultimately provide it the core infrastructure it needs,” a Bangalore-based cyber expert says.