Indian Cyber Warfare Capability | An Analysis

India is getting rapidly wired to the information superhighway. As India gets connected to the global village, asymmetric IW threat posed by the adversaries as well as non-state actors would be on the rise. With always ON broadband connections through DSL (Digital Subscriber Lines), Cable modems and 3G (third generation) cellular networks, widely spread across homes and offices, the cyber threat potential, has become more pronounced. As per, Mr. S.K. Gupta, Advisor (CN & IT), TRAI, the definition of broadband has been modified to include only those services that offer access speeds of 512 kbps from 01 Jan 2011. This is expected to be upgraded to 2 Mbps network speeds from Jan 2015 [1] .

As brought out earlier India has carried a niche for itself in the IT Sector. India’s reliance on technology also reflects from the fact that India is shifting gears by entering into facets of e-governance. Ever since the launch of the largest software project implemented in India, the Country Wide Network for Computerised Enhanced Reservation and Ticketing (CONCERT) for the Indian Railways in 1986 [2] , India has now brought sectors like income tax, passports, visa under the realm of e-governance. Sectors like police and judiciary are to follow. The travel sector is also heavily reliant on this. Most of the Indian banks have gone on full-scale computerisation. This has also brought in concepts of e-commerce and e-banking. The stock markets have also not remained immune. To create havoc in the country these are lucrative targets to paralyze the economic and financial institutions. The damage

done can be catastrophic and irreversible.

Fig-1 India’s Information Infrastructure (Source – CERT-India).

India currently occupies a leading position in the IT outsourcing and Business Process Outsourcing (BPO) industry. India is ideally situated in South Asia, offering a 10-12 hour time differential to North America and Europe that together encompass nearly 80 percent of the global IT business. The time zone difference ensures round the clock productivity for these nations wanting to outsource their software as well as other services requirements [3] . India’s total revenue due to IT and BPO outsourcing was US$33 billion, which is estimated to grow to US$60 billion by the end of year 2011. Datamonitor, a leading UK-based business information company, research indicates that 67-72% of costs to call centers operating in the US/UK are directly linked to man power costs. India, on the other hand spends only 33-40% of costs on man power. This includes training, benefits and other incentives for labor [4] . 83 per cent of Indian businesses had reported a security breach (against the global 64 per cent) and 42 per cent of these had three or more breaches (as of Sept 2004).

Existing Counter Cyber Security Initiatives. Having realised the importance of racing ahead of its adversaries in cyberspace, the Indian Govt has put in place various initiatives. Salient features of these initiatives have been discussed in succeeding paragraphs.

NASSCOM is in the process of setting up the Data Security Council of India (DSCI) as a Self-Regulatory Organization (SRO) to establish, popularize, monitor and enforce privacy and data protection standards for India’s IT & ITeS industry.

National Informatics Centre (NIC). A premier organisation providing network backbone and e-governance support to the Central Government, State Governments, Union Territories, Districts and other Governments bodies. It provides wide range of information and communication technology services including nationwide communication Network for decentralized planning improvement in Government services and wider transparency of national and local governments.

Indian Computer Emergency Response Team (Cert-In). Cert-In is the most important constituent of India’s cyber community. Cert-In is a functional organisation of Dept of Information Technology, Ministry of Communications and Information Technology, Govt of India, operational since 2004, with the objective of securing Indian Cyber space. It serves as a national agency for computer incident response. Its mandate states, “ensure security of cyber space in the country by enhancing the security communications and information infrastructure, through proactive action and effective collaboration aimed at security incident prevention and response as well as security assurance”.

National Information Security Assurance Programme (NISAP). This is for Government and critical infrastructures, highlights are: ­

Government and critical infrastructures should have a security policy and create a point of contact.

(b) Mandatory for organizations to implement security control and report any security incident to Cert-In.

Cert-In to create a panel of auditor for IT security.

(d) All organizations to be subject to a third party audit from this panel once a year.

(e) Cert-In to be reported about security compliance on periodic basis by the organizations.

Indo-US Cyber Security Forum (IUSCSF). Under this forum (set up in 2001) high power delegations from both side met and several initiatives were announced. Highlights are: ­

Setting up an India Information Sharing and Analysis Centre (ISAC) for better cooperation in anti-hacking measures.

Setting up India Anti Bot Alliance to raise awareness about the emerging threats in cyberspace by the Confederation of Indian Industry (CII).

Ongoing cooperation between India’s Standardization Testing and Quality Certification (STQC) and the US National Institute of Standards and Technology (NIST) would be expanded to new areas.

The R&D group will work on the hard problems of cyber security. Cyber forensics and anti-spasm research.

Chalked the way for intensifying bilateral cooperation to control cyber-crime between the two countries.

Challenges and Concerns. Some challenges and concerns are highlighted below: ­

(a) Lack of awareness and the culture of cyber security at individual as well as institutional level.

(b) Lack of trained and qualified manpower to implement the counter measures.

(c) Too many information security organisations which have become weak due to ‘turf wars’ or financial compulsions.

(d) A weak IT Act which has become redundant due to non-exploitation and age old cyber laws.

(e) No e-mail account policy especially for the defence forces, police and the agency personnel.

(f) Cyber-attacks have come not only from terrorists but also from neighboring countries inimical to our National interests.

Recommendations. Certain recommendations are given below: ­

Need to sensitize the common citizens about the dangers of cyber terrorism. Cert-in should engage academic institutions and follow an aggressive strategy.

(b) Joint efforts by all Government agencies including defence forces to attract qualified skilled personnel for implementation of counter measures.

(c) Cyber security not to be given more lip service and the organisations dealing with the same should be given all support. No bureaucratic dominance should be permitted.

(d) Agreements relating to cyber security should be given the same importance as other conventional agreements.

(e) More investment in this field in terms of finance and manpower.

(f) Indian agencies working after cyber security should also keep a close vigil on the developments in the IT sector of our potential adversaries.

National security adviser M K Narayanan set up the National Technology Research Organization, which is also, involved in assessing cyber security threats. But the cyber security forum of the National Security Council has become defunct after the US spy incident. This has scarred the Indian establishment so badly that it’s now frozen in its indecision. This has seriously hampered India’s decision-making process in cyber warfare.

Cyber attacks usually happen very quickly and often with great stealth. Critical war fighting operations must continue to function effectively while under cyber attack. India is yet to formulate a framework to evolve suitable response to PLA cyber warfare developments.

Organisations in the pipeline. After being at the receiving end of cyber attacks from across the border for many years, India is preparing a blueprint for undertaking counter cyber warfare on unfriendly countries. According to a proposal being considered by the National Security Council, Indian agencies may be told to enhance capabilities to exploit weaknesses in the information systems of other countries and also collect online intelligence of key military activities. The proposal includes setting up laboratories in research institutions to simulate cyber attacks with the help of ethical hackers. These laboratories would be used for training intelligence agencies for offensive and defensive cyber warfare techniques. Personnel working in this area may be given legal immunity for carrying out these activities.

The blueprint is likely to be put into action by the National Technical Research Organisation, the Defence Intelligence Agency and the Defence Research and Development Organisation. The plan also talks about setting up early-warning capabilities about impending attacks on the country’s information systems and developing expertise in cyber forensics, which includes tools that focus on acquiring information from attacked systems to find out sources of attacks.

The Government is looking at setting up a National Testing Facility that will certify all imported software and hardware procured for key information systems. Security agencies are concerned about spyware or malware embedded into imported products which can be used by unfriendly countries to disrupt key sectors. The proposed testing facility will be on the lines of the Trust Technology Assessment Programme in the US. In order to secure key areas such as banking, Defence, the Railways, civil aviation, atomic energy and oil and gas, it is being proposed to set up a Computer Emergency Response Team for each of these sectors.

Privileged information suggests the Indian government could seriously consider creating the position of a cyber security czar whose mandate would be to fundamentally overhaul cyber security and bring the currently fragmented networks under a clearly defined structure.

The overhaul will demand a whole new approach outside the bureaucratic confines considering that it necessarily requires tapping the cyber security community constituted by young professionals in their 20s and 30s. Since this community is used to working in a highly non-hierarchical environment with a great deal of personal freedom the government will have to use the office of the cyber security czar as its interface with the young professionals.

Threats Faced by Indian Cyberspace. Although cyber security had already been coming under government focus for some time now, a 10-month-long investigation by the University of Toronto’s Munk Centre for International Studies, Canadian security firm SecDev Group and US-based cyber sleuthing organisation Shadow server Foundation has added extra urgency to the task. The investigators have issued a report titled ‘Shadows in the Cloud: An investigation into cyber espionage 2.0’ which highlights how India’s defence establishment was seriously penetrated by cyber attackers based in Chengdu, the capital of Sichuan province in southwest China.

The report exposes widespread penetration of computer systems at the National Security Council Secretariat, which is part of the Prime Minister’s Office, Indian diplomatic missions in Kabul, Moscow, Dubai and Abuja, Military Engineer Services, Military Educational Institutions, the Institute of Defence Studies and Analyses, the National Maritime Foundation and some corporations. It is hard to quantify the damage the information obtained by the hackers can cause, but it could be potentially significant.

The report has served to highlight serious flaws and vulnerabilities in India’s official information networks. Those who know how the systems work point to a ‘lack of discipline’ in even seemingly trivial details such as senior government officials in sensitive positions still using email addresses on Yahoo, Hotmail and Gmail. They say inasmuch as no email system can be made foolproof, these free accounts are even less so. Even the use of social networking sites such as Facebook and Twitter are known to be prone to systematic attacks.

Apart from the inherent interest in India’s defence and other establishments because of its rise as a major power, there is also another reason why the country has emerged as an important target. Its position as home to large IT companies which are in turn repositories of vast global information also makes India particularly attractive to hackers. In a sense hacking India could lead to a great deal of diverse economic, financial, health and other forms of valuable intelligence.

One of the primary mandates of any future cyber security czar would be to create a multi-layered security system around its national assets in a manner that no single successful penetration would yield a treasure trove of information in one place. The cyber security czar could also be mandated to lay down standards and code of conduct for those in the government handling data of certain sensitive nature. Informed sources say the czar would report to the National Security Advisor and would often end up operating outside the traditional command and control structure of the Indian bureaucracy because of the kind of monitoring the office would be expected to do.

One specific approach that the Indian government might have to consider adopting relates to what in industry parlance are known as defensive and offensive hackers. While the former’s job would be to ensure strong defences against all attacks, that of the latter would be to actively be part of hackers worldwide who perform the role of flooding malware or malicious software codes used to infiltrate large systems. Such participation is crucial to pre-empting attacks. It is in this context that the Canadian investigation makes an interesting point. Under the section ‘Patriotic Hacking’ the report says, ‘The PRC – has a vibrant hacker community that has been tied to targeted attacks in the past and has been linked through informal channels to elements of the Chinese state, although the nature and extent of the connections remain unclear. One common theme regarding attribution relating to attacks emerging from the PRC concerns variations of privateering model in which the state authorizes private persons to perform attacks against enemies of the state.’

Unlike China, which has developed a sizable community of defensive as well as offensive hackers, India has not even begun to evolve a cohesive approach to what cyber security experts regard as a decisive aspect of the information technology-driven world. Since the government cannot officially or even unofficially recruit these hackers, it will have to find creative ways to utilize their services and create enough indirect protections in the event some of them run afoul of law-enforcement agencies which may not know about their existence.

This is clearly a grey area which many cyber security experts say is a necessary evil. It is conceivable that India may have to create its own version of ‘patriotic hackers’ if it has to effectively thwart hacking attacks.