The Indian Cyberspace And Cyber Security Initiatives Information Technology Essay

CHAPTER 3

Indian cyberspace was born in 1975 with the establishment of National Informatics Centre (NIC) with an aim to provide govt with IT solutions. Three networks (NWs) were set up between 1986 and 1988 to connect various agencies of govt. These NWs were, INDONET which connected the IBM mainframe installations that made up India’s computer infrastructure, NICNET (the NIC NW) a nationwide very small aperture terminal (VSAT) NW for public sector organisations as well as to connect the central govt with the state govts and district administrations, the third NW setup was ERNET (the Education and Research Network), to serve the academic and research communities.

New Internet Policy of 1998 paved the way for services from multiple Internet service providers (ISPs) and gave boost to the Internet user base grow from 1.4 million in 1999 to over 150 million by Dec 2012. Exponential growth rate is attributed to increasing Internet access through mobile phones and tablets. Govt is making a determined push to increase broadband penetration from its present level of about 6%1. The target for broadband is 160 million households by 2016 under the National Broadband Plan. An indication in support of the rapid pace of adaptation to the Internet in India is that, India’s top e-commerce retailer, Indian Railways, saw its online sales go up from 19 million tickets in 2008 to 44 million in 2009, with a value of Rs. 3800 crore ($875 million)2.

3. Even though the Indian govt took a while to convert to computerisation, there has been an increasing thrust on e-governance. The govts e-governance plan is seen as a cost-effective way of taking public services to the masses across the country. Critical sectors such as Finance, Energy, Space, Telecommunications, Defence, Transport, Land Records, Public Essential Services and Utilities, Law Enforcement and Security all increasingly depend on NWs to relay data for both communication purpose and commercial transactions. The National e-governance Program (NeGP) is one of the most ambitious in the world and seeks to provide more than 1200 govt services online.

Indian Economy Going the e-Way

3. Post liberalization in 1991, India witnessed steady economic growth, benefiting from globalization and information revolution. IT revolution has played a crucial role in transforming country’s GDP growth rate. As per recent Boston Consulting Group report3 the Internet economy of India in 2010 amounted to USD 70 billion (4.1% of GDP) and is estimated to reach USD 242 billion (5.6% of GDP) in 2016. IT is contributing in India’s development in following ways:-

(a) Development of Infrastructure. Airports, metros, highways and augmentation of existing infrastructure which include power generation, financial services, telecom, transportation, defence, etc. Nation’s critical infrastructure are driven and controlled by ICT and it is getting increasingly dependent on IT this includes power grids, air traffic controller, industrial systems, stock exchanges, banking, telecom among others.

(b) e-Governance. Govt is undertaking projects driven by IT to address social, economic and development challenges in the country. Using IT, the govt intends to improve governance by increasing transparency, curbing corruption, time bound delivery of govt services and ensuring financial inclusion. The National e-Governance Plan (NeGP) is designed to take a holistic view of e-Governance initiatives across the country. The purpose is to integrate the initiatives, into a collective vision for a shared cause of delivering benefits to citizens in the remotest parts of the country. The ultimate objective of NeGP is to bring public services closer to home to all citizens as given in the vision statement of NeGP4. The NeGP comprises 27 mission mode projects (MMPs) and 8 common core and support infrastructure including State Wide Area Networks and State Data Centres.

(c) Aadhaar. The Aadhaar number provides unique identity, which will become acceptable across India. The project promises to eliminate duplicate and fake identities through effective verification and authentication. Many of the govt’s social benefit programs are envisaged to be linked with the Aadhaar number.

(d) e-Commerce. e-Commerce industry is witnessing phenomenal growth and expected to touch USD 10 billion, an increase of 47% from 20105. e-payments in India account for 35.3% of the total transactions in terms of volume and 88.3% in terms of value6, card circulation both credit and debit was around 200 million in 20107. The e-commerce is still an untapped potential considering the fact that the Internet penetration8 in India is only around 8% (rising exponentially) with around 120 million Internet users9 and India is projected to become the third largest Internet user base by 201310. With around 894 million mobile subscribers11 (as on December 2011), m-commerce market is a big opportunity, especially as it promises to bring rural India into the realm of e-commerce.

( e) IT/BPO sector. India is emerging as the IT knowledge hub of the world with many global companies opening their R&D and innovation centres in India. The industry has provided job opportunities to over 10 million people and accounts for 6.4% of India’s GDP. It aims to grow revenues to USD 225 billion by 202012 out of which USD 175 billion will be on account of export of software and services. Cloud Computing is a huge opportunity for India as the next wave of growth for the Indian IT industry.

(f) Modernization of Police and Defence. Defence forces & Police agencies are making strategic use of technology to modernize. Projects such as Crime and Criminal Tracking Network and Systems (CCTNS) and National Intelligence Grid (NATGRID) are flagship projects for modernization of police. CCTNS will connect 14,000 police stations and 6,000 police officers to a centralized database. The goal of CCTNS is to facilitate collection, storage, retrieval, analysis, transfer and sharing of data and information at the police station and between the police station and the State Headquarters and the Central Police Organizations.’13 Indian Army has also taken similar initiatives which include creation of an Army Wide Area Network (AWAN) designed to connect all Army formations, units, training establishments and logistic installations in the country for secure and direct information exchange14. Army also launched project ‘Shakti’ a fully digitized and integrated Artillery Combat Command and Control System (ACCCS), which is a network of military grade tactical computers automating and providing decision support for all operational aspects of Artillery functions from the corps down to a battery level.15

(g) Social Media. Social media is emerging as a very powerful phenomenon in Indian cyberspace with around 45 million16 Indians using the social media and the number is increasing every day. It is revolutionizing the way society interacts. Personal Information is becoming the economic commodity on which social networking is thriving. Businesses, Non-Governmental Organizations (NGOs) and even the governments are using this platform for variety of reasons which include communication, marketing, branding, awareness, etc. The social media has also caught the attention of the governments and the regulators worldwide (for wrong reasons) including the Indian govt and there is an on going debate on regulating the social media17.

Threat Landscape

4. As nation it’s important for us to continue leveraging technology for overall development of the country & improving lives of the citizens. Thus, it is crucial to comprehensively understand the risks associated with the use of technology and operating in cyberspace. Cyberspace has become a new play field for non state actors & it is getting increasingly linked to national security. The cyberspace is being used by terrorists to spread their message, hire recruits, do encrypted communication, surreptitious surveillance, launch cyber attacks on govt infrastructure, etc. Sophisticated use of technology was made by 26/11 Mumbai attackers which included Global Positioning System equipment, satellite phones, BlackBerrys, CDs holding high-resolution satellite images, multiple cellphones with switchable SIM cards, e-mails routed through servers in different locations, which made it harder to trace them.

5. Cyber attacks targeted at critical information infrastructures (energy, telecom, financial services, defence, and transportation) have the potential of adversely impacting a nation’s economy, public safety and citizens’ lives. These critical infrastructures are mainly owned and operated by the private sector. For example, the telecom sector is mostly owned by the private players, except Mahanagar Telephone Nigam Ltd. and Bharat Sanchar Nigam Ltd. Bombay Stock Exchange and National Stock Exchange are private players wherein most of the transactions are done through electronic medium. Airline industry is dominated by private players with Air India being the only the govt enterprise, Energy & Utility sector though dominated by govt players, the distribution is largely controlled by private partners. The banking sector has large number of private banks. Business requirements and not national security concerns drive the investments made by these private players in securing the infrastructure. This may leave possible security loop holes. India recently witnessed a cyber attack on its state-of-the-art T3 terminal at New Delhi airport that made check-in counters of all airlines non-operational causing public inconvenience. Stuxnet - the deadliest attack vector that has been designed so far & which destroyed a nuclear reactor in Iran has reportedly infected systems in India18.

6. As the dependency of critical information infrastructure on technology increases in future and if such infrastructures remain vulnerable, it is possible that adversaries may use cyber attacks on critical information infrastructure to produce impact similar to that in physical attacks / accidents, at worst leading to physical harm like collision of aircrafts because of manipulation with Air Traffic Controlling system, train accidents due to signal malfunctioning or could adversely affect the national economy. Failure of telecommunication services, power grids, oil production and distribution, breakdown of stock markets and banking infrastructure.

7. Given the increased usage of Internet in the country, India is witnessing sharp rise in cyber crimes. Data released by National Crime Records Bureau (NCRB) in 2010 shows this trend. 966 cyber crimes cases were registered in 2010 under the IT Act across India (an increase of around 128% over 2009 and 235% over 2008) and 799 persons in 2010 were arrested (an increase of around 177% over 2009 and around 349% over 2008) for cyber crimes included hacking, obscene transmission, tampering, etc. Cyber attackers have also been repeatedly defacing Indian websites especially government websites. In January 2012 alone, 1425 websites were defaced, with 834 target websites being hosted on ‘.in’ domain19. Many high profile cyber espionage attacks targeting systems of senior Indian bureaucrats have been reported in the media20.

India’s Cyber Security Initiative

8. Having visualised the cyber security threat & its impact on national security, Indian govt has taken many initiatives to protect the critical infrastructure driven by IT within Indian cyberspace domain. Some of the initiatives are as follows:-

(a) Legal Framework to include enactment of IT Act (Amendment) 2008.

(b) Policy Initiatives.

(c) Cyber Security Initiatives.

9. IT Act (Amendment) 2008. Information Technology Act (IT Act) was enacted in year 2000 to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication. To establish a robust cyber security and data protection regime in the country, the IT Act was amended in year 2008. It provides a comprehensive definition of the computer system & tries to ascertain liability based on the type of cyber crime committed ( Hacking, spamming, tampering, identity theft, impersonation, cyber terrorism, pornography, child pornography). The act introduces the concept of ‘sensitive personal information’ and fixes liability of the ‘body corporate’ to protect the same through implementation of ‘reasonable security practices’. In case a body corporate fails to do so, it can be fined upto Rs. 5 crore (approx. USD 1.2 million) by the Adjudicating Officer and civil court can fine amount greater than Rs. 5 crore. The rules issued under the Act, also require body corporates to follow privacy principles such as notice, choice & consent, access & correction, disclosure to third party, etc. The amended Act provides provision for legal action against a person for the breach of confidentiality and privacy, under lawful contract. Critical systems can be declared as ‘protected systems’ under the Act. Security breaches of such systems attract higher prison sentences. The amended Act also enables setting up of a nodal agency for critical infrastructure protection and strengthens the role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening security of electronic communications. Presently, encryption of upto 40 bits is allowed under the telecom policy. Cyber Appellate Tribunal, which is now operational, is expected to expedite legal proceeding of cyber crime cases. Overall, the IT (Amendment) Act, 2008 is an omnibus and comprehensive legislation which includes provisions for digital signatures, e-governance, e-commerce, data protection, cyber offences, critical information infrastructure, interception & monitoring, blocking of websites and cyber terrorism21.

10. Policy Initiatives. The draft version of National Cyber Security Policy was released by the DIT in March 2011 for public consultation. The draft policy has been aimed to enable secure computing environment and adequate trust and confidence in electronic transactions. The draft policy tries to layout the cyber security ecosystem for the country. It covers the following:-

(a) Based on the key policy considerations and threat landscape, the draft policy identifies priority areas for action.

(b) Identifies PPP as a key component.

(c) Identifies key actions to reduce security threats and vulnerabilities

(d) Establishment of National Cyber Alert System for early watch and warning, information exchange, responding to national level cyber incidents and facilitating restoration.

(e) Defines role of sectorial CERTs and establishment of local incident response teams for each critical sector organization.

(f) Implementation of best practices in critical information and government infrastructure protection through creation, establishment and operation of Information Security Assurance Framework.

(g) Establishes framework for Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism.

(h) Identifies priorities for action for legal framework and law enforcement capability development.

(j) Defines priorities for international cooperation for information sharing.

(k) Identifies indigenous Research & Development as an essential component of cyber security and enlists thrust areas for R&D.

(l) Identifies major actions and initiatives for user awareness, education, and training (capacity building).

(m) Defines responsible actions for network service providers, large corporates and small/medium & home users to secure information and systems.

(n) Identifies various stakeholders (ministries and government departments only) in cyber security and their responsibilities.

11. The Ministry of Communications and Information Technology (MCIT), Govt of India, is formulating a combination of three interdependent and synergistic policies for IT, Telecom and Electronics "Triad of Policies to Drive a National Agenda for Information & Communications Technology and Electronics (ICTE)". The three policies are as below:

(a) National Policy on Electronics, 2011.

(b) National Policy on Information Technology, 2011.

(c) National Telecom Policy, 2011.

13. The integrated policy has twin goals:-

(a) To facilitate the application of new, technology-enabled approaches to overcome developmental challenges in education, health, skill development, employment generation, financial inclusion, governance etc and to enhance efficiency, convenience and access.

(b) To harness the power and capability of India in ICT to meet global demand.

14. Cyber Security Initiatives. Govt and IT industry have taken various initiatives in cyber security. However, much more needs to be done in this area. Major initiatives are summarized below:-

(a) CERT-In. In 2003, Govt set up a the Indian Computer Emergency Response Team (CERT-In) under DIT, MCIT as a nodal agency for responding to cyber security incidents. The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal agency for security incident management and provides it the authority to call for information on security incidents from organizations. CERT-In charter involves collection, analysis, dissemination of information on cyber security incidents through a dedicated infrastructure. It monitors and investigates threats that affect computer systems and forecasts and generates alerts for cyber security incidents. It collaborates internationally for the incident response, tracks incidents affecting both public and private sector and issues security guidelines and advisory on vulnerabilities. It provides technical assistance to organizations in resolving security incidents. It has helped establish sectoral CERTs in defence and banking sectors. To test preparedness of organizations operating critical information infrastructure, CERT-In conducts cyber security drills in partnership with the public and private sector. To help law enforcing agencies (LEAs) solve cyber crimes, CERT-In has developed standard operating procedures for cyber crime investigations. It organizes regular trainings and funds research and other projects in security to academic institutes and industry. It also engages with its counterparts in other countries for increased collaboration and information sharing. CERT-In has developed 12th five year plan on cyber security.

(b) Information Security Education and Awareness. To make up the shortfall of cyber security professionals in the country, DIT initiated the Information Security Education Awareness (ISEA) program in 2005. To spread awareness on cyber security in the country, ISEA program aims at capacity building by introducing information security courses at graduate, post-graduate and doctoral levels, establishing education exchange programs, training system administrators and government officers.

(c) LEA Capacity Building Programs. To address the challenges that Indian LEAs face in handling cyber crimes such as poor knowledge of technology and cyber crime investigation techniques/ tools and cyber forensics, lack of state-of-the-art technical infrastructure, insufficient training facilities & forensics labs in the country. Govt has taken some key initiatives. These initiatives are aimed at building the capacity of LEAs in cyber forensics and cyber crime investigation to curb rising cyber crimes and ensure speedier trials. Ministry of Home Affairs (MHA) will be launching the Cyber Crime Investigation Program (CCIP), which will establish a Cyber Crime Police Station and a Cyber Crime Investigation and Forensic Training Facility in each State and Union Territory and a central National Centre of Excellence for Cyber Forensics Services. The CCIP will create a network of cyber police stations across the country, equipped with state-of-the-art technology and well trained police officers, which can collaborate to benefit from each other’s experiences. The National Centre of Excellence will act as the guiding force, providing thought leadership to the Cyber Crime Police Stations and Cyber Crime Investigation and Forensic Training Facilities by conducting advanced research & development. Under the Directorate of Forensic Science, under MHA, three Central Forensic Labs (CFSLs) have developed capabilities in cyber forensics. Also, there are 28 State Forensic Labs (SFSLs) that are acquiring capabilities in cyber forensics techniques and skills. Resource Centre for Cyber Forensics (RCCF) at Thiruvananthapuram, Kerala under Centre for Development of Advanced Computing (CDAC) has been established to develop cyber forensic tools and to provide technical support and necessary training to LEAs in the country22.

(d) Security in e-Governance projects. The National e-Governance Division (NeGD), under DIT, is the Program Management Office of NeGP. Among its various activities, including facilitating implementation of NeGP by various Ministries and State governments, the agency is also responsible for issuing cyber security and data security standards and guidelines for all the e-Governance projects under NeGP. For securing e-Governance projects, Standardization Testing and Quality Certification Directorate (STQC) has developed e-Governance Security Assurance Framework (e-SAFE), which provides list of security controls based on the risk categorization of particular assets.

(e) Common Criteria Certification Scheme. This scheme has been set up by DIT to evaluate and certify IT Security Products and Protection Profiles against the requirements of Common Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently, the scheme provides national certification. The scheme would also provide a framework for international certification through the National Mutual Recognition Arrangement with the other member countries of Common Criteria Recognition Arrangement (CCRA). Along with 24 other countries, India has already become a member of CCRA as a certificate consuming nation and soon will be recognized as a certificate producing nation. STQC is a certification body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab23.

(f) Sectoral Security. Critical sectors such as banking and telecommunication are strongly regulated through Reserve Bank of India (RBI) and Department of Telecommunications (DoT)/ Telecom Regulatory Authority of India (TRAI) respectively. The regulators keep issuing security guidelines, mandating the companies to implement the same. For example, RBI constituted a working group on ‘information security, electronic banking, technology risk management, and cyber frauds,’ which provided a set of guidelines to banks, covering areas such as IT governance, information security (including electronic banking channels like Internet banking, ATMs, cards), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues. These guidelines serve as a common minimum standard for all banks to adopt.31 DoT made amendments to the Unified Access Service License Agreement (UASL) in 2011, incorporating security related measures and made the Licensee (Telecom Service Providers) "completely and totally responsible for security."