By Ajai Shukla
Business Standard, 13th Jun 13
As Delhi prepared for the closing ceremony of the Commonwealth Games on Oct 14, 2010, Indian cyber security analysts carefully monitored metadata trends for any signs of a cyber attack that could disrupt the high-profile ceremony, or throw city infrastructure like traffic lights out of gear. Already, during the course of the games, more than 8,000 cyber attacks had been detected and defused. At noon, analysts detected a spike in malware (malicious software) and found that it came from a computer in the “Games Control Room” at the Ashok Hotel, which it had entered disguised as pornography. Since the malware could not be neutralised online, a physical raid was launched on the Ashok Hotel, the offending computer was taken off the network and the closing ceremony went off unimpeded.
At that time, in 2010-11, India was the 10th most heavily cyber-attacked country; today, it is second only to the United States. With internet usage rising exponentially --- from 202 million users in Mar 2010, to 412 million in Mar 2011, to 485 million in Mar 2012, India is now second only to China in the number of devices (including cellphones) connected to the internet.
This also makes India uniquely vulnerable. Intelligence sources say that, in the recent past, malicious activities against Indian networks have originated from hosts in 20 different countries: the US, Brazil, Nigeria, China, Iran, Russia, North and South Korea, Japan, Taiwan, Australia, Ukraine, Romania, Israel, France, UK, Netherlands, Germany, Poland and Pakistan.
Emphasising the amorphous nature of cyber attacks, sources clarify that the attacks could have been routed through those countries without the hosts even being aware of this activity. During the same period, several attacks abroad were detected as originating from hosts located in India.
Now the government is rolling out an extensive policy, which the union cabinet cleared on May 8. This consists of a National Cyber Security Framework, which broadly empowers the government to create a legal and structural framework. Based on this, a National Cyber Security Policy lays out the ground rules in a more specific manner. The aim is to facilitate the creation of a secure computing environment in which users can enjoy a level of trust and confidence in electronic transactions.
The new framework is rooted in the Information Technology Act 2000, specifically Sections 43, 43A, 72A and 79, which enjoin companies to comply with data security and privacy protection. It provides for multi-layered protection, with responsibility allocated to various stakeholders, including the Dept of Electronics and IT; Ministry of Defence; Defence R&D Organisation; and the National Technical Resource Organisation. The National Security Council Secretariat will ensure compliance with cyber security policies.
Government IT officials say that the new policy has successfully straddled the spectrum of users, including central and state governments, public private entities, academia and private users. Unlike with the National Counter Terrorism Centre (NCTC), which many state governments opposed as an infringement on their federal autonomy, the states have cooperated without reserve on cyber security. Already nine states have set up cyber security centres.
“As India becomes more networked, we will become more vulnerable to cyber attack. Today, we are protected by virtue of being under-networked. As a networked country, coordinating between multiple agencies will become a growing challenge,” says an official who works on cyber security.
New Delhi has increasingly focused on cyber security, given the threat from China-based hackers, who many people believe are directly linked with the Chinese military. In March, security consultancy, Mandiant, accused the Shanghai-based People’s Liberation Army (PLA) Unit 61398 of stealing commercial secrets from US companies. That same month, Tom Donilon, President Obama’s National Security Advisor, charged that cyber attacks were “emanating from China on an unprecedented scale.”
“Hostile cyber entities map our systems daily. They scope us out, check the effectiveness of our safeguards and see how good our reactions are. That is why we need a strong framework,” says the cyber security official.
To ensure the system’s readiness, the Computer Emergency Readiness Team (CERT) --- an umbrella body that will oversee cyber-protection --- will conduct regular cyber security drills, at the national level and bilaterally with other countries. The first national drill is scheduled in August.
In addition, CERT is training “cyber security auditors”, who will be empanelled and listed on a website, from where they can be hired by companies for auditing their cyber security. The government has also set up a website --- SecureYourPc.org --- that ordinary citizens can access to ensure that their personal computers are free of malware.
So the summary of the news is - As long as officials search for pornography there remains a high chance of getting virus or malware.
control room... for what... what kind of games... really... govt should look... what they pay babus for... know why unions for... zero productivity...
It beggars belief that some of the Union States wheel out infringement of State autonomy and in the same breath, when a terrorist strike takes place, they are the first to point a finger at the Centre Gov. The set up of NCTC is not welcome for whatever compulsion they have, it smacks of amorphous attitude that's pervasive in Indian politics.
@Ajai sir
before the GOI readies to fight cyber attacks it needs to confront the other govt. who are cyber snooping on us. Like the case of US cyber snooping that has been leaked by a man named Edward Snowden which reportedly says India was one of the biggest targets of US cyber snooping.
I consider it as a cyber attack on our IT system. First we need to curtail this kind of snooping then only can we think of effectively controlling malware cyber attacks.
thanks
Joydeep Ghosh
Dear Ajay sir,
We do not need a Cyber attack to disrupt Traffic Lights in Delhi. They hardly work outside the "Lutyens Delhi". It is matter of great shame that we have ambitions of becoming a "Regional Power" but can not even have Traffic Lights working in the nation's capital.
Regards
Andy
www.secureyourPc.org is NOT an Indian government website.
The correct address is:
http://www.cert-in.org.in/securepc/SPC_colored_English/large/index.html
Just FYI
It's not the policy but the implementation that matters.
India has some of the most comprehensive policies in many areas of governance but little oversight and follow through. The fact of the matter is that if a sophisticated actor wants to hack into Indian networks there will be nothing preventing them. Let's start with that basic assumption and secure our infrastructure around it. For example, assume China has access to everything stored on any computer in India. Then use other means like encryption to secure it.
Well Said Ajay.... But only issue is can rule and regulations protect anything.....
Unless the population of this country is conscious nothing can be implemented... see for the instance mentioned by you of the porn like material in Ashok hotel....