A much-delayed cyber security policy is only making things worse
In a book published on India’s cyber security challenges, the think tank on defence and security issues, Institute of Defence Studies and Analyses (IDSA), paints a picture that comes straight out of a Hollywood thriller.
The report presents a scene set on a hot evening in June 2020, when government offices are closing for the day. A sudden alarm is sent to the National Security Council Secretariat by Cert-In, India’s response centre for major computer security incidents. Cert-In, or Indian Computer Emergency Response Team, informs the government of an internet malware that has disabled the country’s critical infrastructure. Within minutes, mobiles are down, oil refineries malfunction, air traffic controllers are disabled and financial systems are in a shambles.
The report says that if the government doesn’t ‘wake up’ and implement ‘urgent measures’ to thwart the threat of cyber attack, much of the above has a good chance of coming true.
Just last week, the proliferation of another powerful malware, Flame, has poignantly raised important questions about India’s preparedness in handling a cyber security challenge. Over the last decade, the country has seen an increase in the number of cyber attacks, from 2,565 in 2008 to 8,266 in 2009 and 10,315 in 2010.
“There is little doubt that India has long been the focus of attention of special services of various countries. I presume there are constant attacks on the networks of the Indian government and Indian companies,” says Aleks Gostev, chief security expert, Global Research & Analysis Team, Kaspersky Lab. “They are mass attacks which, unfortunately, are often successful,” he adds.
Even viruses that don’t specifically target the Indian state, but originate abroad and then find their way here, can wreak havoc. Back in 2010, as tensions rose between the West and Iran over the latter’s nuclear plans, an internet worm, later called Stuxnet, was discovered at Iran’s nuclear enrichment centre at Natanz. The worm was attacking the computers that controlled the centre by taking over control of the centrifuges at the plant. It was partially successful. The worm then escaped the nuclear plant and spread over the internet, infecting computers worldwide. India was the third-most affected country, with 8.31 per cent of computers affected, following Iran (58.85 per cent) and Indonesia (18.22 per cent).
UNDER SIEGE: CYBER SECURITY INCIDENTS HANDLED BY CERT-IN
| Network Scanning / Probing | 11 | 40 | 177 | 223 | 265 | 303 | 477 |
| Virus / Malicious Code | 5 | 95 | 19 | 358 | 408 | 596 | 1,817 |
Website Compromise &
Source: Cert-In (Indian Computer Emergency Response Team)
The worm soon raised an alarm amongst security establishments in India, as one of the two solar panels of the satellite Insat-4B stopped working after a power glitch. The closing down of 12 of the 24 transponders affected 70 per cent of the direct-to-home connections. The reasons were unknown until cyber-security expert Jeffrey Carr, writing in a news magazine, claimed that the Insat-4B could have stopped working because of the Stuxnet worm. This claim was denied by Isro.
However, fears remained. In December 2010, a leading daily reported the Intelligence Bureau’s (IB) refusal to give a nod to the Oil and Natural Gas Corporation (ONGC) to extend its IT network through the internet. The IB was reported to have expressed reservations that the company would become vulnerable to attacks from Chinese hackers and the Stuxnet computer mole.
Ironically, one reason for the increase in the number of attacks has been the growing number of internet users here. Also, India’s reputation as the back office of the West has attracted hackers looking to steal valuable data. However, most hackers and security experts agree that ignorance of cyber security is the most significant reason for India’s vulnerability.
Ankit Fadia, ethical hacker and computer security expert, says, “In government offices, most employees are not trained to understand cyber security. They walk in with a USB, without realising what it can do if it is infected.”
Absence of a policy
But, is India prepared to handle a coordinated cyber attack? Experts point out that a major flaw in the country’s cyber-security policy has been the absence of any comprehensive cyber security approach. As a result, the legal and law enforcement agencies of the country have been unable to maintain pace with the rapid growth of internet penetration in India and the world.
“If someone commits a cyber crime or any such offence, the police aren’t trained adequately enough to understand the offence. When it comes to dealing with cyber crimes, our establishments are still much behind the world,” says Fadia, ethical hacker and computer security expert.
The Department of Information Technology has formulated a draft for discussion on the National Cyber Security Policy. However, it has not been finalised, despite overshooting its deadline by over a year. Moreover, the policy has been criticised for lacking a holistic approach. There is also a lack of inter-ministerial co-ordination, which unnecessarily multiplies the command centres involved in the event of a cyber attack.
Threat to corporates
The risk is more pronounced for private companies, where loss of important data could mean a tremendous advantage for the competitor. “Everyone is vulnerable. However, if I have to rank in terms of merit, the IT/BPO sector has the highest standards of security because of the pressure of foreign countries, followed by banks and then telecom,” says Kamlesh Bajaj, CEO, Data Security Council of India and former head of Cert-In.
Even among companies, the threat is far more serious for pharmaceutical companies, where the intellectual property behind drugs is always prone to theft. The Symantec Internet Security Threat Report says that in 2011, 40 per cent of all spam attacks were on pharmaceutical companies, though this was down from 74 per cent in 2010.
“Pharma companies are especially vulnerable to the loss of intellectual property, given that most data is digital and can be replicated... Cyber crime perpetrators are now sophisticated and form highly organised intelligence networks. It is tough for the enterprise to stay ahead of the threats... Nothing that we do can be guaranteed to prevent incidents, so systems need to be resilient enough to withstand an event, which is where business continuity planning and disaster recovery comes in,” says Mayur Danait, CIO, Lupin.