On August 15, 2012, in what Vanity Fair dramatically termed "history's first known cyber war", hackers calling themselves the Cutting Sword of Justice inserted a sophisticated virus called Shamoon into 30,000 computer hard-disk drives in the headquarters of Saudi Arabian oil giant Saudi Aramco. Shamoon wiped out all the data, leaving behind an image of an American flag on fire. US officials and forensic analysts could not but wonder whether this was Iranian vengeance, visited on a key US ally. Two years earlier, hackers, now known to be Americans and Israelis, had infiltrated a destructive computer worm called Stuxnet into the centrifuges that Iran uses to enrich uranium for its nuclear programme. The Stuxnet attack is believed to have disabled a thousand centrifuges, setting back Iran's nuclear weapons programme.
Soon after the Shamoon attack, it became clear that Washington did not regard this as the work of amateurs. Speaking publicly in New York on October 11, 2012, then US Defence Secretary Leon Panetta, who had often raised the spectre of a "cyber Pearl Harbour", described what could happen in such an attack. "An aggressor nation or extremist group could gain control of critical switches and derail passenger trains or trains loaded with lethal chemicals," he said. "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country."
America is hardly the only one in this game, with China reportedly nurturing a sophisticated cyber warfare capability with which to target US computer networks as a part of its strategy of "asymmetric warfare". In March, security consultancy firm Mandiant accused the Shanghai-based People's Liberation Army Unit 61398 of stealing commercial secrets from US companies. That month, Tom Donilon, Barack Obama's National Security Advisor, charged that cyber attacks were "emanating from China on an unprecedented scale."
* * *
India has been slow in fixing its attention on cyber security. This may partly be because much of the country's critical infrastructure - power grids, public transportation, nuclear power plants, defence systems - is controlled by manual systems, or by standalone computer systems that are not linked over the internet. In that respect, India's infrastructural backwardness has proved useful against cyber-attacks. "It is not unusual to find central ministry officials in New Delhi using unsecured email systems, sometimes even commercial email accounts on public servers. But India's sensitive networks tend to be isolated, with no point of contact with the Internet that would render them vulnerable to online hacking. Several agencies have their own dedicated, secure fibre-optic networks, notably the military, Defence R&D Organisation (DRDO), and police's Crime and Criminal Tracking Network System," says Praveen Swami, strategic affairs editor of Network18.
But the government has understood that an ostrich-like response to the digital threat - which is to have as little digitisation as possible - is not a viable, long-term strategy. The economic ministries are finding that volumes of data are becoming larger and larger. And the compulsion for more open governance requires the Internet to be harnessed, mastered and adequately secured. Although India's day-to-day governance and infrastructure management is not heavily reliant on the Internet, there is unease within the government at the growing vulnerability of private Internet users to cyber-attacks. According to figures that the government shared with Business Standard, India was the 10th most intensely cyber-attacked country in 2010-11; today, it is second only to the US. With internet usage (including cellphones) rising dramatically - from 202 million users in March 2010 to 412 million in March 2011 and 485 million in March 2012 - India is now second only to China in the number of devices connected to the Internet.
This makes users vulnerable. Intelligence sources say, in the recent past, malicious activities against Indian networks have originated from hosts in 20 different countries: US, Brazil, Nigeria, China, Iran, Russia, North and South Korea, Japan, Taiwan, Australia, Ukraine, Romania, Israel, France, UK, The Netherlands, Germany, Poland and Pakistan. "As India becomes more networked, we will become more vulnerable to cyber attack. Coordinating between multiple agencies will become a growing challenge," says a top government cyber security official.
* * *
Under the National Security Advisor (NSA), the government has begun rolling out an expansive cyber security policy. This aims to create a secure computing environment and generate the high level of public trust and confidence in electronic transactions that is essential for a modern e-economy. The new framework is rooted in the Information Technology Act 2000, specifically Sections 43, 43A, 72A and 79, which require companies to comply with data security and privacy protection. On May 8, the Cabinet Committee on Security cleared a National Cyber Security Framework. Senior officials who are spearheading this effort describe it as a "multi-layered approach that ensures defence in-depth." Put simply, that means making things difficult for a hacker, who must hack through successive layers of defences in order to breach the network.
In all this, the private sector has been allowed an unprecedented role in partnering government bodies. In July 2012, a joint working group was set up with representatives from both the public and private sectors, which considered how the two could work together. On Oct 15, 2012, the group's report was released by the NSA, laying out a roadmap for engaging the private sector.
Besides incorporating the private sector, the new policy also appears to have successfully bridged the federal divide between central and state governments. Unlike the National Counter Terrorism Centre, which many state governments had opposed as an infringement on their federal autonomy, almost every state is cooperating wholeheartedly on cyber security. Nine states have already set up cyber security centres and South Block officials say many more are set to follow. The overall responsibility for overseeing and ensuring compliance with cyber-security policies is with the National Security Council secretariat. In addition, various stakeholders like the Department of Electronics and Information Technology, Ministry of Defence, DRDO and National Technical Research Organisation have been allocated specific roles in cyber defence.
Then there is the Indian Computer Emergency Response Team (CERT-In), with its network of sector-specific CERTs, which is designated under the Information Technology Amendment Act, 2008 as the national custodian of information relating to cyber-security. Its job is to issue forecasts and alerts, coordinate responses to incidents of cyber-attack, and issue guidelines and advisories as required. CERT-In is also required to conduct regular cyber-security drills, within the country and bilaterally with other countries. The first national drill has been scheduled for August. CERT-In is also training "cyber-security auditors" who will then be empanelled and listed on a website, from where they can be hired by companies for auditing their cyber-security readiness.
Preparing for the time when India's power grids and transport systems are networked over the internet, the National Critical Information Infrastructure Protection Centre is being set up. To remain state-of-the-art in a field in which last week's technology is already out-dated, a high-powered committee under the Principal Scientific Advisor to the government will control a national R&D fund that will set priorities for research and indigenisation. Backing this up will be a Centre of Excellence in Cryptology, which will be set up in IIT Kolkata.
But the big question remains: is India's cyber establishment purely defensive, or have our cyber czars begun creating the cyber-kinetic attack capabilities that can destroy enemy equipment and infrastructure - assets that the US and China have painstakingly built? The head of the US Cyber Command, General Keith Alexander, has recruited thousands of computer experts, nerds and hackers, building up a military cyber strike capability that can reputedly paralyse a modern, networked country. But ask Indian officials about whether they are building such capabilities and you get a wry smile and a bland response: "You know we don't do things like that." Certainly the Indian military has not raised any military cyber units.
Along with the initiative to protect computer networks, the government is also moving boldly into the sensitive realm of information monitoring. A recent Reuters report says that New Delhi has launched a massive surveillance programme, called Central Monitoring System, which is reportedly capable of monitoring all of India's 900 million landline and mobile phone subscribers and 120 million internet users. The new system, which started rolling out in April, allows intelligence agencies to monitor and record phone conversations, read email and text messages, and track social media like Facebook, Twitter and LinkedIn.
* * *
Making the new system unusually draconian is the discretion it provides bureaucrats to approve requests for surveillance, which can be made by any one of nine government agencies, including the Central Bureau of Investigation, Intelligence Bureau and Income Tax Department. With the union and state home secretaries permitted to approve requests for surveillance, this bypasses the traditional system of a court warrant being needed for monitoring a citizen. That Indian intelligence agencies are already tracking Google searches is evident from Google's Transparency Report which reports that New Delhi sent Google 4,750 requests for user data in 2012, a figure exceeded only by Washington.
The recent exposé of the US government's monitoring of communications through the so-called Prism project, and the worldwide outrage it provoked, highlighted an increasingly vociferous debate over cyber security: between security on the one hand and privacy and civil liberties on the other. "Given the security threats today, I will grudgingly accept that some monitoring is necessary," says a woman who lives in Mumbai, a city that has seen multiple terror attacks. "But I want my privacy protected. I want tight safeguards on the data that agencies collect. I may not be doing anything wrong, but I don't want anyone to know that the first thing I do when I wake up in the morning is call my greengrocer and ask him to send across a papaya!"
Meenakshi Ganguly, the South Asia director of Human Rights Watch, points out that Indian agencies tend to leak data that should remain private. "There is always the danger of private data and conversations going out to unauthorised recipients. A central monitoring system is vulnerable to misuse. An innocuous comment can be interpreted as a threat to someone or something; and we have seen that the response of the state can be ugly," she says. The often ham-handed response of the state was visible in the case of Ilina Sen, the wife of civil rights activist Binayak Sen, whose email to the Indian Social Institute (ISI), a research body set up by Jesuit priests, was recovered from Binayak Sen's computer. But Chhattisgarh Special Prosecutor, TC Pandya, deposed in court that she had links with Pakistan's Inter-Services Intelligence (ISI), little caring for truth or reputation.
"We need a new set of very tight laws. If we are going to live with surveillance, we need an internationally accepted protocol that protects the public from misuse of data. Unless that comes into place, the central monitoring system will be misused by apparatchiks," says Ganguly. "There is also the argument that the threat of a cyber attack is deliberately overplayed. So far, even in the highly-networked West, no major incident has ever been caused by a cyber crime. There is definitely an element of hype in scenarios of terrorists hijacking a nuclear power plant… it is far-fetched. So there is a need for balance," adds Swami.