Kamlesh Bajaj, former government servant and now CEO of the Data Security Council of India (DSCI), tells Aditi Phadnis that India must beware another attack on its cyber security and suggests ways in which this can be countered. Edited excerpts:
What, in your view, caused thousands of Indian citizens to abandon places where they were living and working and return to the Northeast overnight?
Essentially it was fear. Fear will take root when you think the state will not protect you if you’re in trouble — when you feel you’re on your own.
It was driven by news travelling on the social media like Facebook, Google and Twitter about what happened in Mumbai and Pune [where meetings about so-called atrocities on one community were disrupted]; and bulk Short Messaging Service [SMS] text messages.
We are supposedly the world’s best known IT power. And yet, with just a click of a key on a mobile phone, somebody managed to shift huge swathes of the population from one part of the country to another.
It happened. I am deeply ashamed and angry that someone was able to do this.
Somebody, somewhere, must be laughing their heads off…
What is mystifying is: how could SMSes have been sent to just members of a particular community undetected? Especially when telephone companies are supposed to have the identity of users…
It seems to have been planned rather well. For example, mobile numbers may have been harvested in advance and/or websites that are frequented by a community may be used to send out SMSes to them. Websites collect a lot of data from users through cookies and by registrations too. These can be compiled by software tools to identify people, and then target them. But I think mobile companies are unlikely to allow their databases to be sorted by names to identify communities, unless they have been hacked into. Individuals, in a state of fright or to spread rumours, can, of course, always send the SMSes to their entire address book.
This is one part of the story. You can use websites to create images – extrapolating images from Myanmar and the Tibet earthquake or the tsunami – to pass them off as a community under attack.
If it is so simple to do this, then it must be equally easy to detect it. Then why did the government say some part of it is the handiwork of Pakistan and the rest of the culprits are unknown? It should have been detected minutes after it happened.
I, too, have read the statement of the gentleman of Karachi who said these images have been in circulation for long. But basically, anyone, anywhere could have done it. More analysis is required to prove attribution.
We lauded technology because it is caste neutral, it doesn’t recognise religion or community. But here…
Yes, technology is neutral but like everything else, it can be put to uses that serve the purpose of interested parties. We’ve seen the way technology has been used selectively in Syria and Libya — the so-called Arab Spring; and nearer home the way the Anna Hazare movement has used it.
But there is nothing infallible about the way it is used. The state can also master it.
And are you satisfied that the Indian state has managed to master it?
My favourite response to this question is: India is, by and large, in a state of denial — we just do not admit that any significant loss occurred in successful cyber-attacks. This is perhaps owing to our feudal approach to governance, whereas cyberspace warrants an information age response — it calls for information-sharing and cooperation across multiple agencies.
What we see happening is a part of the larger picture called cyber security, which, in turn, is critical for national security. Misuse of social media is but one dimension of cyber security. While the intelligence agencies have to master their use, cyberspace has no boundaries, even though nations are trying to police and control activities within their jurisdictions. Traditional dividing lines between defence and security, civilian and defence, military solutions and law enforcement, the public and private sectors, are breaking down. No single ministry can handle all facets of cyber security; they need to coordinate. Lead agencies have to be appointed and empowered. Because the networks and critical infrastructure are largely owned by the private sector, its involvement in cyber security is essential. The government has to launch public-private partnership [PPP] programmes to protect critical infrastructure. This calls for a cultural change in outlook.
And how would a change in outlook would occur?
In April this year, the DSCI, which I head, gave a report to the government. Mr Chidambaram was still the home minister. We recommended 10 things that the government needed to do yesterday:
One, create a national structure for cyber security that is positioned at the highest level within the government: we had recommended that the head report to the national security advisor and to the prime minister
Two, design and implement a competency framework to build an adequate and competent cyber security workforce.
Three, create and maintain an inventory of critical information infrastructure so that in case of a cyber-attack or crisis, this inventory can determine the possible impact on various information infrastructures and contain the attack.
Four, establish a centre for best practices in cyber security that will help us focus on real threats in their environment instead of creating extensive documentation
Five, establish a National Threat Intelligence Centre for early watch and warning
Six, build capacity in law enforcement agencies in cybercrime forensics and cyber forensics
Seven, build legally-sound interception capabilities to balance national security and economic growth. We badly need a national centre for research in encryption and crypto analysis
Eight, establish a centre of excellence in cyber security research
Nine, set up testing labs for accreditation of ICT [Information and Communication Technology] products to manage ICT supply chains
And finally, establish a cyber command to defend Indian cyberspace.
All these can be done through PPP. We need to protect each critical sector through sector-critical information infrastructure protection plan with its own risk management framework, mitigation plan, incident response, crisis management, and so on.
All this sounds complicated. So either the problem is very simple — in which case we are using a hammer to swat a fly; or it is so complex and ubiquitous that you need very sophisticated, complex (and expensive) solutions ?
It is both. At one level it is simple, but it is also complex and vast. It depends on how you look at it. Take some of the issues. There is this website called doctoryumyumsingh that is a parody of a PMO website. My own suggestion would be: let it be. It is not worth the trouble to investigate these sites. Do we investigate every cartoon, every piece of satire that is written? No. Social media is a new medium that must be allowed to reach maturity. In any case, the government is saying it is not interested in controlling social media.
So the kind of attack we saw can happen again?
Yes it can. It can happen in a different shape and it can exploit sentiments easily. The answer is government agencies need to share intelligence over secure networks. But ultimately it is human intelligence at the top that cannot afford to fail.
So we have the answers. But we don’t know all the questions…
That sounds right. Technology has to be used to stay ahead of itself.