[This paper examines the dimensions of National Cyber Security Policy- 2013 and the multi- faceted challenges faced ... assurance framework for designing security policies, protecting critical security ...... corporate-technology-purchases.aspx.
SAVING OUR FRAGILE GLASS HOUSE: INDIA’S CYBER SECURITY CHALLENGES
Hemant K. Dash1
[This paper examines the dimensions of National Cyber Security Policy- 2013 and the multifaceted challenges faced by Indian Cyber Domain. Increasing dependence on Information Technology and maintaining a fine balance between “Tech-Dependence” and “Secured TechUtilisation” will be evaluated as a crucial aspect of this paper. The Indian Cyber Vision of “Building a Secure and Resilient Cyberspace for Citizens, Businesses and Government” and its strands of effective implementation will be analysed through various parameters. Timely response to cyber threats, creating secure Cyber-Ecosystem and adoption of IT in all sectors of Society and Economy will form the core analysed aspects of this paper. Finally, creation of an assurance framework for designing security policies, protecting critical security infrastructures from domestic as well as global threats, strategic real time information sharing and developing indigenous security technology by bringing innovation in R&D sector will form the suggestive aspects of this paper, evaluating their recent strengths of actualisation. Updating Legal Frameworks with adoption of International Standards and Procedures coupled with Effective adherence of Cyber Crisis Management Plan is the need of the hour. Moreover, enabling effective prevention, investigation and prosecution of Cyber Crime and enhancement of Law Enforcement capabilities through appropriate legislative intervention can certainly save our fragile glass house is the positive aspiration expressed in this paper.] Over the last two decades, the Internet and more broadly cyberspace has had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. An open and free cyberspace has promoted political and social inclusion worldwide, it has broken down barriers between countries, communities and citizens, allowing interaction and sharing of information and ideas across the globe; it has provided a forum for freedom of expression and exercise of fundamental rights, and empowered people in their quest for democratic and more just societies - most strikingly during the Arab Spring. Recent surveillance and un-authorised track of Telecom & Cyber Information by US National Security Agency operation PRISM and revelations by Edward Snowden has created a global outrage. India being the second most vulnerable country in surveillance disclosures, our policy framework and safety norms are facing a critical challenge and a big question mark. Indian Cyber Domain is most compromised every 1
Hemant K. Dash is presently a Doctoral Research Scholar at Centre for European Studies, School of International Studies, Jawaharlal Nehru University, New Delhi. His research areas include Development Economic Policy, Energy Security, European Development Strategy and Mechanism of Regional Cooperation. He has served for more than 2 years in UNDP with the capacity of a Team Lead under the Millennium Development Goals Framework working in North Eastern States of India. Recently, he has presented a paper at Second International Economic Conference of Morocco on India’s Recent Experience with Regional Integration at Dakhla, Casablanca. Basically a science graduate in Physics, he has Masters Degree in both Public Administration and Journalism.
Page | 1
day among all Asian nations which has made us a glass house indeed. All can see us and track us which, in turn, making our Cyber Security framework more fragile each next moment. The Internet has undergone astounding growth, by nearly any measure, in recent years. The number of Internet users increased from roughly 360 million in 2000 to nearly 2.45 billion at the end of 2012. The number of hosts connected to the Internet increased from fewer than 30 million at the beginning of 1998 to nearly 880 million in early 2013. According to industry estimates, this global network helps facilitate $15 trillion in online transactions every single year.144 billion E Mails circulate everyday and 634 million websites till December 2012 are astounding figures which clearly reflects that, how much our life is deeply entangled in the web domain. It also signifies that, without the help of internet and technological support mechanism, the whole globe will come to a standstill. Over the last two decades, the Internet and more broadly cyberspace has had a tremendous impact on all parts of society. Our daily life, fundamental rights, social interactions and economies depend on information and communication technology working seamlessly. An open and free cyberspace has promoted political and social inclusion worldwide, it has broken down barriers between countries, communities and citizens, allowing interaction and sharing of information and ideas across the globe; it has provided a forum for freedom of expression and exercise of fundamental rights, and empowered people in their quest for democratic and more just societies - most strikingly during the Arab Spring. Today, the Internet is again at a crossroads. Protecting security of consumers, businesses and the Internet infrastructure has never been more difficult. Cyber attacks on Internet commerce, vital business sectors and government agencies have grown exponentially. Some estimates suggest that, in the first quarter of 2013, security experts were seeing almost 87,000 new malware threats on the Internet every day. This means more than 45 new viruses, worms, spyware and other threats were being created every minute – more than double the number from January 2012. As these threats grow, security policy, technology and procedures need to evolve even faster to stay ahead of the threats. Addressing these issues in a way that protects the tremendous economic and social value of the Internet, without stifling innovation requires a fresh look at Internet policy. For cyberspace to remain open and free, the same norms, principles and values that India upholds offline, should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. The freedom and prosperity of nations increasingly depend on a robust and innovative Internet, which will continue to flourish if private sector innovation and civil society drive its growth. But freedom online requires safety and security too. Cyberspace should be protected from incidents, malicious activities and misuse and governments have a significant role in ensuring a free and safe cyberspace. Governments have several tasks:
To safeguard access and openness, To respect and protect fundamental rights online and Page | 2
To maintain the reliability and interoperability of the Internet.
However, the private sector owns and operates significant parts of cyberspace, and so any initiative aiming to be successful in this area has to recognise its leading role. Information and communications technology has become the backbone of our economic growth and is a critical resource which all economic sectors rely on. It now underpins the complex systems which keep economies running in key sectors such as finance, health, energy and transport while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems. In this context, the phrase Cyber Security is abuzz in several policy discussion forums and International summits and specifically in year 2013, this is the most discussed and debated security aspect. Cyber Security can be defined as the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cyber security. One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment. The Global Cyber Space & its Domain: Cyberspace has become an important arena of world politics. Cyber security has political, security and economic dimensions which further blur the concept of conflict. Perpetual (cyber) conflict could become the norm. The digital world has become a domain where strategic advantage can be won or lost, the latter being more likely without serious indigenous cyber capabilities. In short, every modern country in the world is creating cyber capabilities, with the result that the global military security landscape has not changed as dramatically since the advent of nuclear weapons. Cyber capabilities will soon be essential for nation states and armed forces that want to be treated like credible players. Cooperation at national and international levels is integral to improving cyber security. This includes updating international and domestic legal frameworks to ensure that state actions are accountable, and to protect citizens from wanton strikes at critical infrastructure. Governments must hold private sector partners accountable, and through partnerships ensure that societal cyber security is not overshadowed by private interests. In this regard, public-private partnerships have a crucial role to play in this. The cyber domain should not be treated as a separate domain but one that is intertwined with the physical space. As an increasing number of people and objects are digitally connected, the cyber domain expands and becomes more complex at every turn. The integration of the cyber world with the physical world will give humanity a new dimension of life. Our dependence on the digitalized world has increased to such an extent that for all developed and most developing Page | 3
economies, normal life has become impossible without it. This great dependence on bytes has also developed into a genuine weakness – one which many actors around the world want to exploit. Critically, from a military perspective, the difference between kinetic and non-kinetic environments will become more blurred and in many respects will merge into one. The actors involved also continue to evolve. The threat of a lone hacker popularized by Hollywood movies has given way to various virtual ‘cooperatives’ and professionally organized entities. Unlike in the case of conventional military capabilities, these non state actors can and do challenge far larger states, highlighting the potential systemic impacts of the emergence of the cyber domain. States recognize this, but have only recently begun to actively develop and resource the development of cyber capabilities. At present, more than 140 countries have indicated that they have programmes to militarize cyber capabilities. The most extensive such efforts can be found in the US, China, Russia and Israel. Though benefits of scale and computational power available to states still apply, the reality of cyber security is that even the smallest actors can contribute to the largest. The best hackers in the world can cause more damage than thousands of good coders. Those same individuals can also create a suite of cyber tools to be deployed by thousands of less skilled national cyber soldiers. In international cyber conflicts small states and non-state actors can potentially have far more significant roles than in the physical world. Cyber weapons are attractive for a number of reasons and for three in particular: First, due to the very nature of the cyber world (especially the technical structure underpinning the Internet), the offence-defence balance is heavily tilted in favour of offence. Second, it is possible to cause equivalent damage through investments that are orders of magnitude cheaper than using conventional weapons. Third, while physical weapons can almost always be identified, cyber weapons provide a new level of deniability. Some facts about Cyber Security from different sources reflects the extent of vulnerability we are exposed into. • Microsoft opines, there are an estimated 150,000 computer viruses in circulation every day and 148,000 computers compromised daily. • According to the World Economic Forum, there is an estimated 10% likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion. • Cybercrime causes a good share of cyber-security incidents. Symantec estimates that cybercrime victims worldwide lose around € 290 billion each year, while a McAfee study put cybercrime profits at € 750 billion a year. • The 2013 Microsoft Corporation survey on cyber security in India found that 38 % of Indian internet users have changed their behaviour because of these cyber-security concerns. 18% are less likely to buy goods online and 15% are less likely to use online banking. It also shows that Page | 4
74% of the respondents agreed that the risk of becoming a victim has increased, 12% have already experienced online fraud and 89% avoid disclosing personal information. • According to the public consultation on NIS, 56.8% of respondents had experienced over the past year NIS incidents with a serious impact on their activities. According to Adam Vincent, CTO - Public Sector at Layer 7 Technologies2 who describes the problem as: "The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly..." The statement clearly signifies that, how the vulnerability factor is increasing every passing moment and our technological dependence is leading us towards greater insecurity. Cyber Security Challenges Faced by India: 1) Updating Legal Frameworks: Mirroring its concern that private sector firms are the most vulnerable and potentially most lucrative targets of cyber operations, National Cyber Security Policy 2013 has among other things have set minimum standards for cyber security and created a form of reporting to ensure compliance. The policy directive differentiates between general network defence and cyber operations, as well as spelling out responsibilities between federal agencies. The directive further clarifies which cyber domain operations can be undertaken by whom in the government, thereby taking tentative steps to address the second key challenge facing Indian officials, creating rules of engagement. 2) Creating Cyber Rules of Engagement for the Military: Cyberspace is considered by governments to be the fifth domain of warfare, in addition to space, land, sea and air. As such, militaries and their political masters demand clear and understandable rules of engagement (ROE). What makes the creation of these ROE difficult, among other things, is that although cyber combat has some stand-alone qualities, it exists in the political and strategic context of warfare, of the physical world. More critically, the ‘equivalencies’ of different actions are not clear; especially when actions cross the physical-digital divide. Can the same ROE allow for a cyber attack that degrades digital 2
Layer 7 Technologies is a security services provider to federal agencies including Defence Department Organizations of US and some European Countries. It has now started operating in South Asian countries and in talks with several Indian major IT firms to have a foot inside Indian Territory.
Page | 5
network performance, while disallowing an attack using physical weapons on a key communications node? Currently, even if the initial impact were the same, it is likely that the cyber attack would not be viewed as an act of war by another state actor. Considering these and other challenges, it is not surprising that India has struggled to create clear rules of engagement. Moreover, even if the United States managed to create ROE, without global cooperation they may even cause further instability. The reason is that there is also a dearth of globally accepted concepts that would undergird the creation of cyber ROE. The need for such concepts is apparent if one considers the physical world, where Chinese and US Navy ships may not know their respective ROE at any given moment, but the general concepts of what they may be are understood by both sides. 3) Building Cyber Deterrence: In every domain of warfare, it is imperative to build some level of deterrence, which consists of a combination of doctrine of use, real capabilities, and others’ awareness of those capabilities. Building cyber deterrence (which by definition are capabilities that others are not able to see) is a tough challenge for India. Just talking about defensive and offensive cyber capabilities in general terms, without revealing or demonstrating those capabilities does not advance deterrence. This can effectively be contrasted with nuclear deterrence, where capabilities are well understood by all sides, yet even here the usefulness of the concept of deterrence against non-state actors must be challenged. Indian cyber deterrence is currently seen to consist of a triad. The first leg of this cyber triad is resilience. In practice this means that we must build resilience into different systems and procedures, so that adversaries know that they cannot succeed in crippling the economy, government, or Indian military with cyber attacks. The task is to convince others that no actions they take will paralyze security of India. The second leg of the new Cyber Triad is attribution. It is difficult to identify the ultimate source of cyber attacks - this is the problem of attribution. If enemies can attack a country´s networks without identifying themselves, they can attack with near impunity, making deterring them practically impossible. India is expending considerable resources to be able to confirm the ultimate sources of attacks and probes more rapidly doing so in ways that can be publicized only adds to the challenge. The third leg of the Cyber Triad is offensive capabilities. Just as with kinetic weapons, opponents must know that a potential target state possesses effective offensive capabilities and is ready to use these capabilities - if needed. The idea of offensive capabilities is no longer an issue in India with the discussion now focusing on how and what capabilities should be (further) developed. The logic behind offensive weapons, which is applicable to developed states, is that offensive capabilities are necessary to build a robust defence and to support the building of deterrence and confidence in the armed forces’ capabilities in the cyber domain. The ultimate goal of cyber deterrence-building is that states, terrorists and rogue regimes realize that Indian Page | 6
digital infrastructure is resilient, that we can accurately identify any attackers, and that it can fully defend itself in cyberspace or through other means. 4) Clarifying the Cyber Security Roles and Responsibilities of Public & Private Sector Actors: There is an increasing awareness that governments and private sector firms must cooperate for cyber security to be effective. Indian government officials understand that cooperation must take place in at least three spheres:
Real-time information sharing of threat pictures The coordination of initial responses & Recovery - with resilience again being a key attribute of cyber security.
The ways in which this cooperation occurs, and under what legal or contractual constraints cooperation is placed is only beginning to be grappled with. For example, when Indian Cyber Command observes an attack on any financial institution, it is unclear how it should respond, whom it should inform, what assistance it could provide and what the private sector firm would want in terms of government assistance. The primary role of the Indian government is relatively clear when discussing extensive cyber attacks (comparable to an act of war) initiated by other sovereign states, even though the main target is likely to be critical private sector owned and operated infrastructure. However, the roles and responsibilities are considerably less clear during normal / peacetime periods when the problem is more one of cyber espionage, theft and disruption. The current environment can be summarised by saying that cybercrime and cyber espionage constitute “the greatest transfer of wealth in history”. To begin combating this, Public-Private Partnerships (PPPs) are viewed as essential to a rational and functional cyber security approach, even in the United States. Some American politicians are concerned with imposing additional regulations on companies, but most companies themselves admit that they lack the resources and knowledge to fight aggressive attempts to steal intellectual property, especially when opponents (thieves) are supported by other states. By acting as clearinghouses for shared information and providing guidance on security, as well as counterespionage capabilities, states can greatly assist the private sector. The focus of initial PPP efforts is likely to be firms that are involved in operating critical infrastructure, military contractors or those firms which create significant intellectual property. Cyber Terrorism: Information Technology (IT) has exposed the user to a huge data bank of information regarding everything and anything. However, it has also added a new dimension to terrorism. Recent reports suggest that the terrorist is also getting equipped to utilize cyber space to carryout
Page | 7
terrorist attacks. The possibility of such attacks in future cannot be denied. Terrorism related to cyber is popularly known as 'Cyber Terrorism'. In the last couple of decades India has carved a niche for itself in IT. Most of the Indian banking industry and financial institutions have embraced IT to its full optimization. Reports suggest that cyber attacks are understandably directed toward economic and financial institutions. Given the increasing dependency of the Indian economic and financial institutions on IT, a cyber attack against them might lead to an irreparable collapse of our economic structures. And the most frightening thought is the ineffectiveness of reciprocal arrangements or the absence of alternatives. Methods of Cyber Attacks: The most popular weapon paralysing cyber security is the use of computer viruses and worms. That is why in some cases of cyber terrorism is also called 'computer terrorism'. The attacks or methods on the computer infrastructure can be classified into three different categories. (a) Physical Attack: The computer infrastructure is damaged by using conventional methods like bombs, fire etc. (b) Syntactic Attack: The computer infrastructure is damaged by modifying the logic of the system in order to introduce delay or make the system unpredictable. Computer viruses and Trojans are used in this type of attack. (c) Semantic Attack: This is more treacherous as it exploits the confidence of the user in the system. During the attack the information keyed in the system during entering and exiting the system is modified without the user’s knowledge in order to induce errors, Cyber terrorism is not only limited to paralyzing computer infrastructures but it has gone far beyond that. It is also the use of computers, Internet and information gateways to support the traditional forms of terrorism like suicide bombings. Internet and email can be used for organizing a terrorist attack also. Most common usage of Internet is by designing and uploading websites on which false propaganda can be pasted. This comes under the category of using technology for psychological warfare. Tools of Cyber Terrorism: Cyber terrorists use certain tools and methods to unleash this new age terrorism. These are: (a) Hacking: The most popular method used by a terrorist. It is a generic term used for any kind of unauthorized access to a computer or a network of computers. Some ingredient technologies like packet sniffing, tempest attack, password cracking and buffer outflow facilitates hacking. (b) Trojans: Programmes which pretend to do one thing while actually they are meant for doing something different, like the wooden Trojan horse of the 12th Century BC. Page | 8
(c) Computer Viruses: It is a computer programme, which infects other computer, programmes by modifying them. Their rate of spreading is very fast. (d) Computer Worms: The term 'worm' in relation to computers is a self contained programme or a set of programmes that is able to spread functional copies of itself or its segments to other computer systems usually via network connections. (e) E-Mail Related Crime: Usually worms and viruses have to attach themselves to a host programme to be injected. Certain emails are used as host by viruses and worms. E-mails are also used for spreading disinformation, threats and defamatory stuff. (f) Denial of Service: These attacks are aimed at denying authorized persons access to a computer or computer network. (g) Cryptology: Terrorists have started using encryption, high frequency encrypted voice/data links etc. It would be a herculean task to decrypt the information terrorist is sending by using a 512 bit symmetric encryption. Challenges to India's National Security: As brought out earlier India has carried a niche for itself in the IT Sector. India's reliance on technology also reflects from the fact that India is shifting gears by entering into facets of egovernance. India has already brought sectors like income tax, passport service and visa under the realm of e -governance. Sectors like police and judiciary are to follow. The travel sector is also heavily reliant on this. Most of the Indian banks have gone on full-scale computerization. This has also brought in concepts of e-commerce and e-banking. The stock markets have also not remained immune. To create havoc in the country these are lucrative targets to paralyze the economic and financial institutions. The damage done can be catastrophic and irreversible. Existing Counter Cyber Security Initiatives: Just days before the United Nation’s led Internet Governance Forum in Indonesia, India, held its own and first of its kind conference on cyber governance and cyber security. With the support of the National Security Council Secretariat of the Government of India, the two-day conference was organized by private think-tank Observer Research Foundation and industry body, Federation of Indian Chambers of Commerce and Industry, (FICCI). Speakers were from a host of countries including Estonia, Germany, Belgium, Australia, Russia, Israel, and of course, India. It was ironic, that in a post-Snowden world, buried under allegations of the extent of the NSA’s spying, US officials were unable to attend the conference due to their government’s shutdown. Instead, other views took centre stage, and India also visibly demonstrated the various positions its stakeholders take around the questions of governance and security. Right at the kickoff, India’s Minister for Communications and Technology, Kapil Sibal, challenged the question of sovereignty and jurisdiction in cyberspace. “If there is a cyber space violation and the subject Page | 9
matter is India because it impacts India, then India should have jurisdiction. For example, if I have an embassy in New York, then anything that happens in that embassy is Indian territory and there applies Indian Law.” India has, over the last few years, flirted with the idea of an UN-lead internet governance structure, and subsequently backed away from it. Minister Sibal said that India believes in “complete freedom of the internet”, however, at the same time needs to acknowledge that along with cyber freedoms come cyber gangsters, and the state and its citizens need to be protected from them. India, with its 860 million mobile subscriptions (although, the numbers of users would be lower than this figure) is looking more and more to the internet as a delivery platform of socio-economic programs and a tool to boost the economy. That the internet can raise GDP by 10% is a much favoured figure for those who promote the internet for economic reasons. The fact is that as the remaining unconnected population of India begins to acquire net connections through desktops and smart phones, the government is increasingly looking at security and surveillance over the internet as a necessary and inevitable route. This also means that the government needs to rely on industry to help them with this gigantic task. The possible synergy between businesses and government in India was a central theme for discussion; as industry bodies asked the government to invest in training more cyber security specialists and also start moving towards uniform security standards and protocols. In fact, Indian industry most certainly wants to be relived of the financial burden of training personnel, and to an extent, investment in security R&D, and is keen to partner with the government to achieve both ends. Indian industry is often in the news because it appears almost universally under prepared for cyber attacks, both from within the country and externally. Suggestions of a government-led cyber awareness program were made as well, with calls to allocate funds for these exercises in the budget. However, as has been the case in India, the real source of friction still lies between civil society and the government over the question of surveillance and monitoring. In a session entitled ‘Privacy and National Security’; perhaps the only India-centric panel of the entire conference, the debate became overheated. The panel consisted of a senior police officer involved in surveillance, India’s director-general of CERT (Computer Emergency Response Team), a representative from the mobile industry and a privacy expert. The government official was pushed by civil society members and journalists to explain the workings of the Central Monitoring System, still very opaque to the public, and later the official definition of privacy. He did neither. Unsurprisingly, India is yet to really define what privacy is, leading to simultaneous furore in the room and twitter about why this hasn’t been done as yet. The sense in the room was that surveillance, while necessary to protect citizens, is only really effective when it is conducted in a targeted manner. Mass surveillance leads to self-censorship and is, in the end, counterproductive. The other bone of contention was the question of identity, with the government making arguments that verifiable cyber identity is a possible solution to Page | 10
cyber crime. However, other participants found the issue troubling, as anonymity is necessary for a number of reasons, including as we have seen around the world, political dissent. The prominent point of discussion was how best to inculcate a multi stakeholder approach when legislating the internet. It was pointed out more than once that the internet was a product of private enterprise, made on open standards and principles, but now governments are attempting to control this resource. However, while public calls for multi stakeholderism were made for many reasons; human rights, protection of privacy and even to benefit business in the long run (as they would not risk being caught up in lengthy court cases in the future if they took civil society on board from the start), there was still an elephant in the room. Offline, many official participants wondered why Chatham House Rules were not observed, or why there were no closed-door meetings only for government officials. It was clear that much of the weighty – and honest – discussions still don’t involve the public. Perhaps not where the question of governance is, but certainly when the question of security is. Ultimately, two broad outcomes that came out of the conference were that India has indicated its willingness to start shouldering discussions to do with the global cyberspace. The other is, as India’s National Security Advisor put it, “India has a national cyber security policy not a national cyber security strategy.” This is certainly a start to building a consensus for that strategy. Indian Cyber Infrastructure: National Informatics Centre (NIC): A premier organisation providing network backbone and e-governance support to the Central Government, State Governments, Union Territories, Districts and other Governments bodies. It provides wide range of information and communication technology services including nationwide communication network for decentralized planning improvement in Government services and wider transparency of national and local governments. Indian Computer Emergency Response Team (Cert-In): Cert-In is the most important constituent of India's cyber community. Its mandate states, 'ensure security of cyber space in the country by enhancing the security communications and information infrastructure, through proactive action and effective collaboration aimed at security incident prevention and response and security assurance'. National Information Security Assurance Programme (NISAP): This is for Government and critical infrastructures. Relevant aspects of it are: a) Government and critical infrastructures should have a security policy and create a point of contact. (b) Mandatory for organizations to implement security control and report any security incident to Cert-In. (c) Cert-In to create a panel of auditor for IT security. (d) All organizations to be subject to a third party audit from this panel once a year. (e) Cert-In to be reported about security compliance on periodic basis by the organizations.
Page | 11
Indo-US Cyber Security Forum (IUSCSF): Under this forum (set up in 2001) high power delegations from both side met and several initiatives were announced. Prominent aspects of it are: (a) Setting up an India Information Sharing and Analysis Centre (ISAC) for better cooperation in anti hacking measures. (b) Setting up India Anti Bot Alliance to raise awareness about the emerging threats in cyberspace by the Confederation of Indian Industry (CII). (c) Ongoing cooperation between India's Standardization Testing and Quality Certification (STQC) and the US National Institute of Standards and Technology (NIST) would be expanded to new areas. (d) The R&D group will work on the hard problems of cyber security like cyber forensics and anti spasm research. (e) Chalked the way for intensifying bilateral cooperation to control cyber crime between the two countries. Cyber Challenges and Concerns: Lack of awareness and the culture of cyber security at individual as well as institutional level is the primary focus. Lack of trained and qualified manpower to implement the counter measures is also a prominent area of focus. Too many information security organisations which have become weak due to 'turf wars' or financial compulsions needs to be better managed. A weak IT Act which has became redundant due to non exploitation and age old cyber laws and effective implementation of recommendations of national cyber security policy directive 2013 needs a complete overhaul of our traditional approach of functioning. No e-mail account policy especially for the defence forces, police and the agency personnel is a concern area. Cyber attacks have come not only from terrorists but also from neighbouring countries inimical to our national interests must be dealt with a serious note. Recommendations: (a) Need to sensitize the common citizens about the dangers of cyber terrorism. Cert-in should engage academic institutions and follow an aggressive strategy. (b) Joint efforts by all Government agencies including defence forces to attract qualified skilled personnel for implementation of counter measures. (c) Cyber security not to be given more lip service and the organisations dealing with the same should be given all support. No bureaucratic dominance should be permitted. (d) Agreements relating to cyber security should be given the same importance as other conventional agreements. (e) More investment in this field in terms of finance and manpower. (f) Indian agencies working after cyber security should also keep a close vigil on the developments in the IT sector of our potential adversaries.
Page | 12
Conclusion: There is a growing nexus between the hacker and the terrorist. The day is not far when terrorists themselves will be excellent hackers. That will change the entire landscape of terrorism. A common vision is required to ensure cyber security and prevent cyber crimes. The time has come to prioritize cyber security in India's counter terrorism strategy. Ensuring cyber and IT security is hard because networks can be attacked from anywhere in the world, and the motives to attack them may include simply demonstrating technical prowess, casual hacking, political orientation, fraud, crime or an extension of state conflict. Further still, digital footprints are easy to hide. Global coordination can ensure that the internet continues to thrive without the constant fear of misuse of information. We have to think of safety in the cyber world as a global public good and address this problem together. Many countries, including India, have called for a discussion on whether laws covering international armed conflict, such as those under the Geneva Convention can also cover cyber attacks. India was one of the strongest voices at the 47th Munich Security Conference of 2011 arguing for such a review. Unfortunately a more active cyber space is also inviting more malicious activity whether it is related to online fraud, theft of information or disruptive activities that may manifest in many forms including attacks on critical national infrastructure. These developments are likely to concern all such nation states that are increasingly relying on use of internet to improve governance and make the growth process more inclusive. This fragile glass house inside the vast cyber domain which is becoming more vibrant and threatening each next moment needs determination as well as political will, knowledge sharing and real time information match up to become an inclusive power hub.
*****
Page | 13
BIBLIOGRAPHY
Billo, G. Charles and Chang, Welton (2004), Institute for Security Technology Studies at Dartmouth College, Cyber Warfare : An Analysis of the Means and Motivations of Selected Nation States, Hanover, December 2004. Branigan, Tania, “ South Korea on alert for cyber-attacks after major network goes down”, The Guardian, 20th March 2013. Department Of Defence Cyberspace Policy Report of Govt. of US (2011), A Report to Congress Pursuant to the National Defence Authorization Act for Fiscal Year 2011, Section 934, November 2011. Draft Paper, National Cyber Security Policy 2013, Govt. of India, 2013. Gori, Umberto (2009), Modelling Cyber Security: Approaches, Methodology, Strategies, NATO Science & Peace Security Series, Netherlands : IOS Press BV. IDSA Task Force Report, India’s Cyber Security Challenge, March 2012. Mitra, Ananda (2010), Digital Security: Cyber Terror and Cyber Security, New York : Chelsea House Probst, C.W. et al. (2010), Insider Threats in Cyber Security, New York : Springer. Raghav S.S., Cyber Security in India’s Counter Terrorism Strategy, Directorate of Defence Studies, Govt. of India. Shalhoub, Z.K. and Al Qasimi, S.L. (2010), Cyber Law and Cyber Security in Developing and Emerging Economies, London : Edward Elgar Publishing Inc. Web Links Accessed: (16th February, 2013 to 30th January, 2014) http://www.pcmag.com/article2/0,2817,2373909,00.asp http://www.pcmag.com/article2/0,2817,2372952,00.asp http://www.pcmag.com/article2/0,2817,2392643,00.asp http://www.pcmag.com/article2/0,2817,2415029,00.asp http://www.microsoft.eu/digital-policy/events/event-microsoft-eu-cybersecurity-and-digitalcrimes-forum.aspx
Page | 14
http://www.microsoft.eu/Portals/0/Document/Technology%20Policy/CybersecurityNewsletterAp ril_2.pdf http://www.microsoft.eu/skills-and-education/posts/are-you-safe-online-microsoft-observessafer-internet-day-cm3l.aspx http://www.microsoft.eu/digital-policy/posts/tracking-protection-technologies-a-step-closer-tomore-privacy-online.aspx http://www.microsoft.eu/digital-policy/posts/they-know-where-you-live-and-more.aspx http://www.microsoft.eu/digital-policy/futures/the-eus-digital-agenda-creating-a-safer-ride-onthe-net.aspx http://www.microsoft.eu/digital-policy/posts/cyber-threats-in-the-european-union.aspx http://www.microsoft.eu/digital-policy/posts/no-one-size-fits-all-approach-to-online-safetyhighlighting-the-european-model.aspx http://www.microsoft.eu/digital-policy/posts/keeping-children-safe-and-empowering-them-to-begood-digital-citizens.aspx http://www.microsoft.eu/digital-policy/posts/cybercrime-fighting-in-action-botnet-takedowns.aspx http://www.microsoft.eu/digital-policy/futures/whos-in-charge-here-consumers-drivingcorporate-technology-purchases.aspx http://www.microsoft.eu/digital-policy/futures/cybercriminals-versus-the-good-guys.aspx http://www.microsoft.eu/digital-policy/posts/tracking-protection-a-new-way-to-protectconsumers-information-online.aspx http://www.microsoft.eu/digital-policy/posts/counterfeiting-piracy-and-ip-enforcement.aspx http://www.microsoft.eu/digital-policy/posts/stepping-up-the-fight-against-cybercrime-ineurope.aspx http://www.technewsdaily.com/7138-911-cybersecurity-changes.html http://www.technewsdaily.com/7128-911-cyberterrorism-threat.html http://www.technewsdaily.com/6960-cyberwar-definition-cyber-war.html http://www.technewsdaily.com/6961-what-cyberwar-would-look-like-cyber-war-attackscenario.html
Page | 15
http://www.technewsdaily.com/6962-cyberwar-unlikely-deterrence-cyber-war.html http://www.pcmag.com/article2/0,2817,2415062,00.asp http://www.thehindu.com/news/international/anonymous-claims-responsibility-for-hacking-usfed/article4386417.ece http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-andonline-freedom-and-opportunity-cyber-security http://www.pcmag.com/article2/0,2817,2415380,00.asp http://articles.washingtonpost.com/2012-11-14/world/35505871_1_networks-cyberattacksdefense http://articles.washingtonpost.com/2012-10-11/world/35502244_1_crucial-system-filesshamoon-secretary-leon-e-panetta http://articles.washingtonpost.com/2012-08-09/world/35491430_1_cyber-command-militaryaction-networks http://articles.washingtonpost.com/2013-02-19/world/37166888_1_chinese-cyber-attacksextensive-cyber-espionage-chinese-military-unit http://articles.washingtonpost.com/2013-03-12/world/37645469_1_new-teams-national-securitythreat-attacks http://articles.washingtonpost.com/2012-09-21/world/35497878_1_web-sites-quds-forcecyberattacks http://articles.washingtonpost.com/2013-03-11/world/37620683_1_mandiant-china-source-code http://articles.washingtonpost.com/2013-04-05/business/38300321_1_foreign-banks-onlinepayments-bank-customers http://articles.washingtonpost.com/2013-03-27/business/38066070_1_denial-of-service-attackmassive-attack-dns-servers http://articles.washingtonpost.com/2012-08-06/opinions/35494073_1_private-sectorcybersecurity-legislation-national-security-agency http://articles.washingtonpost.com/2012-07-25/opinions/35487073_1_cyber-stuxnet-voluntarysecurity-standards
Page | 16
