Cyber Security In India
On October 28, the Nuclear Power Corporation of India Ltd (NPCIL) confirmed the breach by the malware. WhatsApp sued the Israel-based NSO Group for the use of its ‘Pegasus’ spyware on thousands of WhatsApp users in the lead-up to the general elections in India.
What is cyberspace?
- It is a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
What is cyber security?
- The IT Act, 2000 defines “cyber-security” as the protection given to devices and information stored therein from “unauthorized access, use, disclosure, disruption, modification or destruction.”
Evolution of cyber security:
Cyber Security scenario in India
- India is now second only to China in terms of internet users, according to a report by the Internet and Mobile Association of India (IAMAI).
- India was ranked among the top five countries to be affected by cyber crime, according to a report by online security firm Symantec Corp.
- India is at number 23 of the UN Global Cybersecurity Index.
- Cyber crimes in India almost doubled in 2017, according to statistics released by the National Crime Records Bureau (NCRB).
Recent cyber-attacks in India:
- In 2010, India was the third worst-affected country by computer worm Stuxnet.
What are the types of cyber threats?
- In India, cyber threats fall into two categories.
- a computer is used to attack another computer via hacking, virus attacks, DoS attacks, and so on.
- the computer is used as a weapon to commit real-world crimes like cyber terrorism, IPR violations, credit card frauds, EFT frauds, and pornography.
Universally, there are broadly four kinds of cyber threats:
- Cyber criminals: Seeking commercial gain from hacking banks and financial institutions, as well as from phishing scams and ransomware.
- Cyber terrorists: Mission to penetrate & attack critical assets, and national infrastructure for aims relating to political power & ‘branding’.
- Cyber espionage: Using stealthy IT malware to penetrate both corporate and military data servers in order to obtain plans and intelligence.
- Cyber hacktivists: Groups such as ‘Anonymous’ with political agendas that hack sites & servers to virally communicate the ‘message’ for specific campaigns.
What are the weapons used in cyber threats?
- Threats & Malware – Malicious software to disrupt computers
- Viruses, worms: Theft of Intellectual Property or Data
- Hacktivist – Cyber protests that are socially or politically motivated
- Mobile Devices and applications and their associated Cyber Attacks
- Social Engineering – Entice Users to click on malicious links
- Spear Phishing – Deceptive Communications (e-mails, texts, tweets)
- Domain Name System (DNS) Attacks
- Router Security – Border Gateway Protocol (BGP) Hijacking
- Botnets, Denial of Service (DoS) – blocking access to websites
Government institutions and regulation for cyber security
- The National Technical Research Organization is the main agency designed to protect national critical infrastructure and to handle all the cyber security incidents in critical sectors of the country.
- The Indian Computer Emergency Response Team (CERT-In) is responsible for incident responses including analysis, forecasts and alerts on cyber security issues and breaches.
Information Technology Act, 2000
- The Information Technology Act of India states that when a cyber crime has been committed, it has a global jurisdiction and a complaint can be filed at any cyber cell.
- The Act especially provides protection to Critical Information Infrastructure (CII) by prescribing punishment in the form of imprisonment for a term of up to 10 years.
The IT Act defines “critical information infrastructure” to be “the computer resource, incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety” like power and energy, telecom sector etc.
The National Cyber Security Policy, 2013 (NCSP): The objective of this policy in broad terms is to create a secure cyberspace ecosystem and strengthen the regulatory framework.
- A National and sectoral 24X7 mechanism has been envisaged to deal with cyber threats through National Critical Information Infrastructure Protection Centre (NCIIPC).
- A mechanism is proposed to be evolved for obtaining strategic information regarding threats to information and communication technology (ICT) infrastructure, creating scenarios of response, resolution and crisis management through effective predictive, prevention, response and recovery action.
- Creating a workforce of 500,000 professionals trained in cyber security in the next 5 years is also envisaged in the policy through skill development and training.
- The policy plans to promote and launch a comprehensive national awareness program on security of cyberspace.
The B.N. Srikrishna Committee has recommended creating a data protection framework for India.
RBI Meena Hemchandra Expert Panel on Information Technology and Cyber Security: The RBI has instructed banks to mandate cyber security preparedness for addressing all cyber risks at their end as well.
National Strategy for Artificial Intelligence by NITI Aayog: NITI Aayog provided over 30 policy recommendations to invest in scientific research, by encouraging reskilling and training, accelerating the adoption of AI across the value chain, and promoting ethics, privacy, and security in AI.
‘Framework for enhancing security in cyberspace’ for cyber security in the Indian cyberspace, with the National Security Council Secretariat as nodal agency.
Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) has been launched for providing detection of malicious programmes and free tools to remove such programmes.
‘Cyber-Crime Prevention against Women & Children’ Scheme: Implemented by the Ministry of Home Affairs, the scheme aims to prevent and reduce cyber crimes against women and children.
TechSagar: The National Cyber Security Coordinator’s office, in partnership with the Data Security Council of India (DSCI), launched TechSagar, a consolidated and comprehensive repository of India’s cyber tech capabilities.
CERT-In’s secureurpc.com: People can download scanners and run them on their computers to clean them of any malware.
Future govt. initiatives:
Tri-service agency for cyber warfare.
- It will have more than 1,000 experts who will be distributed into a number of formations of the Army, Navy and IAF.
- The new Defence Cyber Agency will have both offensive and defensive capacity.
Changing purview of data privacy, security, cybercrime and related issues: These are currently under the purview of the IT ministry but may soon be overseen by the Telecom Regulatory Authority of India (TRAI) and the Telecom Commission (TC) because 93 percent of all such data is consumed on the telecom networks, like e-commerce.
What are the loopholes in govt policy?
- Lack of privacy laws in India allows cybercriminals to misuse users’ data on social networks. In India, users who lost their data could do nothing.
- Digital and mobile payments: Inadequacy of the current legal frameworks to help and promote the Digital India vision by helping and promoting digital and mobile payments.
Loopholes in IT Act:
India does not have a dedicated cyber security law. The Information Technology Act, 2000, is not a cyber security law, which is why breaches of cyber security continue to go unreported and there is no statutory elaboration of the rights, duties, and responsibilities of stakeholders in this regard.
- A majority of cyber crimes are bailable offenses, which basically translates into inadequate deterrence to the offenders who violate the provisions of the law.
- The threat of data in the Cloud being lost: The Information Technology Act, 2000, has some provisions to deal with such cases of breaches of data on the Cloud, but they are only by way of compensation.
- Cyber criminals (often based outside the country) hack email accounts and websites and post bogus profiles of celebrities across the web, yet there is no straight legal route to book them.
- There are no distinct dedicated cyber crime courts whose only job would be to deal with cyber crime matters for expeditious disposal of cases.
Loopholes in the National Cyber Security Policy, 2013 (NCSP):
- New technologies: Provisions to take care of security risks emanating from the use of new technologies, e.g. cloud computing, have not been included.
- Use of social networking sites by criminals and anti-national elements: The policy does not address the issue.
- Missing tools to incorporate cyber crime tracking, cyber forensic capacity building and creation of a platform for sharing and analysis of information between public and private sectors on continuous basis.
- Creating a workforce of 500,000 professionals: There is no clarity whether this workforce will be trained to simply monitor the cyberspace or trained to acquire offensive as well as defensive cyber security skill sets.
- Safeguarding the privacy of citizen data: No specific strategy has been outlined to achieve this objective.
Cybersecurity standards and regulations for mobile applications and devices to tackle ransomware: The MEITY has not formulated a policy.
Proposed cyber command vs. Tri-Service Agency: The Indian Armed Forces are in the process of establishing a cyber command for strengthening the cyber security of defence installations. It will be a parallel hierarchical structure, which can result in jurisdiction issues with the Tri-service agency.
Offshore cybersecurity Threats: Over the years, Indians have been subject to several forms of cyber threats from overseas. However, India has not acceded to the Budapest Convention on Cybercrime.
The Convention on Cybercrime of the Council of Europe (CETS No.185), known as the Budapest Convention, is the only binding international instrument on this issue. It serves as a guideline for any country developing comprehensive national legislation against Cybercrime and as a framework for international cooperation between State Parties to this treaty.
The Budapest Convention is supplemented by a Protocol on Xenophobia and Racism committed through computer systems.
What are the challenges for cybersecurity in India?
Technology & Fundamental Rights:
- Right to privacy – National security must not be used as a shield by either governments or private players to justify the violation of the right to privacy and right to life and liberty.
- Since most search engines and social media platforms have no “permanent establishment” in India and are instead based in the US, law enforcement agencies do not get data access, as US laws bar US-based service providers from disclosing electronic communications.
- The bilateral mechanism of the India-US Mutual Legal Assistance Treaty is a bit outdated and does not seem to work.
Policy challenges in ascribing responsibility in cases of financial breaches due to multiple stakeholders: Cyber security encompasses banks, telecom companies, financial service providers, technology platforms, social media platforms, e-commerce companies, and the government, so there is difficulty in role assignment.
Untrained police: the conviction rate is low because policemen are not trained.
Lack of people's awareness: People do not understand the ramifications of cybersecurity breaches and India lacks the culture of cybersecurity.
Contracts awarded to Chinese companies for installation of supervisory control and data acquisition systems (SCADA) for power distribution: Cyberattacks on the electricity grid could have a debilitating impact on national security, governance, economy and social well-being of the nation.
SCADA is a computer-based industrial automation control system that practically makes factories and utilities run on their own. In an electrical system, SCADA maintains a balance between demand and supply.
Chinese Mobiles: Chinese handset brands command more than half of India’s smartphone market share, and are often pre-loaded with bundled apps. In 2014, the Indian Air Force red-flagged the use of Chinese-origin smartphones by its personnel and their family members due to the unencrypted transfer of user data to servers located in China.
“Black Box Phenomenon” in AI: There is very little or no understanding of what happens inside an AI system; only the input data and the results are known, owing to developers placing less emphasis on ethics.
The ‘Internet of Things’ is a weak link: IoT devices often lack basic security features and rely upon default passwords that can give attackers easy access, giving rise to botnet threats.
Skills shortage: The dearth of skilled cybersecurity professionals continues to be a major problem for many organizations. There is inadequate research in academia.
An understanding of the legal challenges unique to cyberspace: Crimes committed on the internet throw up complex jurisdictional questions requiring cross-border cooperation between law enforcement agencies. Current solutions operate in silos.
Gulshan Rai Committee recommendations on Cybersecurity:
- Establish a new Indian Cyber Crime Coordination Centre to check attempts of international gangs to penetrate Indian government official communication network.
- It would be linked to NATGRID and CCTNS (Crime and Criminal Tracking Network System) and branches in states to curb cybercrime.
CCTNS aims to connect the police stations of the country to facilitate collection, storage, retrieval, analysis, transfer and sharing of data and information at the police station and between the police station and the State Headquarters and the Central Police Organizations.
- Devise an advanced application for Social Media Analytics to monitor social media platform activities related to the Ministries of Home, External Affairs, Defence and other government organizations.
- Reduce Government’s dependence on foreign servers and ensure one dedicated secure gateway for all government communication. A separate agency for online cybercrime registration, monitoring, and integration of CCTNS data with the same.
- Amend the Evidence Act to suit the current requirements and prosecute cybercrimes.
- Sensitize the states by setting up cyber forensic laboratories in states along with workshops and international cooperation.
- Handling cyber complaints: Various steps should be clarified to law enforcement agencies which they must follow upon receiving a complaint about a cyber-crime, and to obtain information for prosecution.
- Data protection regulation: Agencies should be familiarised with electronic evidence gathering processes, including the rules and regulations in place for accessing data and intermediary liability.
- Stringent regulations for multi-level checks on equipment imported for the domestic power distribution sector to prevent the electricity grid from cyber attacks.
- State Cybersecurity Framework should be envisaged in P-P-P Model. The govt. needs to have more interaction with the private sector.
- Establishment of the State CERT to operate in conjunction with ICERT and coordinate with NCIIPC.
- Big Data Analytics can help companies that possess huge volumes of data to identify patterns of behavior and also the potential mistakes made in the corporate environment, which could have a detrimental impact on the protection and preservation of cybersecurity.
- Govt. should take appropriate steps for enhancing awareness of citizens and small businesses for cybersecurity.
- Training manpower: There are three aspects to the entire IT security phenomenon: people, process and technology. The most important one is people because the other two depend on it.
- Promotion of research and development in cybersecurity.
- The customers also have a responsibility to maintain basic cyber hygiene by following practices and taking precautions to keep one’s sensitive information organized, safe and secure. They should also understand the security implications of using foreign origin smartphones with bundled, pre-installed apps.
- India’s approach with respect to the protection of its cyber assets thus far has been dictated by occurrences of cybersecurity incidents, particularly where the systems of the government have been impacted.
- A proactive, rather than a reactive approach, is the need of the hour.